diff options
| -rw-r--r-- | sys/linux/dev_bsg.txt | 84 | ||||
| -rw-r--r-- | sys/linux/dev_bsg.txt.const | 23 | ||||
| -rw-r--r-- | sys/linux/sys.txt | 1 |
3 files changed, 107 insertions, 1 deletions
diff --git a/sys/linux/dev_bsg.txt b/sys/linux/dev_bsg.txt new file mode 100644 index 000000000..f3fc3275b --- /dev/null +++ b/sys/linux/dev_bsg.txt @@ -0,0 +1,84 @@ +# Copyright 2025 syzkaller project authors. All rights reserved. +# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. + +include <linux/blkdev.h> +include <scsi/scsi.h> +include <scsi/scsi_ioctl.h> +include <scsi/sg.h> +include <linux/bsg.h> + +resource fd_bsg[fd_sg] + +openat$bsg(fd const[AT_FDCWD], file ptr[in, string[bsg_devices]], flags flags[open_flags], mode const[0]) fd_bsg + +# bsg shares some ioctl calls with main sg driver in sys/linux/dev_sg.txt. +# Describe them here separately for the sake of clarity and visibility. +ioctl$BSG_GET_COMMAND_Q(fd fd_bsg, cmd const[SG_GET_COMMAND_Q], arg ptr[out, int32]) +ioctl$BSG_SET_COMMAND_Q(fd fd_bsg, cmd const[SG_SET_COMMAND_Q], arg ptr[in, bool32]) + +ioctl$BSG_GET_VERSION_NUM(fd fd_bsg, cmd const[SG_GET_VERSION_NUM], arg ptr[out, int32]) +ioctl$BSG_SET_TIMEOUT(fd fd_bsg, cmd const[SG_SET_TIMEOUT], arg ptr[in, int64]) +ioctl$BSG_GET_TIMEOUT(fd fd_bsg, cmd const[SG_GET_TIMEOUT], arg const[0]) +ioctl$BSG_GET_RESERVED_SIZE(fd fd_bsg, cmd const[SG_GET_RESERVED_SIZE], arg ptr[out, int32]) +ioctl$BSG_SET_RESERVED_SIZE(fd fd_bsg, cmd const[SG_SET_RESERVED_SIZE], arg ptr[in, int32]) +ioctl$BSG_EMULATED_HOST(fd fd_bsg, cmd const[SG_EMULATED_HOST], arg ptr[out, int32]) + +ioctl$BSG_IO(fd fd_bsg, cmd const[SG_IO], arg ptr[inout, sg_io_v4]) + +# TODO: Double-check and narrow down some of the missing constraints +# on expected values in this struct to make fuzzing more effective. +# For instance, such fields as: +# req_tag, req_prio, d[in,out]_iovec_count, d[in,out]_xferp, flags, usr_ptr +sg_io_v4 { + guard flags[bsg_guard, int32] + prot const[BSG_PROTOCOL_SCSI, int32] + subprot int32[bsg_sub_protocols] + + req_len len[req, int32] + req ptr[in, array[int8, 1:SCSI_CDB_SIZE]] + req_tag int64 + req_attr const[0, int32] + req_prio int32 + req_extra int32 + max_resp_len bytesize[resp, int32] + resp ptr[out, array[int8, SCSI_SENSE_BUFFERSIZE]] + +# TODO: Figure out the logic behind scatter lists pointed to by din_xferp (and dout_xferp) +# and how to account for it in syz-lang. For now, keep it simple with 0. + dout_iovec_count const[0, int32] + dout_xfer_len len[dout_xferp, int32] + din_iovec_count const[0, int32] + din_xfer_len len[din_xferp, int32] + dout_xferp ptr[in, array[int8, 0:BSG_XFER_SIZE]] + din_xferp