* [Bug 1883729] [NEW] xhci_find_stream: Assertion `streamid != 0' failed.
From: Bugs SysSec @ 2020-06-16 15:33 UTC
  To: qemu-devel

Public bug reported:

To reproduce, run QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
```

QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "xhci_assert3.zip"
   https://bugs.launchpad.net/bugs/1883729/+attachment/5384432/+files/xhci_assert3.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883729

Title:
  xhci_find_stream: Assertion `streamid != 0' failed.

Status in QEMU:
  New

Bug description:
  To reproduce, run QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883729/+subscriptions


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Alexander Bulekov @ 2020-08-11  2:10 UTC
  To: qemu-devel

Attaching a QTest reproducer.
./i386-softmmu/qemu-system-i386 -device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio < repro


Close to the crash:
21000@1597111713.503068:usb_xhci_slot_configure slotid 58
21000@1597111713.503074:usb_xhci_ep_disable slotid 58, epid 2
21000@1597111713.503077:usb_xhci_ep_enable slotid 58, epid 2
21000@1597111713.503085:usb_xhci_ep_disable slotid 58, epid 6
21000@1597111713.503088:usb_xhci_ep_enable slotid 58, epid 6
21000@1597111713.503092:usb_xhci_ep_disable slotid 58, epid 24
21000@1597111713.503095:usb_xhci_ep_enable slotid 58, epid 24
21000@1597111713.503099:usb_xhci_ep_disable slotid 58, epid 25
21000@1597111713.503102:usb_xhci_ep_enable slotid 58, epid 25
21000@1597111713.503106:usb_xhci_ep_disable slotid 58, epid 29
21000@1597111713.503109:usb_xhci_ep_enable slotid 58, epid 29
21000@1597111713.503113:usb_xhci_ep_disable slotid 58, epid 30
21000@1597111713.503116:usb_xhci_ep_enable slotid 58, epid 30
21000@1597111713.503121:usb_xhci_fetch_trb addr 0x0000000000000b20, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503127:usb_xhci_slot_enable slotid 59
21000@1597111713.503130:usb_xhci_fetch_trb addr 0x0000000000000b30, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x00004300
21000@1597111713.503135:usb_xhci_fetch_trb addr 0x0000000000000b40, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503140:usb_xhci_slot_enable slotid 60
21000@1597111713.503143:usb_xhci_fetch_trb addr 0x0000000000000b50, CR_EVALUATE_CONTEXT, p 0x0000000000000000, s 0x00000000, c 0x00003600
21000@1597111713.503149:usb_xhci_fetch_trb addr 0x0000000000000b60, CR_STOP_ENDPOINT, p 0x0000000000000000, s 0x00000000, c 0x3afd3c00
21000@1597111713.503154:usb_xhci_ep_stop slotid 58, epid 29
21000@1597111713.503159:usb_xhci_ep_state slotid 58, epid 29, running -> stopped
21000@1597111713.503163:usb_xhci_fetch_trb addr 0x0000000000000b70, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503168:usb_xhci_slot_enable slotid 61
21000@1597111713.503171:usb_xhci_fetch_trb addr 0x0000000000000b80, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x3afd4300
21000@1597111713.503177:usb_xhci_ep_set_dequeue slotid 58, epid 29, streamid 0, ptr 0x0000000000000000
qemu-system-i386: hw/usb/hcd-xhci.c:1016: XHCIStreamContext *xhci_find_stream(XHCIEPContext *, unsigned int, uint32_t *): Assertion `streamid != 0' failed.
Aborted


** Attachment added: "repro"
   https://bugs.launchpad.net/qemu/+bug/1883729/+attachment/5400547/+files/repro

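An added example (not part of the bug report or of QEMU) that decodes the command TRBs in the trace above and flags the pattern it ends on: a Set TR Dequeue Pointer command with stream ID 0 against an endpoint that has just been stopped. Field offsets follow the xHCI specification; the line formats are assumed from the QEMU 5.0 trace quoted above, and the sample lines are copied from it.

```python
"""Decode xHCI command TRBs from QEMU's usb_xhci_* trace lines and flag Set TR
Dequeue Pointer commands carrying stream ID 0 for an endpoint that was just
stopped.  Added example, not QEMU code.  Command TRB layout (xHCI spec):
control dword bits 10..15 = TRB type, 16..20 = endpoint ID, 24..31 = slot ID;
for Set TR Dequeue Pointer the status dword bits 16..31 hold the stream ID."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Command TRB type codes (the subset that appears in the trace on this page).
TRB_TYPE_NAMES = {
    9: "CR_ENABLE_SLOT", 10: "CR_DISABLE_SLOT", 11: "CR_ADDRESS_DEVICE",
    12: "CR_CONFIGURE_ENDPOINT", 13: "CR_EVALUATE_CONTEXT",
    14: "CR_RESET_ENDPOINT", 15: "CR_STOP_ENDPOINT", 16: "CR_SET_TR_DEQUEUE",
}
CR_SET_TR_DEQUEUE = 16

# Line shapes assumed from the QEMU 5.0 trace output quoted in the thread.
FETCH_RE = re.compile(
    r"usb_xhci_fetch_trb addr (0x[0-9a-f]+), \w+, p (0x[0-9a-f]+), "
    r"s (0x[0-9a-f]+), c (0x[0-9a-f]+)")
EP_STATE_RE = re.compile(
    r"usb_xhci_ep_state slotid (\d+), epid (\d+), \w+ -> (\w+)")


@dataclass(frozen=True)
class CommandTrb:
    addr: int  # guest address the TRB was fetched from
    trb_type: int
    slot_id: int
    ep_id: int
    stream_id: int


def decode_command_trb(addr: int, status: int, control: int) -> CommandTrb:
    """Split the status/control dwords into the fields the controller acts on."""
    return CommandTrb(
        addr=addr,
        trb_type=(control >> 10) & 0x3F,
        slot_id=(control >> 24) & 0xFF,
        ep_id=(control >> 16) & 0x1F,
        stream_id=(status >> 16) & 0xFFFF,
    )


def find_zero_stream_dequeue(trace_lines: Iterable[str]) -> List[CommandTrb]:
    """Set TR Dequeue commands with stream ID 0 whose endpoint is 'stopped' at
    that point (the state the handler requires before it looks a stream up).
    Whether the lookup then trips the 'streamid != 0' assertion depends on the
    endpoint having primary streams configured, which the trace does not
    record, so these are candidates to inspect, not confirmed crashes."""
    stopped: Set[Tuple[int, int]] = set()
    findings: List[CommandTrb] = []
    for line in trace_lines:
        m = EP_STATE_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if m.group(3) == "stopped":
                stopped.add(key)
            else:
                stopped.discard(key)
            continue
        m = FETCH_RE.search(line)
        if not m:
            continue
        addr, _param, status, control = (int(x, 16) for x in m.groups())
        cmd = decode_command_trb(addr, status, control)
        # Slot 0 and endpoint 0 are invalid targets; the controller rejects
        # them with a TRB error before any stream lookup happens.
        if cmd.trb_type != CR_SET_TR_DEQUEUE or cmd.slot_id == 0 or cmd.ep_id == 0:
            continue
        if cmd.stream_id == 0 and (cmd.slot_id, cmd.ep_id) in stopped:
            findings.append(cmd)
    return findings


# Excerpt of the trace quoted above (last commands before the abort), used as
# sample input.
SAMPLE_TRACE = [
    "21000@1597111713.503130:usb_xhci_fetch_trb addr 0x0000000000000b30, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x00004300",
    "21000@1597111713.503149:usb_xhci_fetch_trb addr 0x0000000000000b60, CR_STOP_ENDPOINT, p 0x0000000000000000, s 0x00000000, c 0x3afd3c00",
    "21000@1597111713.503159:usb_xhci_ep_state slotid 58, epid 29, running -> stopped",
    "21000@1597111713.503171:usb_xhci_fetch_trb addr 0x0000000000000b80, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x3afd4300",
]
```

Call `find_zero_stream_dequeue(SAMPLE_TRACE)`, or feed it the output of a `-trace usb_xhci\*` run of your own; on the sample it returns only the TRB at 0xb80 for slot 58, endpoint 29, while the slot-0 dequeue at 0xb30 is skipped.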

* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Thomas Huth @ 2021-05-11  5:31 UTC
  To: qemu-devel

** Tags added: usb


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Thomas Huth @ 2021-05-11 17:08 UTC
  To: qemu-devel

Can you still reproduce this assertion with the latest version 6.0 of
QEMU? ... I cannot trigger it here, so I assume this issue has been
fixed?

** Changed in: qemu
       Status: New => Incomplete


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Alexander Bulekov @ 2021-05-11 17:51 UTC
  To: qemu-devel

I don't think it is fixed yet. This is
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28571#c4

Bash Reproducer:
./qemu-system-i386 -display none -machine accel=qtest, -m 512M \
-machine q35 -nodefaults -drive \
file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci \
-device usb-tablet,bus=xhci.0 -device usb-bot -device \
usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 \
-device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid \
-device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 -device\
 usb-tablet -device usb-wacom-tablet -device usb-audio -qtest /dev/null \
-qtest stdio < attachment

Testcase:
/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021 <name of author>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 512M -machine q35 -nodefaults -drive "
        "file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci -device "
        "usb-tablet,bus=xhci.0 -device usb-bot -device usb-storage,drive=disk0 -chardev "
        "null,id=cd0 -chardev null,id=cd1 -device usb-braille,chardev=cd0 -device "
        "usb-ccid -device usb-ccid -device usb-kbd -device usb-mouse -device "
        "usb-serial,chardev=cd1 -device usb-tablet -device usb-wacom-tablet -device "
        "usb-audio -qtest /dev/null");
    /*
     * PCI configuration writes through the 0xcf8/0xcfc ports to bus 0,
     * device 1, function 0 (presumably the qemu-xhci controller, the first
     * PCI device on this q35 command line): program BAR0 to
     * 0xffff00002e654000 and set the memory-space and bus-master bits in
     * the command register.
     */
    qtest_outl(s, 0xcf8, 0x80000816);
    qtest_outl(s, 0xcfc, 0xffff);
    qtest_outl(s, 0xcf8, 0x80000803);
    qtest_outl(s, 0xcfc, 0x0600);
    qtest_outl(s, 0xcf8, 0x80000810);
    qtest_outl(s, 0xcfc, 0x2e654000);
    /* MMIO write at BAR0 + 0x40, the USBCMD operational register. */
    qtest_writel(s, 0xffff00002e654040, 0xffffff05);
    /* Seed guest RAM with TRB and context bytes the controller later fetches. */
    qtest_bufwrite(s, 0x4d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xed, "\x04", 0x1);
    qtest_bufwrite(s, 0xfd, "\x04", 0x1);
    qtest_bufwrite(s, 0x10d, "\x04", 0x1);
    qtest_bufwrite(s, 0x11d, "\x04", 0x1);
    qtest_bufwrite(s, 0x12d, "\x04", 0x1);
    qtest_bufwrite(s, 0x13d, "\x04", 0x1);
    qtest_bufwrite(s, 0x14d, "\x04", 0x1);
    qtest_bufwrite(s, 0x15d, "\x04", 0x1);
    qtest_bufwrite(s, 0x16d, "\x04", 0x1);
    qtest_bufwrite(s, 0x17d, "\x04", 0x1);
    qtest_bufwrite(s, 0x18d, "\x04", 0x1);
    qtest_bufwrite(s, 0x19d, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x1bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x1fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x20d, "\x04", 0x1);
    qtest_bufwrite(s, 0x21d, "\x04", 0x1);
    qtest_bufwrite(s, 0x22d, "\x04", 0x1);
    qtest_bufwrite(s, 0x23d, "\x04", 0x1);
    qtest_bufwrite(s, 0x24d, "\x04", 0x1);
    qtest_bufwrite(s, 0x25d, "\x04", 0x1);
    qtest_bufwrite(s, 0x26d, "\x04", 0x1);
    qtest_bufwrite(s, 0x27d, "\x04", 0x1);
    qtest_bufwrite(s, 0x28d, "\x04", 0x1);
    qtest_bufwrite(s, 0x29d, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x2bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x2fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x30d, "\x04", 0x1);
    qtest_bufwrite(s, 0x31d, "\x04", 0x1);
    qtest_bufwrite(s, 0x32d, "\x04", 0x1);
    qtest_bufwrite(s, 0x33d, "\x04", 0x1);
    qtest_bufwrite(s, 0x34d, "\x04", 0x1);
    qtest_bufwrite(s, 0x35d, "\x04", 0x1);
    qtest_bufwrite(s, 0x36d, "\x04", 0x1);
    qtest_bufwrite(s, 0x37d, "\x04", 0x1);
    qtest_bufwrite(s, 0x38d, "\x04", 0x1);
    qtest_bufwrite(s, 0x39d, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x3bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x3fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x40d, "\x04", 0x1);
    qtest_bufwrite(s, 0x41d, "\x04", 0x1);
    qtest_bufwrite(s, 0x42d, "\x04", 0x1);
    qtest_bufwrite(s, 0x43d, "\x04", 0x1);
    qtest_bufwrite(s, 0x44d, "\x04", 0x1);
    qtest_bufwrite(s, 0x45d, "\x04", 0x1);
    qtest_bufwrite(s, 0x46d, "\x04", 0x1);
    qtest_bufwrite(s, 0x47d, "\x04", 0x1);
    qtest_bufwrite(s, 0x48d, "\x04", 0x1);
    qtest_bufwrite(s, 0x49d, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x4bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x4fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x50d, "\x04", 0x1);
    qtest_bufwrite(s, 0x51d, "\x04", 0x1);
    qtest_bufwrite(s, 0x52d, "\x04", 0x1);
    qtest_bufwrite(s, 0x53d, "\x04", 0x1);
    qtest_bufwrite(s, 0x54d, "\x04", 0x1);
    qtest_bufwrite(s, 0x55d, "\x04", 0x1);
    qtest_bufwrite(s, 0x56d, "\x04", 0x1);
    qtest_bufwrite(s, 0x57d, "\x04", 0x1);
    qtest_bufwrite(s, 0x58d, "\x04", 0x1);
    qtest_bufwrite(s, 0x59d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x5bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x5fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x60d, "\x04", 0x1);
    qtest_bufwrite(s, 0x61d, "\x04", 0x1);
    qtest_bufwrite(s, 0x62d, "\x04", 0x1);
    qtest_bufwrite(s, 0x63d, "\x04", 0x1);
    qtest_bufwrite(s, 0x64d, "\x04", 0x1);
    qtest_bufwrite(s, 0x65d, "\x04", 0x1);
    qtest_bufwrite(s, 0x66d, "\x04", 0x1);
    qtest_bufwrite(s, 0x67d, "\x04", 0x1);
    qtest_bufwrite(s, 0x68d, "\x04", 0x1);
    qtest_bufwrite(s, 0x69d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x6bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x6fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x70d, "\x04", 0x1);
    qtest_bufwrite(s, 0x71d, "\x04", 0x1);
    qtest_bufwrite(s, 0x72d, "\x04", 0x1);
    qtest_bufwrite(s, 0x73d, "\x04", 0x1);
    qtest_bufwrite(s, 0x74d, "\x04", 0x1);
    qtest_bufwrite(s, 0x75d, "\x04", 0x1);
    qtest_bufwrite(s, 0x76d, "\x04", 0x1);
    qtest_bufwrite(s, 0x77d, "\x04", 0x1);
    qtest_bufwrite(s, 0x78d, "\x04", 0x1);
    qtest_bufwrite(s, 0x79d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x7bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x7fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x80d, "\x04", 0x1);
    qtest_bufwrite(s, 0x81d, "\x04", 0x1);
    qtest_bufwrite(s, 0x82d, "\x04", 0x1);
    qtest_bufwrite(s, 0x83d, "\x04", 0x1);
    qtest_bufwrite(s, 0x84d, "\x04", 0x1);
    qtest_bufwrite(s, 0x85d, "\x04", 0x1);
    qtest_bufwrite(s, 0x86d, "\x04", 0x1);
    qtest_bufwrite(s, 0x87d, "\x04", 0x1);
    qtest_bufwrite(s, 0x88d, "\x04", 0x1);
    qtest_bufwrite(s, 0x89d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x8bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x8fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x90d, "\x04", 0x1);
    qtest_bufwrite(s, 0x91d, "\x04", 0x1);
    qtest_bufwrite(s, 0x92d, "\x04", 0x1);
    qtest_bufwrite(s, 0x93d, "\x04", 0x1);
    qtest_bufwrite(s, 0x94d, "\x04", 0x1);
    qtest_bufwrite(s, 0x95d, "\x04", 0x1);
    qtest_bufwrite(s, 0x96d, "\x04", 0x1);
    qtest_bufwrite(s, 0x97d, "\x04", 0x1);
    qtest_bufwrite(s, 0x98d, "\x04", 0x1);
    qtest_bufwrite(s, 0x99d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x9bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x9fd, "\x04", 0x1);
    qtest_bufwrite(s, 0xa0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xaad, "\x04", 0x1);
    qtest_bufwrite(s, 0xabd, "\x04", 0x1);
    qtest_bufwrite(s, 0xacd, "\x04", 0x1);
    qtest_bufwrite(s, 0xadd, "\x04", 0x1);
    qtest_bufwrite(s, 0xaed, "\x04", 0x1);
    qtest_bufwrite(s, 0xafd, "\x04", 0x1);
    qtest_bufwrite(s, 0xb0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xbad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbed, "\x04", 0x1);
    qtest_bufwrite(s, 0xbfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xc0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xcad, "\x04", 0x1);
    qtest_bufwrite(s, 0xcbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xccd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xced, "\x04", 0x1);
    qtest_bufwrite(s, 0xcfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xd0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xdad, "\x04", 0x1);
    qtest_bufwrite(s, 0xdbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xddd, "\x04", 0x1);
    qtest_bufwrite(s, 0xded, "\x04", 0x1);
    qtest_bufwrite(s, 0xdfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xe0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xead, "\x04", 0x1);
    qtest_bufwrite(s, 0xebd, "\x04", 0x1);
    qtest_bufwrite(s, 0xecd, "\x04", 0x1);
    qtest_bufwrite(s, 0xedd, "\x04", 0x1);
    qtest_bufwrite(s, 0xeed, "\x04", 0x1);
    qtest_bufwrite(s, 0xefd, "\x04", 0x1);
    qtest_bufwrite(s, 0xf0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xfad, "\x04", 0x1);
    qtest_bufwrite(s, 0xfbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfed, "\x24", 0x1);
    qtest_bufwrite(s, 0xffd, "\x24", 0x1);
    qtest_bufwrite(s, 0x100d, "\x24", 0x1);
    qtest_bufwrite(s, 0x101d, "\x24", 0x1);
    qtest_bufwrite(s, 0x102d, "\x24", 0x1);
    qtest_bufwrite(s, 0x1041, "\x6d", 0x1);
    qtest_bufwrite(s, 0x104d, "\x2c", 0x1);
    qtest_bufwrite(s, 0x104f, "\x05", 0x1);
    /* Doorbell array at BAR0 + 0x2000: doorbell 0 kicks the command ring. */
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_bufwrite(s, 0x6d04, "\x03", 0x1);
    qtest_bufwrite(s, 0x6d26, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d41, "\x04", 0x1);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    /*
     * Doorbell 5 (device slot 5): the low byte selects endpoint 1 and the
     * upper 16 bits carry the stream ID, here 0.
     */
    qtest_bufwrite(s, 0xffff00002e656014, "\x01\x00\x00\x00", 0x4);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Alexander Bulekov @ 2021-05-11 17:52 UTC
  To: qemu-devel

** Attachment added: "attachment"
   https://bugs.launchpad.net/qemu/+bug/1883729/+attachment/5496430/+files/attachment


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Thomas Huth @ 2021-05-12  5:02 UTC
  To: qemu-devel

Ok, with the new attachment from comment #5, I can also reproduce the
bug again. It does not reproduce with the attachments from comment #1 or
#2 anymore, so this now seems to be a different way to run into this
assert. Anyway, setting the status back to Confirmed since it is
reproducible again.

** Changed in: qemu
       Status: Incomplete => Confirmed


* [Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.
From: Thomas Huth @ 2021-05-12 11:01 UTC
  To: qemu-devel

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/273


** Changed in: qemu
       Status: Confirmed => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #273
   https://gitlab.com/qemu-project/qemu/-/issues/273

