Date: Wed, 1 Jul 2020 14:54:05 -0400
From: Alexander Bulekov
To: Philippe Mathieu-Daudé
Cc: Peter Maydell, Bug 1878645 <1878645@bugs.launchpad.net>, qemu-devel@nongnu.org, Paolo Bonzini, Alex Bennée, Richard Henderson
Subject: Re: [RFC PATCH] cpus: Initialize current_cpu with the first vCPU created
Message-ID: <20200701185304.f3hjftxmtcb2tzue@mozz.bu.edu>
In-Reply-To: <20200701182100.26930-1-philmd@redhat.com>

On 200701 2021, Philippe Mathieu-Daudé wrote:
> We can run I/O access with the 'i' or 'o' HMP commands in the
> monitor. These commands are expected to run on a vCPU. The
> monitor is not a vCPU thread. To avoid crashing, initialize
> the 'current_cpu' variable with the first vCPU created. The
> command executed on the monitor will end using it.
>
> This fixes:
>
> $ cat << EOF| qemu-system-i386 -M q35 -nographic -serial none -monitor stdio
> o/4 0xcf8 0x8400f841
> o/4 0xcfc 0xaa215d6d
> o/4 0x6d30 0x2ef8ffbe
> o/1 0xb2 0x20
> EOF
> Segmentation fault (core dumped)
>
> Thread 1 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
> 0x00005555558946c7 in tcg_handle_interrupt (cpu=0x0, mask=64) at accel/tcg/tcg-all.c:57
> 57          old_mask = cpu->interrupt_request;
> (gdb) bt
> #0  0x00005555558946c7 in tcg_handle_interrupt (cpu=0x0, mask=64) at accel/tcg/tcg-all.c:57
> #1  0x00005555558ed7d2 in cpu_interrupt (cpu=0x0, mask=64) at include/hw/core/cpu.h:877
> #2  0x00005555558ee776 in ich9_apm_ctrl_changed (val=32, arg=0x555556e2ff50) at hw/isa/lpc_ich9.c:442
> #3  0x0000555555b47f96 in apm_ioport_writeb (opaque=0x555556e308c0, addr=0, val=32, size=1) at hw/isa/apm.c:44
> #4  0x0000555555879931 in memory_region_write_accessor (mr=0x555556e308e0, addr=0, value=0x7fffffffb9f8, size=1, shift=0, mask=255, attrs=...) at memory.c:483
> #5  0x0000555555879b5a in access_with_adjusted_size (addr=0, value=0x7fffffffb9f8, size=4, access_size_min=1, access_size_max=1, access_fn=
>     0x55555587984e , mr=0x555556e308e0, attrs=...) at memory.c:544
> #6  0x000055555587ca32 in memory_region_dispatch_write (mr=0x555556e308e0, addr=0, data=32, op=MO_32, attrs=...)
>     at memory.c:1465
> #7  0x000055555581b7e9 in flatview_write_continue (fv=0x55555698a790, addr=178, attrs=..., ptr=0x7fffffffbb84, len=4, addr1=0, l=4, mr=0x555556e308e0) at exec.c:3198
> #8  0x000055555581b92e in flatview_write (fv=0x55555698a790, addr=178, attrs=..., buf=0x7fffffffbb84, len=4) at exec.c:3238
> #9  0x000055555581bc81 in address_space_write (as=0x555556441220 , addr=178, attrs=..., buf=0x7fffffffbb84, len=4) at exec.c:3329
> #10 0x0000555555873f08 in cpu_outl (addr=178, val=32) at ioport.c:80
> #11 0x000055555598a26a in hmp_ioport_write (mon=0x5555567621b0, qdict=0x555557702600) at monitor/misc.c:937
> #12 0x0000555555c9c5a5 in handle_hmp_command (mon=0x5555567621b0, cmdline=0x55555676aae1 "/1 0xb2 0x20") at monitor/hmp.c:1082
> #13 0x0000555555c99e02 in monitor_command_cb (opaque=0x5555567621b0, cmdline=0x55555676aae0 "o/1 0xb2 0x20", readline_opaque=0x0) at monitor/hmp.c:47
>     ^ HMP command from monitor
>
> Reported-by: Alexander Bulekov
> Buglink: https://bugs.launchpad.net/qemu/+bug/1878645
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> Cc: Bug 1878645 <1878645@bugs.launchpad.net>
>
> RFC because I believe the correct fix is to NOT use current_cpu
> out of cpus.c, at least use qemu_get_cpu(0) to get the first vCPU.
> ---
>  cpus.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/cpus.c b/cpus.c
> index 41d1c5099f..1f6f43d221 100644
> --- a/cpus.c
> +++ b/cpus.c
> @@ -2106,6 +2106,9 @@ void qemu_init_vcpu(CPUState *cpu) > { > MachineState *ms = MACHINE(qdev_get_machine()); > > + if (!current_cpu) { > + current_cpu = cpu; > + } Seems like a neat solution. Is it fair to assume that qemu_init_vcpu is called before any threads that can do I/O are created? I confirmed that the qtest and hmp crashes are avoided. -Alex > cpu->nr_cores = ms->smp.cores; > cpu->nr_threads = ms->smp.threads; > cpu->stopped = true; > -- > 2.21.3 >
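Review bot: the new `if (!current_cpu) { current_cpu = cpu; }` block carries no comment explaining why cpus.c seeds a variable that otherwise means "the vCPU executing right now", and the commit message itself says the correct fix is to not use current_cpu outside cpus.c (or to call qemu_get_cpu(0)). As written, the check makes the first vCPU the implicit target of any I/O issued from a non-vCPU context (the HMP 'o' command, the qtest 'outb' in the bug report) for every device that reads current_cpu, not only ich9_apm_ctrl_changed at lpc_ich9.c:442 where cpu_interrupt(cpu=0x0, mask=64) faulted. Suggest either a comment above the check stating the invariant Alex asks about (qemu_init_vcpu runs before any thread able to issue I/O exists), or the narrower fix at the crash site: resolve the target in ich9_apm_ctrl_changed with qemu_get_cpu(0) when current_cpu is NULL, or check for NULL before calling cpu_interrupt.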
-- 
https://bugs.launchpad.net/bugs/1878645

Title:
  null-ptr dereference in ich9_apm_ctrl_changed

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input which triggers a NULL pointer dereference in tcg_handle_interrupt. It seems the culprit is a "cpu" pointer - maybe this bug is specific to QTest?

  ==23862==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b4 (pc 0x55b9dc7c9dce bp 0x7ffc346a0900 sp 0x7ffc346a0880 T0)
  ==23862==The signal is caused by a READ memory access.
  ==23862==Hint: address points to the zero page.
      #0 0x55b9dc7c9dce in tcg_handle_interrupt /home/alxndr/Development/qemu/accel/tcg/tcg-all.c:57:21
      #1 0x55b9dc904799 in cpu_interrupt /home/alxndr/Development/qemu/include/hw/core/cpu.h:872:5
      #2 0x55b9dc9085e8 in ich9_apm_ctrl_changed /home/alxndr/Development/qemu/hw/isa/lpc_ich9.c:442:13
      #3 0x55b9dd19cdc8 in apm_ioport_writeb /home/alxndr/Development/qemu/hw/isa/apm.c:50:13
      #4 0x55b9dc73f8b4 in memory_region_write_accessor /home/alxndr/Development/qemu/memory.c:483:5
      #5 0x55b9dc73f289 in access_with_adjusted_size /home/alxndr/Development/qemu/memory.c:544:18
      #6 0x55b9dc73ddf5 in memory_region_dispatch_write /home/alxndr/Development/qemu/memory.c:1476:16
      #7 0x55b9dc577bf3 in flatview_write_continue /home/alxndr/Development/qemu/exec.c:3137:23
      #8 0x55b9dc567ad8 in flatview_write /home/alxndr/Development/qemu/exec.c:3177:14
      #9 0x55b9dc567608 in address_space_write /home/alxndr/Development/qemu/exec.c:3268:18
      #10 0x55b9dc723fe7 in cpu_outb /home/alxndr/Development/qemu/ioport.c:60:5
      #11 0x55b9dc72d3c0 in qtest_process_command /home/alxndr/Development/qemu/qtest.c:392:13
      #12 0x55b9dc72b186 in qtest_process_inbuf /home/alxndr/Development/qemu/qtest.c:710:9
      #13 0x55b9dc72a8b3 in qtest_read /home/alxndr/Development/qemu/qtest.c:722:5
      #14 0x55b9ddc6e60b in qemu_chr_be_write_impl /home/alxndr/Development/qemu/chardev/char.c:183:9
      #15 0x55b9ddc6e75a in qemu_chr_be_write /home/alxndr/Development/qemu/chardev/char.c:195:9
      #16 0x55b9ddc77979 in fd_chr_read /home/alxndr/Development/qemu/chardev/char-fd.c:68:9
      #17 0x55b9ddcff0e9 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/io/channel-watch.c:84:12
      #18 0x7f7161eac897 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e897)
      #19 0x55b9ddebcb84 in glib_pollfds_poll /home/alxndr/Development/qemu/util/main-loop.c:219:9
      #20 0x55b9ddebb57d in os_host_main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:242:5
      #21 0x55b9ddebb176 in main_loop_wait /home/alxndr/Development/qemu/util/main-loop.c:518:11
      #22 0x55b9dcb4bd1d in qemu_main_loop /home/alxndr/Development/qemu/softmmu/vl.c:1664:9
      #23 0x55b9ddd1629c in main /home/alxndr/Development/qemu/softmmu/main.c:49:5
      #24 0x7f7160a5ce0a in __libc_start_main /build/glibc-GwnBeO/glibc-2.30/csu/../csu/libc-start.c:308:16
      #25 0x55b9dc49c819 in _start (/home/alxndr/Development/qemu/build/i386-softmmu/qemu-system-i386+0xc9c819)

  I can reproduce this in qemu 5.0 built with AddressSanitizer using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x8400f841
  outl 0xcfc 0xaa215d6d
  outl 0x6d30 0x2ef8ffbe
  outb 0xb2 0x20
  EOF

  Please let me know if I can provide any further info.
  -Alex
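The crash and the two candidate fixes in this thread, as an added C example that is not QEMU code and not anyone's patch here. It models QEMU's per-thread current_cpu (NULL in the main-loop thread that services HMP and qtest), the original device handler that trusts it, the RFC hunk's seeding in qemu_init_vcpu, and the alternative the commit message itself names, resolving the target inside the device with qemu_get_cpu(0). The CPUState layout, the vCPU registry, the seed flag, the SMI_WOULD_FAULT sentinel and run_scenario are assumptions of the model; 0x40 is the mask=64 from the backtrace.

```c
/* Added example, not QEMU code: a model of the NULL current_cpu crash in this
 * thread and of the two fixes discussed. Names mirror QEMU's; the CPUState
 * layout, the vCPU registry, the seed flag and the return codes are mine. */
#include <stdint.h>
#include <string.h>

#define MAX_CPUS          4
#define CPU_INTERRUPT_SMI 0x40  /* mask=64 in the backtrace */
#define SMI_WOULD_FAULT   (-3)  /* original device would dereference NULL */

typedef struct CPUState {
    int cpu_index;
    uint32_t interrupt_request;
} CPUState;

/* As in QEMU, "the vCPU executing right now" is a per-thread pointer. It is
 * NULL in the main-loop thread, which is where HMP and qtest commands run. */
static __thread CPUState *current_cpu;

static CPUState cpus[MAX_CPUS];
static int nr_cpus;

/* Model of qemu_get_cpu(): vCPU by index, NULL if absent. */
static CPUState *qemu_get_cpu(int index)
{
    return (index >= 0 && index < nr_cpus) ? &cpus[index] : NULL;
}

/* Model of qemu_init_vcpu(); seed != 0 applies the RFC hunk, so the first
 * vCPU created becomes current_cpu for the thread that created it. */
static CPUState *qemu_init_vcpu(int seed)
{
    CPUState *cpu = &cpus[nr_cpus];
    cpu->cpu_index = nr_cpus++;
    if (seed && !current_cpu)
        current_cpu = cpu;
    return cpu;
}

/* Model of cpu_interrupt(): dereferences cpu unconditionally; this is the
 * line that faults at tcg-all.c:57 when cpu == NULL. */
static void cpu_interrupt(CPUState *cpu, int mask)
{
    cpu->interrupt_request |= mask;
}

/* Shape of the original ich9_apm_ctrl_changed(): trusts current_cpu. */
static void apm_ctrl_changed_original(void)
{
    cpu_interrupt(current_cpu, CPU_INTERRUPT_SMI);
}

/* Hardened device, the commit message's own alternative: pick the target
 * explicitly, fall back to the first vCPU, decline (-1) if there is none. */
static int apm_ctrl_changed_hardened(void)
{
    CPUState *cpu = current_cpu ? current_cpu : qemu_get_cpu(0);
    if (!cpu)
        return -1;
    cpu_interrupt(cpu, CPU_INTERRUPT_SMI);
    return cpu->cpu_index;
}

/* Index of the one vCPU with an SMI pending; -1 if none, -2 if several. */
static int smi_target(void)
{
    int target = -1;
    for (int i = 0; i < nr_cpus; i++)
        if (cpus[i].interrupt_request & CPU_INTERRUPT_SMI)
            target = (target == -1) ? i : -2;
    return target;
}

/* One scenario, driven from the main-loop thread: build a machine with ncpus
 * vCPUs (seed != 0 = RFC hunk applied), enter vCPU as_vcpu's context if
 * as_vcpu >= 0 (else stay in monitor/qtest context), then deliver the
 * "o/1 0xb2 0x20" write to the hardened or the original device. Returns the
 * vCPU index that received the SMI, -1 for declined, or SMI_WOULD_FAULT. */
static int run_scenario(int ncpus, int seed, int as_vcpu, int use_hardened)
{
    memset(cpus, 0, sizeof(cpus));
    nr_cpus = 0;
    current_cpu = NULL;
    while (ncpus-- > 0)
        qemu_init_vcpu(seed);
    if (as_vcpu >= 0)
        current_cpu = qemu_get_cpu(as_vcpu);
    if (use_hardened)
        return apm_ctrl_changed_hardened();
    if (!current_cpu)
        return SMI_WOULD_FAULT;  /* the reported bug; do not really fault */
    apm_ctrl_changed_original();
    return smi_target();
}
```

run_scenario(2, 0, -1, 0) is the reported bug (unpatched cpus.c, monitor context, original device) and returns SMI_WOULD_FAULT where the real code dereferences NULL; run_scenario(2, 1, -1, 0) is the RFC hunk and lands the SMI on vCPU 0; run_scenario(0, 1, -1, 0) is the limit Alex's question points at, an I/O write before any vCPU exists, where the seed cannot help and only the device-side check (run_scenario(0, 0, -1, 1), returning -1) avoids the dereference. From a real vCPU context (as_vcpu = 1) neither variant redirects the SMI to vCPU 0.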