Diffstat (limited to 'sys/linux/test')
| -rw-r--r-- | sys/linux/test/vusb_lan78xx | 72 | ||||
| -rw-r--r-- | sys/linux/test/vusb_rtl8150 | 25 | ||||
| -rw-r--r-- | sys/linux/test/vusb_sierra_net | 21 |
3 files changed, 118 insertions, 0 deletions
diff --git a/sys/linux/test/vusb_lan78xx b/sys/linux/test/vusb_lan78xx
new file mode 100644
index 000000000..461ff4825
--- /dev/null
+++ b/sys/linux/test/vusb_lan78xx
@@ -0,0 +1,72 @@
+# This seed helps syzkaller to reliably pass the probe() checks for lan78xx driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# TODO: currently, probe does not succeed completely. Most likely, it stems from the fact that
+# the abundance of expected CTRL requests *during* probe is not something syzkaller can handle at the moment.
+# Timing is essential among other things. This should be mitigated by a separate syz_usb_connect pseudo-call
+# that deals with such requests without syz_usb_control_io.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$lan78xx(0x5, 0x3f, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x424, 0x7850, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, {{0x9, 0x4, 0x0, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x81, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x2, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x83, 0x3, 0x40, 0x1, 0x0, 0x0, ""}}}}}}]}}, 0x0)
+
+# This is where the fun begins.
+# Functions like lan78xx_bind() and lan78xx_phy_init() in lan78xx_probe() utilize ~50 CTRL requests, both directions, during probe.
+
+# Write to INT_EP_CTL register in lan78xx_setup_irq_domain().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000003c0)={0x34, &(0x7f0000000140)={0x20, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write to HW_CFG register in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000780)={0x34, &(0x7f0000000600)={0x40, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000f00)={0x34, &(0x7f0000000cc0)={0x40, 0x10, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write to RX_ADDRL and RX_ADDRH registers in lan78xx_init_mac_address().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001240)={0x34, &(0x7f0000001080)={0x0, 0x6, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001700)={0x34, &(0x7f0000001500)={0x20, 0x18, 0x1, ')'}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from MAF_LO(0) and MAF_HI(0) registers.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to ID_REV register, back in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002180)={0x34, &(0x7f0000000400)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write and read to/from USB_CFG0 register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000006c0)={0x34, &(0x7f0000000500)={0x0, 0x7, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to USB_CFG1 register in lan78xx_init_ltm().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002540)={0x34, &(0x7f0000002340)={0x0, 0xf, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from 6 registers (LTM_BELT_IDLE0 etc.) in a row.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Read from BURST_CAP and BULK_IN_DLY registers in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000380)={0x34, &(0x7f0000000840)={0x0, 0x0, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
diff --git a/sys/linux/test/vusb_rtl8150 b/sys/linux/test/vusb_rtl8150
new file mode 100644
index 000000000..6f8accf7c
--- /dev/null
+++ b/sys/linux/test/vusb_rtl8150
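Review bot: The direction labels in the comments do not line up with the arguments: "Write to ID_REV register, back in lan78xx_reset()" is paired with a response payload `ANY=[]`, yet ID_REV is the chip id/revision register, which lan78xx_reset() reads rather than writes as far as I recall the driver, so this looks like a device-to-driver reply whose payload is left unconstrained. The calls labelled "Read from …" pass `0x0` as the response argument, so what the driver gets back for those reads is whatever the executor does when nothing is supplied, not a value the seed chose; that is worth saying explicitly, since the register reads are what steer probe. I would correct the ID_REV comment and state the convention once in the header, e.g. `# Convention: "write to X" = driver writes register X (the device only ACKs); "read from X" = driver reads X; a 0x0 response argument leaves the returned bytes to the executor's default.` Since the header TODO admits probe does not finish, naming the last lan78xx probe step this seed is known to reach would let a later change be told apart from that known gap.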
@@ -0,0 +1,25 @@
+# This seed helps syzkaller to reliably pass the probe() checks for rtl8150 driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$rtl8150(0x3, 0x3f, &(0x7f00000003c0)={{0x12, 0x1, 0x110, 0xff, 0xff, 0x0, 0x40, 0xbda, 0x8150, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x5, 0x80, 0x0, {{0x9, 0x4, 0x0, 0x7f, 0x3, 0xff, 0x11, 0x1, 0x5, "", {{0x9, 0x5, 0x81, 0x2, 0x40, 0x6, 0x9, 0x4, ""}, {0x9, 0x5, 0x2, 0x2, 0x20, 0x2, 0x57, 0x6e, ""}, {0x9, 0x5, 0x83, 0x3, 0x240, 0x3, 0x82, 0x8, ""}}}}}}]}}, 0x0)
+
+# During probe, rtl8150_reset() requires reading/writing registers via usb_control_msg(), see:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/rtl8150.c#L316
+
+# The timing of dealing with CTRL requests is very awkward. So as not to fail dealing with registers, these calls come in.
+# They are not directly related to rtl8150 code itself yet seem to be making that the next calls below run on time.
+# TODO: figure out the circumstances fully and consider switching to sleep/nanosleep instead.
+
+syz_usb_control_io$rtl8150(r0, &(0x7f0000000580)={0x14, 0x0, &(0x7f0000000480)={0x0, 0x3, 0x3, @lang_id={0x0, 0x3, 0x0}}}, 0x0)
+syz_usb_control_io$rtl8150(r0, &(0x7f0000002980)={0x14, 0x0, &(0x7f00000028c0)={0x0, 0x3, 0x3, @lang_id={0x0, 0x3, 0x0}}}, 0x0)
+
+# Receive a request via set_registers().
+
+syz_usb_control_io$rtl8150(r0, 0x0, 0x0)
+
+# Send a request via get_registers(). Sent data should make the while{} loop in rtl8150_reset() stop early.
+
+syz_usb_control_io$rtl8150(r0, 0x0, &(0x7f0000004280)={0x2c, 0x0, 0x0, 0x0, 0x0, &(0x7f0000004240)={0x40, 0x5, 0x2, "2bd8"}})
diff --git a/sys/linux/test/vusb_sierra_net b/sys/linux/test/vusb_sierra_net
new file mode 100644
index 000000000..482f7619f
--- /dev/null
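Review bot: The final get_registers() reply is the one byte this seed actually depends on, but the comment only says the data "should make the while{} loop stop early"; a reader has to go to the linked rtl8150_reset() to learn that it polls CR until the soft-reset bit clears (my reading of that loop, worth confirming against the cited line) and that `"2bd8"` hands two bytes to a one-byte read of which only 0x2b is consumed. I would spell that out next to the call, e.g. `# rtl8150_reset() polls CR until its soft-reset bit (0x10) reads clear; 0x2b has that bit clear, so the loop exits on the first poll (second byte is ignored).` The two `@lang_id` string-descriptor replies are already flagged as timing filler by the TODO; noting the symptom seen when they are absent would stop the next person from removing them as dead code.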
+++ b/sys/linux/test/vusb_sierra_net
@@ -0,0 +1,21 @@
+# This seed helps syzkaller to reliably pass the probe() checks for sierra_net driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$sierra_net(0x0, 0x3f, &(0x7f0000000080)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x1199, 0x68a3, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, {{0x9, 0x4, 0x7, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x43978451d8f6fedb, 0x2, 0x40, 0x2, 0x1b, 0xfe, ""}, {0x9, 0x5, 0x7, 0x2, 0x200, 0xc, 0x77, 0x3, ""}, {0x9, 0x5, 0x81, 0x3, 0x20, 0x0, 0xfd, 0x32, ""}}}}}}]}}, 0x0)
+
+# To pass the probe, at the minumum one has to make the crafted device write to the driver in sierra_net_get_fw_attr(), see:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/sierra_net.c#L636
+# Technically, there are other CTRL requests, such as the ones in sierra_net_dosync() - however, they are allowed to fail, so we can ignore them.
+
+# Seemingly, this call is only here to keep the timing right.
+# TODO: fix the expected delay with sleep/nanosleep.
+
+syz_usb_control_io$sierra_net(r0, 0x0, 0x0)
+
+# Send a CTRL request to driver concerning firmware data. See:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/sierra_net.c#L743
+
+syz_usb_control_io$sierra_net(r0, &(0x7f0000000100)={0x14, &(0x7f0000000000)={0x20, 0x21, 0x8, {0x8, 0x11, "e4ff14eca81f"}}, 0x0}, 0x0) |
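Review bot: The first endpoint descriptor in the sierra_net connect call carries bEndpointAddress `0x43978451d8f6fedb`, a 64-bit literal for a one-byte field, while the other two endpoints use plain byte values `0x7` and `0x81`; that looks like fuzzer output carried over rather than a chosen address, and the seed then relies on whatever the program encoder does with an oversized value (presumably truncation to 0xdb) to obtain a bulk IN endpoint. For a hand-curated seed the intended byte should be written out, e.g. `{0x9, 0x5, 0xdb, 0x2, 0x40, 0x2, 0x1b, 0xfe, ""}` if 0xdb is indeed what is meant, so the IN bit and endpoint number are readable and the seed does not depend on encoder behaviour. Minor: `minumum` in the comment should read `minimum`.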
