文本文件  |  120行  |  5.07 KB

# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <linux/types.h>
include <uapi/linux/fs.h>
include <scsi/sg.h>
include <scsi/scsi.h>
include <scsi/scsi_ioctl.h>
include <uapi/linux/blktrace_api.h>

resource fd_sg[fd_block_trace]

syz_open_dev$sg(dev ptr[in, string["/dev/sg#"]], id intptr, flags flags[open_flags]) fd_sg

ioctl$SG_IO(fd fd_sg, cmd const[SG_IO], arg ptr[in, sg_io_hdr])
ioctl$SG_SET_TIMEOUT(fd fd_sg, cmd const[SG_SET_TIMEOUT], arg ptr[in, int32])
ioctl$SG_GET_TIMEOUT(fd fd_sg, cmd const[SG_GET_TIMEOUT], arg const[0])
ioctl$SG_GET_LOW_DMA(fd fd_sg, cmd const[SG_GET_LOW_DMA], arg ptr[out, int32])
ioctl$SG_GET_SCSI_ID(fd fd_sg, cmd const[SG_GET_SCSI_ID], arg ptr[out, array[int8, SG_SCSI_ID_T_SIZE]])
ioctl$SG_SET_FORCE_PACK_ID(fd fd_sg, cmd const[SG_SET_FORCE_PACK_ID], arg ptr[in, bool32])
ioctl$SG_GET_PACK_ID(fd fd_sg, cmd const[SG_GET_PACK_ID], arg ptr[out, int32])
ioctl$SG_GET_NUM_WAITING(fd fd_sg, cmd const[SG_GET_NUM_WAITING], arg ptr[out, int32])
ioctl$SG_GET_SG_TABLESIZE(fd fd_sg, cmd const[SG_GET_SG_TABLESIZE], arg ptr[out, int32])
ioctl$SG_SET_RESERVED_SIZE(fd fd_sg, cmd const[SG_SET_RESERVED_SIZE], arg ptr[in, int32])
ioctl$SG_GET_RESERVED_SIZE(fd fd_sg, cmd const[SG_GET_RESERVED_SIZE], arg ptr[out, int32])
ioctl$SG_GET_COMMAND_Q(fd fd_sg, cmd const[SG_GET_COMMAND_Q], arg ptr[out, int32])
ioctl$SG_GET_KEEP_ORPHAN(fd fd_sg, cmd const[SG_GET_KEEP_ORPHAN], arg ptr[out, int32])
ioctl$SG_GET_VERSION_NUM(fd fd_sg, cmd const[SG_GET_VERSION_NUM], arg ptr[out, int32])
ioctl$SG_GET_ACCESS_COUNT(fd fd_sg, cmd const[SG_GET_ACCESS_COUNT], arg ptr[out, int32])
ioctl$SG_EMULATED_HOST(fd fd_sg, cmd const[SG_EMULATED_HOST], arg ptr[out, int32])
ioctl$SG_SET_COMMAND_Q(fd fd_sg, cmd const[SG_SET_COMMAND_Q], arg ptr[in, bool32])
ioctl$SG_SET_KEEP_ORPHAN(fd fd_sg, cmd const[SG_SET_KEEP_ORPHAN], arg ptr[in, int32])
ioctl$SG_NEXT_CMD_LEN(fd fd_sg, cmd const[SG_NEXT_CMD_LEN], arg ptr[in, int32[0:SG_MAX_CDB_SIZE]])
ioctl$SG_SET_DEBUG(fd fd_sg, cmd const[SG_SET_DEBUG], arg ptr[in, bool32])
ioctl$SG_SCSI_RESET(fd fd_sg, cmd const[SG_SCSI_RESET], arg const[0])
ioctl$SG_GET_REQUEST_TABLE(fd fd_sg, cmd const[SG_GET_REQUEST_TABLE], arg ptr[out, array[int8, SG_REQUEST_TABLE_SIZE]])

