sys/linux: enhanced descs for io_uring

* sys/linux: enhanced descs for io_uring

Introduced pseudo-call "syz_io_uring_put_sqes_on_ring()" for writing
submission queue entries (sqes) on sq_ring, which was obtained by
mmap'ping the offsets obtained from io_uring_setup().

Added descriptions for io_ring_register operations that were missing
earlier.

Did misc changes to adapt the descriptions for the updates on the
io_uring subsystem.

* pkg/host: add io_uring pseudo-syscall

* executor/common_linux.h: fix issues with io_uring pseudo-syscall

* executor: fixed io_uring offset computation

* executor: fixes and refactorings in syz_io_uring_submit()

* executor: added syz_io_uring_complete() pseudo-syscall for io_uring

* sys/linux: added descriptions for io_uring operations

Each operation requires a different struct io_uring_sqe set up. Those
are described to be submitted to the sq ring.

* executor: use uint32 instead of uint32_t

* executor: remove nonfailing from pseudo-calls

* sys/linux: fix io_uring epoll_ctl sqe

* prog: fix TestTransitivelyEnabledCallsLinux()

The newly introduced syscall, syz_io_uring_submit$IORING_OP_EPOLL_CTL,
uses fd_epoll. Adapt TestTransitivelyEnabledCallsLinux() to account for
this.

* sys/linux: add IORING_OP_PROVIDE_BUFFERS and IORING_OP_REMOVE_BUFFERS

* sys/linux: fix IORING_OP_WRITE_FIXED and IORING_OP_READ_FIXED

addr and len are for the buffer located at buf_index

* sys/linux: io_uring: use reg. bufs for READ, READV, RECV, RECVMSG

As a result, IOSQE_BUFFER_SELECT_BIT is included in the iosqe_flags.

* sys/linux: io_uring: misc fixes

* sys/linux: io_uring: add IORING_SETUP_ATTACH_WQ

* executor: refactorings on io_uring pseudo syscalls

* sys/linux: io_uring: fix desc for params.cq_entries

* executor: fix SQ_ARRAY_OFFSET computation

This is required with the fix in io_uring kernel code.
https://lore.kernel.org/io-uring/CACT4Y+bgTCMXi3eU7xV+W0ZZNceZFUWRTkngojdr0G_yuY8w9w@mail.gmail.com/T/#t

* executor: added pseudosyscall syz_io_uring_cq_eventfd_toggle()

The usage of cq_ring->flags is only for manipulating
IORING_CQ_EVENTFD_DISABLED bit. This is achieved by a pseudo-syscall,
which toggles the bit.

* executor: added pseudocall syz_io_uring_put_ring_metadata

Removed syz_io_uring_cq_eventfd_toggle() and introduced
syz_io_uring_put_ring_metadata() instead. We have many pieces of
metadata for both sq_ring and cq_ring, for which we are given the
offsets, and some of are not supposed to be manipulated by the
application. Among them, both sq and cq flags can be changed. Both valid
and invalid cases might cause interesting outcomes. Use the newly
introduced pseudo syscall to manipulate them randomly while also
manipulating the flags to their special values.

* executor: added pseudo-syscall syz_memcpy_off

Removed syz_io_uring_put_ring_metadata() and instead added a much more
generic pseudo systemcall to achieve the task. This should benefit other
subsystems as well.

* sys/linux: refactored io_uring descriptions

syz_io_uring_submit() is called with a union of sqes to reduce
duplication of other parameters of the function.

io_uring_sqe is templated with io_uring_sqe_t, and this template type is
used to describe sqes for different ops.

The organization of io_uring.txt is changed.

* sys/linux: io_uring: improved descs to utilize registered files

The files are registered using
io_uring_register$IORING_REGISTER_FILES(). When IOSQE_FIXED_FILE_BIT is
enabled in iosqe_flags in sqe, a variety of operations can use those
registered files using the index of the file instead of fd.

Changed the sqe descriptions for the eligible operations to utilize
this.

* sys/linux: io_uring: improved the descs to utilize personality_id in sqes

A personality_id can be registered for a io_uring fd using
io_uring_register$IORING_REGISTER_PERSONALITY(). This id can be utilized
within sqes. This commit improves the descs for io_uring to utilize it.

In addition, the descriptions for the misc field in io_uring_sqe_t is
refactored as most are shared among sqes.

* sys/linux: io_uring: utilized cqe.res

io_uring_cqe.res is used to carry the return value of operations
achieved through io_uring. The only operations with meaningful return
values (in terms of their possible usage) are openat and openat2. The
pseudo-syscall syz_io_uring_complete() is modified to account for this
and return those fds. The description for sqe_user_data is splitted into
two to identify openat and non-openat io_uring ops.

IORING_OP_IOCTL was suggested but never supported in io_uring. Thus, the
note on this is removed in the descriptions.

tee() expects pipefds, thus, IORING_OP_TEE. The descriptions for the
pipe r/w fds are written as ordinary fd. Thus, in the description for
IORING_OP_TEE, which is io_uring_sqe_tee, fd is used in the place where
pipefds are expected. The note on this is removed in the descriptions.

