github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/ipc.txt

# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

include <linux/fcntl.h>
include <linux/stat.h>
include <linux/ipc.h>
include <linux/shm.h>
include <linux/msg.h>
include <linux/sem.h>
include <uapi/linux/shm.h>

resource ipc[int32]: 0, -1

type ipc_key_t proc[2039359027, 4, int32]

# TODO: describe ipc syscall

resource ipc_msq[ipc]
msgget(key ipc_key_t, flags flags[msgget_flags]) ipc_msq
msgget$private(key const[IPC_PRIVATE], flags flags[msgget_flags]) ipc_msq
msgsnd(msqid ipc_msq, msgp ptr[in, msgbuf], sz len[msgp], flags flags[msgsnd_flags])
msgrcv(msqid ipc_msq, msgp ptr[out, msgbuf], sz len[msgp], typ flags[msgbuf_type], flags flags[msgrcv_flags])
msgctl$IPC_STAT(msqid ipc_msq, cmd const[IPC_STAT], buf buffer[out])
msgctl$IPC_SET(msqid ipc_msq, cmd const[IPC_SET], buf ptr[in, msqid_ds])
msgctl$IPC_RMID(msqid ipc_msq, cmd const[IPC_RMID])
msgctl$IPC_INFO(msqid ipc_msq, cmd const[IPC_INFO], buf buffer[out])
msgctl$MSG_INFO(msqid ipc_msq, cmd const[MSG_INFO], buf buffer[out])
msgctl$MSG_STAT(msqid ipc_msq, cmd const[MSG_STAT], buf buffer[out])
msgctl$MSG_STAT_ANY(msqid ipc_msq, cmd const[MSG_STAT_ANY], buf buffer[out])

resource ipc_sem[ipc]
semget(key ipc_key_t, nsems flags[sem_sem_id], flags flags[semget_flags]) ipc_sem
semget$private(key const[IPC_PRIVATE], nsems flags[sem_sem_id], flags flags[semget_flags]) ipc_sem
semop(semid ipc_sem, ops ptr[in, array[sembuf]], nops len[ops])
semtimedop(semid ipc_sem, ops ptr[in, array[sembuf]], nops len[ops], timeout ptr[in, timespec])

# semctl$GETVAL produces random errno values, so we use ignore_return attribute.
# Since we don't have strict const enforcement, we need to apply it to all variants.
# When/if we have stricter enforcement of arguments for syscall variants, we may remove some of the attributes.

semctl$IPC_STAT(semid ipc_sem, semnum const[0], cmd const[IPC_STAT], arg buffer[out]) (ignore_return)
semctl$IPC_SET(semid ipc_sem, semnum const[0], cmd const[IPC_SET], arg ptr[in, semid_ds]) (ignore_return)
semctl$IPC_RMID(semid ipc_sem, semnum const[0], cmd const[IPC_RMID]) (ignore_return)
semctl$IPC_INFO(semid ipc_sem, semnum flags[sem_sem_id], cmd const[IPC_INFO], buf buffer[out]) (ignore_return)
semctl$SEM_INFO(semid ipc_sem, semnum flags[sem_sem_id], cmd const[SEM_INFO], arg buffer[out]) (ignore_return)
semctl$SEM_STAT(semid ipc_sem, semnum flags[sem_sem_id], cmd const[SEM_STAT], arg buffer[out]) (ignore_return)
semctl$SEM_STAT_ANY(semid ipc_sem, semnum flags[sem_sem_id], cmd const[SEM_STAT_ANY], arg buffer[out]) (ignore_return)
semctl$GETALL(semid ipc_sem, semnum const[0], cmd const[GETALL], arg buffer[out]) (ignore_return)
semctl$GETNCNT(semid ipc_sem, semnum flags[sem_sem_id], cmd const[GETNCNT], arg buffer[out]) (ignore_return)
semctl$GETPID(semid ipc_sem, semnum flags[sem_sem_id], cmd const[GETPID], arg buffer[out]) (ignore_return)
semctl$GETVAL(semid ipc_sem, semnum flags[sem_sem_id], cmd const[GETVAL], arg buffer[out]) (ignore_return)
semctl$GETZCNT(semid ipc_sem, semnum flags[sem_sem_id], cmd const[GETZCNT], arg buffer[out]) (ignore_return)
semctl$SETALL(semid ipc_sem, semnum const[0], cmd const[SETALL], arg ptr[in, array[int16]]) (ignore_return)
semctl$SETVAL(semid ipc_sem, semnum flags[sem_sem_id], cmd const[SETVAL], arg ptr[in, int32]) (ignore_return)

