sys/linux: add ion and ashmem devices support

Note: ion supercedes the old android interface, which is moved to sys/android.
2024-11-27 05:10:43 +00:00 · 2018-01-08 19:14:22 +01:00 · 2018-01-08 19:14:22 +01:00 · 7166c86520
commit 7166c86520
parent 5aac8b06c6
31 changed files with 6674 additions and 5865 deletions
--- a/docs/linux/setup_linux-host_android-device_arm64-kernel.md
+++ b/docs/linux/setup_linux-host_android-device_arm64-kernel.md
@ -6,8 +6,17 @@ Prerequisites:

 - Build syzkaller

+In case you have old Android `/dev/ion` driver:
+
 ```sh
-$ make TARGETOS=linux TARGETARCH=arm64
+cp sys/android/* sys/linux
+make generate
+```
+
+Then:
+
+```sh
+make TARGETOS=linux TARGETARCH=arm64
 ```

 - Create config with `"type": "adb"` and specify adb devices to use. For example:
--- a/executor/syscalls_linux.h
+++ b/executor/syscalls_linux.h
@ -2,7 +2,7 @@

 #if defined(__i386__) || 0
 #define GOARCH "386"
-#define SYZ_REVISION "4c64822c6b707ad89072a21db3874258929c0129"
+#define SYZ_REVISION "492a214456d7021b507ccce917144e6d6ef5ae3a"
 #define __NR_syz_emit_ethernet 1000000
 #define __NR_syz_extract_tcp_res 1000001
 #define __NR_syz_fuse_mount 1000002
@ -12,7 +12,7 @@
 #define __NR_syz_open_procfs 1000006
 #define __NR_syz_open_pts 1000007

-unsigned syscall_count = 1469;
+unsigned syscall_count = 1481;
 call_t syscalls[] = {
    {"accept4", 364},
    {"accept4$ax25", 364},
@ -364,11 +364,20 @@ call_t syscalls[] = {
    {"io_setup", 245},
    {"io_submit", 248},
    {"ioctl", 54},
+    {"ioctl$ASHMEM_GET_NAME", 54},
+    {"ioctl$ASHMEM_GET_PIN_STATUS", 54},
+    {"ioctl$ASHMEM_GET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_GET_SIZE", 54},
+    {"ioctl$ASHMEM_PURGE_ALL_CACHES", 54},
+    {"ioctl$ASHMEM_SET_NAME", 54},
+    {"ioctl$ASHMEM_SET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_SET_SIZE", 54},
    {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
    {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
    {"ioctl$BINDER_SET_MAX_THREADS", 54},
    {"ioctl$BINDER_THREAD_EXIT", 54},
    {"ioctl$BINDER_WRITE_READ", 54},
+    {"ioctl$DMA_BUF_IOCTL_SYNC", 54},
    {"ioctl$DRM_IOCTL_ADD_BUFS", 54},
    {"ioctl$DRM_IOCTL_ADD_CTX", 54},
    {"ioctl$DRM_IOCTL_ADD_MAP", 54},
@ -467,6 +476,8 @@ call_t syscalls[] = {
    {"ioctl$GIO_SCRNMAP", 54},
    {"ioctl$GIO_UNIMAP", 54},
    {"ioctl$GIO_UNISCRNMAP", 54},
+    {"ioctl$ION_IOC_ALLOC", 54},
+    {"ioctl$ION_IOC_HEAP_QUERY", 54},
    {"ioctl$KDADDIO", 54},
    {"ioctl$KDDELIO", 54},
    {"ioctl$KDDISABIO", 54},
@ -949,6 +960,7 @@ call_t syscalls[] = {
    {"open$dir", 5},
    {"open_by_handle_at", 342},
    {"openat", 295},
+    {"openat$ashmem", 295},
    {"openat$audio", 295},
    {"openat$autofs", 295},
    {"openat$capi20", 295},
@ -1489,7 +1501,7 @@ call_t syscalls[] = {

 #if defined(__x86_64__) || 0
 #define GOARCH "amd64"
-#define SYZ_REVISION "040bde910c2bab847ddef91adf9b959305032f1b"
+#define SYZ_REVISION "3b4929b41a5d0e6662d69a6205b51efd164a266b"
 #define __NR_syz_emit_ethernet 1000000
 #define __NR_syz_extract_tcp_res 1000001
 #define __NR_syz_fuse_mount 1000002
@ -1499,7 +1511,7 @@ call_t syscalls[] = {
 #define __NR_syz_open_procfs 1000006
 #define __NR_syz_open_pts 1000007

