From 0c245ee318d7cb7257960c447754cfcbb3eec4f6 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Thu, 26 Sep 2024 15:32:16 +0200
Subject: sys/linux: use GICD/GICR register offsets in SYZOS_API_MEMWRITE

In addition to random offsets passed to SYZOS_API_MEMWRITE, use VGICv3 distributor/redistributor base and offsets of the corresponding registers.
---
 sys/linux/dev_kvm.txt | 93 +++++++++++++++++++++-
 sys/linux/dev_kvm.txt.const | 62 +++++++++++++++
 .../test/arm64-syz_kvm_setup_syzos_vm-memwrite | 2 +-
 sys/linux/test/syz_kvm_setup_cpu_arm64-memwrite | 2 +-
 4 files changed, 156 insertions(+), 3 deletions(-)
 (limited to 'sys')

diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
index bbf7a673b..ea294686d 100644
--- a/sys/linux/dev_kvm.txt
+++ b/sys/linux/dev_kvm.txt
@@ -356,13 +356,104 @@ syzos_api_irq_setup {
 syzos_memwrite_len = 1, 2, 4, 8
-syzos_api_memwrite {
+syzos_api_memwrite [
+	generic	syzos_api_memwrite_generic
+	vgic_gicd	syzos_api_memwrite_vgic_gicd
+	vgic_gicr	syzos_api_memwrite_vgic_gicr
+]
+
+syzos_api_memwrite_generic {
 	base	flags[kvm_guest_addrs, int64]
 	offset	int64[0:4096]
 	value	int64
 	len	flags[syzos_memwrite_len, int64]
 }
+
+# Definitions from include/linux/irqchip/arm-gic-v3.h
+define GICD_CTLR 0x0000
+define GICD_TYPER 0x0004
+define GICD_IIDR 0x0008
+define GICD_TYPER2 0x000C
+define GICD_STATUSR 0x0010
+define GICD_SETSPI_NSR 0x0040
+define GICD_CLRSPI_NSR 0x0048
+define GICD_SETSPI_SR 0x0050
+define GICD_CLRSPI_SR 0x0058
+define GICD_IGROUPR 0x0080
+define GICD_ISENABLER 0x0100
+define GICD_ICENABLER 0x0180
+define GICD_ISPENDR 0x0200
+define GICD_ICPENDR 0x0280
+define GICD_ISACTIVER 0x0300
+define GICD_ICACTIVER 0x0380
+define GICD_IPRIORITYR 0x0400
+define GICD_ICFGR 0x0C00
+define GICD_IGRPMODR 0x0D00
+define GICD_NSACR 0x0E00
+define GICD_IGROUPRnE 0x1000
+define GICD_ISENABLERnE 0x1200
+define GICD_ICENABLERnE 0x1400
+define GICD_ISPENDRnE 0x1600
+define GICD_ICPENDRnE 0x1800
+define GICD_ISACTIVERnE 0x1A00
+define GICD_ICACTIVERnE 0x1C00
+define GICD_IPRIORITYRnE 0x2000
+define GICD_ICFGRnE 0x3000
+define GICD_IROUTER 0x6000
+define GICD_IROUTERnE 0x8000
+define GICD_IDREGS 0xFFD0
+define GICD_PIDR2 0xFFE8
+define GICD_ITARGETSR 0x0800
+define GICD_SGIR 0x0F00
+define GICD_CPENDSGIR 0x0F10
+define GICD_SPENDSGIR 0x0F20
+
+kvm_vgic_gicd_regs = GICD_CTLR, GICD_TYPER, GICD_IIDR, GICD_TYPER2, GICD_STATUSR, GICD_SETSPI_NSR, GICD_CLRSPI_NSR, GICD_SETSPI_SR, GICD_CLRSPI_SR, GICD_IGROUPR, GICD_ISENABLER, GICD_ICENABLER, GICD_ISPENDR, GICD_ICPENDR, GICD_ISACTIVER, GICD_ICACTIVER, GICD_IPRIORITYR, GICD_ICFGR, GICD_IGRPMODR, GICD_NSACR, GICD_IGROUPRnE, GICD_ISENABLERnE, GICD_ICENABLERnE, GICD_ISPENDRnE, GICD_ICPENDRnE, GICD_ISACTIVERnE, GICD_ICACTIVERnE, GICD_IPRIORITYRnE, GICD_ICFGRnE, GICD_IROUTER, GICD_IROUTERnE, GICD_IDREGS, GICD_PIDR2, GICD_ITARGETSR, GICD_SGIR, GICD_CPENDSGIR, GICD_SPENDSGIR
+
+# 0x08000000 is ARM64_ADDR_GICD_BASE from executor/kvm.h
+syzos_api_memwrite_vgic_gicd {
+	base	const[0x8000000, int64]
+	offset	flags[kvm_vgic_gicd_regs, int64]
+	value	int64
+	len	flags[syzos_memwrite_len, int64]
+}
+
+define GICR_CTLR GICD_CTLR
+define GICR_IIDR 0x0004
+define GICR_TYPER 0x0008
+define GICR_STATUSR GICD_STATUSR
+define GICR_WAKER 0x0014
+define GICR_SETLPIR 0x0040
+define GICR_CLRLPIR 0x0048
+define GICR_PROPBASER 0x0070
+define GICR_PENDBASER 0x0078
+define GICR_INVLPIR 0x00A0
+define GICR_INVALLR 0x00B0
+define GICR_SYNCR 0x00C0
+define GICR_IDREGS GICD_IDREGS
+define GICR_PIDR2 GICD_PIDR2
+define GICR_IGROUPR0 GICD_IGROUPR
+define GICR_ISENABLER0 GICD_ISENABLER
+define GICR_ICENABLER0 GICD_ICENABLER
+define GICR_ISPENDR0 GICD_ISPENDR
+define GICR_ICPENDR0 GICD_ICPENDR
+define GICR_ISACTIVER0 GICD_ISACTIVER
+define GICR_ICACTIVER0 GICD_ICACTIVER
+define GICR_IPRIORITYR0 GICD_IPRIORITYR
+define GICR_ICFGR0 GICD_ICFGR
+define GICR_IGRPMODR0 GICD_IGRPMODR
+define GICR_NSACR GICD_NSACR
+
+kvm_vgic_gicr_regs = GICR_CTLR, GICR_IIDR, GICR_TYPER, GICR_STATUSR, GICR_WAKER, GICR_SETLPIR, GICR_CLRLPIR, GICR_PROPBASER, GICR_PENDBASER, GICR_INVLPIR, GICR_INVALLR, GICR_SYNCR, GICR_IDREGS, GICR_PIDR2, GICR_IGROUPR0, GICR_ISENABLER0, GICR_ICENABLER0, GICR_ISPENDR0, GICR_ICPENDR0, GICR_ISACTIVER0, GICR_ICACTIVER0, GICR_IPRIORITYR0, GICR_ICFGR0, GICR_IGRPMODR0, GICR_NSACR
+
+# 0x080a0000 is ARM64_ADDR_GICR_BASE from executor/kvm.h, 0x20000 is redistributor size. We assume the maximum number of VCPUs is 4.
+syzos_api_memwrite_vgic_gicr {
+	base	int64[0x80a0000:0x8100000, 0x20000]
+	offset	flags[kvm_vgic_gicr_regs, int64]
+	value	int64
+	len	flags[syzos_memwrite_len, int64]
+}
+
 type syzos_api[NUM, PAYLOAD] {
 	call	const[NUM, int64]
 	size	bytesize[parent, int64]
diff --git a/sys/linux/dev_kvm.txt.const b/sys/linux/dev_kvm.txt.const
index 1f4b504e1..92fa15fe2 100644
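Review bot: The `kvm_vgic_gicr_regs` flag set mixes two register groups that do not live in the same 64KiB frame, so `syzos_api_memwrite_vgic_gicr` mis-addresses roughly half of them. In the kernel header the `define`s are copied from, GICR_CTLR through GICR_PIDR2 are offsets from RD_base, but GICR_IGROUPR0 through GICR_NSACR are, as far as I recall, offsets from SGI_base, which GICv3 places one 64KiB frame above RD_base (RD_base + 0x10000); with `base` stepping only through RD_base values, a write to GICR_ISENABLER0 lands at RD_base + 0x100, inside the reserved part of the RD frame, and never reaches the SGI/PPI emulation it is meant to exercise. I would keep the `define`s verbatim (they match the header and the generated .const values) and instead split the flag set into an RD_base group and an SGI_base group with its own union variant whose base is shifted by 0x10000, adding `vgic_gicr_sgi	syzos_api_memwrite_vgic_gicr_sgi` to the `syzos_api_memwrite` union. The hunk ends inside `type syzos_api[NUM, PAYLOAD] {`, which continues past it.
```syzlang
# Offsets from RD_base (first 64KiB frame of each redistributor).
kvm_vgic_gicr_regs = GICR_CTLR, GICR_IIDR, GICR_TYPER, GICR_STATUSR, GICR_WAKER, GICR_SETLPIR, GICR_CLRLPIR, GICR_PROPBASER, GICR_PENDBASER, GICR_INVLPIR, GICR_INVALLR, GICR_SYNCR, GICR_IDREGS, GICR_PIDR2
# Offsets from SGI_base (second 64KiB frame, RD_base + 0x10000).
kvm_vgic_gicr_sgi_regs = GICR_IGROUPR0, GICR_ISENABLER0, GICR_ICENABLER0, GICR_ISPENDR0, GICR_ICPENDR0, GICR_ISACTIVER0, GICR_ICACTIVER0, GICR_IPRIORITYR0, GICR_ICFGR0, GICR_IGRPMODR0, GICR_NSACR

# … unchanged: syzos_api_memwrite_vgic_gicr (RD_base frames) …

# SGI_base frames of the same four redistributors covered by syzos_api_memwrite_vgic_gicr.
syzos_api_memwrite_vgic_gicr_sgi {
	base	int64[0x80b0000:0x8110000, 0x20000]
	offset	flags[kvm_vgic_gicr_sgi_regs, int64]
	value	int64
	len	flags[syzos_memwrite_len, int64]
}
```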
--- a/sys/linux/dev_kvm.txt.const
+++ b/sys/linux/dev_kvm.txt.const
@@ -17,6 +17,68 @@ ARM_SMCCC_VENDOR_HYP_KVM_FEATURES_FUNC_ID = 386:amd64:mips64le:ppc64le:s390x:???
 ARM_SMCCC_VENDOR_HYP_KVM_PTP_FUNC_ID = 386:amd64:mips64le:ppc64le:s390x:???, arm64:2248146945
 ARM_SMCCC_VERSION_FUNC_ID = 386:amd64:mips64le:ppc64le:s390x:???, arm64:2147483648
 AT_FDCWD = 18446744073709551516
+GICD_CLRSPI_NSR = 72
+GICD_CLRSPI_SR = 88
+GICD_CPENDSGIR = 3856
+GICD_CTLR = 0
+GICD_ICACTIVER = 896
+GICD_ICACTIVERnE = 7168
+GICD_ICENABLER = 384
+GICD_ICENABLERnE = 5120
+GICD_ICFGR = 3072
+GICD_ICFGRnE = 12288
+GICD_ICPENDR = 640
+GICD_ICPENDRnE = 6144
+GICD_IDREGS = 65488
+GICD_IGROUPR = 128
+GICD_IGROUPRnE = 4096
+GICD_IGRPMODR = 3328
+GICD_IIDR = 8
+GICD_IPRIORITYR = 1024
+GICD_IPRIORITYRnE = 8192
+GICD_IROUTER = 24576
+GICD_IROUTERnE = 32768
+GICD_ISACTIVER = 768
+GICD_ISACTIVERnE = 6656
+GICD_ISENABLER = 256
+GICD_ISENABLERnE = 4608
+GICD_ISPENDR = 512
+GICD_ISPENDRnE = 5632
+GICD_ITARGETSR = 2048
+GICD_NSACR = 3584
+GICD_PIDR2 = 65512
+GICD_SETSPI_NSR = 64
+GICD_SETSPI_SR = 80
+GICD_SGIR = 3840
+GICD_SPENDSGIR = 3872
+GICD_STATUSR = 16
+GICD_TYPER = 4
+GICD_TYPER2 = 12
+GICR_CLRLPIR = 72
+GICR_CTLR = 0
+GICR_ICACTIVER0 = 896
+GICR_ICENABLER0 = 384
+GICR_ICFGR0 = 3072
+GICR_ICPENDR0 = 640
+GICR_IDREGS = 65488
+GICR_IGROUPR0 = 128
+GICR_IGRPMODR0 = 3328
+GICR_IIDR = 4
+GICR_INVALLR = 176
+GICR_INVLPIR = 160
+GICR_IPRIORITYR0 = 1024
+GICR_ISACTIVER0 = 768
+GICR_ISENABLER0 = 256
+GICR_ISPENDR0 = 512
+GICR_NSACR = 3584
+GICR_PENDBASER = 120
+GICR_PIDR2 = 65512
+GICR_PROPBASER = 112
+GICR_SETLPIR = 64
+GICR_STATUSR = 16
+GICR_SYNCR = 192
+GICR_TYPER = 8
+GICR_WAKER = 20
 KVM_ARM_PREFERRED_TARGET = 386:amd64:mips64le:ppc64le:s390x:???, arm64:2149625519
 KVM_ARM_SET_COUNTER_OFFSET = 386:amd64:mips64le:ppc64le:s390x:???, arm64:1074835125
 KVM_ARM_SET_DEVICE_ADDR = 1074835115, mips64le:ppc64le:2148576939
diff --git a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
index 0aaf2a6eb..69f0b176f 100644
--- a/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
+++ b/sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite
@@ -6,7 +6,7 @@ r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
 r2 = syz_kvm_setup_syzos_vm(r1)
 # Emulate a uexit with the memwrite API command: write 0 at address ARM64_ADDR_UEXIT.
 #
-r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@memwrite={AUTO, AUTO, {0xdddd0000, 0x100, 0x0, 0x8}}], AUTO}, 0x0, 0x0)
+r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@memwrite={AUTO, AUTO, @generic={0xdddd0000, 0x100, 0x0, 0x8}}], AUTO}, 0x0, 0x0)
 r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
 r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
diff --git a/sys/linux/test/syz_kvm_setup_cpu_arm64-memwrite b/sys/linux/test/syz_kvm_setup_cpu_arm64-memwrite
index 00b866dd2..99d38dc69 100644
--- a/sys/linux/test/syz_kvm_setup_cpu_arm64-memwrite
+++ b/sys/linux/test/syz_kvm_setup_cpu_arm64-memwrite
@@ -8,7 +8,7 @@ r3 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
 r4 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r3, 0x3, 0x1, r2, 0x0)
 # Emulate a uexit with the memwrite API command: write 0 at address ARM64_ADDR_UEXIT.
 #
-syz_kvm_setup_cpu$arm64(r1, r2, &(0x7f0000e8a000/0x18000), &AUTO=[{0x0, &AUTO=[@memwrite={AUTO, AUTO, {0xdddd0000, 0x100, 0x0, 0x8}}], AUTO}], 0x1, 0x0, 0x0, 0x0)
+syz_kvm_setup_cpu$arm64(r1, r2, &(0x7f0000e8a000/0x18000), &AUTO=[{0x0, &AUTO=[@memwrite={AUTO, AUTO, @generic={0xdddd0000, 0x100, 0x0, 0x8}}], AUTO}], 0x1, 0x0, 0x0, 0x0)
 # Run till uexit.
 #
 ioctl$KVM_RUN(r2, AUTO, 0x0)
--
cgit mrf-deployment