# Copyright 2022 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# syzkaller description of the /dev/virtual_nci character device.
# It declares how to open the device, the one ioctl it is given here, and the
# layout of the NCI frames passed to write(). Every frame variant below is a
# data, response (RSP) or notification (NTF) packet.
# NOTE(review): RSP/NTF are the message types a controller sends to the host,
# so write() presumably injects frames into the kernel NCI receive path -
# confirm against the virtual NCI driver.

include <uapi/asm/ioctl.h>
include <uapi/linux/fcntl.h>
include <net/nfc/nci.h>

# File descriptor returned by openat$nci; required by every other call in this file.
resource fd_nci[fd]

# Device index written back by ioctl$IOCTL_GET_NCIDEV_IDX. Declaring it as a
# resource lets the fuzzer pass the value on to any call that takes an nfc_dev_id.
# NOTE(review): the consumers are not in this file - presumably the NFC netlink
# descriptions; confirm.
resource nfc_dev_id[int32]

# The device is always opened read-write with a fixed path, so only the frame
# contents and call ordering are fuzzed, not the open parameters.
openat$nci(fd const[AT_FDCWD], file ptr[in, string["/dev/virtual_nci"]], flags const[O_RDWR], mode const[0]) fd_nci

# arg is an output pointer: the kernel fills in the device index.
ioctl$IOCTL_GET_NCIDEV_IDX(fd fd_nci, cmd const[IOCTL_GET_NCIDEV_IDX], arg ptr[out, nfc_dev_id])
# read() takes an output buffer of arbitrary size; len is the buffer size in bytes.
read$nci(fd fd_nci, data ptr[out, array[int8]], len bytesize[data])
# write() takes exactly one nci_frame; len is the real encoded size of that frame,
# independent of the plen byte carried inside the frame header.
write$nci(fd fd_nci, data ptr[in, nci_frame], len bytesize[data])

# Defined here rather than taken from a header.
# NOTE(review): must match the value used by the driver - confirm.
define IOCTL_GET_NCIDEV_IDX	0
# The *_OID constants are computed from the combined NCI_OP_* opcode constants
# with nci_opcode_oid(), because nci_ctrl_hdr stores GID and OID in separate fields.
# NOTE(review): nci_opcode_oid() is presumably supplied by the nci.h include above.
# Response (RSP) opcodes.
define NCI_OP_CORE_RESET_RSP_OID	nci_opcode_oid(NCI_OP_CORE_RESET_RSP)
define NCI_OP_CORE_INIT_RSP_OID	nci_opcode_oid(NCI_OP_CORE_INIT_RSP)
define NCI_OP_CORE_SET_CONFIG_RSP_OID	nci_opcode_oid(NCI_OP_CORE_SET_CONFIG_RSP)
define NCI_OP_CORE_CONN_CREATE_RSP_OID	nci_opcode_oid(NCI_OP_CORE_CONN_CREATE_RSP)
define NCI_OP_CORE_CONN_CLOSE_RSP_OID	nci_opcode_oid(NCI_OP_CORE_CONN_CLOSE_RSP)
define NCI_OP_RF_DISCOVER_MAP_RSP_OID	nci_opcode_oid(NCI_OP_RF_DISCOVER_MAP_RSP)
define NCI_OP_RF_DISCOVER_RSP_OID	nci_opcode_oid(NCI_OP_RF_DISCOVER_RSP)
define NCI_OP_RF_DISCOVER_SELECT_RSP_OID	nci_opcode_oid(NCI_OP_RF_DISCOVER_SELECT_RSP)
define NCI_OP_RF_DEACTIVATE_RSP_OID	nci_opcode_oid(NCI_OP_RF_DEACTIVATE_RSP)
define NCI_OP_NFCEE_DISCOVER_RSP_OID	nci_opcode_oid(NCI_OP_NFCEE_DISCOVER_RSP)
define NCI_OP_NFCEE_MODE_SET_RSP_OID	nci_opcode_oid(NCI_OP_NFCEE_MODE_SET_RSP)

# Notification (NTF) opcodes.
define NCI_OP_CORE_RESET_NTF_OID	nci_opcode_oid(NCI_OP_CORE_RESET_NTF)
define NCI_OP_CORE_CONN_CREDITS_NTF_OID	nci_opcode_oid(NCI_OP_CORE_CONN_CREDITS_NTF)
define NCI_OP_CORE_GENERIC_ERROR_NTF_OID	nci_opcode_oid(NCI_OP_CORE_GENERIC_ERROR_NTF)
define NCI_OP_CORE_INTF_ERROR_NTF_OID	nci_opcode_oid(NCI_OP_CORE_INTF_ERROR_NTF)
define NCI_OP_RF_DISCOVER_NTF_OID	nci_opcode_oid(NCI_OP_RF_DISCOVER_NTF)
define NCI_OP_RF_INTF_ACTIVATED_NTF_OID	nci_opcode_oid(NCI_OP_RF_INTF_ACTIVATED_NTF)
define NCI_OP_RF_DEACTIVATE_NTF_OID	nci_opcode_oid(NCI_OP_RF_DEACTIVATE_NTF)
define NCI_OP_NFCEE_DISCOVER_NTF_OID	nci_opcode_oid(NCI_OP_NFCEE_DISCOVER_NTF)
define NCI_OP_RF_NFCEE_ACTION_NTF_OID	nci_opcode_oid(NCI_OP_RF_NFCEE_ACTION_NTF)

# The exact error code does not matter much (only ok/not ok).
# The status byte is therefore limited to the two values 0 and 1.
type nci_status int8[0:1]

# One frame as passed to write$nci: either a data packet or a control packet
# (response or notification). Each control option fixes message type, GID and
# OID in the header and selects the matching payload layout. [varlen] makes the
# encoded size follow the chosen option instead of padding to the largest one.
nci_frame [
	DATA	nci_data_hdr

# Proprietary-group response: OID 0 with an arbitrary byte payload.
	NCI_GID_PROPRIETARY_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_PROPRIETARY, 0, array[int8]]

# Core responses. INIT_RSP has two options with the same OID, one per payload layout.
	NCI_OP_CORE_RESET_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_RESET_RSP_OID, nci_core_reset_rsp]
	NCI_OP_CORE_INIT_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_INIT_RSP_OID, nci_core_init_rsp]
	NCI_OP_CORE_INIT_RSP_V2	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_INIT_RSP_OID, nci_core_init_rsp_nci_ver2]
	NCI_OP_CORE_SET_CONFIG_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_SET_CONFIG_RSP_OID, nci_core_set_config_rsp]
	NCI_OP_CORE_CONN_CREATE_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CREATE_RSP_OID, nci_core_conn_create_rsp]
	NCI_OP_CORE_CONN_CLOSE_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CLOSE_RSP_OID, nci_status]

# RF management responses; the payload is only a status byte.
	NCI_OP_RF_DISCOVER_MAP_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_MAP_RSP_OID, nci_status]
	NCI_OP_RF_DISCOVER_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_RSP_OID, nci_status]
	NCI_OP_RF_DISCOVER_SELECT_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_SELECT_RSP_OID, nci_status]
	NCI_OP_RF_DEACTIVATE_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DEACTIVATE_RSP_OID, nci_status]

# NFCEE management responses.
	NCI_OP_NFCEE_DISCOVER_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_DISCOVER_RSP_OID, nci_nfcee_discover_rsp]
	NCI_OP_NFCEE_MODE_SET_RSP	nci_ctrl_hdr[NCI_MT_RSP_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_MODE_SET_RSP_OID, nci_status]

# Proprietary-group notification: OID 0 with an arbitrary byte payload.
# NOTE(review): "NFT" in the option name looks like a transposition of NTF (the
# option uses NCI_MT_NTF_PKT). The name is an identifier and is left unchanged.
	NCI_GID_PROPRIETARY_NFT	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_PROPRIETARY, 0, array[int8]]