* sys/linux/test: added test for io_uring

This is not tested yet.

* sys/linux/test: fixed the test for io_uring

The changes successfully pass the sys/linux/test/io_uring test.

sys/linux/io_uring.txt: sq_ring_ptr and cq_ring_ptr are really the same.
Thus, they are replaced with ring_ptr.

executor/common_linux.h: thanks to io_uring test, a bug is found in
where the sq_array's address is computed in syz_io_uring_submit().
Fixed. In addition, similar to the descriptions, the naming for the
ring_ptr is changed from {sq,cq}_ring_ptr to ring_ptr.

* sys/linux: io_uring: misc fixes

* sys/linux: io_uring: changed the sqe_user_data enum

Used a smaller range to ease the collisions. Used comperatively unique
and magic numbers for openat user_data to avoid thinking as if the cqe
belongs to openat while the user_data is coming from some random
location.

* pkg/host: added checks for io_uring syscall

* pkg/host: fixed checks for io_uring syscall

* sys/linux: fixed io_uring test

10 files changed, 857 insertions, 26 deletions

diff --git a/sys/linux/io_uring.txt b/sys/linux/io_uring.txt
index 9ce0eaef7..a2d384319 100644
--- a/sys/linux/io_uring.txt
+++ b/sys/linux/io_uring.txt
@@ -3,15 +3,21 @@
 
 # See http://kernel.dk/io_uring.pdf
 
-# TODO: we don't write anything to the actual uring.
-# NEED: we somehow need to write the mmap-ed range after the mmap. vring needs something similar.
-
 include <uapi/linux/io_uring.h>
+# For EPOLL_CTL_ADD, EPOLL_CTL_MOD, EPOLL_CTL_DEL
+include <uapi/linux/eventpoll.h>
 
 resource fd_io_uring[fd]
+resource ring_ptr[int64]
+resource sqes_ptr[int64]
+resource ioring_personality_id[int16]
+
+# fs/io_uring.c
+define IORING_MAX_ENTRIES	32768
+define IORING_MAX_CQ_ENTRIES	(2 * IORING_MAX_ENTRIES)
 
-io_uring_setup(entries int32[1:4096], params ptr[in, io_uring_params]) fd_io_uring
-io_uring_enter(fd fd_io_uring, to_submit int32, min_complete int32, flags flags[io_uring_enter_flags], sigmask ptr[in, sigset_t], size len[sigmask])
+io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params]) fd_io_uring
+io_uring_enter(fd fd_io_uring, to_submit int32[0:IORING_MAX_ENTRIES], min_complete int32[0:IORING_MAX_CQ_ENTRIES], flags flags[io_uring_enter_flags], sigmask ptr[in, sigset_t], size len[sigmask])
 io_uring_register$IORING_REGISTER_BUFFERS(fd fd_io_uring, opcode const[IORING_REGISTER_BUFFERS], arg ptr[in, array[iovec_out]], nr_args len[arg])
 io_uring_register$IORING_UNREGISTER_BUFFERS(fd fd_io_uring, opcode const[IORING_UNREGISTER_BUFFERS], arg const[0], nr_args const[0])
 io_uring_register$IORING_REGISTER_FILES(fd fd_io_uring, opcode const[IORING_REGISTER_FILES], arg ptr[in, array[fd]], nr_args len[arg])
@@ -19,40 +25,315 @@ io_uring_register$IORING_UNREGISTER_FILES(fd fd_io_uring, opcode const[IORING_UN
 io_uring_register$IORING_REGISTER_EVENTFD(fd fd_io_uring, opcode const[IORING_REGISTER_EVENTFD], arg ptr[in, fd_event], nr_args const[1])
 io_uring_register$IORING_UNREGISTER_EVENTFD(fd fd_io_uring, opcode const[IORING_UNREGISTER_EVENTFD], arg const[0], nr_args const[0])
 io_uring_register$IORING_REGISTER_FILES_UPDATE(fd fd_io_uring, opcode const[IORING_REGISTER_FILES_UPDATE], arg ptr[in, io_uring_files_update], nr_args len[arg:fds])
+io_uring_register$IORING_REGISTER_EVENTFD_ASYNC(fd fd_io_uring, opcode const[IORING_REGISTER_EVENTFD_ASYNC], arg ptr[in, fd_event], nr_args const[1])
+io_uring_register$IORING_REGISTER_PROBE(fd fd_io_uring, opcode const[IORING_REGISTER_PROBE], arg ptr[inout, io_uring_probe], nr_args len[arg:ops])
+io_uring_register$IORING_REGISTER_PERSONALITY(fd fd_io_uring, opcode const[IORING_REGISTER_PERSONALITY], arg const[0], nr_args const[0]) ioring_personality_id
+io_uring_register$IORING_UNREGISTER_PERSONALITY(fd fd_io_uring, opcode const[IORING_UNREGISTER_PERSONALITY], arg const[0], nr_args ioring_personality_id)
 
