no output from test machine

[yuw...@gmail.com]

When I run "./bin/syz-manager -config=android.cfg" ,then the device reboot. After reboot, the console showed as follow:

2020/06/09 09:17:33 executing adb [shell pwd]

2020/06/09 09:17:33 adb returned

2020/06/09 09:17:34 executing adb [shell pwd]

2020/06/09 09:17:34 adb returned

2020/06/09 09:17:34 executing adb [root]

2020/06/09 09:17:37 adb returned

2020/06/09 09:17:38 executing adb [shell pwd]

2020/06/09 09:17:38 adb returned

2020/06/09 09:17:39 executing adb [shell pwd]

2020/06/09 09:17:40 adb returned

2020/06/09 09:17:40 executing adb [shell dumpsys battery | grep level:]

2020/06/09 09:17:40 adb returned

2020/06/09 09:17:40 device 123456789: battery level 100%, OK

2020/06/09 09:17:40 executing adb [shell rm -Rf /data/syzkaller*]

2020/06/09 09:17:40 adb returned

2020/06/09 09:17:40 executing adb [shell echo 0 > /proc/sys/kernel/kptr_restrict]

2020/06/09 09:17:40 adb returned

2020/06/09 09:17:40 executing adb [reverse tcp:46846 tcp:33162]

2020/06/09 09:17:40 adb returned

2020/06/09 09:17:40 executing adb [push /home/asd/workspace/go/gopath/src/github.com/google/syzkaller/bin/linux_arm/syz-fuzzer /data/syz-fuzzer]

2020/06/09 09:17:41 adb returned

2020/06/09 09:17:41 executing adb [push /home/asd/workspace/go/gopath/src/github.com/google/syzkaller/bin/linux_arm/syz-executor /data/syz-executor]

2020/06/09 09:17:41 adb returned

2020/06/09 09:17:41 starting: adb shell /data/syz-fuzzer -executor=/data/syz-executor -name=vm-0 -arch=arm -manager=127.0.0.1:46846 -sandbox=none -procs=1 -cover=false -debug=true -test=false -vv=100

2020/06/09 01:17:40 fuzzer started

2020/06/09 01:17:41 dialing manager at 127.0.0.1:46846

2020/06/09 09:22:41 instance closed

2020/06/09 09:22:41 vm-0: crash: no output from test machine

2020/06/09 09:22:42 executing adb [shell pwd]

2020/06/09 09:22:42 adb returned

2020/06/09 09:22:42 executing adb [shell reboot]

2020/06/09 09:22:46 adb returned

2020/06/09 09:22:57 executing adb [shell pwd]

2020/06/09 09:22:57 adb returned

2020/06/09 09:22:58 executing adb [shell pwd]

2020/06/09 09:22:58 adb returned

=======================================================================

After 5mins, it showed "vm-0: crash: no output from test machine"

cfg file is as follow:

{

        "target": "linux/arm",

        "http": "127.0.0.1:50000",

        "workdir": "/home/asd/workspace/go/gopath/src/github.com/google/syzkaller/workdir",

        "kernel_obj": "/home/asd/workspace/go/gopath/src/github.com/google/syzkaller/msm-4.9",

        "syzkaller": "/home/asd/workspace/go/gopath/src/github.com/google/syzkaller",

        "sandbox": "none",

        "procs": 1,

        "type": "adb",

        "cover": false,

        "vm": {

                "devices": ["123456789"]

        }

}

=======================================================================

go version go1.14.2 linux/amd64

syzkaller's latest commit is 7751efd

device is 32bit, kernel is msm-4.9

host is Ubuntu 16.04.6 LTS

I patched "KASAN for ARM" to kernel

https://lwn.net/ml/linux-arm-kernel/20200507124522.171...@linaro.org/

=======================================================================

How can I solve this problem？Thank you all the same!

[Dmitry Vyukov]

Hi,

Looking at this output, it hanged somewhere between these lines:
https://github.com/google/syzkaller/blob/master/syz-fuzzer/fuzzer.go#L163-L184
because at the beginning of checkMachine it should have been logged this line:
https://github.com/google/syzkaller/blob/master/syz-fuzzer/testing.go#L118

So it either (1) couldn't connect back to the host, or (2) syz-manager
did not reply within 5 mins.

