sys/linux: add description for Mali Bifrost driver (#2394)

* sys/linux: add description for mali bifrost driver

* sys/linux: regenerate dev_bifrost.txt.const

* sys/linux/dev_bifrost: separate BASE_*_GROUP_ID_* to individual bits

* sys/linux/dev_bifrost: format code

6 files changed, 521 insertions, 0 deletions

diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 60f8d8a42..680d347a0 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -30,6 +30,7 @@ Google Inc.
  Stefano Duo
  Aleksandr Nogikh
  Dean Deng
+ Pi-Hsun Shih
 Baozeng Ding
 Lorenzo Stoakes
 Jeremy Huang
diff --git a/sys/linux/dev_bifrost.txt b/sys/linux/dev_bifrost.txt
new file mode 100644
index 000000000..6bb9dc9ff
--- /dev/null
+++ b/sys/linux/dev_bifrost.txt
@@ -0,0 +1,377 @@
+# Copyright 2021 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+# The source file of mali bifrost ioctl can be found in ChromeOS source tree:
+# https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-4.19/drivers/gpu/arm/bifrost/mali_kbase_ioctl.h
+
+include <asm/page.h>
+include <drivers/gpu/arm/bifrost/mali_kbase_debug.h>
+include <drivers/gpu/arm/bifrost/mali_kbase_hwcnt_reader.h>
+include <drivers/gpu/arm/bifrost/mali_kbase_ioctl.h>
+include <drivers/gpu/arm/bifrost/mali_base_kernel.h>
+include <uapi/linux/fcntl.h>
+
+resource fd_bifrost[fd]
+resource gpu_addr[int64]: BASEP_MEM_INVALID_HANDLE, BASEP_MEM_WRITE_ALLOC_PAGES_HANDLE
+resource user_addr[int64]: -1
+resource fd_fence[fd]
+resource fd_hwcnt[fd]
+
+openat$bifrost(fd const[AT_FDCWD], file ptr[in, string["/dev/bifrost"]], flags flags[open_flags], mode const[0]) fd_bifrost
+
+mmap$bifrost(addr const[0], len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_bifrost, offset fileoff) user_addr
+_ = __NR_mmap2
+
+ioctl$KBASE_IOCTL_JOB_SUBMIT(fd fd_bifrost, cmd const[KBASE_IOCTL_JOB_SUBMIT], arg ptr[in, kbase_ioctl_job_submit])
+ioctl$KBASE_IOCTL_POST_TERM(fd fd_bifrost, cmd const[KBASE_IOCTL_POST_TERM], arg const[0])
+ioctl$KBASE_IOCTL_SOFT_EVENT_UPDATE(fd fd_bifrost, cmd const[KBASE_IOCTL_SOFT_EVENT_UPDATE], arg ptr[in, kbase_ioctl_soft_event_update])
+ioctl$KBASE_IOCTL_VERSION_CHECK(fd fd_bifrost, cmd const[KBASE_IOCTL_VERSION_CHECK], arg ptr[inout, kbase_ioctl_version_check])
+ioctl$KBASE_IOCTL_SET_FLAGS(fd fd_bifrost, cmd const[KBASE_IOCTL_SET_FLAGS], arg ptr[in, kbase_ioctl_set_flags])
+ioctl$KBASE_IOCTL_GET_GPUPROPS(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_GPUPROPS], arg ptr[inout, kbase_ioctl_get_gpuprops])
+ioctl$KBASE_IOCTL_MEM_ALLOC(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_ALLOC], arg ptr[inout, kbase_ioctl_mem_alloc])
+ioctl$KBASE_IOCTL_MEM_QUERY(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_QUERY], arg ptr[inout, kbase_ioctl_mem_query])
