Assertion-failure in scsi_dma_complete, with megasas

Bug #1878263 reported by Alexander Bulekov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned

Bug Description

Hello,
While fuzzing, I found an input that triggers an assertion-failure in scsi_dma_complete, with megasas:

qemu-system-i386: /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:292: void scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL' failed.

#3 0x00007ffff6866092 in __GI___assert_fail (assertion=0x555556efa460 <str> "r->req.aiocb != NULL", file=0x555556ef9b20 <str> "/home/alxndr/Development/qemu/hw/scsi/scsi-disk.c", line=0x124, function=0x555556efa560 <__PRETTY_FUNCTION__.scsi_dma_complete> "void scsi_dma_complete(void *, int)") at assert.c:101
#4 0x000055555669d473 in scsi_dma_complete (opaque=0x616000040280, ret=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:292
#5 0x000055555639c89b in dma_complete (dbs=<optimized out>, ret=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:118
#6 0x000055555639c89b in dma_blk_cb (opaque=<optimized out>, ret=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:136
#7 0x000055555639bd58 in dma_blk_io (ctx=<optimized out>, sg=<optimized out>, offset=<optimized out>, align=<optimized out>, io_func=<optimized
out>, io_func_opaque=<optimized out>, cb=<optimized out>, opaque=<optimized out>, dir=<optimized out>) at /home/alxndr/Development/qemu/dma-helpers.c:232
#8 0x000055555669baa5 in scsi_write_data (req=0x616000040280) at /home/alxndr/Development/qemu/hw/scsi/scsi-disk.c:583
#9 0x00005555566b5d93 in scsi_req_continue (req=0x616000040280) at /home/alxndr/Development/qemu/hw/scsi/scsi-bus.c:1337
#10 0x00005555566f52e3 in megasas_enqueue_req (cmd=<optimized out>, is_write=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1651
#11 0x00005555566e276f in megasas_handle_io (s=<optimized out>, cmd=<optimized out>, frame_cmd=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1790
#12 0x00005555566e276f in megasas_handle_frame (s=<optimized out>, frame_addr=<optimized out>, frame_count=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:1969
#13 0x00005555566e276f in megasas_mmio_write (opaque=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/scsi/megasas.c:2122
#14 0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
#15 0x0000555556002280 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x7fffeeb301e0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
#16 0x0000555556002280 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x17, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
#17 0x0000555555f171d4 in flatview_write_continue (fv=<optimized out>, addr=0xc1c0, attrs=..., ptr=<optimized out>, len=0x1, addr1=0x7fffffffae00, l=<optimized out>, mr=0x7fffeeb301e0) at /home/alxndr/Development/qemu/exec.c:3137
#18 0x0000555555f0fb98 in flatview_write (fv=0x606000038180, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /home/alxndr/Development/qemu/exec.c:3177

I can reproduce it in qemu 5.0 using:

cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas -device scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0
outl 0xcf8 0x80001818
outl 0xcfc 0xc101
outl 0xcf8 0x8000181c
outl 0xcf8 0x80001804
outw 0xcfc 0x7
outl 0xcf8 0x8000186a
write 0x14 0x1 0xfe
write 0x0 0x1 0x02
outb 0xc1c0 0x17
EOF

I also attached the commands to this launchpad report, in case the formatting is broken:

qemu-system-i386 -qtest stdio -nographic -monitor none -serial none -M q35 -device megasas -device scsi-cd,drive=null0 -blockdev driver=null-co,read-zeroes=on,node-name=null0 < attachment

Please let me know if I can provide any further info.
-Alex

Revision history for this message
Alexander Bulekov (a1xndr) wrote :
description: updated
Revision history for this message
Thomas Huth (th-huth) wrote :

Fixed in commit 4773a5f35b0d83674f92816a226a594b03bbcf60

Changed in qemu:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments