summary refs log tree commit diff stats
path: root/results/classifier/118/none/1891354
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/none/1891354')
-rw-r--r--results/classifier/118/none/1891354423
1 files changed, 423 insertions, 0 deletions
diff --git a/results/classifier/118/none/1891354 b/results/classifier/118/none/1891354
new file mode 100644
index 000000000..76991651a
--- /dev/null
+++ b/results/classifier/118/none/1891354
@@ -0,0 +1,423 @@
+hypervisor: 0.736
+KVM: 0.733
+peripherals: 0.698
+TCG: 0.659
+i386: 0.656
+permissions: 0.654
+register: 0.652
+virtual: 0.640
+VMM: 0.640
+device: 0.620
+graphic: 0.620
+architecture: 0.619
+ppc: 0.613
+risc-v: 0.603
+performance: 0.594
+user-level: 0.587
+x86: 0.582
+semantic: 0.571
+mistranslation: 0.561
+vnc: 0.559
+arm: 0.551
+debug: 0.545
+assembly: 0.529
+network: 0.502
+files: 0.478
+boot: 0.477
+socket: 0.470
+PID: 0.463
+kernel: 0.442
+
+Heap-use-after-free in usb_packet_unmap
+
+Hello,
+Reproducer:
+
+cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+-trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+-nodefaults -nographic -qtest stdio
+outl 0xcf8 0x80001010
+outl 0xcfc 0xc0202
+outl 0xcf8 0x80001004
+outl 0xcfc 0x1c77695e
+writel 0xc0040 0xffffd855
+writeq 0xc2000 0xff05140100000000
+write 0x1d 0x1 0x27
+write 0x2d 0x1 0x2e
+write 0x17232 0x1 0x03
+write 0x17254 0x1 0x05
+write 0x17276 0x1 0x72
+write 0x17278 0x1 0x02
+write 0x3d 0x1 0x27
+write 0x40 0x1 0x2e
+write 0x41 0x1 0x72
+write 0x42 0x1 0x01
+write 0x4d 0x1 0x2e
+write 0x4f 0x1 0x01
+write 0x2007c 0x1 0xc7
+writeq 0xc2000 0x5c05140100000000
+write 0x20070 0x1 0x80
+write 0x20078 0x1 0x08
+write 0x2007c 0x1 0xfe
+write 0x2007d 0x1 0x08
+write 0x20081 0x1 0xff
+write 0x20082 0x1 0x0b
+write 0x20089 0x1 0x8c
+write 0x2008d 0x1 0x04
+write 0x2009d 0x1 0x10
+writeq 0xc2000 0x2505ef019e092f00
+EOF
+
+20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
+READ of size 4 at 0x611000045030 thread T0
+    #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
+    #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+    #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+    #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+    #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+    #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+    #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+    #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+    #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+    #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+    #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+    #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+    #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+    #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+    #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+    #15 0x7fc5d7f1a897 in g_main_context_dispatch
+    #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
+    #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
+    #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
+    #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
+    #20 0x55db7a8860fd in main softmmu/main.c:49:5
+
+0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
+freed by thread T0 here:
+    #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
+    #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
+    #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
+    #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
+    #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
+    #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
+    #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+    #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+    #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+    #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+    #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+    #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+    #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
+    #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
+    #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
+    #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+    #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+    #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+    #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+    #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+    #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+    #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+    #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+    #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+    #24 0x55db78cfee6b in flatview_write exec.c:3216:14
+    #25 0x55db78cfee6b in address_space_write exec.c:3308:18
+    #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+    #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+    #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+    #29 0x7fc5d7f1a897 in g_main_context_dispatch
+
+previously allocated by thread T0 here:
+    #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
+    #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
+    #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+    #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+    #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+    #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+    #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+    #7 0x55db78cfee6b in flatview_write exec.c:3216:14
+    #8 0x55db78cfee6b in address_space_write exec.c:3308:18
+    #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+    #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+    #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+    #12 0x7fc5d7f1a897 in g_main_context_dispatch
+
+-Alex
+
+On 200813 0024, Li Qiang wrote:
+> Alexander Bulekov <email address hidden> 于2020年8月13日周四 上午12:21写道:
+> >
+> > Public bug reported:
+> >
+> > Hello,
+> > Reproducer:
+> >
+> > cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+> > -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+> > -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+> > -nodefaults -nographic -qtest stdio
+> > outl 0xcf8 0x80001010
+> > outl 0xcfc 0xc0202
+> > outl 0xcf8 0x80001004
+> > outl 0xcfc 0x1c77695e
+> > writel 0xc0040 0xffffd855
+> > writeq 0xc2000 0xff05140100000000
+> > write 0x1d 0x1 0x27
+> > write 0x2d 0x1 0x2e
+> > write 0x17232 0x1 0x03
+> > write 0x17254 0x1 0x05
+> > write 0x17276 0x1 0x72
+> > write 0x17278 0x1 0x02
+> > write 0x3d 0x1 0x27
+> > write 0x40 0x1 0x2e
+> > write 0x41 0x1 0x72
+> > write 0x42 0x1 0x01
+> > write 0x4d 0x1 0x2e
+> > write 0x4f 0x1 0x01
+> > write 0x2007c 0x1 0xc7
+> > writeq 0xc2000 0x5c05140100000000
+> > write 0x20070 0x1 0x80
+> > write 0x20078 0x1 0x08
+> > write 0x2007c 0x1 0xfe
+> > write 0x2007d 0x1 0x08
+> > write 0x20081 0x1 0xff
+> > write 0x20082 0x1 0x0b
+> > write 0x20089 0x1 0x8c
+> > write 0x2008d 0x1 0x04
+> > write 0x2009d 0x1 0x10
+> > writeq 0xc2000 0x2505ef019e092f00
+> > EOF
+> >
+> > 20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
+> > READ of size 4 at 0x611000045030 thread T0