+ioctl$KBASE_IOCTL_MEM_FREE(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FREE], arg ptr[in, kbase_ioctl_mem_free])
+ioctl$KBASE_IOCTL_HWCNT_READER_SETUP(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_READER_SETUP], arg ptr[in, kbase_ioctl_hwcnt_reader_setup]) fd_hwcnt
+ioctl$KBASE_IOCTL_HWCNT_ENABLE(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_ENABLE], arg ptr[in, kbase_ioctl_hwcnt_enable])
+ioctl$KBASE_IOCTL_HWCNT_DUMP(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_DUMP], arg const[0])
+ioctl$KBASE_IOCTL_HWCNT_CLEAR(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_CLEAR], arg const[0])
+ioctl$KBASE_IOCTL_HWCNT_SET(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_SET], arg ptr[inout, kbase_ioctl_hwcnt_values])
+ioctl$KBASE_IOCTL_DISJOINT_QUERY(fd fd_bifrost, cmd const[KBASE_IOCTL_DISJOINT_QUERY], arg ptr[out, kbase_ioctl_disjoint_query])
+ioctl$KBASE_IOCTL_GET_DDK_VERSION(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_DDK_VERSION], arg ptr[inout, kbase_ioctl_get_ddk_version])
+ioctl$KBASE_IOCTL_MEM_JIT_INIT_10_2(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT_10_2], arg ptr[in, kbase_ioctl_mem_jit_init_10_2])
+ioctl$KBASE_IOCTL_MEM_JIT_INIT_11_5(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT_11_5], arg ptr[in, kbase_ioctl_mem_jit_init_11_5])
+ioctl$KBASE_IOCTL_MEM_JIT_INIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT], arg ptr[in, kbase_ioctl_mem_jit_init])
+ioctl$KBASE_IOCTL_MEM_SYNC(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_SYNC], arg ptr[in, kbase_ioctl_mem_sync])
+ioctl$KBASE_IOCTL_MEM_FIND_CPU_OFFSET(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FIND_CPU_OFFSET], arg ptr[inout, kbase_ioctl_mem_find_cpu_offset])
+ioctl$KBASE_IOCTL_GET_CONTEXT_ID(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_CONTEXT_ID], arg ptr[out, kbase_ioctl_get_context_id])
+ioctl$KBASE_IOCTL_TLSTREAM_ACQUIRE(fd fd_bifrost, cmd const[KBASE_IOCTL_TLSTREAM_ACQUIRE], arg ptr[in, kbase_ioctl_tlstream_acquire])
+ioctl$KBASE_IOCTL_TLSTREAM_FLUSH(fd fd_bifrost, cmd const[KBASE_IOCTL_TLSTREAM_FLUSH], arg const[0])
+ioctl$KBASE_IOCTL_MEM_COMMIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_COMMIT], arg ptr[in, kbase_ioctl_mem_commit])
+ioctl$KBASE_IOCTL_MEM_ALIAS(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_ALIAS], arg ptr[inout, kbase_ioctl_mem_alias])
+ioctl$KBASE_IOCTL_MEM_IMPORT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_IMPORT], arg ptr[inout, kbase_ioctl_mem_import])
+ioctl$KBASE_IOCTL_MEM_FLAGS_CHANGE(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FLAGS_CHANGE], arg ptr[in, kbase_ioctl_mem_flags_change])
