Note: make presubmit fails at the make lint with the following error message pkg/host/syscalls_linux.go:173:1: cyclomatic complexity 27 of func "isSupportedSyzkall" is high (> 24). This seems to be due to the additional branches in the "isSupportedSyzkall", does anyone have any solution for that?

Hi Stefano,

It needs to be refactored somehow to reduce cyclomatic complexity.
Perhaps a map from syscall name to checking function will help to reduce it once and for all.
An intermediate solution may be to combine some functions into a single case, but I am not sure how exactly the checker counts, maybe it won't help.

Codecov Report

Merging #2001 into master will increase coverage by 0.1%.
The diff coverage is 50.0%.

My local instance running without syz_fuse_mount for 20h more now got to 61% of readdir.c. So it seems that the fuzzer is capable of getting all that coverage, maybe just somewhat slower. Slightly bumping priority of using the directory with a new pseudo-syscall does not look like a good RoI. And this helps only 1 filesystem out of 92, while applicable to all of them. I am thinking about some alternative approaches.

1. It seem that we could slightly modify existing syz_mount_image to get the same effect: pass empty image for fuse, and then if image is empty, skip the memfd/loop part and just do mkdir+mount and add return of the dir fd. This looks equivalent and will benefit all filesystems with few additional lines of C code.
2. Preseeding corpus with more complex scenarios seems to be useful. Please add the getdents program to sys/linux/test as well and we will figure out how to inject them into fuzzer corpus. If we start injecting them, then more non-trivial programs there will be useful. I hate working around fuzzer deficiencies with brute-force preseeding, but, well, all is fair in love, war and fuzzing.
3. Perhaps we can do some generic improvement for O_CREAT that will benefit all operations on all filesystems. But I am not sure what exactly it should be... any ideas?
4. Perhaps we can do some generic improvement in how the fuzzer works with files/directories. For example, how it chooses existing/new filename:
   

   syzkaller/prog/rand.go

   Lines 278 to 302 in 7030187

   	func (r *randGen) filenameImpl(s *state) string {
   	if r.oneOf(100) {
   	return specialFiles[r.Intn(len(specialFiles))]
   	}
   	if len(s.files) == 0 || r.oneOf(10) {
   	// Generate a new name.
   	dir := "."
   	if r.oneOf(2) && len(s.files) != 0 {
   	dir = r.randFromMap(s.files)
   	if dir != "" && dir[len(dir)-1] == 0 {
   	dir = dir[:len(dir)-1]
   	}
   	if r.oneOf(10) && filepath.Clean(dir)[0] != '.' {
   	dir += "/.."
   	}
   	}
   	for i := 0; ; i++ {
   	f := fmt.Sprintf("%v/file%v", dir, i)
   	if !s.files[f] {
   	return f
   	}
   	}
   	}
   	return r.randFromMap(s.files)
   	}

   
   or how fd/fd_dir are organized. fd_dir is a bit of hack now. It does not really anyhow biased towards opening directories, and e.g. we may already have an fd that refers to a dir, but then if we need an fd_dir that existing fd won't be used. As far as I remember I introduced fd_dir just to mark some arguments as "in this position we want a directory". Maybe a better split would be fd and fd_file (refers to some file/dir rather than pipe/dev/memfd/epoll/etc). Or maybe we need to change filenameImpl to use fileN and dirN elements so that it knows later what is what. But I did not think much about this, I am not sure if it will work out or not.

My local instance running without syz_fuse_mount for 20h more now got to 61% of readdir.c. So it seems that the fuzzer is capable of getting all that coverage, maybe just somewhat slower. Slightly bumping priority of using the directory with a new pseudo-syscall does not look like a good RoI. And this helps only 1 filesystem out of 92, while applicable to all of them. I am thinking about some alternative approaches.

1. It seem that we could slightly modify existing syz_mount_image to get the same effect: pass empty image for fuse, and then if image is empty, skip the memfd/loop part and just do mkdir+mount and add return of the dir fd. This looks equivalent and will benefit all filesystems with few additional lines of C code.

I was thinking that a lot more was going on inside syz_mount_image, but I guess that is not the case. I have refactored it and added what I was previously doing inside syz_fuse_mount.

2. Preseeding corpus with more complex scenarios seems to be useful. Please add the getdents program to sys/linux/test as well and we will figure out how to inject them into fuzzer corpus. If we start injecting them, then more non-trivial programs there will be useful. I hate working around fuzzer deficiencies with brute-force preseeding, but, well, all is fair in love, war and fuzzing.

Agreed.

The change looks good to me.
Please rebase to resolve conflicts. We stepped onto each other, sorry. go test ./executor will be a fast way to test for new warnings.

Please rebase to resolve conflicts. We stepped onto each other, sorry. go test ./executor will be a fast way to test for new warnings.

All conflicts should be resolved now. Thanks for suggesting go test ./executor, it definitely helped to speed up the process.