xhci_find_stream: Assertion `streamid != 0' failed.

Bug #1883729 reported by Bugs SysSec
This bug affects 1 person

Affects: QEMU | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

To reproduce, run QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
```

QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```

Tags: usb
Bugs SysSec (bugs-syssec) wrote :

Alexander Bulekov (a1xndr) wrote :

Attaching a QTest reproducer.
```
./i386-softmmu/qemu-system-i386 -device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio < repro
```

Close to the crash:
```
21000@1597111713.503068:usb_xhci_slot_configure slotid 58
21000@1597111713.503074:usb_xhci_ep_disable slotid 58, epid 2
21000@1597111713.503077:usb_xhci_ep_enable slotid 58, epid 2
21000@1597111713.503085:usb_xhci_ep_disable slotid 58, epid 6
21000@1597111713.503088:usb_xhci_ep_enable slotid 58, epid 6
21000@1597111713.503092:usb_xhci_ep_disable slotid 58, epid 24
21000@1597111713.503095:usb_xhci_ep_enable slotid 58, epid 24
21000@1597111713.503099:usb_xhci_ep_disable slotid 58, epid 25
21000@1597111713.503102:usb_xhci_ep_enable slotid 58, epid 25
21000@1597111713.503106:usb_xhci_ep_disable slotid 58, epid 29
21000@1597111713.503109:usb_xhci_ep_enable slotid 58, epid 29
21000@1597111713.503113:usb_xhci_ep_disable slotid 58, epid 30
21000@1597111713.503116:usb_xhci_ep_enable slotid 58, epid 30
21000@1597111713.503121:usb_xhci_fetch_trb addr 0x0000000000000b20, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503127:usb_xhci_slot_enable slotid 59
21000@1597111713.503130:usb_xhci_fetch_trb addr 0x0000000000000b30, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x00004300
21000@1597111713.503135:usb_xhci_fetch_trb addr 0x0000000000000b40, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503140:usb_xhci_slot_enable slotid 60
21000@1597111713.503143:usb_xhci_fetch_trb addr 0x0000000000000b50, CR_EVALUATE_CONTEXT, p 0x0000000000000000, s 0x00000000, c 0x00003600
21000@1597111713.503149:usb_xhci_fetch_trb addr 0x0000000000000b60, CR_STOP_ENDPOINT, p 0x0000000000000000, s 0x00000000, c 0x3afd3c00
21000@1597111713.503154:usb_xhci_ep_stop slotid 58, epid 29
21000@1597111713.503159:usb_xhci_ep_state slotid 58, epid 29, running -> stopped
21000@1597111713.503163:usb_xhci_fetch_trb addr 0x0000000000000b70, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503168:usb_xhci_slot_enable slotid 61
21000@1597111713.503171:usb_xhci_fetch_trb addr 0x0000000000000b80, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x3afd4300
21000@1597111713.503177:usb_xhci_ep_set_dequeue slotid 58, epid 29, streamid 0, ptr 0x0000000000000000
qemu-system-i386: hw/usb/hcd-xhci.c:1016: XHCIStreamContext *xhci_find_stream(XHCIEPContext *, unsigned int, uint32_t *): Assertion `streamid != 0' failed.
Aborted
```
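
The last CR_SET_TR_DEQUEUE in the trace carries status word 0, so the stream id the guest supplied for slot 58, endpoint 29 is 0, and the lookup aborts on its assertion. The C model below is an added illustration written for this report, not code from QEMU's hw/usb/hcd-xhci.c. It decodes the same TRB words the trace shows (p 0, s 0, c 0x3afd4300) and applies the validation a command handler should do before any stream lookup: stream id 0 and ids beyond the configured primary stream count are returned to the guest as an Invalid Stream ID completion code rather than checked with assert(), since an assertion on guest-controlled input turns a malformed command into a VMM crash. The field layouts and completion-code values follow the xHCI specification; the context structs, MAX_PSTREAMS, and the slot/endpoint state (including the four-stream endpoint configuration, which the trace does not show) are constructed assumptions.

```c
/* Added example (not QEMU code): a minimal model of the xHCI
 * "Set TR Dequeue Pointer" command path that validates the guest-supplied
 * stream id instead of asserting on it. Context structs, stream counts
 * and the slot/endpoint state below are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TRB type and completion-code values as in the xHCI specification. */
enum { TRB_TYPE_SET_TR_DEQUEUE = 16 };
enum {
    CC_SUCCESS = 1,
    CC_TRB_ERROR = 5,
    CC_SLOT_NOT_ENABLED_ERROR = 11,
    CC_EP_NOT_ENABLED_ERROR = 12,
    CC_INVALID_STREAM_ID_ERROR = 34,
};

#define MAX_SLOTS    64   /* slot ids 1..63, 0 is reserved            */
#define MAX_EPS      32   /* endpoint ids 1..31, 0 is reserved        */
#define MAX_PSTREAMS 8    /* assumed size of the primary stream array */

typedef struct { uint64_t parameter; uint32_t status; uint32_t control; } Trb;

typedef struct {
    bool enabled;
    unsigned nr_pstreams;               /* 0: endpoint does not use streams */
    uint64_t dequeue;                   /* ring pointer when streams are off */
    uint64_t stream_dequeue[MAX_PSTREAMS];
} EpCtx;

typedef struct { bool enabled; EpCtx ep[MAX_EPS]; } SlotCtx;

/* Command TRB field layout: type = control[15:10], slot id = control[31:24],
 * endpoint id = control[20:16], stream id = status[31:16],
 * new dequeue pointer = parameter[63:4]. */
unsigned trb_type(const Trb *t)     { return (t->control >> 10) & 0x3f; }
unsigned trb_slotid(const Trb *t)   { return t->control >> 24; }
unsigned trb_epid(const Trb *t)     { return (t->control >> 16) & 0x1f; }
unsigned trb_streamid(const Trb *t) { return t->status >> 16; }
uint64_t trb_pointer(const Trb *t)  { return t->parameter & ~UINT64_C(0xf); }

/* Stream id 0 is reserved and ids >= nr_pstreams do not exist. Both values
 * come straight from the guest, so they are reported as a completion code;
 * an assert() here would let a guest abort the whole VMM process. */
static uint64_t *find_stream(EpCtx *ep, unsigned streamid, unsigned *cc)
{
    if (streamid == 0 || streamid >= ep->nr_pstreams) {
        *cc = CC_INVALID_STREAM_ID_ERROR;
        return NULL;
    }
    return &ep->stream_dequeue[streamid];
}

unsigned set_tr_dequeue(SlotCtx *slots, const Trb *trb)
{
    unsigned slotid = trb_slotid(trb), epid = trb_epid(trb), cc = CC_SUCCESS;
    uint64_t *dq;

    if (trb_type(trb) != TRB_TYPE_SET_TR_DEQUEUE)
        return CC_TRB_ERROR;
    if (slotid == 0 || slotid >= MAX_SLOTS || !slots[slotid].enabled)
        return CC_SLOT_NOT_ENABLED_ERROR;
    if (epid == 0 || !slots[slotid].ep[epid].enabled)
        return CC_EP_NOT_ENABLED_ERROR;

    EpCtx *ep = &slots[slotid].ep[epid];
    if (ep->nr_pstreams == 0) {           /* no streams: a single ring */
        ep->dequeue = trb_pointer(trb);
        return CC_SUCCESS;
    }
    dq = find_stream(ep, trb_streamid(trb), &cc);
    if (dq == NULL)
        return cc;                        /* guest gets an error event */
    *dq = trb_pointer(trb);
    return CC_SUCCESS;
}

/* TRB words from the trace line just before the abort:
 * p 0x0, s 0x00000000, c 0x3afd4300. */
const Trb REPORT_TRB = { 0x0, 0x00000000, 0x3afd4300 };

/* Constructed device state: slot 58 and endpoint 29 enabled, with the
 * given number of primary streams (0 models a stream-less endpoint). */
static SlotCtx g_slots[MAX_SLOTS];

static void build_state(unsigned nr_pstreams)
{
    memset(g_slots, 0, sizeof(g_slots));
    g_slots[58].enabled = true;
    g_slots[58].ep[29].enabled = true;
    g_slots[58].ep[29].nr_pstreams = nr_pstreams;
}

/* Replay the report's TRB with a chosen status word (stream id in bits 31:16)
 * against an endpoint with nr_pstreams streams; returns the completion code. */
unsigned replay(uint32_t status_word, unsigned nr_pstreams)
{
    Trb trb = REPORT_TRB;
    trb.status = status_word;
    build_state(nr_pstreams);
    return set_tr_dequeue(g_slots, &trb);
}

int main(void)
{
    printf("slot %u ep %u stream %u -> cc %u\n", trb_slotid(&REPORT_TRB),
           trb_epid(&REPORT_TRB), trb_streamid(&REPORT_TRB), replay(0, 4));
    printf("stream 2 on a 4-stream endpoint -> cc %u\n", replay(2u << 16, 4));
    return 0;
}
```

The decoded slot, endpoint and stream ids match the usb_xhci_ep_set_dequeue trace line (slotid 58, epid 29, streamid 0), and the control words of the other commands in the trace decode the same way (0x2700 is type 9, Enable Slot; 0x4300 is type 16, Set TR Dequeue Pointer). With streams configured, the replay returns completion code 34 for stream id 0 and for any id at or past nr_pstreams; with no streams configured, stream id 0 is simply the single ring and succeeds.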

Thomas Huth (th-huth)
tags: added: usb
Thomas Huth (th-huth) wrote :

Can you still reproduce this assertion with the latest version 6.0 of QEMU? ... I cannot trigger it here, so I assume this issue has been fixed?

Changed in qemu:
status: New → Incomplete
Alexander Bulekov (a1xndr) wrote :

I don't think it is fixed yet. This is https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28571#c4

Bash Reproducer:
```
./qemu-system-i386 -display none -machine accel=qtest, -m 512M \
-machine q35 -nodefaults -drive \
file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci \
-device usb-tablet,bus=xhci.0 -device usb-bot -device \
usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 \
-device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid \
-device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 -device\
 usb-tablet -device usb-wacom-tablet -device usb-audio -qtest /dev/null \
-qtest stdio < attachment
```

Testcase:
```c
/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021 <name of author>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 512M -machine q35 -nodefaults -drive "
        "file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci -device "
        "usb-tablet,bus=xhci.0 -device usb-bot -device usb-storage,drive=disk0 -chardev "
        "null,id=cd0 -chardev null,id=cd1 -device usb-braille,chardev=cd0 -device "
        "usb-ccid -device usb-ccid -device usb-kbd -device usb-mouse -device "
        "usb-serial,chardev=cd1 -device usb-tablet -device usb-wacom-tablet -device "
        "usb-audio -qtest /dev/null");
    qtest_outl(s, 0xcf8, 0x80000816);
    qtest_outl(s, 0xcfc, 0xffff);
    qtest_outl(s, 0xcf8, 0x80000803);
    qtest_outl(s, 0xcfc, 0x0600);
    qtest_outl(s, 0xcf8, 0x80000810);
    qtest_outl(s, 0xcfc, 0x2e654000);
    qtest_writel(s, 0xffff00002e654040, 0xffffff05);
    qtest_bufwrite(s, 0x4d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xed, "\x04", 0x1);
    qtest_bufwrite(s, 0xfd, "\x04", 0x1);
    qtest_bufwrite(s, 0x10d, "\x04", 0x1);
    qtest_bufwrite(s, 0x11d, "\x04", 0x1);
    qtest_bufwrite(s, 0x12d, "\x04", 0x1);
    qtest_bufwrite(s, 0x13d, "\x04", 0x1);
    qtest_bufwrite(s, 0x14d, "\x04", 0x1);
    qtest_bufwrite(s, 0x15d, "\x04", 0x1);
    qtest_bufwrite(s, 0x16d, "\x04", 0x1);
    qtest_bufwrite(s, 0x17d, "\x04", 0x1);
    qtest_bufwrite(s, 0x18d, "\x04", 0x1);
    qtest_bufwrite(s, 0x19d, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x1bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x1fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x20d, "\x04", 0x1);
    qtest_bufwrite(s, 0x21d, "\x04", 0x1);
    qtest_bufwrite(s, 0x22d, "\x04", 0x1);
    qtest_bufwrite(s, 0x23d, "\x04", 0x1);
    qtest_bufwrite(s, 0x24d...
```

Alexander Bulekov (a1xndr) wrote :

Thomas Huth (th-huth) wrote :

Ok, with the new attachment from comment #5, I can also reproduce the bug again. It does not reproduce with the attachments from comment #1 or #2 anymore, so this now seems to be a different way to run into this assert. Anyway, setting the status back to Confirmed since it is reproducible again.

Changed in qemu:
status: Incomplete → Confirmed
Thomas Huth (th-huth) wrote : Moved bug report

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/273

Changed in qemu:
status: Confirmed → Expired