Uexit asserts

executor/common_kvm_arm64.h

@@ -361,3 +361,22 @@ static long syz_kvm_vgic_v3_setup(volatile long a0, volatile long a1, volatile l
 	return vgic_fd;
 }
 #endif
+
+#if SYZ_EXECUTOR || __NR_syz_kvm_assert_syzos_uexit
+static long syz_kvm_assert_syzos_uexit(volatile long a0, volatile long a1)
+{
+	struct kvm_run* run = (struct kvm_run*)a0;
+	uint64 expect = a1;
+
+	if (!run || (run->exit_reason != KVM_EXIT_MMIO) || (run->mmio.phys_addr != ARM64_ADDR_UEXIT)) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if ((((uint64*)(run->mmio.data))[0]) != expect) {
+		errno = EDOM;
+		return -1;
+	}
+	return 0;
+}
+#endif

executor/common_linux.h

@@ -3186,7 +3186,7 @@ static long syz_mount_image(
 }
 #endif
 
-#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu
+#if SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu || __NR_syz_kvm_vgic_v3_setup || __NR_syz_kvm_setup_syzos_vm || __NR_syz_kvm_add_vcpu || __NR_syz_kvm_assert_syzos_uexit
 // KVM is not yet supported on RISC-V
 #if !GOARCH_riscv64 && !GOARCH_arm
 #include <errno.h>

pkg/runtest/run.go

@@ -563,10 +563,19 @@ func checkCallResult(req *runRequest, isC bool, run, call int, info *flatrpc.Pro
 		if len(inf.Signal) < 2 && !calls[callName] && len(info.Extra.Signal) == 0 {
 			return fmt.Errorf("run %v: call %v: no signal", run, call)
 		}
-		// syz_btf_id_by_name is a pseudo-syscall that might not provide
-		// any coverage when invoked.
-		if len(inf.Cover) == 0 && callName != "syz_btf_id_by_name" {
-			return fmt.Errorf("run %v: call %v: no cover", run, call)
+		// Pseudo-syscalls that might not provide any coverage when invoked.
+		noCovSyscalls := []string{"syz_btf_id_by_name", "syz_kvm_assert_syzos_uexit"}
+		if len(inf.Cover) == 0 {
+			found := true
+			for _, s := range noCovSyscalls {
+				if callName == s {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return fmt.Errorf("run %v: call %v: no cover", run, call)
+			}
 		}
 		calls[callName] = true
 	} else {

pkg/vminfo/linux_syscalls.go

@@ -83,6 +83,7 @@ var linuxSyscallChecks = map[string]func(*checkContext, *prog.Syscall) string{
 	"syz_kvm_vgic_v3_setup":       linuxSyzSupportedOnArm64,
 	"syz_kvm_setup_syzos_vm":      linuxSyzSupportedOnArm64,
 	"syz_kvm_add_vcpu":            linuxSyzSupportedOnArm64,
+	"syz_kvm_assert_syzos_uexit":  linuxSyzSupportedOnArm64,
 	"syz_emit_vhci":               linuxVhciInjectionSupported,
 	"syz_init_net_socket":         linuxSyzInitNetSocketSupported,
 	"syz_genetlink_get_family_id": linuxSyzGenetlinkGetFamilyIDSupported,

sys/linux/dev_kvm_arm64.txt

@@ -25,6 +25,8 @@ kvm_num_irqs = 32, 64, 128, 256, 512
 # Set up the VGICv3 IRQ controller inside a VM.
 syz_kvm_vgic_v3_setup(fd fd_kvmvm, ncpus intptr[0:4], nirqs flags[kvm_num_irqs]) fd_kvmdev
 
+syz_kvm_assert_syzos_uexit(run kvm_run_ptr, exitcode int64) (no_generate)
+
 # Old-style way to set up a CPU inside a KVM VM.
 syz_kvm_setup_cpu$arm64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[1024], text ptr[in, array[kvm_text_arm64, 1]], ntext len[text], flags const[0], opts ptr[in, array[kvm_setup_opt_arm64, 1]], nopt len[opts])
 

sys/linux/test/arm64-syz_kvm_setup_syzos_vm

@@ -19,6 +19,12 @@ r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
 # Run till the first uexit.
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0x0)
 # Run till the second uexit.
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xaaaa)
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-memwrite

@@ -10,6 +10,11 @@ r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@memwrite={AUTO, AUTO, @generic={0x
 
 r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
 r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
-# Run till uexit.
+# Run till the emulated uexit.
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0x0)
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-msr

