Assertion failure in address_space_unmap through virtio-blk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
Bug Description
Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-device virtio-blk,drive=mydrive \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc001
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xc006 0x3aff9090
outl 0xcf8 0x8000100e
outl 0xcfc 0x41005e1e
write 0x3b00002 0x1 0x5e
write 0x3b00004 0x1 0x5e
write 0x3aff5e6 0x1 0x11
write 0x3aff5eb 0x1 0xc6
write 0x3aff5ec 0x1 0xc6
write 0x7 0x1 0xff
write 0x8 0x1 0xfb
write 0xc 0x1 0x11
write 0xe 0x1 0x5e
write 0x5e8 0x1 0x11
write 0x5ec 0x1 0xc6
outl 0x410e 0x10e
EOF
qemu-fuzz-i386: /exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
==789== ERROR: libFuzzer: deadly signal
#8 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 in address_space_unmap /exec.c:3623:9
#10 in dma_memory_unmap /include/sysemu/dma.h:145:5
#11 in virtqueue_unmap_sg /hw/virtio/virtio.c:690:9
#12 in virtqueue_fill /hw/virtio/virtio.c:843:5
#13 in virtqueue_push /hw/virtio/virtio.c:917:5
#14 in virtio_blk_req_complete /hw/block/virtio-blk.c:83:5
#15 in virtio_blk_handle_request /hw/block/virtio-blk.c:671:13
#16 in virtio_blk_handle_vq /hw/block/virtio-blk.c:780:17
#17 in virtio_queue_notify_aio_vq /hw/virtio/virtio.c:2324:15
#18 in virtio_queue_host_notifier_aio_read /hw/virtio/virtio.c:3495:9
#19 in aio_dispatch_handler /util/aio-posix.c:328:9
#20 in aio_dispatch_handlers /util/aio-posix.c:371:20
#21 in aio_dispatch /util/aio-posix.c:381:5
#22 in aio_ctx_dispatch /util/async.c:306:5
#23 in g_main_context_dispatch
With -trace virtio*
...
[S +0.099667] OK
[R +0.099681] write 0x5ec 0x1 0xc6
OK
[S +0.099690] OK
[R +0.099700] outl 0x410e 0x10e
29575@1596590112.074339: virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
29575@1596590112.074423: virtio_blk_data_plane_start dataplane 0x60600000f260
OK
[S +0.099833] OK
29575@1596590112.076459: virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
29575@1596590112.076642: virtio_blk_handle_read vdev 0x62d000030590 req 0x611000043e80 sector 0 nsectors 0
29575@1596590112.076651: virtio_blk_req_complete vdev 0x62d000030590 req 0x611000043e80 status 1
qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
-Alex
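The backtrace above ends in address_space_unmap() asserting `mr != NULL`: the unmap path was handed a host buffer that no MemoryRegion backs, reached from the virtio-blk completion path (virtqueue_push → virtqueue_fill → virtqueue_unmap_sg → dma_memory_unmap) while processing a guest-controlled descriptor. As an added illustration, and not QEMU's code nor the fix for this report (the page does not name one), the toy C model below shows the map/unmap contract involved: the mapper reports failure with a NULL pointer and a zero length, and the device-side unmap loop skips elements that never mapped, so a descriptor pointing outside RAM is rejected with an error status instead of reaching the assertion. All names (toy_*), the single 4 KiB RAM region and the sample addresses are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t hwaddr;

/* Constructed toy guest RAM: a single 4 KiB region. Guest-physical
 * addresses outside it have no backing region, which is the situation
 * address_space_unmap()'s `mr != NULL` assertion guards against. */
#define TOY_RAM_SIZE 0x1000u
static uint8_t toy_ram[TOY_RAM_SIZE];

typedef struct { const char *name; } ToyMemoryRegion;
static ToyMemoryRegion toy_ram_mr = { "toy-ram" };

/* Map [addr, addr + *plen) for DMA. Returns a host pointer, or NULL when
 * the range is not backed by RAM. On failure *plen is set to 0 so a caller
 * that trusts only the length cannot later unmap a buffer that never existed. */
static void *toy_map(hwaddr addr, hwaddr *plen)
{
    if (addr >= TOY_RAM_SIZE || *plen > TOY_RAM_SIZE - addr) {
        *plen = 0;
        return NULL;
    }
    return toy_ram + addr;
}

/* Resolve a host pointer back to the region that owns it (NULL if none). */
static ToyMemoryRegion *toy_region_for(const void *buf)
{
    const uint8_t *p = buf;
    if (p >= toy_ram && p < toy_ram + TOY_RAM_SIZE) {
        return &toy_ram_mr;
    }
    return NULL;
}

/* Unmap: fails the same way the backtrace shows if buf is not a mapping. */
static void toy_unmap(void *buf, hwaddr len)
{
    ToyMemoryRegion *mr = toy_region_for(buf);
    assert(mr != NULL);
    (void)len;
}

typedef struct { void *buf; hwaddr len; } ToySgElem;

/* Device-side completion (cf. virtqueue_unmap_sg in the trace): only
 * elements that actually mapped are handed to unmap. Returns how many
 * elements were unmapped. */
static int toy_unmap_sg(ToySgElem *sg, int n)
{
    int done = 0;
    for (int i = 0; i < n; i++) {
        if (sg[i].buf == NULL || sg[i].len == 0) {
            continue;   /* nothing was mapped for this element */
        }
        toy_unmap(sg[i].buf, sg[i].len);
        done++;
    }
    return done;
}

/* Handle one guest-supplied descriptor; address and length are guest
 * controlled, exactly the input the fuzzer above varies. Returns 1 when
 * the request completed, 0 when the descriptor was rejected because it
 * did not map. The assertion in toy_unmap() is never reached either way. */
static int toy_handle_request(hwaddr desc_addr, hwaddr desc_len)
{
    ToySgElem sg[1];
    hwaddr len = desc_len;

    sg[0].buf = toy_map(desc_addr, &len);
    sg[0].len = len;
    if (sg[0].buf == NULL) {
        return 0;   /* device reports an error status to the guest instead */
    }
    memset(sg[0].buf, 0xa5, (size_t)sg[0].len);   /* stand-in for the I/O */
    return toy_unmap_sg(sg, 1) == 1;
}
```

The two checks that matter are the zeroed length on a failed map and the NULL/zero-length skip in the unmap loop; either alone keeps a rejected descriptor from ever reaching the `mr != NULL` assertion, and the request is failed back to the guest rather than aborting the emulator.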
Changed in qemu: status: New → In Progress
Hi Stefan,
This looks an awful lot like the one you looked at here:
https://<email address hidden>/msg705719.html
though this one is for virtio-pci, while that one was for virtio-mmio:
They are probably the same issue, but the original reproducer no longer
causes an assertion failure for me, so maybe there was already a fix.
-Alex
On 200805 0116, Alexander Bulekov wrote:
> Public bug reported:
>
> Hello,
> Reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 \
> -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> -device virtio-blk,drive=mydrive \
> -nodefaults -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xc001
> outl 0xcf8 0x80001014
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> outl 0xc006 0x3aff9090
> outl 0xcf8 0x8000100e
> outl 0xcfc 0x41005e1e
> write 0x3b00002 0x1 0x5e
> write 0x3b00004 0x1 0x5e
> write 0x3aff5e6 0x1 0x11
> write 0x3aff5eb 0x1 0xc6
> write 0x3aff5ec 0x1 0xc6
> write 0x7 0x1 0xff
> write 0x8 0x1 0xfb
> write 0xc 0x1 0x11
> write 0xe 0x1 0x5e
> write 0x5e8 0x1 0x11
> write 0x5ec 0x1 0xc6
> outl 0x410e 0x10e
> EOF
>
>
> qemu-fuzz-i386: /exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
> ==789== ERROR: libFuzzer: deadly signal
> #8 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
> #9 in address_space_unmap /exec.c:3623:9
> #10 in dma_memory_unmap /include/sysemu/dma.h:145:5
> #11 in virtqueue_unmap_sg /hw/virtio/virtio.c:690:9
> #12 in virtqueue_fill /hw/virtio/virtio.c:843:5
> #13 in virtqueue_push /hw/virtio/virtio.c:917:5
> #14 in virtio_blk_req_complete /hw/block/virtio-blk.c:83:5
> #15 in virtio_blk_handle_request /hw/block/virtio-blk.c:671:13
> #16 in virtio_blk_handle_vq /hw/block/virtio-blk.c:780:17
> #17 in virtio_queue_notify_aio_vq /hw/virtio/virtio.c:2324:15
> #18 in virtio_queue_host_notifier_aio_read /hw/virtio/virtio.c:3495:9
> #19 in aio_dispatch_handler /util/aio-posix.c:328:9
> #20 in aio_dispatch_handlers /util/aio-posix.c:371:20
> #21 in aio_dispatch /util/aio-posix.c:381:5
> #22 in aio_ctx_dispatch /util/async.c:306:5
> #23 in g_main_context_dispatch
>
>
> With -trace virtio*
>
> ...
> [S +0.099667] OK
> [R +0.099681] write 0x5ec 0x1 0xc6
> OK
> [S +0.099690] OK
> [R +0.099700] outl 0x410e 0x10e
> 29575@1596590112.074339: virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
> 29575@1596590112.074423: virtio_blk_data_plane_start dataplane 0x60600000f260
> OK
> [S +0.099833] OK
> 29575@1596590112.076459: virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
> 29575@1596590112.076642: virtio_blk_handle_read vdev 0x62d000030590 req 0x611000043e80 sector 0 nsectors 0
> 29575@1596590112.076651: virtio_blk_req_complete vdev 0x62d000030590 req 0x611000043e80 status 1
> qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
>
>
> -Alex
>
> ** Affects: qemu
> Importance: Undecided
> Status: New