- lock all relevant mutexes just before fork
- unlock all mutexes just after fork in the parent
- full reinit non-spinlocks in the child
This is not using the normal pthread_atfork interface to ensure order of
operation, malloc is used as implementation detail too often.
temporarily disable KCOV on the current lwp. Should be used in the rare
but problematic cases where extreme noise is introduced by an
uninteresting subsystem.
Use this capability to silence KCOV during the LOCKDEBUG lookups. This
divides the size of the KCOV output by more than two in my KCOV+vHCI
tests.
threads other than curlwp, which is useful when fuzzing components that
defer processing, such as the network stack (partially runs in softints)
and the USB stack (partially runs in uhub kthreads).
A subsystem that whishes to provide coverage for its threads creates a
"mailbox" via kcov_remote_register() and gives it a (subsystem, id)
identifier. There is one mailbox per "target lwp". The target lwp(s)
must then call kcov_remote_enter() and kcov_remote_leave() with the
identifier, to respectively enable and disable coverage within the
thread.
On the userland side, the fuzzer has access to the mailboxes on the
system with the KCOV_IOC_REMOTE_ATTACH and KCOV_IOC_REMOTE_DETACH ioctls.
When attached to a mailbox with a given identifier, the KCOV_IOC_ENABLE,
KCOV_IOC_DISABLE and mmap() operations will affect the mailbox.
As a demonstrator, the vHCI subsystem is changed to use KCOV mailboxes.
When the vHCI bus attaches it creates as many mailboxes as it has USB
ports, each mailbox being associated with a distinct port. Uhub is changed
to enable KCOV coverage in usbd_new_device(). With that in place, all of
the USB enumeration procedure can be traced with KCOV.
Make sure local_port is not shared within a crunchgen binary. There is
more to do to get full functionnality in crunchgen, but at least this
change makes dhcpd listen on the right port again.
'ip->ip_ttl'; but ip_output() won't if the target is not a multicast
address, meaning that the uninitialized 'ip->ip_ttl' byte gets sent to
the network. This leaks one byte of kernel heap.
Fix this by filling 'ip->ip_ttl' with a TTL of one.
Found by KMSAN.
Reported-by: syzbot+e49f7b8a8fec5a477c9a@syzkaller.appspotmail.com
The physical pages remain forever reserved because it's not convenient
to unreserve them at the moment after we reserved them during
fdt_build_bootconifg, but it's just two pages so not that big a deal.
SIGCHLD once blocked is discarded by the kernel as it has the
SA_IGNORE property. During the fork(2) operation all signals can be
shortly blocked and missed (unless there is a registered signal
handler in the traced child). This leads to a race in this test if
there would be an intention to catch SIGCHLD.
Fixes PR lib/55241 by Andreas Gustafsson
They deliver the logic of bypassing selected signals directly to the
debuggee, without informing the debugger.
This can be used to implement the QPassSignals GDB/LLDB protocol.
This call can be useful to avoid signal races in ATF ptrace tests.
we can't read feature-rx-copy in resume, at that time the new backend
device is not filled yet; convert it just to feature flag read on interface
attach, can assume any backend would support rx-copy anyway
fix compile with XENNET_DEBUG
part of PR port-xen/55207
christos