* [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
@ 2021-04-26  3:19 Alexander Bulekov
  2021-04-29 14:26 ` Philippe Mathieu-Daudé
                   ` (4 more replies)
  0 siblings, 5 replies; 7+ messages in thread
From: Alexander Bulekov @ 2021-04-26  3:19 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

=== Stacktrace ===

qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
==602353== ERROR: libFuzzer: deadly signal
#5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
#6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
#7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
#8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
#9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
#10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
#11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
#12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
#13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
#14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
#15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

=== Reproducer ===
cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
user,id=net0 -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000814
outl 0xcf8 0x80000804
outw 0xcfc 0x7
outl 0xcf8 0x80000815
outl 0xcfc 0xffff00b5
write 0x0 0x1 0xe1
write 0x1 0x1 0xfe
write 0x2 0x1 0xbe
write 0x3 0x1 0xba
write 0xff00b020 0x4 0x0000feca
write 0xe0000630 0x1 0x00
EOF


=== Testcase ===

/*
 * Autogenerated Fuzzer Test Case
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

/*
 * Replays the fuzzer-generated I/O sequence from the bug report against a
 * q35 machine with a vmxnet3 NIC attached.  The first group of writes goes
 * through the x86 PCI configuration address/data ports (0xcf8/0xcfc); the
 * second group writes guest-physical memory.  The 0x80000810/0xe0000000
 * pair looks like it programs BAR0 to 0xe0000000, so the final write at
 * 0xe0000630 presumably lands in that BAR (confirm against the device's
 * BAR layout).  The reported trace shows the `tx_queue_idx <= s->txq_num`
 * assertion in vmxnet3_io_bar0_write firing during this sequence.
 */
static void test_fuzz(void) {
    /* Port writes, replayed in order: (port, value, access width in bytes). */
    static const struct {
        uint16_t port;
        uint32_t value;
        unsigned width;
    } port_writes[] = {
        { 0xcf8, 0x80000810, 4 },
        { 0xcfc, 0xe0000000, 4 },
        { 0xcf8, 0x80000814, 4 },
        { 0xcf8, 0x80000804, 4 },
        { 0xcfc, 0x7,        2 },
        { 0xcf8, 0x80000815, 4 },
        { 0xcfc, 0xffff00b5, 4 },
    };
    /* Guest-physical memory writes, replayed in order: (address, bytes, length). */
    static const struct {
        uint64_t addr;
        const char *bytes;
        size_t len;
    } mem_writes[] = {
        { 0x0,        "\xe1",             0x1 },
        { 0x1,        "\xfe",             0x1 },
        { 0x2,        "\xbe",             0x1 },
        { 0x3,        "\xba",             0x1 },
        { 0xff00b020, "\x00\x00\xfe\xca", 0x4 },
        { 0xe0000630, "\x00",             0x1 },
    };
    QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                               "-device vmxnet3,netdev=net0 -netdev user,id=net0");

    for (size_t i = 0; i < sizeof port_writes / sizeof port_writes[0]; i++) {
        /* Only the 0x7 write is a 16-bit access; everything else is 32-bit. */
        if (port_writes[i].width == 2) {
            qtest_outw(s, port_writes[i].port, (uint16_t)port_writes[i].value);
        } else {
            qtest_outl(s, port_writes[i].port, port_writes[i].value);
        }
    }
    for (size_t i = 0; i < sizeof mem_writes / sizeof mem_writes[0]; i++) {
        qtest_bufwrite(s, mem_writes[i].addr, mem_writes[i].bytes, mem_writes[i].len);
    }
    qtest_quit(s);
}
/*
 * Test entry point.  The reproducer drives a q35 machine, so test_fuzz is
 * registered only when the qtest target architecture is i386; on any other
 * target the run completes with no tests.
 */
int main(int argc, char **argv) {
    const char *arch = qtest_get_arch();
    bool target_is_i386;

    g_test_init(&argc, &argv, NULL);

    target_is_i386 = (strcmp(arch, "i386") == 0);
    if (target_is_i386) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}


=== OSS-Fuzz Report ===
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
https://oss-fuzz.com/testcase?key=6071483232288768

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: fuzzer

** Tags removed: fuzz
** Tags added: fuzzer

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  New

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions



* Re: [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-26  3:19 [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Alexander Bulekov
@ 2021-04-29 14:26 ` Philippe Mathieu-Daudé
  2021-04-29 14:26   ` Philippe Mathieu-Daudé
  2021-06-01  9:00 ` [Bug 1926111] " Thomas Huth
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-04-29 14:26 UTC (permalink / raw)
  To: Bug 1926111, qemu-devel; +Cc: Alexander Bulekov, Jason Wang, Dmitry Fleytman

Cc'ing maintainers.