+ioctl$KBASE_IOCTL_STREAM_CREATE(fd fd_bifrost, cmd const[KBASE_IOCTL_STREAM_CREATE], arg ptr[in, kbase_ioctl_stream_create]) fd_fence
+ioctl$KBASE_IOCTL_FENCE_VALIDATE(fd fd_bifrost, cmd const[KBASE_IOCTL_FENCE_VALIDATE], arg ptr[in, kbase_ioctl_fence_validate])
+ioctl$KBASE_IOCTL_MEM_PROFILE_ADD(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_PROFILE_ADD], arg ptr[in, kbase_ioctl_mem_profile_add])
+ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(fd fd_bifrost, cmd const[KBASE_IOCTL_STICKY_RESOURCE_MAP], arg ptr[in, kbase_ioctl_sticky_resource_map])
+ioctl$KBASE_IOCTL_STICKY_RESOURCE_UNMAP(fd fd_bifrost, cmd const[KBASE_IOCTL_STICKY_RESOURCE_UNMAP], arg ptr[in, kbase_ioctl_sticky_resource_unmap])
+ioctl$KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET], arg ptr[inout, kbase_ioctl_mem_find_gpu_start_and_offset])
+ioctl$KBASE_IOCTL_MEM_EXEC_INIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_EXEC_INIT], arg ptr[in, kbase_ioctl_mem_exec_init])
+ioctl$KBASE_IOCTL_GET_CPU_GPU_TIMEINFO(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_CPU_GPU_TIMEINFO], arg ptr[inout, kbase_ioctl_get_cpu_gpu_timeinfo])
+
+ioctl$KBASE_HWCNT_READER_GET_HWVER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_HWVER], arg const[0])
+ioctl$KBASE_HWCNT_READER_GET_BUFFER_SIZE(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_BUFFER_SIZE], arg const[0])
+ioctl$KBASE_HWCNT_READER_DUMP(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_DUMP], arg const[0])
+ioctl$KBASE_HWCNT_READER_CLEAR(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_CLEAR], arg const[0])
+ioctl$KBASE_HWCNT_READER_GET_BUFFER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_BUFFER], arg ptr[out, kbase_hwcnt_reader_metadata])
+ioctl$KBASE_HWCNT_READER_PUT_BUFFER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_PUT_BUFFER], arg ptr[in, kbase_hwcnt_reader_metadata])
+ioctl$KBASE_HWCNT_READER_SET_INTERVAL(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_SET_INTERVAL], arg intptr)
+ioctl$KBASE_HWCNT_READER_ENABLE_EVENT(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_ENABLE_EVENT], arg const[0])
+ioctl$KBASE_HWCNT_READER_DISABLE_EVENT(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_DISABLE_EVENT], arg const[0])
+ioctl$KBASE_HWCNT_READER_GET_API_VERSION(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_API_VERSION], arg const[0])
+
+type base_atom_id int8
+
+base_jd_atom_v2 {
+	jc		int64
+	udata		base_jd_udata
+	extres_list	int64
+	nr_extres	int16
+	compat_core_req	int16
+	pre_dep		array[base_dependency, 2]
+	atom_number	base_atom_id
+	prio		flags[base_jd_prio, int8]
+	device_nr	int8
+	jobslot		int8
+	core_req	flags[base_jd_core_req, int32]
+	renderpass_id	int8
+	padding		array[const[0, int8], 7]
+}
+
+base_dependency {
