* [Bug 1880424] [NEW] I/O write make imx_epit_reset() crash
@ 2020-05-24 17:27 Philippe Mathieu-Daudé
2020-07-28 19:54 ` [Bug 1880424] " Peter Maydell
2020-08-20 15:11 ` Thomas Huth
0 siblings, 2 replies; 3+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-05-24 17:27 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
** Affects: qemu
Importance: Undecided
Status: New
** Tags: arm
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880424
Title:
I/O write make imx_epit_reset() crash
Status in QEMU:
New
Bug description:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880424/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug 1880424] Re: I/O write make imx_epit_reset() crash
2020-05-24 17:27 [Bug 1880424] [NEW] I/O write make imx_epit_reset() crash Philippe Mathieu-Daudé
@ 2020-07-28 19:54 ` Peter Maydell
2020-08-20 15:11 ` Thomas Huth
1 sibling, 0 replies; 3+ messages in thread
From: Peter Maydell @ 2020-07-28 19:54 UTC (permalink / raw)
To: qemu-devel
Patch on list:
https://patchew.org/QEMU/20200727154550.3409-1-peter.maydell@linaro.org/
** Changed in: qemu
Status: New => In Progress
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880424
Title:
I/O write make imx_epit_reset() crash
Status in QEMU:
In Progress
Bug description:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880424/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug 1880424] Re: I/O write make imx_epit_reset() crash
2020-05-24 17:27 [Bug 1880424] [NEW] I/O write make imx_epit_reset() crash Philippe Mathieu-Daudé
2020-07-28 19:54 ` [Bug 1880424] " Peter Maydell
@ 2020-08-20 15:11 ` Thomas Huth
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Huth @ 2020-08-20 15:11 UTC (permalink / raw)
To: qemu-devel
Patch has been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=13557fd392890cbd985
** Changed in: qemu
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880424
Title:
I/O write make imx_epit_reset() crash
Status in QEMU:
Fix Released
Bug description:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880424/+subscriptions
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-08-20 15:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-24 17:27 [Bug 1880424] [NEW] I/O write make imx_epit_reset() crash Philippe Mathieu-Daudé
2020-07-28 19:54 ` [Bug 1880424] " Peter Maydell
2020-08-20 15:11 ` Thomas Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.