-unsigned syscall_count = 1529;
+unsigned syscall_count = 1534;
 call_t syscalls[] = {
    {"accept", 43},
    {"accept$alg", 43},
@ -1862,11 +1874,20 @@ call_t syscalls[] = {
    {"io_setup", 206},
    {"io_submit", 209},
    {"ioctl", 16},
+    {"ioctl$ASHMEM_GET_NAME", 16},
+    {"ioctl$ASHMEM_GET_PIN_STATUS", 16},
+    {"ioctl$ASHMEM_GET_PROT_MASK", 16},
+    {"ioctl$ASHMEM_GET_SIZE", 16},
+    {"ioctl$ASHMEM_PURGE_ALL_CACHES", 16},
+    {"ioctl$ASHMEM_SET_NAME", 16},
+    {"ioctl$ASHMEM_SET_PROT_MASK", 16},
+    {"ioctl$ASHMEM_SET_SIZE", 16},
    {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 16},
    {"ioctl$BINDER_SET_CONTEXT_MGR", 16},
    {"ioctl$BINDER_SET_MAX_THREADS", 16},
    {"ioctl$BINDER_THREAD_EXIT", 16},
    {"ioctl$BINDER_WRITE_READ", 16},
+    {"ioctl$DMA_BUF_IOCTL_SYNC", 16},
    {"ioctl$DRM_IOCTL_ADD_BUFS", 16},
    {"ioctl$DRM_IOCTL_ADD_CTX", 16},
    {"ioctl$DRM_IOCTL_ADD_MAP", 16},
@ -1966,12 +1987,7 @@ call_t syscalls[] = {
    {"ioctl$GIO_UNIMAP", 16},
    {"ioctl$GIO_UNISCRNMAP", 16},
    {"ioctl$ION_IOC_ALLOC", 16},
-    {"ioctl$ION_IOC_CUSTOM", 16},
-    {"ioctl$ION_IOC_FREE", 16},
-    {"ioctl$ION_IOC_IMPORT", 16},
-    {"ioctl$ION_IOC_MAP", 16},
-    {"ioctl$ION_IOC_SHARE", 16},
-    {"ioctl$ION_IOC_SYNC", 16},
+    {"ioctl$ION_IOC_HEAP_QUERY", 16},
    {"ioctl$KDADDIO", 16},
    {"ioctl$KDDELIO", 16},
    {"ioctl$KDDISABIO", 16},
@ -2468,6 +2484,7 @@ call_t syscalls[] = {
    {"open$dir", 2},
    {"open_by_handle_at", 304},
    {"openat", 257},
+    {"openat$ashmem", 257},
    {"openat$audio", 257},
    {"openat$autofs", 257},
    {"openat$capi20", 257},
@ -3036,7 +3053,7 @@ call_t syscalls[] = {

 #if defined(__arm__) || 0
 #define GOARCH "arm"
-#define SYZ_REVISION "0225b0af4514cf8d3f74eb14a51f7f2df957d336"
+#define SYZ_REVISION "2b29d93e4fdf86b17c466ea49cf95810d8ca5005"
 #define __NR_syz_emit_ethernet 1000000
 #define __NR_syz_extract_tcp_res 1000001
 #define __NR_syz_fuse_mount 1000002
@ -3046,7 +3063,7 @@ call_t syscalls[] = {
 #define __NR_syz_open_procfs 1000006
 #define __NR_syz_open_pts 1000007

-unsigned syscall_count = 1479;
+unsigned syscall_count = 1491;
 call_t syscalls[] = {
    {"accept", 285},
    {"accept$alg", 285},
@ -3404,11 +3421,20 @@ call_t syscalls[] = {
    {"io_setup", 243},
    {"io_submit", 246},
    {"ioctl", 54},
+    {"ioctl$ASHMEM_GET_NAME", 54},
+    {"ioctl$ASHMEM_GET_PIN_STATUS", 54},
+    {"ioctl$ASHMEM_GET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_GET_SIZE", 54},
+    {"ioctl$ASHMEM_PURGE_ALL_CACHES", 54},
+    {"ioctl$ASHMEM_SET_NAME", 54},
+    {"ioctl$ASHMEM_SET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_SET_SIZE", 54},
    {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
    {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
    {"ioctl$BINDER_SET_MAX_THREADS", 54},
    {"ioctl$BINDER_THREAD_EXIT", 54},
    {"ioctl$BINDER_WRITE_READ", 54},
+    {"ioctl$DMA_BUF_IOCTL_SYNC", 54},
    {"ioctl$DRM_IOCTL_ADD_BUFS", 54},
    {"ioctl$DRM_IOCTL_ADD_CTX", 54},
    {"ioctl$DRM_IOCTL_ADD_MAP", 54},
@ -3507,6 +3533,8 @@ call_t syscalls[] = {
    {"ioctl$GIO_SCRNMAP", 54},
    {"ioctl$GIO_UNIMAP", 54},
    {"ioctl$GIO_UNISCRNMAP", 54},
+    {"ioctl$ION_IOC_ALLOC", 54},
+    {"ioctl$ION_IOC_HEAP_QUERY", 54},
    {"ioctl$KDADDIO", 54},
    {"ioctl$KDDELIO", 54},
    {"ioctl$KDDISABIO", 54},
@ -3969,6 +3997,7 @@ call_t syscalls[] = {
    {"open$dir", 5},
    {"open_by_handle_at", 371},
    {"openat", 322},
+    {"openat$ashmem", 322},
    {"openat$audio", 322},
    {"openat$autofs", 322},
    {"openat$capi20", 322},
@ -4533,7 +4562,7 @@ call_t syscalls[] = {

 #if defined(__aarch64__) || 0
 #define GOARCH "arm64"
-#define SYZ_REVISION "aa1ba146297e92cb7b1c944b45fa6b8517d20b5f"
+#define SYZ_REVISION "9c00587ca2d4db5ed33b93b457cbd82050d87ac3"
 #define __NR_syz_emit_ethernet 1000000
 #define __NR_syz_extract_tcp_res 1000001
 #define __NR_syz_fuse_mount 1000002
@ -4543,7 +4572,7 @@ call_t syscalls[] = {
 #define __NR_syz_open_procfs 1000006
 #define __NR_syz_open_pts 1000007

