authorAleksandr Nogikh <nogikh@google.com>2021-10-26 15:15:11 +0000
committerDmitry Vyukov <dvyukov@google.com>2021-10-29 10:10:32 +0200
commitc40503e1fa86f3027e003118aaf91646a82f2b5d (patch)
treeda694c2add8430574310be74ea8566d11990f50a /sys/linux
parent2353a3ec6e28d26c020ea7176d16d8fafb772e24 (diff)
all: add binderfs fuzzing support
Create one instance of binderfs per process and add descriptions to enable syzkaller to create binderfs mounts and binder devices itself. Keep descriptions compatible with the legacy mode (when devices are created at boot time).
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/dev_binder.txt10
-rw-r--r--sys/linux/dev_binderfs.txt40
-rw-r--r--sys/linux/dev_binderfs.txt.const10
-rw-r--r--sys/linux/test/binder4
4 files changed, 57 insertions, 7 deletions
diff --git a/sys/linux/dev_binder.txt b/sys/linux/dev_binder.txt
index b7b50f655..1fcfa6a95 100644
--- a/sys/linux/dev_binder.txt
+++ b/sys/linux/dev_binder.txt
@@ -1,10 +1,10 @@
# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
-# Description uses binder device per test process, they are expected to be configured with
-# CONFIG_ANDROID_BINDER_DEVICES="binder0,...,binder31".
-# "binder,hwbinder,vndbinder" is also supported; this is the kconfig default and
-# it's what's used on real Android devices (the main user of binder).
+# These descriptions rely on binderfs being enabled and creating at least binder0
+# and binder1 devices right after a mount.
+# "binder,hwbinder,vndbinder" devices are also supported; this is the kconfig default
+# and it's what's used on real Android devices (the main user of binder).
# Description assumes CONFIG_ANDROID_BINDER_IPC_32BIT is not set.
include <linux/android/binder.h>
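Review bot: The rewritten header comment (lines 31-32) states that binderfs must provide binder0 and binder1 "right after a mount" but no longer says what makes that happen, whereas the removed lines 27-28 named the kconfig dependency. As far as I can tell binderfs populates a fresh mount from the CONFIG_ANDROID_BINDER_DEVICES list, so that requirement is still in force and is now undocumented; please confirm against the kernel. I would keep it explicit, e.g. `# These descriptions rely on CONFIG_ANDROID_BINDERFS=y; syz-executor mounts binderfs and the kernel` / `# must populate it with at least binder0 and binder1 (CONFIG_ANDROID_BINDER_DEVICES="binder0,binder1,...").` The hunk is comment-only; the declarations it applies to follow outside it.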
@@ -19,8 +19,8 @@ type binder_handle int32[0:3]
# It seems that cookies are only checked for inequality and non-matching cookies only cover error paths.
type binder_cookie const[0, int64]
-syz_open_dev$binderN(dev ptr[in, string["/dev/binder#"]], id proc[0, 1], flags flags[binder_open_flags]) fd_binder
openat$binder(fd const[AT_FDCWD], file ptr[in, string["/dev/binder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
+openat$binderfs(fd const[AT_FDCWD], file ptr[in, string[binderfs_devpath]], flags flags[binder_open_flags], mode const[0]) fd_binder
openat$hwbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/hwbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
openat$vndbinder(fd const[AT_FDCWD], file ptr[in, string["/dev/vndbinder"]], flags flags[binder_open_flags], mode const[0]) fd_binder
diff --git a/sys/linux/dev_binderfs.txt b/sys/linux/dev_binderfs.txt
new file mode 100644
index 000000000..f2dff258a
--- /dev/null
+++ b/sys/linux/dev_binderfs.txt
@@ -0,0 +1,40 @@
+# Copyright 2021 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <linux/fcntl.h>
+include <linux/unistd.h>
+include <linux/android/binderfs.h>
+
+# ./binderfs will be mounted by syz-executor, but let's also see how a single process
+# operates with multiple ones.
+binderfs_mountpoint = "./binderfs", "./binderfs2"
+
+# Control paths.
+binderfs_ctrlpath = "./binderfs/binder-control", "./binderfs2/binder-control"
+
+# Device names.
+binderfs_devname = "binder0", "binder1", "custom0", "custom1"
+
+# Unfortunately, syzlang does not currently favor string concatenation for open (and related) syscalls. So we concatenate it manually.
+binderfs_devpath = "./binderfs/binder0", "./binderfs/binder1", "./binderfs/custom0", "./binderfs/custom1", "./binderfs2/binder0", "./binderfs2/binder1", "./binderfs2/custom0", "./binderfs2/custom1"
+
+mkdirat$binderfs(fd const[AT_FDCWD], path ptr[in, string[binderfs_mountpoint]], mode const[0x1ff])
+mount$binderfs(src ptr[in, string["binder"]], dst ptr[in, string[binderfs_mountpoint]], type ptr[in, string["binder"]], flags flags[mount_flags], opts ptr[in, fs_options[binderfs_options]])
+unlinkat$binderfs_device(fd const[AT_FDCWD], path ptr[in, string[binderfs_devpath]])
+
+binderfs_options [
+ max fs_opt_oct["max", int32]
+ stats stringnoz["stats=global"]
+] [varlen]
+
+define BINDERFS_NAME_LEN BINDERFS_MAX_NAME + 1
+
+binderfs_device {
+ name string[binderfs_devname, BINDERFS_NAME_LEN] (in)
+ major int32 (out)
+ minor int32 (out)
+}
+
+resource fd_binderfs_ctrl[fd]
+openat$binderfs_ctrl(fd const[AT_FDCWD], file ptr[in, string[binderfs_ctrlpath]], flags flags[binder_open_flags], mode const[0]) fd_binderfs_ctrl
+ioctl$BINDER_CTL_ADD(fd fd_binderfs_ctrl, cmd const[BINDER_CTL_ADD], arg ptr[inout, binderfs_device])
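Review bot: `unlinkat$binderfs_device` on line 73 declares only two arguments, but unlinkat(2) takes a third flags argument (the generic `unlinkat` description in sys.txt declares one, as far as I recall), so the kernel receives whatever the executor leaves in the third register; presumably 0, which makes it behave like plain unlink, but that is implicit rather than described. Declaring it keeps the call well-defined and consistent with the other descriptions: `unlinkat$binderfs_device(fd const[AT_FDCWD], path ptr[in, string[binderfs_devpath]], flags const[0])`. Separately, the comment on line 68 reads awkwardly; `# syzlang has no string concatenation for open() paths, so mount point and device name are spelled out manually.` says the same thing more directly.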
diff --git a/sys/linux/dev_binderfs.txt.const b/sys/linux/dev_binderfs.txt.const
new file mode 100644
index 000000000..f21650a03
--- /dev/null
+++ b/sys/linux/dev_binderfs.txt.const
@@ -0,0 +1,10 @@
+# Code generated by syz-sysgen. DO NOT EDIT.
+arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x
+AT_FDCWD = 18446744073709551516
+BINDERFS_NAME_LEN = 256
+BINDER_CTL_ADD = 3238552065
+__NR_ioctl = 54, amd64:16, arm64:riscv64:29, mips64le:5015
+__NR_mkdirat = 34, 386:296, amd64:258, arm:323, mips64le:5248, ppc64le:287, s390x:289
+__NR_mount = 21, amd64:165, arm64:riscv64:40, mips64le:5160
+__NR_openat = 56, 386:295, amd64:257, arm:322, mips64le:5247, ppc64le:286, s390x:288
+__NR_unlinkat = 35, 386:301, amd64:263, arm:328, mips64le:5253, ppc64le:292, s390x:294
diff --git a/sys/linux/test/binder b/sys/linux/test/binder
index 8805d2deb..0c4445595 100644
--- a/sys/linux/test/binder
+++ b/sys/linux/test/binder
@@ -1,6 +1,6 @@
-r0 = syz_open_dev$binderN(&AUTO='/dev/binder#\x00', 0x0, 0x2)
+r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, AUTO, &AUTO={AUTO, 0x100, 0x0, 0x0})
mmap$binder(&(0x7f00000a0000), 0x2000, 0x1, 0x11, r0, 0x0)
-r1 = syz_open_dev$binderN(&AUTO='/dev/binder#\x00', 0x0, 0x2)
+r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder1\x00', 0x0, 0x0)
mmap$binder(&(0x7f00000c0000), 0x2000, 0x1, 0x11, r1, 0x0)
ioctl$BINDER_WRITE_READ(r1, AUTO, &AUTO={AUTO, AUTO, &AUTO=[@transaction_sg={AUTO, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, AUTO, AUTO, &AUTO={@flat=@binder={AUTO, 0x0, 0x0, 0x0}, @fd={AUTO, AUTO, r0, AUTO, 0x0}, @ptr={AUTO, 0x0, &AUTO=""/10, AUTO, 0x0, 0x0}}, &AUTO={AUTO, AUTO, AUTO}}, 0x10}], AUTO, AUTO, &AUTO})
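Review bot: The two replaced lines (113 and 117) hard-code `0xffffffffffffff9c` and `&(0x7f00000000c0)` where every other argument in this program uses `AUTO`/`&AUTO`, and both path strings are placed at the same fixed address, so the second openat reuses the first's buffer; harmless since the calls run sequentially, but inconsistent with the rest of the file. `r0 = openat$binderfs(AUTO, &AUTO='./binderfs/binder0\x00', 0x0, 0x0)` and the same shape for r1 keeps the file uniform and lets the tooling assign addresses. The open flags also changed from 0x2 to 0x0 relative to the removed lines; if binder's open path ignores the access mode that is fine, but worth confirming since the mmap$binder on the following line maps the resulting fd.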