-mmap$IORING_OFF_SQ_RING(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_SQ_RING])
-mmap$IORING_OFF_CQ_RING(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_CQ_RING])
-mmap$IORING_OFF_SQES(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_SQES])
+# The mmap'ed area for SQ and CQ rings are really the same -- the difference is
+# accounted for with the usage of offsets.
+mmap$IORING_OFF_SQ_RING(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_SQ_RING]) ring_ptr
+mmap$IORING_OFF_CQ_RING(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_CQ_RING]) ring_ptr
+mmap$IORING_OFF_SQES(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_io_uring, offset const[IORING_OFF_SQES]) sqes_ptr
 
-io_uring_setup_flags = IORING_SETUP_IOPOLL, IORING_SETUP_SQPOLL, IORING_SETUP_SQ_AFF, IORING_SETUP_CQSIZE
+# If no flags are specified(0), the io_uring instance is setup for interrupt driven IO.
+io_uring_setup_flags = 0, IORING_SETUP_IOPOLL, IORING_SETUP_SQPOLL, IORING_SETUP_SQ_AFF, IORING_SETUP_CQSIZE, IORING_SETUP_CLAMP, IORING_SETUP_ATTACH_WQ
 io_uring_enter_flags = IORING_ENTER_GETEVENTS, IORING_ENTER_SQ_WAKEUP
 _ = __NR_mmap2
 
