From: Thomas Huth <1878067@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1878067] Re: Assertion failure in eth_get_gso_type through the e1000e
Date: Tue, 25 May 2021 09:53:48 -0000
Message-ID: <162193642849.18988.391910116164926060.malone@chaenomeles.canonical.com>
In-Reply-To: 158922026261.5250.13637087242622903872.malonedeb@chaenomeles.canonical.com

I can reproduce this with QEMU v5.0, but with the current master branch,
the problem seems to be gone for me. Can you confirm that it is fixed?

** Changed in: qemu
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878067

Title:
  Assertion failure in eth_get_gso_type through the e1000e

Status in QEMU:
  Incomplete

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an assertion failure in
  eth_get_gso_type through the e1000e:

  #1  0x00007ffff685755b in __GI_abort () at abort.c:79
  #2  0x00007ffff7c75dc3 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
  #3  0x00007ffff7cd0b0a in g_assertion_message_expr () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
  #4  0x0000555556875f33 in eth_get_gso_type (l3_proto=<optimized out>, l3_hdr=<optimized out>, l4proto=<optimized out>) at /home/alxndr/Development/qemu/net/eth.c:76
  #5  0x00005555565e09ac in net_tx_pkt_get_gso_type (pkt=0x631000014800, tso_enable=0x1) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:300
  #6  0x00005555565e09ac in net_tx_pkt_build_vheader (pkt=0x631000014800, tso_enable=<optimized out>, csum_enable=<optimized out>, gso_size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:316
  #7  0x000055555660bdb1 in e1000e_setup_tx_offloads (core=0x7fffeeb754e0, tx=0x7fffeeb95748) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:637
  #8  0x000055555660bdb1 in e1000e_tx_pkt_send (core=0x7fffeeb754e0, tx=0x7fffeeb95748, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:658
  #9  0x000055555660bdb1 in e1000e_process_tx_desc (core=0x7fffeeb754e0, tx=0x7fffeeb95748, dp=<optimized out>, queue_index=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #10 0x000055555660bdb1 in e1000e_start_xmit (core=core@entry=0x7fffeeb754e0, txr=<optimized out>, txr@entry=0x7fffffffbe60) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #11 0x0000555556607e2e in e1000e_set_tctl (core=0x7fffeeb754e0, index=<optimized out>, val=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2431
  #12 0x00005555565f90fd in e1000e_core_write (core=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #13 0x0000555555ff4337 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #14 0x0000555555ff3ce0 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x7fffeeb75110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #15 0x0000555555ff3ce0 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x2b, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476

  I can reproduce it in qemu 5.0 using:
  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio -monitor none -serial none
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x800008a2
  write 0xe0000420 0x1fc 0x3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff272d2f3ff9ffdf00000000002477ff272d2f3ff9ffdf0000000000247fff272d2f3ff9ffdf00000000002487ff272d2f3ff9ffdf0000000000248fff272d2f3ff9ffdf00000000002497ff272d2f3ff9ffdf0000000000249fff272d2f3ff9ffdf000000000024a7ff272d2f3ff9ffdf000000000024afff272d2f3ff9ffdf000000000024b7ff272d2f3ff9ffdf000000000024bfff272d2f3ff9ffdf000000000024c7ff272d2f3ff9ffdf000000000024cfff272d2f3ff9ffdf000000000024d7ff272d2f3ff9ffdf000000000024dfff272d2f3ff9ffdf000000000024e7ff272d2f3ff9ffdf000000000024efff272d2f3ff9ffdf000000000024f7ff272d2f3ff9ffdf000000000024ffff272d2f3ff9ffdf00000000002407ff272d2f3ff9ffdf0000000000240fff272d2f3ff9ffdf00000000002417ff272d2f3ff9ffdf0000000000241fff272d2f3ff9ffdf00000000002427ff272d2f3ff9ffdf0000000000242fff272d2f3ff9ffdf00000000002437ff272d2f3ff9ffdf0000000000243fff272d2f3ff9ffdf00000000002447ff272d2f3ff9ffdf0000000000244fff272d2f3ff9ffdf00000000002457ff272d2f3ff9ffdf0000000000245fff272d2f3ff9ffdf00000000002467ff272d2f3ff9ffdf0000000000246fff27
  write 0xe00000b8 0x349 0xa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52bff003100ffa300f52b
  EOF

  I also attached the trace to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device
  e1000e,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest
  stdio -monitor none -serial none < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878067/+subscriptions
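To make a qtest reproducer like the one above easier to read during triage, here is an added decoder (my code, not QEMU's and not the reporter's) that maps the 0xcf8/0xcfc port writes to PCI config-space fields and the MMIO writes to offsets inside the BAR they land in. It assumes TCTL at offset 0x400 and a 128 KiB BAR, both taken from the Intel e1000-family datasheet rather than from the page, and its sample script is a constructed, shortened copy of the report's reproducer.

```python
# Added triage helper, not QEMU code: decode the guest-side I/O of a qtest script.
PCI_CFG_ADDR, PCI_CFG_DATA = 0xCF8, 0xCFC
E1000_TCTL = 0x400  # assumption: TCTL offset from the Intel e1000-family datasheet

def pci_cfg_fields(val):
    """Split a 0xCF8 address word into (bus, dev, func, reg); bit 31 is the enable bit."""
    return (val >> 16) & 0xFF, (val >> 11) & 0x1F, (val >> 8) & 0x7, val & 0xFC

def decode_qtest(script):
    """Return one event dict per qtest line that has an observable effect."""
    events, sel, bars = [], None, {}
    for line in script.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] in ("outb", "outw", "outl"):
            port, val = int(f[1], 16), int(f[2], 16)
            if port == PCI_CFG_ADDR:
                sel = pci_cfg_fields(val)        # selects a config register, no effect yet
            elif port == PCI_CFG_DATA and sel:
                bus, dev, fn, reg = sel
                ev = {"type": "pci_cfg", "bdf": f"{bus:02x}:{dev:02x}.{fn}", "reg": reg, "val": val}
                if 0x10 <= reg <= 0x24:          # BAR0..BAR5: remember the base for later MMIO
                    ev["bar"] = (reg - 0x10) // 4
                    bars[ev["bar"]] = val & ~0xF
                elif reg == 0x04:                # COMMAND: bit 1 memory space, bit 2 bus master
                    ev["mem_enable"], ev["bus_master"] = bool(val & 2), bool(val & 4)
                events.append(ev)
            else:
                events.append({"type": "pio", "port": port, "val": val})
        elif f[0] == "write":
            addr, size = int(f[1], 16), int(f[2], 16)
            nbytes = len(f[3][2:]) // 2 if len(f) > 3 else 0   # compare with size to spot truncation
            ev = {"type": "mmio", "addr": addr, "size": size, "data_bytes": nbytes}
            for idx, base in bars.items():
                if base <= addr < base + 0x20000:  # assumption: 128 KiB BAR, as for e1000e BAR0
                    ev["bar"], ev["off"] = idx, addr - base
                    # a write that spans TCTL is what reaches e1000e_set_tctl in the backtrace
                    ev["touches_tctl"] = ev["off"] <= E1000_TCTL < ev["off"] + size
            events.append(ev)
    return events

# Constructed sample modelled on the report's reproducer; the long hex payloads are shortened
SAMPLE = """\
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x7
write 0xe0000420 0x1fc 0x3ff9ffdf
write 0xe00000b8 0x349 0xa300f52b
"""
```

The decoder reports the hex byte count next to the declared size, so a payload mangled by mail formatting (the reporter's concern when attaching the trace) shows up as a mismatch rather than a silently different reproducer.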