ioctl$SCSI_IOCTL_SEND_COMMAND(fd fd_sg, cmd const[SCSI_IOCTL_SEND_COMMAND], arg ptr[in, scsi_ioctl_command])
ioctl$SCSI_IOCTL_TEST_UNIT_READY(fd fd_sg, cmd const[SCSI_IOCTL_TEST_UNIT_READY])
ioctl$SCSI_IOCTL_DOORLOCK(fd fd_sg, cmd const[SCSI_IOCTL_DOORLOCK])
ioctl$SCSI_IOCTL_DOORUNLOCK(fd fd_sg, cmd const[SCSI_IOCTL_DOORUNLOCK])
ioctl$SCSI_IOCTL_START_UNIT(fd fd_sg, cmd const[SCSI_IOCTL_START_UNIT])
ioctl$SCSI_IOCTL_STOP_UNIT(fd fd_sg, cmd const[SCSI_IOCTL_STOP_UNIT])
ioctl$SCSI_IOCTL_SYNC(fd fd_sg, cmd const[SCSI_IOCTL_SYNC])
ioctl$SCSI_IOCTL_BENCHMARK_COMMAND(fd fd_sg, cmd const[SCSI_IOCTL_BENCHMARK_COMMAND])
ioctl$SCSI_IOCTL_GET_BUS_NUMBER(fd fd_sg, cmd const[SCSI_IOCTL_GET_BUS_NUMBER], arg ptr[out, int32])
ioctl$SCSI_IOCTL_GET_PCI(fd fd_sg, cmd const[SCSI_IOCTL_GET_PCI], arg ptr[out, array[int8, 20]])
ioctl$SCSI_IOCTL_PROBE_HOST(fd fd_sg, cmd const[SCSI_IOCTL_PROBE_HOST], arg ptr[out, scsi_ioctl_probe_host_out_buffer])
ioctl$SCSI_IOCTL_GET_IDLUN(fd fd_sg, cmd const[SCSI_IOCTL_GET_IDLUN], arg ptr[out, scsi_idlun])

sg_io_hdr {
	interface_id	flags[sg_interface_id, int32]
	dxfer_direction	flags[sg_dxfer_direction, int32]
	cmd_len		len[cmdp, int8]
	mx_sb_len	int8
	data		sg_io_hdr_data
	cmdp		ptr[in, array[int8]]
	sbp		ptr[out, array[int8]]
	timeout		int32
	flags		flags[sg_flags, int32]
	pack_id		flags[sg_pack_id, int32]
	usr_ptr		ptr[out, int8]
	status		const[0, int8]
	masked_status	const[0, int8]
	msg_status	const[0, int8]
	sb_len_wr	const[0, int8]
	host_status	const[0, int16]
	driver_status	const[0, int16]
	resid		const[0, int32]
	duration	const[0, int32]
	info		const[0, int32]
} [packed, size[SG_IO_HDR_SIZE]]

sg_io_hdr_data [
	buffer	sg_io_hdr_data_buffer
	scatter	sg_io_hdr_data_scatter
]

sg_io_hdr_data_buffer {
	iovec_count	const[0, int16]
	dxfer_len	bytesize[dxferp, int32]
	dxferp		ptr[out, array[int8]]
} [packed]

sg_io_hdr_data_scatter {
	iovec_count	len[dxferp, int16]
	dxfer_len	const[0, int32]
	dxferp		ptr[in, array[iovec_out]]
} [packed]

scsi_ioctl_command {
	inlen	len[data, int32]
	outlen	int32
	opcode	int32
# TODO: this needs improvement: there are some command headers depending on opcode
# and inlen only describes data past header.
	data	array[int8]
}

scsi_idlun {
	dev_id		int32
	host_unique_id	int32
}

scsi_ioctl_probe_host_out_buffer {
	len	bytesize[data, int32]
	data	array[int8]
}

sg_interface_id = 0, 'S'
sg_dxfer_direction = SG_DXFER_NONE, SG_DXFER_TO_DEV, SG_DXFER_FROM_DEV, SG_DXFER_TO_FROM_DEV, SG_DXFER_UNKNOWN
sg_flags = SG_FLAG_DIRECT_IO, SG_FLAG_UNUSED_LUN_INHIBIT, SG_FLAG_MMAP_IO, SG_FLAG_NO_DXFER, SG_FLAG_Q_AT_TAIL, SG_FLAG_Q_AT_HEAD
# TODO: we need negative integers for -1
sg_pack_id = -1, 0, 1, 2, 3

define SG_MAX_CDB_SIZE	252
define SG_REQUEST_TABLE_SIZE	SG_MAX_QUEUE * sizeof(sg_req_info_t)
define SG_IO_HDR_SIZE	sizeof(struct sg_io_hdr)
define SG_SCSI_ID_T_SIZE	sizeof(sg_scsi_id_t)