From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, mreitz@redhat.com, stefanha@redhat.com, mst@redhat.com
Subject: Assertion failure through virtio_blk_req_complete
Date: Mon, 11 May 2020 00:06:22 -0400
Message-ID: <20200511040622.xus3eqvsxbjkfum2@mozz.bu.edu>

Hello,
While fuzzing, I found an input that triggers an assertion through
virtio-blk.c:

void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr): Assertion `mr != NULL' failed

#8 0x7fa947707091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 0x55ec68a73a97 in address_space_unmap exec.c:3619:9
#10 0x55ec6943ffab in dma_memory_unmap include/sysemu/dma.h:145:5
#11 0x55ec693e2df6 in virtqueue_unmap_sg hw/virtio/virtio.c:640:9
#12 0x55ec693e435b in virtqueue_fill hw/virtio/virtio.c:789:5
#13 0x55ec693e8cf0 in virtqueue_push hw/virtio/virtio.c:863:5
#14 0x55ec68ff73ce in virtio_blk_req_complete hw/block/virtio-blk.c:83:5
#15 0x55ec68ff037e in virtio_blk_handle_request hw/block/virtio-blk.c:671:13
#16 0x55ec68fec4c0 in virtio_blk_handle_vq hw/block/virtio-blk.c:780:17
#17 0x55ec6901ae79 in virtio_blk_handle_output_do hw/block/virtio-blk.c:803:5
#18 0x55ec6901a336 in virtio_blk_handle_output hw/block/virtio-blk.c:819:5
#19 0x55ec694168f0 in virtio_queue_notify hw/virtio/virtio.c:2284:9
#20 0x55ec6b55abc5 in virtio_mmio_write hw/virtio/virtio-mmio.c:369:13
#21 0x55ec68d9e17b in memory_region_write_accessor memory.c:496:5

I can reproduce it in a qemu 5.0 build using:
cat << EOF | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio
write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101
write 0x1ba1003 0x2 0x0101
write 0xc0000e28 0x2c 0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000
EOF

I also uploaded the above trace, in case the formatting is broken:

curl https://paste.debian.net/plain/1146092 | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio

Please let me know if I can provide any further info.
-Alex
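Added example, not code from the report or from QEMU: a small Python checker for a qtest trace like the one above. Before a reproducer is piped into `-qtest stdio`, it verifies that every line is a well-formed `write <addr> <size> 0x<hex data>` command and that the declared size matches the number of bytes in the payload, then re-emits the trace in canonical form. It assumes only that three-field `write` syntax, embeds the three commands from the report as its sample input, and makes no claim about what the addresses map to in the microvm machine.

```python
"""Sanity-check a qtest reproducer trace before feeding it to 'qemu-system-* -qtest stdio'.

Added example, not code from the report or from QEMU. It assumes only the
three-field form of the qtest 'write' command used in the report:
    write <addr> <size> 0x<hex data>
and knows nothing about what the addresses map to in the microvm machine.
"""
import re
from dataclasses import dataclass

# The three commands from the report, embedded verbatim so this runs offline.
REPRO_TRACE = """\
write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101
write 0x1ba1003 0x2 0x0101
write 0xc0000e28 0x2c 0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000
"""


@dataclass(frozen=True)
class QtestWrite:
    addr: int    # guest physical address the qtest 'write' targets
    size: int    # byte count declared on the command line
    data: bytes  # decoded payload; len(data) == size once validated


_WRITE_RE = re.compile(
    r"^\s*write\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+0x([0-9a-fA-F]*)\s*$"
)


def parse_line(lineno: int, line: str) -> QtestWrite:
    """Parse one 'write addr size 0xdata' line; raise ValueError naming the line on any defect."""
    m = _WRITE_RE.match(line)
    if m is None:
        raise ValueError(f"line {lineno}: not a 'write addr size 0xdata' command: {line.rstrip()!r}")
    addr, size, hexdata = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
    if len(hexdata) % 2:
        raise ValueError(f"line {lineno}: odd number of hex digits ({len(hexdata)}) in data")
    if len(hexdata) // 2 != size:
        raise ValueError(
            f"line {lineno}: size 0x{size:x} declares {size} bytes but data holds {len(hexdata) // 2}"
        )
    return QtestWrite(addr, size, bytes.fromhex(hexdata))


def _command_lines(text: str):
    """Yield (lineno, line) for every non-blank, non-comment line of a trace."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield lineno, line


def parse_trace(text: str) -> list[QtestWrite]:
    """Parse a whole trace; stops with ValueError at the first bad line."""
    return [parse_line(lineno, line) for lineno, line in _command_lines(text)]


def check_trace(text: str) -> list[str]:
    """Collect every problem in the trace, one message per bad line; [] means it is clean."""
    problems = []
    for lineno, line in _command_lines(text):
        try:
            parse_line(lineno, line)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def format_trace(ops: list[QtestWrite]) -> str:
    """Re-emit ops in the lowercase canonical form qtest accepts (round-trips REPRO_TRACE exactly)."""
    return "".join(f"write 0x{op.addr:x} 0x{op.size:x} 0x{op.data.hex()}\n" for op in ops)


if __name__ == "__main__":
    for problem in check_trace(REPRO_TRACE):
        print("problem:", problem)
    for op in parse_trace(REPRO_TRACE):
        print(f"write addr=0x{op.addr:x} size={op.size} first bytes={op.data[:8].hex()}")
```

Running it on the report's trace finds no problems: the 0x12, 0x2 and 0x2c sizes match the 18, 2 and 44 bytes of payload, so a reproduction failure cannot be blamed on a mangled paste. A truncated copy of any line (for example a data field that lost its last byte in a mail client) is reported with its line number instead of being silently fed to qemu as a shorter write.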


Thread overview: 3+ messages
2020-05-11  4:06 Alexander Bulekov [this message]
2020-05-21 13:44 ` Assertion failure through virtio_blk_req_complete Stefan Hajnoczi
2020-08-12 10:27 ` Stefan Hajnoczi