# Copyright 2021 syzkaller project authors. All rights reserved. # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. # The source file of mali bifrost ioctl can be found in ChromeOS source tree: # https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-4.19/drivers/gpu/arm/bifrost/mali_kbase_ioctl.h include include include include include include resource fd_bifrost[fd] resource gpu_addr[int64]: BASEP_MEM_INVALID_HANDLE, BASEP_MEM_WRITE_ALLOC_PAGES_HANDLE resource user_addr[int64]: -1 resource fd_fence[fd] resource fd_hwcnt[fd] openat$bifrost(fd const[AT_FDCWD], file ptr[in, string["/dev/bifrost"]], flags flags[open_flags], mode const[0]) fd_bifrost # Device name on Android openat$mali(fd const[AT_FDCWD], file ptr[in, string["/dev/mali0"]], flags flags[open_flags], mode const[0]) fd_bifrost mmap$bifrost(addr const[0], len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_bifrost, offset fileoff) user_addr _ = __NR_mmap2 ioctl$KBASE_IOCTL_JOB_SUBMIT(fd fd_bifrost, cmd const[KBASE_IOCTL_JOB_SUBMIT], arg ptr[in, kbase_ioctl_job_submit]) ioctl$KBASE_IOCTL_POST_TERM(fd fd_bifrost, cmd const[KBASE_IOCTL_POST_TERM], arg const[0]) ioctl$KBASE_IOCTL_SOFT_EVENT_UPDATE(fd fd_bifrost, cmd const[KBASE_IOCTL_SOFT_EVENT_UPDATE], arg ptr[in, kbase_ioctl_soft_event_update]) ioctl$KBASE_IOCTL_VERSION_CHECK(fd fd_bifrost, cmd const[KBASE_IOCTL_VERSION_CHECK], arg ptr[inout, kbase_ioctl_version_check]) ioctl$KBASE_IOCTL_SET_FLAGS(fd fd_bifrost, cmd const[KBASE_IOCTL_SET_FLAGS], arg ptr[in, kbase_ioctl_set_flags]) ioctl$KBASE_IOCTL_GET_GPUPROPS(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_GPUPROPS], arg ptr[inout, kbase_ioctl_get_gpuprops]) ioctl$KBASE_IOCTL_MEM_ALLOC(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_ALLOC], arg ptr[inout, kbase_ioctl_mem_alloc]) ioctl$KBASE_IOCTL_MEM_QUERY(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_QUERY], arg ptr[inout, kbase_ioctl_mem_query]) ioctl$KBASE_IOCTL_MEM_FREE(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FREE], arg ptr[in, kbase_ioctl_mem_free]) ioctl$KBASE_IOCTL_HWCNT_READER_SETUP(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_READER_SETUP], arg ptr[in, kbase_ioctl_hwcnt_reader_setup]) fd_hwcnt ioctl$KBASE_IOCTL_HWCNT_ENABLE(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_ENABLE], arg ptr[in, kbase_ioctl_hwcnt_enable]) ioctl$KBASE_IOCTL_HWCNT_DUMP(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_DUMP], arg const[0]) ioctl$KBASE_IOCTL_HWCNT_CLEAR(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_CLEAR], arg const[0]) ioctl$KBASE_IOCTL_HWCNT_SET(fd fd_bifrost, cmd const[KBASE_IOCTL_HWCNT_SET], arg ptr[inout, kbase_ioctl_hwcnt_values]) ioctl$KBASE_IOCTL_DISJOINT_QUERY(fd fd_bifrost, cmd const[KBASE_IOCTL_DISJOINT_QUERY], arg ptr[out, kbase_ioctl_disjoint_query]) ioctl$KBASE_IOCTL_GET_DDK_VERSION(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_DDK_VERSION], arg ptr[inout, kbase_ioctl_get_ddk_version]) ioctl$KBASE_IOCTL_MEM_JIT_INIT_10_2(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT_10_2], arg ptr[in, kbase_ioctl_mem_jit_init_10_2]) ioctl$KBASE_IOCTL_MEM_JIT_INIT_11_5(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT_11_5], arg