Currently syz-env make test failed due to the following error:

--- FAIL: TestGenerate (7.42s)
    --- FAIL: TestGenerate/linux/386 (1.06s)
        csource_test.go:66: seed=1595642834780028916
        --- FAIL: TestGenerate/linux/386/23 (0.25s)

...
                <stdin>: In function 'syz_btf_id_by_name':
                <stdin>:330:8: error: 'BTF_KIND_FUNC_PROTO' undeclared (first use in this function); did you mean 'BTF_KIND_UNION'?
                <stdin>:330:8: note: each undeclared identifier is reported only once for each function it appears in
                <stdin>:331:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_param'
                <stdin>:333:8: error: 'BTF_KIND_VAR' undeclared (first use in this function); did you mean 'BTF_KIND_PTR'?
                <stdin>:334:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_var'
                <stdin>:336:8: error: 'BTF_KIND_DATASEC' undeclared (first use in this function); did you mean 'BTF_KIND_PTR'?
                <stdin>:337:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_var_secinfo'

I suspect the reason is that syz-env is using an older linux version (so only a portion of BTF_* is not found). How should I fix this problem?

Currently syz-env make test failed due to the following error:

--- FAIL: TestGenerate (7.42s)
    --- FAIL: TestGenerate/linux/386 (1.06s)
        csource_test.go:66: seed=1595642834780028916
        --- FAIL: TestGenerate/linux/386/23 (0.25s)

...
                <stdin>: In function 'syz_btf_id_by_name':
                <stdin>:330:8: error: 'BTF_KIND_FUNC_PROTO' undeclared (first use in this function); did you mean 'BTF_KIND_UNION'?
                <stdin>:330:8: note: each undeclared identifier is reported only once for each function it appears in
                <stdin>:331:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_param'
                <stdin>:333:8: error: 'BTF_KIND_VAR' undeclared (first use in this function); did you mean 'BTF_KIND_PTR'?
                <stdin>:334:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_var'
                <stdin>:336:8: error: 'BTF_KIND_DATASEC' undeclared (first use in this function); did you mean 'BTF_KIND_PTR'?
                <stdin>:337:18: error: invalid application of 'sizeof' to incomplete type 'struct btf_var_secinfo'

I suspect the reason is that syz-env is using an older linux version (so only a portion of BTF_* is not found). How should I fix this problem?

https://github.com/google/syzkaller/blob/master/docs/pseudo_syscalls.md
should answer your question (search for "headers for recently added kernel subsystems").

Yes, malloc is not OK and don't use FILE*.

mmap'ing something at a fixed address is minimal disturbance to the kernel behavior. We could mmap the file as well rather than read it in, should also make the code simpler.
I think we could choose some fixed unused address, mmap the file there with MAP_FIXED, if the mmap fails because something is already mapped, assume another syscall has already mapped it, so just use it.

I think we could choose some fixed unused address, mmap the file there with MAP_FIXED, if the mmap fails because something is already mapped, assume another syscall has already mapped it, so just use it.

It seems like it is not possible to mmap the file /sys/kernel/btf/vmlinux (see here). The last time I tried to mmap it, it failed with ENODEV.

Is using mmap with MAP_FIXED | MAP_ANONYMOUS to dynamically obtain memory allowed?

I think we could choose some fixed unused address, mmap the file there with MAP_FIXED, if the mmap fails because something is already mapped, assume another syscall has already mapped it, so just use it.

It seems like it is not possible to mmap the file /sys/kernel/btf/vmlinux (see here). The last time I tried to mmap it, it failed with ENODEV.

Yikes!
It's even stored in a continuous region of memory in the kernel already :(

Is using mmap with MAP_FIXED | MAP_ANONYMOUS to dynamically obtain memory allowed?

Let's say, yes. There are no strict rules. We are just trying to disturb execution as less as possible and make things as deterministic as possible.

Is using mmap with MAP_FIXED | MAP_ANONYMOUS to dynamically obtain memory allowed?

Let's say, yes. There are no strict rules. We are just trying to disturb execution as less as possible and make things as deterministic as possible.

Should we be careful to not do a MAP_FIXED over an existing mapping? Maybe use MAP_FIXED_NOREPLACE instead?

What will be the best way to obtain a fixed address that is portable to different architecture? I am looking at virtual memory mappings on different architecture, but not sure if I am on the right direction.

Codecov Report

Merging #1971 into master will increase coverage by 0.1%.
The diff coverage is 60.0%.