# Core notifications.
	NCI_OP_CORE_RESET_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_RESET_NTF_OID, nci_core_reset_ntf]
	NCI_OP_CORE_CONN_CREDITS_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_CONN_CREDITS_NTF_OID, nci_core_conn_credit_ntf]
	NCI_OP_CORE_GENERIC_ERROR_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_GENERIC_ERROR_NTF_OID, nci_status]
	NCI_OP_CORE_INTF_ERROR_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_CORE, NCI_OP_CORE_INTF_ERROR_NTF_OID, nci_core_intf_error_ntf]

# RF management notifications. NFCEE_ACTION_NTF is described with an empty (void) payload.
	NCI_OP_RF_DISCOVER_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DISCOVER_NTF_OID, nci_rf_discover_ntf_t]
	NCI_OP_RF_INTF_ACTIVATED_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_INTF_ACTIVATED_NTF_OID, nci_rf_intf_activated_ntf_t]
	NCI_OP_RF_DEACTIVATE_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_DEACTIVATE_NTF_OID, nci_rf_deactivate_ntf]
	NCI_OP_RF_NFCEE_ACTION_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_RF_MGMT, NCI_OP_RF_NFCEE_ACTION_NTF_OID, void]

# NFCEE management notifications.
	NCI_OP_NFCEE_DISCOVER_NTF	nci_ctrl_hdr[NCI_MT_NTF_PKT, NCI_GID_NFCEE_MGMT, NCI_OP_NFCEE_DISCOVER_NTF_OID, nci_nfcee_discover_ntf]
] [varlen]

# Data packet: a 3-byte header followed by arbitrary payload bytes.
# The first byte is split into three bitfields (4 + 1 + 3 bits).
nci_data_hdr {
# Connection id, limited to 0..4.
	conn_id	int8:4[0:4]
# NCI_PBF_LAST/NCI_PBF_CONT
	pbf	int8:1
# This does not seem to be used.
# NOTE(review): the field is fixed to NCI_MT_DATA_PKT; whether the receive path
# dispatches on the message type is not visible from this file - confirm.
	mt	const[NCI_MT_DATA_PKT, int8:3]
# This does not seem to be used.
	rfu	const[0, int8]
# It does not seem to be actually used/verified by the code (only logged), so let's keep random.
# Because plen is a free int8 and not bytesize[data], generated frames routinely
# declare a payload length that disagrees with the bytes actually written.
	plen	int8
	data	array[int8]
} [packed]

# Control packet template. MT, GID and OID become constant header fields and
# PAYLOAD is the message-specific body, so each nci_frame option is well-formed
# at the header level while its payload is fuzzed.
type nci_ctrl_hdr[MT, GID, OID, PAYLOAD] {
	gid	const[GID, int8:4]
# NCI_PBF_LAST/NCI_PBF_CONT
	pbf	int8:1
	mt	const[MT, int8:3]
	oid	const[OID, int8]
# It does not seem to be actually used/verified by the code (only logged), so let's keep random.
# As in nci_data_hdr, plen is not derived from the size of payload.
	plen	int8
	payload	PAYLOAD
} [packed]

nci_core_reset_rsp {
	status	nci_status
# One of the values listed in nci_ver below.
	nci_ver	flags[nci_ver, int8]
	config_status	int8
} [packed]

# Version values offered for the nci_ver fields.
nci_ver = 0, 1, NCI_VER_2_MASK

# CORE_INIT response: a first part that ends in a variable-length array,
# followed by a fixed-size second part.
nci_core_init_rsp {
	rsp1	nci_core_init_rsp_1
	rsp2	nci_core_init_rsp_2
} [packed]

nci_core_init_rsp_1 {
	status	nci_status
	nfcc_features	int32
# Element count of supported_rf_interfaces, kept consistent by the generator.
	num_supported_rf_interfaces	len[supported_rf_interfaces, int8]
	supported_rf_interfaces	array[int8]
} [packed]

nci_core_init_rsp_2 {
	max_logical_connections	int8
	max_routing_table_size	int16
	max_ctrl_pkt_payload_len	int8
	max_size_for_large_params	int16
	manufact_id	int8
	manufact_specific_info	int32
} [packed]