ptr[in, kbase_ioctl_mem_jit_init_11_5]) ioctl$KBASE_IOCTL_MEM_JIT_INIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_JIT_INIT], arg ptr[in, kbase_ioctl_mem_jit_init]) ioctl$KBASE_IOCTL_MEM_SYNC(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_SYNC], arg ptr[in, kbase_ioctl_mem_sync]) ioctl$KBASE_IOCTL_MEM_FIND_CPU_OFFSET(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FIND_CPU_OFFSET], arg ptr[inout, kbase_ioctl_mem_find_cpu_offset]) ioctl$KBASE_IOCTL_GET_CONTEXT_ID(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_CONTEXT_ID], arg ptr[out, kbase_ioctl_get_context_id]) ioctl$KBASE_IOCTL_TLSTREAM_ACQUIRE(fd fd_bifrost, cmd const[KBASE_IOCTL_TLSTREAM_ACQUIRE], arg ptr[in, kbase_ioctl_tlstream_acquire]) ioctl$KBASE_IOCTL_TLSTREAM_FLUSH(fd fd_bifrost, cmd const[KBASE_IOCTL_TLSTREAM_FLUSH], arg const[0]) ioctl$KBASE_IOCTL_MEM_COMMIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_COMMIT], arg ptr[in, kbase_ioctl_mem_commit]) ioctl$KBASE_IOCTL_MEM_ALIAS(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_ALIAS], arg ptr[inout, kbase_ioctl_mem_alias]) ioctl$KBASE_IOCTL_MEM_IMPORT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_IMPORT], arg ptr[inout, kbase_ioctl_mem_import]) ioctl$KBASE_IOCTL_MEM_FLAGS_CHANGE(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FLAGS_CHANGE], arg ptr[in, kbase_ioctl_mem_flags_change]) ioctl$KBASE_IOCTL_STREAM_CREATE(fd fd_bifrost, cmd const[KBASE_IOCTL_STREAM_CREATE], arg ptr[in, kbase_ioctl_stream_create]) fd_fence ioctl$KBASE_IOCTL_FENCE_VALIDATE(fd fd_bifrost, cmd const[KBASE_IOCTL_FENCE_VALIDATE], arg ptr[in, kbase_ioctl_fence_validate]) ioctl$KBASE_IOCTL_MEM_PROFILE_ADD(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_PROFILE_ADD], arg ptr[in, kbase_ioctl_mem_profile_add]) ioctl$KBASE_IOCTL_STICKY_RESOURCE_MAP(fd fd_bifrost, cmd const[KBASE_IOCTL_STICKY_RESOURCE_MAP], arg ptr[in, kbase_ioctl_sticky_resource_map]) ioctl$KBASE_IOCTL_STICKY_RESOURCE_UNMAP(fd fd_bifrost, cmd const[KBASE_IOCTL_STICKY_RESOURCE_UNMAP], arg ptr[in, kbase_ioctl_sticky_resource_unmap]) ioctl$KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET], arg ptr[inout, kbase_ioctl_mem_find_gpu_start_and_offset]) ioctl$KBASE_IOCTL_MEM_EXEC_INIT(fd fd_bifrost, cmd const[KBASE_IOCTL_MEM_EXEC_INIT], arg ptr[in, kbase_ioctl_mem_exec_init]) ioctl$KBASE_IOCTL_GET_CPU_GPU_TIMEINFO(fd fd_bifrost, cmd const[KBASE_IOCTL_GET_CPU_GPU_TIMEINFO], arg ptr[inout, kbase_ioctl_get_cpu_gpu_timeinfo]) ioctl$KBASE_HWCNT_READER_GET_HWVER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_HWVER], arg const[0]) ioctl$KBASE_HWCNT_READER_GET_BUFFER_SIZE(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_BUFFER_SIZE], arg const[0]) ioctl$KBASE_HWCNT_READER_DUMP(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_DUMP], arg const[0]) ioctl$KBASE_HWCNT_READER_CLEAR(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_CLEAR], arg const[0]) ioctl$KBASE_HWCNT_READER_GET_BUFFER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_BUFFER], arg ptr[out, kbase_hwcnt_reader_metadata]) ioctl$KBASE_HWCNT_READER_PUT_BUFFER(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_PUT_BUFFER], arg ptr[in, kbase_hwcnt_reader_metadata]) ioctl$KBASE_HWCNT_READER_SET_INTERVAL(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_SET_INTERVAL], arg