# File: sys/linux/test/vusb_lan78xx (github.com/google/syzkaller@v0.0.0-20251211124644-a066d2bc4b02)

# This seed helps syzkaller to reliably pass the probe() checks for lan78xx driver.
# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
# be in a weird order or even duplicate.
#
# NOTE(review): the program plays the USB device side, so every descriptor and reply below is
# device-supplied input that the kernel driver has to treat as untrusted. The calls look
# strictly order-dependent (each syz_usb_control_io presumably services one control request),
# so keep the sequence intact when editing.

# TODO: currently, probe does not succeed completely. Most likely, it stems from the fact that
# the abundance of expected CTRL requests *during* probe is not something syzkaller can handle at the moment.
# Timing is essential among other things. This should be mitigated by a separate syz_usb_connect pseudo-call
# that deals with such requests without syz_usb_control_io.

# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
#
# Reading the tuple as standard USB descriptors (field order assumed; confirm against the
# syz_usb_connect$lan78xx description):
#   device:    bLength 0x12, type 0x1, bcdUSB 0x200, class/subclass/protocol 0xff/0xff/0xff,
#              bMaxPacketSize0 0x40, idVendor 0x424, idProduct 0x7850, one configuration.
#   config:    bLength 0x9, type 0x2, wTotalLength 0x2d, one interface.
#   interface: number 0x0, alt setting 0x0, three endpoints, class 0xff.
#   endpoints: 0x81 (attributes 0x2, max packet 0x200), 0x2 (attributes 0x2, max packet 0x200),
#              0x83 (attributes 0x3, max packet 0x40, interval 0x1); by the standard encoding
#              that is bulk IN, bulk OUT and interrupt IN.
# 0x3f matches 0x12 + 0x2d, i.e. the device plus configuration descriptor bytes. 0x5 is presumably
# the device speed selector, and the trailing 0x0 leaves the optional connection descriptors unset.
# TODO confirm both.

r0 = syz_usb_connect$lan78xx(0x5, 0x3f, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x424, 0x7850, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, {{0x9, 0x4, 0x0, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x81, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x2, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x83, 0x3, 0x40, 0x1, 0x0, 0x0, ""}}}}}}]}}, 0x0)

# This is where the fun begins.
# Functions like lan78xx_bind() and lan78xx_phy_init() in lan78xx_probe() utilize ~50 CTRL requests, both directions, during probe.
#
# Shape of the calls below: every non-null third argument is a table whose first field is 0x34 and
# whose only populated slot points to a 4-field tuple; the remaining five slots are 0x0. The meaning
# of the tuple fields comes from the syz_usb_control_io$lan78xx description, which is not shown here.
# A call written as (r0, 0x0, 0x0) supplies neither a descriptor table nor a response table, so what
# the emulated device answers is decided by the pseudo-call implementation. TODO confirm.

# Write to INT_EP_CTL register in lan78xx_setup_irq_domain().

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000003c0)={0x34, &(0x7f0000000140)={0x20, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})

# Write to HW_CFG register in lan78xx_reset().

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000780)={0x34, &(0x7f0000000600)={0x40, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})

# Read from HW_CFG register.

syz_usb_control_io$lan78xx(r0, 0x0, 0x0)

# Write to HW_CFG register.

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000f00)={0x34, &(0x7f0000000cc0)={0x40, 0x10, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})

# Write to RX_ADDRL and RX_ADDRH registers in lan78xx_init_mac_address().
# The second call is the only one in this part of the seed whose tuple carries payload: length 0x1, data ')'.

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001240)={0x34, &(0x7f0000001080)={0x0, 0x6, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001700)={0x34, &(0x7f0000001500)={0x20, 0x18, 0x1, ')'}, 0x0, 0x0, 0x0, 0x0, 0x0})

# Read from MAF_LO(0) and MAF_HI(0) registers.

syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)

# Write to ID_REV register, back in lan78xx_reset().
# NOTE(review): ID_REV looks like an identification register that the driver would read rather than
# write; confirm the direction against lan78xx_reset(). The populated slot here is an empty untyped
# blob (ANY=[]) instead of a typed tuple.

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002180)={0x34, &(0x7f0000000400)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0})

# Write and read to/from USB_CFG0 register.

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000006c0)={0x34, &(0x7f0000000500)={0x0, 0x7, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)

# Write to USB_CFG1 register in lan78xx_init_ltm().

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002540)={0x34, &(0x7f0000002340)={0x0, 0xf, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})

# Read from 6 registers (LTM_BELT_IDLE0 etc.) in a row.
# One call per register: six calls, none supplying a response table.

syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)

# Read from BURST_CAP and BULK_IN_DLY registers in lan78xx_reset().

syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
syz_usb_control_io$lan78xx(r0, 0x0, 0x0)

# Write to HW_CFG register.

syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000380)={0x34, &(0x7f0000000840)={0x0, 0x0, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})