linux syscall descriptions improvements

docs/syscall_descriptions_syntax.md

@@ -95,7 +95,7 @@ Call attributes are:
 ```
 "disabled": the call will not be used in fuzzing; useful to temporary disable some calls
 	or prohibit particular argument combinations.
-"timeout[N]": additional execution timeout (in ms) for the call on top of some default value
+"timeout[N]": additional execution timeout (in ms) for the call on top of some default value.
 "prog_timeout[N]": additional execution timeout (in ms) for the whole program if it contains this call;
 	if a program contains several such calls, the max value is used.
 "ignore_return": ignore return value of this syscall in fallback feedback; need to be used for calls
@@ -107,9 +107,13 @@ Call attributes are:
 	Without that, the fuzzer will sometimes attempt to replace complex structures with arrays of bytes,
 	possibly triggering interesting mutations, but also making programs hard to reason about.
 "fsck": the content of the compressed buffer argument for this syscall is a file system and the
-    string argument is a fsck-like command that will be called to verify the filesystem
+	string argument is a fsck-like command that will be called to verify the filesystem.
 "remote_cover": wait longer to collect remote coverage for this call.
-"kfuzz_test": the call is a kfuzztest target
+"kfuzz_test": the call is a kfuzztest target.
+"snapshot": the call is enabled by default only in snapshot fuzzing mode,
+	but "enable_syscalls" and "disable_syscalls" config parameters override this.
+	It is generally used to mark calls that are not safe to execute in non-snapshot mode
+	(can lead to false positives, or lost connections to test machines.
 ```
 
 ## Ints

pkg/mgrconfig/load.go

@@ -112,21 +112,20 @@ func DefaultValues() *Config {
 type DescriptionsMode int
 
 const (
-	invalidDescriptions = iota
-	ManualDescriptions
+	ManualDescriptions = 1 << iota
 	AutoDescriptions
-	AnyDescriptions
+	SnapshotDescriptions
+
+	AnyDescriptions = ManualDescriptions | AutoDescriptions
 )
 
 const manualDescriptions = "manual"
 
-var (
-	strToDescriptionsMode = map[string]DescriptionsMode{
-		manualDescriptions: ManualDescriptions,
-		"auto":             AutoDescriptions,
-		"any":              AnyDescriptions,
-	}
-)
+var strToDescriptionsMode = map[string]DescriptionsMode{
+	manualDescriptions: ManualDescriptions,
+	"auto":             AutoDescriptions,
+	"any":              AnyDescriptions,
+}
 
 func SetTargets(cfg *Config) error {
 	var err error
@@ -184,9 +183,13 @@ func Complete(cfg *Config) error {
 		return fmt.Errorf("fuzzing_vms cannot be less than 0")
 	}
 
+	descriptionsMode := strToDescriptionsMode[cfg.Experimental.DescriptionsMode]
+	if cfg.Snapshot {
+		descriptionsMode |= SnapshotDescriptions
+	}
 	var err error
 	cfg.Syscalls, err = ParseEnabledSyscalls(cfg.Target, cfg.EnabledSyscalls, cfg.DisabledSyscalls,
-		strToDescriptionsMode[cfg.Experimental.DescriptionsMode])
+		descriptionsMode)
 	if err != nil {
 		return err
 	}
@@ -419,10 +422,6 @@ func SplitTarget(str string) (os, vmarch, arch string, target *prog.Target, sysT
 
 func ParseEnabledSyscalls(target *prog.Target, enabled, disabled []string,
 	descriptionsMode DescriptionsMode) ([]int, error) {
-	if descriptionsMode == invalidDescriptions {
-		return nil, fmt.Errorf("config param descriptions_mode must contain one of auto/manual/any")
-	}
-
 	syscalls := make(map[int]bool)
 	if len(enabled) != 0 {
 		for _, c := range enabled {
@@ -439,14 +438,17 @@ func ParseEnabledSyscalls(target *prog.Target, enabled, disabled []string,
 		}
 	} else {
 		for _, call := range target.Syscalls {
+			if call.Attrs.Snapshot && (descriptionsMode&SnapshotDescriptions) == 0 {
+				continue
+			}
 			syscalls[call.ID] = true
 		}
 	}
 
 	for call := range syscalls {
 		if target.Syscalls[call].Attrs.Disabled ||
-			descriptionsMode == ManualDescriptions && target.Syscalls[call].Attrs.Automatic ||
-			descriptionsMode == AutoDescriptions &&
+			(descriptionsMode&AutoDescriptions) == 0 && target.Syscalls[call].Attrs.Automatic ||
+			(descriptionsMode&ManualDescriptions) == 0 &&
 				!target.Syscalls[call].Attrs.Automatic && !target.Syscalls[call].Attrs.AutomaticHelper {
 			delete(syscalls, call)
 		}

prog/types.go

@@ -49,6 +49,7 @@ type SyscallAttrs struct {
 	Automatic       bool
 	AutomaticHelper bool
 	KFuzzTest       bool
+	Snapshot        bool
 	Fsck            string
 	// Filesystem is used in tools/syz-imagegen when fs name cannot be deduced from
 	// the part after $.