./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
Dmitry Fleytman <dmitry.fleytman@gmail.com> (maintainer:Vmware)
Jason Wang <jasowang@redhat.com> (odd fixer:Network devices)

On 4/26/21 5:19 AM, Alexander Bulekov wrote:
> Public bug reported:
> 
> === Stacktrace ===
> 
> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
> ==602353== ERROR: libFuzzer: deadly signal
> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
> #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
> #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
> #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
> #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
> #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
> #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18
> 
> === Reproducer ===
> cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x80000815
> outl 0xcfc 0xffff00b5
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0xff00b020 0x4 0x0000feca
> write 0xe0000630 0x1 0x00
> EOF
> 
> 
> === Testcase ===
> 
> /*
>  * Autogenerated Fuzzer Test Case
>  *
>  * This work is licensed under the terms of the GNU GPL, version 2 or later.
>  * See the COPYING file in the top-level directory.
>  */
> 
> #include "qemu/osdep.h"
> 
> #include "libqos/libqtest.h"
> 
> static void test_fuzz(void) {
>     QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
>                                "-device vmxnet3,netdev=net0 -netdev user,id=net0");
>     qtest_outl(s, 0xcf8, 0x80000810);
>     qtest_outl(s, 0xcfc, 0xe0000000);
>     qtest_outl(s, 0xcf8, 0x80000814);
>     qtest_outl(s, 0xcf8, 0x80000804);
>     qtest_outw(s, 0xcfc, 0x7);
>     qtest_outl(s, 0xcf8, 0x80000815);
>     qtest_outl(s, 0xcfc, 0xffff00b5);
>     qtest_bufwrite(s, 0x0, "\xe1", 0x1);
>     qtest_bufwrite(s, 0x1, "\xfe", 0x1);
>     qtest_bufwrite(s, 0x2, "\xbe", 0x1);
>     qtest_bufwrite(s, 0x3, "\xba", 0x1);
>     qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
>     qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
>     qtest_quit(s);
> }
> int main(int argc, char **argv) {
>     const char *arch = qtest_get_arch();
> 
>     g_test_init(&argc, &argv, NULL);
> 
>     if (strcmp(arch, "i386") == 0) {
>         qtest_add_func("fuzz/test_fuzz", test_fuzz);
>     }
> 
>     return g_test_run();
> }
> 
> 
> === OSS-Fuzz Report ===
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
> https://oss-fuzz.com/testcase?key=6071483232288768
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
> 
> 
> ** Tags: fuzzer
> 
> ** Tags removed: fuzz
> ** Tags added: fuzzer
> 




* Re: [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-29 14:26 ` Philippe Mathieu-Daudé
@ 2021-04-29 14:26   ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 7+ messages in thread
From: Philippe Mathieu-Daudé @ 2021-04-29 14:26 UTC (permalink / raw)
  To: qemu-devel

Cc'ing maintainers.

./scripts/get_maintainer.pl -f hw/net/vmxnet3.c
Dmitry Fleytman <dmitry.fleytman@gmail.com> (maintainer:Vmware)
Jason Wang <jasowang@redhat.com> (odd fixer:Network devices)