+# Once an io_uring is set up by calling io_uring_setup, the offsets to the member fields
+# to be used on the mmap'ed area are set in structs io_sqring_offsets and io_cqring_offsets.
+# Except io_sqring_offsets.array, the offsets are static while all depend on how struct io_rings
+# is organized in code. The offsets can be marked as resources in syzkaller descriptions but
+# this makes it difficult to generate correct programs by the fuzzer. Thus, the offsets are
+# hard-coded here (and in the executor).
+define SQ_HEAD_OFFSET	0
+define SQ_TAIL_OFFSET	64
+define SQ_RING_MASK_OFFSET	256
+define SQ_RING_ENTRIES_OFFSET	264
+define SQ_FLAGS_OFFSET	276
+define SQ_DROPPED_OFFSET	272
+define CQ_HEAD_OFFSET	128
+define CQ_TAIL_OFFSET	192
+define CQ_RING_MASK_OFFSET	260
+define CQ_RING_ENTRIES_OFFSET	268
+define CQ_RING_OVERFLOW_OFFSET	284
+define CQ_FLAGS_OFFSET	280
+
+# Notice all offsets are pointing to uint32 values. This is assumed for the 
+io_uring_offsets = SQ_HEAD_OFFSET, SQ_TAIL_OFFSET, SQ_RING_MASK_OFFSET, SQ_RING_ENTRIES_OFFSET, SQ_FLAGS_OFFSET, SQ_DROPPED_OFFSET, CQ_HEAD_OFFSET, CQ_TAIL_OFFSET, CQ_RING_MASK_OFFSET, CQ_RING_ENTRIES_OFFSET, CQ_RING_OVERFLOW_OFFSET, CQ_FLAGS_OFFSET
+
+# Also, all values are int32, thus, set nbytes to 4.
+syz_memcpy_off$IO_URING_METADATA_GENERIC(ring_ptr ring_ptr, off flags[io_uring_offsets], src ptr[in, int32], src_off const[0], nbytes const[4])
+
+# The flags available are: IORING_SQ_NEED_WAKEUP (1) for sq, IORING_CQ_EVENTFD_DISABLED (1) for cq. Use int32[0:1] to represent possible values.
+io_uring_flags_offsets = SQ_FLAGS_OFFSET, CQ_FLAGS_OFFSET
+syz_memcpy_off$IO_URING_METADATA_FLAGS(ring_ptr ring_ptr, flag_off flags[io_uring_flags_offsets], src ptr[in, int32[0:1]], src_off const[0], nbytes const[4])
+
+io_uring_probe {
+	last_op	const[0, int8]
+	ops_len	const[0, int8]
+	resv	const[0, int16]
+	resv2	array[const[0, int32], 3]
+	ops	array[io_uring_probe_op, 0:IORING_OP_LAST]
+}
+
+io_uring_probe_op {
+	op	const[0, int8]
+	resv	const[0, int8]
+	flags	const[0, int16]
+	resv2	const[0, int32]
+}
+
+io_uring_files_update {
+	offset	int32
+	resv	const[0, int32]
+	fds	ptr64[in, array[fd]]
+}
+
+# NEED: part of fields are input here and part are output. We can't express this yet (#245).
 io_uring_params {
+# sq_entries, cq_entries, features, wq_fd, sq_off, and cq_off are set by the kernel
 	sq_entries	const[0, int32]
-	cq_entries	const[0, int32]
+	cq_entries	int32[0:IORING_MAX_CQ_ENTRIES]
 	flags		flags[io_uring_setup_flags, int32]
 	sq_thread_cpu	int32[0:3]
 	sq_thread_idle	int32[0:1000]
 	features	const[0, int32]
-	resv		array[const[0, int32], 4]
-	sq_off		io_sqring_offsets
-	cq_off		io_sqring_offsets
+	wq_fd		fd_io_uring[opt]
+	resv		array[const[0, int32], 3]
+# We don't really use them (they are hard-coded). Thus, just pass some memory region of their size.
+	sq_off		array[const[0, int32], 10]
+	cq_off		array[const[0, int32], 10]
+}
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+# Descriptions for sq_ring and cq_ring manipulation # # # # # # # # # # # # # #
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# Retrieve the cqe at the head of the cq_ring and advance the head. The only meaningful
+# resource contained within a cqe is by the completion of openat or openat2 calls,
+# which produce fd. If that is the case, returns the return value of those. Otherwise,
+# for other operations, returns an invalid fd (-1).
+syz_io_uring_complete(ring_ptr ring_ptr) fd
+
+# Submit sqe into the sq_ring
+syz_io_uring_submit(ring_ptr ring_ptr, sqes_ptr sqes_ptr, sqe ptr[in, io_uring_sqe_u], sqes_index int32)
+
+io_uring_sqe_u [
+	IORING_OP_NOP			io_uring_sqe_nop
+	IORING_OP_READV			io_uring_sqe_readv
+	IORING_OP_WRITEV		io_uring_sqe_writev
+	IORING_OP_FSYNC			io_uring_sqe_fsync
+	IORING_OP_READ_FIXED		io_uring_sqe_read_fixed
+	IORING_OP_WRITE_FIXED		io_uring_sqe_write_fixed
+	IORING_OP_POLL_ADD		io_uring_sqe_poll_add
+	IORING_OP_POLL_REMOVE		io_uring_sqe_poll_remove
+	IORING_OP_SYNC_FILE_RANGE	io_uring_sqe_sync_file_range
+	IORING_OP_SENDMSG		io_uring_sqe_sendmsg
+	IORING_OP_RECVMSG		io_uring_sqe_recvmsg
+	IORING_OP_TIMEOUT		io_uring_sqe_timeout
+	IORING_OP_TIMEOUT_REMOVE	io_uring_sqe_timeout_remove
+	IORING_OP_ACCEPT		io_uring_sqe_accept
+	IORING_OP_ASYNC_CANCEL		io_uring_sqe_async_cancel
+	IORING_OP_LINK_TIMEOUT		io_uring_sqe_link_timeout
+	IORING_OP_CONNECT		io_uring_sqe_connect
+	IORING_OP_FALLOCATE		io_uring_sqe_fallocate
+	IORING_OP_OPENAT		io_uring_sqe_openat
+	IORING_OP_CLOSE			io_uring_sqe_close
+	IORING_OP_FILES_UPDATE		io_uring_sqe_files_update
+	IORING_OP_STATX			io_uring_sqe_statx
+	IORING_OP_READ			io_uring_sqe_read
+	IORING_OP_WRITE			io_uring_sqe_write
+	IORING_OP_FADVISE		io_uring_sqe_fadvise
+	IORING_OP_MADVISE		io_uring_sqe_madvise
+	IORING_OP_SEND			io_uring_sqe_send
+	IORING_OP_RECV			io_uring_sqe_recv
+	IORING_OP_OPENAT2		io_uring_sqe_openat2
+	IORING_OP_EPOLL_CTL		io_uring_sqe_epoll_ctl
+	IORING_OP_SPLICE		io_uring_sqe_splice
+	IORING_OP_PROVIDE_BUFFERS	io_uring_sqe_provide_buffers
+	IORING_OP_REMOVE_BUFFERS	io_uring_sqe_remove_buffers
+	IORING_OP_TEE			io_uring_sqe_tee
+]
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+# io_uring submission queue entry (io_uring_sqe) descriptions # # # # # # # # #
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+#
+# sqe type template
+#
+