What will be the best way to obtain a fixed address that is portable to different architecture? I am looking at virtual memory mappings on different architecture, but not sure if I am on the right direction.

Check that it does not overlap with any existing mapping. Works for 32-bits. Not too low, not too high (kernel tends to map something there). I would probably take address close to our data region (mapped in os_init), but not adjacent to it.

Fix the problems above and convert the draft into a normal pull request.
@jedav @morehouse @dvyukov
I will squash the commits once it is approved.

The only problem I am facing is that when I run the test syz-runtest -vv 5 -debug -config config.json -tests btf_id, it shows the following error:

btf_id /thr C                         : FAIL: run 0: wrong call 1 result 22, want 0
        ### start
        ### call=1 errno=22
        ### call=2 errno=9
        ### call=3 errno=9
        ### call=4 errno=9
        ### call=6 errno=22
        ### call=7 errno=9
        ### call=8 errno=9
        ### call=9 errno=9
        ### call=0 errno=0
        ### call=5 errno=0

where the content of btf_id is

r0 = syz_btf_id_by_name(&AUTO='bpf_lsm_path_mkdir\x00')
r1 = bpf$BPF_LSM_PROG_LOAD(0x5, &AUTO=@test0={0x1d, 0x2, &AUTO={{0xb7, 0x0, 0x0, 0x0, 0x0}, {0x95, 0x0, 0x0, 0x0, 0x0}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 'test\x00', 0x0, 0x1b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r0, 0x0}, 0x78)
r2 = bpf$BPF_LSM_RAW_TRACEPOINT_OPEN(0x11, &AUTO={0x0, r1}, 0x10)
close(r2)
close(r1)
r3 = syz_btf_id_by_name(&AUTO='bpf_lsm_path_mkdir\x00')
r4 = bpf$BPF_LSM_PROG_LOAD(0x5, &AUTO=@test0={0x1d, 0x2, &AUTO={{0xb7, 0x0, 0x0, 0x0, 0x0}, {0x95, 0x0, 0x0, 0x0, 0x0}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 'test\x00', 0x0, 0x1b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r3, 0x0}, 0x78)
r5 = bpf$BPF_LSM_RAW_TRACEPOINT_OPEN(0x11, &AUTO={0x0, r4}, 0x10)
close(r5)
close(r4)

So it seems like call 1 (r1 = bpf$BPF_LSM_PROG_LOAD) is completed before call 0 (r0 = syz_btf_id_by_name). I don't quite understand how this can happen because r0 is used as an argument in call `.

The only problem I am facing is that when I run the test syz-runtest -vv 5 -debug -config config.json -tests btf_id, it shows the following error:

btf_id /thr C                         : FAIL: run 0: wrong call 1 result 22, want 0
        ### start
        ### call=1 errno=22
        ### call=2 errno=9
        ### call=3 errno=9
        ### call=4 errno=9
        ### call=6 errno=22
        ### call=7 errno=9
        ### call=8 errno=9
        ### call=9 errno=9
        ### call=0 errno=0
        ### call=5 errno=0

where the content of btf_id is

r0 = syz_btf_id_by_name(&AUTO='bpf_lsm_path_mkdir\x00')
r1 = bpf$BPF_LSM_PROG_LOAD(0x5, &AUTO=@test0={0x1d, 0x2, &AUTO={{0xb7, 0x0, 0x0, 0x0, 0x0}, {0x95, 0x0, 0x0, 0x0, 0x0}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 'test\x00', 0x0, 0x1b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r0, 0x0}, 0x78)
r2 = bpf$BPF_LSM_RAW_TRACEPOINT_OPEN(0x11, &AUTO={0x0, r1}, 0x10)
close(r2)
close(r1)
r3 = syz_btf_id_by_name(&AUTO='bpf_lsm_path_mkdir\x00')
r4 = bpf$BPF_LSM_PROG_LOAD(0x5, &AUTO=@test0={0x1d, 0x2, &AUTO={{0xb7, 0x0, 0x0, 0x0, 0x0}, {0x95, 0x0, 0x0, 0x0, 0x0}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 'test\x00', 0x0, 0x1b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, r3, 0x0}, 0x78)
r5 = bpf$BPF_LSM_RAW_TRACEPOINT_OPEN(0x11, &AUTO={0x0, r4}, 0x10)
close(r5)
close(r4)

So it seems like call 1 (r1 = bpf$BPF_LSM_PROG_LOAD) is completed before call 0 (r0 = syz_btf_id_by_name). I don't quite understand how this can happen because r0 is used as an argument in call `.

