Bug #1883728 “address_space_unmap: Assertion `mr != NULL' failed...” : Bugs : QEMU

Revision history for this message

Bugs SysSec (bugs-syssec) wrote on 2020-06-16:

#1

xhci_assert1.zip Edit (845.4 KiB, application/zip)

Alex Bennée (ajbennee) on 2020-06-17

tags:

added: testcase

Revision history for this message

Alexander Bulekov (a1xndr) wrote on 2020-08-11:

#2

Download full text (7.3 KiB)

Here's a qtest reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 \
-device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c319f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffffd855
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c05140100000000
writeq 0x9f0d000000002000 0x5c05140100000000
write 0x2008d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
write 0x200ad 0x1 0x27
write 0x200bd 0x1 0x5c
write 0x200cd 0x1 0x2e
write 0x200dd 0x1 0x2f
write 0x200e8 0x1 0x08
write 0x200ec 0x1 0xfe
write 0x200ed 0x1 0x08
write 0x200fd 0x1 0x05
write 0x2010d 0x1 0x2e
write 0x2011d 0x1 0x2f
write 0x2012d 0x1 0x08
write 0x20137 0x1 0x5e
write 0x2013a 0x1 0x2f
write 0x2013d 0x1 0x05
write 0x2014d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
EOF

...
[S +0.017146] OK
[R +0.017149] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299108:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299112:usb_xhci_fetch_trb addr 0x0000000000000000, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299115:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
OK
[S +0.017162] OK
[R +0.017166] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299124:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299126:usb_xhci_fetch_trb addr 0x0000000000000010, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299129:usb_xhci_slot_enable slotid 1
30899@1597183147.299132:usb_xhci_fetch_trb addr 0x0000000000000020, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299134:usb_xhci_fetch_trb addr 0x0000000000000030, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299137:usb_xhci_slot_enable slotid 2
30899@1597183147.299139:usb_xhci_fetch_trb addr 0x0000000000000040, CR_ADDRESS_DEVICE, p 0x000000000001722e, s 0x00000000, c 0x01002e00
30899@1597183147.299144:usb_xhci_slot_address slotid 1, port 1
30899@1597183147.299148:usb_xhci_ep_enable slotid 1, epid 1
30899@1597183147.299151:usb_xhci_fetch_trb addr 0x0000000000000050, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299154:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
30899@1597183147.299157:usb_xhci_ep_kick slotid 1, epid 1, streamid 23557
30899@1597183147.299161:usb_xhci_fetch_trb addr 0x0000000000020070, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.017210] OK
[R +0.017214] write 0x2008d 0x1 0x13
OK
[S +0.017219] OK
[R +0.017223] writeq 0x9f0d000000002000 0x100ef0100000009
30899@1597183147.299181:usb_xhci_doorbell_write off 0x0000, val 0x00000009
30899@1597183147.299183:usb_xhci_doorbell_write off 0x0004, val 0x0100ef01
30899@1597183147.299185:usb_x...

Here's a qtest reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 \
-device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c319f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffffd855
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c05140100000000
writeq 0x9f0d000000002000 0x5c05140100000000
write 0x2008d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
write 0x200ad 0x1 0x27
write 0x200bd 0x1 0x5c
write 0x200cd 0x1 0x2e
write 0x200dd 0x1 0x2f
write 0x200e8 0x1 0x08
write 0x200ec 0x1 0xfe
write 0x200ed 0x1 0x08
write 0x200fd 0x1 0x05
write 0x2010d 0x1 0x2e
write 0x2011d 0x1 0x2f
write 0x2012d 0x1 0x08
write 0x20137 0x1 0x5e
write 0x2013a 0x1 0x2f
write 0x2013d 0x1 0x05
write 0x2014d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
EOF

