OpenBSD CVS

CVS log for src/sys/dev/kcov.c




Default branch: MAIN


Revision 1.49 / (download) - annotate - [select for diffs], Sat Jul 29 06:52:50 2023 UTC (10 months, 1 week ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.48: +25 -20 lines
Diff to previous 1.48 (colored)

Read curcpu once in kcov code hot paths.

Revision 1.48 / (download) - annotate - [select for diffs], Wed Jan 19 06:46:55 2022 UTC (2 years, 4 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.47: +1 -41 lines
Diff to previous 1.47 (colored)

Remove temporary verbose logging.

Revision 1.47 / (download) - annotate - [select for diffs], Wed Jan 12 19:55:12 2022 UTC (2 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.46: +5 -5 lines
Diff to previous 1.46 (colored)

Extend the verbose logging.

Revision 1.46 / (download) - annotate - [select for diffs], Tue Jan 11 06:23:05 2022 UTC (2 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.45: +41 -1 lines
Diff to previous 1.45 (colored)

Add temporary verbose logging when remote coverage fails to attach.
In the hopes of tracking down a rare bug seen on syzkaller.

Revision 1.45 / (download) - annotate - [select for diffs], Tue Jan 11 06:00:41 2022 UTC (2 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.44: +2 -3 lines
Diff to previous 1.44 (colored)

In revision 1.43 of kcov.c, the redundant conditional of checking for
an existing kcov descriptor with the given device minor was removed since
kcov is a cloning device; i.e. the device minor should always be unique.

However, there's one edge case to still consider in which one thread
has tracing enabled while another thread closes the same kcov
descriptor. The kcov descriptor is kept alive until the thread with tracing
enabled exits to prevent usage after free. This does however cause the
spec file layer above to flag the device minor as unused. Any subsequent
open of /dev/kcov would trip on the assertion in kcovopen() until the
thread with tracing enabled exits.

Therefore unconditionally remove the kcov descriptor from the global
list of active descriptors which is fine since the same kcov descriptor
will later be freed in kcov_exit().

I have never seen this in the wild but realized while hunting another
bug.

Revision 1.44 / (download) - annotate - [select for diffs], Wed Dec 29 07:15:13 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.43: +16 -1 lines
Diff to previous 1.43 (colored)

Do not allow send/receive of kcov descriptors as the file descriptor can
be kept alive longer than expected, causing syzkaller to no longer be
able to enable remote coverage.

ok visa@

Reported-by: syzbot+ab2016d729cda7b0d003@syzkaller.appspotmail.com

Revision 1.43 / (download) - annotate - [select for diffs], Tue Dec 28 17:50:10 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.42: +5 -13 lines
Diff to previous 1.42 (colored)

The initial kd_lookup() in kcovopen() is redundant as kcov is a cloning
device. Turn it into an assertion instead to better state the expected
semantics of D_CLONE.

Prompted after a discussion with visa@

Revision 1.42 / (download) - annotate - [select for diffs], Mon Dec 27 15:38:25 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

Yet another errno correction.

Revision 1.41 / (download) - annotate - [select for diffs], Tue Dec 21 06:08:57 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.40: +18 -8 lines
Diff to previous 1.40 (colored)

errno overhaul, getting rid of some ambiguity. In the hopes of tracking
down a rare but annoying problem related to remote coverage exposed by
syzkaller.

Revision 1.40 / (download) - annotate - [select for diffs], Sun Dec 19 07:45:59 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.39: +11 -8 lines
Diff to previous 1.39 (colored)

Reduce the overhead of all trace routines by returning as early as
possible in kd_curproc().

Revision 1.39 / (download) - annotate - [select for diffs], Sat Dec 18 08:24:31 2021 UTC (2 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.38: +25 -24 lines
Diff to previous 1.38 (colored)

Reduce the overhead of the trace compare routines by checking if kcov is
enabled for the current thread before doing anything else.

Revision 1.38 / (download) - annotate - [select for diffs], Mon Jul 5 05:50:19 2021 UTC (2 years, 11 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.37: +1 -4 lines
Diff to previous 1.37 (colored)

rename kd_put() -> kd_copy()

Revision 1.37 / (download) - annotate - [select for diffs], Mon Jul 5 05:49:30 2021 UTC (2 years, 11 months ago) by anton
Branch: MAIN
Changes since 1.36: +4 -4 lines
Diff to previous 1.36 (colored)

rename kd_put() -> kd_copy()

Revision 1.36 / (download) - annotate - [select for diffs], Sat Oct 10 07:07:46 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.35: +3 -2 lines
Diff to previous 1.35 (colored)

Clear the kcov device for the current thread before freeing the same
kcov device. Prevents a use-after-free, note I've never seen this one in
practice.

Revision 1.35 / (download) - annotate - [select for diffs], Sun Oct 4 18:49:22 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.34: +1 -3 lines
Diff to previous 1.34 (colored)

Remove outdated comment.

Revision 1.34 / (download) - annotate - [select for diffs], Sat Oct 3 07:31:12 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.33: +115 -24 lines
Diff to previous 1.33 (colored)

Collect coverage from interrupts. Currently limited to remote sections
which allows coverage of timeouts executed from softclock to be
collected.

During boot, a dedicated coverage buffer per CPU is allocated which is
used to collect coverage in interrupts.

The kcov implementation in Linux recently added the same functionality.

ok mpi@

Revision 1.33 / (download) - annotate - [select for diffs], Sat Sep 26 12:06:37 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.32: +13 -10 lines
Diff to previous 1.32 (colored)

Make kd_claim() accept an explicit argument representing the number of
entries to claim in the coverage buffer. In preparation for some
upcoming changes.

ok mpi@ as part of a larger diff

Revision 1.32 / (download) - annotate - [select for diffs], Sat Sep 26 12:01:57 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.31: +10 -6 lines
Diff to previous 1.31 (colored)

Read curproc once in kcov_remote_enter() and kcov_remote_leave().

Revision 1.31 / (download) - annotate - [select for diffs], Sat Sep 26 11:59:59 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.30: +2 -1 lines
Diff to previous 1.30 (colored)

KCOV_BUF_MAX_NMEMB is defined under _KERNEL in sys/kcov.h but only used
in dev/kcov.c; therefore move it to dev/kcov.c.

Revision 1.30 / (download) - annotate - [select for diffs], Sat Sep 26 11:58:17 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored)

Fix typo in comment.

Revision 1.29 / (download) - annotate - [select for diffs], Fri Sep 25 09:43:01 2020 UTC (3 years, 8 months ago) by anton
Branch: MAIN
Changes since 1.28: +5 -8 lines
Diff to previous 1.28 (colored)

Remove the workaround in kcov_remote_leave() that is no longer needed since
the introduction of the remote barrier in revision 1.26.

Revision 1.28 / (download) - annotate - [select for diffs], Sun Aug 30 13:19:44 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.27: +3 -1 lines
Diff to previous 1.27 (colored)

add missing wakeup for the unlikely dying case

Revision 1.27 / (download) - annotate - [select for diffs], Sun Aug 30 13:18:10 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

use unique wait messages with msleep_nsec()

Revision 1.26 / (download) - annotate - [select for diffs], Sat Aug 29 08:41:11 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.25: +102 -41 lines
Diff to previous 1.25 (colored)

Before clearing the kcov descriptor associated with a thread make sure
no other thread is currently within a remote section. Otherwise, the
remote subsystem could end up in a broken state where it doesn't reset
the necessary bits upon leaving the remote section.

Therefore introduce the kr_barrier() routine which waits until all
ongoing remote sections have been left. Also, extend the scope of the
mutex to also cover fields of struct kcov_dev. This is necessary to
ensure correctness.

Reported-by: syzbot+64122a5f01be1b1abb96@syzkaller.appspotmail.com

Revision 1.25 / (download) - annotate - [select for diffs], Sat Aug 29 08:24:33 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.24: +21 -21 lines
Diff to previous 1.24 (colored)

Prepare to extend the scope of the kcov remote mutex by renaming it to
something more generic. It will soon cover the whole kcov subsystem.

Revision 1.24 / (download) - annotate - [select for diffs], Fri Aug 28 08:31:19 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

free the correct object when a remote subsystem already is present

Revision 1.23 / (download) - annotate - [select for diffs], Fri Aug 14 11:51:07 2020 UTC (3 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.22: +7 -5 lines
Diff to previous 1.22 (colored)

When detaching common remote coverage, do not clear any fields. Instead,
let kr_free() do the work. Otherwise a thread currently inside a remote
section could end up not decrementing the number of ongoing sections
while exiting the same remote section.

Reported-by: syzbot+1252e696865efc29b767@syzkaller.appspotmail.com

Revision 1.22 / (download) - annotate - [select for diffs], Sat Aug 1 08:40:20 2020 UTC (3 years, 10 months ago) by anton
Branch: MAIN
Changes since 1.21: +251 -8 lines
Diff to previous 1.21 (colored)

Add support for remote coverage to kcov. Remote coverage is collected
from threads other than the one currently having kcov enabled. A thread
with kcov enabled occasionally delegates work to another thread,
collecting coverage from such threads improves the ability of syzkaller
to correlate side effects in the kernel caused by issuing a syscall.

Remote coverage is divided into subsystems. The only supported subsystem
right now collects coverage from scheduled tasks and timeouts on behalf
of a kcov enabled thread. In order to make this work `struct task' and
`struct timeout' must be extended with a new field keeping track of the
process that scheduled the task/timeout. Both aforementioned structures
have therefore increased with the size of a pointer on all
architectures.

The kernel API is documented in a new kcov_remote_register(9) manual.

Remote coverage is also supported by kcov on NetBSD and Linux.

ok mpi@

Revision 1.21 / (download) - annotate - [select for diffs], Fri Jul 31 07:11:35 2020 UTC (3 years, 10 months ago) by anton
Branch: MAIN
Changes since 1.20: +31 -13 lines
Diff to previous 1.20 (colored)

Make writes to the coverage buffer MP-safe using atomic operations.
The new routine kd_claim() returns the next available entry in the
buffer. Since the first element in the buffer is reserved to hold the
number of entries, zero can be used as a sentinel value meaning that the
buffer is full.

A mere preparation for upcoming remote coverage support in which the
buffer can be accessed by multiple threads concurrently.

ok mpi@ as part of a larger diff
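The buffer scheme described in the 1.21 and 1.33 log entries, as an added userland model written in C for this page (it is not the OpenBSD kcov.c code): index 0 of the buffer holds the entry count, kd_claim() reserves slots with a compare-and-swap, and 0 is returned when the claim does not fit. The toy buffer size, the kd_record()/kd_entry() helpers and the 4-entry comparison record are assumptions of this example.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Model of the kcov coverage buffer (not the OpenBSD code): kd_buf[0] is the
 * number of recorded entries, kd_claim() reserves nmemb consecutive slots with
 * a compare-and-swap, and 0 (the header's own index) doubles as the "buffer
 * full" sentinel. KD_NMEMB is an assumed toy size for this example.
 */
#define KD_NMEMB 8

struct kcov_dev {
	_Atomic uintptr_t kd_buf[KD_NMEMB]; /* [0] = count, [1..] = entries */
	size_t kd_nmemb;
};

static void
kd_init(struct kcov_dev *kd)
{
	kd->kd_nmemb = KD_NMEMB;
	for (size_t i = 0; i < KD_NMEMB; i++)
		atomic_store(&kd->kd_buf[i], 0);
}

/* Reserve nmemb consecutive entries; return the first index, or 0 if full. */
static size_t
kd_claim(struct kcov_dev *kd, size_t nmemb)
{
	uintptr_t cnt = atomic_load(&kd->kd_buf[0]);

	for (;;) {
		/* Usable slots are 1..kd_nmemb-1, so cnt + nmemb must stay below. */
		if (cnt + nmemb >= kd->kd_nmemb)
			return 0;
		/* On failure, cnt is refreshed with the value another CPU stored. */
		if (atomic_compare_exchange_weak(&kd->kd_buf[0], &cnt, cnt + nmemb))
			return cnt + 1;
	}
}

/* Store an n-entry record (1 for a PC, 4 for a comparison) or drop it whole. */
static int
kd_record(struct kcov_dev *kd, const uintptr_t *rec, size_t n)
{
	size_t idx = kd_claim(kd, n);

	if (idx == 0)
		return 0;
	for (size_t i = 0; i < n; i++)
		atomic_store(&kd->kd_buf[idx + i], rec[i]);
	return 1;
}

static uintptr_t
kd_entry(struct kcov_dev *kd, size_t idx)
{
	return atomic_load(&kd->kd_buf[idx]);
}
```

Because a multi-entry record is claimed as a unit, a comparison record that does not fit is dropped entirely rather than leaving a partial record at the end of the buffer.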

Revision 1.20 / (download) - annotate - [select for diffs], Sun Jun 7 19:23:33 2020 UTC (4 years ago) by anton
Branch: MAIN
Changes since 1.19: +7 -7 lines
Diff to previous 1.19 (colored)

Turn anonymous state enum into preprocessor defines, paves the way for
reuse.

Revision 1.19 / (download) - annotate - [select for diffs], Mon May 25 14:00:15 2020 UTC (4 years ago) by anton
Branch: MAIN
Changes since 1.18: +5 -1 lines
Diff to previous 1.18 (colored)

Add a comment explaining the interaction between kcovclose() and
kcov_exit().

Revision 1.18 / (download) - annotate - [select for diffs], Sun May 17 08:46:05 2020 UTC (4 years ago) by anton
Branch: MAIN
Changes since 1.17: +8 -1 lines
Diff to previous 1.17 (colored)

Prevent kcov from collecting coverage after the kernel has panicked.
This could happen if curproc had kcov enabled while panicking.

ok mpi@ visa@

Revision 1.17 / (download) - annotate - [select for diffs], Sat May 16 08:38:34 2020 UTC (4 years ago) by anton
Branch: MAIN
Changes since 1.16: +1 -26 lines
Diff to previous 1.16 (colored)

remove unused debug statements

Revision 1.16 / (download) - annotate - [select for diffs], Sat May 16 08:35:49 2020 UTC (4 years ago) by anton
Branch: MAIN
Changes since 1.15: +27 -35 lines
Diff to previous 1.15 (colored)

In preparation for stopping coverage collection once the kernel has
panicked, extract common parts between the two coverage collection
functions to a new helper called kd_curproc(). While here, sprinkle a
few branch prediction hints borrowed from NetBSD.

ok mpi@ visa@

Revision 1.15 / (download) - annotate - [select for diffs], Sun May 19 08:55:27 2019 UTC (5 years ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.14: +12 -7 lines
Diff to previous 1.14 (colored)

During fuzzing, one or many fuzzing processes are often stuck waiting on
memory from the subproc malloc subsystem which is exhausted. Attempt to
circumvent such scenarios by allocating the kcov coverage buffer using
km_alloc() instead.

With help from kettenis@ and ok visa@

Revision 1.14 / (download) - annotate - [select for diffs], Tue May 14 13:44:45 2019 UTC (5 years ago) by jsg
Branch: MAIN
Changes since 1.13: +3 -2 lines
Diff to previous 1.13 (colored)

armv7 and arm64 also have ci_idepth

ok anton@

Revision 1.13 / (download) - annotate - [select for diffs], Sun Jan 20 09:57:23 2019 UTC (5 years, 4 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.12: +133 -2 lines
Diff to previous 1.12 (colored)

Add support for a new kcov trace mode called KCOV_MODE_TRACE_CMP where
comparison instructions and switch statements are being traced. This mode will
be used during fuzzing to generate even more coverage. The same mode is also
supported by FreeBSD and Linux.

Thanks to jmc@ for improving the manual bits.

ok bluhm@ visa@

Revision 1.12 / (download) - annotate - [select for diffs], Sun Jan 20 09:47:31 2019 UTC (5 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Rework conditional for clarity, no functional change.

ok bluhm@ visa@ (as part of a larger diff)

Revision 1.11 / (download) - annotate - [select for diffs], Sat Jan 19 17:23:32 2019 UTC (5 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

backout previous; syzkaller did not cope well with this change

Revision 1.10 / (download) - annotate - [select for diffs], Wed Jan 16 19:27:07 2019 UTC (5 years, 4 months ago) by anton
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

Deny mmap() on enabled kcov fds. Sometimes syzkaller manages to duplicate an
existing kcov fd and corrupt the coverage buffer.

ok bluhm@ visa@

Revision 1.9 / (download) - annotate - [select for diffs], Thu Jan 3 08:56:53 2019 UTC (5 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.8: +2 -3 lines
Diff to previous 1.8 (colored)

Favor ENOTTY for unknown ioctl commands.

Revision 1.8 / (download) - annotate - [select for diffs], Thu Dec 27 19:33:08 2018 UTC (5 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.7: +8 -2 lines
Diff to previous 1.7 (colored)

Make KIOENABLE accept a mode argument, currently limited to KCOV_MODE_TRACE_PC.

Thanks to jmc@ for improving the manual bits.

ok deraadt@ mpi@

Revision 1.7 / (download) - annotate - [select for diffs], Thu Dec 27 10:04:16 2018 UTC (5 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.6: +33 -23 lines
Diff to previous 1.6 (colored)

Separate kcov descriptor state and trace mode as a first step towards supporting
different trace modes.

ok mpi@

Revision 1.6 / (download) - annotate - [select for diffs], Tue Dec 25 21:56:53 2018 UTC (5 years, 5 months ago) by anton
Branch: MAIN
Changes since 1.5: +16 -11 lines
Diff to previous 1.5 (colored)

In the kcov ioctl(KIOSETBUFSIZE) path, malloc() can sleep. Double check that
someone else didn't win the race.

ok mpi@

Revision 1.5 / (download) - annotate - [select for diffs], Wed Dec 12 07:29:38 2018 UTC (5 years, 6 months ago) by anton
Branch: MAIN
Changes since 1.4: +12 -4 lines
Diff to previous 1.4 (colored)

Make kcov MP-safe. Calling the injected tracing function
__sanitizer_cov_trace_pc() early in the boot process caused a subtle
crash while booting the secondary CPU(s). On amd64, accessing curcpu
during this period is not safe since its GSBASE register is not yet
written. After the CPU has been booted curproc can also be NULL for a
brief period of time before the idle thread tied to the same CPU has
started. The two problems can simply be avoided by postponing access to
curcpu and curproc until /dev/kcov has been opened at least once.

The end goal here is to allow fuzzing of MP kernels, which already is in
full swing.

This work has gone through many iterations before settling on the least
intrusive change; many thanks to visa@ for reviewing and providing
valuable input.

Issue originally reported by Greg Steuck on tech@ who also took the time
to test all iterations and provided me with access to a virtualised OpenBSD
machine for easier testing.

ok mpi@ visa@

Revision 1.4 / (download) - annotate - [select for diffs], Mon Aug 27 15:57:39 2018 UTC (5 years, 9 months ago) by anton
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.3: +18 -19 lines
Diff to previous 1.3 (colored)

Rename struct kd -> kcov_dev. The terse name was initially fine since it wasn't
used outside of dev/kcov.c. Nowadays, struct proc includes a kcov pointer and it
therefore deserves a more descriptive name.

Prodded by visa@; ok deraadt@ visa@

Revision 1.3 / (download) - annotate - [select for diffs], Sat Aug 25 15:38:07 2018 UTC (5 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.2: +34 -29 lines
Diff to previous 1.2 (colored)

Change kcov semantics, kernel code coverage tracing is now enabled on a per
thread basis instead of process. The decision to enable on process made
development easier initially but could lead to non-deterministic results for
processes with more than one thread. This behavior matches the implementation
found on both Linux and FreeBSD.

With help and ok mpi@ visa@

Revision 1.2 / (download) - annotate - [select for diffs], Tue Aug 21 18:06:12 2018 UTC (5 years, 9 months ago) by anton
Branch: MAIN
Changes since 1.1: +1 -5 lines
Diff to previous 1.1 (colored)

Rework kcov kernel config. Instead of treating kcov as both an option and a
pseudo-device, get rid of the option. Enabling kcov now requires the following
line to be added to the kernel config:

  pseudo-device kcov 1

This is how pseudo devices are enabled in general. A side-effect of this change
is that dev/kcov.c will no longer be compiled by default.

Prodded by deraadt@; ok mpi@ visa@

Revision 1.1 / (download) - annotate - [select for diffs], Sun Aug 19 11:42:33 2018 UTC (5 years, 9 months ago) by anton
Branch: MAIN

Add kcov(4), a kernel code coverage tracing driver. It's used in conjunction
with the syzkaller kernel fuzzer. So far, 8 distinct panics have been found and
fixed. This effort will continue.

kcov is limited to architectures using Clang as their default compiler and is
not enabled by default.

With help from mpi@, thanks!

ok kettenis@ mpi@ visa@