+type io_uring_sqe_t[OP, IOPRIO, FD, OFF, ADDR, LEN, MISC_FLAGS, USER_DATA, MISC] {
+	opcode		const[OP, int8]
+	flags		flags[iosqe_flags, int8]
+	ioprio		IOPRIO
+	fd		FD
+	off		OFF
+	addr		ADDR
+	len		LEN
+	misc_flags	MISC_FLAGS
+	user_data	flags[USER_DATA, int64]
+# This is a union of different possibilites with a padding at the end.
+	misc		MISC
+} [size[SIZEOF_IO_URING_SQE]]
+
+define SIZEOF_IO_URING_SQE	64
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+#
+# Instantiation of sqes for each op
+#
+
+type io_uring_sqe_nop io_uring_sqe_t[IORING_OP_NOP, const[0, int16], const[0, int32], const[0, int64], const[0, int64], const[0, int32], const[0, int32], zero_flag, array[const[0, int64], 3]]
+
+io_uring_sqe_readv [
+	pass_iovec		io_uring_sqe_t[IORING_OP_READV, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], ptr[in, array[iovec_out]], len[addr, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+	use_registered_buffer	io_uring_sqe_t[IORING_OP_READV, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], const[0, int64], const[0, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, buf_index_personality_misc]
+]
+
+type io_uring_sqe_writev io_uring_sqe_t[IORING_OP_WRITEV, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], ptr[in, array[iovec_in]], len[addr, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, buf_index_personality_misc]
+type io_uring_sqe_fsync io_uring_sqe_t[IORING_OP_FSYNC, const[0, int16], fd_or_fixed_fd_index, const[0, int64], const[0, int64], const[0, int32], flags[io_uring_fsync_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_read_fixed io_uring_sqe_t[IORING_OP_READ_FIXED, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], int64, int32, flags[rwf_flags, int32], sqe_user_data_not_openat, buf_index_personality_misc]
+type io_uring_sqe_write_fixed io_uring_sqe_t[IORING_OP_WRITE_FIXED, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], int64, int32, flags[rwf_flags, int32], sqe_user_data_not_openat, buf_index_personality_misc]
+type io_uring_sqe_poll_add io_uring_sqe_t[IORING_OP_POLL_ADD, const[0, int16], fd_or_fixed_fd_index, const[0, int64], const[0, int64], const[0, int32], io_uring_sqe_poll_add_misc_flags, sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_poll_remove io_uring_sqe_t[IORING_OP_POLL_REMOVE, const[0, int16], const[0, int32], const[0, int64], flags[sqe_user_data, int64], const[0, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_sync_file_range io_uring_sqe_t[IORING_OP_SYNC_FILE_RANGE, const[0, int16], fd_or_fixed_fd_index, fileoff[int64], const[0, int64], int32, flags[sync_file_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_sendmsg io_uring_sqe_t[IORING_OP_SENDMSG, const[0, int16], sock, const[0, int64], ptr[in, send_msghdr], const[0, int32], flags[send_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_recvmsg io_uring_sqe_t[IORING_OP_RECVMSG, const[0, int16], sock, const[0, int64], ptr[inout, recv_msghdr], const[0, int32], flags[recv_flags, int32], sqe_user_data_not_openat, buf_group_personality_misc]
+type io_uring_sqe_timeout io_uring_sqe_t[IORING_OP_TIMEOUT, const[0, int16], const[0, int32], io_uring_timeout_completion_event_count, ptr[in, timespec], const[1, int32], flags[io_uring_timeout_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_timeout_remove io_uring_sqe_t[IORING_OP_TIMEOUT_REMOVE, const[0, int16], const[0, int32], const[0, int64], flags[sqe_user_data, int64], const[0, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_accept io_uring_sqe_t[IORING_OP_ACCEPT, const[0, int16], sock, ptr[inout, len[addr, int32]], ptr[out, sockaddr_storage, opt], const[0, int32], flags[accept_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_async_cancel io_uring_sqe_t[IORING_OP_ASYNC_CANCEL, const[0, int16], const[0, int32], const[0, int64], flags[sqe_user_data, int64], const[0, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_link_timeout io_uring_sqe_t[IORING_OP_LINK_TIMEOUT, const[0, int16], const[0, int32], const[0, int64], ptr[in, timespec], const[1, int32], flags[io_uring_timeout_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_connect io_uring_sqe_t[IORING_OP_CONNECT, const[0, int16], sock, len[addr, int32], ptr[in, sockaddr_storage], const[0, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_fallocate io_uring_sqe_t[IORING_OP_FALLOCATE, const[0, int16], fd_or_fixed_fd_index, fileoff[int64], const[0, int64], int32, const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_openat io_uring_sqe_t[IORING_OP_OPENAT, const[0, int16], fd_dir[opt], const[0, int64], ptr[in, filename], flags[open_mode, int32], flags[open_flags, int32], sqe_user_data_openat, personality_only_misc]
+type io_uring_sqe_close io_uring_sqe_t[IORING_OP_CLOSE, const[0, int16], fd, const[0, int64], const[0, int64], const[0, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_files_update io_uring_sqe_t[IORING_OP_FILES_UPDATE, const[0, int16], const[0, int32], fileoff[int64], ptr[in, array[fd]], len[addr, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_statx io_uring_sqe_t[IORING_OP_STATX, const[0, int16], fd_dir[opt], ptr[out, statx], ptr[in, filename], flags[statx_mask, int32], flags[statx_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+
+io_uring_sqe_read [