...
[S +0.017146] OK
[R +0.017149] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299108:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299112:usb_xhci_fetch_trb addr 0x0000000000000000, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299115:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
OK
[S +0.017162] OK
[R +0.017166] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299124:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299126:usb_xhci_fetch_trb addr 0x0000000000000010, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299129:usb_xhci_slot_enable slotid 1
30899@1597183147.299132:usb_xhci_fetch_trb addr 0x0000000000000020, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299134:usb_xhci_fetch_trb addr 0x0000000000000030, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299137:usb_xhci_slot_enable slotid 2
30899@1597183147.299139:usb_xhci_fetch_trb addr 0x0000000000000040, CR_ADDRESS_DEVICE, p 0x000000000001722e, s 0x00000000, c 0x01002e00
30899@1597183147.299144:usb_xhci_slot_address slotid 1, port 1
30899@1597183147.299148:usb_xhci_ep_enable slotid 1, epid 1
30899@1597183147.299151:usb_xhci_fetch_trb addr 0x0000000000000050, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299154:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
30899@1597183147.299157:usb_xhci_ep_kick slotid 1, epid 1, streamid 23557
30899@1597183147.299161:usb_xhci_fetch_trb addr 0x0000000000020070, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.017210] OK
[R +0.017214] write 0x2008d 0x1 0x13
OK
[S +0.017219] OK
[R +0.017223] writeq 0x9f0d000000002000 0x100ef0100000009
30899@1597183147.299181:usb_xhci_doorbell_write off 0x0000, val 0x00000009
30899@1597183147.299183:usb_xhci_doorbell_write off 0x0004, val 0x0100ef01
30899@1597183147.299185:usb_xhci_ep_kick slotid 1, epid 1, streamid 256
30899@1597183147.299189:usb_xhci_fetch_trb addr 0x0000000000020080, TR_STATUS, p 0x0000000000000000, s 0x00000000, c 0x00001300
30899@1597183147.299191:usb_xhci_xfer_start 0x5622548f9760: slotid 1, epid 1, streamid 0
TRB_SETUP 1300 1300 1300 0
30899@1597183147.299196:usb_xhci_fetch_trb addr 0x0000000000020090, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.017244] OK
[R +0.017248] write 0x200ad 0x1 0x27
OK
[S +0.017338] OK
[R +0.017342] writeq 0x9f0d000000002000 0x100ef0100000009
30899@1597183147.299300:usb_xhci_doorbell_write off 0x0000, val 0x00000009
30899@1597183147.299302:usb_xhci_doorbell_write off 0x0004, val 0x0100ef01
30899@1597183147.299304:usb_xhci_ep_kick slotid 1, epid 1, streamid 256
30899@1597183147.299308:usb_xhci_fetch_trb addr 0x00000000000200a0, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299310:usb_xhci_xfer_start 0x5622548f9890: slotid 1, epid 1, streamid 0
TRB_SETUP 2700 2700 2700 0
30899@1597183147.299315:usb_xhci_fetch_trb addr 0x00000000000200b0, CR_NOOP, p 0x0000000000000000, s 0x00000000, c 0x00005c00
30899@1597183147.299318:usb_xhci_xfer_start 0x5622548f99a0: slotid 1, epid 1, streamid 0
TRB_SETUP 5c00 5c00 5c00 0
30899@1597183147.299322:usb_xhci_fetch_trb addr 0x00000000000200c0, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299325:usb_xhci_xfer_start 0x5622548f9ab0: slotid 1, epid 1, streamid 0
TRB_SETUP 2e00 2e00 2e00 0
30899@1597183147.299329:usb_xhci_fetch_trb addr 0x00000000000200d0, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002f00
30899@1597183147.299331:usb_xhci_xfer_start 0x5622548f9c10: slotid 1, epid 1, streamid 0
TRB_SETUP 2f00 2f00 2f00 0
30899@1597183147.299337:usb_xhci_fetch_trb addr 0x00000000000200e0, TR_SETUP, p 0x0000000000000000, s 0x00000008, c 0x000008fe
30899@1597183147.299340:usb_xhci_fetch_trb addr 0x00000000000200f0, TR_NORMAL, p 0x0000000000000000, s 0x00000000, c 0x00000500
30899@1597183147.299342:usb_xhci_fetch_trb addr 0x0000000000020100, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299345:usb_xhci_fetch_trb addr 0x0000000000020110, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002f00
30899@1597183147.299348:usb_xhci_fetch_trb addr 0x0000000000020120, TR_SETUP, p 0x0000000000000000, s 0x00000000, c 0x00000800
30899@1597183147.299351:usb_xhci_fetch_trb addr 0x0000000000020130, TR_NORMAL, p 0x5e00000000000000, s 0x002f0000, c 0x00000500
30899@1597183147.299353:usb_xhci_fetch_trb addr 0x0000000000020140, TR_STATUS, p 0x0000000000000000, s 0x00000000, c 0x00001300
30899@1597183147.299356:usb_xhci_xfer_start 0x5622548f9d70: slotid 1, epid 1, streamid 0
TRB_SETUP 8fe 1300 8fe 8
30899@1597183147.299361:usb_packet_state_change bus 0, port 1, ep 0, packet 0x5622548f9d78, state undef -> setup
30899@1597183147.299466:usb_packet_state_change bus 0, port 1, ep 0, packet 0x5622548f9d78, state setup -> complete
qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.

#8 0x7f8f9e7e6091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 0x55f7507b374a in address_space_unmap exec.c:3623:9
#10 0x55f750baeab8 in dma_memory_unmap include/sysemu/dma.h:145:5
#11 0x55f750baea1b in usb_packet_unmap hw/usb/libhw.c:65:9
#12 0x55f750bcbb73 in xhci_xfer_unmap hw/usb/hcd-xhci.c:1487:5
#13 0x55f750bcba3d in xhci_try_complete_packet hw/usb/hcd-xhci.c:1642:9
#14 0x55f750bcc888 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1728:5
#15 0x55f750bcb306 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#16 0x55f750bd04e9 in xhci_kick_ep hw/usb/hcd-xhci.c:1861:5
#17 0x55f750bd253c in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#18 0x55f75091def1 in memory_region_write_accessor softmmu/memory.c:483:5
#19 0x55f75091ddf3 in access_with_adjusted_size softmmu/memory.c:544:18
#20 0x55f75091dac5 in memory_region_dispatch_write softmmu/memory.c
#21 0x55f7507b51e2 in flatview_write_continue exec.c:3176:23
#22 0x55f7507b2a30 in flatview_write exec.c:3216:14
#23 0x55f7507b2968 in address_space_write exec.c:3308:18
#24 0x55f750929e3b in qtest_process_command softmmu/qtest.c

Revision history for this message

Thomas Huth (th-huth) wrote on 2021-05-11:

#3

Can you still reproduce this assert with QEMU v6.0 ? For me, it does not seem to run into the assert() anymore, so I assume this has been fixed within the last months?

Changed in qemu:
status:	New → Incomplete
tags:	added: fuzzer usb

Revision history for this message

Alexander Bulekov (a1xndr) wrote on 2021-05-11:

#4

OSS-Fuzz never picked up on this one, so I'm guessing it was fixed sometime between 5.1 and 5.2.
Not a fun section to bisect, but looks like it was fixed by 21bc31524e ("hw: xhci: check return value of 'usb_packet_map'")

Revision history for this message

Thomas Huth (th-huth) wrote on 2021-05-12:

#5

Ok, thanks for checking! So seems like this has been fixed, thus I'm closing the bug. If it happens again, please open a new ticket in our new gitlab issue tracker.

Changed in qemu:
status:	Incomplete → Fix Released

QEMU

address_space_unmap: Assertion `mr != NULL' failed.

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches