Assertion failure in address_space_unmap through virtio-blk

Hello,
Reproducer:
cat << EOF | ./i386-softmmu/qemu-system-i386 \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-device virtio-blk,drive=mydrive \
-nodefaults -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xc001
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xc006 0x3aff9090
outl 0xcf8 0x8000100e
outl 0xcfc 0x41005e1e
write 0x3b00002 0x1 0x5e
write 0x3b00004 0x1 0x5e
write 0x3aff5e6 0x1 0x11
write 0x3aff5eb 0x1 0xc6
write 0x3aff5ec 0x1 0xc6
write 0x7 0x1 0xff
write 0x8 0x1 0xfb
write 0xc 0x1 0x11
write 0xe 0x1 0x5e
write 0x5e8 0x1 0x11
write 0x5ec 0x1 0xc6
outl 0x410e 0x10e
EOF


qemu-fuzz-i386: /exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
==789== ERROR: libFuzzer: deadly signal
    #8  in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
    #9  in address_space_unmap /exec.c:3623:9
    #10 in dma_memory_unmap /include/sysemu/dma.h:145:5
    #11 in virtqueue_unmap_sg /hw/virtio/virtio.c:690:9
    #12 in virtqueue_fill /hw/virtio/virtio.c:843:5
    #13 in virtqueue_push /hw/virtio/virtio.c:917:5
    #14 in virtio_blk_req_complete /hw/block/virtio-blk.c:83:5
    #15 in virtio_blk_handle_request /hw/block/virtio-blk.c:671:13
    #16 in virtio_blk_handle_vq /hw/block/virtio-blk.c:780:17
    #17 in virtio_queue_notify_aio_vq /hw/virtio/virtio.c:2324:15
    #18 in virtio_queue_host_notifier_aio_read /hw/virtio/virtio.c:3495:9
    #19 in aio_dispatch_handler /util/aio-posix.c:328:9
    #20 in aio_dispatch_handlers /util/aio-posix.c:371:20
    #21 in aio_dispatch /util/aio-posix.c:381:5
    #22 in aio_ctx_dispatch /util/async.c:306:5
    #23 in g_main_context_dispatch


With -trace virtio\*

...
[S +0.099667] OK
[R +0.099681] write 0x5ec 0x1 0xc6
OK
[S +0.099690] OK
[R +0.099700] outl 0x410e 0x10e
29575@1596590112.074339:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
29575@1596590112.074423:virtio_blk_data_plane_start dataplane 0x60600000f260
OK
[S +0.099833] OK
29575@1596590112.076459:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
29575@1596590112.076642:virtio_blk_handle_read vdev 0x62d000030590 req 0x611000043e80 sector 0 nsectors 0
29575@1596590112.076651:virtio_blk_req_complete vdev 0x62d000030590 req 0x611000043e80 status 1
qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.


-Alex

Hi Stefan,
This looks an awful lot like the one you looked at here:
https://<email address hidden>/msg705719.html
though this one is for virtio-pci, while that one was for virtio-mmio:

They are probably the same issue, but the original reproducer no longer
causes an assertion failure for me, so maybe there was already a fix.
-Alex

On 200805 0116, Alexander Bulekov wrote:
> Public bug reported:
> 
> Hello,
> Reproducer:
> cat << EOF | ./i386-softmmu/qemu-system-i386 \
> -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
> -device virtio-blk,drive=mydrive \
> -nodefaults -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xc001
> outl 0xcf8 0x80001014
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> outl 0xc006 0x3aff9090
> outl 0xcf8 0x8000100e
> outl 0xcfc 0x41005e1e
> write 0x3b00002 0x1 0x5e
> write 0x3b00004 0x1 0x5e
> write 0x3aff5e6 0x1 0x11
> write 0x3aff5eb 0x1 0xc6
> write 0x3aff5ec 0x1 0xc6
> write 0x7 0x1 0xff
> write 0x8 0x1 0xfb
> write 0xc 0x1 0x11
> write 0xe 0x1 0x5e
> write 0x5e8 0x1 0x11
> write 0x5ec 0x1 0xc6
> outl 0x410e 0x10e
> EOF
> 
> 
> qemu-fuzz-i386: /exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
> ==789== ERROR: libFuzzer: deadly signal
>     #8  in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
>     #9  in address_space_unmap /exec.c:3623:9
>     #10 in dma_memory_unmap /include/sysemu/dma.h:145:5
>     #11 in virtqueue_unmap_sg /hw/virtio/virtio.c:690:9
>     #12 in virtqueue_fill /hw/virtio/virtio.c:843:5
>     #13 in virtqueue_push /hw/virtio/virtio.c:917:5
>     #14 in virtio_blk_req_complete /hw/block/virtio-blk.c:83:5
>     #15 in virtio_blk_handle_request /hw/block/virtio-blk.c:671:13
>     #16 in virtio_blk_handle_vq /hw/block/virtio-blk.c:780:17
>     #17 in virtio_queue_notify_aio_vq /hw/virtio/virtio.c:2324:15
>     #18 in virtio_queue_host_notifier_aio_read /hw/virtio/virtio.c:3495:9
>     #19 in aio_dispatch_handler /util/aio-posix.c:328:9
>     #20 in aio_dispatch_handlers /util/aio-posix.c:371:20
>     #21 in aio_dispatch /util/aio-posix.c:381:5
>     #22 in aio_ctx_dispatch /util/async.c:306:5
>     #23 in g_main_context_dispatch
> 
> 
> With -trace virtio\*
> 
> ...
> [S +0.099667] OK
> [R +0.099681] write 0x5ec 0x1 0xc6
> OK
> [S +0.099690] OK
> [R +0.099700] outl 0x410e 0x10e
> 29575@1596590112.074339:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
> 29575@1596590112.074423:virtio_blk_data_plane_start dataplane 0x60600000f260
> OK
> [S +0.099833] OK
> 29575@1596590112.076459:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
> 29575@1596590112.076642:virtio_blk_handle_read vdev 0x62d000030590 req 0x611000043e80 sector 0 nsectors 0
> 29575@1596590112.076651:virtio_blk_req_complete vdev 0x62d000030590 req 0x611000043e80 status 1
> qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
> 
> 
> -Alex
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
> 
> -- 
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1890360
> 
> Title:
>   Assertion failure in address_space_unmap through virtio-blk
> 
> Status in QEMU:
>   New
> 
> Bug description:
>   Hello,
>   Reproducer:
>   cat << EOF | ./i386-softmmu/qemu-system-i386 \
>   -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
>   -device virtio-blk,drive=mydrive \
>   -nodefaults -nographic -qtest stdio
>   outl 0xcf8 0x80001010
>   outl 0xcfc 0xc001
>   outl 0xcf8 0x80001014
>   outl 0xcf8 0x80001004
>   outw 0xcfc 0x7
>   outl 0xc006 0x3aff9090
>   outl 0xcf8 0x8000100e
>   outl 0xcfc 0x41005e1e
>   write 0x3b00002 0x1 0x5e
>   write 0x3b00004 0x1 0x5e
>   write 0x3aff5e6 0x1 0x11
>   write 0x3aff5eb 0x1 0xc6
>   write 0x3aff5ec 0x1 0xc6
>   write 0x7 0x1 0xff
>   write 0x8 0x1 0xfb
>   write 0xc 0x1 0x11
>   write 0xe 0x1 0x5e
>   write 0x5e8 0x1 0x11
>   write 0x5ec 0x1 0xc6
>   outl 0x410e 0x10e
>   EOF
> 
>   
>   qemu-fuzz-i386: /exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
>   ==789== ERROR: libFuzzer: deadly signal
>       #8  in __assert_fail /build/glibc-GwnBeO/glibc-2.30/assert/assert.c:101:3
>       #9  in address_space_unmap /exec.c:3623:9
>       #10 in dma_memory_unmap /include/sysemu/dma.h:145:5
>       #11 in virtqueue_unmap_sg /hw/virtio/virtio.c:690:9
>       #12 in virtqueue_fill /hw/virtio/virtio.c:843:5
>       #13 in virtqueue_push /hw/virtio/virtio.c:917:5
>       #14 in virtio_blk_req_complete /hw/block/virtio-blk.c:83:5
>       #15 in virtio_blk_handle_request /hw/block/virtio-blk.c:671:13
>       #16 in virtio_blk_handle_vq /hw/block/virtio-blk.c:780:17
>       #17 in virtio_queue_notify_aio_vq /hw/virtio/virtio.c:2324:15
>       #18 in virtio_queue_host_notifier_aio_read /hw/virtio/virtio.c:3495:9
>       #19 in aio_dispatch_handler /util/aio-posix.c:328:9
>       #20 in aio_dispatch_handlers /util/aio-posix.c:371:20
>       #21 in aio_dispatch /util/aio-posix.c:381:5
>       #22 in aio_ctx_dispatch /util/async.c:306:5
>       #23 in g_main_context_dispatch
> 
>   
>   With -trace virtio\*
> 
>   ...
>   [S +0.099667] OK
>   [R +0.099681] write 0x5ec 0x1 0xc6
>   OK
>   [S +0.099690] OK
>   [R +0.099700] outl 0x410e 0x10e
>   29575@1596590112.074339:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
>   29575@1596590112.074423:virtio_blk_data_plane_start dataplane 0x60600000f260
>   OK
>   [S +0.099833] OK
>   29575@1596590112.076459:virtio_queue_notify vdev 0x62d000030590 n 0 vq 0x7f9b93fc9800
>   29575@1596590112.076642:virtio_blk_handle_read vdev 0x62d000030590 req 0x611000043e80 sector 0 nsectors 0
>   29575@1596590112.076651:virtio_blk_req_complete vdev 0x62d000030590 req 0x611000043e80 status 1
>   qemu-system-i386: /home/alxndr/Development/qemu/general-fuzz/exec.c:3623: void address_space_unmap(AddressSpace *, void *, hwaddr, _Bool, hwaddr): Assertion `mr != NULL' failed.
> 
>   
>   -Alex
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1890360/+subscriptions
> 


Fix:

commit 7bd04a041addcdef6a03e6498aafaea55ca6e88b
Author: Stefan Hajnoczi <email address hidden>
Date:   Thu Sep 17 10:44:54 2020 +0100

    virtio-blk: undo destructive iov_discard_*() operations

Released with QEMU v5.2.0.