On 4/26/21 5:19 AM, Alexander Bulekov wrote:
> Public bug reported:
> 
> === Stacktrace ===
> 
> qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
> ==602353== ERROR: libFuzzer: deadly signal
> #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
> #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
> #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
> #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
> #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
> #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
> #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
> #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
> #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
> #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
> #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18
> 
> === Reproducer ===
> cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
> 512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
> user,id=net0 -qtest stdio
> outl 0xcf8 0x80000810
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80000814
> outl 0xcf8 0x80000804
> outw 0xcfc 0x7
> outl 0xcf8 0x80000815
> outl 0xcfc 0xffff00b5
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0xff00b020 0x4 0x0000feca
> write 0xe0000630 0x1 0x00
> EOF
> 
> 
> === Testcase ===
> 
> /*
>  * Autogenerated Fuzzer Test Case
>  *
>  * This work is licensed under the terms of the GNU GPL, version 2 or later.
>  * See the COPYING file in the top-level directory.
>  */
> 
> #include "qemu/osdep.h"
> 
> #include "libqos/libqtest.h"
> 
> static void test_fuzz(void) {
>     QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
>                                "-device vmxnet3,netdev=net0 -netdev user,id=net0");
>     qtest_outl(s, 0xcf8, 0x80000810);
>     qtest_outl(s, 0xcfc, 0xe0000000);
>     qtest_outl(s, 0xcf8, 0x80000814);
>     qtest_outl(s, 0xcf8, 0x80000804);
>     qtest_outw(s, 0xcfc, 0x7);
>     qtest_outl(s, 0xcf8, 0x80000815);
>     qtest_outl(s, 0xcfc, 0xffff00b5);
>     qtest_bufwrite(s, 0x0, "\xe1", 0x1);
>     qtest_bufwrite(s, 0x1, "\xfe", 0x1);
>     qtest_bufwrite(s, 0x2, "\xbe", 0x1);
>     qtest_bufwrite(s, 0x3, "\xba", 0x1);
>     qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
>     qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
>     qtest_quit(s);
> }
> int main(int argc, char **argv) {
>     const char *arch = qtest_get_arch();
> 
>     g_test_init(&argc, &argv, NULL);
> 
>     if (strcmp(arch, "i386") == 0) {
>         qtest_add_func("fuzz/test_fuzz", test_fuzz);
>     }
> 
>     return g_test_run();
> }
> 
> 
> === OSS-Fuzz Report ===
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
> https://oss-fuzz.com/testcase?key=6071483232288768
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
> 
> 
> ** Tags: fuzzer
> 
> ** Tags removed: fuzz
> ** Tags added: fuzzer
>

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  New

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions



* [Bug 1926111] Re: Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-26  3:19 [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Alexander Bulekov
  2021-04-29 14:26 ` Philippe Mathieu-Daudé
@ 2021-06-01  9:00 ` Thomas Huth
  2021-07-15 10:43 ` Thomas Huth
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-06-01  9:00 UTC (permalink / raw)
  To: qemu-devel

I can reproduce this issue with the latest version of QEMU. Marking as
"Confirmed".

** Changed in: qemu
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  Confirmed

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions



* [Bug 1926111] Re: Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-26  3:19 [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Alexander Bulekov
  2021-04-29 14:26 ` Philippe Mathieu-Daudé
  2021-06-01  9:00 ` [Bug 1926111] " Thomas Huth
@ 2021-07-15 10:43 ` Thomas Huth
  2021-07-19 15:03 ` Thomas Huth
  2021-08-25  7:06 ` Thomas Huth
  4 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-07-15 10:43 UTC (permalink / raw)
  To: qemu-devel

Suggested fix: https://lore.kernel.org/qemu-devel/20210715103755.1035566-1-thuth@redhat.com/

** Changed in: qemu
       Status: Confirmed => In Progress

** Changed in: qemu
     Assignee: (unassigned) => Thomas Huth (th-huth)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  In Progress

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions




* [Bug 1926111] Re: Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-26  3:19 [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Alexander Bulekov
                   ` (2 preceding siblings ...)
  2021-07-15 10:43 ` Thomas Huth
@ 2021-07-19 15:03 ` Thomas Huth
  2021-08-25  7:06 ` Thomas Huth
  4 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-07-19 15:03 UTC (permalink / raw)
  To: qemu-devel

Fix has been included here:
https://gitlab.com/qemu-project/qemu/-/commit/6a932c4ed8748b08c58c

** Changed in: qemu
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  Fix Committed

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions




* [Bug 1926111] Re: Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write
  2021-04-26  3:19 [Bug 1926111] [NEW] Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write Alexander Bulekov
                   ` (3 preceding siblings ...)
  2021-07-19 15:03 ` Thomas Huth
@ 2021-08-25  7:06 ` Thomas Huth
  4 siblings, 0 replies; 7+ messages in thread
From: Thomas Huth @ 2021-08-25  7:06 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1926111

