Arm + KASAN + syzbot

Dmitry Vyukov dvyukov at google.com
Tue Jan 19 13:57:16 EST 2021


On Tue, Jan 19, 2021 at 1:37 PM Russell King - ARM Linux admin
<linux at armlinux.org.uk> wrote:
>
> On Tue, Jan 19, 2021 at 01:05:11PM +0100, Dmitry Vyukov wrote:
> > Yes, I used the qemu -dtb flag.
> >
> > I tried to use CONFIG_ARM_APPENDED_DTB because it looks like a very
> > nice option. However, I couldn't make it work.
> > I enabled:
> > CONFIG_ARM_APPENDED_DTB=y
> > CONFIG_ARM_ATAG_DTB_COMPAT=y
> > # CONFIG_ARM_ATAG_DTB_COMPAT_CMDLINE_FROM_BOOTLOADER is not set
> > CONFIG_ARM_ATAG_DTB_COMPAT_CMDLINE_EXTEND=y
> > and removed qemu -dtb flag and I see:
> >
> > Error: invalid dtb and unrecognized/unsupported machine ID
> >   r1=0x000008e0, r2=0x80000100
> >   r2[]=05 00 00 00 01 00 41 54 01 00 00 00 00 10 00 00
>
> Right, r2 now doesn't point at valid DT, but points to an ATAG list.
>
> The decompressor should notice that, and fix up the appended DTB.
>
> I assume you concatenated the zImage and the appropriate DTB and
> passed _that_ as the kernel to qemu?

Mkay, I didn't. I assumed kbuild would do this for me.

Appending dtb works, but not completely. I did:

cp arch/arm/boot/zImage arch/arm/boot/zImage.dtb
cat arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb >> arch/arm/boot/zImage.dtb

Now I have:
ls -l arch/arm/boot/zImage* arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb
-rw-r----- 1 dvyukov primarygroup    13209 Jan 14 13:41 arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb
-rwxr-x--- 1 dvyukov primarygroup 33712008 Jan 19 16:55 arch/arm/boot/zImage
-rwxr-x--- 1 dvyukov primarygroup 33725217 Jan 19 18:57 arch/arm/boot/zImage.dtb

Using "-kernel arch/arm/boot/zImage -dtb
arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb" fully works.
Using just "-kernel arch/arm/boot/zImage" does not work, no output
from qemu whatsoever (expected).
But using just "-kernel arch/arm/boot/zImage.dtb" gives an interesting
effect. Kernel starts booting, I see console output up to late init
stages, but then it can't find the root device.
So appended dtb works... but only in half. Are the names of block devices
something that's controlled by the dtb?

[   89.140285][    T1] VFS: Cannot open root device "vda" or unknown-block(0,0): error -6
[   89.144547][    T1] Please append a correct "root=" boot option; here are the available partitions:
[   89.146058][    T1] 0100            4096 ram0
[   89.146295][    T1]  (driver?)
[   89.147537][    T1] 0101            4096 ram1
[   89.147740][    T1]  (driver?)
[   89.148948][    T1] 0102            4096 ram2
[   89.149150][    T1]  (driver?)
[   89.150296][    T1] 0103            4096 ram3
[   89.150497][    T1]  (driver?)
[   89.152714][    T1] 0104            4096 ram4
[   89.152920][    T1]  (driver?)
[   89.154198][    T1] 0105            4096 ram5
[   89.154401][    T1]  (driver?)
[   89.155609][    T1] 0106            4096 ram6
[   89.155811][    T1]  (driver?)
[   89.157020][    T1] 0107            4096 ram7
[   89.157221][    T1]  (driver?)
[   89.158507][    T1] 0108            4096 ram8
[   89.158708][    T1]  (driver?)
[   89.159907][    T1] 0109            4096 ram9
[   89.160109][    T1]  (driver?)
[   89.163842][    T1] 010a            4096 ram10
[   89.164055][    T1]  (driver?)
[   89.165300][    T1] 010b            4096 ram11
[   89.165502][    T1]  (driver?)
[   89.166705][    T1] 010c            4096 ram12
[   89.166906][    T1]  (driver?)
[   89.168131][    T1] 010d            4096 ram13
[   89.168341][    T1]  (driver?)
[   89.169551][    T1] 010e            4096 ram14
[   89.169753][    T1]  (driver?)
[   89.170957][    T1] 010f            4096 ram15
[   89.172047][    T1]  (driver?)
[   89.175569][    T1] 1f00          131072 mtdblock0
[   89.175801][    T1]  (driver?)
[   89.177051][    T1] 1f01           32768 mtdblock1
[   89.177256][    T1]  (driver?)
[   89.178481][    T1] 1f02             128 mtdblock2
[   89.178685][    T1]  (driver?)


Just in case, that's v5.11-rc4 with this config:
https://gist.githubusercontent.com/dvyukov/aeb69235ff37a3d48c1a8a74c2fad162/raw/b37273ba14306d4ca2e2fffc07af41c759e092b7/gistfile1.txt
and this qemu command line:

qemu-system-arm -machine vexpress-a15 -cpu max -smp 2 -m 2G \
    -device virtio-blk-device,drive=hd0 \
    -drive if=none,format=raw,id=hd0,file=image-arm -snapshot \
    -kernel arch/arm/boot/zImage.dtb \
    -nographic \
    -netdev user,host=10.0.2.10,hostfwd=tcp::10022-:22,id=net0 \
    -device virtio-net-device,netdev=net0 \
    -append "earlyprintk=serial oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb kvm-intel.nested=1 nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 spec_store_bypass_disable=prctl numa=fake=2 nopcid dummy_hcd.num=8 binder.debug_mask=0 rcupdate.rcu_expedited=1 root=/dev/vda console=ttyAMA0 vmalloc=512M watchdog_thresh=165 workqueue.watchdog_thresh=420"
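The cp/cat procedure above is what CONFIG_ARM_APPENDED_DTB expects: the decompressor looks for the flattened device tree magic (0xd00dfeed) immediately past the end of the zImage and uses the totalsize field of that header to find how much to copy. The following is an added example, not code from the mail or from the kernel tree, that performs the concatenation and checks those two invariants first, so that a truncated or mislabelled .dtb is caught before the guest prints "invalid dtb". File names are placeholders; the mail used arch/arm/boot/zImage and arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb.

```shell
#!/bin/sh
# Added example (not from the original mail): append a DTB to a zImage
# for CONFIG_ARM_APPENDED_DTB and verify the result. POSIX sh, od, wc, cat.

FDT_MAGIC=3490578157   # 0xd00dfeed, the flattened device tree header magic

# Print the 32-bit big-endian word at byte offset $2 of file $1, in decimal.
be32_at() {
    od -An -t u1 -j "$2" -N 4 "$1" | {
        read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# Succeed only if $1 is a complete flattened device tree: correct magic,
# and the header's totalsize matches the file size (a truncated .dtb would
# be silently mis-parsed by the decompressor).
check_dtb() {
    dtb=$1
    size=$(wc -c < "$dtb")
    [ "$size" -ge 8 ] || { echo "$dtb: too short for an FDT header" >&2; return 1; }
    magic=$(be32_at "$dtb" 0)
    total=$(be32_at "$dtb" 4)
    [ "$magic" -eq "$FDT_MAGIC" ] || { echo "$dtb: bad FDT magic $magic" >&2; return 1; }
    [ "$total" -eq "$size" ] || { echo "$dtb: totalsize $total != file size $size" >&2; return 1; }
    return 0
}

# Write zImage $1 followed by DTB $2 to $3 (the same thing as the mail's
# cp + cat), then confirm the FDT magic sits exactly at the old end of the
# zImage, which is where the decompressor will look for it. Prints $3.
append_dtb() {
    zimage=$1 dtb=$2 out=$3
    check_dtb "$dtb" || return 1
    zsize=$(wc -c < "$zimage")
    dsize=$(wc -c < "$dtb")
    cat "$zimage" "$dtb" > "$out" || return 1
    [ "$(be32_at "$out" "$zsize")" -eq "$FDT_MAGIC" ] ||
        { echo "$out: FDT magic not found at offset $zsize" >&2; return 1; }
    [ "$(wc -c < "$out")" -eq $(( zsize + dsize )) ] ||
        { echo "$out: unexpected size" >&2; return 1; }
    echo "$out"
}

# Usage (paths as in the mail):
#   append_dtb arch/arm/boot/zImage arch/arm/boot/dts/vexpress-v2p-ca15-tc1.dtb arch/arm/boot/zImage.dtb
```

A caveat worth keeping in mind when the appended image then fails to find /dev/vda: QEMU's vexpress board model (hw/arm/vexpress.c, vexpress_modify_dtb) patches a DTB handed to it via -dtb to add virtio-mmio nodes for the virtio devices given on the command line. A DTB appended to the zImage is opaque to QEMU, so the guest boots from the unmodified upstream vexpress-v2p-ca15-tc1.dtb, which describes the board's flash (the mtdblock devices listed) but no virtio transport for virtio-blk-device.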