Please sync to pick up this change:
https://github.com/google/syzkaller/commit/092934c131705d77c23b65df2a846fcd49d98469
and retry with it. If we will see that line, then it's (2), otherwise it's (1).

Additionally try to repeat the same manually, add a reverse forwarding
adb root

adb reverse tcp:46846 tcp:33162

and try to connect to the tcp port on the host.
So far it looks like there is something wrong with the adb and reverse
forwarding does not work.

> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/f1bd1c65-5f0a-485e-a6f7-b0c98bac3288o%40googlegroups.com.

[yuw...@gmail.com]

First of all, thanks a lot for helping me patiently.

 I synced and added some log like this:

163         log.Logf(0, "dialing manager at %v", *flagManager)

164         manager, err := rpctype.NewRPCClient(*flagManager)

165         if err != nil {

166                 log.Fatalf("failed to connect to manager: %v ", err)

167         }

168         log.Logf(1, "connecting to manager...")

169         a := &rpctype.ConnectArgs{Name: *flagName}

170         r := &rpctype.ConnectRes{}

171         if err := manager.Call("Manager.Connect", a, r); err != nil {

172                 log.Fatalf("failed to connect to manager: %v ", err)

173         }

174         log.Logf(1, "[LINE: 174]")

175         featureFlags, err := csource.ParseFeaturesFlags("none", "none", true)

176         if err != nil {

177                 log.Fatal(err)

178         }

179         log.Logf(1, "[LINE: 179]")

180         if r.CheckResult == nil {

=============================================================================================

And this time console showed:

2020/06/10 20:27:07 executing adb [shell pwd]

2020/06/10 20:27:07 adb returned

2020/06/10 20:27:07 executing adb [root]

2020/06/10 20:27:10 adb returned

2020/06/10 20:27:11 executing adb [shell pwd]

2020/06/10 20:27:11 adb returned

2020/06/10 20:27:11 executing adb [shell dumpsys battery | grep level:]

2020/06/10 20:27:12 adb returned

2020/06/10 20:27:12 device 123456789: battery level 100%, OK

2020/06/10 20:27:12 executing adb [shell rm -Rf /data/syzkaller*]

2020/06/10 20:27:12 adb returned

2020/06/10 20:27:12 executing adb [shell echo 0 > /proc/sys/kernel/kptr_restrict]

2020/06/10 20:27:12 adb returned

2020/06/10 20:27:12 executing adb [reverse tcp:1569 tcp:33002]

2020/06/10 20:27:12 adb returned

2020/06/10 20:27:12 executing adb [push /home/asd/workspace/go/gopath/src/github.com/google/syzkaller/bin/linux_arm/syz-fuzzer /data/syz-fuzzer]

2020/06/10 20:27:13 adb returned

2020/06/10 20:27:13 executing adb [push /home/asd/workspace/go/gopath/src/github.com/google/syzkaller/bin/linux_arm/syz-executor /data/syz-executor]

2020/06/10 20:27:13 adb returned

2020/06/10 20:27:13 starting: adb shell /data/syz-fuzzer -executor=/data/syz-executor -name=vm-0 -arch=arm -manager=127.0.0.1:1569 -sandbox=none -procs=1 -cover=false -debug=true -test=false -vv=100

2020/06/10 12:27:12 fuzzer started

2020/06/10 12:27:13 dialing manager at 127.0.0.1:1569

2020/06/10 12:27:13 connecting to manager...

2020/06/10 20:32:13 instance closed

2020/06/10 20:32:13 vm-0: crash: no output from test machine

2020/06/10 20:32:14 executing adb [shell pwd]

2020/06/10 20:32:14 adb returned

2020/06/10 20:32:14 executing adb [shell reboot]

2020/06/10 20:32:18 adb returned

============================================================================================================

I think maybe something goes wrong with manager.Call("Manager.Connect", a, r), but I have no idea to debug in GO language.

I also tried to exec cmd "adb root" & "adb reverse tcp:1569 tcp:33002", but it doesn't work.

Hopeing for your reply.

Best wishes :)

在 2020年6月10日星期三 UTC+8下午7:22:10，Dmitry Vyukov写道：

> https://lwn.net/ml/linux-arm-kernel/20200507124522.171323-1-linus...@linaro.org/

> =======================================================================
> How can I solve this problem？Thank you all the same!
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to syzk...@googlegroups.com.

[Dmitry Vyukov]

Humm... Frankly I expected that it would not be able to Dial
(establish a tcp connection).
The first line of the Connect handler in syz-manager already has logging:
https://github.com/google/syzkaller/blob/master/syz-manager/rpc.go#L85
We don't see that line in the log.

It looks like a tcp connection to host was established, but then no
data transferred...

Unfortunately I don't have any good suggestions. I don't remember
anybody reported something similar on this list, and we don't use
android/adb actively...

Simpler thing that may shed some light (but may not), is to wait for
the "connecting to manager..." line, then connect to the device in
another console and do kill -6 for the syz-fuzzer process. Then it
should dump stacks of all goroutines. Maybe there will be something
that will help.
Additionally after that you may do 'killall -6 syz-manager' on the
host, and syz-manager will also dump all stacks. Maybe these will be
helpful.

If that will not shed any light, I would try to do what syzkaller does manually:
- create listening tcp socket on the host
- setup reverse proxy with adb
- try to connect from the device and exchange some data

>> > https://lwn.net/ml/linux-arm-kernel/20200507124522.171...@linaro.org/

>> > =======================================================================
>> > How can I solve this problem？Thank you all the same!
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "syzkaller" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to syzk...@googlegroups.com.
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/f1bd1c65-5f0a-485e-a6f7-b0c98bac3288o%40googlegroups.com.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/a9e235fa-cab7-4cd4-9dcc-bb3573c10048o%40googlegroups.com.

[何文经]

First of all, I apologize for my carelessness.I assumed there are no errors at the beginning of the log.But in fact, there may be something wrong at the beginning.  

The complete log file has been attached.

At the beginning of log, it shows:

2020/06/11 10:37:53 serving rpc on tcp://[::]:45723

Maybe it should be the IP instead of "[::]", such as tcp://127.0.0.1:45723.

Should I set the IP address manually?Just like sys-manager cannot associate the console, and I modified like this:

-       inst.console = findConsole(inst.adbBin, inst.device)
+       //inst.console = findConsole(inst.adbBin, inst.device)
+       inst.console = "/dev/ttyACM0"

Hope for your reply.
Best wishes :)  

'Dmitry Vyukov' via syzkaller <syzk...@googlegroups.com> 于2020年6月10日周三 下午10:05写道：

You received this message because you are subscribed to a topic in the Google Groups "syzkaller" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/syzkaller/bsXciiDVdc0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to syzkaller+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/CACT4Y%2Ba0j_7wBjONbihqnunyKTq0Hf-N%3DO%3DCxJQPSR7t%3D4mA1g%40mail.gmail.com.

[Dmitry Vyukov]

On Thu, Jun 11, 2020 at 8:13 AM 何文经 <yuw...@gmail.com> wrote:
>
> First of all, I apologize for my carelessness.I assumed there are no errors at the beginning of the log.But in fact, there may be something wrong at the beginning.
> The complete log file has been attached.
> At the beginning of log, it shows:
> 2020/06/11 10:37:53 serving rpc on tcp://[::]:45723
> Maybe it should be the IP instead of "[::]", such as tcp://127.0.0.1:45723.

I don't know. Maybe it listens only over ipv6, and the adb connects
only over ipv4? Does it fix things for you?

> Should I set the IP address manually?Just like sys-manager cannot associate the console, and I modified like this:

Well, that's definitely not the intended way to do things.
But if you change things and find combination that works, then it may
help us to understand what the problem is and then fix the source code
properly so that it does not need any fixing in future.

[何文经]

OK, there may be something wrong with my modifications.