Title:
  Assertion `tx_queue_idx <= s->txq_num' failed in vmxnet3_io_bar0_write

Status in QEMU:
  Fix Released

Bug description:
  === Stacktrace ===

  qemu-fuzz-i386: ../hw/net/vmxnet3.c:1096: void vmxnet3_io_bar0_write(void *, hwaddr, uint64_t, unsigned int): Assertion `tx_queue_idx <= s->txq_num' failed.
  ==602353== ERROR: libFuzzer: deadly signal
  #5 0x7fe4b93a7ce0 in raise signal/../sysdeps/unix/sysv/linux/raise.c:48:3
  #6 0x7fe4b9391536 in abort stdlib/abort.c:79:7
  #7 0x7fe4b939140e in __assert_fail_base assert/assert.c:92:3
  #8 0x7fe4b93a0661 in __assert_fail assert/assert.c:101:3
  #9 0x563e6cf5ebb5 in vmxnet3_io_bar0_write  hw/net/vmxnet3.c:1096:9
  #10 0x563e6eefdb00 in memory_region_write_accessor  softmmu/memory.c:491:5
  #11 0x563e6eefcfdd in access_with_adjusted_size  softmmu/memory.c:552:18
  #12 0x563e6eefac90 in memory_region_dispatch_write  softmmu/memory.c:1502:16
  #13 0x563e6e834e16 in flatview_write_continue  softmmu/physmem.c:2746:23
  #14 0x563e6e81cd38 in flatview_write  softmmu/physmem.c:2786:14
  #15 0x563e6e81c868 in address_space_write  softmmu/physmem.c:2878:18

  === Reproducer ===
  cat << EOF | ./qemu-system-i386  -display none -machine accel=qtest, -m \
  512M -machine q35 -nodefaults -device vmxnet3,netdev=net0 -netdev \
  user,id=net0 -qtest stdio
  outl 0xcf8 0x80000810
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80000814
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000815
  outl 0xcfc 0xffff00b5
  write 0x0 0x1 0xe1
  write 0x1 0x1 0xfe
  write 0x2 0x1 0xbe
  write 0x3 0x1 0xba
  write 0xff00b020 0x4 0x0000feca
  write 0xe0000630 0x1 0x00
  EOF

  
  === Testcase ===

  /*
   * Autogenerated Fuzzer Test Case
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
   */

  #include "qemu/osdep.h"

  #include "libqos/libqtest.h"

  static void test_fuzz(void) {
      QTestState *s = qtest_init(" -display none , -m 512M -machine q35 -nodefaults "
                                 "-device vmxnet3,netdev=net0 -netdev user,id=net0");
      qtest_outl(s, 0xcf8, 0x80000810);
      qtest_outl(s, 0xcfc, 0xe0000000);
      qtest_outl(s, 0xcf8, 0x80000814);
      qtest_outl(s, 0xcf8, 0x80000804);
      qtest_outw(s, 0xcfc, 0x7);
      qtest_outl(s, 0xcf8, 0x80000815);
      qtest_outl(s, 0xcfc, 0xffff00b5);
      qtest_bufwrite(s, 0x0, "\xe1", 0x1);
      qtest_bufwrite(s, 0x1, "\xfe", 0x1);
      qtest_bufwrite(s, 0x2, "\xbe", 0x1);
      qtest_bufwrite(s, 0x3, "\xba", 0x1);
      qtest_bufwrite(s, 0xff00b020, "\x00\x00\xfe\xca", 0x4);
      qtest_bufwrite(s, 0xe0000630, "\x00", 0x1);
      qtest_quit(s);
  }
  int main(int argc, char **argv) {
      const char *arch = qtest_get_arch();

      g_test_init(&argc, &argv, NULL);

      if (strcmp(arch, "i386") == 0) {
          qtest_add_func("fuzz/test_fuzz", test_fuzz);
      }

      return g_test_run();
  }

  
  === OSS-Fuzz Report ===
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33603
  https://oss-fuzz.com/testcase?key=6071483232288768

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1926111/+subscriptions



