Assertion failure in bdrv_aio_cancel, through ide
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
While fuzzing, I found an input that triggers an assertion failure in bdrv_aio_cancel, through ide:
#1 0x00007ffff685755b in __GI_abort () at abort.c:79
#2 0x0000555556a8d396 in bdrv_aio_cancel (acb=0x60700006
#3 0x0000555556a58525 in blk_aio_cancel (acb=0x2) at /home/alxndr/
#4 0x0000555556552f5b in ide_reset (s=<optimized out>) at /home/alxndr/
#5 0x0000555556552aeb in ide_bus_reset (bus=0x62d00001
#6 0x0000555556579ba5 in ahci_reset_port (s=<optimized out>, port=<optimized out>) at /home/alxndr/
#7 0x000055555657bd8d in ahci_port_write (s=0x61e000014d70, port=0x2, offset=<optimized out>, val=0x10) at /home/alxndr/
#8 0x000055555657bd8d in ahci_mem_write (opaque=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/
#9 0x00005555560028d7 in memory_
#10 0x0000555556002280 in access_
#11 0x0000555556002280 in memory_
#12 0x0000555555f171d4 in flatview_
#13 0x0000555555f0fb98 in flatview_write (fv=0x60600003b180, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /home/alxndr/
I can reproduce it in qemu 5.0 using:
cat << EOF | ~/Development/
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe106c000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fb20
write 0x0 0x3 0x2780e7
write 0xe106c22c 0xd 0x1130c21802113
write 0xe106c218 0x15 0x1100101100101
EOF
I also attached the commands to this launchpad report, in case the formatting is broken:
qemu-system-i386 -qtest stdio -monitor none -serial none -M pc-q35-5.0 -nographic < attachment
Please let me know if I can provide any further info.
-Alex
Changed in qemu: status: Fix Committed → Fix Released
(gdb) fr 4
#4  0x000056378b63e3aa in ide_reset (s=0x56378d64d730) at hw/ide/core.c:1318
1318        blk_aio_cancel(s->pio_aiocb);
(gdb) p *s->pio_aiocb
$1 = {aiocb_info = 0x56378bb55520 <blk_aio_em_aiocb_info>, bs = 0x0, cb = 0x56378b63d9f8 <ide_flush_cb>, opaque = 0x56378d64d730, refcnt = 2}

void bdrv_aio_cancel(BlockAIOCB *acb)
{
    qemu_aio_ref(acb);
    bdrv_aio_cancel_async(acb);
    while (acb->refcnt > 1) {
        if (acb->aiocb_info->get_aio_context) {
            ...
        } else if (acb->bs) {
            ...
        } else {
            abort();
        }
    }
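As an added illustration, not code from the report or from QEMU: a small C model of the cancel loop quoted above. It keeps the same three branches and shows why an in-flight request whose aiocb_info has no get_aio_context and whose bs is NULL (the state in the gdb dump) leaves the loop with nothing to poll, which is the point where QEMU 5.0 calls abort(); the model returns a status instead. All type and function names here are invented for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model (not QEMU code) of the objects the quoted bdrv_aio_cancel() loop touches. */
typedef struct Acb Acb;
typedef struct { Acb *pending; } AioCtx;               /* one completion waiting to run */
typedef struct { AioCtx *(*get_aio_context)(Acb *); } AcbInfo;
struct Acb {
    const AcbInfo *info;
    AioCtx *bs_ctx;   /* stands in for acb->bs; NULL in the report (bs = 0x0) */
    AioCtx *ctx;      /* context where this request's completion will run */
    int refcnt;       /* 1 while the request is in flight */
};

/* aio_poll(ctx, true): run the pending completion, which drops the request's own ref. */
static bool aio_poll(AioCtx *ctx) {
    if (!ctx || !ctx->pending) return false;
    ctx->pending->refcnt--;
    ctx->pending = NULL;
    return true;
}

typedef enum { CANCEL_OK, CANCEL_NO_CONTEXT, CANCEL_STALLED } CancelResult;

/* Same branch structure as the quoted loop; the third branch reports instead of abort(). */
static CancelResult model_aio_cancel(Acb *acb) {
    acb->refcnt++;                                    /* qemu_aio_ref */
    while (acb->refcnt > 1) {
        bool progressed;
        if (acb->info->get_aio_context) {
            progressed = aio_poll(acb->info->get_aio_context(acb));
        } else if (acb->bs_ctx) {
            progressed = aio_poll(acb->bs_ctx);
        } else {
            acb->refcnt--;
            return CANCEL_NO_CONTEXT;                 /* QEMU 5.0: abort() */
        }
        if (!progressed) { acb->refcnt--; return CANCEL_STALLED; }
    }
    acb->refcnt--;                                    /* qemu_aio_unref */
    return CANCEL_OK;
}

static AioCtx *ctx_of(Acb *acb) { return acb->ctx; }
static const AcbInfo info_no_ctx = { NULL };          /* like blk_aio_em_aiocb_info in the dump */
static const AcbInfo info_with_ctx = { ctx_of };

/* Cancel one in-flight request built with the given info and with or without a bs. */
static CancelResult run_cancel(const AcbInfo *info, bool has_bs) {
    AioCtx ctx = { NULL };
    Acb acb = { info, has_bs ? &ctx : NULL, &ctx, 1 };
    ctx.pending = &acb;
    return model_aio_cancel(&acb);
}
```

run_cancel(&info_no_ctx, false) reproduces the reported combination and returns CANCEL_NO_CONTEXT; giving the request either a bs or an info with get_aio_context lets the drain complete.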