-unsigned syscall_count = 1458;
+unsigned syscall_count = 1463;
 call_t syscalls[] = {
    {"accept", 202},
    {"accept$alg", 202},
@ -4892,11 +4921,20 @@ call_t syscalls[] = {
    {"io_setup", 0},
    {"io_submit", 2},
    {"ioctl", 29},
+    {"ioctl$ASHMEM_GET_NAME", 29},
+    {"ioctl$ASHMEM_GET_PIN_STATUS", 29},
+    {"ioctl$ASHMEM_GET_PROT_MASK", 29},
+    {"ioctl$ASHMEM_GET_SIZE", 29},
+    {"ioctl$ASHMEM_PURGE_ALL_CACHES", 29},
+    {"ioctl$ASHMEM_SET_NAME", 29},
+    {"ioctl$ASHMEM_SET_PROT_MASK", 29},
+    {"ioctl$ASHMEM_SET_SIZE", 29},
    {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 29},
    {"ioctl$BINDER_SET_CONTEXT_MGR", 29},
    {"ioctl$BINDER_SET_MAX_THREADS", 29},
    {"ioctl$BINDER_THREAD_EXIT", 29},
    {"ioctl$BINDER_WRITE_READ", 29},
+    {"ioctl$DMA_BUF_IOCTL_SYNC", 29},
    {"ioctl$DRM_IOCTL_ADD_BUFS", 29},
    {"ioctl$DRM_IOCTL_ADD_CTX", 29},
    {"ioctl$DRM_IOCTL_ADD_MAP", 29},
@ -4996,12 +5034,7 @@ call_t syscalls[] = {
    {"ioctl$GIO_UNIMAP", 29},
    {"ioctl$GIO_UNISCRNMAP", 29},
    {"ioctl$ION_IOC_ALLOC", 29},
-    {"ioctl$ION_IOC_CUSTOM", 29},
-    {"ioctl$ION_IOC_FREE", 29},
-    {"ioctl$ION_IOC_IMPORT", 29},
-    {"ioctl$ION_IOC_MAP", 29},
-    {"ioctl$ION_IOC_SHARE", 29},
-    {"ioctl$ION_IOC_SYNC", 29},
+    {"ioctl$ION_IOC_HEAP_QUERY", 29},
    {"ioctl$KDADDIO", 29},
    {"ioctl$KDDELIO", 29},
    {"ioctl$KDDISABIO", 29},
@ -5461,6 +5494,7 @@ call_t syscalls[] = {
    {"nanosleep", 101},
    {"open_by_handle_at", 265},
    {"openat", 56},
+    {"openat$ashmem", 56},
    {"openat$audio", 56},
    {"openat$autofs", 56},
    {"openat$capi20", 56},
@ -6009,7 +6043,7 @@ call_t syscalls[] = {

 #if defined(__ppc64__) || defined(__PPC64__) || defined(__powerpc64__) || 0
 #define GOARCH "ppc64le"
-#define SYZ_REVISION "2d8dca03f154194cf3a43c13d7b6c3addf3eda6a"
+#define SYZ_REVISION "3d1e8f474fcaedab74ace5877617a91edb66ae43"
 #define __NR_syz_emit_ethernet 1000000
 #define __NR_syz_extract_tcp_res 1000001
 #define __NR_syz_fuse_mount 1000002
@ -6019,7 +6053,7 @@ call_t syscalls[] = {
 #define __NR_syz_open_procfs 1000006
 #define __NR_syz_open_pts 1000007

