-rw-r--r--executor/common_kvm_arm64.h19
-rw-r--r--executor/common_linux.h2
-rw-r--r--pkg/runtest/run.go17
-rw-r--r--pkg/vminfo/linux_syscalls.go1
-rw-r--r--sys/linux/dev_kvm_arm64.txt2
5 files changed, 36 insertions, 5 deletions
diff --git a/executor/common_kvm_arm64.h b/executor/common_kvm_arm64.h
index 66697b2cf..02e84aad8 100644
--- a/executor/common_kvm_arm64.h
+++ b/executor/common_kvm_arm64.h
@@ -361,3 +361,22 @@ static long syz_kvm_vgic_v3_setup(volatile long a0, volatile long a1, volatile l
return vgic_fd;
}
#endif
+
+#if SYZ_EXECUTOR || __NR_syz_kvm_assert_syzos_uexit
+static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1)
+{
+ struct kvm_run* run = (struct kvm_run*)a0;
+ uint64 expect = a1;
+
+ if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != ARM64_ADDR_UEXIT)) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if ((((uint64*)(run->mmio.data))[0]) != expect) {
+ errno = EDOM;
+ return -1;
+ }
+ return 0;
+}
+#endif
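Review bot: The data word is read with `((uint64*)(run->mmio.data))[0]` without checking `run->mmio.len` (or `is_write`), so an MMIO exit at ARM64_ADDR_UEXIT of a different width, or a read access, is compared against `expect` using bytes the guest never wrote; `data` is a `__u8[8]` in `struct kvm_run`, and the cast also relies on alignment and type-punning rather than a `memcpy`. I would extend the EINVAL guard to require a write of `sizeof(uint64)` bytes and copy the value out before comparing. The function is complete within the hunk.

```c
static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1)
{
	struct kvm_run* run = (struct kvm_run*)a0;
	uint64 expect = a1;
	uint64 actual;

	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != ARM64_ADDR_UEXIT) ||
	    !run->mmio.is_write || (run->mmio.len != sizeof(actual))) {
		errno = EINVAL;
		return -1;
	}

	// Copy rather than type-pun: data is a byte array with no alignment guarantee.
	memcpy(&actual, run->mmio.data, sizeof(actual));
	if (actual != expect) {
		errno = EDOM;
		return -1;
	}
	return 0;
}
```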
diff --git a/executor/common_linux.h b/executor/common_linux.h
index a84b2eeb0..5fc1bec2c 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3186,7 +3186,7 @@ error_clear_loop:
}
#endif
-#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu
+#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_assert_syzos_uexit
// KVM is not yet supported on RISC-V
#if !GOARCH_riscv64 && !GOARCH_arm
#include <errno.h>
diff --git a/pkg/runtest/run.go b/pkg/runtest/run.go
index 213ce3f58..ca3ed3b4b 100644
--- a/pkg/runtest/run.go
+++ b/pkg/runtest/run.go
@@ -563,10 +563,19 @@ func checkCallResult(req *runRequest, isC bool, run, call int, info *flatrpc.Pro
if len(inf.Signal) < 2 && !calls[callName] && len(info.Extra.Signal) == 0 {
return fmt.Errorf("run %v: call %v: no signal", run, call)
}
- // syz_btf_id_by_name is a pseudo-syscall that might not provide
- // any coverage when invoked.
- if len(inf.Cover) == 0 && callName != "syz_btf_id_by_name" {
- return fmt.Errorf("run %v: call %v: no cover", run, call)
+ // Pseudo-syscalls that might not provide any coverage when invoked.
+ noCovSyscalls := []string{"syz_btf_id_by_name", "syz_kvm_assert_syzos_uexit"}
+ if len(inf.Cover) == 0 {
+ found := true
+ for _, s := range noCovSyscalls {
+ if callName == s {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return fmt.Errorf("run %v: call %v: no cover", run, call)
+ }
}
calls[callName] = true
} else {
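Review bot: `found := true` before the loop means `!found` can never hold, so the "no cover" error is now unreachable for every call, not just the two pseudo-syscalls in `noCovSyscalls`; the initializer should be `found := false`. With only two names a `switch callName { case "syz_btf_id_by_name", "syz_kvm_assert_syzos_uexit": ... }` would also read more directly than the slice scan, but the inverted initial value is the defect to fix. checkCallResult begins outside the hunk.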
diff --git a/pkg/vminfo/linux_syscalls.go b/pkg/vminfo/linux_syscalls.go
index 95e3e54eb..935c9feea 100644
--- a/pkg/vminfo/linux_syscalls.go
+++ b/pkg/vminfo/linux_syscalls.go
@@ -83,6 +83,7 @@ var linuxSyscallChecks = map[string]func(*checkContext, *prog.Syscall) string{
"syz_kvm_vgic_v3_setup": linuxSyzSupportedOnArm64,
"syz_kvm_setup_syzos_vm": linuxSyzSupportedOnArm64,
"syz_kvm_add_vcpu": linuxSyzSupportedOnArm64,
+ "syz_kvm_assert_syzos_uexit": linuxSyzSupportedOnArm64,
"syz_emit_vhci": linuxVhciInjectionSupported,
"syz_init_net_socket": linuxSyzInitNetSocketSupported,
"syz_genetlink_get_family_id": linuxSyzGenetlinkGetFamilyIDSupported,
diff --git a/sys/linux/dev_kvm_arm64.txt b/sys/linux/dev_kvm_arm64.txt
index a32ea7fee..a510041dc 100644
--- a/sys/linux/dev_kvm_arm64.txt
+++ b/sys/linux/dev_kvm_arm64.txt
@@ -25,6 +25,8 @@ kvm_num_irqs = 32, 64, 128, 256, 512
# Set up the VGICv3 IRQ controller inside a VM.
syz_kvm_vgic_v3_setup(fd fd_kvmvm, ncpus intptr[0:4], nirqs flags[kvm_num_irqs]) fd_kvmdev
+syz_kvm_assert_syzos_uexit(run kvm_run_ptr, exitcode int64) (no_generate)
+
# Old-style way to set up a CPU inside a KVM VM.
syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[1024], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts])
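Review bot: The new `syz_kvm_assert_syzos_uexit` entry is the only pseudo-syscall in this block without the one-line `#` comment its neighbours carry, so a reader of the description file has to go to the executor to learn what it checks. Based on the executor implementation in this commit, a comment such as `# Check that the SyzOS vCPU exited via an MMIO write to the uexit address with the given exit code; fails with EINVAL/EDOM otherwise.` placed above the entry would match the surrounding style.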