+	atom_id		base_atom_id
+	dependency_type	flags[base_jd_dep_type, int8]
+}
+
+base_jd_udata {
+	blob	array[int64, 2]
+}
+
+kbase_ioctl_job_submit {
+	addr		ptr64[out, array[base_jd_atom_v2]]
+	nr_atoms	len[addr, int32]
+# sizeof(base_jd_atom_v2)
+	stride		const[56, int32]
+}
+
+kbase_ioctl_soft_event_update {
+	event		gpu_addr
+	new_status	int32
+	flags		const[0, int32]
+}
+
+kbase_ioctl_version_check {
+	major	int16
+	minor	int16
+}
+
+kbase_ioctl_set_flags {
+	create_flags	flags[basep_context_create_kernel_flags, int32]
+}
+
+kbase_ioctl_get_gpuprops {
+	buffer	ptr64[out, array[int8]]
+	size	len[buffer, int32]
+	flags	const[0, int32]
+}
+
+kbase_ioctl_mem_alloc_in {
+	va_pages	int64
+	commit_pages	int64
+	extent		int64
+	flags		flags[base_mem_alloc_flags, int64]
+}
+
+kbase_ioctl_mem_alloc_out {
+	flags	int64
+	gpu_va	gpu_addr
+}
+
+kbase_ioctl_mem_alloc [
+	in	kbase_ioctl_mem_alloc_in	(in)
+	out	kbase_ioctl_mem_alloc_out	(out)
+]
+
+kbase_ioctl_mem_query_in {
+	gpu_addr	gpu_addr
+	query		flags[kbase_ioctl_mem_query_flags, int64]
+}
+
+kbase_ioctl_mem_query_out {
+	value	int64
+}
+
+kbase_ioctl_mem_query [
+	in	kbase_ioctl_mem_query_in	(in)
+	out	kbase_ioctl_mem_query_out	(out)
+]
+
+kbase_ioctl_mem_free {
+	gpu_addr	gpu_addr
+}
+
+kbase_ioctl_hwcnt_reader_setup {
+	buffer_count	int32
+	jm_bm		int32
+	shader_bm	int32
+	tiler_bm	int32
+	mmu_l2_bm	int32
+}
+
+kbase_ioctl_hwcnt_enable {
+	dump_buffer	gpu_addr
+	jm_bm		int32
+	shader_bm	int32
+	tiler_bm	int32
+	mmu_l2_bm	int32
+}
+
+kbase_ioctl_hwcnt_values {
+	data	ptr64[out, array[int8]]
+	size	len[data, int32]
+	padding	const[0, int32]
+}
+
+kbase_ioctl_disjoint_query {
+	counter	int32
+}
+
+kbase_ioctl_get_ddk_version {
+	version_buffer	ptr64[out, array[int8]]
+	size		len[version_buffer, int32]
+	padding		const[0, int32]
+}
+
+kbase_ioctl_mem_jit_init_10_2 {
+	va_pages	int64
+}
+
+kbase_ioctl_mem_jit_init_11_5 {
+	va_pages	int64
+	max_allocations	int8
+	trim_level	int8
+	group_id	int8
+	padding		array[const[0, int8], 5]
+}
+
+kbase_ioctl_mem_jit_init {
+	va_pages	int64
+	max_allocations	int8
+	trim_level	int8
+	group_id	int8
+	padding		array[const[0, int8], 5]
+	phys_pages	int64
+}
+
+kbase_ioctl_mem_sync {
+	handle		gpu_addr
+	user_addr	user_addr
+	size		int64
+	type		flags[base_syncset_op_flags, int8]
+	padding		array[const[0, int8], 7]
+}
+
+kbase_ioctl_mem_find_cpu_offset [
+	in	kbase_ioctl_mem_find_cpu_offset_in	(in)
+	out	kbase_ioctl_mem_find_cpu_offset_out	(out)
+]
+
+kbase_ioctl_mem_find_cpu_offset_in {
+	gpu_addr	gpu_addr
+	cpu_addr	user_addr
+	size		int64
+}
+
+kbase_ioctl_mem_find_cpu_offset_out {
+	offset	int64
+}
+
+kbase_ioctl_get_context_id {
+	id	int32
+}
+
+kbase_ioctl_tlstream_acquire {
+	flags	int32
+}
+