# Alternative CORE_INIT response layout used by the NCI_OP_CORE_INIT_RSP_V2 option.
nci_core_init_rsp_nci_ver2 {
	status	nci_status
	nfcc_features	int32
	max_logical_connections	int8
	max_routing_table_size	int16
	max_ctrl_pkt_payload_len	int8
	max_data_pkt_hci_payload_len	int8
	number_of_hci_credit	int8
	max_nfc_v_frame_size	int16
# Element count of supported_rf_interfaces, kept consistent by the generator.
	num_supported_rf_interfaces	len[supported_rf_interfaces, int8]
	supported_rf_interfaces	array[int8]
} [packed]

nci_core_set_config_rsp {
	status	nci_status
# Element count of params_id.
	num_params	len[params_id, int8]
	params_id	array[int8]
} [packed]

nci_core_conn_create_rsp {
	status	nci_status
	max_ctrl_pkt_payload_len	int8
	credits_cnt	int8
# Limited to 0..4, the same range as conn_id in nci_data_hdr.
	conn_id	int8[0:4]
} [packed]

nci_nfcee_discover_rsp {
	status	nci_status
	num_nfcee	int8
} [packed]

nci_core_reset_ntf {
	reset_trigger	int8
	config_status	int8
	nci_ver	flags[nci_ver, int8]
	manufact_id	int8
# Free int8: not tied to the size of manufact_specific_info, which is a fixed int32 here.
	manufacturer_specific_len	int8
	manufact_specific_info	int32
} [packed]

# Credit notification: a counted list of (conn_id, credits) pairs.
nci_core_conn_credit_ntf {
	num_entries	len[conn_entries, int8]
	conn_entries	array[conn_credit_entry]
} [packed]

conn_credit_entry {
	conn_id	int8[0:4]
	credits	int8
} [packed]

nci_core_intf_error_ntf {
	status	nci_status
	conn_id	int8[0:4]
} [packed]

# RF_DISCOVER notification, one option per passive poll technology (A, B, F, V).
# Each option fixes rf_tech_and_mode and pairs it with the matching parameter block.
nci_rf_discover_ntf_t [
	a	nci_rf_discover_ntf[NCI_NFC_A_PASSIVE_POLL_MODE, rf_tech_specific_params_nfca_poll]
	b	nci_rf_discover_ntf[NCI_NFC_B_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcb_poll]
	f	nci_rf_discover_ntf[NCI_NFC_F_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcf_poll]
	v	nci_rf_discover_ntf[NCI_NFC_V_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcv_poll]
] [varlen]

type nci_rf_discover_ntf[MODE, POLL] {
	rf_discovery_id	int8
	rf_protocol	flags[nci_rf_protocol, int8]
	rf_tech_and_mode	const[MODE, int8]
# Free int8, not bytesize[poll]: the declared parameter length can disagree
# with the size of the poll block that follows.
# NOTE(review): presumably deliberate so that length validation is exercised - confirm.
	rf_tech_specific_params_len	int8
	poll	POLL
	ntf_type	flags[nci_discover_ntf_type, int8]
} [packed]

nci_rf_protocol = NCI_RF_PROTOCOL_UNKNOWN, NCI_RF_PROTOCOL_T1T, NCI_RF_PROTOCOL_T2T, NCI_RF_PROTOCOL_T3T, NCI_RF_PROTOCOL_ISO_DEP, NCI_RF_PROTOCOL_NFC_DEP, NCI_RF_PROTOCOL_T5T

rf_tech_specific_params_nfca_poll {
	sens_res	int8
# Element count of nfcid1; the array itself has no upper bound in this description.
	nfcid1_len	len[nfcid1, int8]
	nfcid1	array[int8]
# Free int8: sel_res is a single byte regardless of the value declared here.
	sel_res_len	int8
	sel_res	int8
} [packed]

rf_tech_specific_params_nfcb_poll {
# Element count of sensb_res; the array has no upper bound in this description.
	sensb_res_len	len[sensb_res, int8]
	sensb_res	array[int8]
} [packed]

