authorAlexander Potapenko <glider@google.com>2024-07-29 19:59:33 +0200
committerAlexander Potapenko <glider@google.com>2024-08-05 14:51:16 +0000
commite2c47158756b66f9f8b645e2762bc1b3b15e0dd8 (patch)
tree69aeadb3582c789f5930f923f05d3e3aa251520f /sys
parentec6639f4fda05eef04a841b812298a932ad6e70f (diff)
executor: arm64: add SYZOS_API_MSR
MSR is an ARM64 instruction that writes a value from a general-purpose register to one of the system registers. Exposing those registers to a fuzzer lets us trigger unexpected behavior in the kernel's handling of them.

The SYZOS_API_MSR call takes two int64 arguments: the register ID and the value. Register IDs are 64-bit values obtained from ARM64_SYS_REG() in the Linux asm/kvm.h UAPI header; the same register IDs are used by ioctl$KVM_GET_ONE_REG and ioctl$KVM_SET_ONE_REG.

Also add sys/linux/test/syz_kvm_setup_cpu_arm64-msr.
Diffstat (limited to 'sys')
-rw-r--r--sys/linux/dev_kvm.txt8
-rw-r--r--sys/linux/test/syz_kvm_setup_cpu_arm64-msr12
2 files changed, 20 insertions, 0 deletions
diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
index ace3a7330..16434a1d0 100644
--- a/sys/linux/dev_kvm.txt
+++ b/sys/linux/dev_kvm.txt
@@ -254,9 +254,17 @@ syzos_api_code {
ret const[0xd65f03c0, int32]
} [packed]
+syzos_api_msr {
+ call const[2, int64]
+ size bytesize[parent, int64]
+ arg_reg flags[kvm_regs_arm64_sys, int64]
+ arg_value int64
+}
+
syzos_api_call [
uexit syzos_api_uexit
code syzos_api_code
+ msr syzos_api_msr
] [varlen]
kvm_text_ppc64 {
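Review bot: syzos_api_msr carries no description of its fields; the commit message is currently the only place saying that arg_reg is an ARM64_SYS_REG() ID shared with KVM_GET_ONE_REG/KVM_SET_ONE_REG and that arg_value is the 64-bit value the guest moves into that register. A comment above the struct would keep that next to the definition: `# MSR arg_reg, arg_value: arg_reg is an ARM64_SYS_REG() ID from asm/kvm.h (the same encoding KVM_GET_ONE_REG/KVM_SET_ONE_REG take); the guest writes arg_value to it.`. The `call const[2, int64]` discriminator and the field order presumably have to match the executor-side handler and its enum, which this diff (limited to sys/) does not show, so naming that counterpart in the comment would help keep the two in sync. Because kvm_regs_arm64_sys is a flags set rather than a range, it likely contains registers that cannot be written from the guest's exception level and whose MSR will trap or fault; worth confirming that the executor handles such a fault without losing the rest of the API calls in the same program. kvm_text_ppc64 begins on the hunk's last line and continues outside it.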
diff --git a/sys/linux/test/syz_kvm_setup_cpu_arm64-msr b/sys/linux/test/syz_kvm_setup_cpu_arm64-msr
new file mode 100644
index 000000000..210223d8a
--- /dev/null
+++ b/sys/linux/test/syz_kvm_setup_cpu_arm64-msr
@@ -0,0 +1,12 @@
+#
+# requires: arch=arm64
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = ioctl$KVM_CREATE_VCPU(r1, AUTO, 0x0)
+#
+# 0x603000000013c600 is VBAR_EL1, it aligns the written value on 0x20.
+#
+syz_kvm_setup_cpu$arm64(r1, r2, &(0x7f0000e8a000/0x18000)=nil, &AUTO=[{0x0, &AUTO=[@msr={AUTO, AUTO, 0x603000000013c600, 0xfefefee0}], AUTO}], 0x1, 0x0, 0x0, 0x0)
+ioctl$KVM_RUN(r2, AUTO, 0x0)
+ioctl$KVM_GET_ONE_REG(r2, AUTO, &AUTO=@arm64_sys={0x603000000013c600, &AUTO})
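Review bot: The comment above the syz_kvm_setup_cpu$arm64 call says VBAR_EL1 aligns the written value on 0x20, but as far as the ARM ARM documents it the VBAR_EL1 vector base is 2KB-aligned (bits [10:0] RES0), so the value KVM_GET_ONE_REG returns may differ from 0xfefefee0 in more than the low five bits; verify this against the architecture and KVM's sysreg emulation before anyone relies on the comment. Nothing in the program compares the read-back value with what was written, so it is unclear whether the test is meant to prove the MSR reached the register or only that the MSR path executes; a one-line note would settle that, e.g. `# The read-back value is not checked here; the test only exercises the MSR path.`. The header comment could also state that the register ID uses the ARM64_SYS_REG() encoding, as the commit message does, so a reader of the test alone knows where 0x603000000013c600 comes from.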