sys/linux/bpf_trace.txt

@@ -15,8 +15,10 @@ syz_btf_id_by_name$bpf_lsm(name ptr[in, string[bpf_lsm_func_names]]) bpf_lsm_btf
 bpf$BPF_PROG_WITH_BTFID_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog_with_btfid], size len[arg]) fd_bpf_prog_with_btfid (timeout[500])
 bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog_raw_tracepoint], size len[arg]) fd_bpf_prog_raw_tracepoint (timeout[500])
 
-bpf$BPF_RAW_TRACEPOINT_OPEN_UNNAMED(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint_unnamed], size len[arg]) fd_perf_base (timeout[500])
-bpf$BPF_RAW_TRACEPOINT_OPEN(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint], size len[arg]) fd_perf_base (timeout[500])
+# BPF programs attached to random tracepoints can kill any process (including the executor runner process),
+# leading to false "lost connection" crashes. So we enable them only in snapshot mode.
+bpf$BPF_RAW_TRACEPOINT_OPEN_UNNAMED(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint_unnamed], size len[arg]) fd_perf_base (snapshot, timeout[500])
+bpf$BPF_RAW_TRACEPOINT_OPEN(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint], size len[arg]) fd_perf_base (snapshot, timeout[500])
 
 bpf_prog_with_btfid [
 	bpf_lsm		bpf_lsm_prog

sys/linux/dev_snapshot.txt

@@ -11,9 +11,9 @@ openat$snapshot(fd const[AT_FDCWD], file ptr[in, string["/dev/snapshot"]], flags
 write$snapshot(fd fd_snapshot, buffer ptr[in, array[int8]], len bytesize[buffer])
 read$snapshot(fd fd_snapshot, buffer ptr[out, array[int8]], len bytesize[buffer])
 
-# These are disabled because they can easily kill the machine.
-ioctl$SNAPSHOT_FREEZE(fd fd_snapshot, cmd const[SNAPSHOT_FREEZE]) (disabled)
-ioctl$SNAPSHOT_POWER_OFF(fd fd_snapshot, cmd const[SNAPSHOT_POWER_OFF]) (disabled)
+# These are enabled only in snapshot mode because they can easily kill the machine.
+ioctl$SNAPSHOT_FREEZE(fd fd_snapshot, cmd const[SNAPSHOT_FREEZE]) (snapshot)
+ioctl$SNAPSHOT_POWER_OFF(fd fd_snapshot, cmd const[SNAPSHOT_POWER_OFF]) (snapshot)
 
 ioctl$SNAPSHOT_UNFREEZE(fd fd_snapshot, cmd const[SNAPSHOT_UNFREEZE])
 ioctl$SNAPSHOT_CREATE_IMAGE(fd fd_snapshot, cmd const[SNAPSHOT_CREATE_IMAGE], arg ptr[out, int32])

sys/linux/dev_video4linux.txt

@@ -991,3 +991,9 @@ v4l2_input_capabilities = V4L2_IN_CAP_DV_TIMINGS, V4L2_IN_CAP_CUSTOM_TIMINGS, V4
 v4l2_output_type = V4L2_OUTPUT_TYPE_MODULATOR, V4L2_OUTPUT_TYPE_ANALOG, V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY
 v4l2_output_capabilities = V4L2_OUT_CAP_DV_TIMINGS, V4L2_OUT_CAP_CUSTOM_TIMINGS, V4L2_OUT_CAP_STD, V4L2_OUT_CAP_NATIVE_SIZE
 v4l2_query_ext_ctrl = V4L2_CTRL_FLAG_NEXT_CTRL, V4L2_CTRL_FLAG_NEXT_COMPOUND
+
+# These are actually defined in the newer kernel versions.
+# But the newer kernel versions don't build with make extract.
+# This can be removed once we can regenerate consts on at least v6.19-rc3.
+define V4L2_META_FMT_MALI_C55_PARAMS	1345664323
+define V4L2_META_FMT_MALI_C55_STATS	1395995971

sys/linux/fs_ioctl_ext4.txt

@@ -24,13 +24,13 @@ ext4_checkpoint_flags = EXT4_IOC_CHECKPOINT_FLAG_DISCARD, EXT4_IOC_CHECKPOINT_FL
 
 # EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
 # Fortunately, the value does not conflict with any other ioctl commands for now.
-ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (disabled)
+ioctl$EXT4_IOC_SHUTDOWN(fd fd, cmd const[EXT4_IOC_SHUTDOWN]) (snapshot)
 
 # EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size)
 # and then creation of new temp dirs for tests will fail.
 # TODO: not necessary for sandbox=namespace as it tests in a tmpfs
 # and/or if we mount tmpfs for sandbox=none (#971).
-ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (disabled)
+ioctl$EXT4_IOC_RESIZE_FS(fd fd, cmd const[EXT4_IOC_RESIZE_FS]) (snapshot)
 
 ext4_new_group_input {
 	group		int32

sys/linux/fs_ioctl_f2fs.txt

@@ -33,7 +33,7 @@ ioctl$F2FS_IOC_COMPRESS_FILE(fd fd, cmd const[F2FS_IOC_COMPRESS_FILE], arg const
 
 # F2FS_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways.
 # Fortunately, the value does not conflict with any other ioctl commands for now.
-ioctl$F2FS_IOC_SHUTDOWN(fd fd, cmd const[F2FS_IOC_SHUTDOWN], args ptr[in, flags[f2fs_shutdown_flag, int32]]) (disabled)
+ioctl$F2FS_IOC_SHUTDOWN(fd fd, cmd const[F2FS_IOC_SHUTDOWN], args ptr[in, flags[f2fs_shutdown_flag, int32]]) (snapshot)
 
 f2fs_gc_range {
 	sync	bool32

sys/linux/sys.txt

@@ -64,6 +64,8 @@ include <fs/smb/client/cifsglob.h>
 include <xen/interface/io/xs_wire.h>
 include <uapi/linux/prctl.h>
 include <asm/prctl.h>
+include <linux/reboot.h>
+include <linux/swap.h>
 
 resource fd[int32]: -1
 resource fd_dir[fd]: AT_FDCWD
@@ -262,8 +264,8 @@ ioctl$FIOCLEX(fd fd, cmd const[FIOCLEX])
 ioctl$FIONCLEX(fd fd, cmd const[FIONCLEX])
 ioctl$FITHAW(fd fd, cmd const[FITHAW])
 
-# FIFREEZE is disabled because it can easily kill the machine.
-ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (disabled)
+# FIFREEZE is enabled in sandbox mode only because it can easily kill the machine.
+ioctl$FIFREEZE(fd fd, cmd const[FIFREEZE]) (snapshot)
 
 fcntl$dupfd(fd fd, cmd flags[fcntl_dupfd], arg fd) fd
 fcntl$getflags(fd fd, cmd flags[fcntl_getflags])
@@ -544,8 +546,8 @@ waitid(which flags[waitid_which], pid pid, infop ptr[out, siginfo, opt], options
 waitid$P_PIDFD(which const[P_PIDFD], pidfd fd_pidfd, infop ptr[out, siginfo, opt], options flags[wait_options], ru ptr[out, rusage, opt])
 wait4(pid pid, status ptr[out, int32, opt], options flags[wait_options], ru ptr[out, rusage, opt])
 times(buf ptr[out, tms])
-# Can send signals to all processes (pid=-1).
-#kill(pid pid, sig signalno)
+# Can send signals to all processes (pid=-1) so it's enabled only in snapshot mode.
+kill(pid pid, sig signalno) (snapshot)
 
 set_thread_area(info ptr[in, user_desc])
 get_thread_area(info ptr[in, user_desc])
@@ -570,6 +572,56 @@ sched_setattr(pid pid, attr ptr[in, sched_attr], flags const[0])
 sched_yield()
 getrandom(buf buffer[out], len len[buf], flags flags[getrandom_flags])
 
