From: Alexander Bulekov
Subject: Re: [Bug 1878067] Re: Assertion failure in eth_get_gso_type through the e1000e
Date: Tue, 25 May 2021 16:52:44 -0000

Yes - looks like it was fixed in
7564bf7701 ("net: remove an assert call in eth_get_gso_type")

On 210525 0953, Thomas Huth wrote:
> I can reproduce this with QEMU v5.0, but with the current master branch,
> the problem seems to be gone for me. Can you confirm that it is fixed?
> 
> ** Changed in: qemu
>        Status: New => Incomplete
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1878067
> 
> Title:
>   Assertion failure in eth_get_gso_type through the e1000e
> 
> Status in QEMU:
>   Incomplete
> 
> Bug description:
>   Hello,
>   While fuzzing, I found an input that triggers an assertion failure in
>   eth_get_gso_type through the e1000e:
> 
>   #1  0x00007ffff685755b in __GI_abort () at abort.c:79
>   #2  0x00007ffff7c75dc3 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
>   #3  0x00007ffff7cd0b0a in g_assertion_message_expr () at 
> /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
>   #4  0x0000555556875f33 in eth_get_gso_type (l3_proto=<optimized out>, 
> l3_hdr=<optimized out>, l4proto=<optimized out>) at 
> /home/alxndr/Development/qemu/net/eth.c:76
>   #5  0x00005555565e09ac in net_tx_pkt_get_gso_type (pkt=0x631000014800, 
> tso_enable=0x1) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:300
>   #6  0x00005555565e09ac in net_tx_pkt_build_vheader (pkt=0x631000014800, 
> tso_enable=<optimized out>, csum_enable=<optimized out>, gso_size=<optimized 
> out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:316
>   #7  0x000055555660bdb1 in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, 
> tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:637
>   #8  0x000055555660bdb1 in e1000e_tx_pkt_send (core=0x7fffeeb754e0, 
> tx=0x7fffeeb95748, queue_index=<optimized out>) at 
> /home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
>   #9  0x000055555660bdb1 in e1000e_process_tx_desc (core=0x7fffeeb754e0, 
> tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at 
> /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
>   #10 0x000055555660bdb1 in e1000e_start_xmit 
> (core=core@entry=0x7fffeeb754e0, txr=<optimized out>, 
> txr@entry=0x7fffffffbe60) at 
> /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
>   #11 0x0000555556607e2e in e1000e_set_tctl (core=0x7fffeeb754e0, 
> index=<optimized out>, val=<optimized out>) at 
> /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2431
>   #12 0x00005555565f90fd in e1000e_core_write (core=<optimized out>, 
> addr=<optimized out>, val=<optimized out>, size=<optimized out>) at 
> /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
>   #13 0x0000555555ff4337 in memory_region_write_accessor (mr=<optimized out>, 
> addr=<optimized out>, value=<optimized out>, size=<optimized out>, 
> shift=<optimized out>, mask=<optimized out>, attrs=...) at 
> /home/alxndr/Development/qemu/memory.c:483
>   #14 0x0000555555ff3ce0 in access_with_adjusted_size (addr=<optimized out>, 
> value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, 
> access_size_max=<optimized out>, access_fn=<optimized out>, 
> mr=0x7fffeeb75110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
>   #15 0x0000555555ff3ce0 in memory_region_dispatch_write (mr=<optimized out>, 
> addr=<optimized out>, data=0x2b, op=<optimized out>, attrs=...) at 
> /home/alxndr/Development/qemu/memory.c:1476
> 
>   I can reproduce it in qemu 5.0 built with using:
>   cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M 
> pc-q35-5.0 -netdev user,id=qtest-bn0 -device e1000e,netdev=qtest-bn0 -display 
> none -nodefaults -nographic -qtest stdio -monitor none -serial none
>   outl 0xcf8 0x80000810
>   outl 0xcfc 0xe0000000
>   outl 0xcf8 0x80000814
>   outl 0xcf8 0x80000804
>   outw 0xcfc 0x7
>   outl 0xcf8 0x800008a2
>   write 0xe0000420 0x1fc 
> 0x3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff272d2f3ff9ffdf00000000002477ff272d2f3ff9ffdf0000000000247fff272d2f3ff9ffdf00000000002487ff272d2f3ff9ffdf0000000000248fff272d2f3ff9ffdf00000000002497ff272d2f3ff9ffdf0000000000249fff272d2f3ff9ffdf000000000024a7ff272d2f3ff9ffdf000000000024afff272d2f3ff9ffdf000000000024b7ff272d2f3ff9ffdf000000000024bfff272d2f3ff9ffdf000000000024c7ff272d2f3ff9ffdf000000000024cfff272d2f3ff9ffdf000000000024d7ff272d2f3ff9ffdf000000000024dfff272d2f3ff9ffdf000000000024e7ff272d2f3ff9ffdf000000000024efff272d2f3ff9ffdf000000000024f7ff272d2f3ff9ffdf000000000024ffff272d2f3ff9ffdf00000000002407ff272d2f3ff9ffdf0000000000240fff272d2f3ff9ffdf00000000002417ff272d2f3ff9ffdf0000000000241fff272d2f3ff9ffdf00000000002427ff272d2f3ff9ffdf0000000000242fff272d2f3ff9ffdf00000000002437ff272d2f3ff9ffdf0000000000243fff272d2f3ff9ffdf00000000002447ff272d2f3ff9ffdf0000000000244fff272d2f3ff9ffdf00000000002457ff272d2f3ff9ffdf0000000000245fff272d2f3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff27
>   write 0xe00000b8 0x349 
> 0xa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52b
>   EOF
> 
>   I also attached the trace to this launchpad report, in case the
>   formatting is broken:
> 
>   qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device
>   e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest
>   stdio -monitor none -serial none < attachment
> 
>   Please let me know if I can provide any further info.
>   -Alex
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1878067/+subscriptions
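As an added illustration (not QEMU's code and not the diff of the referenced commit), a simplified C model of the pattern the report and the fix describe: the device model classifies the L3/L4 protocol pair of a guest-built frame into a GSO type; the pre-fix version treats an unmatched pair as unreachable (in QEMU that was g_assert_not_reached(), which aborts the whole VMM on guest-controlled input), while the post-fix version logs and falls through to GSO_NONE. The GSO_ABORTED sentinel and the aborted flag are assumptions of this model so the abort is observable without killing the process.

```c
#include <stdint.h>
#include <stdio.h>

/* Protocol and GSO-type constants; the values are the standard ones. */
#define ETH_P_IP     0x0800
#define ETH_P_IPV6   0x86DD
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
#define GSO_NONE     0
#define GSO_TCPV4    1
#define GSO_UDP      3
#define GSO_TCPV6    4
#define GSO_ABORTED  0xFF  /* sentinel for this model only, not a QEMU value */

/* Shared classifier: the l3_proto/l4proto pair is parsed out of a frame the
 * guest built, so any combination can show up here. Returns -1 if none matches. */
static int classify_gso(uint16_t l3_proto, uint8_t l4proto)
{
    if (l3_proto == ETH_P_IP) {
        if (l4proto == IP_PROTO_TCP) return GSO_TCPV4;
        if (l4proto == IP_PROTO_UDP) return GSO_UDP;
    } else if (l3_proto == ETH_P_IPV6) {
        if (l4proto == IP_PROTO_TCP) return GSO_TCPV6;
    }
    return -1;
}

/* Before the fix: an unmatched pair was treated as a programmer error via
 * g_assert_not_reached(), aborting the VMM. Here a flag records the outcome. */
static int aborted;
static uint8_t gso_type_asserting(uint16_t l3_proto, uint8_t l4proto)
{
    int t = classify_gso(l3_proto, l4proto);
    if (t < 0) {
        aborted = 1;             /* stands in for g_assert_not_reached() */
        return GSO_ABORTED;
    }
    return (uint8_t)t;
}

/* After the fix: unknown input is not a bug, just not a GSO frame.
 * Log it (fprintf stands in for qemu_log_mask) and fall through to GSO_NONE. */
static uint8_t gso_type_fixed(uint16_t l3_proto, uint8_t l4proto)
{
    int t = classify_gso(l3_proto, l4proto);
    if (t < 0) {
        fprintf(stderr, "not a GSO frame: unknown L3 protocol 0x%04x\n", l3_proto);
        return GSO_NONE;
    }
    return (uint8_t)t;
}
```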
