xhci_kick_epctx: Assertion `ring->dequeue != 0' failed.

Bug #1883732 reported by Bugs SysSec
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned

Bug Description

To reproduce run the QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
```

QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```

Revision history for this message
Bugs SysSec (bugs-syssec) wrote :
Revision history for this message
Alexander Bulekov (a1xndr) wrote :
Download full text (3.5 KiB)

Here's a QTest reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 \
-device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001014
outl 0xcfc 0xff000a8e
outl 0xcf8 0x80001004
outl 0xcfc 0x1c77695e
writel 0xff000a8e00000040 0x1d00d815
write 0x1d 0x1 0x5c
write 0x2d 0x1 0x27
write 0x3d 0x1 0x2e
write 0xd 0x1 0x60
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x4d 0x1 0x5c
write 0x5d 0x1 0x27
write 0x60 0x1 0x2e
write 0x61 0x1 0x72
write 0x62 0x1 0x01
write 0x6d 0x1 0x2e
write 0x6f 0x1 0x01
writel 0xff000a8e00002000 0x0
writeq 0xff000a8e00002000 0x514ef0100000009
EOF

The trace:
[R +0.031152] writel 0xff000a8e00000040 0x1d00d815
26994@1597124755.565242:usb_xhci_oper_write off 0x0000, val 0x1d00d815
26994@1597124755.565247:usb_xhci_run
26994@1597124755.565252:usb_xhci_irq_intx level 0
OK
[S +0.031173] OK
[R +0.031179] write 0x1d 0x1 0x5c
OK
[S +0.031190] OK
[R +0.031195] write 0x2d 0x1 0x27
OK
[S +0.031198] OK
[R +0.031203] write 0x3d 0x1 0x2e
OK
[S +0.031207] OK
[R +0.031211] write 0xd 0x1 0x60
OK
[S +0.031214] OK
[R +0.031219] write 0x17232 0x1 0x03
OK
[S +0.031224] OK
[R +0.031228] write 0x17254 0x1 0x05
OK
[S +0.031231] OK
[R +0.031236] write 0x4d 0x1 0x5c
OK
[S +0.031239] OK
[R +0.031244] write 0x5d 0x1 0x27
OK
[S +0.031247] OK
[R +0.031251] write 0x60 0x1 0x2e
OK
[S +0.031254] OK
[R +0.031259] write 0x61 0x1 0x72
OK
[S +0.031262] OK
[R +0.031267] write 0x62 0x1 0x01
OK
[S +0.031270] OK
[R +0.031275] write 0x6d 0x1 0x2e
OK
[S +0.031278] OK
[R +0.031282] write 0x6f 0x1 0x01
OK
[S +0.031286] OK
[R +0.031290] writel 0xff000a8e00002000 0x0
26994@1597124755.565377:usb_xhci_doorbell_write off 0x0000, val 0x00000000
26994@1597124755.565384:usb_xhci_fetch_trb addr 0x0000000000000000, ???, p 0x0000000000000000, s 0x00000000, c 0x00006000
26994@1597124755.565390:usb_xhci_unimplemented command (0x18)
26994@1597124755.565395:usb_xhci_fetch_trb addr 0x0000000000000010, CR_NOOP, p 0x0000000000000000, s 0x00000000, c 0x00005c00
26994@1597124755.565399:usb_xhci_fetch_trb addr 0x0000000000000020, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
26994@1597124755.565403:usb_xhci_slot_enable slotid 1
26994@1597124755.565406:usb_xhci_fetch_trb addr 0x0000000000000030, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
26994@1597124755.565411:usb_xhci_fetch_trb addr 0x0000000000000040, CR_NOOP, p 0x0000000000000000, s 0x00000000, c 0x00005c00
26994@1597124755.565416:usb_xhci_fetch_trb addr 0x0000000000000050, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
26994@1597124755.565421:usb_xhci_slot_enable slotid 2
26994@1597124755.565423:usb_xhci_fetch_trb addr 0x0000000000000060, CR_ADDRESS_DEVICE, p 0x000000000001722e, s 0x00000000, c 0x01002e00
26994@1597124755.565431:usb_xhci_slot_address slotid 1, port 1
26994@1597124755.565436:usb_xhci_ep_enable slotid 1, epid 1
26994@1597124755.565444:usb_xhci_fetch_trb addr 0x0000000000000070, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.031365] OK
[R +0.031370] writeq 0xff000a8e00002000 0x514...

Read more...

Revision history for this message
Alexander Bulekov (a1xndr) wrote :

ClusterFuzz testcase 5662083651469312 is verified as fixed in https://oss-fuzz.com/revisions?job=libfuzzer_asan_qemu&range=202011160601:202011170627

Changed in qemu:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers