| # Copyright 2018 syzkaller project authors. All rights reserved. |
| # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. |
| |
| # Proper fuzzing of floppy device requires: |
| # 1) CONFIG_BLK_DEV_FD in your kernel configuration |
| # 2) "cmdline": " -fda FLOPPY.img " in syzkaller configuration |
| |
| include <uapi/linux/fd.h> |
| |
| resource fd_floppy[fd] |
| |
| syz_open_dev$floppy(dev ptr[in, string["/dev/fd#"]], id intptr, flags flags[open_flags]) fd_floppy |
| |
| ioctl$FLOPPY_FDEJECT(fd fd_floppy, cmd const[FDEJECT]) |
| ioctl$FLOPPY_FDCLRPRM(fd fd_floppy, cmd const[FDCLRPRM]) |
| ioctl$FLOPPY_FDSETPRM(fd fd_floppy, cmd const[FDSETPRM], arg ptr[in, floppy_struct]) |
| ioctl$FLOPPY_FDDEFPRM(fd fd_floppy, cmd const[FDDEFPRM], arg ptr[in, floppy_struct]) |
| ioctl$FLOPPY_FDGETPRM(fd fd_floppy, cmd const[FDGETPRM], arg ptr[out, floppy_struct]) |
| ioctl$FLOPPY_FDMSGON(fd fd_floppy, cmd const[FDMSGON]) |
| ioctl$FLOPPY_FDMSGOFF(fd fd_floppy, cmd const[FDMSGOFF]) |
| ioctl$FLOPPY_FDFMTBEG(fd fd_floppy, cmd const[FDFMTBEG]) |
| ioctl$FLOPPY_FDFMTTRK(fd fd_floppy, cmd const[FDFMTTRK], arg ptr[in, format_descr]) |
| ioctl$FLOPPY_FDFMTEND(fd fd_floppy, cmd const[FDFMTEND]) |
| ioctl$FLOPPY_FDFLUSH(fd fd_floppy, cmd const[FDFLUSH]) |
| ioctl$FLOPPY_FDSETEMSGTRESH(fd fd_floppy, cmd const[FDSETEMSGTRESH], arg intptr[0:0xf]) |
| ioctl$FLOPPY_FDGETMAXERRS(fd fd_floppy, cmd const[FDGETMAXERRS], arg ptr[out, floppy_max_errors]) |
| ioctl$FLOPPY_FDSETMAXERRS(fd fd_floppy, cmd const[FDSETMAXERRS], arg ptr[in, floppy_max_errors]) |
| ioctl$FLOPPY_FDGETDRVTYP(fd fd_floppy, cmd const[FDGETDRVTYP], arg ptr[out, floppy_drive_name]) |
| ioctl$FLOPPY_FDSETDRVPRM(fd fd_floppy, cmd const[FDSETDRVPRM], arg ptr[in, floppy_drive_params]) |
| ioctl$FLOPPY_FDGETDRVPRM(fd fd_floppy, cmd const[FDGETDRVPRM], arg ptr[out, floppy_drive_params]) |
| ioctl$FLOPPY_FDPOLLDRVSTAT(fd fd_floppy, cmd const[FDPOLLDRVSTAT], arg ptr[out, floppy_drive_struct]) |
| ioctl$FLOPPY_FDGETDRVSTAT(fd fd_floppy, cmd const[FDGETDRVSTAT], arg ptr[out, floppy_drive_struct]) |
| ioctl$FLOPPY_FDRESET(fd fd_floppy, cmd const[FDRESET], arg flags[floppy_reset_mode]) |
| ioctl$FLOPPY_FDGETFDCSTAT(fd fd_floppy, cmd const[FDGETFDCSTAT], arg ptr[out, floppy_fdc_state]) |
| ioctl$FLOPPY_FDWERRORCLR(fd fd_floppy, cmd const[FDWERRORCLR]) |
| ioctl$FLOPPY_FDWERRORGET(fd fd_floppy, cmd const[FDWERRORGET], arg ptr[out, floppy_write_errors]) |
| ioctl$FLOPPY_FDRAWCMD(fd fd_floppy, cmd const[FDRAWCMD], arg ptr[inout, floppy_raw_cmd]) |
| ioctl$FLOPPY_FDTWADDLE(fd fd_floppy, cmd const[FDTWADDLE]) |
| |
| floppy_struct { |
| size int32 |
| sect int32 |
| head int32 |
| track int32 |
| stretch int32 |
| |
| gap int8 |
| rate int8 |
| spec1 int8 |
| fmt_gap int8 |
| |
| name ptr[inout, string] |
| } |
| |
| format_descr { |
| device int32 |
| head int32 |
| track int32 |
| } |
| |
| floppy_max_errors { |
| abort int32 |
| read_track int32 |
| reset int32 |
| recal int32 |
| reporting int32 |
| } |
| |
| type floppy_drive_name array[int8, 16] |
| |
| floppy_drive_params { |
| cmos int8 |
| max_dtr intptr |
| hlt intptr |
| hut intptr |
| srt intptr |
| spinup intptr |
| spindown intptr |
| spindown_offset int8 |
| select_delay int8 |
| rps int8 |
| tracks int8 |
| timeout intptr |
| intreleave_sect int8 |
| max_errors floppy_max_errors |
| flags flags[floppy_drive_params_flags, int8] |
| read_track int8 |
| autodetect array[int16, 8] |
| checkfreq int32 |
| native_format int32 |
| } |
| |
| floppy_drive_struct { |
| flags flags[floppy_drive_struct_flags, intptr] |
| spinup_date intptr |
| select_date intptr |
| first_read_date intptr |
| |
| probed_format int16 |
| track int16 |
| maxblock int16 |
| maxtrack int16 |
| |
| generation int32 |
| keep_data int32 |
| fd_ref int32 |
| fd_device int32 |
| |
| last_checked intptr |
| |
| dmabuf ptr[out, int8] |
| bufblocks len[dmabuf, int32] |
| } |
| |
| floppy_fdc_state { |
| spec1 int32 |
| spec2 int32 |
| dtr int32 |
| |
| version int8 |
| dor int8 |
| address intptr |
| rawcmd int32:2 |
| reset int32:1 |
| need_configure int32:1 |
| perp_mode int32:2 |
| has_fifo int32:1 |
| driver_version int32 |
| |
| track array[int8, 4] |
| } |
| |
| floppy_write_errors { |
| write_errors int32 |
| |
| first_error_sector intptr |
| first_error_generation int32 |
| last_error_sector intptr |
| lsat_error_generation int32 |
| |
| badness int32 |
| } |
| |
| floppy_raw_cmd { |
| flags flags[floppy_raw_cmd_flags, int32] |
| |
| data buffer[inout] |
| # kernel only. zerroed after copy_from_user. Maybe need to use const[0, intptr] |
| kernel_data ptr[in, int8] |
| next const[0, intptr] |
| |
| length len[data, intptr] |
| # output value |
| phys_length const[0, intptr] |
| # output value. kernel only |
| buffer_length const[0, int32] |
| |
| rate int8 |
| cmd_count int8 |
| cmd array[int8, 16] |
| # output |
| reply_count const[0, int8] |
| reply array[const[0, int8], 16] |
| track int32 |
| # output |
| resultcode const[0, int32] |
| |
| reserved1 const[0, int32] |
| reserved2 const[0, int32] |
| } |
| |
| floppy_reset_mode = FD_RESET_IF_NEEDED, FD_RESET_IF_RAWCMD, FD_RESET_ALWAYS |
| floppy_drive_struct_flags = FD_NEED_TWADDLE_BIT, FD_VERIFY_BIT, FD_DISK_NEWCHANGE_BIT, FD_UNUSED_BIT, FD_DISK_CHANGED_BIT, FD_DISK_WRITABLE_BIT, FD_OPEN_SHOULD_FAIL_BIT |
| floppy_drive_params_flags = FTD_MSG, FD_BROKEN_DCL, FD_DEBUG, FD_SILENT_DCL_CLEAR, FD_INVERTED_DCL |
| floppy_raw_cmd_flags = FD_RAW_READ, FD_RAW_WRITE, FD_RAW_NO_MOTOR, FD_RAW_DISK_CHANGE, FD_RAW_INTR, FD_RAW_SPIN, FD_RAW_NO_MOTOR_AFTER, FD_RAW_NEED_DISK, FD_RAW_NEED_SEEK, FD_RAW_MORE, FD_RAW_STOP_IF_FAILURE, FD_RAW_STOP_IF_SUCCESS, FD_RAW_SOFTFAILURE, FD_RAW_FAILURE, FD_RAW_HARDFAILURE |