[Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed.

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed.
@ 2020-06-16 15:31 Bugs SysSec
  2020-06-17 11:44 ` [Bug 1883728] " Alex Bennée
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Bugs SysSec @ 2020-06-16 15:31 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

To reproduce run the QEMU with the following command line:
```
qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
```

QEMU Version:
```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```

** Affects: qemu
     Importance: Undecided
         Status: New

** Attachment added: "xhci_assert1.zip"
   https://bugs.launchpad.net/bugs/1883728/+attachment/5384431/+files/xhci_assert1.zip

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  New

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug 1883728] Re: address_space_unmap: Assertion `mr != NULL' failed.
  2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
@ 2020-06-17 11:44 ` Alex Bennée
  2020-08-11 22:01 ` Alexander Bulekov
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Alex Bennée @ 2020-06-17 11:44 UTC (permalink / raw)
  To: qemu-devel

** Tags added: testcase

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  New

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug 1883728] Re: address_space_unmap: Assertion `mr != NULL' failed.
  2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
  2020-06-17 11:44 ` [Bug 1883728] " Alex Bennée
@ 2020-08-11 22:01 ` Alexander Bulekov
  2021-05-11 17:04 ` Thomas Huth
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Alexander Bulekov @ 2020-08-11 22:01 UTC (permalink / raw)
  To: qemu-devel

Here's a qtest reproducer:

cat << EOF | ./i386-softmmu/qemu-system-i386 \
-device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001016
outl 0xcfc 0x3c319f0d
outl 0xcf8 0x80001004
outl 0xcfc 0xc77695e
writel 0x9f0d000000000040 0xffffd855
write 0x1d 0x1 0x27
write 0x2d 0x1 0x2e
write 0x17232 0x1 0x03
write 0x17254 0x1 0x05
write 0x17276 0x1 0x72
write 0x17278 0x1 0x02
write 0x3d 0x1 0x27
write 0x40 0x1 0x2e
write 0x41 0x1 0x72
write 0x42 0x1 0x01
write 0x4d 0x1 0x2e
write 0x4f 0x1 0x01
writeq 0x9f0d000000002000 0x5c05140100000000
writeq 0x9f0d000000002000 0x5c05140100000000
write 0x2008d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
write 0x200ad 0x1 0x27
write 0x200bd 0x1 0x5c
write 0x200cd 0x1 0x2e
write 0x200dd 0x1 0x2f
write 0x200e8 0x1 0x08
write 0x200ec 0x1 0xfe
write 0x200ed 0x1 0x08
write 0x200fd 0x1 0x05
write 0x2010d 0x1 0x2e
write 0x2011d 0x1 0x2f
write 0x2012d 0x1 0x08
write 0x20137 0x1 0x5e
write 0x2013a 0x1 0x2f
write 0x2013d 0x1 0x05
write 0x2014d 0x1 0x13
writeq 0x9f0d000000002000 0x100ef0100000009
EOF

...
[S +0.017146] OK
[R +0.017149] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299108:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299112:usb_xhci_fetch_trb addr 0x0000000000000000, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299115:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
OK
[S +0.017162] OK
[R +0.017166] writeq 0x9f0d000000002000 0x5c05140100000000
30899@1597183147.299124:usb_xhci_doorbell_write off 0x0000, val 0x00000000
30899@1597183147.299126:usb_xhci_fetch_trb addr 0x0000000000000010, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299129:usb_xhci_slot_enable slotid 1
30899@1597183147.299132:usb_xhci_fetch_trb addr 0x0000000000000020, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299134:usb_xhci_fetch_trb addr 0x0000000000000030, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299137:usb_xhci_slot_enable slotid 2
30899@1597183147.299139:usb_xhci_fetch_trb addr 0x0000000000000040, CR_ADDRESS_DEVICE, p 0x000000000001722e, s 0x00000000, c 0x01002e00
30899@1597183147.299144:usb_xhci_slot_address slotid 1, port 1