-unsigned syscall_count = 1438;
+unsigned syscall_count = 1450;
 call_t syscalls[] = {
    {"accept", 330},
    {"accept$alg", 330},
@ -6380,11 +6414,20 @@ call_t syscalls[] = {
    {"io_setup", 227},
    {"io_submit", 230},
    {"ioctl", 54},
+    {"ioctl$ASHMEM_GET_NAME", 54},
+    {"ioctl$ASHMEM_GET_PIN_STATUS", 54},
+    {"ioctl$ASHMEM_GET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_GET_SIZE", 54},
+    {"ioctl$ASHMEM_PURGE_ALL_CACHES", 54},
+    {"ioctl$ASHMEM_SET_NAME", 54},
+    {"ioctl$ASHMEM_SET_PROT_MASK", 54},
+    {"ioctl$ASHMEM_SET_SIZE", 54},
    {"ioctl$BINDER_GET_NODE_DEBUG_INFO", 54},
    {"ioctl$BINDER_SET_CONTEXT_MGR", 54},
    {"ioctl$BINDER_SET_MAX_THREADS", 54},
    {"ioctl$BINDER_THREAD_EXIT", 54},
    {"ioctl$BINDER_WRITE_READ", 54},
+    {"ioctl$DMA_BUF_IOCTL_SYNC", 54},
    {"ioctl$DRM_IOCTL_ADD_BUFS", 54},
    {"ioctl$DRM_IOCTL_ADD_CTX", 54},
    {"ioctl$DRM_IOCTL_ADD_MAP", 54},
@ -6483,6 +6526,8 @@ call_t syscalls[] = {
    {"ioctl$GIO_SCRNMAP", 54},
    {"ioctl$GIO_UNIMAP", 54},
    {"ioctl$GIO_UNISCRNMAP", 54},
+    {"ioctl$ION_IOC_ALLOC", 54},
+    {"ioctl$ION_IOC_HEAP_QUERY", 54},
    {"ioctl$KDADDIO", 54},
    {"ioctl$KDDELIO", 54},
    {"ioctl$KDDISABIO", 54},
@ -6931,6 +6976,7 @@ call_t syscalls[] = {
    {"open$dir", 5},
    {"open_by_handle_at", 346},
    {"openat", 286},
+    {"openat$ashmem", 286},
    {"openat$audio", 286},
    {"openat$autofs", 286},
    {"openat$capi20", 286},
--- a/sys/android/ion.txt
+++ b/sys/android/ion.txt
@ -0,0 +1,46 @@
+# Copyright 2016 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+# billylau@
+
+# Description of ioctl calls for /dev/ion, which is based off of 3.18 kernel.
+# TODO: ION_IOC_HEAP_QUERY is detected for 4.10 upstream, but not covered in this description.
+
+include <asm/ioctl.h>
+include <linux/fcntl.h>
+include <../drivers/staging/android/uapi/ion.h>
+
+resource fd_ion[fd]
+resource fd_ion_generic[fd]
+
+resource ion_handle[int32]
+
+openat$ion(fd const[AT_FDCWD], file ptr[in, string["/dev/ion"]], flags flags[open_flags], mode const[0]) fd_ion
+ioctl$ION_IOC_ALLOC(fd fd_ion, cmd const[ION_IOC_ALLOC], arg ptr[inout, ion_allocation_data])
+ioctl$ION_IOC_FREE(fd fd_ion, cmd const[ION_IOC_FREE], arg ptr[in, ion_handle_data])
+ioctl$ION_IOC_MAP(fd fd_ion, cmd const[ION_IOC_MAP], arg ptr[inout, ion_fd_data])
+ioctl$ION_IOC_SHARE(fd fd_ion, cmd const[ION_IOC_SHARE], arg ptr[inout, ion_fd_data])
+ioctl$ION_IOC_IMPORT(fd fd_ion, cmd const[ION_IOC_IMPORT], arg ptr[inout, ion_fd_data])
+ioctl$ION_IOC_SYNC(fd fd_ion, cmd const[ION_IOC_SYNC], arg ptr[inout, ion_fd_data])
+ioctl$ION_IOC_CUSTOM(fd fd_ion, cmd const[ION_IOC_CUSTOM], arg ptr[inout, ion_custom_data])
+
+ion_allocation_data {
+	len	intptr
+	align	intptr
+	heapid	int32
+	flags	int32
+	handle	ion_handle
+}
+
+ion_handle_data {
+	handle	ion_handle
+}
+
+ion_fd_data {
+	handle	ion_handle
+	fd	fd_ion_generic
+}
+
+ion_custom_data {
+	cmd	int32
+	arg	intptr
+}
--- a/sys/android/ion_amd64.const
+++ b/sys/android/ion_amd64.const
@ -0,0 +1,11 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+ION_IOC_ALLOC = 3223341312
+ION_IOC_CUSTOM = 3222292742
+ION_IOC_FREE = 3221506305
+ION_IOC_IMPORT = 3221768453
+ION_IOC_MAP = 3221768450
+ION_IOC_SHARE = 3221768452
+ION_IOC_SYNC = 3221768455
+__NR_ioctl = 16
+__NR_openat = 257
--- a/sys/android/ion_arm64.const
+++ b/sys/android/ion_arm64.const
@ -0,0 +1,11 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+ION_IOC_ALLOC = 3223341312
+ION_IOC_CUSTOM = 3222292742
+ION_IOC_FREE = 3221506305
+ION_IOC_IMPORT = 3221768453
+ION_IOC_MAP = 3221768450
+ION_IOC_SHARE = 3221768452
+ION_IOC_SYNC = 3221768455
+__NR_ioctl = 29
+__NR_openat = 56
--- a/sys/linux/386.go
+++ b/sys/linux/386.go
--- a/sys/linux/amd64.go
+++ b/sys/linux/amd64.go
--- a/sys/linux/arm.go
+++ b/sys/linux/arm.go
--- a/sys/linux/arm64.go
+++ b/sys/linux/arm64.go
--- a/sys/linux/ashmem.txt
+++ b/sys/linux/ashmem.txt
@ -0,0 +1,24 @@
+# Copyright 2017 syzkaller project authors. All rights reserved.
+# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+include <asm/ioctl.h>
+include <uapi/linux/fcntl.h>
+include <drivers/staging/android/uapi/ashmem.h>
+
+resource fd_ashmem[fd]
+
+openat$ashmem(fd const[AT_FDCWD], file ptr[in, string["/dev/ashmem"]], flags flags[open_flags], mode const[0]) fd_ashmem
