* Assertion failure through virtio_blk_req_complete
@ 2020-05-11  4:06 Alexander Bulekov
From: Alexander Bulekov @ 2020-05-11  4:06 UTC (permalink / raw)
  To: qemu-devel; +Cc: kwolf, mreitz, stefanha, mst

Hello,
While fuzzing, I found an input that triggers an assertion through
virtio-blk.c:

void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr): Assertion `mr != NULL' failed

#8 0x7fa947707091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 0x55ec68a73a97 in address_space_unmap exec.c:3619:9
#10 0x55ec6943ffab in dma_memory_unmap include/sysemu/dma.h:145:5
#11 0x55ec693e2df6 in virtqueue_unmap_sg hw/virtio/virtio.c:640:9
#12 0x55ec693e435b in virtqueue_fill hw/virtio/virtio.c:789:5
#13 0x55ec693e8cf0 in virtqueue_push hw/virtio/virtio.c:863:5
#14 0x55ec68ff73ce in virtio_blk_req_complete hw/block/virtio-blk.c:83:5
#15 0x55ec68ff037e in virtio_blk_handle_request hw/block/virtio-blk.c:671:13
#16 0x55ec68fec4c0 in virtio_blk_handle_vq hw/block/virtio-blk.c:780:17
#17 0x55ec6901ae79 in virtio_blk_handle_output_do hw/block/virtio-blk.c:803:5
#18 0x55ec6901a336 in virtio_blk_handle_output hw/block/virtio-blk.c:819:5
#19 0x55ec694168f0 in virtio_queue_notify hw/virtio/virtio.c:2284:9
#20 0x55ec6b55abc5 in virtio_mmio_write hw/virtio/virtio-mmio.c:369:13
#21 0x55ec68d9e17b in memory_region_write_accessor memory.c:496:5

I can reproduce it in a qemu 5.0 build using:
cat << EOF | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio
write 0x1ba000b 0x12 0x01820040bf07f0ffffffffffff3328000101
write 0x1ba1003 0x2 0x0101
write 0xc0000e28 0x2c 0x000046dd000000000049dd00000000004cdd00000000004fdd000000000052dd000000000055dd0000000000
EOF

I also uploaded the above trace, in case the formatting is broken:

curl https://paste.debian.net/plain/1146092 | qemu-system-i386 -M pc-q35-5.0 -M microvm,x-option-roms=off,pit=off,pic=off,isa-serial=off,rtc=off -nographic -device virtio-blk-device,drive=mydrive,scsi=true -drive file=null-co://,id=mydrive,if=none,format=raw -nographic -monitor none -display none -serial none -qtest stdio

Please let me know if I can provide any further info.
-Alex



* Re: Assertion failure through virtio_blk_req_complete
From: Stefan Hajnoczi @ 2020-05-21 13:44 UTC (permalink / raw)
  To: Alexander Bulekov; +Cc: kwolf, mst, qemu-devel, stefanha, mreitz


On Mon, May 11, 2020 at 12:06:22AM -0400, Alexander Bulekov wrote:
> Hello,
> While fuzzing, I found an input that triggers an assertion through
> virtio-blk.c:
> 
> void address_space_unmap(AddressSpace *, void *, hwaddr, int, hwaddr): Assertion `mr != NULL' failed

Thanks! I've found the root cause for this. Will send a patch.

Stefan


* Re: Assertion failure through virtio_blk_req_complete
From: Stefan Hajnoczi @ 2020-08-12 10:27 UTC (permalink / raw)
  To: Alexander Bulekov
  Cc: Kevin Wolf, Michael S. Tsirkin, qemu-devel, Stefan Hajnoczi, Max Reitz

On Mon, May 11, 2020 at 5:07 AM Alexander Bulekov <alxndr@bu.edu> wrote:
> While fuzzing, I found an input that triggers an assertion through
> virtio-blk.c:

This reproducer does not work anymore in 5.1 but the underlying bug is
still there so I am sending a patch series.

Stefan