+	pass_buffer		io_uring_sqe_t[IORING_OP_READ, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], buffer[out], bytesize[addr, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+	use_registered_buffer	io_uring_sqe_t[IORING_OP_READ, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], const[0, int64], const[0, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, buf_index_personality_misc]
+]
+
+type io_uring_sqe_write io_uring_sqe_t[IORING_OP_WRITE, flags[ioprio_priorities, int16], fd_or_fixed_fd_index, fileoff[int64], buffer[in], bytesize[addr, int32], flags[rwf_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_fadvise io_uring_sqe_t[IORING_OP_FADVISE, const[0, int16], fd_or_fixed_fd_index, fileoff[int64], const[0, int64], int32, flags[fadvise_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_madvise io_uring_sqe_t[IORING_OP_MADVISE, const[0, int16], const[0, int32], const[0, int64], vma, len[addr, int32], flags[madvise_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+type io_uring_sqe_send io_uring_sqe_t[IORING_OP_SEND, const[0, int16], sock, const[0, int64], buffer[in], len[addr, int32], flags[send_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+
+io_uring_sqe_recv [
+	pass_buffer		io_uring_sqe_t[IORING_OP_RECV, const[0, int16], sock, const[0, int64], buffer[inout], len[addr, int32], flags[recv_flags, int32], sqe_user_data_not_openat, personality_only_misc]
+	use_registered_buffer	io_uring_sqe_t[IORING_OP_RECV, const[0, int16], sock, const[0, int64], const[0, int64], const[0, int32], flags[recv_flags, int32], sqe_user_data_not_openat, buf_group_personality_misc]
+]
+
+type io_uring_sqe_openat2 io_uring_sqe_t[IORING_OP_OPENAT2, const[0, int16], fd_dir[opt], ptr[in, open_how], ptr[in, filename], bytesize[off, int32], const[0, int32], sqe_user_data_openat, personality_only_misc]
+type io_uring_sqe_epoll_ctl_t[EPOLL_OP, EPOLL_EVENTS] io_uring_sqe_t[IORING_OP_EPOLL_CTL, const[0, int16], fd_epoll, EPOLL_EVENTS, fd, const[EPOLL_OP, int32], const[0, int32], sqe_user_data_not_openat, personality_only_misc]
+
+io_uring_sqe_epoll_ctl [
+	add	io_uring_sqe_epoll_ctl_t[EPOLL_CTL_ADD, ptr[in, epoll_event]]
+	del	io_uring_sqe_epoll_ctl_t[EPOLL_CTL_DEL, const[0, int64]]
+	mod	io_uring_sqe_epoll_ctl_t[EPOLL_CTL_MOD, ptr[in, epoll_event]]
+]
+
+type io_uring_sqe_splice io_uring_sqe_t[IORING_OP_SPLICE, const[0, int16], fd_or_fixed_fd_index, fileoff[int64], io_uring_sqe_splice_off_in, int32, flags[splice_flags, int32], sqe_user_data_not_openat, io_uring_sqe_splice_misc]
+type io_uring_sqe_provide_buffers io_uring_sqe_t[IORING_OP_PROVIDE_BUFFERS, const[0, int16], int32, io_uring_bid[int64], buffer[in], int32, const[0, int32], sqe_user_data_not_openat, buf_group_personality_misc]
+type io_uring_sqe_remove_buffers io_uring_sqe_t[IORING_OP_PROVIDE_BUFFERS, const[0, int16], int32, const[0, int64], const[0, int64], const[0, int32], const[0, int32], sqe_user_data_not_openat, buf_group_personality_misc]
+type io_uring_sqe_tee io_uring_sqe_t[IORING_OP_TEE, const[0, int16], fd_or_fixed_fd_index, const[0, int64], const[0, int64], int32, flags[splice_flags, int32], sqe_user_data_not_openat, io_uring_sqe_tee_misc]
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# 
+# Flags, enumerations, and misc fields of sqe ops
+#
+
+iosqe_flags = IOSQE_IO_DRAIN_BIT, IOSQE_IO_LINK_BIT, IOSQE_IO_HARDLINK_BIT, IOSQE_ASYNC_BIT, IOSQE_BUFFER_SELECT_BIT, IOSQE_FIXED_FILE_BIT
+
+fd_or_fixed_fd_index [
+	fd		fd
+# Use the registered files (io_uring_register$IORING_REGISTER_FILES) when IOSQE_FIXED_FILE_BIT is set in sqe.
+# To ease collisions, limit the indices.
+	fd_index	int32[0:10]
+]
+
+# 0 for normal file integrity sync, IORING_FSYNC_DATASYNC to provide data sync only semantics
+io_uring_fsync_flags = 0, IORING_FSYNC_DATASYNC
+
+# 0 for relative, IORING_TIMEOUT_ABS for absolute timeout value
+io_uring_timeout_flags = 0, IORING_TIMEOUT_ABS
+
+# The timeout condition is met when either the specific timeout expries, or the
+# specified number of events have completed. If not set, defaults to 1. Use a
+# limited range to allow utilization of this value to meet timeout condition besides
+# the timeout expiration.
+type io_uring_timeout_completion_event_count int64[0:10]
+
+# An already issued request can be attempted to be cancelled using ASYNC_CANCEL
+# operation. This operation identifies the operations using what's passed as
+# with user_data in their sqe. To ease collisions of ASYNC_CANCEL operation with
+# already submitted ones, use a limited range of values for user_data field.
+# Among all operations that can be achieved by submitting to the io_uring, only
+# openat and openat2 returns a useful resource (fd) that we can use for other
+# systemcalls. The resulting fds are returned within io_uring_cqe.res. The only way
+# to identify cqes for those operations is to keep track of their user data. Thus,
+# use a seperate set of sqe_user_data range for openat and openat2.
+sqe_user_data_not_openat = 0, 1
+sqe_user_data_openat = 0x12345, 0x23456
+sqe_user_data = 0, 1, 0x12345, 0x23456
+
+# The buffer id (bid) and the buffer group id (bgid) are registered using
+# IORING_OP_PROVIDE_BUFFERS. Use the ids in a limited range to ease collisions
+# with other operations.
+type io_uring_bid[T] T[0:3]
+type io_uring_bgid[T] T[0:3]
+
+zero_flag = 0
+
+io_uring_sqe_poll_add_misc_flags {
+	misc_flags		flags[pollfd_events, int16]
+# 2 bytes of padding to fill what is left from the union of flags
+	fill_flags_union	const[0, int16]
 }
 