syz_btf_id_by_name is probably too slow.
executor has 45 ms timeout for execution of syscalls:
https://github.com/google/syzkaller/blob/master/executor/executor.cc#L731
If a syscall does not finish within that timeout the next syscalls is kicked off. That's probably what you are seeing.
Check out the timeout syscall attribute:

$ grep "(timeout" sys/linux/*.txt

After increasing the time limit, the problem with syz-runtest is now:

btf_id namespace                      : FAIL: run 0: wrong call 1 result 1, want 0
btf_id namespace/cover                : FAIL: run 0: call 0 is not executed
btf_id namespace C                    : FAIL: run 0: wrong call 1 result 1, want 0

I think I need to change pkg/host/syscalls_linux.go by allowing syz_btf_id_by_name only when onlySandboxNone(). Is this correct?

After increasing the time limit, the problem with syz-runtest is now:

btf_id namespace                      : FAIL: run 0: wrong call 1 result 1, want 0
btf_id namespace/cover                : FAIL: run 0: call 0 is not executed
btf_id namespace C                    : FAIL: run 0: wrong call 1 result 1, want 0

I think I need to change pkg/host/syscalls_linux.go by allowing syz_btf_id_by_name only when onlySandboxNone(). Is this correct?

If it requires CAP_ADMIN, then yes.

I am waiting for #2005 to be merged so I can run make presubmit. I also need to change that part of the file.

#2005 is merged now. Please rebase.

When I run syz-runtest -config config.json -tests btf_id the test failed with:

btf_id none/cover                     : FAIL: run 0: call 3: no cover
btf_id none/repeat/cover              : FAIL: run 1: call 3: no cover
btf_id none/thr/repeat/cover          : FAIL: run 1: call 3: no cover

Call 3 is the second call to the psuedo-syscall syz_btf_id_by_name. It is not getting coverage because syz_btf_id_by_name does not read vmlinux in second and later calls. Thus, it should be normal for this call to not get any coverage. Wonder what I should do here.

Also, is it important to pass all the test in syz-runtest? I ask @necipfazil before and he advised me to use syz-execprog to do the testing instead.

By the way, syz-runtest do not work for now:

2020/08/05 17:59:25 io_uring: unknown comment "Create an io_uring instance"

It seems like there need to be an extra blank line before each syscall, or the parser will assume the comment is the expected errno.
I could submit a quick fix if this should be done.

And also, I can not pass the make presubmit check now because there are a lot of commit messages that does not follow the format:

##[error]Wrong commit subject format: 'Revert "dashboard/config: select KCSAN_VERBOSE in KCSAN config"'. Please use 'main/affected/package: short change description'. See docs/contributing.md for details.
##[error]Wrong commit subject format: 'Revert "dashboard/config: disable PARAVIRT_DEBUG with KCSAN"'. Please use 'main/affected/package: short change description'. See docs/contributing.md for details.
##[error]Wrong commit subject format: 'Revert "executor: enable extra coverage on OpenBSD"'. Please use 'main/affected/package: short change description'. See docs/contributing.md for details.
##[error]Wrong commit subject format: 'dashboard/app: Receive Recipients from API'. Please use 'main/affected/package: short change description'. See docs/contributing.md for details.
...

I think this will be resolved once #2015 is merged. This commit passed other tests now. I will squash my commits once they are approved.

And also, I can not pass the make presubmit check now because there are a lot of commit messages that does not follow the format:

Fixes for this merged. Should work now.

Also, is it important to pass all the test in syz-runtest? I ask @necipfazil before and he advised me to use syz-execprog to do the testing instead.

Yes, syz-runtest should pass.
syz-execprog is handy for initial development b/c you can do iterations faster, while syz-runtest takes some time.
But syz-execprog tests literally nothing, it is happy with any outcome, it also does not test multiple execution modes, sandboxes, C reproducers, etc. While syz-runtest tests all that.
Eventually we will enable syz-runtest on CI, it's just tricky b/c it needs working kernel+vm.

Re syz_btf_id_by_name and "no coverage", I think we should just special-case syz_btf_id_by_name in pkg/runtest for now. It's intentional that it does not get coverage. And since it's first such syscall, I don't think it makes sense to implement something more fundamental right now.

The change itself looks good to me.
Please rebase to HEAD so that CI passes, squash commits and fix pkg/runtest, and we are ready for merge.

I fixed the problem and now it passes CI checks.
Please let me know if there are any problem. Thank you very much.

Perfect!
I am eager to see syzbot reaction :)