From patchwork Tue Sep 5 22:35:49 2017
X-Patchwork-Submitter: Petar Penkov
X-Patchwork-Id: 810312
From: Petar Penkov
To: netdev@vger.kernel.org
Cc: Petar Penkov
Subject: [PATCH net-next RFC 0/2] Improve code coverage of syzkaller
Date: Tue, 5 Sep 2017 15:35:49 -0700
Message-Id: <20170905223551.27925-1-ppenkov@google.com>
X-Mailer: git-send-email 2.14.1.581.gf28d330327-goog
X-Mailing-List: netdev@vger.kernel.org

This patch series is intended to improve code coverage of syzkaller on the
early receive path, specifically including flow dissector, GRO, and GRO with
frags parts of the networking stack. Syzkaller exercises the stack through the
TUN driver and this is therefore where changes reside.

Current coverage through netif_receive_skb() is limited as it does not touch on
any of the aforementioned code paths. Furthermore, for full coverage, it is
necessary to have more flexibility over the linear and non-linear data of the
skbs. The following patches address this by providing the user (syzkaller) with
the ability to send via napi_gro_receive() and napi_gro_frags(). Additionally,
syzkaller can specify how many fragments there are and how much data per
fragment there is. This is done by exploiting the convenient structure of
iovecs. Finally, this patch series adds support for exercising the flow
dissector during fuzzing.

The code path including napi_gro_receive() can be enabled via the
CONFIG_TUN_NAPI compile-time flag, and can be used by users other than
syzkaller. The remainder of the changes in this patch series give the user
significantly more control over packets entering the kernel. To avoid potential
security vulnerabilities, hide the ability to send custom skbs and the flow
dissector code paths behind a run-time flag IFF_NAPI_FRAGS that is advertised
and accepted only if CONFIG_TUN_NAPI is enabled.

The patch series will be followed with changes to packetdrill, where these
additions to the TUN driver are exercised and demonstrated. This will give the
ability to write regression tests for specific parts of the early networking
stack.

Patch 1/ Add NAPI struct per receive queue, enable NAPI, and use
         napi_gro_receive()
Patch 2/ Use NAPI skb and napi_gro_frags(), exercise flow dissector, and
         allow custom skbs.

Petar Penkov (2):
  tun: enable NAPI for TUN/TAP driver
  tun: enable napi_gro_frags() for TUN/TAP driver

 drivers/net/Kconfig         |   8 ++
 drivers/net/tun.c           | 251 +++++++++++++++++++++++++++++++++++++++++---
 include/uapi/linux/if_tun.h |   1 +
 3 files changed, 246 insertions(+), 14 deletions(-)