
Re: Assertion failure through virtio_blk_req_complete


From: Stefan Hajnoczi
Subject: Re: Assertion failure through virtio_blk_req_complete
Date: Thu, 21 May 2020 14:44:40 +0100

On Mon, May 11, 2020 at 12:06:22AM -0400, Alexander Bulekov wrote:
> Hello,
> While fuzzing, I found an input that triggers an assertion through
> virtio-blk.c:
> 
> void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr): Assertion `mr != NULL' failed
> 
> #8 0x7fa947707091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
> #9 0x55ec68a73a97 in address_space_unmap exec.c:3619:9
> #10 0x55ec6943ffab in dma_memory_unmap include/sysemu/dma.h:145:5
> #11 0x55ec693e2df6 in virtqueue_unmap_sg hw/virtio/virtio.c:640:9
> #12 0x55ec693e435b in virtqueue_fill hw/virtio/virtio.c:789:5
> #13 0x55ec693e8cf0 in virtqueue_push hw/virtio/virtio.c:863:5
> #14 0x55ec68ff73ce in virtio_blk_req_complete hw/block/virtio-blk.c:83:5
> #15 0x55ec68ff037e in virtio_blk_handle_request hw/block/virtio-blk.c:671:13
> #16 0x55ec68fec4c0 in virtio_blk_handle_vq hw/block/virtio-blk.c:780:17
> #17 0x55ec6901ae79 in virtio_blk_handle_output_do hw/block/virtio-blk.c:803:5
> #18 0x55ec6901a336 in virtio_blk_handle_output hw/block/virtio-blk.c:819:5
> #19 0x55ec694168f0 in virtio_queue_notify hw/virtio/virtio.c:2284:9
> #20 0x55ec6b55abc5 in virtio_mmio_write hw/virtio/virtio-mmio.c:369:13
> #21 0x55ec68d9e17b in memory_region_write_accessor memory.c:496:5
> 
> I can reproduce it in a qemu 5.0 build using:
> cat << EOF | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio
> write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101
> write 0x1ba1003 0x2 0x0101
> write 0xc0000e28 0x2c 0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000
> EOF
> 
> I also uploaded the above trace, in case the formatting is broken:
> 
> curl https://paste.debian.net/plain/1146092 | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio

Thanks! I've found the root cause for this. Will send a patch.

Stefan

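As an added example (not code from the report or from QEMU), a small Python checker for the qtest reproducer format used above: it re-joins command lines that a mail client wrapped and verifies that each write's size field agrees with its hex payload, which is the "in case the formatting is broken" concern in the report. The keyword-token rule for spotting a new command and the trailing-space join rule are assumptions about how mail wrapping splits these lines.

```python
import re

# One qtest "write" command: write <addr> <size> <payload>, all 0x-prefixed hex.
WRITE_RE = re.compile(r"^write\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]*)$", re.I)
# Assumption: a command line starts with a keyword token and whitespace; a
# mail-wrapped continuation (the tail of a long hex payload) does not.
COMMAND_RE = re.compile(r"^[a-z][a-z0-9_]*\s")

def join_wrapped_lines(text):
    """Re-join qtest command lines that a mail client split across lines."""
    lines = []
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        if lines and not COMMAND_RE.match(raw.lstrip()):
            # Continuation: the previous line keeps any trailing space, so a
            # wrap at a token boundary and a wrap mid-payload both rejoin.
            lines[-1] += raw.strip()
        else:
            lines.append(raw)
    return [line.strip() for line in lines]

def parse_write(line):
    """Parse one write command; ValueError if size and payload length disagree."""
    m = WRITE_RE.match(line)
    if m is None:
        raise ValueError("malformed qtest write command: %r" % line)
    addr, size = int(m.group(1), 16), int(m.group(2), 16)
    payload = bytes.fromhex(m.group(3)[2:])  # also rejects odd-length hex
    if len(payload) != size:
        raise ValueError("size 0x%x but %d payload bytes: %r" % (size, len(payload), line))
    return addr, size, payload

def write_is_consistent(line):
    """True when the line is a well-formed write whose payload matches its size."""
    try:
        parse_write(line)
        return True
    except ValueError:
        return False

def check_trace(text):
    """Validate a whole reproducer; returns the parsed (addr, size, payload) tuples."""
    return [parse_write(line) for line in join_wrapped_lines(text)]

# The three write commands from the report above; the third is split the way
# a mail client wraps it, with the trailing space kept on the first half.
TRACE = "\n".join([
    "write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101",
    "write 0x1ba1003 0x2 0x0101",
    "write 0xc0000e28 0x2c ",
    "0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000",
]) + "\n"
```

Running `check_trace` over a pasted reproducer before feeding it to `-qtest stdio` catches a truncated or mis-wrapped payload up front instead of letting qtest reject it mid-run.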