Since the qemu riscv64 port does not work with the default -net nic
parameter, add support to use in the modern way of specifying network devices
to qemu, i.e. -device virtio-net-device,netdev=0 -netdev user,id=net0,host=...
The same applies for the -hda qemu option. Provide a way to use the
modern way of specifying image devices as well.
Other/new ports may use these options as well in the future by setting
UseNewQemuNetOptions and/or UseNewQemuImageOptions.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
* mmap syscall is special on Linux s390x because
the parameters for this syscall are passed as a struct
on user stack instead of registers.
* Introduce the SyscallTrampolines table into targets.Target
to address the above problem.
* There is a bug in Linux kernel s390x which causes QEMU TCG
to hang when KASAN is enabled. The bug has been fixed
in the forthcoming Linux 5.8 version. Until then do not enable
KASAN when using QEMU TCG, QEMU KVM shall have no problems with
KASAN.
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
The -alsologtostderr flag is a noop if -panic-log is also set. So before
this change, debug logs were not included in the syzkaller output logs.
By setting -debug-log=/dev/stderr, all debug logs are sent to stderr,
which syzkaller scrapes and includes in the output logs.
Some terms are normalised on the technical level
but may be oppressive on a societal level.
Replace them with more technically neutral terms.
See the following doc for a longer version:
https://tools.ietf.org/id/draft-knodel-terminology-00.html
* updated the contributor list
* Fixes#1750, syz-manager hangs with "target_reboot:" false in isolated VM mode
If in the isolated VM mode, "target_reboot": false option is set in the
syz-manager's configuration, it hangs forever. syz-manager essentially
keeps on waiting for the VM to reboot, while a reboot is never triggered
due to target_reboot option being set to false. The fix is to perform the
waitRebootAndSSH() check only when target_reboot is set to true.
File(s) changed:
vm/isolated/isolated.go: Move the waitRebootAndSSH() check inside the correct block
1. Always append diagnosis output at the end.
Don't intermix it with kernel output. It's confusing and not useful.
2. Don't include diagnosis output into Report.
It's too verbose and is not the crash. Keep it only in the Output.
GO's runtime calls the write system call twice to print "panic:"
and "the reason of this panic", so here is a race window when
other threads can print something to the log and we will see
something like this:
panic: log messages from another thread
The reason of the panic.
This confuses the syzkaller blacklist and dedup detection.
Signed-off-by: Andrei Vagin <avagin@google.com>
(WIP PR)
Add support for StartupScript.
* Modify Config{} to contain PostRepairScript.
* Allow repair() to execute a startup_script after reboot. The contents
of this script execute on the DUT.
Add pstore support:
* Modify Config{} to contain Pstore.
* Modify Diagnose() to reboot the DUT and fetch pstore logs,
conditional on inst.cfg.Pstore.
* Add readPstoreContents().
* Allow clearing previous pstore logs upon Create() and after use inside
readPstoreContents().
* Fetching pstore crashlogs relies on reliably getting lost connection
on DUT reboot. Use "ServerAliveInterval=6 ServerAliveCountMax=5" ssh
options when running syz-fuzzer with Pstore support enabled.
Allow parsing pstore contents:
* Diagnose() now returns pstore contents.
Refactoring:
* Move out some reusable parts of repair() to waitRebootAndSSH().
* Have an early return inside repair() if inst.waitForSSH() fails.
* vm/isolated: update isolated vm
Old isolated.go cannot hard reset the target device when the target device is stuck,
because it used SSH command to reboot.
New isolated.go can reboot the target device using USB hub,
so it can reboot the device when its kernel is crashed during fuzzing.
It also doesn't require 'CGO' like odroid.go
* vm/isolated: set default Host, comment modification
* vm/isolated: restore ssh reboot in repair()
In the previous commit, ssh reboot is removed.
but it should be remained, so this commit restore the ssh reboot.
Now, repair() func can reboot the target using ssh or /sys/bus/usb/devices/.../authorized/
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using /bin/sh to file method
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using '/bin/sh' to file i/o
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: update USBdev rebooting method and etc, ...
- change reboot method from using '/bin/sh' to file i/o
- change USBDevNum to array type
- restore waiting time when rebooting
* vm/isolated: some fixes based on feedback
- change variable name: USBDevNum -> USBDevNums, USBAuth -> usbAuth
- check whether USBDevNums is empty in ctor(), repair()
- move usbAuth declaration from Create() to repair()
* vm/isolated: remove empty line
* vm/isolated: fix some conditions
* vm/isolated: change comment, add validate length of USBDevNums
* vm/isolated: check whether the len(USBDevNums) and len(Targets) is same
* vm/isolated: change repair() func based on review
- wait 30*time.Minute even if TargetReboot is not set.
- reduce/combine logs
- e -> err
* vm/isolated: In repair(), print error log and return error when ssh is failed
The new manager config argument workdir_template refers to a directory. Optional.
