Null Dereference in ahci-hd device Description of problem: Issue was found by fuzzing. With some qtest commands we can crash qemu-system-x86_64 because of Null dereference. Steps to reproduce: Command: ``` cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest -m 512M -machine q35 -nodefaults -drive file=null-co://,if=none,format=raw,id=disk0 -device ide-hd,drive=disk0 -qtest stdio outl 0xcf8 0x8000fa24 outl 0xcfc 0xe0000000 outl 0xcf8 0x8000fa04 outw 0xcfc 0x06 write 0xe00003b8 0x1 0x01 write 0x0 0x1 0x27 write 0x1 0x1 0x80 write 0x2 0x1 0x20 write 0x7 0x1 0x01 write 0xe0000398 0x1 0x01 write 0xe0000398 0x1 0x00 write 0xe0000398 0x1 0x01 EOF ``` Results in ``` [I 0.000001] OPENED [R +0.082978] outl 0xcf8 0x8000fa24 [S +0.083040] OK OK [R +0.083070] outl 0xcfc 0xe0000000 [S +0.083115] OK OK [R +0.083132] outl 0xcf8 0x8000fa04 [S +0.083152] OK OK [R +0.083180] outw 0xcfc 0x06 [S +0.084233] OK OK [R +0.084291] write 0xe00003b8 0x1 0x01 [S +0.084344] OK OK [R +0.084384] write 0x0 0x1 0x27 [S +0.085007] OK OK [R +0.085041] write 0x1 0x1 0x80 [S +0.085055] OK OK [R +0.085071] write 0x2 0x1 0x20 [S +0.085084] OK OK [R +0.085096] write 0x7 0x1 0x01 [S +0.085110] OK OK [R +0.085123] write 0xe0000398 0x1 0x01 [S +0.085254] OK OK [R +0.085294] write 0xe0000398 0x1 0x00 [S +0.085324] OK OK [R +0.085349] write 0xe0000398 0x1 0x01 [S +0.085408] OK OK ../hw/ide/ahci.c:1377:46: runtime error: member access within null pointer of type 'AHCICmdHdr' (aka 'struct AHCICmdHdr') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in ../hw/ide/ahci.c:1377:46: runtime error: load of null pointer of type 'uint16_t' (aka 'unsigned short') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1377:46 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==2547739==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55abf3a79f9c bp 0x7ffc213000d0 sp 0x7ffc212fffa0 T0) ==2547739==The signal is caused by a READ memory access. ==2547739==Hint: address points to the zero page. #0 0x55abf3a79f9c in ahci_pio_transfer /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46 #1 0x55abf3a8a396 in ide_transfer_start_norecurse /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:581:5 #2 0x55abf3aab79e in ide_transfer_start /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:588:9 #3 0x55abf3aab79e in ide_sector_read_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:789:5 #4 0x55abf3a8d6e2 in ide_buffered_readv_cb /home/artemiin/Work/original_qemu/build/../hw/ide/core.c:684:9 #5 0x55abf4f31d33 in blk_aio_complete /home/artemiin/Work/original_qemu/build/../block/block-backend.c:1552:9 #6 0x55abf545010b in aio_bh_call /home/artemiin/Work/original_qemu/build/../util/async.c:172:5 #7 0x55abf545089f in aio_bh_poll /home/artemiin/Work/original_qemu/build/../util/async.c:219:13 #8 0x55abf53e746a in aio_dispatch /home/artemiin/Work/original_qemu/build/../util/aio-posix.c:424:5 #9 0x55abf545469a in aio_ctx_dispatch /home/artemiin/Work/original_qemu/build/../util/async.c:361:5 #10 0x7f358845b7a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) (BuildId: 9f90bd7bbfcf84a1f1c5a6102f70e6264837b9d4) #11 0x55abf5455787 in glib_pollfds_poll /home/artemiin/Work/original_qemu/build/../util/main-loop.c:287:9 #12 0x55abf5455787 in os_host_main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:310:5 #13 0x55abf5455787 in main_loop_wait /home/artemiin/Work/original_qemu/build/../util/main-loop.c:589:11 #14 0x55abf425c296 in qemu_main_loop /home/artemiin/Work/original_qemu/build/../system/runstate.c:835:9 #15 0x55abf51df1c6 in qemu_default_main /home/artemiin/Work/original_qemu/build/../system/main.c:48:14 #16 0x55abf51df1a1 in main /home/artemiin/Work/original_qemu/build/../system/main.c:76:9 #17 0x7f3587219249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #18 0x7f3587219304 in __libc_start_main csu/../csu/libc-start.c:360:3 #19 0x55abf353be60 in _start (/home/artemiin/Work/original_qemu/build/qemu-system-x86_64+0x1828e60) (BuildId: f91712a3af40a999ce35e39809ce00f92c35ae25) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/artemiin/Work/original_qemu/build/../hw/ide/ahci.c:1377:46 in ahci_pio_transfer ==2547739==ABORTING ``` Additional information: This issue may need a complicated patch so I ask developers to take a look at this issue.