sys/linux/dev_floppy.txt

# Copyright 2018 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Proper fuzzing of floppy device requires:
# 1) CONFIG_BLK_DEV_FD in your kernel configuration
# 2) "cmdline": " -fda FLOPPY.img " in syzkaller configuration

include <uapi/linux/fd.h>
include <uapi/linux/fcntl.h>

resource fd_floppy[fd]

# O_ACCMODE is used for ioctl-only opens, see FMODE_WRITE_IOCTL
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/fs.h?h=v5.14#n129
# Examples:
# - https://sources.debian.org/src/fdutils/5.6-2/src/floppycontrol.c/?hl=289#L289
# - https://sources.debian.org/src/fdutils/5.6-2/src/diskd.c/?hl=90#L90
fd_open_flags = O_WRONLY, O_RDWR, O_ACCMODE, O_APPEND, FASYNC, O_CLOEXEC, O_DIRECT, O_NOATIME, O_NONBLOCK, O_SYNC, O_TRUNC

syz_open_dev$floppy(dev ptr[in, string["/dev/fd#"]], id intptr, flags flags[fd_open_flags]) fd_floppy

ioctl$FLOPPY_FDEJECT(fd fd_floppy, cmd const[FDEJECT])
ioctl$FLOPPY_FDCLRPRM(fd fd_floppy, cmd const[FDCLRPRM])
ioctl$FLOPPY_FDSETPRM(fd fd_floppy, cmd const[FDSETPRM], arg ptr[in, floppy_struct])
ioctl$FLOPPY_FDDEFPRM(fd fd_floppy, cmd const[FDDEFPRM], arg ptr[in, floppy_struct])
ioctl$FLOPPY_FDGETPRM(fd fd_floppy, cmd const[FDGETPRM], arg ptr[out, floppy_struct])
ioctl$FLOPPY_FDMSGON(fd fd_floppy, cmd const[FDMSGON])
ioctl$FLOPPY_FDMSGOFF(fd fd_floppy, cmd const[FDMSGOFF])
ioctl$FLOPPY_FDFMTBEG(fd fd_floppy, cmd const[FDFMTBEG])
ioctl$FLOPPY_FDFMTTRK(fd fd_floppy, cmd const[FDFMTTRK], arg ptr[in, format_descr])
ioctl$FLOPPY_FDFMTEND(fd fd_floppy, cmd const[FDFMTEND])
ioctl$FLOPPY_FDFLUSH(fd fd_floppy, cmd const[FDFLUSH])
ioctl$FLOPPY_FDSETEMSGTRESH(fd fd_floppy, cmd const[FDSETEMSGTRESH], arg intptr[0:0xf])
ioctl$FLOPPY_FDGETMAXERRS(fd fd_floppy, cmd const[FDGETMAXERRS], arg ptr[out, floppy_max_errors])
ioctl$FLOPPY_FDSETMAXERRS(fd fd_floppy, cmd const[FDSETMAXERRS], arg ptr[in, floppy_max_errors])
ioctl$FLOPPY_FDGETDRVTYP(fd fd_floppy, cmd const[FDGETDRVTYP], arg ptr[out, floppy_drive_name])
ioctl$FLOPPY_FDSETDRVPRM(fd fd_floppy, cmd const[FDSETDRVPRM], arg ptr[in, floppy_drive_params])
ioctl$FLOPPY_FDGETDRVPRM(fd fd_floppy, cmd const[FDGETDRVPRM], arg ptr[out, floppy_drive_params])
ioctl$FLOPPY_FDPOLLDRVSTAT(fd fd_floppy, cmd const[FDPOLLDRVSTAT], arg ptr[out, floppy_drive_struct])
ioctl$FLOPPY_FDGETDRVSTAT(fd fd_floppy, cmd const[FDGETDRVSTAT], arg ptr[out, floppy_drive_struct])
ioctl$FLOPPY_FDRESET(fd fd_floppy, cmd const[FDRESET], arg flags[floppy_reset_mode])
ioctl$FLOPPY_FDGETFDCSTAT(fd fd_floppy, cmd const[FDGETFDCSTAT], arg ptr[out, floppy_fdc_state])
ioctl$FLOPPY_FDWERRORCLR(fd fd_floppy, cmd const[FDWERRORCLR])
ioctl$FLOPPY_FDWERRORGET(fd fd_floppy, cmd const[FDWERRORGET], arg ptr[out, floppy_write_errors])
ioctl$FLOPPY_FDRAWCMD(fd fd_floppy, cmd const[FDRAWCMD], arg ptr[inout, floppy_raw_cmd])
ioctl$FLOPPY_FDTWADDLE(fd fd_floppy, cmd const[FDTWADDLE])