-io_sqring_offsets {
-	head		const[0, int32]
-	tail		const[0, int32]
-	ring_mask	const[0, int32]
-	ring_entries	const[0, int32]
-	flags		const[0, int32]
-	dropped		const[0, int32]
-	array		const[0, int32]
-	resv1		const[0, int32]
-	resv2		const[0, int64]
+io_uring_sqe_splice_off_in {
+	splice_off_in_unused	const[0, int32]
+	splice_off_in		fd
 }
 
-io_uring_files_update {
-	offset	int32
-	fds	ptr[in, array[fd]]
+# Descriptions for MISC field of io_uring_sqe_t. The content for most are common
+# while there are a few specials.
+
+personality_only_misc {
+	buf_index_unused	const[0, int16]
+	ioring_personality_id	ioring_personality_id[opt]
+	pad_unused		array[const[0, int8], 20]
+}
+
+buf_index_personality_misc {
+	buf_index		io_uring_bid[int16]
+	ioring_personality_id	ioring_personality_id[opt]
+	pad_unused		array[const[0, int8], 20]
+}
+
+buf_group_personality_misc {
+	buf_group		io_uring_bgid[int16]
+	ioring_personality_id	ioring_personality_id[opt]
+	pad_unused		array[const[0, int8], 20]
+}
+
+io_uring_sqe_splice_misc {
+	buf_unused		const[0, int16]
+	ioring_personality_id	ioring_personality_id[opt]
+	splice_fd_in		fd
+	pad_unused		array[const[0, int64], 2]
+}
+
+io_uring_sqe_tee_misc {
+	buf_unused		const[0, int16]
+	ioring_personality_id	ioring_personality_id[opt]
+	splice_fd_in		fd
+	pad_unused		array[const[0, int64], 2]
 }
diff --git a/sys/linux/io_uring_386.const b/sys/linux/io_uring_386.const
index e740fc5fa..e689800e0 100644
--- a/sys/linux/io_uring_386.const
+++ b/sys/linux/io_uring_386.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_amd64.const b/sys/linux/io_uring_amd64.const
index 17cb79106..4666bae59 100644
--- a/sys/linux/io_uring_amd64.const
+++ b/sys/linux/io_uring_amd64.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_arm.const b/sys/linux/io_uring_arm.const
index e740fc5fa..e689800e0 100644
--- a/sys/linux/io_uring_arm.const
+++ b/sys/linux/io_uring_arm.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_arm64.const b/sys/linux/io_uring_arm64.const
index dda794af9..a3f60c7b6 100644
--- a/sys/linux/io_uring_arm64.const
+++ b/sys/linux/io_uring_arm64.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_mips64le.const b/sys/linux/io_uring_mips64le.const
index 98d413108..b7d68747e 100644
--- a/sys/linux/io_uring_mips64le.const
+++ b/sys/linux/io_uring_mips64le.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 5426
 __NR_io_uring_register = 5427
 __NR_io_uring_setup = 5425
diff --git a/sys/linux/io_uring_ppc64le.const b/sys/linux/io_uring_ppc64le.const
index c7afcaa57..c4e69d4d9 100644
--- a/sys/linux/io_uring_ppc64le.const
+++ b/sys/linux/io_uring_ppc64le.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_riscv64.const b/sys/linux/io_uring_riscv64.const
index dda794af9..a3f60c7b6 100644
--- a/sys/linux/io_uring_riscv64.const
+++ b/sys/linux/io_uring_riscv64.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/io_uring_s390x.const b/sys/linux/io_uring_s390x.const
index c7afcaa57..c4e69d4d9 100644
--- a/sys/linux/io_uring_s390x.const
+++ b/sys/linux/io_uring_s390x.const
@@ -1,20 +1,86 @@
 # AUTOGENERATED FILE
+CQ_FLAGS_OFFSET = 280
+CQ_HEAD_OFFSET = 128
+CQ_RING_ENTRIES_OFFSET = 268
+CQ_RING_MASK_OFFSET = 260
+CQ_RING_OVERFLOW_OFFSET = 284