+
+ioctl$ASHMEM_SET_NAME(fd fd_ashmem, cmd const[ASHMEM_SET_NAME], arg ptr[in, string])
+ioctl$ASHMEM_GET_NAME(fd fd_ashmem, cmd const[ASHMEM_GET_NAME], arg ptr[out, array[int8]])
+ioctl$ASHMEM_SET_SIZE(fd fd_ashmem, cmd const[ASHMEM_SET_SIZE], arg intptr)
+ioctl$ASHMEM_GET_SIZE(fd fd_ashmem, cmd const[ASHMEM_GET_SIZE], arg const[0])
+ioctl$ASHMEM_SET_PROT_MASK(fd fd_ashmem, cmd const[ASHMEM_SET_PROT_MASK], arg ptr[in, ashmem_pin])
+ioctl$ASHMEM_GET_PROT_MASK(fd fd_ashmem, cmd const[ASHMEM_GET_PROT_MASK], arg ptr[out, ashmem_pin])
+ioctl$ASHMEM_GET_PIN_STATUS(fd fd_ashmem, cmd const[ASHMEM_GET_PIN_STATUS], arg const[0])
+ioctl$ASHMEM_PURGE_ALL_CACHES(fd fd_ashmem, cmd const[ASHMEM_PURGE_ALL_CACHES], arg const[0])
+
+ashmem_pin {
+	offset	int32
+	len	int32
+}
--- a/sys/linux/ashmem_386.const
+++ b/sys/linux/ashmem_386.const
@ -0,0 +1,12 @@
+# AUTOGENERATED FILE
+ASHMEM_GET_NAME = 2164291330
+ASHMEM_GET_PIN_STATUS = 30473
+ASHMEM_GET_PROT_MASK = 30470
+ASHMEM_GET_SIZE = 30468
+ASHMEM_PURGE_ALL_CACHES = 30474
+ASHMEM_SET_NAME = 1090549505
+ASHMEM_SET_PROT_MASK = 1074034437
+ASHMEM_SET_SIZE = 1074034435
+AT_FDCWD = 18446744073709551516
+__NR_ioctl = 54
+__NR_openat = 295
--- a/sys/linux/ashmem_amd64.const
+++ b/sys/linux/ashmem_amd64.const
@ -0,0 +1,12 @@
+# AUTOGENERATED FILE
+ASHMEM_GET_NAME = 2164291330
+ASHMEM_GET_PIN_STATUS = 30473
+ASHMEM_GET_PROT_MASK = 30470
+ASHMEM_GET_SIZE = 30468
+ASHMEM_PURGE_ALL_CACHES = 30474
+ASHMEM_SET_NAME = 1090549505
+ASHMEM_SET_PROT_MASK = 1074296581
+ASHMEM_SET_SIZE = 1074296579
+AT_FDCWD = 18446744073709551516
+__NR_ioctl = 16
+__NR_openat = 257
--- a/sys/linux/ashmem_arm.const
+++ b/sys/linux/ashmem_arm.const
@ -0,0 +1,12 @@
+# AUTOGENERATED FILE
+ASHMEM_GET_NAME = 2164291330
+ASHMEM_GET_PIN_STATUS = 30473
+ASHMEM_GET_PROT_MASK = 30470
+ASHMEM_GET_SIZE = 30468
+ASHMEM_PURGE_ALL_CACHES = 30474
+ASHMEM_SET_NAME = 1090549505
+ASHMEM_SET_PROT_MASK = 1074034437
+ASHMEM_SET_SIZE = 1074034435
+AT_FDCWD = 18446744073709551516
+__NR_ioctl = 54
+__NR_openat = 322
--- a/sys/linux/ashmem_arm64.const
+++ b/sys/linux/ashmem_arm64.const
@ -0,0 +1,12 @@
+# AUTOGENERATED FILE
+ASHMEM_GET_NAME = 2164291330
+ASHMEM_GET_PIN_STATUS = 30473
+ASHMEM_GET_PROT_MASK = 30470
+ASHMEM_GET_SIZE = 30468
+ASHMEM_PURGE_ALL_CACHES = 30474
+ASHMEM_SET_NAME = 1090549505
+ASHMEM_SET_PROT_MASK = 1074296581
+ASHMEM_SET_SIZE = 1074296579
+AT_FDCWD = 18446744073709551516
+__NR_ioctl = 29
+__NR_openat = 56
--- a/sys/linux/ashmem_ppc64le.const
+++ b/sys/linux/ashmem_ppc64le.const
@ -0,0 +1,12 @@
+# AUTOGENERATED FILE
+ASHMEM_GET_NAME = 1090549506
+ASHMEM_GET_PIN_STATUS = 536901385
+ASHMEM_GET_PROT_MASK = 536901382
+ASHMEM_GET_SIZE = 536901380
+ASHMEM_PURGE_ALL_CACHES = 536901386
+ASHMEM_SET_NAME = 2164291329
+ASHMEM_SET_PROT_MASK = 2148038405
+ASHMEM_SET_SIZE = 2148038403
+AT_FDCWD = 18446744073709551516
+__NR_ioctl = 54
+__NR_openat = 286
--- a/sys/linux/bpf_386.const
+++ b/sys/linux/bpf_386.const
@ -123,7 +123,7 @@ BPF_SUB0 = 1
 BPF_W0 = 0
 BPF_XADD0 = 6
 BPF_XOR0 = 10
-__BPF_FUNC_MAX_ID = 59
+__BPF_FUNC_MAX_ID = 58
 __NR_bpf = 357
 bpf_call_code = 133
 bpf_exit_code = 149
--- a/sys/linux/bpf_amd64.const
+++ b/sys/linux/bpf_amd64.const
@ -123,7 +123,7 @@ BPF_SUB0 = 1
 BPF_W0 = 0
 BPF_XADD0 = 6
 BPF_XOR0 = 10
-__BPF_FUNC_MAX_ID = 59
+__BPF_FUNC_MAX_ID = 58
 __NR_bpf = 321
 bpf_call_code = 133
 bpf_exit_code = 149
--- a/sys/linux/bpf_arm64.const
+++ b/sys/linux/bpf_arm64.const
@ -123,7 +123,7 @@ BPF_SUB0 = 1
 BPF_W0 = 0
 BPF_XADD0 = 6
 BPF_XOR0 = 10
-__BPF_FUNC_MAX_ID = 59
+__BPF_FUNC_MAX_ID = 58
 __NR_bpf = 280
 bpf_call_code = 133
 bpf_exit_code = 149
--- a/sys/linux/bpf_ppc64le.const
+++ b/sys/linux/bpf_ppc64le.const
@ -123,7 +123,7 @@ BPF_SUB0 = 1
 BPF_W0 = 0
 BPF_XADD0 = 6
 BPF_XOR0 = 10
-__BPF_FUNC_MAX_ID = 59
+__BPF_FUNC_MAX_ID = 58
 __NR_bpf = 361
 bpf_call_code = 133
 bpf_exit_code = 149
--- a/sys/linux/ion.txt
+++ b/sys/linux/ion.txt
@ -1,46 +1,53 @@
-# Copyright 2016 syzkaller project authors. All rights reserved.
+# Copyright 2017 syzkaller project authors. All rights reserved.
 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
-# billylau@
-
-# Description of ioctl calls for /dev/ion, which is based off of 3.18 kernel.
-# TODO: ION_IOC_HEAP_QUERY is detected for 4.10 upstream, but not covered in this description.