intptr) ioctl$KBASE_HWCNT_READER_ENABLE_EVENT(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_ENABLE_EVENT], arg const[0]) ioctl$KBASE_HWCNT_READER_DISABLE_EVENT(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_DISABLE_EVENT], arg const[0]) ioctl$KBASE_HWCNT_READER_GET_API_VERSION(fd fd_hwcnt, cmd const[KBASE_HWCNT_READER_GET_API_VERSION], arg const[0]) type base_atom_id int8 base_jd_atom_v2 { jc int64 udata base_jd_udata extres_list int64 nr_extres int16 compat_core_req int16 pre_dep array[base_dependency, 2] atom_number base_atom_id prio flags[base_jd_prio, int8] device_nr int8 jobslot int8 core_req flags[base_jd_core_req, int32] renderpass_id int8 padding array[const[0, int8], 7] } base_dependency { atom_id base_atom_id dependency_type flags[base_jd_dep_type, int8] } base_jd_udata { blob array[int64, 2] } kbase_ioctl_job_submit { addr ptr64[out, array[base_jd_atom_v2]] nr_atoms len[addr, int32] # sizeof(base_jd_atom_v2) stride const[56, int32] } kbase_ioctl_soft_event_update { event gpu_addr new_status int32 flags const[0, int32] } kbase_ioctl_version_check { major int16 minor int16 } kbase_ioctl_set_flags { create_flags flags[basep_context_create_kernel_flags, int32] } kbase_ioctl_get_gpuprops { buffer ptr64[out, array[int8]] size len[buffer, int32] flags const[0, int32] } kbase_ioctl_mem_alloc { va_pages int64 commit_pages int64 extent int64 flags flags[base_mem_alloc_flags, int64] out_flags int64 (out_overlay) gpu_va gpu_addr } kbase_ioctl_mem_query { gpu_addr gpu_addr query flags[kbase_ioctl_mem_query_flags, int64] value int64 (out_overlay) } kbase_ioctl_mem_free { gpu_addr gpu_addr } kbase_ioctl_hwcnt_reader_setup { buffer_count int32 jm_bm int32 shader_bm int32 tiler_bm int32 mmu_l2_bm int32 } kbase_ioctl_hwcnt_enable { dump_buffer gpu_addr jm_bm int32 shader_bm int32 tiler_bm int32 mmu_l2_bm int32 } kbase_ioctl_hwcnt_values { data ptr64[out, array[int8]] size len[data, int32] padding const[0, int32] } kbase_ioctl_disjoint_query { counter int32 } kbase_ioctl_get_ddk_version { version_buffer ptr64[out, array[int8]] size len[version_buffer, int32] padding const[0, int32] } kbase_ioctl_mem_jit_init_10_2 { va_pages int64 } kbase_ioctl_mem_jit_init_11_5 { va_pages int64 max_allocations int8 trim_level int8 group_id int8 padding array[const[0, int8], 5] } kbase_ioctl_mem_jit_init { va_pages int64 max_allocations int8 trim_level int8 group_id int8 padding array[const[0, int8], 5] phys_pages int64 } kbase_ioctl_mem_sync { handle gpu_addr user_addr user_addr size int64 type flags[base_syncset_op_flags, int8] padding array[const[0, int8], 7] } kbase_ioctl_mem_find_cpu_offset { gpu_addr gpu_addr cpu_addr user_addr size int64 offset int64 (out_overlay) } kbase_ioctl_get_context_id { id int32 } kbase_ioctl_tlstream_acquire { flags int32 } kbase_ioctl_mem_commit { gpu_addr gpu_addr pages int64 } kbase_ioctl_mem_alias { flags flags[base_mem_alloc_flags, int64] stride int64 nents len[aliasing_info, int64] aliasing_info ptr64[in, array[base_mem_aliasing_info]] out_flags int64 (out_overlay) gpu_va gpu_addr va_pages int64 } base_mem_aliasing_info { handle gpu_addr offset int64 length int64 } kbase_ioctl_mem_import { flags flags[base_mem_alloc_flags, int64] phandle int64 type flags[base_mem_import_type, int32] padding const[0, int32] out_flags int64 (out_overlay) gpu_va gpu_addr va_pages int64 } kbase_ioctl_mem_flags_change { gpu_va gpu_addr flags flags[base_mem_alloc_flags, int64] mask int64 } kbase_ioctl_stream_create { name array[int8, 32] } kbase_ioctl_fence_validate { fd fd_fence } kbase_ioctl_mem_profile_add { buffer ptr64[in, array[int8]] len len[buffer, int32] padding const[0, int32] } kbase_ioctl_sticky_resource_map { count len[address, int64] address ptr64[in, array[int64]] } kbase_ioctl_sticky_resource_unmap { count len[address, int64] address ptr64[in, array[int64]] } kbase_ioctl_mem_find_gpu_start_and_offset { gpu_addr gpu_addr size int64 start gpu_addr (out_overlay) offset int64 } kbase_ioctl_mem_exec_init { va_pages int64 } kbase_ioctl_get_cpu_gpu_timeinfo { request_flags flags[base_timerequest_allowed_flags, int32] paddings array[const[0, int8], 7] sec int64 (out_overlay) nsec int32 padding int32 timestamp int64 cycle_counter int64 } kbase_hwcnt_reader_metadata { timestamp int64 event_id int32 buffer_idx int32 } base_jd_dep_type = BASE_JD_DEP_TYPE_INVALID, BASE_JD_DEP_TYPE_DATA, BASE_JD_DEP_TYPE_ORDER base_jd_prio = BASE_JD_PRIO_MEDIUM, BASE_JD_PRIO_HIGH, BASE_JD_PRIO_LOW base_jd_core_req = BASE_JD_REQ_DEP, BASE_JD_REQ_FS, BASE_JD_REQ_CS, BASE_JD_REQ_T, BASE_JD_REQ_CF, BASE_JD_REQ_V, BASE_JD_REQ_FS_AFBC, BASE_JD_REQ_EVENT_COALESCE, BASE_JD_REQ_COHERENT_GROUP, BASE_JD_REQ_PERMON, BASE_JD_REQ_EXTERNAL_RESOURCES, BASE_JD_REQ_SOFT_JOB, BASE_JD_REQ_ONLY_COMPUTE, BASE_JD_REQ_SPECIFIC_COHERENT_GROUP, BASE_JD_REQ_EVENT_ONLY_ON_FAILURE, BASE_JD_REQ_SKIP_CACHE_START, BASE_JD_REQ_SKIP_CACHE_END, BASE_JD_REQ_JOB_SLOT, BASE_JD_REQ_START_RENDERPASS, BASE_JD_REQ_END_RENDERPASS kbase_ioctl_mem_query_flags = KBASE_MEM_QUERY_COMMIT_SIZE, KBASE_MEM_QUERY_VA_SIZE, KBASE_MEM_QUERY_FLAGS base_syncset_op_flags = BASE_SYNCSET_OP_MSYNC, BASE_SYNCSET_OP_CSYNC # 0x400000-0x2000000 are individual bits of BASE_MEM_GROUP_ID_MASK base_mem_alloc_flags = BASE_MEM_PROT_CPU_RD, BASE_MEM_PROT_CPU_WR, BASE_MEM_PROT_GPU_RD, BASE_MEM_PROT_GPU_WR, BASE_MEM_PROT_GPU_EX, BASEP_MEM_PERMANENT_KERNEL_MAPPING, BASE_MEM_GPU_VA_SAME_4GB_PAGE, BASEP_MEM_NO_USER_FREE, BASE_MEM_RESERVED_BIT_8, BASE_MEM_GROW_ON_GPF, BASE_MEM_COHERENT_SYSTEM, BASE_MEM_COHERENT_LOCAL, BASE_MEM_CACHED_CPU, BASE_MEM_SAME_VA, BASE_MEM_NEED_MMAP, BASE_MEM_COHERENT_SYSTEM_REQUIRED, BASE_MEM_PROTECTED, BASE_MEM_DONT_NEED, BASE_MEM_IMPORT_SHARED, BASE_MEM_RESERVED_BIT_19, BASE_MEM_TILER_ALIGN_TOP_EXTENT_MAX_PAGES, BASE_MEM_TILER_ALIGN_TOP, BASE_MEM_UNCACHED_GPU, 0x400000, 0x800000, 0x1000000, 0x2000000, BASE_MEM_IMPORT_SYNC_ON_MAP_UNMAP, BASE_MEM_FLAG_MAP_FIXED base_mem_import_type = BASE_MEM_IMPORT_TYPE_INVALID, BASE_MEM_IMPORT_TYPE_UMM, BASE_MEM_IMPORT_TYPE_USER_BUFFER # 0x08-0x20 are individual bits of BASEP_CONTEXT_MMU_GROUP_ID_MASK basep_context_create_kernel_flags = BASE_CONTEXT_SYSTEM_MONITOR_SUBMIT_DISABLED, 0x8, 0x10, 0x20, 0x40 base_timerequest_allowed_flags = BASE_TIMEINFO_MONOTONIC_FLAG, BASE_TIMEINFO_TIMESTAMP_FLAG, BASE_TIMEINFO_CYCLE_COUNTER_FLAG, BASE_TIMEINFO_KERNEL_SOURCE_FLAG, BASE_TIMEINFO_USER_SOURCE_FLAG