-rw-r--r--executor/common_kvm.h25
-rw-r--r--executor/common_kvm_386.h7
-rw-r--r--executor/common_kvm_amd64.h1
-rw-r--r--executor/common_kvm_arm64.h1
-rw-r--r--executor/common_linux.h2
-rw-r--r--pkg/runtest/run.go2
-rw-r--r--pkg/vminfo/linux_syscalls.go92
-rw-r--r--sys/linux/dev_kvm_amd64.txt1
-rw-r--r--sys/linux/dev_kvm_arm64.txt1
9 files changed, 85 insertions, 47 deletions
diff --git a/executor/common_kvm.h b/executor/common_kvm.h
new file mode 100644
index 000000000..fecd00922
--- /dev/null
+++ b/executor/common_kvm.h
@@ -0,0 +1,25 @@
+// Copyright 2025 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+// This file is shared between executor and csource package.
+
+// Common KVM-related definitions.
+
+#if SYZ_EXECUTOR || __NR_syz_kvm_assert_syzos_kvm_exit
+static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
+{
+ struct kvm_run* run = (struct kvm_run*)a0;
+ uint64 expect = a1;
+
+ if (!run) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (run->exit_reason != expect) {
+ errno = EDOM;
+ return -1;
+ }
+ return 0;
+}
+#endif
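Review bot: syz_kvm_assert_syzos_kvm_exit carries no comment saying what it asserts or why a mismatch is reported as EDOM while a null run pointer is EINVAL, and because this header is shared with csource (per the comment at the top of the file) those errno values are the contract that generated test programs observe. Suggest a comment above the definition, e.g. `// Test-only assertion: returns -1/EINVAL when run is NULL and -1/EDOM when run->exit_reason differs from the expected exit reason in a1; returns 0 on match.` It would also help to note that the comparison is against the 32-bit exit_reason field of struct kvm_run, so expected values wider than 32 bits can never match; a short `// exit_reason is __u32; a1 is widened only to keep the pseudo-syscall signature uniform.` makes that visible to the next reader.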
diff --git a/executor/common_kvm_386.h b/executor/common_kvm_386.h
index 77ca4ce0e..f1b634150 100644
--- a/executor/common_kvm_386.h
+++ b/executor/common_kvm_386.h
@@ -24,6 +24,13 @@ static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1)
}
#endif
+#if SYZ_EXECUTOR || __NR_syz_kvm_assert_syzos_uexit
+static long syz_kvm_assert_syzos_kvm_exit(volatile long a0, volatile long a1)
+{
+ return 0;
+}
+#endif
+
#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
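Review bot: The guard added on the 386 stub tests `__NR_syz_kvm_assert_syzos_uexit`, but the function it wraps is `syz_kvm_assert_syzos_kvm_exit`; in a csource build that emits only the new pseudo-syscall the stub would presumably not be defined and the call fails to compile, and a program that uses only uexit gets an unused static function. Change the guard to `#if SYZ_EXECUTOR || __NR_syz_kvm_assert_syzos_kvm_exit` so it matches the definition, as the guard in common_kvm.h does. The stub also returns 0 without reading either argument, so on 386 the assertion can never fire; if that is intentional, a one-line comment such as `// No syzos exit check on 386; the assertion is a no-op here.` would make the asymmetry with common_kvm.h explicit. The syz_kvm_setup_cpu definition that starts on the last context lines continues outside the hunk.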
diff --git a/executor/common_kvm_amd64.h b/executor/common_kvm_amd64.h
index c21b8a09f..1344e635f 100644
--- a/executor/common_kvm_amd64.h
+++ b/executor/common_kvm_amd64.h
@@ -7,6 +7,7 @@
// See Intel Software Developer’s Manual Volume 3: System Programming Guide
// for details on what happens here.
+#include "common_kvm.h"
#include "common_kvm_amd64_syzos.h"
#include "kvm.h"
#include "kvm_amd64.S.h"
diff --git a/executor/common_kvm_arm64.h b/executor/common_kvm_arm64.h
index 97a6429fe..4428a3484 100644
--- a/executor/common_kvm_arm64.h
+++ b/executor/common_kvm_arm64.h
@@ -6,6 +6,7 @@
// Implementation of syz_kvm_setup_cpu pseudo-syscall.
#include <sys/mman.h>
+#include "common_kvm.h"
#include "kvm.h"
#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_setup_syzos_vm
diff --git a/executor/common_linux.h b/executor/common_linux.h
index dea1ba0c8..31ce14dc3 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -3187,7 +3187,7 @@ error_clear_loop:
}
#endif
-#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_assert_syzos_uexit || __NR_syz_kvm_assert_reg
+#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_assert_syzos_uexit || __NR_syz_kvm_assert_reg || __NR_syz_kvm_assert_syzos_kvm_exit
// KVM is not yet supported on RISC-V
#if !GOARCH_riscv64 && !GOARCH_arm
#include <errno.h>
diff --git a/pkg/runtest/run.go b/pkg/runtest/run.go
index 99c5f4698..f242fa137 100644
--- a/pkg/runtest/run.go
+++ b/pkg/runtest/run.go
@@ -556,7 +556,7 @@ func checkCallResult(req *runRequest, isC bool, run, call int, info *flatrpc.Pro
if req.ExecOpts.EnvFlags&flatrpc.ExecEnvSignal != 0 {
callName := req.Prog.Calls[call].Meta.CallName
// Pseudo-syscalls that might not provide any coverage when invoked.
- noCovSyscalls := []string{"syz_btf_id_by_name", "syz_kvm_assert_syzos_uexit"}
+ noCovSyscalls := []string{"syz_btf_id_by_name", "syz_kvm_assert_syzos_uexit", "syz_kvm_assert_syzos_kvm_exit"}
isNoCov := slices.Contains(noCovSyscalls, callName)
// Signal is always deduplicated, so we may not get any signal
// on a second invocation of the same syscall.
diff --git a/pkg/vminfo/linux_syscalls.go b/pkg/vminfo/linux_syscalls.go
index c5d1cf405..abd749be3 100644
--- a/pkg/vminfo/linux_syscalls.go
+++ b/pkg/vminfo/linux_syscalls.go
@@ -62,49 +62,50 @@ func linuxSupportedLSM(ctx *checkContext, call *prog.Syscall) string {
}
var linuxSyscallChecks = map[string]func(*checkContext, *prog.Syscall) string{
- "openat": supportedOpenat,
- "mount": linuxSupportedMount,
- "socket": linuxSupportedSocket,
- "socketpair": linuxSupportedSocket,
- "pkey_alloc": linuxPkeysSupported,
- "syz_open_dev": linuxSyzOpenDevSupported,
- "syz_open_procfs": linuxSyzOpenProcfsSupported,
- "syz_open_pts": alwaysSupported,
- "syz_execute_func": alwaysSupported,
- "syz_emit_ethernet": linuxNetInjectionSupported,
- "syz_extract_tcp_res": linuxNetInjectionSupported,
- "syz_usb_connect": linuxCheckUSBEmulation,
- "syz_usb_connect_ath9k": linuxCheckUSBEmulation,
- "syz_usb_disconnect": linuxCheckUSBEmulation,
- "syz_usb_control_io": linuxCheckUSBEmulation,
- "syz_usb_ep_write": linuxCheckUSBEmulation,
- "syz_usb_ep_read": linuxCheckUSBEmulation,
- "syz_kvm_setup_cpu": linuxSyzKvmSupported,
- "syz_kvm_vgic_v3_setup": linuxSyzSupportedOnArm64,
- "syz_kvm_setup_syzos_vm": linuxSyzKvmSupported,
- "syz_kvm_add_vcpu": linuxSyzKvmSupported,
- "syz_kvm_assert_syzos_uexit": linuxSyzKvmSupported,
- "syz_kvm_assert_reg": linuxSyzSupportedOnArm64,
- "syz_emit_vhci": linuxVhciInjectionSupported,
- "syz_init_net_socket": linuxSyzInitNetSocketSupported,
- "syz_genetlink_get_family_id": linuxSyzGenetlinkGetFamilyIDSupported,
- "syz_mount_image": linuxSyzMountImageSupported,
- "syz_read_part_table": linuxSyzReadPartTableSupported,
- "syz_io_uring_setup": alwaysSupported,
- "syz_io_uring_submit": alwaysSupported,
- "syz_io_uring_complete": alwaysSupported,
- "syz_memcpy_off": alwaysSupported,
- "syz_btf_id_by_name": linuxBtfVmlinuxSupported,
- "syz_fuse_handle_req": alwaysSupported,
- "syz_80211_inject_frame": linuxWifiEmulationSupported,
- "syz_80211_join_ibss": linuxWifiEmulationSupported,
- "syz_usbip_server_init": linuxSyzUsbIPSupported,
- "syz_clone": alwaysSupported,
- "syz_clone3": alwaysSupported,
- "syz_pkey_set": linuxPkeysSupported,
- "syz_socket_connect_nvme_tcp": linuxSyzSocketConnectNvmeTCPSupported,
- "syz_pidfd_open": alwaysSupported,
- "syz_create_resource": alwaysSupported,
+ "openat": supportedOpenat,
+ "mount": linuxSupportedMount,
+ "socket": linuxSupportedSocket,
+ "socketpair": linuxSupportedSocket,
+ "pkey_alloc": linuxPkeysSupported,
+ "syz_open_dev": linuxSyzOpenDevSupported,
+ "syz_open_procfs": linuxSyzOpenProcfsSupported,
+ "syz_open_pts": alwaysSupported,
+ "syz_execute_func": alwaysSupported,
+ "syz_emit_ethernet": linuxNetInjectionSupported,
+ "syz_extract_tcp_res": linuxNetInjectionSupported,
+ "syz_usb_connect": linuxCheckUSBEmulation,
+ "syz_usb_connect_ath9k": linuxCheckUSBEmulation,
+ "syz_usb_disconnect": linuxCheckUSBEmulation,
+ "syz_usb_control_io": linuxCheckUSBEmulation,
+ "syz_usb_ep_write": linuxCheckUSBEmulation,
+ "syz_usb_ep_read": linuxCheckUSBEmulation,
+ "syz_kvm_setup_cpu": linuxSyzKvmSupported,
+ "syz_kvm_vgic_v3_setup": linuxSyzSupportedOnArm64,
+ "syz_kvm_setup_syzos_vm": linuxSyzKvmSupported,
+ "syz_kvm_add_vcpu": linuxSyzKvmSupported,
+ "syz_kvm_assert_syzos_uexit": linuxSyzKvmSupported,
+ "syz_kvm_assert_syzos_kvm_exit": linuxSyzKvmSupported,
+ "syz_kvm_assert_reg": linuxSyzSupportedOnArm64,
+ "syz_emit_vhci": linuxVhciInjectionSupported,
+ "syz_init_net_socket": linuxSyzInitNetSocketSupported,
+ "syz_genetlink_get_family_id": linuxSyzGenetlinkGetFamilyIDSupported,
+ "syz_mount_image": linuxSyzMountImageSupported,
+ "syz_read_part_table": linuxSyzReadPartTableSupported,
+ "syz_io_uring_setup": alwaysSupported,
+ "syz_io_uring_submit": alwaysSupported,
+ "syz_io_uring_complete": alwaysSupported,
+ "syz_memcpy_off": alwaysSupported,
+ "syz_btf_id_by_name": linuxBtfVmlinuxSupported,
+ "syz_fuse_handle_req": alwaysSupported,
+ "syz_80211_inject_frame": linuxWifiEmulationSupported,
+ "syz_80211_join_ibss": linuxWifiEmulationSupported,
+ "syz_usbip_server_init": linuxSyzUsbIPSupported,
+ "syz_clone": alwaysSupported,
+ "syz_clone3": alwaysSupported,
+ "syz_pkey_set": linuxPkeysSupported,
+ "syz_socket_connect_nvme_tcp": linuxSyzSocketConnectNvmeTCPSupported,
+ "syz_pidfd_open": alwaysSupported,
+ "syz_create_resource": alwaysSupported,
}
func linuxSyzOpenDevSupported(ctx *checkContext, call *prog.Syscall) string {
@@ -180,12 +181,13 @@ func linuxSyzKvmSupported(ctx *checkContext, call *prog.Syscall) string {
if ctx.target.Arch == targets.AMD64 || ctx.target.Arch == targets.I386 {
return ""
}
- case "syz_kvm_setup_syzos_vm$x86", "syz_kvm_add_vcpu$x86", "syz_kvm_assert_syzos_uexit$x86":
+ case "syz_kvm_setup_syzos_vm$x86", "syz_kvm_add_vcpu$x86", "syz_kvm_assert_syzos_uexit$x86",
+ "syz_kvm_assert_syzos_kvm_exit$x86":
if ctx.target.Arch == targets.AMD64 {
return ""
}
case "syz_kvm_setup_cpu$arm64", "syz_kvm_setup_syzos_vm$arm64", "syz_kvm_add_vcpu$arm64",
- "syz_kvm_assert_syzos_uexit$arm64":
+ "syz_kvm_assert_syzos_uexit$arm64", "syz_kvm_assert_syzos_kvm_exit$arm64":
if ctx.target.Arch == targets.ARM64 {
return ""
}
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt
index 6f052c375..541fcaa02 100644
--- a/sys/linux/dev_kvm_amd64.txt
+++ b/sys/linux/dev_kvm_amd64.txt
@@ -24,6 +24,7 @@ syz_kvm_add_vcpu$x86(vm kvm_syz_vm$x86, text ptr[in, kvm_text$x86]) fd_kvmcpu (n
# Test assertions, will not be used by the fuzzer.
syz_kvm_assert_syzos_uexit$x86(run kvm_run_ptr, exitcode intptr) (no_generate)
+syz_kvm_assert_syzos_kvm_exit$x86(run kvm_run_ptr, exitcode intptr) (no_generate)
# Pseudo call that setups VCPU into a reasonable interesting state for execution.
# The interface is designed for extensibility so that addition of new options does not invalidate all existing programs.
diff --git a/sys/linux/dev_kvm_arm64.txt b/sys/linux/dev_kvm_arm64.txt
index 71c27dba1..53e2d71e8 100644
--- a/sys/linux/dev_kvm_arm64.txt
+++ b/sys/linux/dev_kvm_arm64.txt
@@ -29,6 +29,7 @@ syz_kvm_vgic_v3_setup(fd fd_kvmvm, ncpus intptr[0:4], nirqs flags[kvm_num_irqs])
# Test assertions, will not be used by the fuzzer.
syz_kvm_assert_syzos_uexit$arm64(run kvm_run_ptr, exitcode int64) (no_generate)
syz_kvm_assert_reg(fd fd_kvmcpu, reg int64, value int64) (no_generate)
+syz_kvm_assert_syzos_kvm_exit$arm64(run kvm_run_ptr, exitcode int64) (no_generate)
# Old-style way to set up a CPU inside a KVM VM.
syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[1024], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts])