| Commit message (Collapse) | Author | Age | Files | Lines |
* vm/cuttlefish: add vm type for cuttlefish on gce
This new VM type embeds the existing 'gce' type to start an instance and
then run a Cuttlefish Android VM on it using the 'launch_cvd' binary
installed on it.
This requires us to make a few fields on the 'gce' type visible so that
'cuttlefish' can set them when starting the instance.
The remaining functionality (SSH forwarding, file copying, and running
commands on the nested Android VM) will be in following changes.
For more information on Cuttlefish, see:
https://source.android.com/setup/create/cuttlefish
https://android.googlesource.com/device/google/cuttlefish/
* vm/cuttlefish: fix missed log.Logf(0 call to log.Logf(1
* vm/cuttlefish: remove unneeded log.Logf() calls
This logging for Count() isn't terribly useful since it's a single-line
call with very simple logic.
For the unimplemented methods the log lines have limited utility since
they're already returning error messages which will get logged.
This commit replaces all `ioutil.TempDir` with `t.TempDir` in tests.
The directory created by `t.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Now we always enable it, make this configurable for GCE instances.
Invoking qemu with the nowait option produces a warning that the
short-form boolean options are deprecated and that wait=off is
preferred.
Current state: every 5 minutes VM reboots.
Fix: signal "executing program" to monitor to prevent this reboot.
QEMU occasionally sends events in the same stream used for QMP commands,
so from time to time the received packet is not a QMP response but a QMP event,
which breaks the parser. For example, events are sent when the machine state
changes.
This adds basic support for events. For now we skip them and wait until
the expected QMP command response arrives.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
rm fails if a symlink exists but points to a nonexistent location.
remote_device_proxy uses localhost for Android WFH connection.
Allow ssh-rsa not only from getSerialPortOutput(), but also from Run().
OpenSSH 8.8 release disables RSA signatures using the SHA-1 hash
algorithm by default.
Sadly, the ssh-serialport.googleapis.com:9600 uses the deprecated
algorithm for host-key. The end-point identifies itself as:
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
...
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
This should be fixed on the server side, but for now I added a
workaround of enabling this deprecated algorithm.
A user has reported the following crash:
panic: runtime error: invalid memory address or nil pointer dereference
goroutine 1021 [running]:
github.com/google/syzkaller/vm/qemu.(*instance).qmp()
vm/qemu/qmp.go:96 +0x1c9
github.com/google/syzkaller/vm/qemu.(*instance).hmp()
vm/qemu/qmp.go:115 +0xbd
github.com/google/syzkaller/vm/qemu.(*instance).Diagnose()
vm/qemu/qemu.go:662 +0x18d
The qmp function accesses resp even if doQmp returns an error,
and doQmp can return a nil resp in this case if inst.monEnc.Encode fails.
Don't access resp if an error is returned. The only caller, hmp,
does not use the returned object if an error is returned.
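An added example, not syzkaller's own vm/qemu code, that covers both QMP points from the commits above: QEMU interleaves asynchronous events (and the connect greeting) with command replies on the same stream, so a reader has to skip them until a reply arrives; and a send failure must yield a nil reply together with an error, so that a caller such as hmp checks the error before dereferencing the reply. The message shapes follow the QMP wire format; the transcript, the client type and function names, and the brokenWriter are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sampleQMPStream is a constructed monitor transcript: the greeting QEMU sends on
// connect, a RESUME event that arrives between our command and its reply, and
// finally the reply to a human-monitor-command.
const sampleQMPStream = `{"QMP": {"version": {"qemu": {"micro": 0, "minor": 2, "major": 6}}, "capabilities": ["oob"]}}
{"event": "RESUME", "timestamp": {"seconds": 1700000000, "microseconds": 12}}
{"return": "RAX=0000000000000000 RBX=0000000000000001"}
`

// qmpMessage covers the wire fields needed to classify a message: a greeting
// carries "QMP", an event carries "event", a command reply carries "return" or "error".
type qmpMessage struct {
	Greeting json.RawMessage        `json:"QMP,omitempty"`
	Event    string                 `json:"event,omitempty"`
	Return   json.RawMessage        `json:"return,omitempty"`
	Error    map[string]interface{} `json:"error,omitempty"`
}

type qmpClient struct {
	dec    *json.Decoder
	enc    *json.Encoder
	Events []string // events skipped while waiting for replies, kept for diagnostics
}

func newQMPClient(r io.Reader, w io.Writer) *qmpClient {
	return &qmpClient{dec: json.NewDecoder(r), enc: json.NewEncoder(w)}
}

// readReply consumes messages until a command reply arrives. Greetings and events
// share the stream with replies, so they are skipped instead of being parsed as replies.
func (c *qmpClient) readReply() (*qmpMessage, error) {
	for {
		var msg qmpMessage
		if err := c.dec.Decode(&msg); err != nil {
			return nil, fmt.Errorf("qmp: read reply: %w", err)
		}
		switch {
		case msg.Greeting != nil:
			continue
		case msg.Event != "":
			c.Events = append(c.Events, msg.Event)
			continue
		case msg.Error != nil:
			return &msg, fmt.Errorf("qmp: command failed: %v", msg.Error["desc"])
		}
		return &msg, nil
	}
}

// doQMP sends one command and waits for its reply. On a send failure the reply is
// nil, so callers must check err before dereferencing the result.
func (c *qmpClient) doQMP(cmd map[string]interface{}) (*qmpMessage, error) {
	if err := c.enc.Encode(cmd); err != nil {
		return nil, fmt.Errorf("qmp: send: %w", err)
	}
	return c.readReply()
}

// hmp runs a human-monitor command through QMP and returns its text output.
func (c *qmpClient) hmp(cmd string) (string, error) {
	resp, err := c.doQMP(map[string]interface{}{
		"execute":   "human-monitor-command",
		"arguments": map[string]interface{}{"command-line": cmd},
	})
	if err != nil {
		return "", err // resp may be nil here; never touch it on the error path
	}
	var out string
	if err := json.Unmarshal(resp.Return, &out); err != nil {
		return "", fmt.Errorf("qmp: decode hmp output: %w", err)
	}
	return out, nil
}

// brokenWriter simulates a monitor socket that has gone away (constructed).
type brokenWriter struct{}

func (brokenWriter) Write([]byte) (int, error) { return 0, errors.New("monitor socket closed") }

func main() {
	c := newQMPClient(strings.NewReader(sampleQMPStream), io.Discard)
	out, err := c.hmp("info registers")
	fmt.Printf("out=%q err=%v skipped events=%v\n", out, err, c.Events)

	// With a dead socket doQMP returns (nil, err); hmp must not dereference resp.
	c2 := newQMPClient(strings.NewReader(""), brokenWriter{})
	_, err = c2.hmp("info registers")
	fmt.Println("dead socket:", err)
}
```

The events are recorded rather than dropped silently: when a VM reset or stop shows up while a Diagnose call is in flight, the list of skipped events is often the first hint of why the reply looked odd.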
These messages are of relevance to debugging problems on syz-ci's side,
but due to log level 1 they are not saved to logs by default. Set their
log level to 0.
This way users don't have to overwrite qemu_args in their configs.
On Android 12+ debugfs gets unmounted after boot. This remounts it as
part of reset.
Currently syzkaller only applies its suppressions regexps to the oops message
itself and a small number of its preceding bytes. A case has been reported
(#2685), where it was important to analyse a bigger portion of output data.
Pass the whole log and a starting position to the `Report.Parse` method
separately instead of passing an already cut log there. Adjust use cases of
the `Report.Parse` method to handle its new behavior.
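An added example, not syzkaller's pkg/report code, of the interface change described above: parse receives the whole log plus the offset from which to search, keeps report offsets absolute, and runs the suppression regexps over a configurable amount of preceding output instead of a fixed short tail. The console log, the regexps, the Report type and the 64-byte "old" window are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Constructed console log. The line a suppression is written against sits several
// lines (well over a hundred bytes) before the oops it explains.
const sampleLog = `[   12.001] syz-executor: executing program 3
[   12.120] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[   12.340] usb 1-1: config 0 descriptor has invalid length, skipping
[   12.341] usb 1-1: device descriptor read/64, error -71
[   12.342] usb 1-1: retrying with a fresh allocation
[   12.343] usb 1-1: unable to enumerate after 3 attempts
[   12.500] ------------[ cut here ]------------
[   12.501] WARNING: CPU: 0 PID: 1234 at drivers/usb/core/hub.c:999 hub_event
[   12.502] Call Trace:
[   12.503]  hub_event+0x1a/0x20
[   12.504] ---[ end trace ]---
`

// oopsRe and endRe only need to recognize the constructed WARNING report; a real
// parser matches many more crash formats.
var (
	oopsRe = regexp.MustCompile(`WARNING: CPU: \d+ PID: \d+ at `)
	endRe  = regexp.MustCompile(`---\[ end trace \]---\n`)
)

type Report struct {
	Title      string
	Start, End int // byte offsets of the report within the log handed to parse
	Suppressed bool
}

// parse is handed the whole log plus the offset from which to look for an oops
// (instead of a log already cut at that offset). Suppressions are matched against
// log[lineStart-lookBack:End]; lookBack < 0 means all of the preceding log.
func parse(log []byte, minStart int, supps []*regexp.Regexp, lookBack int) *Report {
	if minStart < 0 || minStart > len(log) {
		return nil
	}
	loc := oopsRe.FindIndex(log[minStart:])
	if loc == nil {
		return nil
	}
	start := minStart + loc[0]
	titleEnd := len(log)
	if nl := bytes.IndexByte(log[start:], '\n'); nl >= 0 {
		titleEnd = start + nl
	}
	end := len(log)
	if e := endRe.FindIndex(log[start:]); e != nil {
		end = start + e[1]
	}
	rep := &Report{Title: string(log[start:titleEnd]), Start: start, End: end}

	// The suppression window is counted back from the beginning of the report's line.
	lineStart := bytes.LastIndexByte(log[:start], '\n') + 1
	from := 0
	if lookBack >= 0 && lineStart > lookBack {
		from = lineStart - lookBack
	}
	region := log[from:end]
	for _, re := range supps {
		if re.Match(region) {
			rep.Suppressed = true
			break
		}
	}
	return rep
}

func main() {
	supps := []*regexp.Regexp{regexp.MustCompile(`usb 1-1: config 0 descriptor has invalid length`)}
	log := []byte(sampleLog)
	narrow := parse(log, 0, supps, 64) // report plus a short tail of preceding output
	wide := parse(log, 0, supps, -1)   // everything from the start of the log
	fmt.Printf("%q\n  tail-only suppressed=%v, whole-log suppressed=%v\n",
		wide.Title, narrow.Suppressed, wide.Suppressed)
}
```

Because the offsets are absolute, a caller that walks a log for several reports passes the previous report's End as the next minStart and never has to re-slice the buffer or translate positions back.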
Currently a number of report post-processing activities are implemented as a
decorator over the interface that defines OS-specific implementations.
Following exactly the same interface is too restrictive in this case as adding
extra parameters to the post-processing forces the developer to adjust all
implementations that may not need these parameters at all.
Untie the wrapper from the Reporter interface. Use a package-private
reporterImpl interface for the OS-specific implementations, while having an
exported Reporter structure. Make sure that Reporter is stored and
passed as a pointer.
"make generate" produces this diff when go 1.17 (go1.17-c95464f0ea3f==upstream)
is used. Seems compatible with >=1.16.
https://github.com/golang/go/commit/4d2d89ff42ca documents the syntax.
https://github.com/golang/go/commit/eeadce2d8713 enforces "ignore" for
unsatisfiable tags hence the pkg/csource/gen.go change.
Signed-off-by: Alexey Kardashevskiy <aik@linux.ibm.com>
Let's stop instances with "runsc kill" instead of killing sandbox
processes. This will guarantee that ongoing rpc calls will not fail with
unexpected errors.
Reported-by: syzbot+084fca334720887441e7@syzkaller.appspotmail.com
Qemu emits the following message when using the short form:
warning: short-form boolean option 'server' deprecated
-chardev", fmt.Sprintf("socket,id=SOCKSYZ,server=on
The repair script can bring the device out of crash mode.
Don't pass cmdline arguments that are not needed for basic operation.
We used to enforce too many cmdline args that are really up to user.
Users may not want panic_on_warn, or KVM configuration is really up to user
(should be setup the way it's setup in real targets of interest).
Leave all these args to user. CONFIG_CMDLINE is the right way for user
to configure default args.
This reverts commit 69a06ca2b532ff4021a43fdead4e2ac1452a44c0.
The PC returned for a dynamically loaded kernel module (DLKM) is not
parsed in the coverage page.
So this commit uses the DLKM modules' load address
to restore the PC and show coverage data of the DLKM.
As the load address is written in the cfg file, KASLR
needs to be disabled.
For the linux target, the load address is obtained from
/proc/modules during instance setup.
For either the manual or the auto address setting case,
name and path are needed in the config kernel_modules, where
name is the module name on the target,
path is the module's unstripped object path on the host, and
addr is the decimal value of the module load address on the target.
Example of config:
    "kernel_modules": [
        {
            "name": "nf_nat",
            "path": "/usr/src/linux-source/net/netfilter/nf_nat.ko",
            "addr": 18446744072637911040
        }
    ]
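An added example, not the project's code, of the config fragment above in use: it parses the kernel_modules entry, cross-checks the configured decimal addr against a constructed /proc/modules excerpt (the auto-detection source for the linux target), warns when the two disagree as they would with KASLR still enabled, and restores a PC to module name plus offset from the load address. The type and function names are assumptions made for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed /proc/modules excerpt. Fields: name size refcount deps state address.
const sampleProcModules = `nf_nat 57344 2 nf_nat_ipv4,xt_nat, Live 0xffffffffc0201000
xt_nat 16384 0 - Live 0xffffffffc0300000
`

// Constructed config fragment in the shape of the kernel_modules entry above.
const sampleConfig = `{"kernel_modules": [
  {"name": "nf_nat", "path": "/usr/src/linux-source/net/netfilter/nf_nat.ko", "addr": 18446744072637911040}
]}`

type KernelModule struct {
	Name string `json:"name"`
	Path string `json:"path"` // unstripped .ko on the host
	Addr uint64 `json:"addr"` // load address on the target, decimal in JSON
	Size uint64 `json:"-"`    // only known from /proc/modules
}

func parseConfig(data []byte) ([]KernelModule, error) {
	var cfg struct {
		KernelModules []KernelModule `json:"kernel_modules"`
	}
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("config: %w", err)
	}
	return cfg.KernelModules, nil
}

// parseProcModules reads the live load addresses and sizes from the target.
func parseProcModules(text string) (map[string]KernelModule, error) {
	mods := map[string]KernelModule{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			return nil, fmt.Errorf("/proc/modules: malformed line %q", sc.Text())
		}
		size, err := strconv.ParseUint(f[1], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("/proc/modules: bad size in %q: %w", sc.Text(), err)
		}
		addr, err := strconv.ParseUint(f[5], 0, 64) // base 0 accepts the 0x prefix
		if err != nil {
			return nil, fmt.Errorf("/proc/modules: bad address in %q: %w", sc.Text(), err)
		}
		mods[f[0]] = KernelModule{Name: f[0], Size: size, Addr: addr}
	}
	return mods, sc.Err()
}

// mergeModules takes name and path from the config, size and address from the target,
// and reports modules whose configured address differs from the live one: that is
// what a target with KASLR still enabled looks like, and PCs restored with the stale
// address would land on the wrong source lines.
func mergeModules(cfg []KernelModule, live map[string]KernelModule) ([]KernelModule, []string) {
	var warnings []string
	out := make([]KernelModule, 0, len(cfg))
	for _, m := range cfg {
		l, ok := live[m.Name]
		if !ok {
			warnings = append(warnings, fmt.Sprintf("%s: not loaded on target", m.Name))
			continue
		}
		if m.Addr != 0 && m.Addr != l.Addr {
			warnings = append(warnings, fmt.Sprintf("%s: config addr 0x%x differs from live addr 0x%x (is KASLR disabled?)",
				m.Name, m.Addr, l.Addr))
		}
		m.Addr, m.Size = l.Addr, l.Size
		out = append(out, m)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Addr < out[j].Addr })
	return out, warnings
}

// resolvePC finds the module containing pc and returns the offset from its load
// address, which is what gets symbolized against the unstripped object at Path.
func resolvePC(mods []KernelModule, pc uint64) (*KernelModule, uint64, bool) {
	i := sort.Search(len(mods), func(i int) bool { return mods[i].Addr > pc })
	if i == 0 {
		return nil, 0, false
	}
	m := mods[i-1]
	if pc >= m.Addr+m.Size {
		return nil, 0, false
	}
	return &m, pc - m.Addr, true
}

func main() {
	cfg, err := parseConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	live, err := parseProcModules(sampleProcModules)
	if err != nil {
		panic(err)
	}
	mods, warnings := mergeModules(cfg, live)
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
	if m, off, ok := resolvePC(mods, 0xffffffffc0201000+0x1234); ok {
		fmt.Printf("pc in %s (%s) at offset 0x%x\n", m.Name, m.Path, off)
	}
}
```

The decimal addr in the config is 0xffffffffc0201000, so the constructed /proc/modules line agrees with it and no warning fires; change either side and mergeModules flags the mismatch instead of silently restoring PCs with a wrong base.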
For context see:
https://groups.google.com/g/syzkaller/c/NBCGPtkMTWs/m/jVZnTnWcAgAJ
Restrict access to the external network from within the VM
and access to VM SSH to local interface only.
Fixes #332
We used to use empty ssh key as indication to use the GCE magic,
but this conflicts with using no ssh key at all (empty password).
Use string "GCE" instead to enable GCE magic.
Significant portion of oopses with qemu emulation gets truncated.
Hard to say if we don't wait long enough or there is something else,
but scaling "wait for output" timeout seems reasonable regardless.
ARM only supports virtio-net-device and virtio-rng-device
and the new way of passing image file.
Increase ssh wait timeout according to the target slowdown.
Add sys/targets.Timeouts struct that parametrizes timeouts throughout the system.
The struct allows controlling syscall/program/no-output timeouts for OS/arch/VM/etc.
See comment on the struct for more details.
We don't need indirection via strings to declare executingProgram var.
Users should not be concerned with the internal derived fields.
Move all derived fields into a separate struct before adding more.
This leaves config.go as a better documentation for end users.
For context see the discussion at:
https://groups.google.com/g/syzkaller/c/ruwaYUvwHTw/m/E9Cg9OfvAgAJ
The way to diagnose generally depends on the issue.
E.g. do we need register dump to debug this issue?
Do we need host dmesg dump? Some diagnosis may be
directly specific to a particular problem (e.g. dumping
a particular debugfs/procfs file).
Pass Report to Diagnose to make this possible.
The "no output" handling mostly duplicates extractError logic
(with open-coded report.VMDiagnosisStart).
Deduplicate this logic.
MSI-X support is mandatory for any PCI device on s390x but
virtio-rng-pci doesn't support it.
Fixes the following error on s390x:
qemu-system-s390x: -device virtio-rng-pci: MSI-X support is mandatory in the S390 architecture
The problem was introduced in commit 36e8b020 ("vm/qemu: enable virtio-rng-pci").
Signed-off-by: Alexander Egorenkov <Alexander.Egorenkov@ibm.com>
* Collecting kernel logs with dmesg over ssh doesn't work well and
sometimes we miss call traces when a crash occurs. Getting the kernel
log from a virtual serial port is much more effective.
* Creating linked clone VMs is faster than full clone VMs but it
requires snapshot management and this will bring more complexity to
syzkaller. Keep it simple and create full clone VMs for now.
* Use host-only networking because the VM gets its IP faster that way
Can help with entropy initialization during boot
and can be tested as /dev/hwrng as well.
Everybody except for fuchsia uses /.
Does not make sense to repeat for everybody.
Add a new configuration variable to specify number of bhyve VM vCPUs
We use strings to identify OS/Arch.
These strings are duplicated throughout the code base massively.
golangci-lint points to the possibility of typos and duplication.
We already had to define these names in pkg/csource
and disable checking for prog package. A future change triggers
such warnings in another package.
Add OS/Arch name consts to sys/targets so that they can be used
to refer to OS/Arch. Use the consts everywhere.
compiler says:
vm/qemu/qemu.go:501:49: conversion from int to string yields a string
of one rune, not a string of digits (did you mean fmt.Sprint(x)?)