+CQ_TAIL_OFFSET = 192
+EPOLL_CTL_ADD = 1
+EPOLL_CTL_DEL = 2
+EPOLL_CTL_MOD = 3
 IORING_ENTER_GETEVENTS = 1
 IORING_ENTER_SQ_WAKEUP = 2
+IORING_FSYNC_DATASYNC = 1
+IORING_MAX_CQ_ENTRIES = 65536
+IORING_MAX_ENTRIES = 32768
 IORING_OFF_CQ_RING = 134217728
 IORING_OFF_SQES = 268435456
 IORING_OFF_SQ_RING = 0
+IORING_OP_ACCEPT = 13
+IORING_OP_ASYNC_CANCEL = 14
+IORING_OP_CLOSE = 19
+IORING_OP_CONNECT = 16
+IORING_OP_EPOLL_CTL = 29
+IORING_OP_FADVISE = 24
+IORING_OP_FALLOCATE = 17
+IORING_OP_FILES_UPDATE = 20
+IORING_OP_FSYNC = 3
+IORING_OP_LAST = 34
+IORING_OP_LINK_TIMEOUT = 15
+IORING_OP_MADVISE = 25
+IORING_OP_NOP = 0
+IORING_OP_OPENAT = 18
+IORING_OP_OPENAT2 = 28
+IORING_OP_POLL_ADD = 6
+IORING_OP_POLL_REMOVE = 7
+IORING_OP_PROVIDE_BUFFERS = 31
+IORING_OP_READ = 22
+IORING_OP_READV = 1
+IORING_OP_READ_FIXED = 4
+IORING_OP_RECV = 27
+IORING_OP_RECVMSG = 10
+IORING_OP_SEND = 26
+IORING_OP_SENDMSG = 9
+IORING_OP_SPLICE = 30
+IORING_OP_STATX = 21
+IORING_OP_SYNC_FILE_RANGE = 8
+IORING_OP_TEE = 33
+IORING_OP_TIMEOUT = 11
+IORING_OP_TIMEOUT_REMOVE = 12
+IORING_OP_WRITE = 23
+IORING_OP_WRITEV = 2
+IORING_OP_WRITE_FIXED = 5
 IORING_REGISTER_BUFFERS = 0
 IORING_REGISTER_EVENTFD = 4
+IORING_REGISTER_EVENTFD_ASYNC = 7
 IORING_REGISTER_FILES = 2
 IORING_REGISTER_FILES_UPDATE = 6
+IORING_REGISTER_PERSONALITY = 9
+IORING_REGISTER_PROBE = 8
+IORING_SETUP_ATTACH_WQ = 32
+IORING_SETUP_CLAMP = 16
 IORING_SETUP_CQSIZE = 8
 IORING_SETUP_IOPOLL = 1
 IORING_SETUP_SQPOLL = 2
 IORING_SETUP_SQ_AFF = 4
+IORING_TIMEOUT_ABS = 1
 IORING_UNREGISTER_BUFFERS = 1
 IORING_UNREGISTER_EVENTFD = 5
 IORING_UNREGISTER_FILES = 3
+IORING_UNREGISTER_PERSONALITY = 10
+IOSQE_ASYNC_BIT = 4
+IOSQE_BUFFER_SELECT_BIT = 5
+IOSQE_FIXED_FILE_BIT = 0
+IOSQE_IO_DRAIN_BIT = 1
+IOSQE_IO_HARDLINK_BIT = 3
+IOSQE_IO_LINK_BIT = 2
+SIZEOF_IO_URING_SQE = 64
+SQ_DROPPED_OFFSET = 272
+SQ_FLAGS_OFFSET = 276
+SQ_HEAD_OFFSET = 0
+SQ_RING_ENTRIES_OFFSET = 264
+SQ_RING_MASK_OFFSET = 256
+SQ_TAIL_OFFSET = 64
 __NR_io_uring_enter = 426
 __NR_io_uring_register = 427
 __NR_io_uring_setup = 425
diff --git a/sys/linux/test/io_uring b/sys/linux/test/io_uring
new file mode 100644
index 000000000..3e28259d1
--- /dev/null
+++ b/sys/linux/test/io_uring
@@ -0,0 +1,22 @@
+# Create an io_uring instance
+r0 = io_uring_setup(0x1, &AUTO={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
+
+# mmap the ring and the sqes
+r1 = mmap$IORING_OFF_SQ_RING(&(0x7f00000a0000)=nil, 0x184, 0x3, 0x8001, r0, AUTO)
+r2 = mmap$IORING_OFF_SQES(&(0x7f00000b0000)=nil, 0x40, 0x3, 0x8001, r0, AUTO)
+
+# Set IORING_CQ_EVENTFD_DISABLED. Has no side-effect for the test,
+# only tests syz_memcpy_off().
+syz_memcpy_off$IO_URING_METADATA_FLAGS(r1, 0x114, &AUTO=0x1, 0x0, AUTO)
+
+# Write an openat2 operation to the submission queue
+syz_io_uring_submit(r1, r2, &AUTO=@IORING_OP_OPENAT2={AUTO, 0x0, AUTO, 0xffffffffffffff9c, &AUTO={0x42, 0x0, 0x0}, &AUTO='./file1\x00', AUTO, AUTO, 0x12345, {AUTO, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]} }, 0x0)
+
+# Notify the kernel about the submission and wait until completion
+io_uring_enter(r0, 0x1, 0x1, 0x1, 0x0, 0x0)
+
+# Get the resulting fd from the completion queue
+r3 = syz_io_uring_complete(r1)
+
+# Close the file
+close(r3)