# Overview

This application is intended to fuzz test the SPDK vhost target by supplying
malformed or invalid requests across a unix domain socket. This fuzzer
currently supports fuzzing both vhost block and vhost scsi devices. When
fuzzing a vhost scsi device, users can select whether to fuzz the scsi I/O
queue or the scsi admin queue. Please see the NVMe fuzzer readme for information
on how output is generated, debugging procedures, and the JSON format expected
when supplying preconstructed values to the fuzzer.

## Request Types

Like the NVMe fuzzer, there is an example json file showing the types of requests
that the application accepts. Since the vhost application accepts both vhost block
and vhost scsi commands, there are three distinct object types that can be passed in
to the application.

1. vhost_blk_cmd
2. vhost_scsi_cmd
3. vhost_scsi_mgmt_cmd

Each one of these objects contains distinct data types and they should not be used interchangeably.

All three of the data types begin with three iovec structures describing the request, data, and response
memory locations. By default, these values are overwritten by the application even when supplied as part
of a json file. This is because the request and resp data pointers are intended to point to portions of
the data structure.

If you want to override these iovec values using a json file, you can specify the -k option.
In most cases, this will just result in the application failing all I/O immediately since
the request will no longer point to a valid memory location.

It is possible to supply all three types of requests in a single array to the application. They will be parsed and
submitted to the proper block devices.

## RPC

The vhost fuzzer differs from the NVMe fuzzer in that it expects devices to be configured via rpc. The fuzzer should
always be started with the --wait-for-rpc argument. Please see below for an example of starting the fuzzer.

~~~bash
./test/app/fuzz/vhost_fuzz/vhost_fuzz -t 30 --wait-for-rpc &
./scripts/rpc.py fuzz_vhost_create_dev -s ./Vhost.1 -b -V
./scripts/rpc.py fuzz_vhost_create_dev -s ./naa.VhostScsi0.1 -l -V
./scripts/rpc.py framework_start_init
~~~
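
The start-up sequence above backgrounds the fuzzer and issues RPCs straight away. The wrapper below is an added example, not part of the SPDK sources, that waits for each unix domain socket before using it and returns the fuzzer's exit status. It assumes the fuzzer listens on the default SPDK RPC socket `/var/tmp/spdk.sock` (override with the hypothetical `SPDK_RPC_SOCK` variable) and that the `-s` paths are sockets already exposed by a running vhost target; `wait_for_socket` and `run_vhost_fuzz` are hypothetical helper names.

```bash
#!/bin/sh
# Added example: wrapper around the commands shown above. Helper names are hypothetical.

# Poll until PATH is a unix domain socket, or fail after TIMEOUT seconds.
wait_for_socket() {
    wfs_path=$1
    wfs_timeout=${2:-10}
    wfs_waited=0
    while [ ! -S "$wfs_path" ]; do
        if [ "$wfs_waited" -ge "$wfs_timeout" ]; then
            return 1
        fi
        sleep 1
        wfs_waited=$((wfs_waited + 1))
    done
    return 0
}

# Run from the SPDK repository root.
run_vhost_fuzz() {
    # Assumption: the fuzzer uses the default SPDK RPC socket path.
    rpc_sock=${SPDK_RPC_SOCK:-/var/tmp/spdk.sock}

    # Assumption: the -s arguments are sockets exposed by a running vhost target.
    for target_sock in ./Vhost.1 ./naa.VhostScsi0.1; do
        if ! wait_for_socket "$target_sock" 5; then
            echo "vhost target socket $target_sock not found" >&2
            return 1
        fi
    done

    ./test/app/fuzz/vhost_fuzz/vhost_fuzz -t 30 --wait-for-rpc &
    fuzz_pid=$!

    # Do not issue RPCs until the fuzzer's RPC socket exists.
    if ! wait_for_socket "$rpc_sock" 10; then
        echo "fuzzer RPC socket $rpc_sock did not appear" >&2
        kill "$fuzz_pid" 2>/dev/null
        return 1
    fi

    if ! { ./scripts/rpc.py fuzz_vhost_create_dev -s ./Vhost.1 -b -V &&
           ./scripts/rpc.py fuzz_vhost_create_dev -s ./naa.VhostScsi0.1 -l -V &&
           ./scripts/rpc.py framework_start_init; }; then
        kill "$fuzz_pid" 2>/dev/null
        return 1
    fi

    # Hand the fuzzer's exit status back to the caller, e.g. a CI job.
    wait "$fuzz_pid"
}
```

Call `run_vhost_fuzz` from the SPDK repository root once the vhost target is running.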