All of lore.kernel.org
 help / color / mirror / Atom feed
From: Thomas Huth <1880424@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1880424] Re: I/O write make imx_epit_reset() crash
Date: Thu, 20 Aug 2020 15:11:01 -0000	[thread overview]
Message-ID: <159793626167.5213.1293063732209886260.malone@gac.canonical.com> (raw)
In-Reply-To: 159034126455.806.14576501511642959242.malonedeb@chaenomeles.canonical.com

Patch has been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=13557fd392890cbd985

** Changed in: qemu
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880424

Title:
  I/O write make imx_epit_reset() crash

Status in QEMU:
  Fix Released

Bug description:
  libFuzzer found:

  qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
  ==6041== ERROR: libFuzzer: deadly signal
      #8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
      #9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
      #10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
      #11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
      #12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
      #13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
      #14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
      #15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
      #16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
      #17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)

  Reproducer:

  qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
  writel 0x53f94000 0x110000
  EOF

  qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion `!s->in_transaction' failed.
  Aborted (core dumped)

  (gdb) bt
  #1  0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
  #2  0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
  #3  0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
  #4  0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at hw/core/ptimer.c:377
  #5  0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at hw/timer/imx_epit.c:111
  #6  0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0, value=1114112, size=4) at hw/timer/imx_epit.c:209
  #7  0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0, addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:483
  #8  0x000055ee8513dd96 in access_with_adjusted_size (addr=0, value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
      0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0, attrs=...) at memory.c:545
  #9  0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0, addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
  #10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0, addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4, mr=0x55ee871728f0) at exec.c:3147
  #11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
  #12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560, addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880424/+subscriptions


      parent reply	other threads:[~2020-08-20 15:24 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-24 17:27 [Bug 1880424] [NEW] I/O write make imx_epit_reset() crash Philippe Mathieu-Daudé
2020-07-28 19:54 ` [Bug 1880424] " Peter Maydell
2020-08-20 15:11 ` Thomas Huth [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=159793626167.5213.1293063732209886260.malone@gac.canonical.com \
    --to=1880424@bugs.launchpad.net \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.