floppy_struct {
	size	int32
	sect	int32
	head	int32
	track	int32
	stretch	int32

	gap	int8
	rate	int8
	spec1	int8
	fmt_gap	int8

	name	ptr[inout, string]
}

format_descr {
	device	int32
	head	int32
	track	int32
}

floppy_max_errors {
	abort		int32
	read_track	int32
	reset		int32
	recal		int32
	reporting	int32
}

type floppy_drive_name array[int8, 16]

floppy_drive_params {
	cmos		int8
	max_dtr		intptr
	hlt		intptr
	hut		intptr
	srt		intptr
	spinup		intptr
	spindown	intptr
	spindown_offset	int8
	select_delay	int8
	rps		int8
	tracks		int8
	timeout		intptr
	intreleave_sect	int8
	max_errors	floppy_max_errors
	flags		flags[floppy_drive_params_flags, int8]
	read_track	int8
	autodetect	array[int16, 8]
	checkfreq	int32
	native_format	int32
}

floppy_drive_struct {
	flags		flags[floppy_drive_struct_flags, intptr]
	spinup_date	intptr
	select_date	intptr
	first_read_date	intptr

	probed_format	int16
	track		int16
	maxblock	int16
	maxtrack	int16

	generation	int32
	keep_data	int32
	fd_ref		int32
	fd_device	int32

	last_checked	intptr

	dmabuf		ptr[out, int8]
	bufblocks	len[dmabuf, int32]
}

floppy_fdc_state {
	spec1		int32
	spec2		int32
	dtr		int32

	version		int8
	dor		int8
	address		intptr
	rawcmd		int32:2
	reset		int32:1
	need_configure	int32:1
	perp_mode	int32:2
	has_fifo	int32:1
	driver_version	int32

	track		array[int8, 4]
}

floppy_write_errors {
	write_errors		int32

	first_error_sector	intptr
	first_error_generation	int32
	last_error_sector	intptr
	lsat_error_generation	int32

	badness			int32
}

floppy_raw_cmd {
	flags		flags[floppy_raw_cmd_flags, int32]

	data		buffer[inout]
# kernel only. zerroed after copy_from_user. Maybe need to use const[0, intptr]
	kernel_data	ptr[in, int8]
	next		const[0, intptr]

	length		len[data, intptr]
# output value
	phys_length	const[0, intptr]
# output value. kernel only
	buffer_length	const[0, int32]

	rate		int8
	cmd_count	int8
	cmd		array[int8, 16]
# output
	reply_count	const[0, int8]
	reply		array[const[0, int8], 16]
	track		int32
# output
	resultcode	const[0, int32]

	reserved1	const[0, int32]
	reserved2	const[0, int32]
}

floppy_reset_mode = FD_RESET_IF_NEEDED, FD_RESET_IF_RAWCMD, FD_RESET_ALWAYS
floppy_drive_struct_flags = FD_NEED_TWADDLE_BIT, FD_VERIFY_BIT, FD_DISK_NEWCHANGE_BIT, FD_UNUSED_BIT, FD_DISK_CHANGED_BIT, FD_DISK_WRITABLE_BIT, FD_OPEN_SHOULD_FAIL_BIT
floppy_drive_params_flags = FTD_MSG, FD_BROKEN_DCL, FD_DEBUG, FD_SILENT_DCL_CLEAR, FD_INVERTED_DCL
floppy_raw_cmd_flags = FD_RAW_READ, FD_RAW_WRITE, FD_RAW_NO_MOTOR, FD_RAW_DISK_CHANGE, FD_RAW_INTR, FD_RAW_SPIN, FD_RAW_NO_MOTOR_AFTER, FD_RAW_NEED_DISK, FD_RAW_NEED_SEEK, FD_RAW_MORE, FD_RAW_STOP_IF_FAILURE, FD_RAW_STOP_IF_SUCCESS, FD_RAW_SOFTFAILURE, FD_RAW_FAILURE, FD_RAW_HARDFAILURE