30899@1597183147.299148:usb_xhci_ep_enable slotid 1, epid 1
30899@1597183147.299151:usb_xhci_fetch_trb addr 0x0000000000000050, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
30899@1597183147.299154:usb_xhci_doorbell_write off 0x0004, val 0x5c051401
30899@1597183147.299157:usb_xhci_ep_kick slotid 1, epid 1, streamid 23557
30899@1597183147.299161:usb_xhci_fetch_trb addr 0x0000000000020070, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.017210] OK
[R +0.017214] write 0x2008d 0x1 0x13
OK
[S +0.017219] OK
[R +0.017223] writeq 0x9f0d000000002000 0x100ef0100000009
30899@1597183147.299181:usb_xhci_doorbell_write off 0x0000, val 0x00000009
30899@1597183147.299183:usb_xhci_doorbell_write off 0x0004, val 0x0100ef01
30899@1597183147.299185:usb_xhci_ep_kick slotid 1, epid 1, streamid 256
30899@1597183147.299189:usb_xhci_fetch_trb addr 0x0000000000020080, TR_STATUS, p 0x0000000000000000, s 0x00000000, c 0x00001300
30899@1597183147.299191:usb_xhci_xfer_start 0x5622548f9760: slotid 1, epid 1, streamid 0
TRB_SETUP 1300 1300 1300 0
30899@1597183147.299196:usb_xhci_fetch_trb addr 0x0000000000020090, TRB_RESERVED, p 0x0000000000000000, s 0x00000000, c 0x00000000
OK
[S +0.017244] OK
[R +0.017248] write 0x200ad 0x1 0x27
OK
[S +0.017338] OK
[R +0.017342] writeq 0x9f0d000000002000 0x100ef0100000009
30899@1597183147.299300:usb_xhci_doorbell_write off 0x0000, val 0x00000009
30899@1597183147.299302:usb_xhci_doorbell_write off 0x0004, val 0x0100ef01
30899@1597183147.299304:usb_xhci_ep_kick slotid 1, epid 1, streamid 256
30899@1597183147.299308:usb_xhci_fetch_trb addr 0x00000000000200a0, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
30899@1597183147.299310:usb_xhci_xfer_start 0x5622548f9890: slotid 1, epid 1, streamid 0
TRB_SETUP 2700 2700 2700 0
30899@1597183147.299315:usb_xhci_fetch_trb addr 0x00000000000200b0, CR_NOOP, p 0x0000000000000000, s 0x00000000, c 0x00005c00
30899@1597183147.299318:usb_xhci_xfer_start 0x5622548f99a0: slotid 1, epid 1, streamid 0
TRB_SETUP 5c00 5c00 5c00 0
30899@1597183147.299322:usb_xhci_fetch_trb addr 0x00000000000200c0, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299325:usb_xhci_xfer_start 0x5622548f9ab0: slotid 1, epid 1, streamid 0
TRB_SETUP 2e00 2e00 2e00 0
30899@1597183147.299329:usb_xhci_fetch_trb addr 0x00000000000200d0, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002f00
30899@1597183147.299331:usb_xhci_xfer_start 0x5622548f9c10: slotid 1, epid 1, streamid 0
TRB_SETUP 2f00 2f00 2f00 0
30899@1597183147.299337:usb_xhci_fetch_trb addr 0x00000000000200e0, TR_SETUP, p 0x0000000000000000, s 0x00000008, c 0x000008fe
30899@1597183147.299340:usb_xhci_fetch_trb addr 0x00000000000200f0, TR_NORMAL, p 0x0000000000000000, s 0x00000000, c 0x00000500
30899@1597183147.299342:usb_xhci_fetch_trb addr 0x0000000000020100, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002e00
30899@1597183147.299345:usb_xhci_fetch_trb addr 0x0000000000020110, CR_ADDRESS_DEVICE, p 0x0000000000000000, s 0x00000000, c 0x00002f00
30899@1597183147.299348:usb_xhci_fetch_trb addr 0x0000000000020120, TR_SETUP, p 0x0000000000000000, s 0x00000000, c 0x00000800
30899@1597183147.299351:usb_xhci_fetch_trb addr 0x0000000000020130, TR_NORMAL, p 0x5e00000000000000, s 0x002f0000, c 0x00000500
30899@1597183147.299353:usb_xhci_fetch_trb addr 0x0000000000020140, TR_STATUS, p 0x0000000000000000, s 0x00000000, c 0x00001300
30899@1597183147.299356:usb_xhci_xfer_start 0x5622548f9d70: slotid 1, epid 1, streamid 0
TRB_SETUP 8fe 1300 8fe 8
30899@1597183147.299361:usb_packet_state_change bus 0, port 1, ep 0, packet 0x5622548f9d78, state undef -> setup
30899@1597183147.299466:usb_packet_state_change bus 0, port 1, ep 0, packet 0x5622548f9d78, state setup -> complete
qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.