Each VM will get a recursive copy of the files that are present in workdir_template.
VM config can then use these private copies as needed. The copy directory
can be referenced with "{{TEMPLATE}}" string. This is different from using
the files directly in that each instance will get own clean, private,
scratch copy of the files. Currently supported only for qemu_args argument
of qemu VM type. Use example:
Create a template dir with necessary files:
$ mkdir /mytemplatedir
$ truncate -s 64K /mytemplatedir/fd
Then specify the dir in the manager config:
"workdir_template": "/mytemplatedir"
Then use these files in VM config:
"qemu_args": "-fda {{TEMPLATE}}/fd"
Move HostFuzzer from vm/qemu.
It's needed in a number of other packages
and strictly saying is not specific to qemu
(it just happened that both fuchsia and akaros only support qemu).
Go support is not a priority for Fuchsia at the moment, so it's
preferable to use host fuzzing mode for Fuchsia like currently done
for Akaros.
This commit basically looks for all the places where there was special
logic for OS=="akaros" and extends the same logic for OS=="fuchsia".
$ runsc -h
...
-alsologtostderr=false: send log messages to stderr
...
Now gvisor doesn't send log messages on stderr by default,
and if we want to see these messages, we need to specify the
alsologtostderr option.
Currently the 'image_device' config option in qemu.go doesn't properly
support the modern '-drive' argument for describing qemu hard disks.
In fact the various old ways to define qemu drives all boil down to
the common form '-drive if=TYPE,bus=BUS,unit=UNIT,OPTS...'
For example '-hda img' is equivalent to '-drive index=0,media=disk,file=img'.
Let's make the 'image_device' config option support both forms.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
We've got a case when "ODEBUG:" was incorrectly detected as crash.
That was caused by a flaw in matchPos logic. Fix that.
See the added test for details.
Currently we have them duplicated in docs/configuration.md
and the actual source in pkg/mgrconfig/config.go.
Documentation is missing in one place or another,
some is outdated, some is phrased slightly differently.
Move all docs to pkg/mgrconfig/config.go and reference it
from docs/configuration.md instead.
We duplicated the no output timeout in the repro package,
and it got out of sync. It's not 3 mins now, but 5 mins.
Remove the duplication and fix this.
* vm: add bhyve support
bhyve is FreeBSD's native hypervisor. Because it is missing snapshot
support and user networking, some additional configuration on the host
is required. However, unlike QEMU on FreeBSD, bhyve can make use of
hardware virtualization features and is thus faster.
* docs/freebsd: document bhyve support
We are seeing some flakes during bisection and image testing.
Hard to tell what's the root cause because they are episodic.
But using non-preemptible VMs for bisection and image testing
looks good on all fronts.
Update #501
Currently we try to ssh into the machine for 10 minutes
even if it crashed right away. Make qemu exit on kernel panic
and stop ssh'ing when qemu exits.
Handling bad kernels fast is actually important for bisection.
Update #501
* Modified pkg/build/netbsd.go
1. Made kernel build incremental
2. Added code to copy kernel to disk image
* Fix formating issues
* Fixed basic issues
* Fixed copy kernel to disk
1. Added CPU option to default
2. Added snapshot option to vm/qemu/qemu.go
3. Hacky solution to get the build working
* Fixed issues and added vm.MonitorExecution
* Added sync instead of poweroff
The console and root that we use are specific for 386/amd64.
arm/arm64 usually use a different console and root device.
Use separate settings for 386/amd64 and arm/arm64.
A line length of 79 in the ddb output does not necessarily imply that the
following line is a continuation of the current line. Since there's no way
to distinguish between ordinary and continuation lines, it could end up
corrupting the report by joining two lines that are disjoint[1].
Instead, disable line wrapping in ddb. If we want some kind of wrapping in
the future it's easier done by pkg/report.
[1] https://syzkaller.appspot.com/bug?extid=03f7377a9848d7d008c9
* pkg/report: symbolize witness trace on OpenBSD
* vm/vmimpl: show witness locks on panic
* vm/vmimpl: show memory stats on panic
* fixup! pkg/report: symbolize witness trace on OpenBSD
Disable qemu VGA output on ppc64le. The current pseries console code in
the kernel has a bunch of bugs, and if you don't disable VGA syzkaller
won't see console output.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
ppc64le supports KVM, let's use it.
This obviously won't work on an x86 host, but at present there are issues
using syzkaller on ppc64le with qemu in TCG mode anyway.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Currently we only support canExit flag.
However there are actually 3 separate conditions:
- program can exit normally
- program can timeout (e.g. fuzzer test or runtest can't)
- program can exit with error (e.g. C test can)
Allow to specify these 3 conditions separately.
Rather than writing the diagnosis to the kernel console, Diagnose can
now directly return the extra debugging info, which will be appended ot
the kernel console log.