 include <asm/ioctl.h>
-include <linux/fcntl.h>
-include <../drivers/staging/android/uapi/ion.h>
+include <uapi/linux/fcntl.h>
+include <uapi/linux/dma-buf.h>
+include <drivers/staging/android/uapi/ion.h>

 resource fd_ion[fd]
-resource fd_ion_generic[fd]
-
-resource ion_handle[int32]
+resource fd_dma_buf[fd]

 openat$ion(fd const[AT_FDCWD], file ptr[in, string["/dev/ion"]], flags flags[open_flags], mode const[0]) fd_ion
+
 ioctl$ION_IOC_ALLOC(fd fd_ion, cmd const[ION_IOC_ALLOC], arg ptr[inout, ion_allocation_data])
-ioctl$ION_IOC_FREE(fd fd_ion, cmd const[ION_IOC_FREE], arg ptr[in, ion_handle_data])
-ioctl$ION_IOC_MAP(fd fd_ion, cmd const[ION_IOC_MAP], arg ptr[inout, ion_fd_data])
-ioctl$ION_IOC_SHARE(fd fd_ion, cmd const[ION_IOC_SHARE], arg ptr[inout, ion_fd_data])
-ioctl$ION_IOC_IMPORT(fd fd_ion, cmd const[ION_IOC_IMPORT], arg ptr[inout, ion_fd_data])
-ioctl$ION_IOC_SYNC(fd fd_ion, cmd const[ION_IOC_SYNC], arg ptr[inout, ion_fd_data])
-ioctl$ION_IOC_CUSTOM(fd fd_ion, cmd const[ION_IOC_CUSTOM], arg ptr[inout, ion_custom_data])
+ioctl$ION_IOC_HEAP_QUERY(fd fd_ion, cmd const[ION_IOC_HEAP_QUERY], arg ptr[inout, ion_allocation_data])
+
+ioctl$DMA_BUF_IOCTL_SYNC(fd fd_dma_buf, cmd const[DMA_BUF_IOCTL_SYNC], arg ptr[in, flags[dma_buf_sync_flags, int64]])

 ion_allocation_data {
-	len	intptr
-	align	intptr
-	heapid	int32
-	flags	int32
-	handle	ion_handle
+	len		int64
+	heap_id_mask	flags[ion_heap_mask, int32]
+	flags		flags[ion_alloc_flags, int32]
+	fd		fd_dma_buf[opt]
+	unused		const[0, int32]
 }

-ion_handle_data {
-	handle	ion_handle
+ion_heap_query {
+	cnt		len[heaps, int32]
+	reserved0	const[0, int32]
+	heaps		ptr64[out, ion_heap_data]
+	reserved1	const[0, int32]
+	reserved2	const[0, int32]
 }

-ion_fd_data {
-	handle	ion_handle
-	fd	fd_ion_generic
+ion_heap_data {
+	name		string["name", MAX_HEAP_NAME]
+	type		int32
+	heap_id		int32
+	reserved0	int32
+	reserved1	int32
+	reserved2	int32
 }

