QEMU

Segfault in artist_vram_read

Bug #1890312 reported by Alexander Bulekov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Helge Deller

Bug Description

Hello,
Reproducer:

cat << EOF | ./hppa-softmmu/qemu-system-hppa -m 64 -display none \
-qtest stdio -accel qtest
writew 0xf8118001 0x105a
readq 0xf900f8ff
EOF

=================================================================
==20118==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc6fb847672 (pc 0x55ec9c0f6828 bp 0x7ffd91000230 sp 0x7ffd90ffffd0 T0)
==20118==The signal is caused by a READ memory access.
    #0 0x55ec9c0f6828 in artist_vram_read /hw/display/artist.c:1174:15
    #1 0x55ec9b84a582 in memory_region_read_accessor /softmmu/memory.c:434:11
    #2 0x55ec9b7d1adc in access_with_adjusted_size /softmmu/memory.c:539:18
    #3 0x55ec9b7cd769 in memory_region_dispatch_read1 /softmmu/memory.c:1385:16
    #4 0x55ec9b7cc855 in memory_region_dispatch_read /softmmu/memory.c:1414:9
    #5 0x55ec9ae621de in flatview_read_continue /exec.c:3239:23
    #6 0x55ec9ae64fb1 in flatview_read /exec.c:3279:12
    #7 0x55ec9ae64af7 in address_space_read_full /exec.c:3292:18
    #8 0x55ec9b87c990 in address_space_read /include/exec/memory.h:2429:18
    #9 0x55ec9b87c990 in qtest_process_command /softmmu/qtest.c:485:13
    #10 0x55ec9b870c08 in qtest_process_inbuf /softmmu/qtest.c:710:9
    #11 0x55ec9b86f895 in qtest_read /softmmu/qtest.c:722:5
    #12 0x55ec9dd2b2f3 in qemu_chr_be_write_impl /chardev/char.c:188:9
    #13 0x55ec9dd2b477 in qemu_chr_be_write /chardev/char.c:200:9
    #14 0x55ec9dd3f763 in fd_chr_read /chardev/char-fd.c:68:9
    #15 0x55ec9de93b24 in qio_channel_fd_source_dispatch /io/channel-watch.c:84:12
    #16 0x7fc7261ad897 in g_main_context_dispatch ()
    #17 0x55ec9e28ba2b in glib_pollfds_poll /util/main-loop.c:217:9
    #18 0x55ec9e28915b in os_host_main_loop_wait /util/main-loop.c:240:5
    #19 0x55ec9e288af4 in main_loop_wait /util/main-loop.c:516:11
    #20 0x55ec9b891d00 in qemu_main_loop /softmmu/vl.c:1676:9
    #21 0x55ec9decb911 in main /softmmu/main.c:49:5

The error occurs even with Message-Id: <email address hidden> applied (I collected the above trace with the patch-set applied)

Thanks
-Alex

Helge Deller (hdeller)
Changed in qemu:
assignee: nobody → Helge Deller (hdeller)
Revision history for this message
Alexander Bulekov (a1xndr) wrote :

There's one more slightly further in the same function - line 1231 https://github.com/hdeller/qemu-hppa/blob/1e5391948f977932d17526c491d262a3cd99a690/hw/display/artist.c#L1231

cat << EOF | ./hppa-softmmu/qemu-system-hppa -m 64 -display none \
-qtest stdio -accel qtest
writeq 0xf8118005 0x1e7c50ff016d65ff
readl 0xf9080100
EOF

[I 1596601465.827371] OPENED
[R +0.043473] writeq 0xf8118005 0x1e7c50ff016d65ff
18615@1596601465.870899:artist_reg_write 1 0x118005 DST_BM_ACCESS <- 0x1e
18615@1596601465.870911:artist_reg_write 2 0x118006 DST_BM_ACCESS <- 0x7c50
18615@1596601465.870918:artist_reg_write 4 0x118008 SRC_BM_ACCESS <- 0xff016d65
18615@1596601465.870924:artist_reg_write 1 0x11800c CONTROL_PLANE <- 0xff
OK
[S +0.043557] OK
[R +0.043574] readl 0xf9080100
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18615==ERROR: AddressSanitizer: SEGV on unknown address 0x7f12d2a01040 (pc 0x560323116048 bp 0x7fffa8723bf0 sp 0x7fffa8723990 T0)
==18615==The signal is caused by a READ memory access.
    #0 0x560323116048 in artist_vram_read /home/alxndr/Development/qemu/general-fuzz/hw/display/artist.c:1231:23
    #1 0x560322868582 in memory_region_read_accessor /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:434:11
...

Revision history for this message
Philippe Mathieu-Daudé (philmd) wrote :

Fixed in commit a501bfc91763d4642390090dd4e6039d67b63702.

Changed in qemu:
status: New → Fix Committed
Revision history for this message
Thomas Huth (th-huth) wrote :

Released with QEMU v5.2.0.

Changed in qemu:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.