From c5e085d96d1cdc855365b7fd9c1825b886f266f6 Mon Sep 17 00:00:00 2001 From: Ricardo CaƱuelo Date: Mon, 8 Jun 2020 12:57:25 +0200 Subject: sys/linux: specific descriptions for vim2m (v4l2) Add a set of descriptions to focus the fuzzing process on the V4L2 vim2m test driver. This should be useful to test the M2M framework. The syscalls are based on a specific file descriptor for the vim2m device and a selection of v4l2 ioctls that operate on it. Some of the existing v4l2 data structure definitions have been extended to allow restricting and selecting some options in order to narrow down the fuzzing process. Initial support for Request API added.
---
sys/linux/dev_video4linux_vim2m.txt | 58 +++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 sys/linux/dev_video4linux_vim2m.txt
(limited to 'sys/linux/dev_video4linux_vim2m.txt')
diff --git a/sys/linux/dev_video4linux_vim2m.txt b/sys/linux/dev_video4linux_vim2m.txt
new file mode 100644
index 000000000..d0eb6fd43
--- /dev/null
+++ b/sys/linux/dev_video4linux_vim2m.txt
@@ -0,0 +1,58 @@
+# Copyright 2020 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+# V4L2 specific support for the vim2m driver.
+#
+# These descriptions narrow the search space to focus on the M2M
+# framework code. The vim2m driver should be built into the kernel
+# (CONFIG_VIDEO_VI2M2=y)
+
+include
+include
+include
+include
+include
+include
+include
+include
+include
+include
+
+resource fd_vim2m[fd]
+
+# syz_open_dev will use devices from /dev/video0 to /dev/video10
+# openat$vim2m assumes a symlink (/dev/vim2m) to the appropriate vim2m device
+# This can be set with a udev rule such as this:
+#
+# ATTR{name}=="vim2m", SYMLINK+="vim2m"
+
+syz_open_dev$vim2m(dev ptr[in, string["/dev/video#"]], id intptr, flags const[O_RDWR]) fd_vim2m
+openat$vim2m(fd const[AT_FDCWD], file ptr[in, string["/dev/vim2m"]], flags const[O_RDWR], mode const[0]) fd_vim2m
+
+# Specialized ioctls for vim2m
+
+ioctl$vim2m_VIDIOC_QUERYCAP(fd fd_vim2m, cmd const[VIDIOC_QUERYCAP], arg ptr[out, v4l2_capability])
+ioctl$vim2m_VIDIOC_ENUM_FMT(fd fd_vim2m, cmd const[VIDIOC_ENUM_FMT], arg ptr[inout, v4l2_fmtdesc[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_ENUM_FRAMESIZES(fd fd_vim2m, cmd const[VIDIOC_ENUM_FRAMESIZES], arg ptr[inout, v4l2_frmsizeenum])
+ioctl$vim2m_VIDIOC_G_FMT(fd fd_vim2m, cmd const[VIDIOC_G_FMT], arg ptr[inout, v4l2_format[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_TRY_FMT(fd fd_vim2m, cmd const[VIDIOC_TRY_FMT], arg ptr[inout, v4l2_format[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_S_FMT(fd fd_vim2m, cmd const[VIDIOC_S_FMT], arg ptr[inout, v4l2_format[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_REQBUFS(fd fd_vim2m, cmd const[VIDIOC_REQBUFS], arg ptr[inout, v4l2_requestbuffers[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_QUERYBUF(fd fd_vim2m, cmd const[VIDIOC_QUERYBUF], arg ptr[inout, v4l2_buffer[v4l2_buf_type_vim2m, fd_request]])
+ioctl$vim2m_VIDIOC_QBUF(fd fd_vim2m, cmd const[VIDIOC_QBUF], arg ptr[inout, v4l2_buffer[v4l2_buf_type_vim2m, fd_request]])
+ioctl$vim2m_VIDIOC_DQBUF(fd fd_vim2m, cmd const[VIDIOC_DQBUF], arg ptr[inout, v4l2_buffer[v4l2_buf_type_vim2m, fd_request]])
+ioctl$vim2m_VIDIOC_PREPARE_BUF(fd fd_vim2m, cmd const[VIDIOC_PREPARE_BUF], arg ptr[inout, v4l2_buffer[v4l2_buf_type_vim2m, fd_request]])
+ioctl$vim2m_VIDIOC_CREATE_BUFS(fd fd_vim2m, cmd const[VIDIOC_CREATE_BUFS], arg ptr[inout, v4l2_create_buffers[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_EXPBUF(fd fd_vim2m, cmd const[VIDIOC_EXPBUF], arg ptr[inout, v4l2_exportbuffer[v4l2_buf_type_vim2m]])
+ioctl$vim2m_VIDIOC_S_CTRL(fd fd_vim2m, cmd const[VIDIOC_S_CTRL], arg ptr[inout, v4l2_control])
+ioctl$vim2m_VIDIOC_STREAMON(fd fd_vim2m, cmd const[VIDIOC_STREAMON], arg ptr[in, vim2m_qtype])
+ioctl$vim2m_VIDIOC_STREAMOFF(fd fd_vim2m, cmd const[VIDIOC_STREAMON], arg ptr[in, vim2m_qtype])
+
+# Limit buffer types to OUTPUT and CAPTURE
+
+vim2m_qtype [
+ output const[V4L2_BUF_TYPE_VIDEO_OUTPUT, int32]
+ capture const[V4L2_BUF_TYPE_VIDEO_CAPTURE, int32]
+]
+
+v4l2_buf_type_vim2m = V4L2_BUF_TYPE_VIDEO_CAPTURE, V4L2_BUF_TYPE_VIDEO_OUTPUT
-- cgit mrf-deployment
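Review bot: `ioctl$vim2m_VIDIOC_STREAMOFF` is declared with `cmd const[VIDIOC_STREAMON]`, so the call named STREAMOFF just issues a second STREAMON and this description set never emits a stream-off on `fd_vim2m`; the line should use `cmd const[VIDIOC_STREAMOFF]`. As written, the queue-teardown path of the M2M framework is presumably reached only via close() or the generic v4l2 descriptions, which undercuts the focused coverage this file is meant to give. The header comment also names `CONFIG_VIDEO_VI2M2=y`, which looks like a typo for `CONFIG_VIDEO_VIM2M=y`; a fuzzing kernel configured from the comment as written would not have the driver built in.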