+reboot(magic1 const[LINUX_REBOOT_MAGIC1], magic2 const[LINUX_REBOOT_MAGIC2], cmd flags[reboot_commands], arg const[0]) (snapshot)
+
+reboot_commands = LINUX_REBOOT_CMD_RESTART, LINUX_REBOOT_CMD_HALT, LINUX_REBOOT_CMD_CAD_ON, LINUX_REBOOT_CMD_CAD_OFF, LINUX_REBOOT_CMD_POWER_OFF, LINUX_REBOOT_CMD_RESTART2, LINUX_REBOOT_CMD_SW_SUSPEND, LINUX_REBOOT_CMD_KEXEC
+
+swapon(specialfile ptr[in, filename], swap_flags flags[swap_flags]) (snapshot)
+swapoff(specialfile ptr[in, filename]) (snapshot)
+
+swap_flags = SWAP_FLAG_PRIO_MASK, SWAP_FLAG_PREFER, SWAP_FLAG_DISCARD, SWAP_FLAG_DISCARD_ONCE, SWAP_FLAG_DISCARD_PAGES
+
+sethostname(name ptr[in, array[int8]], len bytesize[name]) (snapshot)
+setdomainname(name ptr[in, array[int8]], len bytesize[name]) (snapshot)
+
+gettimeofday(tv ptr[out, timeval], tz ptr[out, timezone])
+settimeofday(tv ptr[out, timeval], tz ptr[out, timezone]) (snapshot)
+adjtimex(txc_p ptr[in, __kernel_timex]) (snapshot)
+
+timezone {
+	tz_minuteswest	int32
+	tz_dsttime	int32
+}
+
+__kernel_timex {
+	modes		flags[adjtimex_modes, int32]
+	pad0		const[0, int32]
+	offset		int64
+	freq		int64
+	maxerror	int64
+	esterror	int64
+	status		int32
+	pad1		const[0, int32]
+	constant	int64
+	precision	int64
+	tolerance	int64
+	int		timeval
+	tick		int64
+	ppsfreq		int64
+	jitter		int64
+	shift		int32
+	pad2		const[0, int32]
+	stabil		int64
+	jitcnt		int64
+	calcnt		int64
+	errcnt		int64
+	stbcnt		int64
+	tai		int32
+	pad3		array[const[0, int32], 11]
+}
+
+adjtimex_modes = ADJ_OFFSET, ADJ_FREQUENCY, ADJ_MAXERROR, ADJ_ESTERROR, ADJ_STATUS, ADJ_TIMECONST, ADJ_TAI, ADJ_SETOFFSET, ADJ_MICRO, ADJ_NANO, ADJ_TICK
+
 membarrier(cmd flags[membarrier_cmd], flags const[0])
 
 membarrier_cmd = MEMBARRIER_CMD_GLOBAL, MEMBARRIER_CMD_GLOBAL_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED, MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_SYNC_CORE, MEMBARRIER_CMD_QUERY, MEMBARRIER_CMD_REGISTER_GLOBAL_EXPEDITED, MEMBARRIER_CMD_SHARED
@@ -1390,11 +1442,6 @@ clone3_flags = CLONE_CLEAR_SIGHAND, CLONE_INTO_CGROUP, clone_flags
 ptrace_peeksiginfo_flags = PTRACE_PEEKSIGINFO_SHARED
 close_range_flags = CLOSE_RANGE_UNSHARE
 
-# adjtimex flags.
-_ = STA_PLL, STA_PPSFREQ, STA_PPSTIME, STA_FLL, STA_INS, STA_DEL, STA_UNSYNC, STA_FREQHOLD, STA_PPSSIGNAL, STA_PPSJITTER, STA_PPSWANDER, STA_PPSERROR, STA_CLOCKERR, STA_NANO, STA_MODE, STA_CLK, STA_RONLY
-# clock_adjtime modes
-_ = ADJ_OFFSET, ADJ_FREQUENCY, ADJ_MAXERROR, ADJ_ESTERROR, ADJ_STATUS, ADJ_TIMECONST, ADJ_TAI, ADJ_SETOFFSET, ADJ_MICRO, ADJ_NANO, ADJ_TICK, ADJ_OFFSET_SINGLESHOT
-
 # Consts for target.SpecialFileLenghts.
 _ = SMB_PATH_MAX, XT_CGROUP_PATH_MAX, XENSTORE_REL_PATH_MAX
 
@@ -1408,18 +1455,10 @@ define KCOV_REMOTE_ENABLE	1075340134
 # umask
 # vhangup
 # _sysctl
-# adjtimex
-# swapon
-# swapoff
 # nfsservctl
 # getcpu
 