+kbase_ioctl_mem_commit {
+	gpu_addr	gpu_addr
+	pages		int64
+}
+
+kbase_ioctl_mem_alias [
+	in	kbase_ioctl_mem_alias_in	(in)
+	out	kbase_ioctl_mem_alias_out	(out)
+]
+
+kbase_ioctl_mem_alias_in {
+	flags		flags[base_mem_alloc_flags, int64]
+	stride		int64
+	nents		len[aliasing_info, int64]
+	aliasing_info	ptr64[in, array[base_mem_aliasing_info]]
+}
+
+kbase_ioctl_mem_alias_out {
+	flags		int64
+	gpu_va		gpu_addr
+	va_pages	int64
+}
+
+base_mem_aliasing_info {
+	handle	gpu_addr
+	offset	int64
+	length	int64
+}
+
+kbase_ioctl_mem_import [
+	in	kbase_ioctl_mem_import_in	(in)
+	out	kbase_ioctl_mem_import_out	(out)
+]
+
+kbase_ioctl_mem_import_in {
+	flags	flags[base_mem_alloc_flags, int64]
+	phandle	int64
+	type	flags[base_mem_import_type, int32]
+	padding	const[0, int32]
+}
+
+kbase_ioctl_mem_import_out {
+	flags		int64
+	gpu_va		gpu_addr
+	va_pages	int64
+}
+
+kbase_ioctl_mem_flags_change {
+	gpu_va	gpu_addr
+	flags	flags[base_mem_alloc_flags, int64]
+	mask	int64
+}
+
+kbase_ioctl_stream_create {
+	name	array[int8, 32]
+}
+
+kbase_ioctl_fence_validate {
+	fd	fd_fence
+}
+
+kbase_ioctl_mem_profile_add {
+	buffer	ptr64[in, array[int8]]
+	len	len[buffer, int32]
+	padding	const[0, int32]
+}
+
+kbase_ioctl_sticky_resource_map {
+	count	len[address, int64]
+	address	ptr64[in, array[int64]]
+}
+
+kbase_ioctl_sticky_resource_unmap {
+	count	len[address, int64]
+	address	ptr64[in, array[int64]]
+}
+
+kbase_ioctl_mem_find_gpu_start_and_offset [
+	in	kbase_ioctl_mem_find_gpu_start_and_offset_in	(in)
+	out	kbase_ioctl_mem_find_gpu_start_and_offset_out	(out)
+]
+
+kbase_ioctl_mem_find_gpu_start_and_offset_in {
+	gpu_addr	gpu_addr
+	size		int64
+}
+
+kbase_ioctl_mem_find_gpu_start_and_offset_out {
+	start	gpu_addr
+	offset	int64
+}
+
+kbase_ioctl_mem_exec_init {
+	va_pages	int64
+}
+
+kbase_ioctl_get_cpu_gpu_timeinfo [
+	in	kbase_ioctl_get_cpu_gpu_timeinfo_in	(in)
+	out	kbase_ioctl_get_cpu_gpu_timeinfo_out	(out)
+]
+
+kbase_ioctl_get_cpu_gpu_timeinfo_in {
+	request_flags	flags[base_timerequest_allowed_flags, int32]
+	paddings	array[const[0, int8], 7]
+}
+
+kbase_ioctl_get_cpu_gpu_timeinfo_out {
+	sec		int64
+	nsec		int32
+	padding		const[0, int32]
+	timestamp	int64
+	cycle_counter	int64
+}
+
+kbase_hwcnt_reader_metadata {
+	timestamp	int64
+	event_id	int32
+	buffer_idx	int32
+}
+
+base_jd_dep_type = BASE_JD_DEP_TYPE_INVALID, BASE_JD_DEP_TYPE_DATA, BASE_JD_DEP_TYPE_ORDER
+base_jd_prio = BASE_JD_PRIO_MEDIUM, BASE_JD_PRIO_HIGH, BASE_JD_PRIO_LOW
+base_jd_core_req = BASE_JD_REQ_DEP, BASE_JD_REQ_FS, BASE_JD_REQ_CS, BASE_JD_REQ_T, BASE_JD_REQ_CF, BASE_JD_REQ_V, BASE_JD_REQ_FS_AFBC, BASE_JD_REQ_EVENT_COALESCE, BASE_JD_REQ_COHERENT_GROUP, BASE_JD_REQ_PERMON, BASE_JD_REQ_EXTERNAL_RESOURCES, BASE_JD_REQ_SOFT_JOB, BASE_JD_REQ_ONLY_COMPUTE, BASE_JD_REQ_SPECIFIC_COHERENT_GROUP, BASE_JD_REQ_EVENT_ONLY_ON_FAILURE, BASE_JD_REQ_SKIP_CACHE_START, BASE_JD_REQ_SKIP_CACHE_END, BASE_JD_REQ_JOB_SLOT, BASE_JD_REQ_START_RENDERPASS, BASE_JD_REQ_END_RENDERPASS
