QEMU

Assertion-failure in usb_detach

Bug #1878323 reported by Alexander Bulekov
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned

Bug Description

Hello,
While fuzzing, I found an input that triggers an assertion-failure in usb_detach

/home/alxndr/Development/qemu/hw/usb/core.c:69: void usb_detach(USBPort *): Assertion `dev->state != USB_STATE_NOTATTACHED' failed.
#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557fd2040 <str> "dev->state != USB_STATE_NOTATTACHED", file=0x555557fd1ec0 <str> "/home/alxndr/Development/qemu/hw/usb/core.c", line=0x45, function=0x555557fd2000 <__PRETTY_FUNCTION__.usb_detach> "void usb_detach(USBPort *)") at assert.c:101
#4 0x000055555723f0ce in usb_detach (port=0x62100002df30) at /home/alxndr/Development/qemu/hw/usb/core.c:69
#5 0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
#6 0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, val=0xbebebebe, size=0x4) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
#7 0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, addr=0x0, value=0x7fffffffaad0, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
#8 0x000055555649328a in access_with_adjusted_size (addr=0x0, value=0x7fffffffaad0, size=0x4, access_size_min=0x1, access_size_max=0x4, access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
#9 0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
#10 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
#11 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3177
#12 0x00005555562bb609 in address_space_write (as=0x62100002d328, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3268
#13 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at /home/alxndr/Development/qemu/exec.c:3592
#14 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
#15 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
#16 0x00005555572a5953 in ehci_free_packet (p=0x611000048480) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:536
#17 0x00005555572a4ed4 in ehci_cancel_queue (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:584
#18 0x00005555572a49ab in ehci_free_queue (q=0x60d000004f10, warn=0x0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:611
#19 0x00005555572b102d in ehci_queues_rip_device (ehci=0x62100002d9f0, dev=0x623000001d00, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:674
#20 0x00005555572af7a3 in ehci_detach (port=0x62100002df78) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:733
#21 0x000055555723f15c in usb_detach (port=0x62100002df78) at /home/alxndr/Development/qemu/hw/usb/core.c:70
#22 0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
#23 0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, val=0xbebebebe, size=0x4) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
#24 0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, addr=0x0, value=0x7fffffffc410, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
#25 0x000055555649328a in access_with_adjusted_size (addr=0x0, value=0x7fffffffc410, size=0x4, access_size_min=0x1, access_size_max=0x4, access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
#26 0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
#27 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
#28 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3177
#29 0x00005555562bb609 in address_space_write (as=0x62100002d328, addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at /home/alxndr/Development/qemu/exec.c:3268
#30 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at /home/alxndr/Development/qemu/exec.c:3592
#31 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
#32 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
#33 0x00005555572aa87e in ehci_execute_complete (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1324
#34 0x00005555572a7b8c in ehci_state_executing (q=0x60d000004f10) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1973
#35 0x00005555572b3685 in ehci_advance_state (ehci=0x62100002d9f0, async=0x1) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2094
#36 0x00005555572b2db9 in ehci_advance_async_state (ehci=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2152
#37 0x00005555572a29c3 in ehci_work_bh (opaque=0x62100002d9f0) at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2320
#38 0x0000555557bfba60 in aio_bh_call (bh=0x60400001cd90) at /home/alxndr/Development/qemu/util/async.c:136

I can reproduce it in qemu 5.0 using the commands in the attachment:

qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0 -machine q35 \
-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
-device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 \
-device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 \
-drive if=none,id=usbcdrom,media=cdrom \
-device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
-device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
-display none -nodefaults -nographic < attachment

Please let me know if I can provide any further info.
-Alex

Revision history for this message
Alexander Bulekov (a1xndr) wrote :
Revision history for this message
Thomas Huth (th-huth) wrote :

I can reproduce this crash with QEMU v5.0, but with the current version from the master branch, this does not trigger anymore. I assume this has been fixed. Could you please have a try and confirm that it does not happen anymore?

Changed in qemu:
status: New → Incomplete
Revision history for this message
Alexander Bulekov (a1xndr) wrote :

OSS-Fuzz never found it, though we are fuzzing a slightly different ehci configuration there. I made a note of the arguments we should start fuzzing on OSS-Fuzz, but I think this is safe to close.

Revision history for this message
Thomas Huth (th-huth) wrote :

Ok, thanks, then let's close this ticket now.

Changed in qemu:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.