failed to make an ioctl A input value depend on ioctl B output


erdong zhang

May 31, 2025, 10:26:14 PM
to syzkaller
Hi,
I am trying to make ioctl B's output value a resource that another ioctl can use as an input value. My syscall descriptions are as follows:

```
resource mem_handle_r[int64]
ioctl$AIP_MEM_CREATE_IOCTL(fd fd_ilu, cmd const[AIP_MEM_CREATE_IOCTL], arg ptr[inout, ioctl_mem_create_args])
ioctl$AIP_MEM_OPEN_IOCTL(fd fd_ilu, cmd const[AIP_MEM_OPEN_IOCTL], arg ptr[inout, ioctl_mem_open_args])
```

```
ioctl_mem_create_args {
    input        THUNKIF_CREATE_ALLOCATION_DESC  (in)
    hAllocation  mem_handle_r                    (out)
    address      int64                           (out)
}

# TODO is pCpuVa and fake_va right?
THUNKIF_CREATE_ALLOCATION_DESC {
    hContext        KCONTEXT_HANDLE
    hVideoDecoder   KVDEC_HANDLE
    flags           THUNKIF_CREATE_ALLOCATION_FLAG
    size_in_bytes   int64[0:34359738368]
    base_alignment  int32
    heap            int32
    pCpuVa          ptr64[in, int64]
    fake_va         ptr64[in, int64]
}

ioctl_mem_open_args {
    input        THUNKIF_OPEN_MEM_DESC  (in)
    hAllocation  KMEM_HANDLE            (out)
    address      int64                  (out)
    size         int64                  (out)
    heap         int32                  (out)
}

THUNKIF_OPEN_MEM_DESC {
    hContext       KCONTEXT_HANDLE
    hContextGuest  KCONTEXT_HANDLE
    hMemGuest      mem_handle_r  (in)
    va             int64
    size           int64
}
```
The ioctl$AIP_MEM_CREATE_IOCTL syscall returns a value in ioctl_mem_create_args.hAllocation, and I want to use it in ioctl$AIP_MEM_OPEN_IOCTL as
an input value. Is there a syntax error? The generated corpus is as follows:
```
r0 = openat$ilu(0xffffffffffffff9c, 0x0, 0x80401, 0x0)
ioctl$AIP_CONTEXT_CREATE_IOCTL(r0, 0x5450, 0x0)
r1 = openat$ilu(0xffffffffffffff9c, &(0x7f0000000100), 0x8100, 0x0)
ioctl$AIP_MEM_CREATE_IOCTL(r1, 0xc0488105, &(0x7f0000000480)={{0x1, 0xfffffffffffffffc, @flag_bit, 0x2000008, 0x3d, 0x2, 0x0, 0x0}})
r2 = openat$ilu(0xffffffffffffff9c, &(0x7f0000000000), 0x8100, 0x0)
ioctl$AIP_MEM_CREATE_IOCTL(r2, 0xc0488105, &(0x7f0000000480)={{0x1, 0xfffffffffffffffc, @flag_bit, 0x2000008, 0x3d, 0x2, 0x0, 0x0}})
r3 = openat$ilu(0xffffffffffffff9c, &(0x7f0000000080), 0x20201, 0x0)
ioctl$AIP_MEM_OPEN_IOCTL(r3, 0xc0488104, &(0x7f0000000100)={{0x2, 0x1000001, 0x100000001, 0x3, 0x9}})
```

I cannot see the code that makes mem_handle_r an input to ioctl$AIP_MEM_OPEN_IOCTL.
Also, when I translate the corpus to a C program with syz-prog2c, the C code does not contain any code related to `resource mem_handle_r[int64]` either.

Thanks for any suggestions.

Aleksandr Nogikh

Jun 10, 2025, 3:59:45 AM
to erdong zhang, syzkaller
Hi,
This program doesn't take a resource from hAllocation to put it into
hMemGuest. If it did, the MEM_CREATE_IOCTL would contain something
like <r2=>0x0 and MEM_OPEN_IOCTL would use the resource explicitly.

I think it could be one of:
1. Syzkaller just didn't generate the right program yet.
2. Your descriptions are not entirely correct and taking the
hAllocation value to hMemGuest does not change anything.

You could try to write the correct seed program yourself and check if
it does reach the kernel code of your interest:
https://github.com/google/syzkaller/blob/master/docs/syscall_descriptions.md#testing-of-descriptions
https://github.com/google/syzkaller/blob/master/docs/program_syntax.md

> ```
>
> I cannot see the code that makes mem_handle_r an input to ioctl$AIP_MEM_OPEN_IOCTL.
> Also, when I translate the corpus to a C program with syz-prog2c, the C code does not contain any code related to `resource mem_handle_r[int64]` either.

That's expected - the syz program you shared does not use the resource.

>
> Thanks for any suggestions.
>

--
Aleksandr
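A seed program of the kind the reply suggests writing by hand, added here as an illustration; it is not from the thread, from the original poster's corpus, or from syzkaller's own tests. It reuses the ioctl numbers and struct layouts that the generated corpus above printed, and binds the `(out)` hAllocation field of the create call to a resource that the open call then consumes. The device path `/dev/ilu`, the openat flags, the allocation size and alignment are assumptions, and the KCONTEXT_HANDLE values are left as plain literals exactly as they appear in the original corpus.

```syzlang
# Added example seed program, not taken from the thread. Assumptions: fd_ilu is
# obtained with openat$ilu on /dev/ilu (path and flags assumed); ioctl numbers
# 0xc0488105 / 0xc0488104 are the ones the generated corpus printed above.
r0 = openat$ilu(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ilu\x00', 0x2, 0x0)
# ioctl_mem_create_args = {input, hAllocation, address}. The second field is the
# (out) mem_handle_r; writing it as <r1=>0x0 tells the executor to read the value
# back after the call and bind it to resource r1. The trailing address field is
# an (out) int64 and can be omitted (assumed values for the inner desc).
ioctl$AIP_MEM_CREATE_IOCTL(r0, 0xc0488105, &(0x7f0000000100)={{0x1, 0x0, @flag_bit, 0x1000, 0x1000, 0x0, 0x0, 0x0}, <r1=>0x0})
# THUNKIF_OPEN_MEM_DESC = {hContext, hContextGuest, hMemGuest, va, size}. Putting
# r1 in the third slot is what makes this input depend on the previous output;
# the four (out) fields after the inner desc are omitted.
ioctl$AIP_MEM_OPEN_IOCTL(r0, 0xc0488104, &(0x7f0000000200)={{0x1, 0x1, r1, 0x0, 0x1000}})
```

To check that the descriptions wire the handle through, save this as a `.syz` file and run `syz-prog2c -prog seed.syz`: the emitted C should read the hAllocation field back out of the create argument and store it into the open argument before the second ioctl. If that read-back is missing, the `(out)` / `(in)` direction annotations or the resource type in the descriptions are what to re-check; if it is present but the driver still rejects the open call, the handle encoding itself (not the syzkaller plumbing) is the problem, and `syz-execprog` with coverage enabled shows which kernel paths the seed actually reaches.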