syzbot android crashes reappearance #5960


Open
HantaoGG opened this issue Apr 22, 2025 · 4 comments
@HantaoGG

I started from this [url](https://syzkaller.appspot.com/bug?extid=c26098f86bd66cd83749) and tried to replicate the environment. This is a reproduction of a vulnerability environment for Android.
I downloaded the disk image, vmlinux, and kernel image with commit number 5e1b899f19c3 and tried multiple qemu boot combinations.
I've read the [link](https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md) you gave me, but I'm still having problems actually starting the environment.
Here's the command I ran and how it behaved. It ends up rebooting.

```shell
qemu-system-x86_64 -drive file=disk-5e1b899f.raw,format=raw -m 8G -enable-kvm -net nic -net user -smp 8 -kernel bzImage-5e1b899f -append "root=/dev/sda1"  -serial mon:stdio
```

The logs follow:

[   17.188254][    T1] Loading compiled-in X.509 certificates
[   17.192447][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
[   17.193041][  T105] cryptomgr_probe (105) used greatest stack depth: 28000 bytes left
[   17.294443][    T1] Key type .fscrypt registered
[   17.343611][    T1] Key type fscrypt-provisioning registered
[   17.348223][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   17.352645][    T1] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   17.383316][    T1] cfg80211: Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[   17.399440][   T81] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   17.403897][   T81] cfg80211: failed to load regulatory.db
[   17.406053][    T1] Unstable clock detected, switching default tracing clock to "global"
[   17.406053][    T1] If you want to keep using the local clock, then add:
[   17.406053][    T1]   "trace_clock=local"
[   17.406053][    T1] on the kernel command line
[   17.431990][    T1] clk: Disabling unused clocks
[   17.433704][    T1] ALSA device list:
[   17.435035][    T1]   No soundcards found.
[   17.436694][    T1] Warning: unable to open an initial console.
[   17.439229][    T1] VFS: Cannot open root device "sda1" or unknown-block(0,0): error -6
[   17.442270][    T1] Please append a correct "root=" boot option; here are the available partitions:
[   17.493990][    T1] 0100            8192 ram0
[   17.494003][    T1]  (driver?)
[   17.496725][    T1] 0101            8192 ram1
[   17.496730][    T1]  (driver?)
[   17.499426][    T1] 0102            8192 ram2
[   17.499431][    T1]  (driver?)
[   17.502247][    T1] 0103            8192 ram3
[   17.502253][    T1]  (driver?)
[   17.504976][    T1] 0104            8192 ram4
[   17.504981][    T1]  (driver?)
[   17.570472][    T1] 0105            8192 ram5
[   17.570477][    T1]  (driver?)
[   17.573255][    T1] 0106            8192 ram6
[   17.573260][    T1]  (driver?)
[   17.575991][    T1] 0107            8192 ram7
[   17.575995][    T1]  (driver?)
[   17.578710][    T1] 0108            8192 ram8
[   17.578715][    T1]  (driver?)
[   17.599391][    T1] 0109            8192 ram9
[   17.599396][    T1]  (driver?)
[   17.602177][    T1] 010a            8192 ram10
[   17.602182][    T1]  (driver?)
[   17.604954][    T1] 010b            8192 ram11
[   17.604958][    T1]  (driver?)
[   17.607693][    T1] 010c            8192 ram12
[   17.607698][    T1]  (driver?)
[   17.610438][    T1] 010d            8192 ram13
[   17.610447][    T1]  (driver?)
[   17.672132][    T1] 010e            8192 ram14
[   17.672137][    T1]  (driver?)
[   17.674875][    T1] 010f            8192 ram15
[   17.674880][    T1]  (driver?)
[   17.677639][    T1] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[   17.680880][    T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.178-syzkaller-00034-g5e1b899f19c3 #0
[   17.682125][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   17.682125][    T1] Call Trace:
[   17.762745][    T1]  <TASK>
[   17.762745][    T1]  dump_stack_lvl+0x151/0x1c0
[   17.762745][    T1]  ? io_uring_drop_tctx_refs+0x190/0x190
[   17.762745][    T1]  dump_stack+0x15/0x20
[   17.762745][    T1]  panic+0x287/0x760
[   17.762745][    T1]  ? klist_next+0xd6/0x310
[   17.772147][    T1]  ? fb_is_primary_device+0xe0/0xe0
[   17.772147][    T1]  ? do_mount_root+0x162/0x300
[   17.772147][    T1]  mount_block_root+0x3b0/0x3c0
[   17.841433][    T1]  ? root_delay_setup+0x30/0x30
[   17.864213][    T1]  ? getname_kernel+0x1f8/0x2e0
[   17.864213][    T1]  mount_root+0x8a/0xb0
[   17.864213][    T1]  prepare_namespace+0x1ef/0x230
[   17.864213][    T1]  kernel_init_freeable+0x302/0x400
[   17.916608][    T1]  ? report_meminit+0x80/0x80
[   17.916608][    T1]  ? __kasan_check_write+0x14/0x20
[   17.916608][    T1]  ? recalc_sigpending+0x1a5/0x230
[   17.922076][    T1]  ? _raw_spin_unlock_irq+0x4e/0x70
[   17.922076][    T1]  ? rest_init+0x130/0x130
[   17.922076][    T1]  ? rest_init+0x130/0x130
[   17.922076][    T1]  kernel_init+0x1d/0x290
[   17.922076][    T1]  ? rest_init+0x130/0x130
[   18.020683][    T1]  ret_from_fork+0x1f/0x30
[   18.022055][    T1]  </TASK>
[   18.022055][    T1] Kernel Offset: disabled
[   18.022055][    T1] Rebooting in 86400 seconds..


@a-nogikh a-nogikh self-assigned this Apr 22, 2025
@a-nogikh
Collaborator

Indeed, it doesn't work for Android (*). Judging by the list of the available partitions, the kernel doesn't see the disk at all. Are the required configs not set in Android by default?..

-drive is a somewhat old qemu option, with -drive we could be more specific about what driver is to be used:

```shell
-device virtio-blk-pci,drive=myhd -drive file=disk-5e1b899f.raw,format=raw,if=none,id=myhd < ... > -append "root=/dev/vda1"
```

With the options above, it gets past the stage of mounting the filesystem, but then just silently hangs after:

[    2.739008][   T95] udevd[95]: starting version 3.2.11
[    2.750621][   T96] udevd[96]: starting eudev-3.2.11
[    3.796752][  T144] 8021q: adding VLAN 0 to HW filter on device eth0
[    3.806190][   T20] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    3.808177][    T8] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

(*) But it still works fine for the upstream Linux.

@a-nogikh
Collaborator

-drive file=disk-5e1b899f.raw,format=raw works if CONFIG_ATA and CONFIG_SATA_AHCI are set. But even then it hangs exactly like I described in the message above.

@a-nogikh
Collaborator

Okay, the difference between a bootable and non-bootable Android kernel is SERIAL_8250_RUNTIME_UARTS=4 vs SERIAL_8250_RUNTIME_UARTS=0

@HantaoGG
Author

HantaoGG commented May 5, 2025

Thanks for the suggestion. As you suggested, I found a config with SERIAL_8250_RUNTIME_UARTS=4 in its .config; it has commit number 88c4075c39ed. I downloaded the corresponding disk, bzImage and vmlinux and used the following qemu command:

```shell
qemu-system-x86_64 \
  -m 8G \
  -smp 8 \
  -kernel bzImage \
  -append "console=ttyS0 root=/dev/vda1 earlyprintk=serial net.ifnames=0" \
  -drive file=disk.raw,format=raw,if=none,id=myhd \
  -device virtio-blk-pci,drive=myhd \
  -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
  -net nic,model=e1000 \
  -enable-kvm \
  -nographic \
  -pidfile vm.pid \
  2>&1 | tee vm.log
```

It did boot normally, and I was able to see the kernel information when I logged in with the root account.


But this kernel doesn't seem to support an adb connection, so I tried connecting over ssh instead and found that this command works:

```shell
ssh -p 10021 [email protected]
```

Next, I tried to write a config for starting syzkaller's fuzzing:

```json
{
    "target": "linux/amd64",
    "http": "0.0.0.0:56741",
    "workdir": "/home/syzkaller/workplace/fuzzing/syzkaller/androiddir",
    "kernel_obj": "/home/syzkaller/workplace/test/88c4075c",
    "syzkaller": "/home/syzkaller/workplace/fuzzing/syzkaller",
    "procs": 4,
    "type": "qemu",
    "image": "/home/syzkaller/workplace/test/88c4075c/disk.raw",
    "vm": {
        "count": 4,
        "kernel": "/home/syzkaller/workplace/test/88c4075c/bzImage",
        "cpu": 2,
        "mem": 2048
    }
}
```

There seem to be two issues: the first is the previous issue, and the second is an SSH connection issue.


To solve the first problem, I added new parameters to the VM, and the result is as follows:

```json
{
    "target": "linux/amd64",
    "http": "0.0.0.0:56741",
    "workdir": "/home/syzkaller/workplace/fuzzing/syzkaller/androiddir",
    "kernel_obj": "/home/syzkaller/workplace/test/88c4075c",
    "syzkaller": "/home/syzkaller/workplace/fuzzing/syzkaller",
    "procs": 4,
    "type": "qemu",
    "image": "/home/syzkaller/workplace/test/88c4075c/disk.raw",
    "vm": {
        "count": 4,
        "kernel": "/home/syzkaller/workplace/test/88c4075c/bzImage",
        "cmdline": "root=/dev/vda1 console=ttyS0",
        "cpu": 2,
        "qemu_args": "-enable-kvm -drive file=/home/syzkaller/workplace/test/88c4075c/disk.raw,format=raw,if=none,id=myhd -device virtio-blk-pci,drive=myhd"
    }
}
```

Success, currently in fuzz testing, thanks for your prompt help.

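The thread above turns on two kernel-config facts: the disk is only visible through the legacy `-drive` path when CONFIG_ATA and CONFIG_SATA_AHCI are set (otherwise attach it as virtio-blk and boot with root=/dev/vda1), and a kernel with SERIAL_8250_RUNTIME_UARTS=0 hangs silently because nothing ever appears on console=ttyS0. The POSIX shell script below is an added example, not code from syzkaller or from anyone in this thread: it reads the `.config` that syzbot publishes next to each kernel, reports those two problems before any qemu is launched, and assembles a qemu command line in the shape of the working one from the final comment. The sample `.config` contents it generates are constructed for the example, and `disk.raw`, `bzImage` and the hostfwd port are placeholders.

```shell
#!/bin/sh
# Added example for this issue thread (not syzkaller code): derive a bootable
# qemu command line from a syzbot kernel .config. Sample configs below are
# constructed; disk.raw / bzImage are placeholder paths.

# config_value NAME FILE: print the value of CONFIG_NAME, empty if unset.
config_value() {
    sed -n "s/^CONFIG_$1=//p" "$2"
}

# config_on NAME FILE: succeed when CONFIG_NAME is =y or =m.
config_on() {
    case "$(config_value "$1" "$2")" in
        y|m) return 0 ;;
        *)   return 1 ;;
    esac
}

# console_ok FILE: succeed when the 8250 driver will register any ttyS port.
# SERIAL_8250_RUNTIME_UARTS=0 is the setting that made the Android kernel in
# this thread hang with no output on console=ttyS0.
console_ok() {
    n=$(config_value SERIAL_8250_RUNTIME_UARTS "$1")
    [ "${n:-0}" -gt 0 ]
}

# disk_opts FILE IMAGE: print qemu options that expose IMAGE as a disk the
# kernel can actually drive. Prefer virtio-blk (the combination that worked
# here); fall back to the plain -drive (IDE/AHCI) path only when the ATA
# stack is built. Fails when neither driver is present.
disk_opts() {
    if config_on VIRTIO_BLK "$1" && config_on VIRTIO_PCI "$1"; then
        echo "-drive file=$2,format=raw,if=none,id=myhd -device virtio-blk-pci,drive=myhd"
    elif config_on ATA "$1" && config_on SATA_AHCI "$1"; then
        echo "-drive file=$2,format=raw"
    else
        return 1
    fi
}

# root_dev FILE: the root= value that pairs with disk_opts.
root_dev() {
    if config_on VIRTIO_BLK "$1" && config_on VIRTIO_PCI "$1"; then
        echo /dev/vda1
    else
        echo /dev/sda1
    fi
}

# qemu_cmdline FILE IMAGE KERNEL: print the full command, or fail with a
# diagnosis of why the VM would not boot.
qemu_cmdline() {
    console_ok "$1" || { echo "no runtime 8250 UARTs: console=ttyS0 would stay silent" >&2; return 1; }
    d=$(disk_opts "$1" "$2") || { echo "neither virtio-blk nor ATA/AHCI: disk would not be seen" >&2; return 1; }
    printf 'qemu-system-x86_64 -m 2G -smp 2 -enable-kvm -nographic -kernel %s -append "console=ttyS0 root=%s earlyprintk=serial net.ifnames=0" %s -net user,hostfwd=tcp:127.0.0.1:10021-:22 -net nic,model=e1000\n' \
        "$3" "$(root_dev "$1")" "$d"
}

# make_sample FILE UARTS [CONFIG_X=y ...]: write a constructed mini .config.
make_sample() {
    f=$1; shift
    n=$1; shift
    {
        echo "CONFIG_SERIAL_8250=y"
        echo "CONFIG_SERIAL_8250_RUNTIME_UARTS=$n"
        for l in "$@"; do echo "$l"; done
    } > "$f"
}

# Demo: one config shaped like the hanging kernel, one like the booting one.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/hang.config" 0 CONFIG_VIRTIO_BLK=y CONFIG_VIRTIO_PCI=y
    make_sample "$tmp/boot.config" 4 CONFIG_VIRTIO_BLK=y CONFIG_VIRTIO_PCI=y
    qemu_cmdline "$tmp/hang.config" disk.raw bzImage || echo "hang.config rejected"
    qemu_cmdline "$tmp/boot.config" disk.raw bzImage
    rm -rf "$tmp"
}
demo
```

Point `qemu_cmdline` at the real `.config` from the syzbot asset list instead of the constructed samples; for a syz-manager setup, the `disk_opts` output is what goes into `qemu_args` and `root_dev` into `cmdline`, exactly as in the final config above.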
