[Consultation] How to see test case and run specified modules testing?

康兴锋 (Xingfeng Kang)

Nov 10, 2020, 10:35:43 PM
to Dmitry Vyukov, Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
@ Dmitry and Lukas,
I'm very sorry to disturb you. I have two questions about the syzkaller tools; if you have time, would you help answer them? Thanks in advance!

Question 1:
Attached is a screenshot of our test report, showing the line "sprd-asoc- 1% of 802". Does "802" mean that there are 802 test cases covering the module "sprd-asoc-"? If yes, where can I see the list of test cases?

Question 2:
Does the syzkaller tool support testing of specified modules, such as CTS and VTS? If yes, how do we do it?


I would appreciate any feedback. Thanks.

Regards
Xingfeng
Syzkaller_Report.png

Dmitry Vyukov

Nov 11, 2020, 1:47:04 AM
to 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
On Wed, Nov 11, 2020 at 4:34 AM 康兴锋 (Xingfeng Kang)
<xingfe...@unisoc.com> wrote:
>
> @ Dmitry and Lukas,
> I'm very sorry to disturb you. I have two questions about the syzkaller tools; if you have time, would you help answer them? Thanks in advance!
>
> Question 1:
> Attached is a screenshot of our test report, showing the line "sprd-asoc- 1% of 802". Does "802" mean that there are 802 test cases covering the module "sprd-asoc-"? If yes, where can I see the list of test cases?

Hi Xingfeng,

No, it means that the sprd-asoc file has 802 code coverage points and 1%
of them were covered during fuzzing.

> Question2:
> About Syzkaller tool, Does it support testing of specified modules? Such as, CTS and VTS, if yes, how to do it?

The syzkaller manager config has an "enable_syscalls" parameter that can be
used to restrict the set of system calls used during fuzzing, to aim it at
a particular kernel subsystem.

康兴锋 (Xingfeng Kang)

Nov 11, 2020, 3:32:48 AM
to Dmitry Vyukov, Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
> Question 1:
> Attached is a screenshot of our test report, showing the line "sprd-asoc- 1% of 802". Does "802" mean that there are 802 test cases covering the module "sprd-asoc-"? If yes, where can I see the list of test cases?
> No, it means that the sprd-asoc file has 802 code coverage points and 1% of them were covered during fuzzing.
-----> @Dmitry, about this issue I have the questions below; if you have time, would you help answer them? Thanks.
A. "802 code coverage points": does "code coverage points" mean the code that can be covered by syscalls?
B. "1% of them were covered during fuzzing": for the 1% code coverage, where can I see the list of test cases that have been executed? Or are they randomly generated?
C. A syscall is the basic execution unit in the syzkaller tool, and some syscalls form the prog structure. Can a prog then be understood as a test case? Some progs form the corpus, and the corpus has been executed by the DUT. I don't know if my understanding is correct.

Dmitry Vyukov

Nov 12, 2020, 5:41:25 AM
to 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
On Wed, Nov 11, 2020 at 9:31 AM 康兴锋 (Xingfeng Kang)
<xingfe...@unisoc.com> wrote:
>
> > Question 1:
> > Attached is a screenshot of our test report, showing the line "sprd-asoc- 1% of 802". Does "802" mean that there are 802 test cases covering the module "sprd-asoc-"? If yes, where can I see the list of test cases?
> No, it means that the sprd-asoc file has 802 code coverage points and 1% of them were covered during fuzzing.
> -----> @Dmitry, about this issue I have the questions below; if you have time, would you help answer them? Thanks.
> A. "802 code coverage points": does "code coverage points" mean the code that can be covered by syscalls?

That's code that can be covered, but not necessarily by syscalls (also
by interrupts, background threads, init code, etc).


> B. "1% of them were covered during fuzzing": for the 1% code coverage, where can I see the list of test cases that have been executed? Or are they randomly generated?

Test cases are not preserved. They are transient: generated,
executed and thrown away.
You can see all test cases if you run syz-manager with the -debug flag,
but it will be slow and is intended only for debugging.


> C. A syscall is the basic execution unit in the syzkaller tool, and some syscalls form the prog structure. Can a prog then be understood as a test case? Some progs form the corpus, and the corpus has been executed by the DUT. I don't know if my understanding is correct.

Yes, a program is the basic execution unit. A program consists of several syscalls.
You can look at the programs stored in the corpus so far using the
tools/syz-db utility:
$ syz-db unpack workdir/corpus.db /tmp/corpus
Then /tmp/corpus will contain all test programs in text form.
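As an added example (not from this thread or the syzkaller project), a Python script that reads the programs written by `syz-db unpack`, counts which syscalls and variants the corpus exercises, and reports calls outside an enable_syscalls list; the sample programs are constructed, and the matching rules for the enabled list are the script's own, not syz-manager's.

```python
"""Summarise the syscalls in a corpus unpacked with `syz-db unpack`.

Each file holds one program in syzkaller's text form, one call per line,
optionally prefixed with a result binding ("r0 = "). Calls are counted per
variant ("openat$ppp") and per base syscall ("openat"); calls outside an
enable_syscalls list (as in a syz-manager config) are reported separately."""
import json
import re
import sys
from collections import Counter
from pathlib import Path

# Optional "rN = " binding, then the call name (base syscall plus optional
# "$variant" suffix), then the opening parenthesis of the argument list.
CALL_RE = re.compile(r"^(?:r\d+\s*=\s*)?([A-Za-z_]\w*(?:\$\w+)?)\(")


def parse_program(text):
    """Return the call names of one program in execution order."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        match = CALL_RE.match(line)
        if match:
            calls.append(match.group(1))
    return calls


def base_name(call):
    """'openat$ppp' -> 'openat'; a name without a variant is unchanged."""
    return call.split("$", 1)[0]


def summarise(programs):
    """Count calls per variant and per base syscall across all programs."""
    variants, bases = Counter(), Counter()
    for text in programs:
        for call in parse_program(text):
            variants[call] += 1
            bases[base_name(call)] += 1
    return variants, bases


def outside_enabled(programs, enabled):
    """Calls in the corpus not covered by `enabled`. This script's matching:
    an entry matches its exact variant name or, if it has no '$', every
    variant of that base syscall (not necessarily syz-manager's own rules)."""
    enabled = set(enabled)
    stray = Counter()
    for text in programs:
        for call in parse_program(text):
            if call not in enabled and base_name(call) not in enabled:
                stray[call] += 1
    return stray


def load_corpus(directory):
    """Read every regular file of an unpacked corpus directory as one program."""
    return [p.read_text(encoding="utf-8", errors="replace")
            for p in sorted(Path(directory).iterdir()) if p.is_file()]


def enabled_from_config(path):
    """The enable_syscalls list of a syz-manager config (plain JSON, no comments)."""
    return json.loads(Path(path).read_text(encoding="utf-8")).get("enable_syscalls", [])


# Constructed sample programs in syzkaller's text form (not a real corpus).
SAMPLE_PROGRAMS = [
    "r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\\x00', 0x0, 0x0)\n"
    "ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f0000000040))\n",
    "# constructed sample\n"
    "r0 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='.\\x00', 0x0, 0x0)\n"
    "r1 = socket$inet_tcp(0x2, 0x1, 0x0)\n"
    "mount$fuse(0x0, 0x0, 0x0, 0x0, 0x0)\n",
    "mem_emem_trigger(&(0x7f0000000000)=0x320)\n",  # the thread's custom syscall
]

if __name__ == "__main__":
    programs = load_corpus(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROGRAMS
    for name, count in summarise(programs)[1].most_common(10):
        print(f"{count:6d}  {name}")
```

Run it as `python3 corpus_summary.py /tmp/corpus` after unpacking; with no argument it runs over the constructed samples.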

康兴锋 (Xingfeng Kang)

Nov 12, 2020, 6:16:23 AM
to Dmitry Vyukov, Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
@Dmitry, thank you very much for kindly taking the time to answer my doubts.

康兴锋 (Xingfeng Kang)

Nov 26, 2020, 12:28:36 AM
to Dmitry Vyukov, Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
@Dmitry,
I'm very sorry to disturb you again.
We created the syzkaller environment based on a mobile DUT and ran it for 7 days, but checking the report we find that only 273 corpus programs have been executed. Would you have any comments about this issue?

Dmitry Vyukov

Nov 26, 2020, 1:21:11 AM
to 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
On Thu, Nov 26, 2020 at 6:28 AM 康兴锋 (Xingfeng Kang)
<xingfe...@unisoc.com> wrote:
>
> @Dmitry,
> I'm very sorry to disturb you again.
> We created the syzkaller environment based on a mobile DUT and ran it for 7 days, but checking the report we find that only 273 corpus programs have been executed. Would you have any comments about this issue?

If you attach the manager config, an excerpt from the manager log, the saved manager
web page, the coverage report and the workdir, I can take a quick glance for
anything suspicious.

康兴锋 (Xingfeng Kang)

Nov 26, 2020, 1:24:19 AM
to Dmitry Vyukov, Lukas Bulwahn, 孙政 (Zheng Sun), 吴嘉骏 (Jiajun Wu), syzkaller
> If you attach the manager config, an excerpt from the manager log, the saved manager web page, the coverage report and the workdir, I can take a quick glance for anything suspicious.
----@Zheng, please. Thanks.

Dmitry Vyukov

Nov 26, 2020, 2:48:16 AM
to 孙政 (Zheng Sun), 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
You are running with the -debug flag. See above regarding the -debug flag:
https://groups.google.com/g/syzkaller/c/OdJjEM_6Vos/m/rIVrNRaGAAAJ

On Thu, Nov 26, 2020 at 8:43 AM 孙政 (Zheng Sun) <Zhen...@unisoc.com> wrote:
>
> fyi
>

孙政 (Zheng Sun)

Nov 26, 2020, 3:22:26 AM
to Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Yes, we are running syz-manager with the -debug flag.

-----------------------------------------------------------------------------------

Zheng.sun
Unisoc Technologies Co., Ltd. (紫光展锐科技有限公司)
Tel: 86-21-20360600 ext. 6693
Email: zhen...@unisoc.com
Web: www.unisoc.com
Address: Building 2, Unisoc Center, Lane 2288 Zuchongzhi Road, Zhangjiang, Pudong, Shanghai, China 202136

孙政 (Zheng Sun)

Nov 26, 2020, 10:29:51 PM
to Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Hi Dmitry,
I am trying to add a new syscall mem_emem_trigger in kernel 4.14; how can I fix this error?
1. In our practice, we use syzkaller from google (https://github.com/google/syzkaller/).
Which branch is linux based on, 4.9 or 4.14?
2. We build using the original method without any modification: make TARGETOS=linux TARGETARCH=arm64
Can it be run on our kernel 4.14 branch? Obviously we add our own code into linux; in this case, does the syscall generation method have some special way?

3. We ran syzkaller for about a week, but we got very low coverage, most folders around 10%, and our own code cannot be touched
(most syscalls in the corpus look like this: "syz_*/socket$*/openat$/mount$").
So, the same question: is the syscall method the same for different code? How to increase code coverage? How to add new syscalls?
ps: https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md

Steps to add the new syscall, as follows:
1. include/linux/syscalls.h, add the function:
asmlinkage long sys_mem_emem_trigger(unsigned long value);
2. include/uapi/asm-generic/unistd.h
define the NR_mem_emem_trigger id
3. mm/emem.c, define the syscall
SYSCALL_DEFINE1(mem_emem_trigger, unsigned long, value)
4. In the syzkaller sys folder, create emem.txt and add this:
include <linux/emem.h>
mem_emem_trigger(data ptr[in, int32[800:950]])
5. Build, make generate:
make bin/syz-extract
bin/syz-extract -os linux -arch arm64 -sourcedir "kernel/kernel4.14" -builddir "/out/androidr/ums512_1h10_Natv/obj" emem.txt
I got this:

syzkaller$ make generate
make descriptions
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
syscall mem_emem_trigger is unsupported on all arches (typo?)
Makefile:143: recipe for target '.descriptions' failed
make[2]: *** [.descriptions] Error 1
Makefile:139: recipe for target 'descriptions' failed
make[1]: *** [descriptions] Error 2
Makefile:223: recipe for target 'generate' failed
make: *** [generate] Error 2


patch:
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 816532c7c17e..e7fd3ce2972c 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -945,4 +945,5 @@ asmlinkage long sys_pidfd_send_signal(int pidfd, int sig,
siginfo_t __user *info,
unsigned int flags);

+asmlinkage long sys_mem_emem_trigger(unsigned long value);
#endif
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 119661ff7e94..6dd17d9f35af 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -898,8 +898,14 @@ __SYSCALL(__NR_fork, sys_fork)
__SYSCALL(__NR_fork, sys_ni_syscall)
#endif /* CONFIG_MMU */

+#define __NR_mem_emem_trigger 1080
+#ifdef CONFIG_E_SHOW_MEM
+__SYSCALL(__NR_mem_emem_trigger, sys_mem_emem_trigger)
+#endif /*CONFIG_E_SHOW_MEM*/
+
#undef __NR_syscalls
-#define __NR_syscalls (__NR_fork+1)
+#define __NR_syscalls (__NR_mem_emem_trigger+1)
+

#endif /* __ARCH_WANT_SYSCALL_DEPRECATED */
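Review bot: the new `#define __NR_mem_emem_trigger 1080`, its `__SYSCALL` entry and the `__NR_syscalls` redefinition all land inside the legacy block that closes with `#endif /* __ARCH_WANT_SYSCALL_DEPRECATED */` (the `__NR_fork` context lines belong to that section), so on a target that does not define `__ARCH_WANT_SYSCALL_DEPRECATED` the constant is never defined and the table entry is never emitted; that is consistent with syz-extract failing to find `__NR_mem_emem_trigger`. Move the number and the `__NR_syscalls` update to the unconditional part of the table. Also, `#define __NR_mem_emem_trigger 1080` sits outside the `#ifdef CONFIG_E_SHOW_MEM` guard while `__SYSCALL(__NR_mem_emem_trigger, sys_mem_emem_trigger)` sits inside it, so with the option off the number exists but no handler is installed; guard both or neither.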

diff --git a/mm/emem.c b/mm/emem.c
index f36890710dda..e0e2bb9abf78 100644
--- a/mm/emem.c
+++ b/mm/emem.c
@@ -37,7 +37,7 @@
#include <linux/fs.h>
#include <linux/delay.h>
#include <linux/workqueue.h>
-
+#include <linux/syscalls.h>
#define DEFAULT_PROC_ADJ 900
#ifdef CONFIG_SPRD_DEBUG
#define EMEM_SHOW_INTERVAL 2
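Review bot: style only; the `-`/`+` pair replaces the blank line that separated the `#include` block from `#define DEFAULT_PROC_ADJ 900`. Add `#include <linux/syscalls.h>` as a new line and keep the blank separator.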
@@ -173,5 +173,26 @@ static int __init emem_init(void)
return 0;
}

+SYSCALL_DEFINE1(mem_emem_trigger, unsigned long , value)
+{
+ int val[4];
+ void __user *argp = (void __user *)value;
+ //unsigned char *emem_buf = NULL;
+ if (value <0)
+ return -1;
+ //emem_buf = kmalloc(sizeof(val), GFP_KERNEL);
+ //if(emem_buf<0 )
+ // return -1;
+ if(copy_from_user(val , argp , 1))
+ return -EFAULT;
+ sysctl_emem_trigger = val[0];
+
+ // kfree(emem_buf);
+ return 0;
+}
+
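Review bot: the handler body has several defects. `value` is `unsigned long`, so `if (value <0)` can never be true and should go. `copy_from_user(val , argp , 1)` copies a single byte into `int val[4]`, so `sysctl_emem_trigger = val[0];` stores three uninitialized stack bytes alongside the user byte; declare a single `int` (or use `get_user`) and copy `sizeof(int)`. `return -1;` is not an errno, use `-EINVAL`. Nothing validates the incoming value or the caller's privilege, although the same setting is otherwise reachable only through /proc/sys with its file permissions enforced, so add a `capable(CAP_SYS_ADMIN)` check and a range check (the syzkaller description in step 4 expects 800..950). Drop the commented-out kmalloc/kfree lines and run the hunk through scripts/checkpatch.pl for the spacing in `unsigned long , value` and `if(copy_from_user(val , argp , 1))`.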

Thanks!
zheng.sun

Dmitry Vyukov

Nov 27, 2020, 1:48:26 AM
to 孙政 (Zheng Sun), 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
On Fri, Nov 27, 2020 at 4:29 AM 孙政 (Zheng Sun) <Zhen...@unisoc.com> wrote:
>
> Hi Dmitry,
> I am trying to add a new syscall mem_emem_trigger in kernel 4.14; how can I fix this error?
> 1. In our practice, we use syzkaller from google (https://github.com/google/syzkaller/).
> Which branch is linux based on, 4.9 or 4.14?

Hi Zheng,

I am not sure I understand the question.
Generally you use kernel branch that corresponds to the code you want
to test. If you want to test 4.14 branch, you use 4.14 branch.

> 2. We build using the original method without any modification: make TARGETOS=linux TARGETARCH=arm64
> Can it be run on our kernel 4.14 branch?

syzkaller on the 4.14 LTS branch:
https://syzkaller.appspot.com/linux-4.14
I can't say about your branch because I don't know what your branch
is. Overall I would expect it to work.

> Obviously we add our own code into linux; in this case, does the syscall generation method have some special way?

I am not sure I understand the question. What do you mean by "syscall
generation method"?
General instructions for adding syscalls are described here:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md


> 3. We ran syzkaller for about a week, but we got very low coverage, most folders around 10%, and our own code cannot be touched
> (most syscalls in the corpus look like this: "syz_*/socket$*/openat$/mount$").
> So, the same question: is the syscall method the same for different code?

I don't understand the question, sorry. Could you rephrase it?

> How to increase code coverage?

First, you need to remove the -debug flag as I mentioned before.
-debug is intended to be slow and give low coverage.

> How to add new syscalls?

The procedure is described in the link you provide on the next line,
so I am not sure what exactly you are asking...

> ps: https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md



> Steps to add the new syscall, as follows:
> 1. include/linux/syscalls.h, add the function:
> asmlinkage long sys_mem_emem_trigger(unsigned long value);
> 2. include/uapi/asm-generic/unistd.h
> define the NR_mem_emem_trigger id
> 3. mm/emem.c, define the syscall
> SYSCALL_DEFINE1(mem_emem_trigger, unsigned long, value)
> 4. In the syzkaller sys folder, create emem.txt and add this:
> include <linux/emem.h>
> mem_emem_trigger(data ptr[in, int32[800:950]])
> 5. Build, make generate:
> make bin/syz-extract
> bin/syz-extract -os linux -arch arm64 -sourcedir "kernel/kernel4.14" -builddir "/out/androidr/ums512_1h10_Natv/obj" emem.txt
> I got this:
>
> syzkaller$ make generate
> make descriptions
> go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
> make .descriptions
> bin/syz-sysgen
> syscall mem_emem_trigger is unsupported on all arches (typo?)

I think this error means that syz-extract wasn't able to extract the value
of the __NR_mem_emem_trigger constant.
It should be present in emem.txt.const after you run syz-extract.

孙政 (Zheng Sun)

Nov 27, 2020, 7:29:52 AM
to Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Hi Dmitry,
I will try removing the debug flag. Thanks.

Another question:
In common_linux.h
#if SYZ_EXECUTOR || __NR_syz_write_emem
..
static volatile long syz_write_emem(file ptr, int16 value)
{
file_write("/proc/sys/vm/mem_emem_trigger", value)
..
}

#endif

In sys/emem.txt
openat$p(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/vm/mem_emem_trigger"]], flags const[O_WRONLY], ...) fd_procemem
syz_write_emem$p(fd fd_procemem, data ptr[in, array[int32, 500:900]], count len[data])

enable_syscalls
{openat$p, syz_write_emem$p}

openat$p can be executed, but syz_write_emem$p cannot execute successfully.
Only the syz_write_emem$p(.., 0x0) test case runs, with no code coverage.
Why?

Best Regards
Zheng.sun


Dmitry Vyukov

Nov 30, 2020, 3:52:36 AM
to 孙政 (Zheng Sun), 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
On Fri, Nov 27, 2020 at 1:29 PM 孙政 (Zheng Sun) <Zhen...@unisoc.com> wrote:
>
> Hi Dmitry,
> I will try removing the debug flag. Thanks.
>
> Another question:
> In common_linux.h
> #if SYZ_EXECUTOR || __NR_syz_write_emem
> ..
> static volatile long syz_write_emem(file ptr, int16 value)
> {
> file_write("/proc/sys/vm/mem_emem_trigger", value)
> ..
> }
>
> #endif
>
> In sys/emem.txt
> openat$p(fd const[AT_FDCWD], file ptr[in, string["/proc/sys/vm/mem_emem_trigger"]], flags const[O_WRONLY], ...) fd_procemem
> syz_write_emem$p(fd fd_procemem, data ptr[in, array[int32, 500:900]], count len[data])
>
> enable_syscalls
> {openat$p, syz_write_emem$p}
>
> openat$p can be executed, but syz_write_emem$p cannot execute successfully.
> Only the syz_write_emem$p(.., 0x0) test case runs, with no code coverage.
> Why?
>
> Best Regards
> Zheng.sun

Hi Zheng,

See the following doc on debugging/testing of descriptions:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#testing-of-descriptions

孙政 (Zheng Sun)

Dec 7, 2020, 2:45:42 AM
to Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller

Hi Dmitry,

How can I fix this issue?

1. I add a new syscall syz_sysctl_add_for_test, which writes the proc/sys/vm/emem_trigger file node, a trigger that can show memory info using sysctl.

2. In sys/sys.txt:
change write$sysctrl to write "0", "1", ...

3. The log shows the write runs successfully.

4. The code is executed but no code coverage is generated. Only 10%.

5. How can I solve this issue? The log is added in the attachment.

Best Regards!

syzlog20201207_3.zip

Dmitry Vyukov

Dec 7, 2020, 2:53:31 AM
to 孙政 (Zheng Sun), 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
On Mon, Dec 7, 2020 at 8:45 AM 孙政 (Zheng Sun) <Zhen...@unisoc.com> wrote:
>
> Hi Dmitry,
>
> How can I fix this issue?
>
> 1. I add a new syscall syz_sysctl_add_for_test, which writes the proc/sys/vm/emem_trigger file node, a trigger that can show memory info using sysctl.
>
> 2. In sys/sys.txt:
> change write$sysctrl to write "0", "1", ...
>
> 3. The log shows the write runs successfully.
>
> 4. The code is executed but no code coverage is generated. Only 10%.
>
> 5. How can I solve this issue? The log is added in the attachment.
>
> Best Regards!

It seems that most of the code does not run in the syscall context.
KCOV only collects coverage from syscalls by default. It does not
collect coverage from background kernel threads, etc. See:
https://www.kernel.org/doc/html/latest/dev-tools/kcov.html?highlight=kcov#remote-coverage-collection
on how to solve it. You can find some existing examples of KCOV remote
annotations in the mainline kernel.

孙政 (Zheng Sun)

Dec 11, 2020, 5:10:42 AM
to Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller

Hi Dmitry,

Same question. I followed these steps:
https://www.kernel.org/doc/html/latest/dev-tools/kcov.html?highlight=kcov#remote-coverage-collection
but executing ioctl KCOV_REMOTE_ENABLE gives ERRNO 16 (device busy). How can I fix this issue?

kernel/kcov.c

case KCOV_REMOTE_ENABLE:
        kcov_debug("KCOV_REMOTE_ENABLE\n");
        if (kcov->mode != KCOV_MODE_INIT || !kcov->area)
                return -EINVAL;
        t = current;
        if (kcov->t != NULL || t->kcov != NULL)
                return -EBUSY; /* here */

Best Regards

Zheng.sun

Dmitry Vyukov

Dec 11, 2020, 5:18:40 AM
to 孙政 (Zheng Sun), Andrey Konovalov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
+Andrey for remote coverage EBUSY question

Andrey Konovalov

Dec 11, 2020, 10:16:55 AM
to 孙政 (Zheng Sun), Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Hi Zheng,

EBUSY likely means that the current thread is already collecting coverage via KCOV_ENABLE (without REMOTE). Syzkaller currently uses a separate thread to collect remote coverage.

Please show the kcov annotations you've added to the kernel code. And also kcov-related syzkaller changes if you did any.

Thanks!


孙政 (Zheng Sun)

Dec 14, 2020, 1:48:36 AM
to Andrey Konovalov, Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller

Hi Andrey,

In syzkaller, the kcov_remote_enable ioctl gives an "EBUSY Error".
In the kernel I added the kcov_remote_start/kcov_remote_stop functions, and I got "cover enable write trace failed,mode=0(error 22)".

Any suggestion?

-----------------------------------------------------------------------------------

Zheng.sun

kernel code part.png
syzkaller code part.png

Andrey Konovalov

Dec 15, 2020, 8:59:12 AM
to 孙政 (Zheng Sun), Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Re kcov annotations you have:

1. kcov_common_handle() has to be called in the context of the user
task that initialized the kcov instance. In this case it should
probably go into the open() handler for this emem file.

2. kcov_remote_start/stop() have to be called where the work is
processed, not where the work is being scheduled.

See how kcov integration is done for drivers/vhost/vhost.c.

Re the code that uses kcov: it looks fairly modified from what
syzkaller has, so I'm not sure what the issue is.

孙政 (Zheng Sun)

Dec 24, 2020, 3:55:22 AM
to Andrey Konovalov, Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Hi Andrey,
I followed your instructions and defined a new syscall "syz_sysctl_add_for_test"; it works OK on both the user and kernel side.
By tracking logs, "kcov_remote_start" in the emem work function works, but I got no coverage and no corpus.
The emem background work function runs normally; it seems __sanitizer_cov_trace_pc did not work. I tracked current->kcov_mode, ID 2.

I fork a thread in syzkaller common_linux.h inside the syscall "syz_sysctl_add_for_test"; this thread is killed by the system, and there is nothing else in "/sys/kernel/debug/kcov".
Any suggestion?

killing hanging pid 65
2020/12/22 16:18:33 result hanged=false:

Best Regards
-----------------------------------------------------------------------------------

Zheng.sun

work.zip

Andrey Konovalov

Jan 5, 2021, 12:13:00 PM
to 孙政 (Zheng Sun), Dmitry Vyukov, 康兴锋 (Xingfeng Kang), Lukas Bulwahn, 吴嘉骏 (Jiajun Wu), syzkaller
Hi,

It's hard to understand what exactly you're doing.

I can only suggest to trace/debug kcov code to see what goes wrong.

Thanks!