+kbase_ioctl_mem_query_flags = KBASE_MEM_QUERY_COMMIT_SIZE, KBASE_MEM_QUERY_VA_SIZE, KBASE_MEM_QUERY_FLAGS
+base_syncset_op_flags = BASE_SYNCSET_OP_MSYNC, BASE_SYNCSET_OP_CSYNC
+# 0x400000-0x2000000 are individual bits of BASE_MEM_GROUP_ID_MASK
+base_mem_alloc_flags = BASE_MEM_PROT_CPU_RD, BASE_MEM_PROT_CPU_WR, BASE_MEM_PROT_GPU_RD, BASE_MEM_PROT_GPU_WR, BASE_MEM_PROT_GPU_EX, BASEP_MEM_PERMANENT_KERNEL_MAPPING, BASE_MEM_GPU_VA_SAME_4GB_PAGE, BASEP_MEM_NO_USER_FREE, BASE_MEM_RESERVED_BIT_8, BASE_MEM_GROW_ON_GPF, BASE_MEM_COHERENT_SYSTEM, BASE_MEM_COHERENT_LOCAL, BASE_MEM_CACHED_CPU, BASE_MEM_SAME_VA, BASE_MEM_NEED_MMAP, BASE_MEM_COHERENT_SYSTEM_REQUIRED, BASE_MEM_PROTECTED, BASE_MEM_DONT_NEED, BASE_MEM_IMPORT_SHARED, BASE_MEM_RESERVED_BIT_19, BASE_MEM_TILER_ALIGN_TOP_EXTENT_MAX_PAGES, BASE_MEM_TILER_ALIGN_TOP, BASE_MEM_UNCACHED_GPU, 0x400000, 0x800000, 0x1000000, 0x2000000, BASE_MEM_IMPORT_SYNC_ON_MAP_UNMAP, BASE_MEM_FLAG_MAP_FIXED
+base_mem_import_type = BASE_MEM_IMPORT_TYPE_INVALID, BASE_MEM_IMPORT_TYPE_UMM, BASE_MEM_IMPORT_TYPE_USER_BUFFER
+# 0x08-0x20 are individual bits of BASEP_CONTEXT_MMU_GROUP_ID_MASK
+basep_context_create_kernel_flags = BASE_CONTEXT_SYSTEM_MONITOR_SUBMIT_DISABLED, 0x8, 0x10, 0x20, 0x40
+base_timerequest_allowed_flags = BASE_TIMEINFO_MONOTONIC_FLAG, BASE_TIMEINFO_TIMESTAMP_FLAG, BASE_TIMEINFO_CYCLE_COUNTER_FLAG, BASE_TIMEINFO_KERNEL_SOURCE_FLAG, BASE_TIMEINFO_USER_SOURCE_FLAG
diff --git a/sys/linux/dev_bifrost.txt.const b/sys/linux/dev_bifrost.txt.const
new file mode 100644
index 000000000..116d5dbf6
--- /dev/null
+++ b/sys/linux/dev_bifrost.txt.const
@@ -0,0 +1,120 @@
+# Code generated by syz-sysgen. DO NOT EDIT.
+arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+AT_FDCWD = 18446744073709551516
+BASEP_MEM_INVALID_HANDLE = 0
+BASEP_MEM_NO_USER_FREE = 128
+BASEP_MEM_PERMANENT_KERNEL_MAPPING = 32
+BASEP_MEM_WRITE_ALLOC_PAGES_HANDLE = 16384
+BASE_CONTEXT_SYSTEM_MONITOR_SUBMIT_DISABLED = 2
+BASE_JD_DEP_TYPE_DATA = 1
+BASE_JD_DEP_TYPE_INVALID = 0
+BASE_JD_DEP_TYPE_ORDER = 2
+BASE_JD_PRIO_HIGH = 1
+BASE_JD_PRIO_LOW = 2
+BASE_JD_PRIO_MEDIUM = 0
+BASE_JD_REQ_CF = 8
+BASE_JD_REQ_COHERENT_GROUP = 64
+BASE_JD_REQ_CS = 2
+BASE_JD_REQ_DEP = 0
+BASE_JD_REQ_END_RENDERPASS = 524288
+BASE_JD_REQ_EVENT_COALESCE = 32
+BASE_JD_REQ_EVENT_ONLY_ON_FAILURE = 4096
+BASE_JD_REQ_EXTERNAL_RESOURCES = 256
+BASE_JD_REQ_FS = 1
+BASE_JD_REQ_FS_AFBC = 8192
+BASE_JD_REQ_JOB_SLOT = 131072
+BASE_JD_REQ_ONLY_COMPUTE = 1024
+BASE_JD_REQ_PERMON = 128