Now I have reset the source code without my modifications. 

Try it again. This time, it crashed with:

vm-0: crash: panic:LINE, dump:LINE 

The full log and cfg file have been attached.

Look forward to your reply.

Best regards.:)

[Dmitry Vyukov]

Well, it would be good if you say that you modified the relevant part
of the code sooner.

Re the panic sync to pick up this commit:
https://github.com/google/syzkaller/commit/6fe5725de825de9fe21e7697443eadd5fd6bafbf
Android output is a mess. Does anybody even test Android? How?... Never mind.

[yuwezyu]

That's my bad.
Because I work with android security, so fuzz android's kernel matters.

After picking the commit, I run again. And this time it showed:

2020/06/12 14:44:23 instance closed

2020/06/12 14:44:23 vm-0: crash: WARNING in corrupted [corrupted]

2020/06/12 14:44:23 failed to symbolize report: failed to start scripts/get_maintainer.pl [scripts/get_maintainer.pl --no-n --no-rolestats --git-min-percent=15 -f /home/workspace/asd/NX8/kernel/msm-4.9/mm/vmalloc.c]: fork/exec scripts/get_maintainer.pl: no such file or directory

2020/06/12 14:44:24 executing adb [shell pwd]

2020/06/12 14:44:24 adb returned

2020/06/12 14:44:24 executing adb [shell reboot]

2020/06/12 14:44:28 adb returned

Emmm...I googled and still have no idea to deal with it.

在 2020年6月12日星期五 UTC+8下午2:29:01，Dmitry Vyukov写道：

[Dmitry Vyukov]

On Fri, Jun 12, 2020 at 9:14 AM yuwezyu <yuw...@gmail.com> wrote:
>
> That's my bad.
> Because I work with android security, so fuzz android's kernel matters.
> After picking the commit, I run again. And this time it showed:
> 2020/06/12 14:44:23 instance closed
> 2020/06/12 14:44:23 vm-0: crash: WARNING in corrupted [corrupted]
> 2020/06/12 14:44:23 failed to symbolize report: failed to start scripts/get_maintainer.pl [scripts/get_maintainer.pl --no-n --no-rolestats --git-min-percent=15 -f /home/workspace/asd/NX8/kernel/msm-4.9/mm/vmalloc.c]: fork/exec scripts/get_maintainer.pl: no such file or directory
> 2020/06/12 14:44:24 executing adb [shell pwd]
> 2020/06/12 14:44:24 adb returned
> 2020/06/12 14:44:24 executing adb [shell reboot]
> 2020/06/12 14:44:28 adb returned
> Emmm...I googled and still have no idea to deal with it.

This looks like a real kernel bug.

You either improperly specified "kernel_src" parameter, or the sources
are incomplete (do not contain scripts/get_maintainer.pl). If you
don't have /home/workspace/asd/NX8/kernel/msm-4.9/scripts/get_maintainer.pl,
that's wrong.

The fact that the crash is parsed as "in corrupted" may be something
to fix in pkg/report. Please either submit a PR to fix it, or at least
submit a PR with a test case similar to this one:
https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/239

> 在 2020年6月12日星期五 UTC+8下午2:29:01，Dmitry Vyukov写道：
>>
>> On Fri, Jun 12, 2020 at 7:40 AM 何文经 <yuw...@gmail.com> wrote:
>> >
>> > OK, there may be something wrong with my modifications.
>> > Now I have reset the source code without my modifications.
>> > Try it again. This time, it crashed with:
>> > vm-0: crash: panic:LINE, dump:LINE
>> > The full log and cfg file have been attached.
>> > Look forward to your reply.
>> > Best regards.:)
>>
>> Well, it would be good if you say that you modified the relevant part
>> of the code sooner.
>>
>> Re the panic sync to pick up this commit:
>> https://github.com/google/syzkaller/commit/6fe5725de825de9fe21e7697443eadd5fd6bafbf
>> Android output is a mess. Does anybody even test Android? How?... Never mind.
>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/8532af2f-e2b2-4987-a427-5a7b3bb6bb8ao%40googlegroups.com.