 # Probably no sense in calling these.
 # Also affect system-wide state, so not reproducible anyway.
-# gettimeofday
-# settimeofday
-# reboot
-# sethostname
-# setdomainname
 # sched_get_priority_max
 # sched_get_priority_min

sys/linux/sys.txt.const

@@ -229,6 +229,16 @@ KEXEC_ARCH_SH = 2752512
 KEXEC_ARCH_X86_64 = 4063232
 KEXEC_ON_CRASH = 1
 KEXEC_PRESERVE_CONTEXT = 2
+LINUX_REBOOT_CMD_CAD_OFF = 0
+LINUX_REBOOT_CMD_CAD_ON = 2309737967
+LINUX_REBOOT_CMD_HALT = 3454992675
+LINUX_REBOOT_CMD_KEXEC = 1163412803
+LINUX_REBOOT_CMD_POWER_OFF = 1126301404
+LINUX_REBOOT_CMD_RESTART = 19088743
+LINUX_REBOOT_CMD_RESTART2 = 2712847316
+LINUX_REBOOT_CMD_SW_SUSPEND = 3489725666
+LINUX_REBOOT_MAGIC1 = 4276215469
+LINUX_REBOOT_MAGIC2 = 672274793
 LOCK_EX = 2
 LOCK_NB = 4
 LOCK_SH = 1
@@ -566,6 +576,11 @@ STA_PPSWANDER = 1024
 STA_RONLY = 65280
 STA_UNSYNC = 64
 STICKY_TIMEOUTS = 67108864
+SWAP_FLAG_DISCARD = 65536
+SWAP_FLAG_DISCARD_ONCE = 131072
+SWAP_FLAG_DISCARD_PAGES = 262144
+SWAP_FLAG_PREFER = 32768
+SWAP_FLAG_PRIO_MASK = 32767
 SYNC_FILE_RANGE_WAIT_AFTER = 4
 SYNC_FILE_RANGE_WAIT_BEFORE = 1
 SYNC_FILE_RANGE_WRITE = 2
@@ -700,6 +715,7 @@ __NR_ioprio_get = 31, 386:290, amd64:252, arm:315, mips64le:5274, ppc64le:274, s
 __NR_ioprio_set = 30, 386:289, amd64:251, arm:314, mips64le:5273, ppc64le:273, s390x:282
 __NR_kcmp = 272, 386:349, amd64:312, arm:378, mips64le:5306, ppc64le:354, s390x:343
 __NR_kexec_load = 104, 386:283, amd64:246, arm:347, mips64le:5270, ppc64le:268, s390x:277
+__NR_kill = 37, amd64:62, arm64:riscv64:129, mips64le:5060
 __NR_lchown = 16, amd64:94, arm64:riscv64:???, mips64le:5092, s390x:198
 __NR_link = 9, amd64:86, arm64:riscv64:???, mips64le:5084
 __NR_linkat = 37, 386:303, amd64:265, arm:330, mips64le:5255, ppc64le:294, s390x:296
@@ -776,6 +792,7 @@ __NR_readahead = 213, 386:arm:225, amd64:187, mips64le:5179, ppc64le:191, s390x:
 __NR_readlink = 85, amd64:89, arm64:riscv64:???, mips64le:5087
 __NR_readlinkat = 78, 386:305, amd64:267, arm:332, mips64le:5257, ppc64le:296, s390x:298
 __NR_readv = 145, amd64:19, arm64:riscv64:65, mips64le:5018
+__NR_reboot = 88, amd64:169, arm64:riscv64:142, mips64le:5164
 __NR_remap_file_pages = 234, 386:257, amd64:216, arm:253, mips64le:5210, ppc64le:239, s390x:267
 __NR_rename = 38, amd64:82, arm64:riscv64:???, mips64le:5080
 __NR_renameat = 386:302, amd64:264, arm:329, arm64:38, mips64le:5254, ppc64le:293, riscv64:???, s390x:295
@@ -830,6 +847,8 @@ __NR_stat = 106, amd64:4, arm64:riscv64:???, mips64le:5004
 __NR_stat64 = 195, amd64:arm64:mips64le:ppc64le:riscv64:s390x:???
 __NR_statfs = 99, amd64:137, arm64:riscv64:43, mips64le:5134
 __NR_statx = 291, 386:ppc64le:383, amd64:332, arm:397, mips64le:5326, s390x:379
+__NR_swapoff = 115, amd64:168, arm64:riscv64:225, mips64le:5163
+__NR_swapon = 87, amd64:167, arm64:riscv64:224, mips64le:5162
 __NR_symlink = 83, amd64:88, arm64:riscv64:???, mips64le:5086
 __NR_symlinkat = 36, 386:304, amd64:266, arm:331, mips64le:5256, ppc64le:295, s390x:297
 __NR_sync = 36, amd64:162, arm64:riscv64:81, mips64le:5157