Diffstat

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | results/classifier/108/other/1892 | 48 |
| -rw-r--r-- | results/classifier/108/other/1892441 | 59 |
| -rw-r--r-- | results/classifier/108/other/1892533 | 39 |
| -rw-r--r-- | results/classifier/108/other/1892540 | 1292 |
| -rw-r--r-- | results/classifier/108/other/1892541 | 63 |
| -rw-r--r-- | results/classifier/108/other/1892544 | 505 |
| -rw-r--r-- | results/classifier/108/other/1892604 | 137 |
| -rw-r--r-- | results/classifier/108/other/1892761 | 34 |
| -rw-r--r-- | results/classifier/108/other/1892962 | 151 |
| -rw-r--r-- | results/classifier/108/other/1892963 | 341 |
| -rw-r--r-- | results/classifier/108/other/1892966 | 204 |
| -rw-r--r-- | results/classifier/108/other/1892978 | 823 |

12 files changed, 3696 insertions, 0 deletions
diff --git a/results/classifier/108/other/1892 b/results/classifier/108/other/1892 new file mode 100644 index 000000000..09715a1ce --- /dev/null +++ b/results/classifier/108/other/1892 
@@ -0,0 +1,48 @@ +graphic: 0.751 +device: 0.473 +PID: 0.373 +boot: 0.319 +socket: 0.262 +performance: 0.262 +debug: 0.257 +files: 0.221 +semantic: 0.209 +vnc: 0.186 +permissions: 0.145 +network: 0.123 +other: 0.064 +KVM: 0.055 + +docs/system/devices/cxl.rst suggests qemu-system-aarch64 command lines which fail with "Property 'virt-8.2-machine.cxl' not found" +Description of problem: +When trying to run qemu-system-aarch64 with "-M virt,gic-version=3,cxl=on -m 4g,maxmem=8G,slots=8 -cpu max", get the following problem: +"qemu-system-aarch64: Property 'virt-8.2-machine.cxl' not found". Do I need to compile the QEMU with specific option? +Steps to reproduce: +1. Compile QEMU with "./config" "make -j6" +2. Compile Linux +``` +#!/bin/bash + +KERNEL_PATH=/users/LiuQun/linux/arch/arm64/boot/Image +DISK_IMG=/users/LiuQun/ARM_img/disk-image-22.04-server-arm64.img + +./build/qemu-system-aarch64 \ +-M virt,gic-version=3,cxl=on -m 4g,maxmem=8G,slots=8 -cpu max \ +-bios /users/LiuQun/ARM_img/QEMU_EFI.fd \ +-kernel $KERNEL_PATH \ +-drive file=$DISK_IMG,format=raw,if=none,id=drive-sata0-0-0 \ +-device virtio-blk-device,drive=drive-sata0-0-0 \ +-append "console=ttyAMA0 root=/dev/vda1 rdinit=/init acpi=off" \ +-object memory-backend-file,id=cxl-mem1,share=on,mem-path=cxl-window1,size=512M \ +-object memory-backend-file,id=cxl-label1,share=on,mem-path=cxl-label1,size=1K \ +-object memory-backend-file,id=cxl-label2,share=on,mem-path=cxl-label2,size=1K \ +-device pxb-cxl,id=cxl.0,bus=pcie.0,bus_nr=52,uid=0,len-window-base=1,window-base[0]=0x4c00000000,memdev[0]=cxl-mem1 \ +-device cxl-rp,id=rp0,bus=cxl.0,addr=0.0,chassis=0,slot=0,port=0 \ +-device cxl-rp,id=rp1,bus=cxl.0,addr=1.0,chassis=0,slot=1,port=1 \ +-device cxl-type3,bus=rp0,memdev=cxl-mem1,id=cxl-pmem0,size=256M,lsa=cxl-label1 \ +-device cxl-type3,bus=rp1,memdev=cxl-mem1,id=cxl-pmem1,size=256M,lsa=cxl-label2 \ +-nographic + +``` +Additional information: +The same problem happens with QEMU 8.1 
diff --git a/results/classifier/108/other/1892441 b/results/classifier/108/other/1892441 new file mode 100644 index 000000000..3f64b6af0 --- /dev/null +++ b/results/classifier/108/other/1892441 
@@ -0,0 +1,59 @@ +graphic: 0.778 +boot: 0.744 +device: 0.729 +other: 0.727 +performance: 0.715 +PID: 0.665 +vnc: 0.621 +semantic: 0.592 +files: 0.579 +permissions: 0.579 +socket: 0.490 +debug: 0.487 +network: 0.482 +KVM: 0.284 + +"No zIPL section in IPL2 record" error when emulating Debian 10.5.0 on s390x + +Hi, + +I want to emulate Debian 10.5.0 for the s390x architecture. +The Debian image is downloaded from the following link: +https://cdimage.debian.org/debian-cd/current/s390x/iso-cd/debian-10.5.0-s390x-netinst.iso + +Using the latest QEMU version 5.1.0, running the debian image using the given command: +qemu-system-s390x -boot d -m 4096 -hda debian.qcow -cdrom debian-10.5.0-s390x-netinst.iso -nographic + +causes the error output below: + +LOADPARM=[ ] +Using virtio-blk. +Using guessed DASD geometry. +Using ECKD scheme (block size 4096), CDL + +! No zIPL section in IPL2 record. ! + +As far as I know, the Debian CD ISO images are not bootable on s390x (they do not contain boot information according to the El-Torrito standard). Please open a bug against Debian instead if you want to have that changed. So far, you have to boot here manually instead (see http://people.redhat.com/~thuth/blog/qemu/2017/12/19/install-fedora.html for some more information). + + +Yes. 
For booting Debian images using QEMU (<= 5.0.0) I use this recipe: + +machine_args="-M s390-ccw-virtio -m 512" +disk_args="-drive file=debian86.img,if=none,format=raw,id=hd0 -device virtio-blk-ccw,drive=hd0" +net_args="" +display_args="-display gtk -monitor stdio" +common_args="$machine_args $disk_args $net_args $display_args" + +Pull kernel and initrd from the ftp server: +mkdir boot-for-install +(cd boot-for-install + wget ftp://ftp.de.debian.org/pub/debian/dists/jessie/main/installer-s390x/current/images/generic/kernel.debian + wget ftp://ftp.de.debian.org/pub/debian/dists/jessie/main/installer-s390x/current/images/generic/initrd.debian) + +Then, for running the installer: +qemu-system-s390x $common_args -kernel boot-for-install/kernel.debian -initrd boot-for-install/initrd.debian + +For booting from disk: +qemu-system-s390x $common_args -kernel boot/vmlinuz -initrd boot/initrd.img -append "root=/dev/vda2" + + diff --git a/results/classifier/108/other/1892533 b/results/classifier/108/other/1892533 new file mode 100644 index 000000000..b1a19a16c --- /dev/null +++ b/results/classifier/108/other/1892533 
@@ -0,0 +1,39 @@ +semantic: 0.660 +device: 0.628 +other: 0.589 +graphic: 0.567 +network: 0.518 +performance: 0.509 +PID: 0.473 +socket: 0.451 +files: 0.441 +vnc: 0.323 +debug: 0.314 +KVM: 0.224 +boot: 0.224 +permissions: 0.191 + +Meson: Missing config-host.mak + +Wanted to give a try to the new build system, but a simple "meson build" gives that error: + +meson.build:15:0: ERROR: Failed to load /home/xclaesse/programmation/qemu/build/config-host.mak: [Errno 2] No such file or directory: '/home/xclaesse/programmation/qemu/build/config-host.mak' + +configure does not seems to work better: + +build$ ../configure +../configure: 232: shift: can't shift that many + + +Meson is still hidden, you need to use ../configure. + +"can't shift that many" will be fixed shortly (patch already on the list). + +btw, I'm surprised README does not mention meson, shouldn't you instruct that it's a build-dep? Maybe suggest pip install command? + +QEMU ships with the appropriate version of Meson included (see the "meson" directory), that's why it is not mentioned in the README. + +Anyway, does any of your build problems still persist with QEMU v6.0? Or could we close this ticket now? + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/108/other/1892540 b/results/classifier/108/other/1892540 new file mode 100644 index 000000000..9db16b187 --- /dev/null +++ b/results/classifier/108/other/1892540 
@@ -0,0 +1,1292 @@ +other: 0.912 +device: 0.893 +semantic: 0.890 +debug: 0.882 +permissions: 0.880 +boot: 0.874 +performance: 0.863 +vnc: 0.859 +KVM: 0.845 +PID: 0.844 +socket: 0.844 +graphic: 0.836 +files: 0.825 +network: 0.805 + +qemu can no longer boot NetBSD/sparc + +Booting NetBSD/sparc in qemu no longer works. It broke between qemu version 5.0.0 and 5.1.0, and a bisection identified the following as the offending commit: + + [5d971f9e672507210e77d020d89e0e89165c8fc9] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid" + +It's still broken as of 7fd51e68c34fcefdb4d6fd646ed3346f780f89f4. + +To reproduce, run + + wget http://ftp.netbsd.org/pub/NetBSD/NetBSD-9.0/images/NetBSD-9.0-sparc.iso + qemu-system-sparc -nographic -cdrom NetBSD-9.0-sparc.iso -boot d + +The expected behavior is that the guest boots to the prompt + + Installation medium to load the additional utilities from: + +The observed behavior is a panic: + + [ 1.0000050] system[0]: trap 0x29: pc=0xf0046b14 sfsr=0xb6 sfva=0x54000000 + [ 1.0000050] cpu0: data fault: pc=0xf0046b14 addr=0x54000000 sfsr=0xb6<PERR=0x0,LVL=0x0,AT=0x5,FT=0x5,FAV,OW> + [ 1.0000050] panic: kernel fault + [ 1.0000050] halted + +This happens because openbios accesses unassigned memory during the SBus scan: + +Probing SBus slot 0 offset 0 +invalid accepts: (null) addr 20000000 size: 1 +Probing SBus slot 1 offset 0 +invalid accepts: (null) addr 30000000 size: 1 +Probing SBus slot 2 offset 0 +invalid accepts: (null) addr 40000000 size: 1 +Probing SBus slot 3 offset 0 +Probing SBus slot 4 offset 0 +invalid accepts: (null) addr 60000000 size: 1 +Probing SBus slot 5 offset 0 + +Thread 4 "qemu-system-spa" hit Breakpoint 1, memory_region_access_valid (mr=0x555555df20c0 <io_mem_unassigned>, + addr=536870912, size=1, is_write=<optimized out>, attrs=...) 
+ at .../softmmu/memory.c:1358 +1358 return false; + +(gdb) list + +1355 if (mr->ops->valid.accepts +1356 && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { +1357 fprintf(stderr, "invalid accepts: %s addr %"PRIx64 " size: %d\n", mr->name, addr, size); +1358 return false; +1359 } + +(gdb) p mr->ops->valid.accepts +$1 = (_Bool (*)(void *, hwaddr, unsigned int, _Bool, MemTxAttrs)) 0x555555736f10 <unassigned_mem_accepts> + +(gdb) list unassigned_mem_accepts +1271 +1272 static bool unassigned_mem_accepts(void *opaque, hwaddr addr, +1273 unsigned size, bool is_write, +1274 MemTxAttrs attrs) +1275 { +1276 return false; +1277 } + + + +The S24/TCX datasheet is listed as "Unable to locate" on [1]. + +However the NetBSD revision 1.32 of the driver introduced +64-bit accesses to the stippler and blitter [2]. It is safe +to assume these memory regions are 64-bit accessible. +QEMU implementation is 32-bit, so fill the 'impl' fields. + +[1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +[2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 + +Reported-by: Andreas Gustafsson <email address hidden> +Buglink: https://bugs.launchpad.net/bugs/1892540 +Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +--- + hw/display/tcx.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index 1fb45b1aab8..96c6898b149 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -548,20 +548,28 @@ static const MemoryRegionOps tcx_stip_ops = { + .read = tcx_stip_readl, + .write = tcx_stip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rstip_ops = { + .read = tcx_stip_readl, + 
.write = tcx_rstip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +@@ -650,10 +658,14 @@ static const MemoryRegionOps tcx_rblit_ops = { + .read = tcx_blit_readl, + .write = tcx_rblit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static void tcx_invalidate_cursor_position(TCXState *s) +-- +2.26.2 + + + +The S24/TCX datasheet is listed as "Unable to locate" on [1]. + +However the NetBSD revision 1.32 of the driver introduced +64-bit accesses to the stippler and blitter [2]. It is safe +to assume these memory regions are 64-bit accessible. +QEMU implementation is 32-bit, so fill the 'impl' fields. + +[1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +[2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 + +Reported-by: Andreas Gustafsson <email address hidden> +Buglink: https://bugs.launchpad.net/bugs/1892540 +Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +--- +Since v1: +- added missing uncommitted staged changes... 
(tcx_blit_ops) +--- + hw/display/tcx.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index 1fb45b1aab8..96c6898b149 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -548,20 +548,28 @@ static const MemoryRegionOps tcx_stip_ops = { + .read = tcx_stip_readl, + .write = tcx_stip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rstip_ops = { + .read = tcx_stip_readl, + .write = tcx_rstip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +@@ -650,10 +658,14 @@ static const MemoryRegionOps tcx_rblit_ops = { + .read = tcx_blit_readl, + .write = tcx_rblit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static void tcx_invalidate_cursor_position(TCXState *s) +-- +2.26.2 + + + +Le sam. 29 août 2020 18:14, Michael <email address hidden> a écrit : + +> Hello, +> +> since I wrote the NetBSD code in question, here are my 2 cent: +> +> On Sat, 29 Aug 2020 08:41:43 -0700 +> Richard Henderson <email address hidden> wrote: +> +> > On 8/22/20 7:21 AM, Philippe Mathieu-Daudé wrote: +> > > The S24/TCX datasheet is listed as "Unable to locate" on [1]. +> +> I don't have it either, but someone did a lot of reverse engineering +> and gave me his notes. The hardware isn't that complicated, but quite +> weird. +> +> > > However the NetBSD revision 1.32 of the driver introduced +> > > 64-bit accesses to the stippler and blitter [2]. 
It is safe +> > > to assume these memory regions are 64-bit accessible. +> > > QEMU implementation is 32-bit, so fill the 'impl' fields. +> +> IIRC the real hardware *requires* 64bit accesses for stipple and +> blitter operations to work. For stipples you write a 64bit word into +> STIP space, the address defines where in the framebuffer you want to +> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +> BLIT space works similarly, the 64bit word contains an offset were to +> read pixels from, and how many you want to copy. +> + +Thanks Michael for this information! +If you don't mind I'll amend it to the commit description so there is a +reference for posterity. + +I'm waiting for *Andreas Gustafsson to test it then will repost.* + + +> have fun +> Michael +> + + +On Sat, Aug 22, 2020 at 02:21:27PM -0000, Philippe Mathieu-Daudé wrote: +> The S24/TCX datasheet is listed as "Unable to locate" on [1]. +> +> However the NetBSD revision 1.32 of the driver introduced +> 64-bit accesses to the stippler and blitter [2]. It is safe +> to assume these memory regions are 64-bit accessible. +> QEMU implementation is 32-bit, so fill the 'impl' fields. +> +> [1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +> [2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +> +> Reported-by: Andreas Gustafsson <email address hidden> +> Buglink: https://bugs.launchpad.net/bugs/1892540 +> Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +> 
Signed-off-by: Philippe Mathieu-Daudé <email address hidden> + +Philippe, did you submit the patch on the mailing list +normally too? I don't seem to see it there. + +the patch seems to work for me: + +Tested-by: Michael S. Tsirkin <email address hidden> + + +CC Nathan who reported a similar failure. + +Nathan, does the patch below fix the issue for you? + +> --- +> Since v1: +> - added missing uncommitted staged changes... (tcx_blit_ops) +> --- + hw/display/tcx.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index 1fb45b1aab8..96c6898b149 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -548,20 +548,28 @@ static const MemoryRegionOps tcx_stip_ops = { + .read = tcx_stip_readl, + .write = tcx_stip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rstip_ops = { + .read = tcx_stip_readl, + .write = tcx_rstip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +@@ -650,10 +658,14 @@ static const MemoryRegionOps tcx_rblit_ops = { + .read = tcx_blit_readl, + .write = tcx_rblit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static void tcx_invalidate_cursor_position(TCXState *s) + + +----------------------------------------------------------- + +I think you shouldn't specify .min_access_size in impl, since +that also allows 1 and 2 byte accesses from guest. 
+ + + +> -- +> 2.26.2 +> +> -- +> You received this bug notification because you are subscribed to the bug +> report. +> https://bugs.launchpad.net/bugs/1892540 +> +> Title: +> qemu can no longer boot NetBSD/sparc +> +> Status in QEMU: +> New +> +> Bug description: +> Booting NetBSD/sparc in qemu no longer works. It broke between qemu +> version 5.0.0 and 5.1.0, and a bisection identified the following as +> the offending commit: +> +> [5d971f9e672507210e77d020d89e0e89165c8fc9] memory: Revert "memory: +> accept mismatching sizes in memory_region_access_valid" +> +> It's still broken as of 7fd51e68c34fcefdb4d6fd646ed3346f780f89f4. +> +> To reproduce, run +> +> wget http://ftp.netbsd.org/pub/NetBSD/NetBSD-9.0/images/NetBSD-9.0-sparc.iso +> qemu-system-sparc -nographic -cdrom NetBSD-9.0-sparc.iso -boot d +> +> The expected behavior is that the guest boots to the prompt +> +> Installation medium to load the additional utilities from: +> +> The observed behavior is a panic: +> +> [ 1.0000050] system[0]: trap 0x29: pc=0xf0046b14 sfsr=0xb6 sfva=0x54000000 +> [ 1.0000050] cpu0: data fault: pc=0xf0046b14 addr=0x54000000 sfsr=0xb6<PERR=0x0,LVL=0x0,AT=0x5,FT=0x5,FAV,OW> +> [ 1.0000050] panic: kernel fault +> [ 1.0000050] halted +> +> To manage notifications about this bug go to: +> https://bugs.launchpad.net/qemu/+bug/1892540/+subscriptions + + + +Philippe Mathieu-Daudé wrote: +> 
diff --git a/hw/display/tcx.c b/hw/display/tcx.c +> index 1fb45b1aab8..96c6898b149 100644 + +With this patch, the kernel boots successfully for me. +-- +Andreas Gustafsson, <email address hidden> + + +On 29/08/2020 17:45, Philippe Mathieu-Daudé wrote: + +> Le sam. 29 août 2020 18:14, Michael <<email address hidden> +> <mailto:<email address hidden>>> a écrit : +> +> Hello, +> +> since I wrote the NetBSD code in question, here are my 2 cent: +> +> On Sat, 29 Aug 2020 08:41:43 -0700 +> Richard Henderson <<email address hidden> +> <mailto:<email address hidden>>> wrote: +> +> > On 8/22/20 7:21 AM, Philippe Mathieu-Daudé wrote: +> > > The S24/TCX datasheet is listed as "Unable to locate" on [1]. +> +> I don't have it either, but someone did a lot of reverse engineering +> and gave me his notes. The hardware isn't that complicated, but quite +> weird. +> +> > > However the NetBSD revision 1.32 of the driver introduced +> > > 64-bit accesses to the stippler and blitter [2]. It is safe +> > > to assume these memory regions are 64-bit accessible. +> > > QEMU implementation is 32-bit, so fill the 'impl' fields. +> +> IIRC the real hardware *requires* 64bit accesses for stipple and +> blitter operations to work. For stipples you write a 64bit word into +> STIP space, the address defines where in the framebuffer you want to +> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +> BLIT space works similarly, the 64bit word contains an offset were to +> read pixels from, and how many you want to copy. +> +> +> Thanks Michael for this information! +> If you don't mind I'll amend it to the commit description so there is a reference for +> posterity. +> +> I'm waiting for /Andreas Gustafsson to test it then will repost. + +Hi Philippe, + +Thanks for coming up with this patch! 
Looks fine to me, just wondering if it should +have a "Fixes: 5d971f9e67 ("memory: Revert "memory: accept mismatching sizes in +memory_region_access_valid"") tag rather than the original commit since that's how +other bugs exposed by that commit have been tagged? + + +ATB, + +Mark. + + +On 8/30/20 8:59 AM, Andreas Gustafsson wrote: +> Philippe Mathieu-Daudé wrote: +>> diff --git a/hw/display/tcx.c b/hw/display/tcx.c +>> index 1fb45b1aab8..96c6898b149 100644 +> +> With this patch, the kernel boots successfully for me. + +Thanks, can I add "Tested-by: Andreas Gustafsson <email address hidden>" +to the patch? + + +On 8/30/20 8:18 AM, <email address hidden> wrote: +> On Sat, Aug 22, 2020 at 02:21:27PM -0000, Philippe Mathieu-Daudé wrote: +>> The S24/TCX datasheet is listed as "Unable to locate" on [1]. +>> +>> However the NetBSD revision 1.32 of the driver introduced +>> 64-bit accesses to the stippler and blitter [2]. It is safe +>> to assume these memory regions are 64-bit accessible. +>> QEMU implementation is 32-bit, so fill the 'impl' fields. +>> +>> [1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +>> [2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +>> +>> Reported-by: Andreas Gustafsson <email address hidden> +>> Buglink: https://bugs.launchpad.net/bugs/1892540 +>> Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +>> 
Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +> +> Philippe, did you submit the patch on the mailing list +> normally too? I don't seem to see it there. + +Yes, Message-id: <email address hidden> +https://<email address hidden>/msg732515.html + +> +> the patch seems to work for me: +> +> Tested-by: Michael S. Tsirkin <email address hidden> + +Thanks! + +> +> +> CC Nathan who reported a similar failure. +> +> Nathan, does the patch below fix the issue for you? +> +>> --- +>> Since v1: +>> - added missing uncommitted staged changes... (tcx_blit_ops) +>> --- +> hw/display/tcx.c | 18 +++++++++++++++--- +> 1 file changed, 15 insertions(+), 3 deletions(-) +> +> diff --git a/hw/display/tcx.c b/hw/display/tcx.c +> index 1fb45b1aab8..96c6898b149 100644 +> --- a/hw/display/tcx.c +> +++ b/hw/display/tcx.c +> @@ -548,20 +548,28 @@ static const MemoryRegionOps tcx_stip_ops = { +> .read = tcx_stip_readl, +> .write = tcx_stip_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static const MemoryRegionOps tcx_rstip_ops = { +> .read = tcx_stip_readl, +> .write = tcx_rstip_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +> 
@@ -650,10 +658,14 @@ static const MemoryRegionOps tcx_rblit_ops = { +> .read = tcx_blit_readl, +> .write = tcx_rblit_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static void tcx_invalidate_cursor_position(TCXState *s) +> +> +> ----------------------------------------------------------- +> +> I think you shouldn't specify .min_access_size in impl, since +> that also allows 1 and 2 byte accesses from guest. +> +> +> +>> -- +>> 2.26.2 +>> +>> -- +>> You received this bug notification because you are subscribed to the bug +>> report. +>> https://bugs.launchpad.net/bugs/1892540 +>> +>> Title: +>> qemu can no longer boot NetBSD/sparc +>> +>> Status in QEMU: +>> New +>> +>> Bug description: +>> Booting NetBSD/sparc in qemu no longer works. It broke between qemu +>> version 5.0.0 and 5.1.0, and a bisection identified the following as +>> the offending commit: +>> +>> [5d971f9e672507210e77d020d89e0e89165c8fc9] memory: Revert "memory: +>> accept mismatching sizes in memory_region_access_valid" +>> +>> It's still broken as of 7fd51e68c34fcefdb4d6fd646ed3346f780f89f4. 
+>> +>> To reproduce, run +>> +>> wget http://ftp.netbsd.org/pub/NetBSD/NetBSD-9.0/images/NetBSD-9.0-sparc.iso +>> qemu-system-sparc -nographic -cdrom NetBSD-9.0-sparc.iso -boot d +>> +>> The expected behavior is that the guest boots to the prompt +>> +>> Installation medium to load the additional utilities from: +>> +>> The observed behavior is a panic: +>> +>> [ 1.0000050] system[0]: trap 0x29: pc=0xf0046b14 sfsr=0xb6 sfva=0x54000000 +>> [ 1.0000050] cpu0: data fault: pc=0xf0046b14 addr=0x54000000 sfsr=0xb6<PERR=0x0,LVL=0x0,AT=0x5,FT=0x5,FAV,OW> +>> [ 1.0000050] panic: kernel fault +>> [ 1.0000050] halted +>> +>> To manage notifications about this bug go to: +>> https://bugs.launchpad.net/qemu/+bug/1892540/+subscriptions +> +> + + + +Philippe Mathieu-Daudé wrote: +> Thanks, can I add "Tested-by: Andreas Gustafsson <email address hidden>" +> to the patch? + +Fine by me. +-- +Andreas Gustafsson, <email address hidden> + + +On 01/09/2020 11:04, Andreas Gustafsson wrote: + +> Philippe Mathieu-Daudé wrote: +>> Thanks, can I add "Tested-by: Andreas Gustafsson <email address hidden>" +>> to the patch? +> +> Fine by me. + +I've added the above Tested-by tag (and also that from MST) and applied this to my +qemu-sparc branch. + + +ATB, + +Mark. + + +The S24/TCX datasheet is listed as "Unable to locate" on [1]. + +However the NetBSD revision 1.32 of the driver introduced +64-bit accesses to the stippler and blitter [2]. It is safe +to assume these memory regions are 64-bit accessible. +QEMU implementation is 32-bit, so fill the 'impl' fields. + +Michael Lorenz (author of the NetBSD code [2]) provided us with more +information in [3]: + +> IIRC the real hardware *requires* 64bit accesses for stipple and +> blitter operations to work. For stipples you write a 64bit word into +> STIP space, the address defines where in the framebuffer you want to +> draw, the data contain a 32bit bitmask, foreground colour and a ROP. 
+> BLIT space works similarly, the 64bit word contains an offset were to +> read pixels from, and how many you want to copy. +> +> One more thing since there seems to be some confusion - 64bit accesses +> on the framebuffer are fine as well. TCX/S24 is *not* an SBus device, +> even though its node says it is. +> S24 is a card that plugs into a special slot on the SS5 mainboard, +> which is shared with an SBus slot and looks a lot like a horizontal +> UPA slot. Both S24 and TCX are accessed through the Micro/TurboSPARC's +> AFX bus which is 64bit wide and intended for graphics. +> Early FFB docs even mentioned connecting to both AFX and UPA, +> no idea if that was ever realized in hardware though. + +[1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +[2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +[3] https://<email address hidden>/msg734928.html + +Reported-by: Andreas Gustafsson <email address hidden> +Buglink: https://bugs.launchpad.net/bugs/1892540 +Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +Tested-by: Michael S. Tsirkin <email address hidden> +Reviewed-by: Richard Henderson <email address hidden> +Tested-by: Andreas Gustafsson <email address hidden> +Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +--- +Since v2: +- added Michael's memories +- added R-b/T-b tags + +Since v1: +- added missing uncommitted staged changes... 
(tcx_blit_ops) +--- + hw/display/tcx.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index c9d5e45cd1f..878ecc8c506 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -549,20 +549,28 @@ static const MemoryRegionOps tcx_stip_ops = { + .read = tcx_stip_readl, + .write = tcx_stip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rstip_ops = { + .read = tcx_stip_readl, + .write = tcx_rstip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +@@ -651,10 +659,14 @@ static const MemoryRegionOps tcx_rblit_ops = { + .read = tcx_blit_readl, + .write = tcx_rblit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static void tcx_invalidate_cursor_position(TCXState *s) +-- +2.26.2 + + + +On 8/30/20 9:32 AM, Mark Cave-Ayland wrote: +> On 29/08/2020 17:45, Philippe Mathieu-Daudé wrote: +> +>> Le sam. 29 août 2020 18:14, Michael <<email address hidden> +>> <mailto:<email address hidden>>> a écrit : +>> +>> Hello, +>> +>> since I wrote the NetBSD code in question, here are my 2 cent: +>> +>> On Sat, 29 Aug 2020 08:41:43 -0700 +>> Richard Henderson <<email address hidden> +>> <mailto:<email address hidden>>> wrote: +>> +>> > On 8/22/20 7:21 AM, Philippe Mathieu-Daudé wrote: +>> > > The S24/TCX datasheet is listed as "Unable to locate" on [1]. +>> +>> I don't have it either, but someone did a lot of reverse engineering +>> and gave me his notes. 
The hardware isn't that complicated, but quite +>> weird. +>> +>> > > However the NetBSD revision 1.32 of the driver introduced +>> > > 64-bit accesses to the stippler and blitter [2]. It is safe +>> > > to assume these memory regions are 64-bit accessible. +>> > > QEMU implementation is 32-bit, so fill the 'impl' fields. +>> +>> IIRC the real hardware *requires* 64bit accesses for stipple and +>> blitter operations to work. For stipples you write a 64bit word into +>> STIP space, the address defines where in the framebuffer you want to +>> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +>> BLIT space works similarly, the 64bit word contains an offset were to +>> read pixels from, and how many you want to copy. +>> +>> +>> Thanks Michael for this information! +>> If you don't mind I'll amend it to the commit description so there is a reference for +>> posterity. +>> +>> I'm waiting for /Andreas Gustafsson to test it then will repost. +> +> Hi Philippe, +> +> Thanks for coming up with this patch! Looks fine to me, just wondering if it should +> have a "Fixes: 5d971f9e67 ("memory: Revert "memory: accept mismatching sizes in +> memory_region_access_valid"") tag rather than the original commit since that's how +> other bugs exposed by that commit have been tagged? + +I don't think so, the bug was present (hidden) *before* 5d971f9e67 and +we were incorrectly modelling it. I just posted a v3 including Michael +valuable memories :) + +> +> +> ATB, +> +> Mark. +> + + +On 24/10/2020 21:51, Philippe Mathieu-Daudé wrote: + +> The S24/TCX datasheet is listed as "Unable to locate" on [1]. +> +> However the NetBSD revision 1.32 of the driver introduced +> 64-bit accesses to the stippler and blitter [2]. It is safe +> to assume these memory regions are 64-bit accessible. +> QEMU implementation is 32-bit, so fill the 'impl' fields. 
+> +> Michael Lorenz (author of the NetBSD code [2]) provided us with more +> information in [3]: +> +>> IIRC the real hardware *requires* 64bit accesses for stipple and +>> blitter operations to work. For stipples you write a 64bit word into +>> STIP space, the address defines where in the framebuffer you want to +>> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +>> BLIT space works similarly, the 64bit word contains an offset were to +>> read pixels from, and how many you want to copy. +>> +>> One more thing since there seems to be some confusion - 64bit accesses +>> on the framebuffer are fine as well. TCX/S24 is *not* an SBus device, +>> even though its node says it is. +>> S24 is a card that plugs into a special slot on the SS5 mainboard, +>> which is shared with an SBus slot and looks a lot like a horizontal +>> UPA slot. Both S24 and TCX are accessed through the Micro/TurboSPARC's +>> AFX bus which is 64bit wide and intended for graphics. +>> Early FFB docs even mentioned connecting to both AFX and UPA, +>> no idea if that was ever realized in hardware though. +> +> [1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +> [2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +> [3] https://<email address hidden>/msg734928.html +> +> Reported-by: Andreas Gustafsson <email address hidden> +> Buglink: https://bugs.launchpad.net/bugs/1892540 +> Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +> Tested-by: Michael S. Tsirkin <email address hidden> +> Reviewed-by: Richard Henderson <email address hidden> +> Tested-by: Andreas Gustafsson <email address hidden> +> 
Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +> --- +> Since v2: +> - added Michael's memories +> - added R-b/T-b tags +> +> Since v1: +> - added missing uncommitted staged changes... (tcx_blit_ops) +> --- +> hw/display/tcx.c | 18 +++++++++++++++--- +> 1 file changed, 15 insertions(+), 3 deletions(-) +> +> diff --git a/hw/display/tcx.c b/hw/display/tcx.c +> index c9d5e45cd1f..878ecc8c506 100644 +> --- a/hw/display/tcx.c +> +++ b/hw/display/tcx.c +> @@ -549,20 +549,28 @@ static const MemoryRegionOps tcx_stip_ops = { +> .read = tcx_stip_readl, +> .write = tcx_stip_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static const MemoryRegionOps tcx_rstip_ops = { +> .read = tcx_stip_readl, +> .write = tcx_rstip_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +> 
@@ -651,10 +659,14 @@ static const MemoryRegionOps tcx_rblit_ops = { +> .read = tcx_blit_readl, +> .write = tcx_rblit_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static void tcx_invalidate_cursor_position(TCXState *s) + +I'd already queued v2 of this patch (see my earlier email) with the intent to send a +PR today, however I'll replace it with this v3 instead. + + +ATB, + +Mark. + + +On 10/25/20 11:55 AM, Mark Cave-Ayland wrote: +> On 24/10/2020 21:51, Philippe Mathieu-Daudé wrote: +> +>> The S24/TCX datasheet is listed as "Unable to locate" on [1]. +>> +>> However the NetBSD revision 1.32 of the driver introduced +>> 64-bit accesses to the stippler and blitter [2]. It is safe +>> to assume these memory regions are 64-bit accessible. +>> QEMU implementation is 32-bit, so fill the 'impl' fields. +>> +>> Michael Lorenz (author of the NetBSD code [2]) provided us with more +>> information in [3]: +>> +>>> IIRC the real hardware *requires* 64bit accesses for stipple and +>>> blitter operations to work. For stipples you write a 64bit word into +>>> STIP space, the address defines where in the framebuffer you want to +>>> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +>>> BLIT space works similarly, the 64bit word contains an offset were to +>>> read pixels from, and how many you want to copy. +>>> +>>> One more thing since there seems to be some confusion - 64bit accesses +>>> on the framebuffer are fine as well. TCX/S24 is *not* an SBus device, +>>> even though its node says it is. +>>> S24 is a card that plugs into a special slot on the SS5 mainboard, +>>> which is shared with an SBus slot and looks a lot like a horizontal +>>> UPA slot. Both S24 and TCX are accessed through the Micro/TurboSPARC's +>>> AFX bus which is 64bit wide and intended for graphics. 
+>>> Early FFB docs even mentioned connecting to both AFX and UPA, +>>> no idea if that was ever realized in hardware though. +>> +>> [1] +>> http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +>> +>> [2] +>> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +>> +>> [3] https://<email address hidden>/msg734928.html +>> +>> Reported-by: Andreas Gustafsson <email address hidden> +>> Buglink: https://bugs.launchpad.net/bugs/1892540 +>> Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +>> Tested-by: Michael S. Tsirkin <email address hidden> +>> Reviewed-by: Richard Henderson <email address hidden> +>> Tested-by: Andreas Gustafsson <email address hidden> +>> Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +>> --- +>> Since v2: +>> - added Michael's memories +>> - added R-b/T-b tags +>> +>> Since v1: +>> - added missing uncommitted staged changes... (tcx_blit_ops) +>> --- +>> hw/display/tcx.c | 18 +++++++++++++++--- +>> 1 file changed, 15 insertions(+), 3 deletions(-) +>> +>> diff --git a/hw/display/tcx.c b/hw/display/tcx.c +>> index c9d5e45cd1f..878ecc8c506 100644 +>> --- a/hw/display/tcx.c +>> +++ b/hw/display/tcx.c +>> @@ -549,20 +549,28 @@ static const MemoryRegionOps tcx_stip_ops = { +>> .read = tcx_stip_readl, +>> .write = tcx_stip_writel, +>> .endianness = DEVICE_NATIVE_ENDIAN, +>> - .valid = { +>> + .impl = { +>> .min_access_size = 4, +>> .max_access_size = 4, +>> }, +>> + .valid = { +>> + .min_access_size = 4, +>> + .max_access_size = 8, +>> + }, +>> }; +>> static const MemoryRegionOps tcx_rstip_ops = { +>> .read = tcx_stip_readl, +>> .write = tcx_rstip_writel, +>> .endianness = DEVICE_NATIVE_ENDIAN, +>> - .valid = { +>> + .impl = { +>> .min_access_size = 4, +>> .max_access_size = 4, +>> }, +>> + .valid = { +>> + .min_access_size = 4, +>> + .max_access_size = 8, +>> + }, +>> }; +>> static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +>> 
@@ -651,10 +659,14 @@ static const MemoryRegionOps tcx_rblit_ops = { +>> .read = tcx_blit_readl, +>> .write = tcx_rblit_writel, +>> .endianness = DEVICE_NATIVE_ENDIAN, +>> - .valid = { +>> + .impl = { +>> .min_access_size = 4, +>> .max_access_size = 4, +>> }, +>> + .valid = { +>> + .min_access_size = 4, +>> + .max_access_size = 8, +>> + }, +>> }; +>> static void tcx_invalidate_cursor_position(TCXState *s) +> +> I'd already queued v2 of this patch (see my earlier email) with the +> intent to send a PR today, however I'll replace it with this v3 instead. + +Thanks! Since there is no code change with v2, I assumed it wouldn't be +a problem to replace it, without having to re-run your tests. + +> +> +> ATB, +> +> Mark. +> + + +From: Philippe Mathieu-Daudé <email address hidden> + +The S24/TCX datasheet is listed as "Unable to locate" on [1]. + +However the NetBSD revision 1.32 of the driver introduced +64-bit accesses to the stippler and blitter [2]. It is safe +to assume these memory regions are 64-bit accessible. +QEMU implementation is 32-bit, so fill the 'impl' fields. + +Michael Lorenz (author of the NetBSD code [2]) provided us with more +information in [3]: + +> IIRC the real hardware *requires* 64bit accesses for stipple and +> blitter operations to work. For stipples you write a 64bit word into +> STIP space, the address defines where in the framebuffer you want to +> draw, the data contain a 32bit bitmask, foreground colour and a ROP. +> BLIT space works similarly, the 64bit word contains an offset were to +> read pixels from, and how many you want to copy. +> +> One more thing since there seems to be some confusion - 64bit accesses +> on the framebuffer are fine as well. TCX/S24 is *not* an SBus device, +> even though its node says it is. +> S24 is a card that plugs into a special slot on the SS5 mainboard, +> which is shared with an SBus slot and looks a lot like a horizontal +> UPA slot. 
Both S24 and TCX are accessed through the Micro/TurboSPARC's +> AFX bus which is 64bit wide and intended for graphics. +> Early FFB docs even mentioned connecting to both AFX and UPA, +> no idea if that was ever realized in hardware though. + +[1] http://web.archive.org/web/20111209011516/http://wikis.sun.com/display/FOSSdocs/Home +[2] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/sbus/tcx.c.diff?r1=1.31&r2=1.32 +[3] https://<email address hidden>/msg734928.html + +Cc: <email address hidden> +Reported-by: Andreas Gustafsson <email address hidden> +Buglink: https://bugs.launchpad.net/bugs/1892540 +Fixes: 55d7bfe2293 ("tcx: Implement hardware acceleration") +Tested-by: Michael S. Tsirkin <email address hidden> +Reviewed-by: Richard Henderson <email address hidden> +Tested-by: Andreas Gustafsson <email address hidden> +Signed-off-by: Philippe Mathieu-Daudé <email address hidden> +Message-Id: <email address hidden> +Signed-off-by: Mark Cave-Ayland <email address hidden> +--- + hw/display/tcx.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index c9d5e45cd1..878ecc8c50 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -549,20 +549,28 @@ static const MemoryRegionOps tcx_stip_ops = { + .read = tcx_stip_readl, + .write = tcx_stip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rstip_ops = { + .read = tcx_stip_readl, + .write = tcx_rstip_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static uint64_t tcx_blit_readl(void *opaque, hwaddr addr, +@@ -651,10 +659,14 @@ static const MemoryRegionOps tcx_rblit_ops = { + .read = tcx_blit_readl, + 
.write = tcx_rblit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static void tcx_invalidate_cursor_position(TCXState *s) +-- +2.20.1 + + + +Commit ae5643ecc6 "hw/display/tcx: Allow 64-bit accesses to framebuffer stippler +and blitter" enabled 64-bit access for the TCX framebuffer stippler and blitter +but missed applying the change to one of the blitter MemoryRegions. + +Whilst the original change works for me on my local NetBSD test image, the latest +NetBSD ISO panics on startup without this fix. + +Signed-off-by: Mark Cave-Ayland <email address hidden> +Fixes: ae5643ecc6 ("hw/display/tcx: Allow 64-bit accesses to framebuffer stippler and blitter") +Buglink: https://bugs.launchpad.net/bugs/1892540 +--- + hw/display/tcx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/display/tcx.c b/hw/display/tcx.c +index 878ecc8c50..3799d29b75 100644 +--- a/hw/display/tcx.c ++++ b/hw/display/tcx.c +@@ -649,10 +649,14 @@ static const MemoryRegionOps tcx_blit_ops = { + .read = tcx_blit_readl, + .write = tcx_blit_writel, + .endianness = DEVICE_NATIVE_ENDIAN, +- .valid = { ++ .impl = { + .min_access_size = 4, + .max_access_size = 4, + }, ++ .valid = { ++ .min_access_size = 4, ++ .max_access_size = 8, ++ }, + }; + + static const MemoryRegionOps tcx_rblit_ops = { +-- +2.20.1 + + + +On 11/20/20 9:17 AM, Mark Cave-Ayland wrote: +> Commit ae5643ecc6 "hw/display/tcx: Allow 64-bit accesses to framebuffer stippler +> and blitter" enabled 64-bit access for the TCX framebuffer stippler and blitter +> but missed applying the change to one of the blitter MemoryRegions. +> +> Whilst the original change works for me on my local NetBSD test image, the latest +> NetBSD ISO panics on startup without this fix. +> +> 
Signed-off-by: Mark Cave-Ayland <email address hidden> +> Fixes: ae5643ecc6 ("hw/display/tcx: Allow 64-bit accesses to framebuffer stippler and blitter") +> Buglink: https://bugs.launchpad.net/bugs/1892540 +> --- +> hw/display/tcx.c | 6 +++++- +> 1 file changed, 5 insertions(+), 1 deletion(-) + +Reviewed-by: Philippe Mathieu-Daudé <email address hidden> + + +Is this bug now fixed, or are there still more patches not yet in master? + + +On 21/11/2020 23:46, Peter Maydell wrote: + +> Is this bug now fixed, or are there still more patches not yet in +> master? + +The additional for-5.2 patch above is still needed: I've just submitted it to +Travis-CI, and assuming it passes I'll send a PR later. + + +ATB, + +Mark. + + +On 20/11/2020 08:17, Mark Cave-Ayland wrote: + +> Commit ae5643ecc6 "hw/display/tcx: Allow 64-bit accesses to framebuffer stippler +> and blitter" enabled 64-bit access for the TCX framebuffer stippler and blitter +> but missed applying the change to one of the blitter MemoryRegions. +> +> Whilst the original change works for me on my local NetBSD test image, the latest +> NetBSD ISO panics on startup without this fix. +> +> Signed-off-by: Mark Cave-Ayland <email address hidden> +> Fixes: ae5643ecc6 ("hw/display/tcx: Allow 64-bit accesses to framebuffer stippler and blitter") +> Buglink: https://bugs.launchpad.net/bugs/1892540 +> --- +> hw/display/tcx.c | 6 +++++- +> 1 file changed, 5 insertions(+), 1 deletion(-) +> +> diff --git a/hw/display/tcx.c b/hw/display/tcx.c +> index 878ecc8c50..3799d29b75 100644 +> --- a/hw/display/tcx.c +> +++ b/hw/display/tcx.c +> 
@@ -649,10 +649,14 @@ static const MemoryRegionOps tcx_blit_ops = { +> .read = tcx_blit_readl, +> .write = tcx_blit_writel, +> .endianness = DEVICE_NATIVE_ENDIAN, +> - .valid = { +> + .impl = { +> .min_access_size = 4, +> .max_access_size = 4, +> }, +> + .valid = { +> + .min_access_size = 4, +> + .max_access_size = 8, +> + }, +> }; +> +> static const MemoryRegionOps tcx_rblit_ops = { + +Adding CC to qemu-stable so that this follow-up fix also gets applied to 5.1.1. + + +ATB, + +Mark. + + +This should now be fixed in master as of 48e5c7f34c "hw/display/tcx: add missing 64-bit access for framebuffer blitter". + + +ATB, + +Mark. + + +Seems to at least do the innital part of the boot ok. +I got to shell at least: not sure how far I'm supposed to get +or which options to choose. + + + +Released with QEMU v5.2.0. + diff --git a/results/classifier/108/other/1892541 b/results/classifier/108/other/1892541 new file mode 100644 index 000000000..ee82f3277 --- /dev/null +++ b/results/classifier/108/other/1892541 
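Review bot: the tcx.c patch quoted throughout this entry (hunks at lines 549 and 651) widens `.valid.max_access_size` to 8 for tcx_stip_ops, tcx_rstip_ops and tcx_rblit_ops only; tcx_blit_ops, which sits directly above tcx_rblit_ops in the same file, keeps `.valid = { .min_access_size = 4, .max_access_size = 4 }`, so a 64-bit guest access to the non-raw blit region is still rejected as invalid. The diffstat of 15 insertions and 3 deletions in v3 is identical to v1, which confirms the "Since v1: added missing uncommitted staged changes... (tcx_blit_ops)" note in the cover text did not actually land in the diff; the later `@@ -649,10 +649,14 @@ static const MemoryRegionOps tcx_blit_ops` hunk from Mark Cave-Ayland is the block that should have been in the first patch, and reviewers of a change like this should check that every MemoryRegionOps table in the file got the same treatment rather than trusting the diffstat. One further point applies to all four tables: with `.impl.max_access_size = 4` and `.valid.max_access_size = 8`, the memory core accepts the 8-byte access and delivers it to the existing readl/writel handlers as two 4-byte calls, so the single 64-bit stipple/blit word Michael describes (bitmask, foreground colour and ROP; offset and pixel count) reaches the device as two halves in separate handler invocations. Whether the handlers already carry state across those two calls is not visible in this diff; a one-line comment above the tables stating that `.impl` deliberately stays at 4 bytes and the handlers are expected to reassemble the 64-bit word would make the intent clear to the next person touching this file.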
@@ -0,0 +1,63 @@ +other: 0.945 +permissions: 0.940 +device: 0.932 +graphic: 0.931 +network: 0.920 +PID: 0.920 +socket: 0.917 +vnc: 0.916 +boot: 0.913 +debug: 0.902 +files: 0.900 +performance: 0.891 +KVM: 0.820 +semantic: 0.807 + +qemu 5.1 on windows 10 with whpx can not install Windows 7 guest + +Command install and start win7 + +qemu-system-x86_64 -smbios type=1,uuid=e77aacd6-0acb-4a5c-9a83-a80d029b36f1 -smp 2,sockets=1,cores=2,maxcpus=2 -nodefaults -boot menu=on,strict=on,reboot-timeout=1000 -m 8192 ^ +-readconfig pve-q35-4.0.cfg ^ +-device vmgenid,guid=6d4865f5-353e-4cf1-b8ca-f5abbd062736 -device usb-tablet,id=tablet,bus=ehci.0,port=1 -device VGA,id=vga,bus=pcie.0,addr=0x1 ^ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 ^ +-drive file=en_windows_7_ultimate_with_sp1_x64_dvd_u_677332.iso,if=none,id=drive-ide2,media=cdrom,aio=threads ^ +-device ide-cd,bus=ide.1,unit=0,drive=drive-ide2,id=ide2,bootindex=200 -device ahci,id=ahci0,multifunction=on,bus=pci.0,addr=0x7 ^ +-drive id=drive-sata0,if=none,file=win7.qcow2,format=qcow2,cache=none,aio=native,detect-zeroes=on ^ +-device ide-hd,bus=ahci0.0,drive=drive-sata0,id=sata0,bootindex=100 ^ +-netdev type=tap,id=mynet0,ifname=tap1,script=no,downscript=no ^ +-device e1000,netdev=mynet0,mac=52:55:00:d1:55:10,bus=pci.0,addr=0x12,id=net0,bootindex=300 ^ +-machine type=q35,accel=whpx + +The QEMU project is currently moving its bug tracking to another system. +For this we need to know which bugs are still valid and which could be +closed already. Thus we are setting the bug state to "Incomplete" now. + +If the bug has already been fixed in the latest upstream version of QEMU, +then please close this ticket as "Fix released". 
+ +If it is not fixed yet and you think that this bug report here is still +valid, then you have two options: + +1) If you already have an account on gitlab.com, please open a new ticket +for this problem in our new tracker here: + + https://gitlab.com/qemu-project/qemu/-/issues + +and then close this ticket here on Launchpad (or let it expire auto- +matically after 60 days). Please mention the URL of this bug ticket on +Launchpad in the new ticket on GitLab. + +2) If you don't have an account on gitlab.com and don't intend to get +one, but still would like to keep this ticket opened, then please switch +the state back to "New" or "Confirmed" within the next 60 days (other- +wise it will get closed as "Expired"). We will then eventually migrate +the ticket automatically to the new system (but you won't be the reporter +of the bug in the new system and thus you won't get notified on changes +anymore). + +Thank you and sorry for the inconvenience. + + +[Expired for QEMU because there has been no activity for 60 days.] + diff --git a/results/classifier/108/other/1892544 b/results/classifier/108/other/1892544 new file mode 100644 index 000000000..ade2ca590 --- /dev/null +++ b/results/classifier/108/other/1892544 
@@ -0,0 +1,505 @@ +other: 0.937 +vnc: 0.929 +permissions: 0.926 +graphic: 0.924 +KVM: 0.924 +PID: 0.911 +device: 0.909 +files: 0.908 +performance: 0.907 +socket: 0.905 +semantic: 0.892 +debug: 0.877 +network: 0.870 +boot: 0.851 + +meson qemu 5.2 can not built with msys2 + +pacman -S base-devel mingw-w64-x86_64-toolchain git +pacman -S mingw-w64-x86_64-python mingw-w64-x86_64-python-setuptools +pacman -S mingw-w64-x86_64-spice-protocol + +cd /mingw64/bin +cp x86_64-w64-mingw32-gcc-ar.exe x86_64-w64-mingw32-ar.exe +cp x86_64-w64-mingw32-gcc-ranlib.exe x86_64-w64-mingw32-ranlib.exe +cp windres.exe x86_64-w64-mingw32-windres.exe +cp nm.exe x86_64-w64-mingw32-nm.exe +cp objcopy.exe x86_64-w64-mingw32-objcopy.exe +cd ~ +cd qemu.org-x64 + + +../qemu.org/configure \ + --python=python3 \ + --cross-prefix=x86_64-w64-mingw32- --enable-gtk --enable-sdl \ + --enable-capstone=git \ + --enable-stack-protector \ + --enable-gnutls \ + --enable-nettle \ + --enable-vnc \ + --enable-vnc-sasl \ + --enable-vnc-jpeg \ + --enable-vnc-png \ + --enable-membarrier \ + --enable-slirp=git \ + --disable-kvm \ + --enable-hax \ + --enable-whpx \ + --disable-spice \ + --enable-lzo \ + --enable-snappy \ + --enable-bzip2 \ + --enable-vdi \ + --enable-qcow1 \ + --enable-tools \ + --enable-libusb \ + --enable-usb-redir \ + --disable-libnfs \ + --enable-libssh + +error output +``` +$ ../qemu.org/configure \ +> --python=python3 \ +> --cross-prefix=x86_64-w64-mingw32- --enable-gtk --enable-sdl \ +> --enable-capstone=git \ +> --enable-stack-protector \ +> --enable-gnutls \ +> --enable-nettle \ +> --enable-vnc \ +> --enable-vnc-sasl \ +> --enable-vnc-jpeg \ +> --enable-vnc-png \ +> --enable-membarrier \ +> --enable-slirp=git \ +> --disable-kvm \ +> --enable-hax \ +> --enable-whpx \ +> --disable-spice \ +> --enable-lzo \ +> --enable-snappy \ +> --enable-bzip2 \ +> --enable-vdi \ +> --enable-qcow1 \ +> --enable-tools \ +> --enable-libusb \ +> --enable-usb-redir \ +> --disable-libnfs \ +> --enable-libssh +ln: 
无法创建符号链接 'aarch64-softmmu/qemu-system-aarch64': No such file or directory +ln: 无法创建符号链接 'alpha-softmmu/qemu-system-alpha': No such file or directory +ln: 无法创建符号链接 'arm-softmmu/qemu-system-arm': No such file or directory +ln: 无法创建符号链接 'avr-softmmu/qemu-system-avr': No such file or directory +ln: 无法创建符号链接 'cris-softmmu/qemu-system-cris': No such file or directory +ln: 无法创建符号链接 'hppa-softmmu/qemu-system-hppa': No such file or directory +ln: 无法创建符号链接 'i386-softmmu/qemu-system-i386': No such file or directory +ln: 无法创建符号链接 'lm32-softmmu/qemu-system-lm32': No such file or directory +ln: 无法创建符号链接 'm68k-softmmu/qemu-system-m68k': No such file or directory +ln: 无法创建符号链接 'microblazeel-softmmu/qemu-system-microblazeel': No such file or directory +ln: 无法创建符号链接 'microblaze-softmmu/qemu-system-microblaze': No such file or directory +ln: 无法创建符号链接 'mips64el-softmmu/qemu-system-mips64el': No such file or directory +ln: 无法创建符号链接 'mips64-softmmu/qemu-system-mips64': No such file or directory +ln: 无法创建符号链接 'mipsel-softmmu/qemu-system-mipsel': No such file or directory +ln: 无法创建符号链接 'mips-softmmu/qemu-system-mips': No such file or directory +ln: 无法创建符号链接 'moxie-softmmu/qemu-system-moxie': No such file or directory +ln: 无法创建符号链接 'nios2-softmmu/qemu-system-nios2': No such file or directory +ln: 无法创建符号链接 'or1k-softmmu/qemu-system-or1k': No such file or directory +ln: 无法创建符号链接 'ppc64-softmmu/qemu-system-ppc64': No such file or directory +ln: 无法创建符号链接 'ppc-softmmu/qemu-system-ppc': No such file or directory +ln: 无法创建符号链接 'riscv32-softmmu/qemu-system-riscv32': No such file or directory +ln: 无法创建符号链接 'riscv64-softmmu/qemu-system-riscv64': No such file or directory +ln: 无法创建符号链接 'rx-softmmu/qemu-system-rx': No such file or directory +ln: 无法创建符号链接 's390x-softmmu/qemu-system-s390x': No such file or directory +ln: 无法创建符号链接 'sh4eb-softmmu/qemu-system-sh4eb': No such file or directory +ln: 无法创建符号链接 'sh4-softmmu/qemu-system-sh4': No such file or directory +ln: 无法创建符号链接 
'sparc64-softmmu/qemu-system-sparc64': No such file or directory +ln: 无法创建符号链接 'sparc-softmmu/qemu-system-sparc': No such file or directory +ln: 无法创建符号链接 'tricore-softmmu/qemu-system-tricore': No such file or directory +ln: 无法创建符号链接 'unicore32-softmmu/qemu-system-unicore32': No such file or directory +ln: 无法创建符号链接 'x86_64-softmmu/qemu-system-x86_64': No such file or directory +ln: 无法创建符号链接 'xtensaeb-softmmu/qemu-system-xtensaeb': No such file or directory +ln: 无法创建符号链接 'xtensa-softmmu/qemu-system-xtensa': No such file or directory +cross containers no + +NOTE: guest cross-compilers enabled: cc +The Meson build system +Version: 0.55.0 +Source dir: E:/CI-Cor-Ready/xemu/qemu.org +Build dir: E:/CI-Cor-Ready/xemu/qemu.org-x64 +Build type: cross build +Using 'PKG_CONFIG_PATH' from environment with value: 'C:\\CI-Tools\\msys64\\mingw64\\lib\\pkgconfig;C:\\CI-Tools\\msys64\\mingw64\\share\\pkgconfig' +Project name: qemu +Project version: 5.1.50 +C compiler for the build machine: cc (gcc 10.2.0 "cc (Rev1, Built by MSYS2 project) 10.2.0") +C linker for the build machine: cc ld.bfd 2.34 +C compiler for the host machine: x86_64-w64-mingw32-gcc (gcc 10.2.0 "x86_64-w64-mingw32-gcc (Rev1, Built by MSYS2 project) 10.2.0") +C linker for the host machine: x86_64-w64-mingw32-gcc ld.bfd 2.34 +Build machine cpu family: x86_64 +Build machine cpu: x86_64 +Host machine cpu family: x86 +Host machine cpu: x86_64 +Target machine cpu family: x86 +Target machine cpu: x86_64 +../qemu.org/meson.build:9: WARNING: Module unstable-keyval has no backwards or forwards compatibility and might not exist in future releases. 
+Program sh found: YES +Program python3 found: YES (C:/CI-Tools/msys64/mingw64/bin/python3.exe) +C++ compiler for the host machine: x86_64-w64-mingw32-g++ (gcc 10.2.0 "x86_64-w64-mingw32-g++ (Rev1, Built by MSYS2 project) 10.2.0") +C++ linker for the host machine: x86_64-w64-mingw32-g++ ld.bfd 2.34 +Configuring ninjatool using configuration +Library m found: YES +Library util found: NO +Library ws2_32 found: YES +Library winmm found: YES +Windows resource compiler: GNU windres (GNU Binutils) 2.34 +Library aio found: NO +Library rt found: NO +Found pkg-config: C:\CI-Tools\msys64\mingw64\bin/x86_64-w64-mingw32-pkg-config.EXE (0.29.2) +Using 'PKG_CONFIG_PATH' from environment with value: 'C:\\CI-Tools\\msys64\\mingw64\\lib\\pkgconfig;C:\\CI-Tools\\msys64\\mingw64\\share\\pkgconfig' +Run-time dependency sdl2 found: YES 2.0.12 +Found CMake: NO +Run-time dependency sdl-image found: NO (tried pkgconfig and cmake) +Using 'PKG_CONFIG_PATH' from environment with value: 'C:\\CI-Tools\\msys64\\mingw64\\lib\\pkgconfig;C:\\CI-Tools\\msys64\\mingw64\\share\\pkgconfig' +Run-time dependency libpng found: YES 1.6.37 +Has header "jpeglib.h" : YES +Library jpeg found: YES +Has header "sasl/sasl.h" : YES +Library sasl2 found: YES +Configuring config-host.h using configuration +Program scripts/minikconf.py found: YES +Configuring aarch64-softmmu-config-target.h using configuration +Configuring aarch64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/aarch64-softmmu-config-devices.mak.d +Configuring aarch64-softmmu-config-devices.h using configuration +Configuring alpha-softmmu-config-target.h using configuration +Configuring alpha-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/alpha-softmmu-config-devices.mak.d +Configuring alpha-softmmu-config-devices.h using configuration +Configuring arm-softmmu-config-target.h using configuration +Configuring 
arm-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/arm-softmmu-config-devices.mak.d +Configuring arm-softmmu-config-devices.h using configuration +Configuring avr-softmmu-config-target.h using configuration +Configuring avr-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/avr-softmmu-config-devices.mak.d +Configuring avr-softmmu-config-devices.h using configuration +Configuring cris-softmmu-config-target.h using configuration +Configuring cris-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/cris-softmmu-config-devices.mak.d +Configuring cris-softmmu-config-devices.h using configuration +Configuring hppa-softmmu-config-target.h using configuration +Configuring hppa-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/hppa-softmmu-config-devices.mak.d +Configuring hppa-softmmu-config-devices.h using configuration +Configuring i386-softmmu-config-target.h using configuration +Configuring i386-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/i386-softmmu-config-devices.mak.d +Configuring i386-softmmu-config-devices.h using configuration +Configuring lm32-softmmu-config-target.h using configuration +Configuring lm32-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/lm32-softmmu-config-devices.mak.d +Configuring lm32-softmmu-config-devices.h using configuration +Configuring m68k-softmmu-config-target.h using configuration +Configuring m68k-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/m68k-softmmu-config-devices.mak.d +Configuring m68k-softmmu-config-devices.h using configuration +Configuring microblazeel-softmmu-config-target.h using configuration +Configuring 
microblazeel-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/microblazeel-softmmu-config-devices.mak.d +Configuring microblazeel-softmmu-config-devices.h using configuration +Configuring microblaze-softmmu-config-target.h using configuration +Configuring microblaze-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/microblaze-softmmu-config-devices.mak.d +Configuring microblaze-softmmu-config-devices.h using configuration +Configuring mips64el-softmmu-config-target.h using configuration +Configuring mips64el-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/mips64el-softmmu-config-devices.mak.d +Configuring mips64el-softmmu-config-devices.h using configuration +Configuring mips64-softmmu-config-target.h using configuration +Configuring mips64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/mips64-softmmu-config-devices.mak.d +Configuring mips64-softmmu-config-devices.h using configuration +Configuring mipsel-softmmu-config-target.h using configuration +Configuring mipsel-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/mipsel-softmmu-config-devices.mak.d +Configuring mipsel-softmmu-config-devices.h using configuration +Configuring mips-softmmu-config-target.h using configuration +Configuring mips-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/mips-softmmu-config-devices.mak.d +Configuring mips-softmmu-config-devices.h using configuration +Configuring moxie-softmmu-config-target.h using configuration +Configuring moxie-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/moxie-softmmu-config-devices.mak.d +Configuring moxie-softmmu-config-devices.h using configuration 
+Configuring nios2-softmmu-config-target.h using configuration +Configuring nios2-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/nios2-softmmu-config-devices.mak.d +Configuring nios2-softmmu-config-devices.h using configuration +Configuring or1k-softmmu-config-target.h using configuration +Configuring or1k-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/or1k-softmmu-config-devices.mak.d +Configuring or1k-softmmu-config-devices.h using configuration +Configuring ppc64-softmmu-config-target.h using configuration +Configuring ppc64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/ppc64-softmmu-config-devices.mak.d +Configuring ppc64-softmmu-config-devices.h using configuration +Configuring ppc-softmmu-config-target.h using configuration +Configuring ppc-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/ppc-softmmu-config-devices.mak.d +Configuring ppc-softmmu-config-devices.h using configuration +Configuring riscv32-softmmu-config-target.h using configuration +Configuring riscv32-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/riscv32-softmmu-config-devices.mak.d +Configuring riscv32-softmmu-config-devices.h using configuration +Configuring riscv64-softmmu-config-target.h using configuration +Configuring riscv64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/riscv64-softmmu-config-devices.mak.d +Configuring riscv64-softmmu-config-devices.h using configuration +Configuring rx-softmmu-config-target.h using configuration +Configuring rx-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/rx-softmmu-config-devices.mak.d +Configuring rx-softmmu-config-devices.h using 
configuration +Configuring s390x-softmmu-config-target.h using configuration +Configuring s390x-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/s390x-softmmu-config-devices.mak.d +Configuring s390x-softmmu-config-devices.h using configuration +Configuring sh4eb-softmmu-config-target.h using configuration +Configuring sh4eb-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/sh4eb-softmmu-config-devices.mak.d +Configuring sh4eb-softmmu-config-devices.h using configuration +Configuring sh4-softmmu-config-target.h using configuration +Configuring sh4-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/sh4-softmmu-config-devices.mak.d +Configuring sh4-softmmu-config-devices.h using configuration +Configuring sparc64-softmmu-config-target.h using configuration +Configuring sparc64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/sparc64-softmmu-config-devices.mak.d +Configuring sparc64-softmmu-config-devices.h using configuration +Configuring sparc-softmmu-config-target.h using configuration +Configuring sparc-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/sparc-softmmu-config-devices.mak.d +Configuring sparc-softmmu-config-devices.h using configuration +Configuring tricore-softmmu-config-target.h using configuration +Configuring tricore-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/tricore-softmmu-config-devices.mak.d +Configuring tricore-softmmu-config-devices.h using configuration +Configuring unicore32-softmmu-config-target.h using configuration +Configuring unicore32-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/unicore32-softmmu-config-devices.mak.d +Configuring 
unicore32-softmmu-config-devices.h using configuration +Configuring x86_64-softmmu-config-target.h using configuration +Configuring x86_64-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/x86_64-softmmu-config-devices.mak.d +Configuring x86_64-softmmu-config-devices.h using configuration +Configuring xtensaeb-softmmu-config-target.h using configuration +Configuring xtensaeb-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/xtensaeb-softmmu-config-devices.mak.d +Configuring xtensaeb-softmmu-config-devices.h using configuration +Configuring xtensa-softmmu-config-target.h using configuration +Configuring xtensa-softmmu-config-devices.mak with command +Reading depfile: E:/CI-Cor-Ready/xemu/qemu.org-x64/meson-private/xtensa-softmmu-config-devices.mak.d +Configuring xtensa-softmmu-config-devices.h using configuration +Program scripts/grepy.sh found: YES +Configuring config-all-devices.mak with command +Program scripts/hxtool found: YES +Program scripts/shaderinclude.pl found: YES +Program scripts/qapi-gen.py found: YES +Program scripts/qemu-version.sh found: YES +Run-time dependency threads found: YES +Program keycodemapdb/tools/keymap-gen found: YES +Program scripts/decodetree.py found: YES +Program ../scripts/modules/module_block.py found: YES +Program x86_64-w64-mingw32-nm found: YES +Program scripts/undefsym.sh found: YES +Program scripts/feature_to_c.sh found: YES +Program wixl found: NO +Program bzip2 found: YES +Configuring 50-edk2-i386-secure.json using configuration +Configuring 50-edk2-x86_64-secure.json using configuration +Configuring 60-edk2-aarch64.json using configuration +Configuring 60-edk2-arm.json using configuration +Configuring 60-edk2-i386.json using configuration +Configuring 60-edk2-x86_64.json using configuration +Program diff found: YES +Build targets in project: 331 + +qemu 5.1.50 + + Install prefix: c:/Program Files/QEMU + BIOS 
directory: c:/Program Files/QEMU + firmware path: ${prefix}/share/qemu-firmware + binary directory: c:/Program Files/QEMU + library directory: c:/Program Files/QEMU/lib + module directory: c:/Program Files/QEMU/lib + libexec directory: c:/Program Files/QEMU/libexec + include directory: c:/Program Files/QEMU/include + config directory: c:/Program Files/QEMU + local state directory: queried at runtime + Build directory: E:/CI-Cor-Ready/xemu/qemu.org-x64 + Source path: E:/CI-Cor-Ready/xemu/qemu.org + GIT binary: git + GIT submodules: ui/keycodemapdb tests/fp/berkeley-testfloat-3 tests/fp/berkeley-softfloat-3 meson dtc capstone slirp + C compiler: x86_64-w64-mingw32-gcc + Host C compiler: cc + C++ compiler: x86_64-w64-mingw32-g++ + ARFLAGS: rv + CFLAGS: -O2 -g -fPIE -DPIE -mthreads -std=gnu99 -Wall + QEMU_CFLAGS: -IC:/CI-Tools/msys64/mingw64/include/pixman-1 -I/e/CI-Cor-Ready/xemu/qemu.org/dtc/libfdt -Werror -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -IC:/CI-Tools/msys64/mingw64/include -pthread -mms-bitfields -IC:/CI-Tools/msys64/mingw64/include -IC:/CI-Tools/msys64/mingw64/include/glib-2.0 -IC:/CI-Tools/msys64/mingw64/lib/glib-2.0/include -IC:/CI-Tools/msys64/mingw64/include -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -fstack-protector-strong -IC:/CI-Tools/msys64/mingw64/include -IC:/CI-Tools/msys64/mingw64/include/p11-kit-1 -IC:/CI-Tools/msys64/mingw64/include -I/e/CI-Cor-Ready/xemu/qemu.org/capstone/include + QEMU_LDFLAGS: -L/e/CI-Cor-Ready/xemu/qemu.org-x64/dtc/libfdt -m64 -fstack-protector-strong + make: make + install: install + python: 
C:/CI-Tools/msys64/mingw64/bin/python3.exe (version: 3.8) + sphinx-build: + genisoimage: + slirp support: YES + smbd: "/usr/sbin/smbd" + module support: NO + host CPU: x86 + host endianness: little + target list: aarch64-softmmu alpha-softmmu arm-softmmu avr-softmmu cris-softmmu hppa-softmmu i386-softmmu lm32-softmmu m68k-softmmu microblazeel-softmmu microblaze-softmmu mips64el-softmmu mips64-softmmu mipsel-softmmu mips-softmmu moxie-softmmu nios2-softmmu or1k-softmmu ppc64-softmmu ppc-softmmu riscv32-softmmu riscv64-softmmu rx-softmmu s390x-softmmu sh4eb-softmmu sh4-softmmu sparc64-softmmu sparc-softmmu tricore-softmmu unicore32-softmmu x86_64-softmmu xtensaeb-softmmu xtensa-softmmu + gprof enabled: NO + sparse enabled: NO + strip binaries: YES + profiler: NO + static build: YES + SDL support: YES + SDL image support: NO + GTK support: YES + GTK GL support: NO + VTE support: NO + TLS priority: "NORMAL" + GNUTLS support: YES + libgcrypt: NO + nettle: YES + XTS: YES + libtasn1: YES + PAM: NO + iconv support: YES + curses support: NO + virgl support: NO + curl support: YES + mingw32 support: YES + Audio drivers: dsound + Block whitelist (rw): + Block whitelist (ro): + VirtFS support: NO + Multipath support: NO + VNC support: YES + VNC SASL support: YES + VNC JPEG support: YES + VNC PNG support: YES + xen support: NO + brlapi support: NO + Documentation: NO + PIE: YES + vde support: NO + netmap support: NO + Linux AIO support: NO + Linux io_uring support: NO + ATTR/XATTR support: NO + Install blobs: YES + malloc trim support: NO + RDMA support: NO + PVRDMA support: NO + fdt support: YES + membarrier: YES + preadv support: NO + fdatasync: NO + madvise: NO + posix_madvise: NO + posix_memalign: NO + libcap-ng support: NO + vhost-net support: NO + vhost-crypto support: NO + vhost-scsi support: NO + vhost-vsock support: NO + vhost-user support: NO + vhost-user-fs support: NO + vhost-vdpa support: NO + Trace backends: log + spice support: NO + rbd support: NO + xfsctl 
support: NO + smartcard support: NO + libusb: YES + usb net redir: YES + OpenGL support: NO + OpenGL dmabufs: NO + libiscsi support: NO + libnfs support: NO + build guest agent: YES + QGA VSS support: NO + QGA w32 disk info: YES + QGA MSI support: NO + seccomp support: NO + coroutine backend: win32 + coroutine pool: YES + debug stack usage: NO + mutex debugging: NO + crypto afalg: NO + GlusterFS support: NO + gcov: NO + TPM support: NO + libssh support: YES + QOM debugging: YES + Live block migration: YES + lzo support: YES + snappy support: YES + bzip2 support: YES + lzfse support: NO + zstd support: YES + NUMA host support: NO + libxml2: YES + tcmalloc support: NO + jemalloc support: NO + avx2 optimization: YES + avx512f optimization: NO + replication support: YES + bochs support: YES + cloop support: YES + dmg support: YES + qcow v1 support: YES + vdi support: YES + vvfat support: YES + qed support: YES + parallels support: YES + sheepdog support: YES + capstone: YES + libpmem support: NO + libdaxctl support: NO + libudev: NO + default devices: YES + plugin support: NO + fuzzing support: NO + gdb: /mingw64/bin/gdb + thread sanitizer: NO + rng-none: NO + Linux keyring: NO + +Traceback (most recent call last): + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/mesonmain.py", line 131, in run + return options.run_func(options) + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/msetup.py", line 245, in run + app.generate() + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/msetup.py", line 159, in generate + self._generate(env) + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/msetup.py", line 215, in _generate + intr.backend.generate() + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/backend/ninjabackend.py", line 483, in generate + ninja = environment.detect_ninja_command_and_version(log=True) + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/environment.py", line 167, in detect_ninja_command_and_version + p, found = Popen_safe([n, 
'--version'])[0:2] + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/mesonlib.py", line 1197, in Popen_safe + p, o, e = Popen_safe_legacy(args, write=write, stdout=stdout, stderr=stderr, **kwargs) + File "E:/CI-Cor-Ready/xemu/qemu.org/meson/mesonbuild/mesonlib.py", line 1213, in Popen_safe_legacy + p = subprocess.Popen(args, universal_newlines=False, close_fds=False, + File "C:/CI-Tools/msys64/mingw64/lib/python3.8/subprocess.py", line 854, in __init__ + self._execute_child(args, executable, preexec_fn, close_fds, + File "C:/CI-Tools/msys64/mingw64/lib/python3.8/subprocess.py", line 1307, in _execute_child + hp, ht, pid, tid = _winapi.CreateProcess(executable, args, +OSError: [WinError 193] %1 不是有效的 Win32 应用程序。 + +ERROR: meson setup failed +``` + +As far as I know, MSYS2 was finally working again after the change to the meson build system, so this should have been fixed. If there are still problems left, please open a new ticket in the new issue tracker at gitlab: https://gitlab.com/qemu-project/qemu/-/issues + diff --git a/results/classifier/108/other/1892604 b/results/classifier/108/other/1892604 new file mode 100644 index 000000000..658173935 --- /dev/null +++ b/results/classifier/108/other/1892604 
@@ -0,0 +1,137 @@ +graphic: 0.731 +vnc: 0.677 +KVM: 0.654 +other: 0.653 +semantic: 0.619 +permissions: 0.618 +PID: 0.602 +performance: 0.576 +network: 0.547 +socket: 0.538 +device: 0.535 +boot: 0.529 +debug: 0.442 +files: 0.422 + +qemu-system-arm: ../hw/usb/hcd-dwc2.c:666: dwc2_glbreg_read: Assertion `addr <= GINTSTS2' failed. + +When trying to run the 2016-05-27 Raspbian image on the emulated raspi2 platform, the system boots but shortly after the login prompt QEMU (master; commit ID ca489cd037e4d50dc6c40570a167504ad7e5a521) dies with: + +qemu-system-arm: ../hw/usb/hcd-dwc2.c:666: dwc2_glbreg_read: Assertion `addr <= GINTSTS2' failed. + +Steps to reproduce: + +1. Get the image: wget http://downloads.raspberrypi.org/raspbian/images/raspbian-2016-05-31/2016-05-27-raspbian-jessie.zip + +2. Extract the kernel image and DTB: + +sudo losetup -f --show -P 2016-05-27-raspbian-jessie.img +sudo mkdir /mnt/rpi +sudo mount /dev/loop11p1 /mnt/rpi/ +cp /mnt/rpi/kernel7.img . +cp /mnt/rpi/bcm2709-rpi-2-b.dtb . +sudo umount /mnt/rpi +sudo losetup -d /dev/loop11 + +3. Run QEMU: +qemu-system-arm -M raspi2 -m 1G -dtb bcm2709-rpi-2-b.dtb -kernel kernel7.img -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" -sd 2016-05-27-raspbian-jessie.img -smp 4 -serial stdio -display none + +A few seconds after the login prompt is displayed, QEMU will exit with the assertion failure. + +I also tried changing all of the asserts to if statements that (for MMIO reads) returned 0 and (for writes) just returned, but this resulted in a non-responsive system. + +Note for bisection: it looks like it works fine as of tag stable-4.2 . + +What happens if you add "dwc_otg.fiq_fsm_enable=0" to the kernel command +line? This is noted as a requirement in the changelog at +https://wiki.qemu.org/ChangeLog/5.1 + +Yep, it looks like that works! Sorry for the bogus report, I didn't think to check the Changelog. 
+ +It is still a bug in QEMU -- we shouldn't allow guest behaviour to make QEMU assert(). If there's unimplemented functionality in the USB controller model that can be logged with qemu_log_mask(LOG_UNIMP, ...) + + +Hmm, yes agreed. I started a 2-week holiday on Monday, I can work on +this after I get back on Sept. 7 + +for me the output is: +% qemu-system-arm -M raspi2 -m 1G -dtb bcm2709-rpi-2-b.dtb -kernel kernel7.img -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" -sd 2016-05-27-raspbian-jessie.img -smp 4 -serial stdio -display none + +WARNING: Image format was not specified for '2016-05-27-raspbian-jessie.img' and probing guessed raw. + Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted. + Specify the 'raw' format explicitly to remove the restrictions. +qemu-system-arm: Invalid SD card size: 3.74 GiB +SD card size has to be a power of 2, e.g. 4 GiB. +You can resize disk images with 'qemu-img resize <imagefile> <new-size>' +(note that this will lose data if you make the image smaller than it currently is). + + +That part is easily fixed by running + +qemu-img resize 2016-05-27-raspbian-jessie.img 4G + +ah, well then its the same error: +qemu-system-arm: /build/qemu/src/qemu-5.1.0/hw/usb/hcd-dwc2.c:666: dwc2_glbreg_read: Assertion `addr <= GINTSTS2' failed. + + +Are you able to modify the -append string to add "dwc_otg.fiq_fsm_enable=0", and if so does it fix the problem? + +Nope: + +qemu-system-arm -M raspi2 -m 1G -dtb bcm2709-rpi-2-b.dtb -kernel kernel7.img -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2 dwc_otg.fiq_fsm_enable=0" -sd 2016-05-27-raspbian-jessie.img -smp 4 -serial stdio -display none + +raspberrypi login: qemu-system-arm: /build/qemu/src/qemu-5.1.0/hw/usb/hcd-dwc2.c:666: dwc2_glbreg_read: Assertion `addr <= GINTSTS2' failed. 
+[1] 65608 abort (core dumped) qemu-system-arm -M raspi2 -m 1G -dtb bcm2709-rpi-2-b.dtb -kernel kernel7.img + +Hmm, that's odd. I will try to reproduce this. + +Something very strange is going on with the dwc_otg driver in 2016-05-27-raspbian-jessie.img. Something is reading and writing incrementally throughout the register space of the hcd-dwc2 host. +And adding the "dwc_otg.fiq_fsm_enable=0" kernel option does not fix it. + +Brendan, Petunia, is there a reason why you are testing with such an old version of Raspbian? I used 2019-09-26-raspbian-buster.img when developing the hcd-dwc2 emulation, and it works fine, other than needing the "dwc_otg.fiq_fsm_enable=0" kernel option. + +The URL to the image I used is http://downloads.raspberrypi.org/raspbian/images/raspbian-2019-09-30/2019-09-26-raspbian-buster.zip + +For my use case the newer image is fine too. I'm mildly curious what the dwc_otg driver is doing in the older image though. + +I also tried http://downloads.raspberrypi.org/raspbian/images/raspbian-2016-09-28/2016-09-23-raspbian-jessie.zip, which is the next Raspbian release after the cursed one, and it works OK too. So I assume any release after that will also work OK. Just in case anyone wants to use the older releases because they are smaller than the later ones. + +So I dug into this a little more, and it looks like this issue has nothing to do with hcd-dwc2, other than it served as a canary because of the assert that fired. With hcd-dwc2 removed from the build, the 2016-05-27 Raspbian image still doesn't work, it hangs shortly after the login prompt appears on the console, before the GUI starts. + +I tested with Qemu 4.0.0 and 4.2.1 and they are fine. The issue started with Qemu 5.0.0. hcd-dwc2 wasn't introduced until 5.1.0, so it can't be the root cause. + +Since the issue doesn't seem to appear with any Raspbian distro since 2016-05-27, I don't know if anyone will be motivated to look into this any further. Should we just close this bug? 
+ +The QEMU project is currently moving its bug tracking to another system. +For this we need to know which bugs are still valid and which could be +closed already. Thus we are setting the bug state to "Incomplete" now. + +If the bug has already been fixed in the latest upstream version of QEMU, +then please close this ticket as "Fix released". + +If it is not fixed yet and you think that this bug report here is still +valid, then you have two options: + +1) If you already have an account on gitlab.com, please open a new ticket +for this problem in our new tracker here: + + https://gitlab.com/qemu-project/qemu/-/issues + +and then close this ticket here on Launchpad (or let it expire auto- +matically after 60 days). Please mention the URL of this bug ticket on +Launchpad in the new ticket on GitLab. + +2) If you don't have an account on gitlab.com and don't intend to get +one, but still would like to keep this ticket opened, then please switch +the state back to "New" or "Confirmed" within the next 60 days (other- +wise it will get closed as "Expired"). We will then eventually migrate +the ticket automatically to the new system (but you won't be the reporter +of the bug in the new system and thus you won't get notified on changes +anymore). + +Thank you and sorry for the inconvenience. + + +Fixed in commit 69958d8a3d9 +("usb: hcd-dwc2: change assert()s to qemu_log_mask(LOG_GUEST_ERROR...)") + diff --git a/results/classifier/108/other/1892761 b/results/classifier/108/other/1892761 new file mode 100644 index 000000000..dd4d3d0ee --- /dev/null +++ b/results/classifier/108/other/1892761 
@@ -0,0 +1,34 @@ +graphic: 0.903 +device: 0.862 +performance: 0.683 +other: 0.641 +socket: 0.638 +network: 0.597 +vnc: 0.475 +semantic: 0.469 +boot: 0.399 +PID: 0.390 +KVM: 0.368 +debug: 0.355 +files: 0.251 +permissions: 0.112 + +Heap-use-after-free through double-fetch in ehci + +Hello, +I don't have a qtest reproducer for this crash because it involves a DMA double-fetch, and I don't think we can reproduce those with qtest. + +Instead, I attached the pseudo-qtest trace produced by the fuzzer, along with some trace events. +The lines annotated with [DMA] are write commands that were triggered by a callback from a DMA read by the device. The lines annotated with [DOUBLE-FETCH] are DMA accesses that hit the same address more than once (possible double-fetches). + +I am still thinking of nicer ways of presenting this trace and providing a reproducer. +-Alex + + + +Hi Alexander! Have you ever been able to create a reproducer for this problem? + +No. If we figure out some way to consistently reproduce double-fetches in a non-fuzzer build, I'll report the issue again, but this can probably be closed + +Ok, let's close this one since it was not reproducible. If you find a reproducer, please open a new ticket in the gitlab tracker instead. + diff --git a/results/classifier/108/other/1892962 b/results/classifier/108/other/1892962 new file mode 100644 index 000000000..22397215f --- /dev/null +++ b/results/classifier/108/other/1892962 
@@ -0,0 +1,151 @@ +other: 0.917 +permissions: 0.915 +device: 0.892 +vnc: 0.882 +performance: 0.873 +graphic: 0.862 +KVM: 0.859 +socket: 0.854 +files: 0.852 +debug: 0.836 +semantic: 0.831 +PID: 0.823 +boot: 0.796 +network: 0.782 + +Segfault in usb_bus_from_device + +Hello, +Reproducer: + +cat << EOF | ./qemu-system-i386 -machine q35 \ +-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\ +multifunction=on,id=ich9-ehci-1 \ +-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,\ +multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \ +-device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \ +-display none -nodefaults -qtest stdio -accel qtest +outl 0xcf8 0x8000e803 +outl 0xcfc 0xff00ff00 +outl 0xcf8 0x8000e821 +outb 0xcfc 0xff +outl 0xff10 0x8500057e +clock_step +clock_step +outb 0xff00 0x49 +write 0x2 0x1 0x40 +write 0x400006 0x1 0xfb +write 0x400008 0x1 0x2d +write 0x40000a 0x1 0xe0 +write 0x40000c 0x1 0x16 +write 0x40000e 0x1 0xfa +write 0xfa001c 0x1 0x04 +clock_step +write 0x400006 0x1 0xfb +write 0xfa001d 0x1 0xff +clock_step +write 0x8 0x1 0xe0 +write 0xa 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x1600e8 0x1 0xe1 +write 0x1600eb 0x1 0x30 +clock_step +clock_step +write 0x10 0x1 0xe0 +write 0x12 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x6 0x1 0x9c +write 0x8 0x1 0xe1 +write 0xa 0x1 0x40 +write 0xb 0x1 0x30 +clock_step +write 0x14 0x1 0xe0 +write 0x16 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x6 0x1 0x9c +clock_step +write 0x18 0x1 0xe0 +write 0x1a 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x6 0x1 0x9c +clock_step +write 0x1c 0x1 0xe0 +write 0x1e 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x6 0x1 0x9c +clock_step +write 0x20 0x1 0xe0 +write 0x22 0x1 0x16 +write 0x1600e6 0x1 0x9c +write 0x6 0x1 0x9c +clock_step +EOF + +The trace: + +... 
+[S +0.087589] OK +[R +0.087596] write 0x1600e6 0x1 0x9c +OK +[S +0.087603] OK +[R +0.087655] write 0x6 0x1 0x9c +OK +[S +0.087667] OK +[R +0.087675] clock_step +784168@1598406646.189133:usb_uhci_frame_start nr 8 +784168@1598406646.189141:usb_uhci_td_load qh 0x0, td 0x1600e0, ctrl 0x9c0180, token 0x300000e1 +784168@1598406646.189147:usb_uhci_packet_add token 0x0, td 0x1600e0 +784168@1598406646.189151:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state undef -> setup +784168@1598406646.189161:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state setup -> complete +784168@1598406646.189165:usb_uhci_packet_complete_success token 0x0, td 0x1600e0 +784168@1598406646.189168:usb_uhci_packet_del token 0x0, td 0x1600e0 +784168@1598406646.189174:usb_uhci_td_complete qh 0x0, td 0x1600e0 +784168@1598406646.189179:usb_uhci_td_load qh 0x0, td 0x0, ctrl 0x9c0182, token 0x304000e1 +784168@1598406646.189183:usb_uhci_packet_add token 0x0, td 0x0 +784168@1598406646.189187:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043d40, state undef -> setup +/home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'USBDevice' (aka 'struct USBDevice') +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in +/home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'DeviceState' (aka 'struct DeviceState') +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in +AddressSanitizer:DEADLYSIGNAL +================================================================= +==784168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x5599c43df445 bp 0x7ffec2833e50 sp 0x7ffec2833dc0 T0) +==784168==The signal is caused by a READ memory access. 
+==784168==Hint: address points to the zero page. + #0 0x5599c43df445 in usb_bus_from_device /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 + #1 0x5599c43ea95c in usb_packet_set_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:549:23 + #2 0x5599c43e8abd in usb_handle_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:438:17 + #3 0x5599c4b02497 in uhci_handle_td /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:892:9 + #4 0x5599c4afbd26 in uhci_process_frame /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1075:15 + #5 0x5599c4aed2e3 in uhci_frame_timer /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1174:9 + #6 0x5599c7620917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9 + #7 0x5599c7620e51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12 + #8 0x5599c5f35a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9 + #9 0x5599c61225d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9 + #10 0x5599c611063e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9 + #11 0x5599c610f3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5 + #12 0x5599c7215762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9 + #13 0x5599c72158aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9 + #14 0x5599c723b514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9 + #15 0x5599c7127736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12 + #16 0x7f62623914cd in g_main_context_dispatch 
(/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd) + #17 0x5599c76b2c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9 + #18 0x5599c76b0567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5 + #19 0x5599c76aff47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11 + #20 0x5599c5e8e08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9 + #21 0x5599c382051c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5 + #22 0x7f6261b9acc9 in __libc_start_main csu/../csu/libc-start.c:308:16 + #23 0x5599c3775cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in usb_bus_from_device +==784168==ABORTING + +-Alex + +This does not crash for me anymore, so I guess it has been fixed already. Could you still reproduce the crash with the latest version of QEMU? + +OSS-Fuzz never came across this one. Probably fixed + +Ok, let's assume it's fixed - so I'm closing this now. + diff --git a/results/classifier/108/other/1892963 b/results/classifier/108/other/1892963 new file mode 100644 index 000000000..d939c11c5 --- /dev/null +++ b/results/classifier/108/other/1892963 
@@ -0,0 +1,341 @@ +KVM: 0.838 +other: 0.826 +graphic: 0.770 +vnc: 0.722 +device: 0.718 +performance: 0.712 +permissions: 0.679 +semantic: 0.638 +debug: 0.626 +network: 0.615 +boot: 0.607 +socket: 0.595 +files: 0.595 +PID: 0.582 + +Heap-use-after-free in put_dwords through ehci_flush_qh + +Hello, +Reproducer: + +cat << EOF | ./qemu-system-i386 -machine q35 \ +-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\ +multifunction=on,id=ich9-ehci-1 \ +-drive if=none,id=usbcdrom,media=cdrom \ +-device usb-storage,bus=ich9-ehci-1.0,\ +port=2,drive=usbcdrom \ +-display none -nodefaults -qtest stdio -accel qtest +outl 0xcf8 0x8000ef02 +outl 0xcfc 0xfbff0061 +outl 0xcf8 0x8000ef11 +outl 0xcfc 0x60606060 +writeq 0x60606065 0xb70560ff84ffff7f +writeq 0x60606065 0xff0004fe050000ff +writeq 0x60606020 0xff015e5c057b0039 +writeq 0x60606033 0x846c8a0200000611 +write 0x2000004 0x4 0x4a606060 +write 0x8 0x4 0x97a98095 +write 0x0 0x4 0x4a606060 +write 0x4 0x4 0x97a98095 +write 0xc 0x4 0x4a606060 +write 0x10 0x4 0x97a98095 +write 0x14 0x4 0x4a606060 +write 0x18 0x4 0x97a98095 +write 0x1c 0x4 0x4a606060 +clock_step +EOF + +The trace: +797726@1598407357.169284:usb_port_claim bus 0, port 2 +797726@1598407357.169585:usb_port_attach bus 0, port 2, devspeed full+high+super, portspeed high +797726@1598407357.169598:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD +797726@1598407357.169608:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0 +797726@1598407357.186943:usb_ehci_reset === RESET === +797726@1598407357.186960:usb_ehci_port_detach detach port #1, owner ehci +797726@1598407357.186968:usb_ehci_irq level 0, frindex 0x0000, sts 0x4, mask 0x0 +797726@1598407357.186976:usb_ehci_irq level 0, frindex 0x0000, sts 0x1000, mask 0x0 +797726@1598407357.186984:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD +797726@1598407357.186989:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0 +[R +0.073737] outl 0xcf8 0x8000ef02 +OK +[S +0.073774] OK +[R 
+0.073801] outl 0xcfc 0xfbff0061 +OK +[S +0.075074] OK +[R +0.075108] outl 0xcf8 0x8000ef11 +OK +[S +0.075126] OK +[R +0.075135] outl 0xcfc 0x60606060 +OK +[S +0.076290] OK +[R +0.076317] writeq 0x60606065 0xb70560ff84ffff7f +797726@1598407357.194959:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x560ff84 +797726@1598407357.194967:usb_ehci_port_reset reset port #1 - 1 +797726@1598407357.194971:usb_ehci_port_suspend port #1 +797726@1598407357.194975:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x601183 (old: 0x1003) +OK +[S +0.076363] OK +[R +0.076377] writeq 0x60606065 0xff0004fe050000ff +797726@1598407357.195005:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x4fe05 +797726@1598407357.195011:usb_ehci_port_reset reset port #1 - 0 +797726@1598407357.195019:usb_ehci_port_detach detach port #1, owner ehci +797726@1598407357.195026:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0 +797726@1598407357.195034:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD +797726@1598407357.195038:usb_ehci_irq level 0, frindex 0x0000, sts 0x1004, mask 0x0 +797726@1598407357.195049:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1005 (old: 0x601183) +OK +[S +0.076439] OK +[R +0.076457] writeq 0x60606020 0xff015e5c057b0039 +797726@1598407357.195087:usb_ehci_opreg_write wr mmio 0x0020 [USBCMD] = 0x57b0039 +attempt to set frame list size -- value 8 +797726@1598407357.195097:usb_ehci_usbsts usbsts HALT 0 +797726@1598407357.195105:usb_ehci_opreg_change ch mmio 0x0020 [USBCMD] = 0x57b0031 (old: 0x80000) +797726@1598407357.195111:usb_ehci_opreg_write wr mmio 0x0024 [USBSTS] = 0xff015e5c +797726@1598407357.195117:usb_ehci_usbsts usbsts PCD 0 +797726@1598407357.195120:usb_ehci_usbsts usbsts FLR 0 +797726@1598407357.195124:usb_ehci_usbsts usbsts HSE 0 +797726@1598407357.195127:usb_ehci_irq level 0, frindex 0x0000, sts 0x0, mask 0x0 +797726@1598407357.195132:usb_ehci_opreg_change ch mmio 0x0024 [USBSTS] = 0x0 (old: 0x4) +OK +[S +0.076519] OK +[R +0.076534] 
writeq 0x60606033 0x846c8a0200000611 +797726@1598407357.195164:usb_ehci_opreg_write wr mmio 0x0034 [P-LIST BASE] = 0x2000006 +ehci: PERIODIC list base register set while periodic schedule + is enabled and HC is enabled +797726@1598407357.195174:usb_ehci_opreg_change ch mmio 0x0034 [P-LIST BASE] = 0x2000006 (old: 0x0) +OK +[S +0.076562] OK +[R +0.076574] write 0x2000004 0x4 0x4a606060 +OK +[S +0.076855] OK +[R +0.076869] write 0x8 0x4 0x97a98095 +OK +[S +0.077214] OK +[R +0.077225] write 0x0 0x4 0x4a606060 +OK +[S +0.077233] OK +[R +0.077242] write 0x4 0x4 0x97a98095 +OK +[S +0.077250] OK +[R +0.077258] write 0xc 0x4 0x4a606060 +OK +[S +0.077266] OK +[R +0.077274] write 0x10 0x4 0x97a98095 +OK +[S +0.077281] OK +[R +0.077289] write 0x14 0x4 0x4a606060 +OK +[S +0.077295] OK +[R +0.077304] write 0x18 0x4 0x97a98095 +OK +[S +0.077310] OK +[R +0.077325] write 0x1c 0x4 0x4a606060 +OK +[S +0.077333] OK +[R +0.077340] clock_step +OK 27462700 +[S +0.077415] OK 27462700 +797726@1598407357.196115:usb_ehci_state periodic schedule ACTIVE +797726@1598407357.196123:usb_ehci_usbsts usbsts PSS 1 +797726@1598407357.196137:usb_ehci_state periodic schedule FETCH ENTRY +797726@1598407357.196145:usb_ehci_state periodic schedule FETCH QH +797726@1598407357.196154:usb_ehci_queue_action q 0x60d0000050b0: alloc +797726@1598407357.196168:usb_ehci_opreg_read rd mmio 0x0040 [unknown] = 0x0 +797726@1598407357.196176:usb_ehci_opreg_read rd mmio 0x0044 [unknown] = 0x0 +797726@1598407357.196182:usb_ehci_opreg_read rd mmio 0x0048 [unknown] = 0x0 +797726@1598407357.196188:usb_ehci_opreg_read rd mmio 0x004c [unknown] = 0x0 +797726@1598407357.196195:usb_ehci_opreg_read rd mmio 0x0050 [unknown] = 0x0 +797726@1598407357.196201:usb_ehci_opreg_read rd mmio 0x0054 [unknown] = 0x0 +797726@1598407357.196206:usb_ehci_opreg_read rd mmio 0x0058 [unknown] = 0x0 +797726@1598407357.196211:usb_ehci_opreg_read rd mmio 0x005c [unknown] = 0x0 +797726@1598407357.196217:usb_ehci_opreg_read rd mmio 0x0060 [CONFIGFLAG] = 
0x0 +797726@1598407357.196224:usb_ehci_portsc_read rd mmio 0x0044 [port 0] = 0x1000 +797726@1598407357.196230:usb_ehci_portsc_read rd mmio 0x0048 [port 1] = 0x1005 +797726@1598407357.196237:usb_ehci_portsc_read rd mmio 0x004c [port 2] = 0x1000 +797726@1598407357.196243:usb_ehci_qh_ptrs q 0x60d0000050b0 - QH @ 0x60606040: next 0x00000000 qtds 0x00000000,0x00000000,0x00000000 +797726@1598407357.196249:usb_ehci_qh_fields QH @ 0x60606040 - rl 0, mplen 0, eps 0, ep 0, dev 0 +797726@1598407357.196255:usb_ehci_qh_bits QH @ 0x60606040 - c 0, h 0, dtc 0, i 0 +797726@1598407357.196262:usb_ehci_queue_action q 0x60d0000050b0: reset +797726@1598407357.196275:usb_ehci_state periodic schedule ADVANCEQUEUE +797726@1598407357.196281:usb_ehci_state periodic schedule FETCH QTD +797726@1598407357.196300:usb_ehci_qtd_ptrs q 0x60d0000050b0 - QTD @ 0x00000000: next 0x6060604a altnext 0x9580a997 +797726@1598407357.196306:usb_ehci_qtd_fields QTD @ 0x00000000 - tbytes 5504, cpage 2, cerr 2, pid 1 +797726@1598407357.196311:usb_ehci_qtd_bits QTD @ 0x00000000 - ioc 1, active 1, halt 0, babble 1, xacterr 0 +797726@1598407357.196323:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: alloc +797726@1598407357.196327:usb_ehci_state periodic schedule EXECUTE +797726@1598407357.196346:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0x0 +797726@1598407357.196351:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0x0 (old: 0x0) +797726@1598407357.196359:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0x6060604a +797726@1598407357.196363:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0x6060604a (old: 0x0) +797726@1598407357.196370:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0x9580a981 +797726@1598407357.196374:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0x9580a981 (old: 0x0) +797726@1598407357.196380:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0x1580a997 +797726@1598407357.196385:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0x1580a997 (old: 0x0) 
+797726@1598407357.196392:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0x6060604a +797726@1598407357.196396:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0x6060604a (old: 0x0) +797726@1598407357.196403:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0x9580a900 +797726@1598407357.196407:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0) +797726@1598407357.196415:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0x60606040 +797726@1598407357.196422:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x601040 (old: 0x1000) +797726@1598407357.196428:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0x9580a997 +797726@1598407357.196432:usb_ehci_port_reset reset port #1 - 1 +797726@1598407357.196437:usb_ehci_port_suspend port #1 +797726@1598407357.196441:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x1185 (old: 0x1005) +797726@1598407357.196448:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0x6060604a +797726@1598407357.196453:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x601040 (old: 0x1000) +797726@1598407357.196474:usb_packet_state_change bus 0, port 2, ep 0, packet 0x6110000443c0, state undef -> setup +797726@1598407357.196505:usb_ehci_opreg_write wr mmio 0x004c [unknown] = 0xbebebebe +797726@1598407357.196509:usb_ehci_opreg_change ch mmio 0x004c [unknown] = 0xbebebebe (old: 0x0) +797726@1598407357.196516:usb_ehci_opreg_write wr mmio 0x0050 [unknown] = 0xbebebebe +797726@1598407357.196520:usb_ehci_opreg_change ch mmio 0x0050 [unknown] = 0xbebebebe (old: 0x6060604a) +797726@1598407357.196527:usb_ehci_opreg_write wr mmio 0x0054 [unknown] = 0xbebebebe +797726@1598407357.196530:usb_ehci_opreg_change ch mmio 0x0054 [unknown] = 0xbebebebe (old: 0x9580a981) +797726@1598407357.196540:usb_ehci_opreg_write wr mmio 0x0058 [unknown] = 0xbebebebe +797726@1598407357.196544:usb_ehci_opreg_change ch mmio 0x0058 [unknown] = 0xbebebebe (old: 0x1580a997) +797726@1598407357.196550:usb_ehci_opreg_write wr mmio 0x005c [unknown] = 0xbebebebe 
+797726@1598407357.196554:usb_ehci_opreg_change ch mmio 0x005c [unknown] = 0xbebebebe (old: 0x6060604a) +797726@1598407357.196560:usb_ehci_opreg_write wr mmio 0x0060 [CONFIGFLAG] = 0xbebebebe +797726@1598407357.196563:usb_ehci_opreg_change ch mmio 0x0060 [CONFIGFLAG] = 0x0 (old: 0x0) +797726@1598407357.196569:usb_ehci_portsc_write wr mmio 0x0044 [port 0] = 0xbebebebe +797726@1598407357.196573:usb_ehci_port_suspend port #0 +797726@1598407357.196577:usb_ehci_port_resume port #0 +797726@1598407357.196580:usb_ehci_portsc_change ch mmio 0x0044 [port 0] = 0x301000 (old: 0x601040) +797726@1598407357.196586:usb_ehci_portsc_write wr mmio 0x0048 [port 1] = 0xbebebebe +797726@1598407357.196590:usb_ehci_port_reset reset port #1 - 0 +797726@1598407357.196596:usb_ehci_port_detach detach port #1, owner ehci +797726@1598407357.196602:usb_ehci_queue_action q 0x60d0000050b0: free +797726@1598407357.196606:usb_ehci_queue_action q 0x60d0000050b0: cancel +797726@1598407357.196610:usb_ehci_packet_action q 0x60d0000050b0 p 0x611000044380: free +797726@1598407357.196626:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0 +797726@1598407357.196636:usb_ehci_port_attach attach port #1, owner ehci, device QEMU USB MSD +797726@1598407357.196642:usb_ehci_irq level 0, frindex 0x0008, sts 0x4004, mask 0x0 +797726@1598407357.196655:usb_ehci_port_suspend port #1 +797726@1598407357.196659:usb_ehci_portsc_change ch mmio 0x0048 [port 1] = 0x301085 (old: 0x1185) +797726@1598407357.196669:usb_ehci_portsc_write wr mmio 0x004c [port 2] = 0xbebebebe +797726@1598407357.196674:usb_ehci_port_suspend port #2 +797726@1598407357.196679:usb_ehci_port_resume port #2 +797726@1598407357.196684:usb_ehci_portsc_change ch mmio 0x004c [port 2] = 0x301000 (old: 0x601040) +797726@1598407357.196694:usb_ehci_portsc_write wr mmio 0x0050 [port 3] = 0xbebebebe +797726@1598407357.196699:usb_ehci_port_suspend port #3 +797726@1598407357.196704:usb_ehci_portsc_change ch mmio 0x0050 [port 3] = 0x301080 (old: 0x1000) 
+797726@1598407357.196712:usb_ehci_portsc_write wr mmio 0x0054 [port 4] = 0xbebebebe +797726@1598407357.196716:usb_ehci_port_suspend port #4 +797726@1598407357.196718:usb_ehci_portsc_change ch mmio 0x0054 [port 4] = 0x301080 (old: 0x1000) +797726@1598407357.196724:usb_ehci_portsc_write wr mmio 0x0058 [port 5] = 0xbebebebe +797726@1598407357.196729:usb_ehci_port_suspend port #5 +797726@1598407357.196733:usb_ehci_portsc_change ch mmio 0x0058 [port 5] = 0x301080 (old: 0x1000) +================================================================= +==797726==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000443e8 at pc 0x5574af0ef59d bp 0x7fff5b343a00 sp 0x7fff5b3439f8 +READ of size 4 at 0x6110000443e8 thread T0 + #0 0x5574af0ef59c in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 + #1 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5 + #2 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9 + #3 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13 + #4 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21 + #5 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9 + #6 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17 + #7 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5 + #8 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13 + #9 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5 + #10 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5 + #11 
0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc) + #12 0x5574b2339c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9 + #13 0x5574b2337567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5 + #14 0x5574b2336f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11 + #15 0x5574b0b1508d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9 + #16 0x5574ae4a751c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5 + #17 0x7f44ce1e5cc9 in __libc_start_main csu/../csu/libc-start.c:308:16 + #18 0x5574ae3fccf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9) + +0x6110000443e8 is located 104 bytes inside of 248-byte region [0x611000044380,0x611000044478) +freed by thread T0 here: + #0 0x5574ae4751bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd) + #1 0x5574ae5e71a1 in ehci_free_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:541:5 + #2 0x5574ae5e3662 in ehci_cancel_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:584:9 + #3 0x5574ae5e174c in ehci_free_queue /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:611:17 + #4 0x5574ae608300 in ehci_queues_rip_device /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:674:9 + #5 0x5574ae6034ba in ehci_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:732:5 + #6 0x5574af06427f in usb_detach /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:70:5 + #7 0x5574af064607 in usb_port_reset /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:79:5 + #8 0x5574ae63af7a in ehci_port_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:993:13 + #9 
0x5574b0e31de0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #10 0x5574b0e312bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #11 0x5574b0e2ef70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #12 0x5574b0a8d8a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #13 0x5574b0a76878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #14 0x5574b0a763a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #15 0x5574b0a7dff7 in address_space_unmap /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3634:9 + #16 0x5574af0f0262 in dma_memory_unmap /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:145:5 + #17 0x5574af0f0143 in usb_packet_unmap /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:65:9 + #18 0x5574af0ee924 in usb_packet_map /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:54:5 + #19 0x5574ae630c2f in ehci_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1376:9 + #20 0x5574ae619cfe in ehci_state_execute /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1942:13 + #21 0x5574ae60e8d9 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2083:21 + #22 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9 + #23 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17 + #24 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5 + #25 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13 + #26 0x5574b211a84b in 
aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5 + #27 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5 + #28 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc) + +previously allocated by thread T0 here: + #0 0x5574ae4755b2 in calloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d295b2) + #1 0x7f44ce9e2210 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56210) + #2 0x5574ae6175be in ehci_state_fetchqtd /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:1844:13 + #3 0x5574ae60e7f1 in ehci_advance_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2073:21 + #4 0x5574ae60c753 in ehci_advance_periodic_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2213:9 + #5 0x5574ae5d9df3 in ehci_work_bh /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-ehci.c:2299:17 + #6 0x5574b21013c2 in aio_bh_call /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:136:5 + #7 0x5574b2102dc2 in aio_bh_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:164:13 + #8 0x5574b211a84b in aio_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/aio-posix.c:380:5 + #9 0x5574b210c29e in aio_ctx_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../util/async.c:306:5 + #10 0x7f44ce9dc5fc in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505fc) + +SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/libhw.c:64:28 in usb_packet_unmap +Shadow bytes around the buggy address: + 0x0c2280000820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2280000830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c2280000840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd + 0x0c2280000850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
fd fd + 0x0c2280000860: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa +=>0x0c2280000870: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd + 0x0c2280000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa + 0x0c2280000890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c22800008a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c22800008b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c22800008c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +==797726==ABORTING + +-Alex + +I can still reproduce this issue when compiling the current version of QEMU with Clang + asan. Marking as "Confirmed". + +I moved this report over to QEMU's new bug tracker on gitlab.com. +Please continue with the discussion here: + +https://gitlab.com/qemu-project/qemu/-/issues/541 + +Thanks for moving it over! ... let's close this one here on Launchpad now. + + diff --git a/results/classifier/108/other/1892966 b/results/classifier/108/other/1892966 new file mode 100644 index 000000000..04626832e --- /dev/null +++ b/results/classifier/108/other/1892966 
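Review bot: the EHCI use-after-free record (the first hunk above) stores the entire Launchpad thread as classifier input, including the ASan shadow-byte dump and its legend, the migration notice pointing at https://gitlab.com/qemu-project/qemu/-/issues/541 and the two closing comments; the shadow-byte table and legend carry no information about the bug and only dilute the text, so strip them (keep the stack frames and the SUMMARY line) before scoring, and record the GitLab issue link as metadata rather than leaving it in the body. The content that actually characterises this report is in the two stacks: the packet is freed by ehci_free_packet under ehci_port_write, and that write is reached from usb_packet_unmap through dma_memory_unmap -> address_space_unmap -> address_space_write -> memory_region_dispatch_write, i.e. the guest pointed the qTD buffer at the controller's own MMIO window (the trace shows the resulting opreg and portsc writes with the 0x6060604a/0x9580a997 buffer contents), the write-back re-entered the device, a port reset detached the device and freed the queue, and usb_packet_unmap at libhw.c:64 then continued reading the freed packet.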
@@ -0,0 +1,204 @@ +KVM: 0.740 +vnc: 0.702 +graphic: 0.693 +other: 0.654 +permissions: 0.627 +debug: 0.620 +performance: 0.619 +device: 0.594 +semantic: 0.576 +files: 0.546 +PID: 0.523 +boot: 0.521 +network: 0.519 +socket: 0.479 + +Null-pointer dereference in blk_bs through ide_cancel_dma_sync + +Hello, +Reproducer: +cat << EOF | ./qemu-system-i386 -M pc \ +-drive file=null-co://,if=none,format=raw,id=disk0 \ +-device ide-hd,drive=disk0,bus=ide.1,unit=1 \ +-display none -nodefaults -display none -qtest stdio -accel qtest +outw 0x176 0x35b3 +outb 0x376 0x5f +outb 0x376 0x40 +outl 0xcf8 0x80000904 +outl 0xcfc 0x5c0525b7 +outb 0x176 0x0 +outl 0xcf8 0x8000091e +outl 0xcfc 0xd7580584 +write 0x187 0x1 0x34 +write 0x277 0x1 0x34 +write 0x44f 0x1 0x5c +write 0x53f 0x1 0x5c +write 0x717 0x1 0x34 +write 0x807 0x1 0x34 +write 0x9df 0x1 0x5c +write 0xbb7 0x1 0x34 +write 0xca7 0x1 0x34 +write 0xe7f 0x1 0x5c +write 0xf6f 0x1 0x5c +outb 0xd758 0x5f +outb 0xd758 0x40 +EOF + + +Trace: +[S +0.083320] OK +[R +0.083328] outb 0xd758 0x5f +OK +[S +0.084167] OK +[R +0.084183] outb 0xd758 0x40 +../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend') +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in +AddressSanitizer:DEADLYSIGNAL +================================================================= +==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0) +==843136==The signal is caused by a READ memory access. +==843136==Hint: address points to the zero page. 
+ #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 + #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28 + #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9 + #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13 + #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9 + #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5 + #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13 + #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9 + #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5 + #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9 + #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9 + #17 0x5593527ee514 in fd_chr_read 
/home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9 + #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12 + #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd) + #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9 + #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5 + #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11 + #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9 + #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5 + #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16 + #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9) + +AddressSanitizer can not provide additional info. +SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs +==843136==ABORTING + +-Alex + +This problem does not trigger anymore for me with the current version of QEMU. Could you please check whether you can still reproduce it somehow with the latest version? + +Probably fixed.. Appears there was some attempt, but I'm not sure if it +ever got merged: +https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html + +OSS-Fuzz never saw it, so it was probably fixed sometime before November. +-Alex + +On 210527 1434, Thomas Huth wrote: +> This problem does not trigger anymore for me with the current version of +> QEMU. Could you please check whether you can still reproduce it somehow +> with the latest version? 
+> +> ** Changed in: qemu +> Status: New => Incomplete +> +> -- +> You received this bug notification because you are subscribed to the bug +> report. +> https://bugs.launchpad.net/bugs/1892966 +> +> Title: +> Null-pointer dereference in blk_bs through ide_cancel_dma_sync +> +> Status in QEMU: +> Incomplete +> +> Bug description: +> Hello, +> Reproducer: +> cat << EOF | ./qemu-system-i386 -M pc \ +> -drive file=null-co://,if=none,format=raw,id=disk0 \ +> -device ide-hd,drive=disk0,bus=ide.1,unit=1 \ +> -display none -nodefaults -display none -qtest stdio -accel qtest +> outw 0x176 0x35b3 +> outb 0x376 0x5f +> outb 0x376 0x40 +> outl 0xcf8 0x80000904 +> outl 0xcfc 0x5c0525b7 +> outb 0x176 0x0 +> outl 0xcf8 0x8000091e +> outl 0xcfc 0xd7580584 +> write 0x187 0x1 0x34 +> write 0x277 0x1 0x34 +> write 0x44f 0x1 0x5c +> write 0x53f 0x1 0x5c +> write 0x717 0x1 0x34 +> write 0x807 0x1 0x34 +> write 0x9df 0x1 0x5c +> write 0xbb7 0x1 0x34 +> write 0xca7 0x1 0x34 +> write 0xe7f 0x1 0x5c +> write 0xf6f 0x1 0x5c +> outb 0xd758 0x5f +> outb 0xd758 0x40 +> EOF +> +> +> Trace: +> [S +0.083320] OK +> [R +0.083328] outb 0xd758 0x5f +> OK +> [S +0.084167] OK +> [R +0.084183] outb 0xd758 0x40 +> ../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend') +> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in +> AddressSanitizer:DEADLYSIGNAL +> ================================================================= +> ==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0) +> ==843136==The signal is caused by a READ memory access. +> ==843136==Hint: address points to the zero page. 
+> #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 +> #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28 +> #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9 +> #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13 +> #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9 +> #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5 +> #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13 +> #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9 +> #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5 +> #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9 +> #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9 +> #17 0x5593527ee514 
in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9 +> #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12 +> #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd) +> #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9 +> #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5 +> #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11 +> #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9 +> #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5 +> #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16 +> #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9) +> +> AddressSanitizer can not provide additional info. +> SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs +> ==843136==ABORTING +> +> -Alex +> +> To manage notifications about this bug go to: +> https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions + + diff --git a/results/classifier/108/other/1892978 b/results/classifier/108/other/1892978 new file mode 100644 index 000000000..4b1429e69 --- /dev/null +++ b/results/classifier/108/other/1892978 
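Review bot: the 1892966 record is placed under other/ although its own score header ranks other fourth (KVM: 0.740, vnc: 0.702, graphic: 0.693, other: 0.654), so either placement is not by highest score or the rule is undocumented; state the rule in the file or in a README next to these results. The top label is also wrong on the merits: the reproducer runs with `-accel qtest`, and the crash is a null BlockBackend dereference in blk_bs reached from ide_cancel_dma_sync via bmdma_cmd_writeb and bmdma_write, so KVM is not involved at all and device or files would be the defensible categories. Separately, the file stores the same report twice, once as the description and again inside the quoted reply (`> Reproducer:` through `> ==843136==ABORTING`), which double-weights that text for any term-frequency scoring; dedupe quoted replies before classification.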
@@ -0,0 +1,823 @@ +other: 0.922 +graphic: 0.866 +performance: 0.822 +semantic: 0.821 +KVM: 0.816 +vnc: 0.806 +debug: 0.803 +device: 0.783 +files: 0.767 +permissions: 0.767 +PID: 0.761 +socket: 0.748 +boot: 0.748 +network: 0.745 + +Heap-use-after-free in e1000e_write_packet_to_guest + +Hello, +Reproducer: +cat << EOF | ./qemu-system-i386 \ +-display none -m 64 -netdev user,id=qtest-bn0 \ +-device e1000e,netdev=qtest-bn0 -display none \ +-nodefaults -accel qtest -qtest stdio +outl 0xcf8 0x80001004 +outl 0xcfc 0x3b2e84ce +outl 0xcf8 0x80001013 +outw 0xcfc 0x2499 +writew 0x990000ff 0x5ea2 +writeq 0x99000429 0x133a940000188101 +outl 0xcfc 0x9b890e04 +writeq 0x4000119 0x5000055ec751c0d +write 0x10707 0x1 0x07 +write 0x51 0x1 0x04 +write 0x53 0x1 0x04 +write 0x140 0x1 0x07 +write 0x141 0x1 0x07 +write 0x142 0x1 0x01 +write 0x148 0x1 0x40 +write 0x14a 0x1 0x7d +write 0x14b 0x1 0xff +writeq 0x4000401 0x413001600027d +EOF + + +The stacktrace: + +[S +0.090759] OK +[R +0.090767] writeq 0x4000401 0x413001600027d +================================================================= +==935641==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900006cc88 at pc 0x555613393d45 bp 0x7fff92f8b7f0 sp 0x7fff92f8b7e8 +READ of size 8 at 0x61900006cc88 thread T0 + #0 0x555613393d44 in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1587:41 + #1 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #2 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #3 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #4 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #5 0x555612813f38 in net_tx_pkt_send_loopback 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #6 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #7 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #8 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #9 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #10 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #11 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #12 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #13 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #14 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #15 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #16 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #17 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #18 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #19 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #20 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #21 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #22 0x5556133b526a in pci_dma_write 
/home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #23 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #24 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #25 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #26 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #27 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #28 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #29 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #30 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #31 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #32 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #33 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #34 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #35 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #36 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #37 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #38 0x555615087f70 in memory_region_dispatch_write 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #39 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #40 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #41 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #42 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #43 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #44 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #45 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #46 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #47 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #48 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #49 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #50 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #51 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #52 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #53 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #54 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #55 0x5556133f5359 in e1000e_process_tx_desc 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #56 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #57 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #58 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #59 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #60 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #61 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #62 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #63 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #64 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #65 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #66 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #67 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #68 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #69 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #70 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #71 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #72 0x555613393bae in 
e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #73 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #74 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #75 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #76 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #77 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #78 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #79 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #80 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #81 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #82 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #83 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #84 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #85 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #86 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #87 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #88 0x555614ccf878 in flatview_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #89 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #90 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #91 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #92 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #93 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #94 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #95 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #96 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #97 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #98 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #99 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #100 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #101 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #102 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #103 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #104 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #105 0x5556133daba8 in 
e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #106 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #107 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #108 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #109 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #110 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #111 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #112 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #113 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #114 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #115 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #116 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #117 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #118 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #119 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #120 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #121 0x55561338e419 in e1000e_receive_iov 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #122 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #123 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #124 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #125 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #126 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #127 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #128 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #129 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #130 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #131 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #132 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #133 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #134 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #135 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #136 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #137 0x555614ccf3a8 in address_space_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #138 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #139 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #140 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #141 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #142 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #143 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #144 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #145 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #146 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #147 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #148 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #149 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #150 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #151 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #152 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #153 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + 
#154 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #155 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #156 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #157 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #158 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #159 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #160 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #161 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #162 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #163 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #164 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #165 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #166 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #167 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #168 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #169 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #170 0x55561319680b in e1000e_nc_receive_iov 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #171 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #172 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #173 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #174 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #175 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #176 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #177 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #178 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #179 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #180 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #181 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #182 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #183 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #184 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #185 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #186 0x555614ccfc40 in address_space_rw 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #187 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #188 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #189 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #190 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #191 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #192 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #193 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #194 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #195 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #196 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #197 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #198 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #199 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #200 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #201 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #202 0x55561339901b in e1000e_core_write 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #203 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #204 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #205 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #206 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #207 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #208 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #209 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #210 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #211 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #212 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #213 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #214 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #215 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #216 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #217 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #218 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #219 
0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #220 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #221 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #222 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #223 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #224 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #225 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #226 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #227 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #228 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #229 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #230 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #231 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #232 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #233 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #234 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #235 0x5556133b76c7 in dma_memory_rw_relaxed 
/home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #236 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #237 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #238 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #239 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #240 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #241 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #242 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #243 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #244 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #245 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #246 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #247 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #248 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #249 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + +0x61900006cc88 is located 8 bytes inside of 1056-byte region [0x61900006cc80,0x61900006d0a0) +freed by thread T0 here: + #0 0x5556126ce1bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd) 
+ #1 0x555613e2af31 in net_rx_pkt_iovec_realloc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:80:9 + #2 0x555613e18eaa in net_rx_pkt_pull_data /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:103:9 + #3 0x555613e1b5cd in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:158:5 + #4 0x55561338da6e in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1695:5 + #5 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #6 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #7 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #8 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #9 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #10 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #11 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #12 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #13 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #14 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #15 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #16 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #17 0x555615087f70 in 
memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #18 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #19 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #20 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #21 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #22 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #23 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #24 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #25 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #26 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #27 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #28 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #29 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + +previously allocated by thread T0 here: + #0 0x5556126ce43d in malloc (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2943d) + #1 0x7fc45f5171b8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x561b8) + #2 0x555613e18eaa in net_rx_pkt_pull_data /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:103:9 + #3 0x555613e1b5cd in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:158:5 + #4 0x55561338da6e 
in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1695:5 + #5 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + #6 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 + #7 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 + #8 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 + #9 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 + #10 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 + #11 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 + #12 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 + #13 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 + #14 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 + #15 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 + #16 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 + #17 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 + #18 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 + #19 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 + #20 0x555614ccf3a8 in address_space_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 + #21 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 + #22 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 + #23 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 + #24 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 + #25 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 + #26 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 + #27 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 + #28 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 + #29 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 + +SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1587:41 in e1000e_write_packet_to_guest +Shadow bytes around the buggy address: + 0x0c3280005940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c3280005950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c3280005960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c3280005970: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c3280005980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c3280005990: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c32800059a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c32800059b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c32800059c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c32800059d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 
0x0c32800059e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +==935641==ABORTING + +-Alex + +This problem does not reproduce for me with the latest version of QEMU anymore. I assume it has been fixed sometime during the past months? Could you please check whether you can still reproduce it with the current version of QEMU? + +I'm this was fixed by Jason's qemu_receive_packet patches. OSS-Fuzz +hasn't seen it in many months + +On 210527 1421, Thomas Huth wrote: +> This problem does not reproduce for me with the latest version of QEMU +> anymore. I assume it has been fixed sometime during the past months? +> Could you please check whether you can still reproduce it with the +> current version of QEMU? +> +> ** Changed in: qemu +> Status: New => Incomplete +> +> -- +> You received this bug notification because you are subscribed to the bug +> report. 
+> https://bugs.launchpad.net/bugs/1892978 +> +> Title: +> Heap-use-after-free in e1000e_write_packet_to_guest +> +> Status in QEMU: +> Incomplete +> +> Bug description: +> Hello, +> Reproducer: +> cat << EOF | ./qemu-system-i386 \ +> -display none -m 64 -netdev user,id=qtest-bn0 \ +> -device e1000e,netdev=qtest-bn0 -display none \ +> -nodefaults -accel qtest -qtest stdio +> outl 0xcf8 0x80001004 +> outl 0xcfc 0x3b2e84ce +> outl 0xcf8 0x80001013 +> outw 0xcfc 0x2499 +> writew 0x990000ff 0x5ea2 +> writeq 0x99000429 0x133a940000188101 +> outl 0xcfc 0x9b890e04 +> writeq 0x4000119 0x5000055ec751c0d +> write 0x10707 0x1 0x07 +> write 0x51 0x1 0x04 +> write 0x53 0x1 0x04 +> write 0x140 0x1 0x07 +> write 0x141 0x1 0x07 +> write 0x142 0x1 0x01 +> write 0x148 0x1 0x40 +> write 0x14a 0x1 0x7d +> write 0x14b 0x1 0xff +> writeq 0x4000401 0x413001600027d +> EOF +> +> +> The stacktrace: +> +> [S +0.090759] OK +> [R +0.090767] writeq 0x4000401 0x413001600027d +> ================================================================= +> ==935641==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900006cc88 at pc 0x555613393d45 bp 0x7fff92f8b7f0 sp 0x7fff92f8b7e8 +> READ of size 8 at 0x61900006cc88 thread T0 +> #0 0x555613393d44 in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1587:41 +> #1 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #2 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #3 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #4 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #5 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #6 0x5556133f8c07 in 
e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #7 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #8 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #9 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #10 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #11 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #12 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #13 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #14 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #15 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #16 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #17 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #18 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #19 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #20 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #21 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #22 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #23 
0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #24 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #25 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #26 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #27 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #28 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #29 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #30 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #31 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #32 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #33 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #34 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #35 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #36 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #37 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #38 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> 
#39 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #40 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #41 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #42 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #43 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #44 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #45 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #46 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #47 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #48 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #49 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #50 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #51 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #52 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #53 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #54 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #55 0x5556133f5359 in e1000e_process_tx_desc 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #56 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #57 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #58 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #59 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #60 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #61 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #62 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #63 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #64 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #65 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #66 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #67 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #68 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #69 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #70 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #71 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #72 0x555613393bae in 
e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #73 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #74 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #75 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #76 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #77 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #78 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #79 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #80 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #81 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #82 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #83 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #84 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #85 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #86 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #87 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #88 0x555614ccf878 in 
flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #89 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #90 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #91 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #92 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #93 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #94 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #95 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #96 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #97 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #98 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #99 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #100 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #101 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #102 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #103 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #104 0x5556133f302f in e1000e_start_xmit 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #105 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #106 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #107 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #108 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #109 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #110 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #111 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #112 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #113 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #114 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #115 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #116 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #117 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #118 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #119 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #120 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> 
#121 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #122 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #123 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #124 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #125 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #126 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #127 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #128 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #129 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #130 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #131 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #132 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #133 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #134 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #135 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #136 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #137 0x555614ccf3a8 in 
address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #138 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #139 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #140 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #141 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #142 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #143 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #144 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #145 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #146 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #147 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #148 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #149 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #150 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #151 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #152 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #153 0x5556133daba8 in e1000e_set_tctl 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #154 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #155 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #156 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #157 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #158 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #159 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #160 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #161 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #162 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #163 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #164 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #165 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #166 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #167 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #168 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #169 0x55561338e419 in e1000e_receive_iov 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #170 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #171 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #172 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #173 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #174 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #175 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #176 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #177 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #178 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #179 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #180 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #181 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #182 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #183 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #184 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #185 0x555614ccf3a8 in address_space_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #186 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #187 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #188 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #189 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #190 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #191 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #192 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #193 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #194 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #195 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #196 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #197 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #198 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #199 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #200 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #201 0x5556133daba8 in e1000e_set_tctl 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #202 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #203 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #204 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #205 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #206 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #207 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #208 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #209 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #210 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #211 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #212 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #213 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #214 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #215 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #216 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #217 0x55561338e419 in e1000e_receive_iov 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #218 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #219 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #220 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #221 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #222 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #223 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #224 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #225 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #226 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #227 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #228 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #229 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #230 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #231 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #232 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #233 0x555614ccf3a8 in address_space_write 
/home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #234 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #235 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #236 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #237 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #238 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #239 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #240 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #241 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #242 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #243 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #244 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #245 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #246 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #247 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #248 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #249 0x5556133daba8 in e1000e_set_tctl 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> +> 0x61900006cc88 is located 8 bytes inside of 1056-byte region [0x61900006cc80,0x61900006d0a0) +> freed by thread T0 here: +> #0 0x5556126ce1bd in free (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d291bd) +> #1 0x555613e2af31 in net_rx_pkt_iovec_realloc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:80:9 +> #2 0x555613e18eaa in net_rx_pkt_pull_data /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:103:9 +> #3 0x555613e1b5cd in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:158:5 +> #4 0x55561338da6e in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1695:5 +> #5 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #6 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #7 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #8 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #9 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #10 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #11 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #12 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #13 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #14 0x555613190f26 in e1000e_mmio_write 
/home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #15 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #16 0x55561508a2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #17 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #18 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #19 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #20 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #21 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #22 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #23 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #24 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #25 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #26 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #27 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #28 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #29 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> +> previously allocated by thread T0 here: +> #0 0x5556126ce43d in malloc 
(/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2d2943d) +> #1 0x7fc45f5171b8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x561b8) +> #2 0x555613e18eaa in net_rx_pkt_pull_data /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:103:9 +> #3 0x555613e1b5cd in net_rx_pkt_attach_iovec_ex /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_rx_pkt.c:158:5 +> #4 0x55561338da6e in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1695:5 +> #5 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> #6 0x555612812581 in net_tx_pkt_sendv /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:556:9 +> #7 0x55561280fbc8 in net_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:633:9 +> #8 0x555612813f38 in net_tx_pkt_send_loopback /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/net_tx_pkt.c:646:11 +> #9 0x5556133f8c07 in e1000e_tx_pkt_send /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:664:16 +> #10 0x5556133f5359 in e1000e_process_tx_desc /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:743:17 +> #11 0x5556133f302f in e1000e_start_xmit /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:934:9 +> #12 0x5556133daba8 in e1000e_set_tctl /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:2431:9 +> #13 0x55561339901b in e1000e_core_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:3265:9 +> #14 0x555613190f26 in e1000e_mmio_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:109:5 +> #15 0x55561508ade0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5 +> #16 0x55561508a2bd in access_with_adjusted_size 
/home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18 +> #17 0x555615087f70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16 +> #18 0x555614ce68a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23 +> #19 0x555614ccf878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14 +> #20 0x555614ccf3a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18 +> #21 0x555614ccfc40 in address_space_rw /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3318:16 +> #22 0x5556133b76c7 in dma_memory_rw_relaxed /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:87:18 +> #23 0x5556133b6ff5 in dma_memory_rw /home/alxndr/Development/qemu/general-fuzz/include/sysemu/dma.h:110:12 +> #24 0x5556133b6f3d in pci_dma_rw /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:790:5 +> #25 0x5556133b526a in pci_dma_write /home/alxndr/Development/qemu/general-fuzz/include/hw/pci/pci.h:803:12 +> #26 0x5556133b403f in e1000e_write_to_rx_buffers /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1412:9 +> #27 0x555613393bae in e1000e_write_packet_to_guest /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1582:21 +> #28 0x55561338e419 in e1000e_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1709:9 +> #29 0x55561319680b in e1000e_nc_receive_iov /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e.c:213:12 +> +> SUMMARY: AddressSanitizer: heap-use-after-free /home/alxndr/Development/qemu/general-fuzz/build/../hw/net/e1000e_core.c:1587:41 in e1000e_write_packet_to_guest +> Shadow bytes around the buggy address: +> 0x0c3280005940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c3280005950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c3280005960: fd fd fd fd fd fd fd fd fd fd 
fd fd fd fd fd fd +> 0x0c3280005970: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa +> 0x0c3280005980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +> =>0x0c3280005990: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c32800059a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c32800059b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c32800059c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c32800059d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> 0x0c32800059e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd +> Shadow byte legend (one shadow byte represents 8 application bytes): +> Addressable: 00 +> Partially addressable: 01 02 03 04 05 06 07 +> Heap left redzone: fa +> Freed heap region: fd +> Stack left redzone: f1 +> Stack mid redzone: f2 +> Stack right redzone: f3 +> Stack after return: f5 +> Stack use after scope: f8 +> Global redzone: f9 +> Global init order: f6 +> Poisoned by user: f7 +> Container overflow: fc +> Array cookie: ac +> Intra object redzone: bb +> ASan internal: fe +> Left alloca redzone: ca +> Right alloca redzone: cb +> Shadow gap: cc +> ==935641==ABORTING +> +> -Alex +> +> To manage notifications about this bug go to: +> https://bugs.launchpad.net/qemu/+bug/1892978/+subscriptions + + +Ok, thanks, so let's mark it as fixed now :-) + |
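Review bot: the stored report is a device re-entrancy bug, not a plain network-path fault, and the classifier input here carries noise that obscures that. In the "freed by" stack, frames #14 down to #29 show the outer receive path (e1000e_receive_iov:1709 -> e1000e_write_packet_to_guest:1582 -> e1000e_write_to_rx_buffers:1412 -> pci_dma_write) ending in memory_region_dispatch_write -> e1000e_mmio_write -> e1000e_set_tctl: the guest's RX descriptor buffer aliases the NIC's own register BAR, so the DMA write of the received packet lands on TCTL, starts transmit, and net_tx_pkt_send_loopback re-enters e1000e_receive_iov on the same device. The nested net_rx_pkt_attach_iovec_ex -> net_rx_pkt_pull_data -> net_rx_pkt_iovec_realloc (net_rx_pkt.c:80) frees the 1056-byte iovec that the outer e1000e_write_packet_to_guest is still iterating, which is the read at e1000e_core.c:1587:41. The "previously allocated" stack is the identical chain and the use stack runs to frame #249, so the loop nests many levels deep under guest control. Two suggestions for this results file: keep the first 30 frames of each stack and the SUMMARY line, which is enough to classify the report, and drop the shadow-byte legend and the mailing-list footer ("-Alex", "To manage notifications about this bug go to: ..."), since they are constant text across every ASan report and add nothing the classifier can use.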