resource ipc_shm[ipc]
resource shmaddr[intptr]: 0
# The unused arg is unused by syscall (does not exist at all),
# but it helps to generate sane size values.
shmget(key proc[2039339027, 4], size len[unused], flags flags[shmget_flags], unused vma) ipc_shm
shmget$private(key const[IPC_PRIVATE], size len[unused], flags flags[shmget_flags], unused vma) ipc_shm
shmat(shmid ipc_shm, addr vma, flags flags[shmat_flags]) shmaddr
shmctl$IPC_STAT(shmid ipc_shm, cmd const[IPC_STAT], buf buffer[out])
shmctl$IPC_SET(shmid ipc_shm, cmd const[IPC_SET], buf ptr[in, shmid_ds])
shmctl$IPC_RMID(shmid ipc_shm, cmd const[IPC_RMID])
shmctl$IPC_INFO(shmid ipc_shm, cmd const[IPC_INFO], buf buffer[out])
shmctl$SHM_INFO(shmid ipc_shm, cmd const[SHM_INFO], buf buffer[out])
shmctl$SHM_STAT(shmid ipc_shm, cmd const[SHM_STAT], buf buffer[out])
shmctl$SHM_STAT_ANY(shmid ipc_shm, cmd const[SHM_STAT_ANY], buf buffer[out])
shmctl$SHM_LOCK(shmid ipc_shm, cmd const[SHM_LOCK])
shmctl$SHM_UNLOCK(shmid ipc_shm, cmd const[SHM_UNLOCK])
shmdt(addr shmaddr)

msgget_flags = IPC_CREAT, IPC_EXCL, open_mode
msgbuf_type = 0, 1, 2, 3
msgsnd_flags = IPC_NOWAIT
msgrcv_flags = IPC_NOWAIT, MSG_EXCEPT, MSG_NOERROR
semget_flags = IPC_CREAT, IPC_EXCL, open_mode
semop_flags = IPC_NOWAIT, SEM_UNDO
sem_sem_id = 0, 1, 2, 3, 4
shmget_flags = IPC_CREAT, IPC_EXCL, SHM_HUGETLB, SHM_HUGE_2MB, SHM_HUGE_1GB, SHM_NORESERVE, open_mode
shmat_flags = SHM_RND, SHM_RDONLY, SHM_REMAP

ipc_perm {
# NEED: all these uid, gid, pid, mode seem to be 2 bytes on 386 (what about arm?)
	key	ipc_key_t
	uid	uid
	gid	gid
	cuid	uid
	cgid	gid
	mode	flags[open_mode, int32]
	seq	int16
}

msqid_ds {
	msg_perm	ipc_perm
	msg_first	const[0, intptr]
	msg_last	const[0, intptr]
	msg_stime	intptr
	msg_rtime	intptr
	msg_ctime	intptr
	msg_lcbytes	intptr
	msg_lqbytes	intptr
	msg_cbytes	int16
	msg_qnum	int16
	msg_qbytes	int16
	msg_lspid	pid
	msg_lrpid	pid
}

shmid_ds {
	shm_perm	ipc_perm
	shm_segsz	int32
	shm_atime	intptr
	shm_dtime	intptr
	shm_ctime	intptr
	shm_cpid	pid
	shm_lpid	pid
	shm_nattch	int16
	shm_unused	const[0, int16]
	shm_unused2	const[0, intptr]
	shm_unused3	const[0, intptr]
}

semid_ds {
	sem_perm		ipc_perm
	sem_otime		intptr
	sem_ctime		intptr
	sem_base		const[0, intptr]
	sem_pending		const[0, intptr]
	sem_pending_last	const[0, intptr]
	undo			const[0, intptr]
	sem_nsems		int16
}

sembuf {
	num	flags[sem_sem_id, int16]
	op	int16
	flg	flags[semop_flags, int16]
}

msgbuf {
	typ	flags[msgbuf_type, intptr]
	data	array[int8]
} [packed]