+BASE_JD_REQ_SKIP_CACHE_END = 65536
+BASE_JD_REQ_SKIP_CACHE_START = 32768
+BASE_JD_REQ_SOFT_JOB = 512
+BASE_JD_REQ_SPECIFIC_COHERENT_GROUP = 2048
+BASE_JD_REQ_START_RENDERPASS = 262144
+BASE_JD_REQ_T = 4
+BASE_JD_REQ_V = 16
+BASE_MEM_CACHED_CPU = 4096
+BASE_MEM_COHERENT_LOCAL = 2048
+BASE_MEM_COHERENT_SYSTEM = 1024
+BASE_MEM_COHERENT_SYSTEM_REQUIRED = 32768
+BASE_MEM_DONT_NEED = 131072
+BASE_MEM_FLAG_MAP_FIXED = 134217728
+BASE_MEM_GPU_VA_SAME_4GB_PAGE = 64
+BASE_MEM_GROW_ON_GPF = 512
+BASE_MEM_IMPORT_SHARED = 262144
+BASE_MEM_IMPORT_SYNC_ON_MAP_UNMAP = 67108864
+BASE_MEM_IMPORT_TYPE_INVALID = 0
+BASE_MEM_IMPORT_TYPE_UMM = 2
+BASE_MEM_IMPORT_TYPE_USER_BUFFER = 3
+BASE_MEM_NEED_MMAP = 16384
+BASE_MEM_PROTECTED = 65536
+BASE_MEM_PROT_CPU_RD = 1
+BASE_MEM_PROT_CPU_WR = 2
+BASE_MEM_PROT_GPU_EX = 16
+BASE_MEM_PROT_GPU_RD = 4
+BASE_MEM_PROT_GPU_WR = 8
+BASE_MEM_RESERVED_BIT_19 = 524288
+BASE_MEM_RESERVED_BIT_8 = 256
+BASE_MEM_SAME_VA = 8192
+BASE_MEM_TILER_ALIGN_TOP = 1048576
+BASE_MEM_TILER_ALIGN_TOP_EXTENT_MAX_PAGES = 512, ppc64le:32
+BASE_MEM_UNCACHED_GPU = 2097152
+BASE_SYNCSET_OP_CSYNC = 2
+BASE_SYNCSET_OP_MSYNC = 1
+BASE_TIMEINFO_CYCLE_COUNTER_FLAG = 4
+BASE_TIMEINFO_KERNEL_SOURCE_FLAG = 1073741824
+BASE_TIMEINFO_MONOTONIC_FLAG = 1
+BASE_TIMEINFO_TIMESTAMP_FLAG = 2
+BASE_TIMEINFO_USER_SOURCE_FLAG = 2147483648
+KBASE_HWCNT_READER_CLEAR = 1074052625
+KBASE_HWCNT_READER_DISABLE_EVENT = 1074052673
+KBASE_HWCNT_READER_DUMP = 1074052624
+KBASE_HWCNT_READER_ENABLE_EVENT = 1074052672
+KBASE_HWCNT_READER_GET_API_VERSION = 1074052863
+KBASE_HWCNT_READER_GET_BUFFER = 2148580896
+KBASE_HWCNT_READER_GET_BUFFER_SIZE = 2147794433
+KBASE_HWCNT_READER_GET_HWVER = 2147794432
+KBASE_HWCNT_READER_PUT_BUFFER = 1074839073
+KBASE_HWCNT_READER_SET_INTERVAL = 1074052656
+KBASE_IOCTL_DISJOINT_QUERY = 2147778572
+KBASE_IOCTL_FENCE_VALIDATE = 1074036761
+KBASE_IOCTL_GET_CONTEXT_ID = 2147778577
+KBASE_IOCTL_GET_CPU_GPU_TIMEINFO = 3223355442
+KBASE_IOCTL_GET_DDK_VERSION = 1074823181
+KBASE_IOCTL_GET_GPUPROPS = 1074823171
+KBASE_IOCTL_HWCNT_CLEAR = 32779
+KBASE_IOCTL_HWCNT_DUMP = 32778
+KBASE_IOCTL_HWCNT_ENABLE = 1075347465
+KBASE_IOCTL_HWCNT_READER_SETUP = 1075085320
+KBASE_IOCTL_HWCNT_SET = 1074823200
+KBASE_IOCTL_JOB_SUBMIT = 1074823170
+KBASE_IOCTL_MEM_ALIAS = 3223355413
+KBASE_IOCTL_MEM_ALLOC = 3223355397
+KBASE_IOCTL_MEM_COMMIT = 1074823188
+KBASE_IOCTL_MEM_EXEC_INIT = 1074298918
+KBASE_IOCTL_MEM_FIND_CPU_OFFSET = 3222831120
+KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET = 3222306847
+KBASE_IOCTL_MEM_FLAGS_CHANGE = 1075347479
+KBASE_IOCTL_MEM_FREE = 1074298887
+KBASE_IOCTL_MEM_IMPORT = 3222831126
+KBASE_IOCTL_MEM_JIT_INIT = 1075347470
+KBASE_IOCTL_MEM_JIT_INIT_10_2 = 1074298894