-ion_custom_data {
-	cmd	int32
-	arg	intptr
-}
+ion_alloc_flags = ION_FLAG_CACHED
+ion_heap_mask = ION_HEAP_TYPE_SYSTEM_BIT, ION_HEAP_TYPE_SYSTEM_CONTIG_BIT, ION_HEAP_TYPE_CARVEOUT_BIT, ION_HEAP_TYPE_CHUNK_BIT, ION_HEAP_TYPE_DMA_BIT, ION_HEAP_TYPE_CUSTOM_BIT
+dma_buf_sync_flags = DMA_BUF_SYNC_READ, DMA_BUF_SYNC_WRITE, DMA_BUF_SYNC_END
+
+define ION_HEAP_TYPE_SYSTEM_BIT	1 << ION_HEAP_TYPE_SYSTEM
+define ION_HEAP_TYPE_SYSTEM_CONTIG_BIT	1 << ION_HEAP_TYPE_SYSTEM_CONTIG
+define ION_HEAP_TYPE_CARVEOUT_BIT	1 << ION_HEAP_TYPE_CARVEOUT
+define ION_HEAP_TYPE_CHUNK_BIT	1 << ION_HEAP_TYPE_CHUNK
+define ION_HEAP_TYPE_DMA_BIT	1 << ION_HEAP_TYPE_DMA
+define ION_HEAP_TYPE_CUSTOM_BIT	1 << ION_HEAP_TYPE_CUSTOM
--- a/sys/linux/ion_386.const
+++ b/sys/linux/ion_386.const
@ -0,0 +1,18 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+DMA_BUF_IOCTL_SYNC = 1074291200
+DMA_BUF_SYNC_END = 4
+DMA_BUF_SYNC_READ = 1
+DMA_BUF_SYNC_WRITE = 2
+ION_FLAG_CACHED = 1
+ION_HEAP_TYPE_CARVEOUT_BIT = 4
+ION_HEAP_TYPE_CHUNK_BIT = 8
+ION_HEAP_TYPE_CUSTOM_BIT = 32
+ION_HEAP_TYPE_DMA_BIT = 16
+ION_HEAP_TYPE_SYSTEM_BIT = 1
+ION_HEAP_TYPE_SYSTEM_CONTIG_BIT = 2
+ION_IOC_ALLOC = 3222817024
+ION_IOC_HEAP_QUERY = 3222817032
+MAX_HEAP_NAME = 32
+__NR_ioctl = 54
+__NR_openat = 295
--- a/sys/linux/ion_amd64.const
+++ b/sys/linux/ion_amd64.const
@ -1,11 +1,18 @@
 # AUTOGENERATED FILE
 AT_FDCWD = 18446744073709551516
-ION_IOC_ALLOC = 3223341312
-ION_IOC_CUSTOM = 3222292742
-ION_IOC_FREE = 3221506305
-ION_IOC_IMPORT = 3221768453
-ION_IOC_MAP = 3221768450
-ION_IOC_SHARE = 3221768452
-ION_IOC_SYNC = 3221768455
+DMA_BUF_IOCTL_SYNC = 1074291200
+DMA_BUF_SYNC_END = 4
+DMA_BUF_SYNC_READ = 1
+DMA_BUF_SYNC_WRITE = 2
+ION_FLAG_CACHED = 1
+ION_HEAP_TYPE_CARVEOUT_BIT = 4
+ION_HEAP_TYPE_CHUNK_BIT = 8
+ION_HEAP_TYPE_CUSTOM_BIT = 32
+ION_HEAP_TYPE_DMA_BIT = 16
+ION_HEAP_TYPE_SYSTEM_BIT = 1
+ION_HEAP_TYPE_SYSTEM_CONTIG_BIT = 2
+ION_IOC_ALLOC = 3222817024
+ION_IOC_HEAP_QUERY = 3222817032
+MAX_HEAP_NAME = 32
 __NR_ioctl = 16
 __NR_openat = 257
--- a/sys/linux/ion_arm.const
+++ b/sys/linux/ion_arm.const
@ -0,0 +1,18 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+DMA_BUF_IOCTL_SYNC = 1074291200
+DMA_BUF_SYNC_END = 4
+DMA_BUF_SYNC_READ = 1
+DMA_BUF_SYNC_WRITE = 2
+ION_FLAG_CACHED = 1
+ION_HEAP_TYPE_CARVEOUT_BIT = 4
+ION_HEAP_TYPE_CHUNK_BIT = 8
+ION_HEAP_TYPE_CUSTOM_BIT = 32
+ION_HEAP_TYPE_DMA_BIT = 16
+ION_HEAP_TYPE_SYSTEM_BIT = 1
+ION_HEAP_TYPE_SYSTEM_CONTIG_BIT = 2
+ION_IOC_ALLOC = 3222817024
+ION_IOC_HEAP_QUERY = 3222817032
+MAX_HEAP_NAME = 32
+__NR_ioctl = 54
+__NR_openat = 322
--- a/sys/linux/ion_arm64.const
+++ b/sys/linux/ion_arm64.const
@ -1,11 +1,18 @@
 # AUTOGENERATED FILE
 AT_FDCWD = 18446744073709551516
-ION_IOC_ALLOC = 3223341312
-ION_IOC_CUSTOM = 3222292742
-ION_IOC_FREE = 3221506305
-ION_IOC_IMPORT = 3221768453
-ION_IOC_MAP = 3221768450
-ION_IOC_SHARE = 3221768452
-ION_IOC_SYNC = 3221768455
+DMA_BUF_IOCTL_SYNC = 1074291200
+DMA_BUF_SYNC_END = 4
+DMA_BUF_SYNC_READ = 1
+DMA_BUF_SYNC_WRITE = 2
+ION_FLAG_CACHED = 1
+ION_HEAP_TYPE_CARVEOUT_BIT = 4
+ION_HEAP_TYPE_CHUNK_BIT = 8
+ION_HEAP_TYPE_CUSTOM_BIT = 32
+ION_HEAP_TYPE_DMA_BIT = 16
+ION_HEAP_TYPE_SYSTEM_BIT = 1
+ION_HEAP_TYPE_SYSTEM_CONTIG_BIT = 2
+ION_IOC_ALLOC = 3222817024
+ION_IOC_HEAP_QUERY = 3222817032
+MAX_HEAP_NAME = 32
 __NR_ioctl = 29
 __NR_openat = 56
--- a/sys/linux/ion_ppc64le.const
+++ b/sys/linux/ion_ppc64le.const
@ -0,0 +1,18 @@
+# AUTOGENERATED FILE
+AT_FDCWD = 18446744073709551516
+DMA_BUF_IOCTL_SYNC = 2148033024
+DMA_BUF_SYNC_END = 4
+DMA_BUF_SYNC_READ = 1
+DMA_BUF_SYNC_WRITE = 2
+ION_FLAG_CACHED = 1
+ION_HEAP_TYPE_CARVEOUT_BIT = 4
+ION_HEAP_TYPE_CHUNK_BIT = 8
+ION_HEAP_TYPE_CUSTOM_BIT = 32
+ION_HEAP_TYPE_DMA_BIT = 16
+ION_HEAP_TYPE_SYSTEM_BIT = 1
+ION_HEAP_TYPE_SYSTEM_CONTIG_BIT = 2
+ION_IOC_ALLOC = 3222817024
+ION_IOC_HEAP_QUERY = 3222817032
+MAX_HEAP_NAME = 32
+__NR_ioctl = 54
+__NR_openat = 286
--- a/sys/linux/ppc64le.go
+++ b/sys/linux/ppc64le.go
--- a/sys/linux/socket_inet6_arm.const
