compsec-snu / razzer

A Kernel fuzzer focusing on race bugs

Fuzzer not responding #8

Closed albigay closed 5 years ago

albigay commented 5 years ago

Hello,

After going through the process to get everything built and running, when I start syzkaller none of the fuzzers appear to be working.

~/razzer/tools/race-syzkaller/exp$ sudo -E ./run.sh --config configs/kernel/config
~/razzer/tools/qemu-2.5.0 ~/fast/razzer/tools/race-syzkaller/exp
[*] Rebuilding QEMU
VMLINUX:  ~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
HYPEADDR: 0xffffffff8031be1e
  CC    disas/i386.o
  CC    x86_64-softmmu/cpus.o
  CC    x86_64-softmmu/hypercall.o
  CC    x86_64-softmmu/kvm-all.o
  LINK  x86_64-softmmu/qemu-system-x86_64

~/fast/razzer/tools/race-syzkaller/exp
[*] KERNEL_VERSION: v4.17
[*] git: e289c23db10a60854a602a2c6ae7df8c449dce75 (master)
 kernels_repo                                                         | 2 +-
 scripts/install.sh                                                   | 2 +-
 scripts/kernel_version.lst                                           | 1 +
 scripts/qemu/install.sh                                              | 2 ++
 tools/llvmlinux/targets/x86_64/build-kernel.sh                       | 4 ++--
 tools/llvmlinux/targets/x86_64/configs/static_analysis_v4.8.mk       | 2 +-
 tools/race-syzkaller/exp/configs/kernel/config                       | 5 ++---
 tools/race-syzkaller/exp/partition-scripts/partitioned_analysis.sh   | 5 ++++-
 tools/race-syzkaller/exp/partition-scripts/run-partition-analysis.py | 1 +
 9 files changed, 15 insertions(+), 9 deletions(-)
[*] Running: syz-manager -config configs/kernel/config -v 0
2019/07/09 09:36:08 Suppress  option: 1
2019/07/09 09:36:08 RootCause  option: false
2019/07/09 09:36:08 Loading race candidate pairs...
2019/07/09 09:36:13 Loading suppressed mempair: 1148234
2019/07/09 09:36:14 Removed supp-ed mempair: 1158064
2019/07/09 09:36:14 Remaining mempair: 0
2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
2019/07/09 09:36:14 Initializing cover per mapping...
2019/07/09 09:36:14 Building Sparse race candidates...
2019/07/09 09:36:14 Total # of sparseRaceCandPairs: 0 (0)
2019/07/09 09:36:14 [*] loading corpus
2019/07/09 09:36:15 [+] loaded 1192 corpus programs (1192 total, 0 deleted)
2019/07/09 09:36:15 [*] loading racecorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from racecorpus
2019/07/09 09:36:15 [*] loading likelycorpus
2019/07/09 09:36:15 [-] No raceprog cand loaded from likelycorpus
2019/07/09 09:36:15 serving http on http://0.0.0.0:56741
2019/07/09 09:36:15 serving rpc on tcp://[::]:33495
2019/07/09 09:36:15 booting test machines...
2019/07/09 09:36:15 wait for the connection from test machine...
2019/07/09 09:36:36 received first connection from test machine fuzzer-9
2019/07/09 09:36:43 machine check: 1517 calls enabled, kcov=true, kleakcheck=false, faultinjection=false, comps=false
2019/07/09 09:36:45 #1 Fuzzer: exe 1 (1), sig 0 (0), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:45      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-2 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-7 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-14 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-11 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (fuzzer) fuzzer-0 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-1 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-15 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-4 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-5 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-12 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-9 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-8 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-6 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-10 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:45      [WARN] (sched) sched-13 is not responding (last poll was 9223372036.9 secs before)
2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:55      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:05 #3 Fuzzer: exe 2356 (785), sig 16653 (5551), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:05      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:15 #4 Fuzzer: exe 3504 (876), sig 17635 (4408), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:15      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:25 #5 Fuzzer: exe 4438 (887), sig 17963 (3592), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:37:25      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0
2019/07/09 09:37:28 [*] Sent all cands from corpusDB

#####

cat configs/kernel/config
{
  "target": "linux/amd64",
  "http": "0.0.0.0:56741",
  "workdir": "$PWD/workdir",
  "vmlinux": "$KERNEL_BUILD/vmlinux",
  "image": "$PWD/wheezy.img",
  "sshkey": "$PWD/ssh/id_rsa",
  "syzkaller": "$SYZKALLER_HOME/src/github.com/google/syzkaller",
  "procs": 1,
  "type": "qemu",
  "mempair":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mempair",
  "mapping":   "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/mapping",
  "callgraph": "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/callgraph",
  "distance":  "$SYZKALLER_HOME/exp/configs/kernel/partition/$KERNEL_VERSION/distance",
  "sandbox": "none",
  "vm": {
    "schedcount": 16,
    "count": 16,
    "kernel": "$KERNEL_BUILD/arch/x86/boot/bzImage",
    "cpu": 2,
    "mem": 8192,
    "qemu": "$QEMU_HOME/build/x86_64-softmmu/qemu-system-x86_64"
  }
}
lifeasageek commented 5 years ago

Not quite sure what happened, but looks like the fuzzer VM is not properly booted up. Have you created wheezy.img with public/private key pairs? This is something we haven't documented yet (will be updated soon).

If you did so, could you please check if you can boot up the VM using https://github.com/compsec-snu/razzer/blob/master/scripts/syzkaller/run-qemu.sh, and see if you can connect to it as well.

albigay commented 5 years ago

The VM appears to be good. I did have to set some environment variables that were needed by run-qemu.sh.

~/razzer$ sudo -E ./scripts/syzkaller/run-qemu.sh
WARNING: Image format was not specified for 'razzer/tools/race-syzkaller/exp/wheezy.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2]
qemu: could not load kernel '/arch/x86/boot/bzImage': No such file or directory
~/razzer$ echo $KERNEL

~/razzer$ echo $KERNEL_BUILD
~/razzer/tools/race-syzkaller/kernel-build/build-v4.17/
~/razzer$ export KERNEL=$KERNEL_BUILD
~/razzer$ sudo -E ./scripts/syzkaller/run-qemu.sh
WARNING: Image format was not specified for 'razzer/tools/race-syzkaller/exp/wheezy.img' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.80000001H:ECX.svm [bit 2]
early console in setup code
early console in extract_kernel
input_data: 0x00000000033e13b4
input_len: 0x0000000000bef3d3
output: 0x0000000000200000
output_len: 0x0000000002b12870
kernel_total_size: 0x0000000003df4000

Decompressing Linux... Parsing ELF... done.
Booting the kernel.
[    0.000000] Linux version 4.17 (host@hostname) (gcc version 7.3.0 (GCC) ) #1 SMP PREEMPT Mon Jul 8 08:36:48 EDT 2019
[    0.000000] Command line: console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ
[    0.000000] x86/fpu: Legacy x87 FPU detected.
[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007ffdffff] usable
[    0.000000] BIOS-e820: [mem 0x000000007ffe0000-0x000000007fffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[    0.000000] bootconsole [earlyser0] enabled
[    0.000000] NX (Execute Disable) protection: active
[    0.000000] SMBIOS 2.8 present.
[    0.000000] DMI: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[    0.000000] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
[    0.000000] e820: remove [mem 0x000a0000-0x000fffff] usable
[    0.000000] e820: last_pfn = 0x7ffe0 max_arch_pfn = 0x400000000
[    0.000000] MTRR default type: write-back
[    0.000000] MTRR fixed ranges enabled:
[    0.000000]   00000-9FFFF write-back
[    0.000000]   A0000-BFFFF uncachable
[    0.000000]   C0000-FFFFF write-protect
[    0.000000] MTRR variable ranges enabled:
[    0.000000]   0 base 0080000000 mask FF80000000 uncachable
[    0.000000]   1 disabled
[    0.000000]   2 disabled
[    0.000000]   3 disabled
[    0.000000]   4 disabled
[    0.000000]   5 disabled
[    0.000000]   6 disabled
[    0.000000]   7 disabled
[    0.000000] x86/PAT: PAT not supported by CPU.
[    0.000000] x86/PAT: Configuration [0-7]: WB  WT  UC- UC  WB  WT  UC- UC
[    0.000000] found SMP MP-table at [mem 0x000f6a80-0x000f6a8f] mapped at [        (ptrval)]
[    0.000000] Base memory trampoline at [        (ptrval)] 99000 size 24576
[    0.000000] BRK [0x03fcf000, 0x03fcffff] PGTABLE
[    0.000000] BRK [0x03fd0000, 0x03fd0fff] PGTABLE
[    0.000000] BRK [0x03fd1000, 0x03fd1fff] PGTABLE
[    0.000000] BRK [0x03fd2000, 0x03fd2fff] PGTABLE
[    0.000000] BRK [0x03fd3000, 0x03fd3fff] PGTABLE
[    0.000000] ACPI: Early table checksum verification disabled
[    0.000000] ACPI: RSDP 0x00000000000F6860 000014 (v00 BOCHS )
[    0.000000] ACPI: RSDT 0x000000007FFE1656 000030 (v01 BOCHS  BXPCRSDT 00000001 BXPC 00000001)
[    0.000000] ACPI: FACP 0x000000007FFE14AA 000074 (v01 BOCHS  BXPCFACP 00000001 BXPC 00000001)
[    0.000000] ACPI: DSDT 0x000000007FFE0040 00146A (v01 BOCHS  BXPCDSDT 00000001 BXPC 00000001)
[    0.000000] ACPI: FACS 0x000000007FFE0000 000040
[    0.000000] ACPI: APIC 0x000000007FFE159E 000080 (v01 BOCHS  BXPCAPIC 00000001 BXPC 00000001)
[    0.000000] ACPI: HPET 0x000000007FFE161E 000038 (v01 BOCHS  BXPCHPET 00000001 BXPC 00000001)
[    0.000000] ACPI: Local APIC address 0xfee00000
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000000001000-0x0000000000ffffff]
[    0.000000]   DMA32    [mem 0x0000000001000000-0x000000007ffdffff]
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.000000]   node   0: [mem 0x0000000000100000-0x000000007ffdffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffdffff]
[    0.000000] On node 0 totalpages: 524158
[    0.000000]   DMA zone: 64 pages used for memmap
[    0.000000]   DMA zone: 3605 pages reserved
[    0.000000]   DMA zone: 3998 pages, LIFO batch:0
[    0.000000]   DMA32 zone: 8128 pages used for memmap
[    0.000000]   DMA32 zone: 520160 pages, LIFO batch:31
[    0.000000] kasan: KernelAddressSanitizer initialized
[    0.000000] ACPI: PM-Timer IO Port: 0x608
[    0.000000] ACPI: Local APIC address 0xfee00000
[    0.000000] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.000000] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.000000] ACPI: IRQ0 used by override.
[    0.000000] ACPI: IRQ5 used by override.
[    0.000000] ACPI: IRQ9 used by override.
[    0.000000] ACPI: IRQ10 used by override.
[    0.000000] ACPI: IRQ11 used by override.
[    0.000000] Using ACPI (MADT) for SMP configuration information
[    0.000000] ACPI: HPET id: 0x8086a201 base: 0xfed00000
[    0.000000] smpboot: Allowing 2 CPUs, 0 hotplug CPUs
[    0.000000] e820: [mem 0x80000000-0xfeffbfff] available for PCI devices
[    0.000000] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.000000] setup_percpu: NR_CPUS:8192 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:1
[    0.000000] percpu: Embedded 42 pages/cpu s141128 r0 d30904 u1048576
[    0.000000] pcpu-alloc: s141128 r0 d30904 u1048576 alloc=1*2097152
[    0.000000] pcpu-alloc: [0] 0 1
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 512361
[    0.000000] Kernel command line: console=ttyS0 root=/dev/sda debug earlyprintk=serial slub_debug=QUZ
[    0.000000] slub_debug option 'Q' unknown. skipped
[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[    0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)
[    0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)
[    0.000000] Memory: 1726644K/2096632K available (24581K kernel code, 5360K rwdata, 5860K rodata, 1840K init, 23280K bss, 369988K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Kernel/User page tables isolation: enabled
[    0.000000] kmemleak: Kernel memory leak detector disabled
[    0.000000] Running RCU self tests
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000]  RCU lockdep checking is enabled.
[    0.000000]  Build-time adjustment of leaf fanout to 64.
[    0.000000]  RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=2.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2
[    0.000000] NR_IRQS:4352 nr_irqs:440 16
[    0.000000] console [ttyS0] enabled
[    0.000000] console [ttyS0] enabled
[    0.000000] bootconsole [earlyser0] disabled
[    0.000000] bootconsole [earlyser0] disabled
[    0.000000] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[    0.000000] ... MAX_LOCKDEP_SUBCLASSES:  8
[    0.000000] ... MAX_LOCK_DEPTH:          48
[    0.000000] ... MAX_LOCKDEP_KEYS:        8191
[    0.000000] ... CLASSHASH_SIZE:          4096
[    0.000000] ... MAX_LOCKDEP_ENTRIES:     32768
[    0.000000] ... MAX_LOCKDEP_CHAINS:      65536
[    0.000000] ... CHAINHASH_SIZE:          32768
[    0.000000]  memory used by lock dependency info: 8159 kB
[    0.000000]  per task-struct memory footprint: 1920 bytes
[    0.000000] kmemleak: Early log buffer exceeded (1439), please increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE
[    0.000000] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
[    0.000000] hpet clockevent registered
[    0.000000] tsc: Fast TSC calibration using PIT
[    0.000000] tsc: Detected 2394.448 MHz processor
[    0.020005] Calibrating delay loop (skipped), value calculated using timer frequency.. 4788.89 BogoMIPS (lpj=23944480)
[    0.021504] pid_max: default: 32768 minimum: 301
[    0.022223] ACPI: Core revision 20160831
[    0.059464] ACPI: 1 ACPI AML tables successfully acquired and loaded
[    0.060253] Security Framework initialized
[    0.060842] SELinux:  Initializing.
[    0.061521] SELinux:  Starting in permissive mode
[    0.062370] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)
[    0.063369] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)
[    0.066461] Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0
[    0.067277] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
[    0.068301] Spectre V2 : Mitigation: Full generic retpoline
[    0.069251] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.070010] Speculative Store Bypass: Vulnerable
[    0.070824] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    0.074066] Freeing SMP alternatives memory: 32K
[    0.075497] smpboot: Max logical packages: 2
[    0.078591] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[    0.180000] smpboot: CPU0: Intel QEMU Virtual CPU version 2.5+ (family: 0x6, model: 0x6, stepping: 0x3)
[    0.200047] Performance Events: PMU not available due to virtualization, using software events only.
[    0.270303] NMI watchdog: disabled (cpu0): hardware events not enabled
[    0.271638] NMI watchdog: Shutting down hard lockup detector on all cpus
[    0.370347] x86: Booting SMP configuration:
[    0.371396] .... node  #0, CPUs:      #1[    0.531436] x86: Booted up 1 node, 2 CPUs
[    0.531436] smpboot: Total of 2 processors activated (9577.55 BogoMIPS)
[    0.540114] CPU1: update max cpu_capacity 1024
[    0.550021] CPU1: update max cpu_capacity 1024
[    0.660379] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.663083] futex hash table entries: 512 (order: 4, 65536 bytes)
[    0.667976] NET: Registered protocol family 16
[    0.710062] cpuidle: using governor menu
[    0.711445] ACPI: bus type PCI registered
[    0.715045] PCI: Using configuration type 1 for base access
[    0.811690] HugeTLB registered 2 MB page size, pre-allocated 0 pages
[    0.820843] ACPI: Added _OSI(Module Device)
[    0.821432] ACPI: Added _OSI(Processor Device)
[    0.822031] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.822664] ACPI: Added _OSI(Processor Aggregator Device)
[    0.850880] ACPI: Interpreter enabled
[    0.851519] ACPI: (supports S0 S3 S5)
[    0.852010] ACPI: Using IOAPIC for interrupt routing
[    0.852871] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[    0.931819] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[    0.932664] acpi PNP0A03:00: _OSC: OS supports [Segments]
[    0.933478] acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM
[    0.934370] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
[    0.936824] PCI host bridge to bus 0000:00
[    0.937381] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
[    0.938254] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
[    0.939129] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[    0.940029] pci_bus 0000:00: root bus resource [mem 0x80000000-0xfebfffff window]
[    0.940992] pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window]
[    0.941972] pci_bus 0000:00: root bus resource [bus 00-ff]
[    0.942775] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[    0.946550] pci 0000:00:01.0: [8086:7000] type 00 class 0x060100
[    0.950536] pci 0000:00:01.1: [8086:7010] type 00 class 0x010180
[    0.953686] pci 0000:00:01.1: reg 0x20: [io  0xc040-0xc04f]
[    0.955526] pci 0000:00:01.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
[    0.956497] pci 0000:00:01.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
[    0.957374] pci 0000:00:01.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
[    0.958322] pci 0000:00:01.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
[    0.961633] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000
[    0.963338] pci 0000:00:01.3: quirk: [io  0x0600-0x063f] claimed by PIIX4 ACPI
[    0.964339] pci 0000:00:01.3: quirk: [io  0x0700-0x070f] claimed by PIIX4 SMB
[    0.967936] pci 0000:00:02.0: [1234:1111] type 00 class 0x030000
[    0.969846] pci 0000:00:02.0: reg 0x10: [mem 0xfd000000-0xfdffffff pref]
[    0.971731] pci 0000:00:02.0: reg 0x18: [mem 0xfebb0000-0xfebb0fff]
[    0.977301] pci 0000:00:02.0: reg 0x30: [mem 0xfeba0000-0xfebaffff pref]
[    0.981714] pci 0000:00:03.0: [8086:100e] type 00 class 0x020000
[    0.983752] pci 0000:00:03.0: reg 0x10: [mem 0xfeb80000-0xfeb9ffff]
[    0.985244] pci 0000:00:03.0: reg 0x14: [io  0xc000-0xc03f]
[    0.989253] pci 0000:00:03.0: reg 0x30: [mem 0xfeb00000-0xfeb7ffff pref]
[    0.993291] pci_bus 0000:00: on NUMA node 0
[    1.002659] ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)
[    1.005227] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)
[    1.007768] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)
[    1.010258] ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)
[    1.011807] ACPI: PCI Interrupt Link [LNKS] (IRQs *9)
[    1.015278] ACPI: Enabled 2 GPEs in block 00 to 0F
[    1.016958] vgaarb: setting as boot device: PCI:0000:00:02.0
[    1.017695] vgaarb: device added: PCI:0000:00:02.0,decodes=io+mem,owns=io+mem,locks=none
[    1.018724] vgaarb: loaded
[    1.019097] vgaarb: bridge control possible 0000:00:02.0
[    1.021438] SCSI subsystem initialized
[    1.030279] libata version 3.00 loaded.
[    1.031573] ACPI: bus type USB registered
[    1.032617] usbcore: registered new interface driver usbfs
[    1.033711] usbcore: registered new interface driver hub
[    1.034775] usbcore: registered new device driver usb
[    1.035962] pps_core: LinuxPPS API ver. 1 registered
[    1.036785] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    1.038349] PTP clock support registered
[    1.040667] Advanced Linux Sound Architecture Driver Initialized.
[    1.041854] PCI: Using ACPI for IRQ routing
[    1.042542] PCI: pci_cache_line_size set to 64 bytes
[    1.043510] e820: reserve RAM buffer [mem 0x0009fc00-0x0009ffff]
[    1.044446] e820: reserve RAM buffer [mem 0x7ffe0000-0x7fffffff]
[    1.049241] NetLabel: Initializing
[    1.049734] NetLabel:  domain hash size = 128
[    1.050032] NetLabel:  protocols = UNLABELED CIPSOv4
[    1.050948] NetLabel:  unlabeled traffic allowed by default
[    1.052026] clocksource: Switched to clocksource hpet
[    1.185695] VFS: Disk quotas dquot_6.6.0
[    1.186363] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    1.188077] pnp: PnP ACPI init
[    1.189357] pnp 00:00: Plug and Play ACPI device, IDs PNP0b00 (active)
[    1.190994] pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)
[    1.192527] pnp 00:02: Plug and Play ACPI device, IDs PNP0f13 (active)
[    1.193578] pnp 00:03: [dma 2]
[    1.194361] pnp 00:03: Plug and Play ACPI device, IDs PNP0700 (active)
[    1.196149] pnp 00:04: Plug and Play ACPI device, IDs PNP0400 (active)
[    1.197923] pnp 00:05: Plug and Play ACPI device, IDs PNP0501 (active)
[    1.202872] pnp: PnP ACPI: found 6 devices
[    1.212723] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[    1.215044] pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
[    1.215902] pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
[    1.216735] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[    1.217652] pci_bus 0000:00: resource 7 [mem 0x80000000-0xfebfffff window]
[    1.218568] pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window]
[    1.224509] NET: Registered protocol family 2
[    1.260866] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
[    1.263086] TCP bind hash table entries: 16384 (order: 8, 1048576 bytes)
[    1.266269] TCP: Hash tables configured (established 16384 bind 16384)
[    1.268185] UDP hash table entries: 1024 (order: 5, 163840 bytes)
[    1.271056] UDP-Lite hash table entries: 1024 (order: 5, 163840 bytes)
[    1.273830] NET: Registered protocol family 1
[    1.274521] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[    1.275365] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[    1.276187] pci 0000:00:01.0: Activating ISA DMA hang workarounds
[    1.277108] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[    1.278287] PCI: CLS 0 bytes, default 64
[    1.285296] audit: initializing netlink subsys (disabled)
[    1.286237] audit: type=2000 audit(1562681319.280:1): initialized
[    1.290364] workingset: timestamp_bits=45 max_order=19 bucket_order=0
[    1.376030] fuse init (API version 7.26)
[    1.379690] SELinux:  Registering netfilter hooks
[    1.389408] Key type asymmetric registered
[    1.390000] Asymmetric key parser 'x509' registered
[    1.391493] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    1.392516] io scheduler noop registered
[    1.393049] io scheduler deadline registered
[    1.394944] io scheduler cfq registered (default)
[    1.399583] pci_hotplug: PCI Hot Plug PCI Core version: 0.5
[    1.402128] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[    1.403182] ACPI: Power Button [PWRF]
[    1.406493] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    1.432058] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    1.438112] Non-volatile memory driver v1.3
[    1.439108] Linux agpgart interface v0.103
[    1.440887] [drm] Initialized
[    1.479223] brd: module loaded
[    1.500498] loop: module loaded
[    1.501233] Loading iSCSI transport class v2.0-870.
[    1.516992] ata_piix 0000:00:01.1: version 2.13
[    1.527180] scsi host0: ata_piix
[    1.532313] scsi host1: ata_piix
[    1.533682] ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc040 irq 14
[    1.534549] ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc048 irq 15
[    1.536436] tun: Universal TUN/TAP device driver, 1.6
[    1.537089] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    1.542518] e100: Intel(R) PRO/100 Network Driver, 3.5.24-k2-NAPI
[    1.543298] e100: Copyright(c) 1999-2006 Intel Corporation
[    1.544330] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[    1.545311] e1000: Copyright (c) 1999-2006 Intel Corporation.
[    1.712727] ata2.01: NODEV after polling detection
[    1.714522] ata1.01: NODEV after polling detection
[    1.716808] ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
[    1.718525] ata1.00: 2097152 sectors, multi 16: LBA48
[    1.720708] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[    1.723408] ata2.00: configured for MWDMA2
[    1.725819] ata1.00: configured for MWDMA2
[    1.748984] scsi 0:0:0:0: Direct-Access     ATA      QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5
[    1.836802] sd 0:0:0:0: [sda] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
[    1.840442] sd 0:0:0:0: [sda] Write Protect is off
[    1.841632] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[    1.842603] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    1.845770] sd 0:0:0:0: Attached scsi generic sg0 type 0
[    1.850840] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.5+ PQ: 0 ANSI: 5
[    1.858851] sd 0:0:0:0: [sda] Attached SCSI disk
[    1.921381] sr 1:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
[    1.922995] cdrom: Uniform CD-ROM driver Revision: 3.20
[    1.929471] sr 1:0:0:0: Attached scsi CD-ROM sr0
[    1.932489] sr 1:0:0:0: Attached scsi generic sg1 type 5
[    2.310203] tsc: Refined TSC clocksource calibration: 2394.452 MHz
[    2.311080] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2283be6f12a, max_idle_ns: 440795258165 ns
[    3.259993] ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 11
[    3.320927] clocksource: Switched to clocksource tsc
[    3.667291] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56
[    3.668384] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[    3.669556] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    3.670400] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    3.671480] sky2: driver version 1.30
[    3.672628] PPP generic driver version 2.4.2
[    3.673712] PPP BSD Compression module registered
[    3.674443] PPP Deflate Compression module registered
[    3.675184] PPP MPPE Compression module registered
[    3.675891] NET: Registered protocol family 24
[    3.676692] usbcore: registered new interface driver asix
[    3.677628] usbcore: registered new interface driver ax88179_178a
[    3.683679] usbcore: registered new interface driver cdc_ether
[    3.684670] usbcore: registered new interface driver net1080
[    3.685602] usbcore: registered new interface driver cdc_subset
[    3.686553] usbcore: registered new interface driver zaurus
[    3.687468] usbcore: registered new interface driver cdc_ncm
[    3.688942] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    3.689846] ehci-pci: EHCI PCI platform driver
[    3.690635] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    3.691534] ohci-pci: OHCI PCI platform driver
[    3.692303] uhci_hcd: USB Universal Host Controller Interface driver
[    3.694131] usbcore: registered new interface driver usblp
[    3.695049] usbcore: registered new interface driver usb-storage
[    3.696278] mousedev: PS/2 mouse device common for all mice
[    3.697783] usbcore: registered new interface driver xpad
[    3.698667] usbcore: registered new interface driver usb_acecad
[    3.699638] usbcore: registered new interface driver aiptek
[    3.700875] usbcore: registered new interface driver gtco
[    3.701810] usbcore: registered new interface driver hanwang
[    3.702722] usbcore: registered new interface driver kbtab
[    3.704252] rtc_cmos 00:00: RTC can wake from S4
[    3.706068] rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0
[    3.707209] rtc_cmos 00:00: alarms up to one day, y3k, 114 bytes nvram, hpet irqs
[    3.711701] device-mapper: uevent: version 1.0.3
[    3.719414] device-mapper: ioctl: 4.35.0-ioctl (2016-06-23) initialised: dm-devel@redhat.com
[    3.721118] hidraw: raw HID events driver (C) Jiri Kosina
[    3.742458] usbcore: registered new interface driver usbhid
[    3.743266] usbhid: USB HID core driver
[    3.751035] ashmem: initialized
[    3.778996] u32 classifier
[    3.779413]     Actions configured
[    3.779925] Netfilter messages via NETLINK v0.30.
[    3.781679] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[    3.783539] ctnetlink v0.93: registering with nfnetlink.
[    3.786836] xt_time: kernel timezone is -0000
[    3.787815] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.789224] arp_tables: arp_tables: (C) 2002 David S. Miller
[    3.790228] Initializing XFRM netlink socket
[    3.805939] NET: Registered protocol family 10
[    3.811111] mip6: Mobile IPv6
[    3.811604] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    3.813440] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[    3.816252] NET: Registered protocol family 17
[    3.816939] NET: Registered protocol family 15
[    3.819374] registered taskstats version 1
[    3.822627] console [netcon0] enabled
[    3.823163] netconsole: network logging started
[    3.823807] otg_wakelock_init: No USB transceiver found
[    3.830090] ALSA device list:
[    3.830533]   No soundcards found.
[    3.831906] md: Waiting for all devices to be available before autodetect
[    3.832919] md: If you don't use raid, use raid=noautodetect
[    3.836816] md: Autodetecting RAID arrays.
[    3.837454] md: Scanned 0 and added 0 devices.
[    3.838107] md: autorun ...
[    3.838515] md: ... autorun DONE.
[    3.840599] EXT4-fs (sda): couldn't mount as ext3 due to feature incompatibilities
[    3.842711] EXT4-fs (sda): couldn't mount as ext2 due to feature incompatibilities
[    3.859644] EXT4-fs (sda): mounted filesystem with ordered data mode. Opts: (null)
[    3.860915] VFS: Mounted root (ext4 filesystem) readonly on device 8:0.
[    3.867198] Freeing unused kernel memory: 1840K
[    3.867846] Write protecting the kernel read-only data: 32768k
[    3.870074] rodata_test: test data was not read only
[    3.872424] Freeing unused kernel memory: 2024K
[    3.876154] Freeing unused kernel memory: 284K
[    3.946283] random: fast init done
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.30:  No such file or directory
INIT: version 2.88 booting
[info] Using makefile-style concurrent boot in runlevel S.
[ ok ] Starting the hotplug events dispatcher: udevd.
[ ok ] Synthesizing the initial hotplug events...done.
[ ok ] Waiting for /dev to be fully populated...done.
[ ok ] Activating swap...done.
[    5.871514] EXT4-fs (sda): re-mounted. Opts: (null)
[ ok ] Cleaning up temporary files... /tmp.
[ ok ] Activating lvm and md swap...done.
[....] Checking file systems...fsck from util-linux 2.20.1
done.
[ ok ] Mounting local filesystems...done.
[ ok ] Activating swapfile swap...done.
[ ok ] Cleaning up temporary files....
[....] Setting kernel variables ...sysctl: cannot stat /proc/sys/net/core/bpf_jit_enable: No such file or directory
sysctl: cannot stat /proc/sys/net/core/bpf_jit_harden: No such file or directory
done.
[    8.388920] random: dd: uninitialized urandom read (512 bytes read)
[....] Configuring network interfaces...Internet Systems Consortium DHCP Client 4.2.2
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

[    8.631962] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[    8.650844] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[    8.653085] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Listening on LPF/eth0/52:54:00:12:34:56
Sending on   LPF/eth0/52:54:00:12:34:56
Sending on   Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPOFFER from 10.0.2.2
DHCPACK from 10.0.2.2
bound to 10.0.2.15 -- renewal in 36412 seconds.
done.
[ ok ] Cleaning up temporary files....
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[    9.598397] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: root
Last login: Thu Jun  6 14:54:42 UTC 2019 on ttyS0
Linux syzkaller 4.17 #1 SMP PREEMPT Mon Jul 8 08:36:48 EDT 2019 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@syzkaller:~# [   21.592846] random: crng init done

root@syzkaller:~#
lifeasageek commented 5 years ago

Do you also have id_rsa in the right place? The document from Syzkaller would be helpful - https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md

lifeasageek commented 5 years ago

Oh this is my bad. Your fuzzer is working correctly:

2019/07/09 09:36:55 #2 Fuzzer: exe 759 (379), sig 14016 (7008), syncSig 0 (0)| Sched: exe 0 (0), sig 0 (0)| Race: 0| Crash: 0
2019/07/09 09:36:55      fuzzer rq 0, manager rq: 0, sched rq: 0, supp: 0/0

You probably don't have enough CPU cores to run all VMs, and that's why it gives you the warning.

Btw, you don't have static analysis results according to your logs, so the scheduler (2nd-phase fuzzing) won't be working for you. Please follow the instructions in the static analysis docs.

2019/07/09 09:36:14 Total # of mempair: 0
2019/07/09 09:36:14 Total # of mapping: 0
albigay commented 5 years ago

Odd that it shows Total # of mempair: 0 sometimes. When I run it right now I see Total # of mempair: 1158064; maybe it was due to a bad workdir. I do consistently see Total # of mappings: 0 on every attempt.

I believe I have followed the instructions in your static analysis docs. The run-partition-analysis.py does take roughly a full day to complete, and it would only finish if I modified partitioned_analysis.sh to use -only-needed for llvm-link.

The reason I had to add -only-needed was that llvm-link was complaining that there were duplicate symbols in the .bc files that were also in the kernel vmlinux.bc file.

Could that be why I have no mappings?

Thank you for your help!

lifeasageek commented 5 years ago

run-partition-analysis.py should roughly take a couple of hours to a day (depending on how you set max_size), and that alone should not be a problem. Observing the duplicate symbols seems odd to me, and this should be something Dae R. knows better than me. Since your log showed 1M mempairs before, at least it worked out for you once.

If everything related to the static analysis worked out correctly, you must have these two files, mapping and mempair.

-rw-rw-r-- 1 blee blee 2.2M Jul  7 16:44 mapping
-rw-rw-r-- 1 blee blee 4.4M Jul  7 16:44 mempair
albigay commented 5 years ago

Something must be failing when the mapping is generated, as this file only contains []. My mempair file is approx. 232MB.

lifeasageek commented 5 years ago

If your mempair has mempair information, you only need to run merge-mempairs.py again, which would generate mapping.

albigay commented 5 years ago

That script seems to work without errors, but I still end up with an empty mapping:

razzer/tools/race-syzkaller/exp/partition-scripts$ ./merge-mempairs.py
kernel version: (v4.17)
[*] Total files: 100
[0] merged len: 115602 (duplicate 0)
[1] merged len: 138253 (duplicate 109134)
[2] merged len: 143199 (duplicate 107142)
[3] merged len: 166831 (duplicate 110557)
[4] merged len: 170861 (duplicate 108023)
[5] merged len: 170997 (duplicate 107824)
[6] merged len: 173839 (duplicate 114857)
[7] merged len: 174694 (duplicate 108264)
[8] merged len: 175279 (duplicate 108900)
[9] merged len: 175296 (duplicate 107886)
[10] merged len: 175296 (duplicate 0)
[11] merged len: 177316 (duplicate 113860)
[12] merged len: 177840 (duplicate 109462)
[13] merged len: 178225 (duplicate 111837)
[14] merged len: 178225 (duplicate 0)
[15] merged len: 185767 (duplicate 113110)
[16] merged len: 195864 (duplicate 109135)
[17] merged len: 237166 (duplicate 120206)
[18] merged len: 252285 (duplicate 120459)
[19] merged len: 294217 (duplicate 111198)
[20] merged len: 294316 (duplicate 108979)
[21] merged len: 295050 (duplicate 114003)
[22] merged len: 295098 (duplicate 107955)
[23] merged len: 307216 (duplicate 119412)
[24] merged len: 307216 (duplicate 0)
[25] merged len: 308327 (duplicate 138775)
[26] merged len: 310645 (duplicate 112923)
[27] merged len: 313355 (duplicate 113887)
[28] merged len: 318731 (duplicate 117177)
[29] merged len: 319955 (duplicate 112350)
[30] merged len: 320432 (duplicate 108648)
[31] merged len: 322319 (duplicate 107835)
[32] merged len: 322981 (duplicate 113545)
[33] merged len: 322981 (duplicate 0)
[34] merged len: 559892 (duplicate 114190)
[35] merged len: 564488 (duplicate 121779)
[36] merged len: 566527 (duplicate 112276)
[37] merged len: 588589 (duplicate 118213)
[38] merged len: 588591 (duplicate 108852)
[39] merged len: 605937 (duplicate 120579)
[40] merged len: 606201 (duplicate 112846)
[41] merged len: 614222 (duplicate 115619)
[42] merged len: 614222 (duplicate 0)
[43] merged len: 614226 (duplicate 107886)
[44] merged len: 614226 (duplicate 0)
[45] merged len: 626091 (duplicate 117860)
[46] merged len: 626779 (duplicate 110621)
[47] merged len: 654491 (duplicate 139080)
[48] merged len: 654597 (duplicate 109875)
[49] merged len: 659724 (duplicate 108595)
[50] merged len: 659724 (duplicate 0)
[51] merged len: 661856 (duplicate 122836)
[52] merged len: 666367 (duplicate 109938)
[53] merged len: 667266 (duplicate 115918)
[54] merged len: 667299 (duplicate 107993)
[55] merged len: 670082 (duplicate 108664)
[56] merged len: 670097 (duplicate 118013)
[57] merged len: 670647 (duplicate 118804)
[58] merged len: 670647 (duplicate 108707)
[59] merged len: 681185 (duplicate 116153)
[60] merged len: 732715 (duplicate 115166)
[61] merged len: 732751 (duplicate 108701)
[62] merged len: 733198 (duplicate 108115)
[63] merged len: 743984 (duplicate 111353)
[64] merged len: 743984 (duplicate 0)
[65] merged len: 743984 (duplicate 0)
[66] merged len: 744146 (duplicate 107879)
[67] merged len: 745261 (duplicate 109454)
[68] merged len: 745637 (duplicate 107879)
[69] merged len: 750780 (duplicate 117034)
[70] merged len: 949660 (duplicate 132765)
[71] merged len: 950778 (duplicate 107910)
[72] merged len: 951493 (duplicate 108695)
[73] merged len: 951494 (duplicate 0)
[74] merged len: 952950 (duplicate 116108)
[75] merged len: 953256 (duplicate 140678)
[76] merged len: 954204 (duplicate 113684)
[77] merged len: 955809 (duplicate 108898)
[78] merged len: 955809 (duplicate 0)
[79] merged len: 1082633 (duplicate 263676)
[80] merged len: 1085222 (duplicate 120148)
[81] merged len: 1085222 (duplicate 74)
[82] merged len: 1085290 (duplicate 108053)
[83] merged len: 1085301 (duplicate 107838)
[84] merged len: 1090826 (duplicate 129416)
[85] merged len: 1098688 (duplicate 123490)
[86] merged len: 1111287 (duplicate 133219)
[87] merged len: 1111311 (duplicate 112745)
[88] merged len: 1111870 (duplicate 107926)
[89] merged len: 1111978 (duplicate 118117)
[90] merged len: 1112231 (duplicate 120154)
[91] merged len: 1127818 (duplicate 111905)
[92] merged len: 1127998 (duplicate 112340)
[93] merged len: 1130926 (duplicate 109703)
[94] merged len: 1131785 (duplicate 108734)
[95] merged len: 1134026 (duplicate 141216)
[96] merged len: 1141355 (duplicate 114325)
[97] merged len: 1157995 (duplicate 129206)
[98] merged len: 1158064 (duplicate 109122)
[99] merged len: 1158064 (duplicate 0)
kernel version: (v4.17)
kernel version: (v4.17)
[*] vmlinux:  razzer/tools/race-syzkaller/kernel-build/build-v4.17/vmlinux
[*] mempair:  ./mempair
[*] kernel :  razzer/kernels_repo/kernel_v4.17/
[*] Loading mempair locs
[*] Loaded 77188 mempair locs
[*] Taking dwarfdump of vmlinux
         Loading from backup: razzer/tmp/dwarfdump-4a46e1321affd41c2dee14dacc5e9650.txt
[*] Collecting debug info from dwarfdump
[*] Taking objdump of vmlinux
         Loading from backup: [razzer/tmp/objdump-4a46e1321affd41c2dee14dacc5e9650.txt]
[*] Collecting asms per loc
[*] Loaded 0 locInfos (<> 77188 mempair locs)
[*] Dumping loc instr info
[*] Print mapping info
[*] DONE
lifeasageek commented 5 years ago

It's hard to tell what goes wrong based on your log. You may try to have a look at get_address.py, as well as loc_to_instr.txt generated by get_address.py. Since your mapping generation worked out once, you may have a half-cooked file that get_address.py relies on.
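The mapping step in the log above (load mempair locs, take a dwarfdump and objdump of vmlinux, collect instructions per loc) boils down to joining source file:line locations against the DWARF line table of the binary; "Loaded 0 locInfos (<> 77188 mempair locs)" says that join matched nothing. Below is an added, stand-alone Python example, not part of Razzer's scripts, that does the same kind of join on a constructed `objdump --dwarf=decodedline` listing and, for locations that match nothing, reports whether the same file:line exists in the line table under a different directory prefix. That is one common way for such a join to come out empty: the paths recorded in the DWARF at build time differ from the source tree path the script is given. The kernel root path, file names, line numbers, addresses and mempair locs here are all constructed, and the real input formats of get_address.py are not reproduced.

```python
"""Join source file:line locations against a DWARF line table.

Constructed sample data stands in for a real vmlinux and mempair file; the
line-table text follows the layout printed by `objdump --dwarf=decodedline`.
"""
import os
import re
from collections import defaultdict

# Constructed: where the kernel tree lived when the sample "vmlinux" was built.
KERNEL_ROOT = "/home/build/kernels_repo/kernel_v4.17"

# Constructed sample of `objdump --dwarf=decodedline vmlinux` output.
SAMPLE_DECODED_LINE_TABLE = """\
vmlinux:     file format elf64-x86-64

Contents of the .debug_line section:

CU: /home/build/kernels_repo/kernel_v4.17/fs/inode.c:
File name                            Line number    Starting address    View    Stmt
inode.c                                      211          0xffffffff8123a000               x
inode.c                                      212          0xffffffff8123a004               x
inode.c                                      212          0xffffffff8123a00a
inode.c                                      215          0xffffffff8123a010               x

/home/build/kernels_repo/kernel_v4.17/include/linux/fs.h:
fs.h                                        1020          0xffffffff8123a018               x

CU: /home/build/kernels_repo/kernel_v4.17/net/core/sock.c:
File name                            Line number    Starting address    View    Stmt
sock.c                                        98          0xffffffff81a0c000               x
sock.c                                        99          0xffffffff81a0c006               x
"""

# Constructed sample locs, relative to the kernel source root as a mempair would name them.
SAMPLE_MEMPAIR_LOCS = ["fs/inode.c:212", "net/core/sock.c:99", "kernel/fork.c:100"]

# "CU: /abs/path/file.c:" or "/abs/path/header.h:" announce which file the following rows belong to.
_HEADER_RE = re.compile(r"^(?:CU: )?(\S+):$")
# Table rows: basename, line number, starting address (View/Stmt columns are optional).
_ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(0x[0-9a-fA-F]+)")


def _relative_to_root(path, kernel_root):
    """Path relative to kernel_root, or None when the file lies outside it."""
    path, root = os.path.normpath(path), os.path.normpath(kernel_root)
    if path == root or path.startswith(root + os.sep):
        return os.path.relpath(path, root)
    return None


def build_loc_index(decoded_text, kernel_root=None):
    """Return {'path.c:line': sorted [addr, ...]}.

    With kernel_root given, paths are made relative to it and files outside the
    root are dropped; with kernel_root=None the DWARF paths are kept verbatim.
    """
    index = defaultdict(set)
    current_file = None
    for raw in decoded_text.splitlines():
        line = raw.strip()
        header = _HEADER_RE.match(line)
        if header:
            current_file = os.path.normpath(header.group(1))
            continue
        entry = _ENTRY_RE.match(line)
        if not (entry and current_file):
            continue
        path = current_file
        if kernel_root is not None:
            path = _relative_to_root(current_file, kernel_root)
            if path is None:
                continue
        index[f"{path}:{int(entry.group(2))}"].add(int(entry.group(3), 16))
    return {loc: sorted(addrs) for loc, addrs in index.items()}


def map_locs(locs, index):
    """Split locs into {loc: [addresses]} and the list that matched nothing."""
    mapped, unmatched = {}, []
    for loc in locs:
        (mapped.__setitem__(loc, index[loc]) if loc in index else unmatched.append(loc))
    return mapped, unmatched


def suggest_kernel_roots(unmatched, absolute_index):
    """For unmatched locs, return {loc: {directory prefix, ...}} under which the
    same relative path and line does appear in the line table.  One consistent
    prefix across many locs points at a kernel_root that does not match the
    paths baked into the binary rather than at missing debug info."""
    suggestions = {}
    for loc in unmatched:
        suffix = "/" + loc
        roots = {key[: -len(suffix)] for key in absolute_index if key.endswith(suffix)}
        if roots:
            suggestions[loc] = roots
    return suggestions


def run_sample(kernel_root=KERNEL_ROOT):
    """Join the constructed locs against the constructed line table."""
    index = build_loc_index(SAMPLE_DECODED_LINE_TABLE, kernel_root)
    mapped, unmatched = map_locs(SAMPLE_MEMPAIR_LOCS, index)
    suggestions = suggest_kernel_roots(unmatched, build_loc_index(SAMPLE_DECODED_LINE_TABLE))
    return mapped, unmatched, suggestions


if __name__ == "__main__":
    # Second root is deliberately wrong to show how an all-unmatched result is explained.
    for root in (KERNEL_ROOT, "/wrong/checkout/linux"):
        mapped, unmatched, suggestions = run_sample(root)
        print(f"kernel_root={root}: {len(mapped)} mapped, {len(unmatched)} unmatched")
        for loc, addrs in mapped.items():
            print("  ", loc, [hex(a) for a in addrs])
        for loc in unmatched:
            hint = suggestions.get(loc)
            print("  ", loc, "-> no instructions" + (f"; seen under {sorted(hint)}" if hint else ""))
```

Run as a script, the first pass maps two of the three constructed locs (the third names a file absent from the sample table), while the pass with the wrong root maps nothing and reports the prefix under which the locs do exist, which is the pattern to look for when every loc in a mempair comes back without instructions.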