authorAleksandr Nogikh <nogikh@google.com>2020-09-08 08:25:27 +0300
committerDmitry Vyukov <dvyukov@google.com>2020-09-22 10:12:23 +0200
commit9133037195b4eb6ca586ff9fd3810ae3a780b931 (patch)
tree19393a1d33c80f2764670e74b2d8cb685dfba244 /sys/linux
parent1125444eb8aaf143cd81dc90e502a059385e2455 (diff)
all: integrate with mac80211_hwsim
Two virtual wireless devices are instantiated during network devices initialization. A new flag (-wifi) is added that controls whether these virtual wifi devices are instantiated and configured during proc initialization. Also, two new pseudo syscalls are added: 1. syz_80211_inject_frame(mac_addr, packet, packet_len) -- injects an arbitrary packet into the wireless stack. It is injected as if it originated from the device identified by mac_addr. 2. syz_80211_join_ibss(interface_name, ssid, ssid_len, mode) -- puts a specific network interface into IBSS state and joins an IBSS network. Arguments of syz_80211_join_ibss: 1) interface_name -- null-terminated string that identifies a wireless interface 2) ssid, ssid_len -- SSID of the IBSS network to join 3) mode -- mode of syz_80211_join_ibss operation (see below) Modes of operation: JOIN_IBSS_NO_SCAN (0x0) -- channel scan is not performed and syz_80211_join_ibss waits until the interface reaches IF_OPER_UP. JOIN_IBSS_BG_SCAN (0x1) -- channel scan is performed (takes ~ 9 seconds), syz_80211_join_ibss does not await IF_OPER_UP. JOIN_IBSS_BG_NO_SCAN (0x2) -- channel scan is not performed, syz_80211_join_ibss does not await IF_OPER_UP. Local testing confirmed that these syscalls are indeed able to set up an operating network and inject packets into mac80211.
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/net_80211.txt51
-rw-r--r--sys/linux/net_80211.txt.const6
-rw-r--r--sys/linux/socket.txt2
-rw-r--r--sys/linux/test/80211_ibss9
4 files changed, 67 insertions, 1 deletions
diff --git a/sys/linux/net_80211.txt b/sys/linux/net_80211.txt
new file mode 100644
index 000000000..0847b8cd9
--- /dev/null
+++ b/sys/linux/net_80211.txt
@@ -0,0 +1,51 @@
+# Copyright 2020 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <linux/ieee80211.h>
+
+type ieee80211_fixed_mac_addr[LAST] {
+ byte0 const[0x8, int8]
+ byte1 const[0x2, int8]
+ byte2 const[0x11, int8]
+ byte3 const[0x0, int8]
+ byte4 const[0x0, int8]
+ byte5 LAST
+} [packed]
+
+ieee80211_mac_addr [
+ device_a ieee80211_fixed_mac_addr[const[0x0, int8]]
+ device_b ieee80211_fixed_mac_addr[const[0x1, int8]]
+ broadcast array[const[0xff, int8], 6]
+]
+
+ieee80211_ssid [
+ random array[int8, 0:IEEE80211_MAX_SSID_LEN]
+ default_ibss_ssid array[const[0x1, int8], 6]
+] [varlen]
+
+type ieee80211_frame array[int8]
+
+# Inject an 802.11 frame.
+# mac_addr -- mac address of the device that will receive the message (actually it determines
+# the network interface that will receive this message).
+# buf -- raw 802.11 frame. It should neither include an FCS, nor leave space for it at the end of the frame.
+syz_80211_inject_frame(mac_addr ptr[in, ieee80211_mac_addr], buf ptr[in, ieee80211_frame], buf_len len[buf])
+
+# Pseudo system call that puts a specific interface into IBSS state and joins an IBSS network.
+# Although it is done for all interfaces at executor initialization and the nl80211 commands that it executes
+# are present in syzkaller descriptions of nl80211, experiments demonstrated that addition of this pseudo
+# syscall provokes a much bigger number of issues.
+# Also, this pseudo call makes it possible to put interfaces generated by sendmsg$NL80211_CMD_NEW_INTERFACE
+# into an operable state at runtime.
+syz_80211_join_ibss(interface ptr[in, string[devnames]], ssid ptr[in, ieee80211_ssid], ssid_len len[ssid], join_mode flags[join_ibss_modes])
+
+# Modes of syz_80211_join_ibss operation:
+# JOIN_IBSS_NO_SCAN -- channel scan is not performed and syz_80211_join_ibss waits until the interface reaches IF_OPER_UP
+# JOIN_IBSS_BG_SCAN -- channel scan is performed (takes ~ 9 seconds), syz_80211_join_ibss does not await IF_OPER_UP
+# JOIN_IBSS_BG_NO_SCAN -- channel scan is not performed, syz_80211_join_ibss does not await IF_OPER_UP
+
+define JOIN_IBSS_NO_SCAN 0x0
+define JOIN_IBSS_BG_SCAN 0x1
+define JOIN_IBSS_BG_NO_SCAN 0x2
+
+join_ibss_modes = JOIN_IBSS_NO_SCAN, JOIN_IBSS_BG_SCAN, JOIN_IBSS_BG_NO_SCAN
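Review bot: The comment on syz_80211_inject_frame says mac_addr is the device that will receive the frame, while the commit description says the frame is injected as if it originated from the device identified by mac_addr; these contradict each other, and someone writing a reproducer from this file alone will pick the wrong MAC for the direction they intend. Please settle which direction the executor actually implements (the executor side is not part of this diff) and make the comment match, e.g. `# mac_addr -- mac address of the hwsim device the frame is injected through (see the executor implementation for whether it is treated as sender or receiver)`. The fixed prefix 08:02:11:00:00 in ieee80211_fixed_mac_addr is also undocumented; a one-line comment stating that it presumably mirrors the MACs assigned to the two hwsim devices at initialization would save the next reader a trip to the executor.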
diff --git a/sys/linux/net_80211.txt.const b/sys/linux/net_80211.txt.const
new file mode 100644
index 000000000..86aaf01de
--- /dev/null
+++ b/sys/linux/net_80211.txt.const
@@ -0,0 +1,6 @@
+# Code generated by syz-sysgen. DO NOT EDIT.
+arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+IEEE80211_MAX_SSID_LEN = 32
+JOIN_IBSS_BG_NO_SCAN = 2
+JOIN_IBSS_BG_SCAN = 1
+JOIN_IBSS_NO_SCAN = 0
diff --git a/sys/linux/socket.txt b/sys/linux/socket.txt
index a8595fc5e..5bc654c74 100644
--- a/sys/linux/socket.txt
+++ b/sys/linux/socket.txt
@@ -384,7 +384,7 @@ rtentry {
# Note: lapb0, bpq0 and hwsim0 are only present in init namespace.
# Note: for roseN and nrN we should use proc type, but for simplicity we currently use N=0.
# Note: netdevsim0 and netpci0 are renamed in initialize_devlink_ports()
-devnames = "", "lo", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "sit0", "ip6tnl0", "ip6gre0", "ip6gretap0", "bond0", "dummy0", "nr0", "rose0", "erspan0", "vlan0", "bridge0", "vcan0", "team0", "syz_tun", "veth0", "veth1", "veth0_to_bridge", "veth1_to_bridge", "veth0_to_bond", "veth1_to_bond", "veth0_to_team", "veth1_to_team", "bridge_slave_0", "bridge_slave_1", "bond_slave_0", "bond_slave_1", "team_slave_0", "team_slave_1", "syzkaller0", "syzkaller1", "veth0_to_hsr", "veth1_to_hsr", "hsr0", "ip6erspan0", "vxcan1", "caif0", "batadv0", "veth0_to_batadv", "veth1_to_batadv", "batadv_slave_0", "batadv_slave_1", "netdevsim0", "netpci0", "xfrm0", "veth0_virt_wifi", "veth1_virt_wifi", "virt_wifi0", "veth0_vlan", "veth1_vlan", "vlan0", "vlan1", "macvlan0", "macvlan1", "ipvlan0", "ipvlan1", "veth0_macvtap", "veth1_macvtap", "macvtap0", "macsec0", "geneve0", "geneve1", "wg0", "wg1", "wg2"
+devnames = "", "lo", "tunl0", "gre0", "gretap0", "ip_vti0", "ip6_vti0", "sit0", "ip6tnl0", "ip6gre0", "ip6gretap0", "bond0", "dummy0", "nr0", "rose0", "erspan0", "vlan0", "bridge0", "vcan0", "team0", "syz_tun", "veth0", "veth1", "veth0_to_bridge", "veth1_to_bridge", "veth0_to_bond", "veth1_to_bond", "veth0_to_team", "veth1_to_team", "bridge_slave_0", "bridge_slave_1", "bond_slave_0", "bond_slave_1", "team_slave_0", "team_slave_1", "syzkaller0", "syzkaller1", "veth0_to_hsr", "veth1_to_hsr", "hsr0", "ip6erspan0", "vxcan1", "caif0", "batadv0", "veth0_to_batadv", "veth1_to_batadv", "batadv_slave_0", "batadv_slave_1", "netdevsim0", "netpci0", "xfrm0", "veth0_virt_wifi", "veth1_virt_wifi", "virt_wifi0", "veth0_vlan", "veth1_vlan", "vlan0", "vlan1", "macvlan0", "macvlan1", "ipvlan0", "ipvlan1", "veth0_macvtap", "veth1_macvtap", "macvtap0", "macsec0", "geneve0", "geneve1", "wg0", "wg1", "wg2", "wlan0", "wlan1"
type devname string[devnames, IFNAMSIZ]
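Review bot: wlan0 and wlan1 are appended to devnames without a note on when they exist, whereas the preceding comment lines record the namespace and rename caveats for other entries. According to the commit description the hwsim devices are only created when the executor runs with -wifi, so programs that pick these names on a non-wifi executor will presumably just hit missing-interface errors. Suggest adding `# Note: wlan0 and wlan1 (mac80211_hwsim) are only present when the executor is started with -wifi` next to the other Note lines.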
diff --git a/sys/linux/test/80211_ibss b/sys/linux/test/80211_ibss
new file mode 100644
index 000000000..0bea2f5f8
--- /dev/null
+++ b/sys/linux/test/80211_ibss
@@ -0,0 +1,9 @@
+# requires: -sandbox=namespace
+
+# Join IBSSS network
+
+syz_80211_join_ibss(&AUTO='wlan0\x00', &AUTO=@default_ibss_ssid, 0x6, 0x0)
+
+# Inject an arbitrary packet
+
+syz_80211_inject_frame(&AUTO=@device_a, &AUTO="00112233445566778899", 0xa) \ No newline at end of file
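Review bot: `# Join IBSSS network` has a typo, and the diff marker shows the file ends without a trailing newline; suggest `# Join IBSS network` and a final newline. Otherwise the two calls look consistent with the new descriptions: ssid_len 0x6 matches the 6-byte default_ibss_ssid array, and 0xa appears to match the 10-byte hex payload.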