@@ -8,5 +8,11 @@ r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
 # 0x603000000013c600 is VBAR_EL1, it aligns the written value on 0x20.
 #
 r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@msr={AUTO, AUTO, {0x603000000013c600, 0xfefefee0}}], AUTO}, 0x0, 0x0)
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)
 ioctl$KVM_GET_ONE_REG(r3, AUTO, &AUTO=@arm64_sys={0x603000000013c600, &AUTO})

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-smc

@@ -18,3 +18,11 @@ r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@smc={AUTO, AUTO, {0xef000000, [0x0
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3

@@ -6,10 +6,19 @@ r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
 r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
 r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
 syz_kvm_vgic_v3_setup(r1, 0x1, 0x100)
+
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r5, 0xffffffffffffffff)
 #
 # Calling KVM_RUN here again would result in infinite loop.
 # Instead, signal SPI 32 (0x1000020), so that the guest can execute another uexit in the IRQ handler.
 #
 ioctl$KVM_IRQ_LINE(r1, AUTO, &AUTO={0x1000020, 0x1})
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+# 0xfffffffffffffffe is UEXIT_IRQ.
+#
+syz_kvm_assert_syzos_uexit(r5, 0xfffffffffffffffe)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-cpu1

@@ -7,10 +7,17 @@ r2 = syz_kvm_setup_syzos_vm(r1, &(0x7f0000c00000/0x400000)=nil)
 r3 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
 r4 = syz_kvm_add_vcpu(r2, &AUTO={0x0, &AUTO=[@irq_setup={AUTO, AUTO, {0x1, 0x20}}], AUTO}, 0x0, 0x0)
 syz_kvm_vgic_v3_setup(r1, 0x2, 0x100)
+
+r5 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r6 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r5, 0x3, 0x1, r3, 0x0)
+r7 = mmap$KVM_VCPU(&(0x7f000000a000/0x1000)=nil, r5, 0x3, 0x1, r4, 0x0)
+
 ioctl$KVM_RUN(r4, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r7, 0xffffffffffffffff)
 #
 # Calling KVM_RUN here again would result in infinite loop.
 # Instead, signal SPI 32 on CPU 1 (0x1010020), so that the guest can execute another uexit in the IRQ handler.
 #
 ioctl$KVM_IRQ_LINE(r1, AUTO, &AUTO={0x1010020, 0x1})
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xfffffffffffffffe)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its

@@ -21,7 +21,13 @@ ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x0, 0x4, &AUTO=0x08
 #
 ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x4, 0x0, 0x0})
 
+r5 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r6 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r5, 0x3, 0x1, r3, 0x0)
+
+# Run till the end of guest_main(). 0xffffffffffffffff is UEXIT_END.
+#
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xffffffffffffffff)
 #
 # Calling KVM_RUN here again would result in infinite loop.
 # Instead, signal LPI 0x2000 that is mapped to the event 0, so that the guest can execute another uexit in the IRQ handler.
@@ -30,3 +36,4 @@ ioctl$KVM_RUN(r3, AUTO, 0x0)
 #
 ioctl$KVM_SIGNAL_MSI(r1, AUTO, &AUTO={0x8090040, 0x0, 0x0, 0x1, 0x0, ""})
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xfffffffffffffffe)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-its-cmd

@@ -23,10 +23,17 @@ ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x0, 0x4, &AUTO=0x08
 #
 ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x4, 0x0, 0x0})
 #
+# Map struct kvm_run for the VCPU.
+#
+r5 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r6 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r5, 0x3, 0x1, r3, 0x0)
+#
 # This KVM_RUN will stop after receiving the LPI.
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xfffffffffffffffe)
 #
 # This KVM_RUN will stop after finishing the user program.
 #
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xffffffffffffffff)

sys/linux/test/arm64-syz_kvm_setup_syzos_vm-vgicv3-unroll

@@ -13,11 +13,18 @@ ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x3, 0x0, &AUTO=0x10
 ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x0, 0x2, &AUTO=0x08000000})
 ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x0, 0x5, &AUTO=0x400000080a0000})
 ioctl$KVM_SET_DEVICE_ATTR(r4, AUTO, &AUTO=@attr_arm64={0x0, 0x4, 0x0, 0x0})
+#
+# Map struct kvm_run for the VCPU.
+#
+r5 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r6 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r5, 0x3, 0x1, r3, 0x0)
 
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xffffffffffffffff)
 #
 # Calling KVM_RUN here again would result in infinite loop.
 # Instead, signal SPI 32 (0x1000020), so that the guest can execute another uexit in the IRQ handler.
 #
 ioctl$KVM_IRQ_LINE(r1, AUTO, &AUTO={0x1000020, 0x1})
 ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit(r6, 0xfffffffffffffffe)