+++ b/sys/linux/socket_inet6_arm.const
@ -1,4 +1,5 @@
 # AUTOGENERATED FILE
+AF_INET = 2
 AF_INET6 = 10
 IP6T_SO_GET_REVISION_MATCH = 68
 IP6T_SO_GET_REVISION_TARGET = 69
--- a/sys/linux/socket_inet_arm.const
+++ b/sys/linux/socket_inet_arm.const
@ -88,25 +88,6 @@ SIOCSIFDSTADDR = 35096
 SIOCSIFFLAGS = 35092
 SIOCSIFNETMASK = 35100
 SIOCSIFPFLAGS = 35124
-XFRM_MODE_BEET = 4
-XFRM_MODE_IN_TRIGGER = 3
-XFRM_MODE_ROUTEOPTIMIZATION = 2
-XFRM_MODE_TRANSPORT = 0
-XFRM_MODE_TUNNEL = 1
-XFRM_POLICY_ALLOW = 0
-XFRM_POLICY_BLOCK = 1
-XFRM_SHARE_ANY = 0
-XFRM_SHARE_SESSION = 1
-XFRM_SHARE_UNIQUE = 3
-XFRM_SHARE_USER = 2
-XFRM_STATE_AF_UNSPEC = 32
-XFRM_STATE_ALIGN4 = 64
-XFRM_STATE_DECAP_DSCP = 2
-XFRM_STATE_ESN = 128
-XFRM_STATE_ICMP = 16
-XFRM_STATE_NOECN = 1
-XFRM_STATE_NOPMTUDISC = 4
-XFRM_STATE_WILDRECV = 8
 __NR_accept = 285
 __NR_accept4 = 366
 __NR_bind = 282
--- a/sys/linux/socket_key_arm.const
+++ b/sys/linux/socket_key_arm.const
@ -1,6 +1,11 @@
 # AUTOGENERATED FILE
 AF_KEY = 15
 AT_FDCWD = 18446744073709551516
+IPSEC_DIR_ANY = 0
+IPSEC_DIR_FWD = 3
+IPSEC_DIR_INBOUND = 1
+IPSEC_DIR_MAX = 4
+IPSEC_DIR_OUTBOUND = 2
 IPSEC_POLICY_BYPASS = 4
 IPSEC_POLICY_DISCARD = 0
 PF_KEY_V2 = 2
@ -20,6 +25,10 @@ SADB_EXT_SA = 1
 SADB_EXT_SPIRANGE = 16
 SADB_MAX = 24
 SADB_RESERVED = 0
+SADB_SAFLAGS_DECAP_DSCP = 1073741824
+SADB_SAFLAGS_NOECN = 2147483648
+SADB_SAFLAGS_NOPMTUDISC = 536870912
+SADB_SAFLAGS_PFS = 1
 SADB_SATYPE_AH = 2
 SADB_SATYPE_ESP = 3
 SADB_SATYPE_MAX = 9
--- a/sys/linux/socket_netlink_xfrm_arm.const
+++ b/sys/linux/socket_netlink_xfrm_arm.const
@ -0,0 +1,94 @@
+# AUTOGENERATED FILE
+AF_INET = 2
+AF_INET6 = 10
+AF_NETLINK = 16
+IPPROTO_AH = 51
+IPPROTO_COMP = 108
+IPPROTO_DSTOPTS = 60
+IPPROTO_ESP = 50
+IPPROTO_ROUTING = 43
+IPSEC_PROTO_ANY = 255
+NETLINK_XFRM = 6
+SOCK_RAW = 3
+XFRMA_ADDRESS_FILTER = 26
+XFRMA_ALG_AEAD = 18
+XFRMA_ALG_AUTH = 1
+XFRMA_ALG_AUTH_TRUNC = 20
+XFRMA_ALG_COMP = 3
+XFRMA_ALG_CRYPT = 2
+XFRMA_COADDR = 14
+XFRMA_ENCAP = 4
+XFRMA_ETIMER_THRESH = 12
+XFRMA_KMADDRESS = 19
+XFRMA_LASTUSED = 15
+XFRMA_LTIME_VAL = 9
+XFRMA_MARK = 21
+XFRMA_MIGRATE = 17
+XFRMA_OFFLOAD_DEV = 28
+XFRMA_OUTPUT_MARK = 29
+XFRMA_POLICY = 7
+XFRMA_POLICY_TYPE = 16
+XFRMA_PROTO = 25
+XFRMA_REPLAY_ESN_VAL = 23
+XFRMA_REPLAY_THRESH = 11
+XFRMA_REPLAY_VAL = 10
+XFRMA_SA = 6
+XFRMA_SA_EXTRA_FLAGS = 24
+XFRMA_SEC_CTX = 8
+XFRMA_SPD_IPV4_HTHRESH = 3
+XFRMA_SPD_IPV6_HTHRESH = 4
+XFRMA_SRCADDR = 13
+XFRMA_TFCPAD = 22
+XFRMA_TMPL = 5
+XFRM_MODE_BEET = 4
+XFRM_MODE_IN_TRIGGER = 3
+XFRM_MODE_ROUTEOPTIMIZATION = 2
+XFRM_MODE_TRANSPORT = 0
+XFRM_MODE_TUNNEL = 1
+XFRM_MSG_ACQUIRE = 23
+XFRM_MSG_ALLOCSPI = 22
+XFRM_MSG_DELPOLICY = 20
+XFRM_MSG_DELSA = 17
+XFRM_MSG_EXPIRE = 24
+XFRM_MSG_FLUSHPOLICY = 29
+XFRM_MSG_FLUSHSA = 28
+XFRM_MSG_GETAE = 31
+XFRM_MSG_GETPOLICY = 21
+XFRM_MSG_GETSA = 18
+XFRM_MSG_GETSADINFO = 35
+XFRM_MSG_GETSPDINFO = 37
+XFRM_MSG_MIGRATE = 33
+XFRM_MSG_NEWAE = 30
+XFRM_MSG_NEWPOLICY = 19
+XFRM_MSG_NEWSA = 16
+XFRM_MSG_NEWSPDINFO = 36
+XFRM_MSG_POLEXPIRE = 27
+XFRM_MSG_REPORT = 32
+XFRM_MSG_UPDPOLICY = 25
+XFRM_MSG_UPDSA = 26
+XFRM_OFFLOAD_INBOUND = 2
+XFRM_OFFLOAD_IPV6 = 1
+XFRM_POLICY_ALLOW = 0
+XFRM_POLICY_BLOCK = 1
+XFRM_POLICY_FWD = 2
+XFRM_POLICY_ICMP = 2
+XFRM_POLICY_IN = 0
+XFRM_POLICY_LOCALOK = 1
+XFRM_POLICY_OUT = 1
+XFRM_POLICY_TYPE_MAIN = 0
+XFRM_POLICY_TYPE_SUB = 1
+XFRM_SC_ALG_SELINUX = 1
+XFRM_SHARE_ANY = 0
+XFRM_SHARE_SESSION = 1
+XFRM_SHARE_UNIQUE = 3
+XFRM_SHARE_USER = 2
+XFRM_STATE_AF_UNSPEC = 32
+XFRM_STATE_ALIGN4 = 64
+XFRM_STATE_DECAP_DSCP = 2
+XFRM_STATE_ESN = 128
+XFRM_STATE_ICMP = 16
+XFRM_STATE_NOECN = 1
+XFRM_STATE_NOPMTUDISC = 4
+XFRM_STATE_WILDRECV = 8
+__NR_sendmsg = 296
+__NR_socket = 281
--- a/sys/syz-extract/extract.go
+++ b/sys/syz-extract/extract.go
@ -99,7 +99,6 @@ func main() {
 			failf("failed to find sys files: %v", err)
 		}
 		androidFiles := map[string]bool{
-			"ion.txt":        true,
 			"tlk_device.txt": true,
 		}
 		for _, f := range matches {