Alarm!, repro is not working, I'm blocked

 One of the initial tasks when you start working in the Linux Kernel as a newbie is fixing errors. To fix errors the way to go is pick an error from the syzkaller

 

I'll try to add here some tricks to help you work with less headaches based in my own headaches :

 

  1. The basic step to reproduce the error is run the repro C program that it's provided in the page of the selected error. The problem I had is after some successful tries to reproduce the error suddenly it didn't work anymore. I was able to run the program but it ends and with no error.
    1. What I've found is that the sandbox folder for the repro already exists and that caused the problem.
      1. The solution was as easy as to delete the syz-tmp folder in the image you're using to run your kernel and reproduce the error.

These two command in the host I use to run inside the qemu: 

scp -i ~/LF/syz/syzkaller/trixie.id_rsa -P 10021 -o UserKnownHostsFile=/dev/null  -o StrictHostKeyChecking=no -o IdentitiesOnly=yes ./repro root@127.0.0.1:/root/
ssh -i ~/LF/syz/syzkaller/trixie.id_rsa -p 10021 -o UserKnownHostsFile=/dev/null  -o StrictHostKeyChecking=no -o IdentitiesOnly=yes root@127.0.0.1 'chmod +x ./repro && ./repro'
 

 The output you expect is:



executing program                               
executing program                         
executing program                                                                                                     
executing program       
executing program
executing program                                                                                                     
executing program
executing program
executing program                              
executing program                          
executing program                              
executing program                            
executing program                             


 

 But in case of and already existing syz-tmp you'll just see the program exit (and some debug from the scp,etc commands but nothing from the repro )



Warning: Permanently added '[127.0.0.1]:10021' (ED25519) to the list of known hosts.
repro.c                                                                                                                                                                                                   100%   43KB   4.2MB/s   00:00    
Warning: Permanently added '[127.0.0.1]:10021' (ED25519) to the list of known hosts.
repro                                                                                                                                                                                                     100%   43KB   3.7MB/s   00:00    
Warning: Permanently added '[127.0.0.1]:10021' (ED25519) to the list of known hosts.
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8): No such file or directory
 
 
So I just login the qmeu vm and delete the folder and continue to debug/fix the issue 
syzkaller login: root
Linux syzkaller 6.13.0-rc7-00039-gc3812b15000c-dirty #10 SMP PREEMPT_DYNAMIC Sat Sep 20 22:15:26 CEST 2025 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@syzkaller:~# pwd
/root
root@syzkaller:~# ls
repro  repro.c  syz-tmp
root@syzkaller:~# rm -rf syz-tmp/
 

 

 

About my basic setup I used: 

I run the kernel I compile with the .config downloaded from syzkaller with this command

 

qemu-system-x86_64 \
-m 2G \
-smp 2 \
-kernel "~/LF/linux_work/linux_mainline/arch/x86/boot/bzImage" \
-append "root=/dev/sda console=ttyS0 earlyprintk=serial net.ifnames=0" \
-drive file="~/LF/syz/syzkaller/trixie.img",format=raw \
-net user,host=10.0.2.10,hostfwd=tcp::10021-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-s   
 

So the trixie.img is not the one you download from syzkaller with the kernel included as you need to compile you own kernel (and add your path to the bzImage) with the fixed you develop. A better explanation of how to download and create the image with the create-image.sh script that also will create the public/private keys needed to login in the qemu vm.

Comments

Post a Comment

Popular posts from this blog

I need a i386 kernel.

 Long time ago everything changed to 64bits for the most common architectures like x86 and arm.  We just don't remember i386 but sometimes we need to build an old 32bits .   What I need to build an i386 (how I did it) The toolchain for the i386 Tell the kernel build system that we want an architecture different from default (which now is 64bits)   That's it , in fact the linux kernel build systems is used to build several different architectures so this exercise is nothing for this beast.   I'll add the commands for my OpenSuse , for other distros it should be very similar sudo zypper in cross-i386-binutils   export ARCH=i386 ;time make LLVM=1 -j$(nproc) all CC='ccache clang'   You can check that the binary is one of 32bits architecture with the file command   $file arch/x86/boot/bzImage arch/x86/boot/bzImage: Linux kernel x86 boot executable, bzImage, version 6.16.0-rc1-dirty (jg@dell) #28 SMP PREEMPT_DYNAMIC Sat Oct ...
Read more

End of the Mentorship start of new journey

 The short Mentorship reaches its end , it used to be 6 months long but in this case it was a compressed 3 months one. The experience started with an initial filter based in a very good training available freely in the Linux Foundation site,  I think it worth mention because that Beginners' Guide to Linux Kernel  has everything you need to do your first commit. Even there are others resources in Linux Foundation that are not free, I think this is the only one you need to start.  Then started the real mentorship and the hurry to get your target of at least 5 accepted patches and that's a bit stressful:   first you start with  syzkaller   a great tool leverage from Google to run fuzzy testing. It's a really astonishing thing because give you the kernel and the C code to reproduce the issue ... or it should because not always you get the `reproducer` (how it's called that C code to reproduce the issue) . Check this blog entry for a really good guide on h...
Read more

My kernel is building ... after 1h `make` exits with no error

Image
 arghhhhh ... after so much time building all the sources the vmlinux is not created.   I did repeat the process after a make clean and an extra hour ... but again no vmlinux     The kernel build process has several steps like creating .o from .c and .h files but then objtool will do an static analysis of the generated object.   The problem comes at the end when the biggest vmlinux object must be analyzed with objtool and if options like  CONFIG_DEBUG_INFO the number DWARF data increases and eveything blows.   How much memory you'll need ... in my case with a 16GB laptop needed to add swap to allow generate finally the vmlinux  .   In the image you can see objtool with 79.93% of the memory , so aprox 12GB of ram     
Read more