+KBASE_IOCTL_MEM_JIT_INIT_11_5 = 1074823182
+KBASE_IOCTL_MEM_PROFILE_ADD = 1074823195
+KBASE_IOCTL_MEM_QUERY = 3222306822
+KBASE_IOCTL_MEM_SYNC = 1075871759
+KBASE_IOCTL_POST_TERM = 32772
+KBASE_IOCTL_SET_FLAGS = 1074036737
+KBASE_IOCTL_SOFT_EVENT_UPDATE = 1074823196
+KBASE_IOCTL_STICKY_RESOURCE_MAP = 1074823197
+KBASE_IOCTL_STICKY_RESOURCE_UNMAP = 1074823198
+KBASE_IOCTL_STREAM_CREATE = 1075871768
+KBASE_IOCTL_TLSTREAM_ACQUIRE = 1074036754
+KBASE_IOCTL_TLSTREAM_FLUSH = 32787
+KBASE_IOCTL_VERSION_CHECK = 3221520384
+KBASE_MEM_QUERY_COMMIT_SIZE = 1
+KBASE_MEM_QUERY_FLAGS = 3
+KBASE_MEM_QUERY_VA_SIZE = 2
+__NR_ioctl = 54, amd64:16, arm64:riscv64:29, mips64le:5015
+__NR_mmap = 90, 386:arm:192, amd64:9, arm64:riscv64:222, mips64le:5009
+__NR_mmap2 = 192, amd64:arm64:mips64le:ppc64le:riscv64:s390x:???
+__NR_openat = 56, 386:295, amd64:257, arm:322, mips64le:5247, ppc64le:286, s390x:288
diff --git a/sys/linux/test/dev_bifrost b/sys/linux/test/dev_bifrost
new file mode 100644
index 000000000..c90c96103
--- /dev/null
+++ b/sys/linux/test/dev_bifrost
@@ -0,0 +1,16 @@
+# requires: manual
+
+r0 = openat$bifrost(0xffffffffffffff9c, &AUTO='/dev/bifrost\x00', 0x2, 0x0)
+
+# These two ioctl set up kbase_context
+
+ioctl$KBASE_IOCTL_VERSION_CHECK(r0, 0xc0048000, &AUTO={0xB, 0xF})
+ioctl$KBASE_IOCTL_SET_FLAGS(r0, 0x40048001, &AUTO={0x0})
+
+# Offset 0x3000 is BASE_MEM_MAP_TRACKING_HANDLE
+
+mmap$bifrost(nil, 0x3000, 0x3, 0x1, r0, 0x3000)
+
+ioctl$KBASE_IOCTL_MEM_ALLOC(r0, 0xc0208005, &AUTO=@in={0x1, 0x1, 0x0, 0xf})
+
+close(r0)
diff --git a/sys/syz-extract/extract.go b/sys/syz-extract/extract.go
index d8ae1eeda..d9ba12b40 100644
--- a/sys/syz-extract/extract.go
+++ b/sys/syz-extract/extract.go
@@ -264,6 +264,9 @@ func archFileList(os, arch string, files []string) (string, []string, []string,
 			"vnet_mptcp.txt": true,
 			// Was in linux-next, but then was removed, fate is unknown.
 			"dev_watch_queue.txt": true,
+			// Not upstream, generated on:
+			// https://chromium.googlesource.com/chromiumos/third_party/kernel d2a8a1eb8b86
+			"dev_bifrost.txt": true,
 		}
 		androidFiles := map[string]bool{
 			"dev_tlk_device.txt": true,
diff --git a/sys/targets/common.go b/sys/targets/common.go
index 1f781cb0e..bddd90f9d 100644
--- a/sys/targets/common.go
+++ b/sys/targets/common.go
@@ -93,6 +93,10 @@ func MakeUnixNeutralizer(target *prog.Target) *UnixNeutralizer {
 func (arch *UnixNeutralizer) Neutralize(c *prog.Call) {
 	switch c.Meta.CallName {
 	case "mmap":
+		if c.Meta.Name == "mmap$bifrost" {
+			// Mali bifrost mmap doesn't support MAP_FIXED.
+			return
+		}
 		// Add MAP_FIXED flag, otherwise it produces non-deterministic results.
 		c.Args[3].(*prog.ConstArg).Val |= arch.MAP_FIXED
 	case "mknod", "mknodat":