-rw-r--r--CONTRIBUTORS1
-rw-r--r--executor/common_linux.h16
-rw-r--r--pkg/csource/generated.go12
-rw-r--r--sys/linux/io_uring.txt2
-rw-r--r--sys/linux/test/io_uring2
5 files changed, 15 insertions, 18 deletions
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 1f78fd42b..49b48d104 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -120,3 +120,4 @@ George Kennedy
Arm Ltd
Andrew Turner
h0wdy
+Dylan Yudaken \ No newline at end of file
diff --git a/executor/common_linux.h b/executor/common_linux.h
index ff27913d9..62f0b3f2c 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1931,18 +1931,16 @@ struct io_uring_params {
#include <unistd.h>
// Wrapper for io_uring_setup and the subsequent mmap calls that map the ring and the sqes
-static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
+static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
- // syzlang: syz_io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params], addr_ring vma, addr_sqes vma, ring_ptr ptr[out, ring_ptr], sqes_ptr ptr[out, sqes_ptr]) fd_io_uring
- // C: syz_io_uring_setup(uint32 entries, struct io_uring_params* params, void* mmap_addr_ring, void* mmap_addr_sqes, void** ring_ptr_out, void** sqes_ptr_out) // returns uint32 fd_io_uring
+ // syzlang: syz_io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params], ring_ptr ptr[out, ring_ptr], sqes_ptr ptr[out, sqes_ptr]) fd_io_uring
+ // C: syz_io_uring_setup(uint32 entries, struct io_uring_params* params, void** ring_ptr_out, void** sqes_ptr_out) // returns uint32 fd_io_uring
// Cast to original
uint32 entries = (uint32)a0;
struct io_uring_params* setup_params = (struct io_uring_params*)a1;
- void* vma1 = (void*)a2;
- void* vma2 = (void*)a3;
- void** ring_ptr_out = (void**)a4;
- void** sqes_ptr_out = (void**)a5;
+ void** ring_ptr_out = (void**)a2;
+ void** sqes_ptr_out = (void**)a3;
uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
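Review bot: The io_uring_setup result on the last line of the hunk is still stored in a `uint32` and never tested, so a failed setup (-1) becomes 0xffffffff, is used as the fd for the following mmap calls, and is handed back through the `long` return as 4294967295 rather than a negative value. The commit drops the caller-supplied vma addresses but leaves this path untouched, and after a failed setup the size computations that follow read `setup_params` fields the kernel presumably never filled in. I would keep the syscall's width and bail out early: `long fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);` followed by `if (fd_io_uring < 0) return fd_io_uring;`. Whether the executor depends on a particular failure encoding from pseudo-syscalls I cannot tell from this hunk; syz_io_uring_setup's body continues in the next hunk.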
@@ -1954,10 +1952,10 @@ static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long
// The implication is that the sq_ring_ptr and the cq_ring_ptr are the same but the
// difference is in the offsets to access the fields of these rings.
uint32 ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
- *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
+ *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
uint32 sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
- *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
+ *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
return fd_io_uring;
}
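Review bot: Neither mmap result on the two rewritten lines is checked, so when a mapping fails `*ring_ptr_out` or `*sqes_ptr_out` is left holding `MAP_FAILED` while a valid-looking fd is still returned, and whatever later dereferences those out-pointers hits (void*)-1. With `MAP_FIXED` and the caller hints gone the addresses are now kernel-chosen, so this is the only place a bad mapping can be noticed. I would add `if (*ring_ptr_out == MAP_FAILED || *sqes_ptr_out == MAP_FAILED) return -1;` before the return; this leaks the fd on that path, which may be acceptable for a fuzzer process but should be a deliberate choice. The function's signature is in the previous hunk.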
diff --git a/pkg/csource/generated.go b/pkg/csource/generated.go
index 4f704ebf9..019cd1582 100644
--- a/pkg/csource/generated.go
+++ b/pkg/csource/generated.go
@@ -4447,23 +4447,21 @@ struct io_uring_params {
#include <sys/mman.h>
#include <unistd.h>
-static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5)
+static long syz_io_uring_setup(volatile long a0, volatile long a1, volatile long a2, volatile long a3)
{
uint32 entries = (uint32)a0;
struct io_uring_params* setup_params = (struct io_uring_params*)a1;
- void* vma1 = (void*)a2;
- void* vma2 = (void*)a3;
- void** ring_ptr_out = (void**)a4;
- void** sqes_ptr_out = (void**)a5;
+ void** ring_ptr_out = (void**)a2;
+ void** sqes_ptr_out = (void**)a3;
uint32 fd_io_uring = syscall(__NR_io_uring_setup, entries, setup_params);
uint32 sq_ring_sz = setup_params->sq_off.array + setup_params->sq_entries * sizeof(uint32);
uint32 cq_ring_sz = setup_params->cq_off.cqes + setup_params->cq_entries * SIZEOF_IO_URING_CQE;
uint32 ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
- *ring_ptr_out = mmap(vma1, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQ_RING);
+ *ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
uint32 sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
- *sqes_ptr_out = mmap(vma2, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE | MAP_FIXED, fd_io_uring, IORING_OFF_SQES);
+ *sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
return fd_io_uring;
}
diff --git a/sys/linux/io_uring.txt b/sys/linux/io_uring.txt
index efd8723b0..ed7112bad 100644
--- a/sys/linux/io_uring.txt
+++ b/sys/linux/io_uring.txt
@@ -19,7 +19,7 @@ define IORING_MAX_CQ_ENTRIES (2 * IORING_MAX_ENTRIES)
# First does the setup calling io_uring_setup, than calls mmap to map the ring and
# the sqes. It is hard for the fuzzer to generate correct programs using mmap calls
# with fuzzer-provided mmap length. This wrapper ensures correct length computation.
-syz_io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params], addr_ring vma, addr_sqes vma, ring_ptr ptr[out, ring_ptr], sqes_ptr ptr[out, sqes_ptr]) fd_io_uring
+syz_io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params], ring_ptr ptr[out, ring_ptr], sqes_ptr ptr[out, sqes_ptr]) fd_io_uring
io_uring_setup(entries int32[1:IORING_MAX_ENTRIES], params ptr[inout, io_uring_params]) fd_io_uring
io_uring_enter(fd fd_io_uring, to_submit int32[0:IORING_MAX_ENTRIES], min_complete int32[0:IORING_MAX_CQ_ENTRIES], flags flags[io_uring_enter_flags], sigmask ptr[in, sigset_t], size len[sigmask])
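Review bot: The wrapper's comment above the rewritten signature no longer explains where the ring and sqes mappings live now that the `addr_ring`/`addr_sqes` vma arguments are gone; a reader of this description has only the `ring_ptr`/`sqes_ptr` out-parameters to go on. I would extend the comment with `# The ring and sqes are mapped at kernel-chosen addresses and are reachable only through the ring_ptr/sqes_ptr outputs.` and fix the typo on its first line, `than` → `then`.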
diff --git a/sys/linux/test/io_uring b/sys/linux/test/io_uring
index 3e7e80371..9bb7fb66f 100644
--- a/sys/linux/test/io_uring
+++ b/sys/linux/test/io_uring
@@ -1,6 +1,6 @@
# Create an io_uring instance
-r0 = syz_io_uring_setup(0x1, &AUTO={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000000000000000000", [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f00000a0000)=nil, &(0x7f00000b0000)=nil, &AUTO=<r1=>0x0, &AUTO=<r2=>0x0)
+r0 = syz_io_uring_setup(0xF00, &AUTO={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000000000000000000", [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &AUTO=<r1=>0x0, &AUTO=<r2=>0x0)
# Set IORING_CQ_EVENTFD_DISABLED. Has no side-effect for the test,
# only tests syz_memcpy_off().