#8 0x7f8f9e7e6091 in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
#9 0x55f7507b374a in address_space_unmap exec.c:3623:9
#10 0x55f750baeab8 in dma_memory_unmap include/sysemu/dma.h:145:5
#11 0x55f750baea1b in usb_packet_unmap hw/usb/libhw.c:65:9
#12 0x55f750bcbb73 in xhci_xfer_unmap hw/usb/hcd-xhci.c:1487:5
#13 0x55f750bcba3d in xhci_try_complete_packet hw/usb/hcd-xhci.c:1642:9
#14 0x55f750bcc888 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1728:5
#15 0x55f750bcb306 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
#16 0x55f750bd04e9 in xhci_kick_ep hw/usb/hcd-xhci.c:1861:5
#17 0x55f750bd253c in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
#18 0x55f75091def1 in memory_region_write_accessor softmmu/memory.c:483:5
#19 0x55f75091ddf3 in access_with_adjusted_size softmmu/memory.c:544:18
#20 0x55f75091dac5 in memory_region_dispatch_write softmmu/memory.c
#21 0x55f7507b51e2 in flatview_write_continue exec.c:3176:23
#22 0x55f7507b2a30 in flatview_write exec.c:3216:14
#23 0x55f7507b2968 in address_space_write exec.c:3308:18
#24 0x55f750929e3b in qtest_process_command softmmu/qtest.c

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  New

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug 1883728] Re: address_space_unmap: Assertion `mr != NULL' failed.
  2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
  2020-06-17 11:44 ` [Bug 1883728] " Alex Bennée
  2020-08-11 22:01 ` Alexander Bulekov
@ 2021-05-11 17:04 ` Thomas Huth
  2021-05-11 18:37 ` Alexander Bulekov
  2021-05-12  5:04 ` Thomas Huth
  4 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-05-11 17:04 UTC (permalink / raw)
  To: qemu-devel

Can you still reproduce this assert with QEMU v6.0 ? For me, it does not
seem to run into the assert() anymore, so I assume this has been fixed
within the last months?

** Changed in: qemu
       Status: New => Incomplete

** Tags added: fuzzer usb

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  Incomplete

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug 1883728] Re: address_space_unmap: Assertion `mr != NULL' failed.
  2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
                   ` (2 preceding siblings ...)
  2021-05-11 17:04 ` Thomas Huth
@ 2021-05-11 18:37 ` Alexander Bulekov
  2021-05-12  5:04 ` Thomas Huth
  4 siblings, 0 replies; 6+ messages in thread
From: Alexander Bulekov @ 2021-05-11 18:37 UTC (permalink / raw)
  To: qemu-devel

OSS-Fuzz never picked up on this one, so I'm guessing it was fixed sometime between 5.1 and 5.2. 
Not a fun section to bisect, but looks like it was fixed by 21bc31524e ("hw: xhci: check return value of 'usb_packet_map'")

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  Incomplete

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Bug 1883728] Re: address_space_unmap: Assertion `mr != NULL' failed.
  2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
                   ` (3 preceding siblings ...)
  2021-05-11 18:37 ` Alexander Bulekov
@ 2021-05-12  5:04 ` Thomas Huth
  4 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-05-12  5:04 UTC (permalink / raw)
  To: qemu-devel

Ok, thanks for checking! So seems like this has been fixed, thus I'm
closing the bug. If it happens again, please open a new ticket in our
new gitlab issue tracker.

** Changed in: qemu
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883728

Title:
  address_space_unmap: Assertion `mr != NULL' failed.

Status in QEMU:
  Fix Released

Bug description:
  To reproduce run the QEMU with the following command line:
  ```
  qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
  ```

  QEMU Version:
  ```
  # qemu-5.0.0
  $ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
  $ x86_64-softmmu/qemu-system-x86_64 --version
  QEMU emulator version 5.0.0
  Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883728/+subscriptions


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-05-12  5:12 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-16 15:31 [Bug 1883728] [NEW] address_space_unmap: Assertion `mr != NULL' failed Bugs SysSec
2020-06-17 11:44 ` [Bug 1883728] " Alex Bennée
2020-08-11 22:01 ` Alexander Bulekov
2021-05-11 17:04 ` Thomas Huth
2021-05-11 18:37 ` Alexander Bulekov
2021-05-12  5:04 ` Thomas Huth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).