[yuwezyu]

There are two questions that confuse me：

First:

    Are the kernel source codes necessary? 

    In my cfg file, I don't set "kernel_src" which will set to the "kernel_obj" directory by default.https://github.com/google/syzkaller/blob/master/pkg/mgrconfig/config.go#L40

    I set the "kernel_obj" to msm-4.9. But in msm-4.9, there is no kernel source code.Actually it's the "KERN_OBJ" directory which generated after kernel compiling. I renamed it. There are vmlinux and many other .o files in it.

   

Second:

The fact that the crash is parsed as "in corrupted" may be something
to fix in pkg/report. Please either submit a PR to fix it, or at least
submit a PR with a test case similar to this one:
https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/239

    Is this mean I should create a file (e.g. 500) under pkg/report/testdata/linux/report and write the wraning message in it to fix the  corruption?

    But in serial log, there is no warning message showed:

[  108.904051] init: starting service 'scanserver'...

[  108.939161] init: Service 'scanserver' (pid 3929) exited with status 1

[  108.939239] init: Sending signal 9 to service 'scanserver' (pid 3929) process group...

[  108.939662] libprocessgroup: Successfully killed process cgroup uid 1000 pid 3929 in 0ms

[  108.940288] init: updatable process 'scanserver' exited 4 times in 4 minutes

[  108.940411] init: Init cannot set 'ro.init.updatable_crashing' to '1': Read-only property was already set

[  109.281763] FG_CW2017 : cw_get_capacity-344 : \x016CW2017[344]: UI_SOC = 99, UI_decimal = 21 soc = 97, soc_decimal = 60

[  109.282557] vol = 4134  cap = 99 temp = 290

[  109.386598] healthd: battery l=99 v=8268 t=29.0 h=1 st=3 cc=6 chg=u

2020/06/12 15:51:15 instance closed

2020/06/12 15:51:15 vm-0: crash: WARNING in corrupted [corrupted]

2020/06/12 15:51:15 failed to symbolize report: failed to run ["scripts/get_maintainer.pl" "--no-n" "--no-rolestats" "--git-min-percent=15" "-f" "/home/workspace/asd/NX8/kernel/msm-4.9/mm/vmalloc.c"]: exit status 2

    
在 2020年6月12日星期五 UTC+8下午3:29:49，Dmitry Vyukov写道：

> To unsubscribe from this group and stop receiving emails from it, send an email to syzk...@googlegroups.com.

[Dmitry Vyukov]

On Fri, Jun 12, 2020 at 10:41 AM yuwezyu <yuw...@gmail.com> wrote:
>
> There are two questions that confuse me：
> First:
> Are the kernel source codes necessary?

Yes.

> In my cfg file, I don't set "kernel_src" which will set to the "kernel_obj" directory by default.https://github.com/google/syzkaller/blob/master/pkg/mgrconfig/config.go#L40
> I set the "kernel_obj" to msm-4.9. But in msm-4.9, there is no kernel source code.Actually it's the "KERN_OBJ" directory which generated after kernel compiling. I renamed it. There are vmlinux and many other .o files in it.
>
> Second:
>>
>> The fact that the crash is parsed as "in corrupted" may be something
>> to fix in pkg/report. Please either submit a PR to fix it, or at least
>> submit a PR with a test case similar to this one:
>> https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/239
>
> Is this mean I should create a file (e.g. 500) under pkg/report/testdata/linux/report and write the wraning message in it

Yes.

> to fix the corruption?

No, adding a test won't fix anything by itself.
A fix will be something in pkg/report/linux.go.

> But in serial log, there is no warning message showed:

There should be a line containing "WARNING:", probably before the part
that you posted. Otherwise syz-manager would not identify a WARNING.
You may see all regexps that it matches here:
https://github.com/google/syzkaller/blob/master/pkg/report/linux.go#L903-L1674

> [ 108.904051] init: starting service 'scanserver'...

> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/4159ffd3-9d9d-4cf0-9b5e-e6c1d26b8bffo%40googlegroups.com.