# Listen-mode parameters; only used by the f_listen option of nci_rf_intf_activated_ntf_t.
rf_tech_specific_params_nfcf_listen {
	local_nfcid2_len	len[local_nfcid2, int8]
	local_nfcid2	array[int8]
} [packed]

rf_tech_specific_params_nfcf_poll {
	bit_rate	int8
# Element count of sensf_res; the array has no upper bound in this description.
	sensf_res_len	len[sensf_res, int8]
	sensf_res	array[int8]
} [packed]

rf_tech_specific_params_nfcv_poll {
	res_flags	int8
	dsfid	int8
# Fixed-size array of NFC_ISO15693_UID_MAXSIZE bytes, unlike the counted arrays above.
	uid	array[int8, NFC_ISO15693_UID_MAXSIZE]
} [packed]

# RF_INTF_ACTIVATED notification: the four passive poll technologies plus two
# passive listen modes. a_listen carries no technology-specific parameters (void).
nci_rf_intf_activated_ntf_t [
	a	nci_rf_intf_activated_ntf[NCI_NFC_A_PASSIVE_POLL_MODE, rf_tech_specific_params_nfca_poll]
	b	nci_rf_intf_activated_ntf[NCI_NFC_B_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcb_poll]
	f	nci_rf_intf_activated_ntf[NCI_NFC_F_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcf_poll]
	v	nci_rf_intf_activated_ntf[NCI_NFC_V_PASSIVE_POLL_MODE, rf_tech_specific_params_nfcv_poll]
	a_listen	nci_rf_intf_activated_ntf[NCI_NFC_A_PASSIVE_LISTEN_MODE, void]
	f_listen	nci_rf_intf_activated_ntf[NCI_NFC_F_PASSIVE_LISTEN_MODE, rf_tech_specific_params_nfcf_listen]
] [varlen]

type nci_rf_intf_activated_ntf[MODE, POLL] {
	rf_discovery_id	int8
	rf_interface	flags[nci_rf_interface, int8]
	rf_protocol	flags[nci_rf_protocol, int8]
	activation_rf_tech_and_mode	const[MODE, int8]
	max_data_pkt_payload_size	int8
	initial_num_credits	int8
# Free int8, not bytesize[poll]: may disagree with the size of the poll block.
	rf_tech_specific_params_len	int8
	poll	POLL
	data_exch_rf_tech_and_mode	int8
	data_exch_tx_bit_rate	int8
	data_exch_rx_bit_rate	int8
# Free int8: not tied to the size of the res_len/res pair that follows.
	activation_params_len	int8
# This is how all of activation_params_nfca_poll_iso_dep, activation_params_nfcb_poll_iso_dep,
# activation_params_poll_nfc_dep and activation_params_listen_nfc_dep look like.
# That is, a one-byte count followed by that many bytes; res_len is kept
# consistent with res by the generator.
	res_len	len[res, int8]
	res	array[int8]
} [packed]

nci_rf_interface = NCI_RF_INTERFACE_NFCEE_DIRECT, NCI_RF_INTERFACE_FRAME, NCI_RF_INTERFACE_ISO_DEP, NCI_RF_INTERFACE_NFC_DEP

nci_rf_deactivate_ntf {
	type	int8
	reason	int8
} [packed]

nci_nfcee_discover_ntf {
	nfcee_id	int8
	nfcee_status	int8
# Arbitrary trailing bytes after the two fixed fields.
	unused	array[int8]
} [packed]

# Values offered for ntf_type in nci_rf_discover_ntf.
nci_discover_ntf_type = NCI_DISCOVER_NTF_TYPE_LAST, NCI_DISCOVER_NTF_TYPE_LAST_NFCC, NCI_DISCOVER_NTF_TYPE_MORE