ptr[out, array[int8, 0:BSG_XFER_SIZE]] + + timeout int32 + flags flags[bsg_flags, int32] + usr_ptr ptr[inout, array[int8]] + spare_in int32 + + drv_status const[0, int32] + trans_status const[0, int32] + dev_status const[0, int32] + retry_delay const[0, int32] + info const[0, int32] + dur const[0, int32] + resp_len const[0, int32] + din_resid const[0, int32] + dout_resid const[0, int32] + gen_tag const[0, int64] + spare_out const[0, int32] + + pad const[0, int32] +} + +# TODO: Format for bsg devices' names: "/dev/bsg/a:b:c:d". Figure out if a more sensible option exists +# apart from hardcoding it (like below). +bsg_devices = "/dev/bsg/0:0:0:0", "/dev/bsg/1:0:0:0", "/dev/bsg/2:0:0:0", "/dev/bsg/3:0:0:0" +bsg_sub_protocols = BSG_SUB_PROTOCOL_SCSI_CMD, BSG_SUB_PROTOCOL_SCSI_TMF, BSG_SUB_PROTOCOL_SCSI_TRANSPORT +bsg_flags = BSG_FLAG_Q_AT_TAIL, BSG_FLAG_Q_AT_HEAD +bsg_guard = 0, 'Q' + +define SCSI_SENSE_BUFFERSIZE 96 +define SCSI_CDB_SIZE 32 +define BSG_XFER_SIZE 128 diff --git a/sys/linux/dev_bsg.txt.const b/sys/linux/dev_bsg.txt.const new file mode 100644 index 000000000..e0a6045d2 --- /dev/null +++ b/sys/linux/dev_bsg.txt.const @@ -0,0 +1,23 @@ +# Code generated by syz-sysgen. DO NOT EDIT. +arches = 386, amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x +AT_FDCWD = 18446744073709551516 +BSG_FLAG_Q_AT_HEAD = 32 +BSG_FLAG_Q_AT_TAIL = 16 +BSG_PROTOCOL_SCSI = 0 +BSG_SUB_PROTOCOL_SCSI_CMD = 0 +BSG_SUB_PROTOCOL_SCSI_TMF = 1 +BSG_SUB_PROTOCOL_SCSI_TRANSPORT = 2 +BSG_XFER_SIZE = 128 +SCSI_CDB_SIZE = 32 +SCSI_SENSE_BUFFERSIZE = 96 +SG_EMULATED_HOST = 8707 +SG_GET_COMMAND_Q = 8816 +SG_GET_RESERVED_SIZE = 8818 +SG_GET_TIMEOUT = 8706 +SG_GET_VERSION_NUM = 8834 +SG_IO = 8837 +SG_SET_COMMAND_Q = 8817 +SG_SET_RESERVED_SIZE = 8821 +SG_SET_TIMEOUT = 8705 +__NR_ioctl = 54, amd64:16, arm64:riscv64:29, mips64le:5015 +__NR_openat = 56, 386:295, amd64:257, arm:322, mips64le:5247, ppc64le:286, s390x:288 diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt index a48d38c0b..947be41ab 100644 --- a/sys/linux/sys.txt +++ b/sys/linux/sys.txt @@ -727,7 +727,6 @@ openat$nmem0(fd const[AT_FDCWD], file ptr[in, string["/dev/nmem0"]], flags flags openat$nvram(fd const[AT_FDCWD], file ptr[in, string["/dev/nvram"]], flags flags[open_flags], mode const[0]) fd openat$ocfs2_control(fd const[AT_FDCWD], file ptr[in, string["/dev/ocfs2_control"]], flags flags[open_flags], mode const[0]) fd openat$nvme_fabrics(fd const[AT_FDCWD], file ptr[in, string["/dev/nvme-fabrics"]], flags flags[open_flags], mode const[0]) fd -openat$bsg(fd const[AT_FDCWD], file ptr[in, string["/dev/bsg"]], flags flags[open_flags], mode const[0]) fd pipefd { rfd fd |