+> >     #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
+> >     #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+> >     #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+> >     #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+> >     #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+> >     #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >     #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >     #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >     #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >     #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >     #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >     #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >     #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >     #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >     #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >     #15 0x7fc5d7f1a897 in g_main_context_dispatch
+> >     #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
+> >     #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
+> >     #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
+> >     #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
+> >     #20 0x55db7a8860fd in main softmmu/main.c:49:5
+> >
+> > 0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
+> > freed by thread T0 here:
+> >     #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
+> >     #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
+> >     #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
+> >     #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
+> >     #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
+> >     #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
+> >     #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >     #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >     #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >     #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >     #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >     #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >     #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
+> >     #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
+> >     #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
+> >     #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+> >     #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+> >     #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+> >     #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+> >     #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >     #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >     #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >     #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >     #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >     #24 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >     #25 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >     #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >     #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >     #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >     #29 0x7fc5d7f1a897 in g_main_context_dispatch
+> >
+> 
+> This issue as far as I can see, is the DMA to MMIO issue.
+
+Another one - Interesting...
+So it joins these:
+https://bugs.launchpad.net/qemu/+bug/1888606
+https://bugs.launchpad.net/qemu/+bug/1886362
+
+Could this one be dealt with by moving xhci_reset into a BH?
+-Alex
+
+> Thanks,
+> Li Qiang
+> 
+> 
+> > previously allocated by thread T0 here:
+> >     #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
+> >     #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
+> >     #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >     #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >     #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >     #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >     #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >     #7 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >     #8 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >     #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >     #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >     #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >     #12 0x7fc5d7f1a897 in g_main_context_dispatch
+> >
+> > -Alex
+> >
+> > ** Affects: qemu
+> >      Importance: Undecided
+> >          Status: New
+> >
+> > --
+> > You received this bug notification because you are a member of qemu-
+> > devel-ml, which is subscribed to QEMU.
+> > https://bugs.launchpad.net/bugs/1891354
+> >
+> > Title:
+> >   Heap-use-after-free in usb_packet_unmap
+> >
+> > Status in QEMU:
+> >   New
+> >
+> > Bug description:
+> >   Hello,
+> >   Reproducer:
+> >
+> >   cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
+> >   -trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
+> >   -drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
+> >   -nodefaults -nographic -qtest stdio
+> >   outl 0xcf8 0x80001010
+> >   outl 0xcfc 0xc0202
+> >   outl 0xcf8 0x80001004
+> >   outl 0xcfc 0x1c77695e
+> >   writel 0xc0040 0xffffd855
+> >   writeq 0xc2000 0xff05140100000000
+> >   write 0x1d 0x1 0x27
+> >   write 0x2d 0x1 0x2e
+> >   write 0x17232 0x1 0x03
+> >   write 0x17254 0x1 0x05
+> >   write 0x17276 0x1 0x72
+> >   write 0x17278 0x1 0x02
+> >   write 0x3d 0x1 0x27
+> >   write 0x40 0x1 0x2e
+> >   write 0x41 0x1 0x72
+> >   write 0x42 0x1 0x01
+> >   write 0x4d 0x1 0x2e
+> >   write 0x4f 0x1 0x01
+> >   write 0x2007c 0x1 0xc7
+> >   writeq 0xc2000 0x5c05140100000000
+> >   write 0x20070 0x1 0x80
+> >   write 0x20078 0x1 0x08
+> >   write 0x2007c 0x1 0xfe
+> >   write 0x2007d 0x1 0x08
+> >   write 0x20081 0x1 0xff
+> >   write 0x20082 0x1 0x0b
+> >   write 0x20089 0x1 0x8c
+> >   write 0x2008d 0x1 0x04
+> >   write 0x2009d 0x1 0x10
+> >   writeq 0xc2000 0x2505ef019e092f00
+> >   EOF
+> >
+> >   20091==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000045030 at pc 0x55db79edeef2 bp 0x7ffc4020b2b0 sp 0x7ffc4020b2a8
+> >   READ of size 4 at 0x611000045030 thread T0
+> >       #0 0x55db79edeef1 in usb_packet_unmap hw/usb/libhw.c:64:28
+> >       #1 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+> >       #2 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+> >       #3 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+> >       #4 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+> >       #5 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >       #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >       #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >       #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >       #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >       #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >       #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >       #12 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >       #13 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >       #14 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >       #15 0x7fc5d7f1a897 in g_main_context_dispatch
+> >       #16 0x55db7aa571b3 in glib_pollfds_poll util/main-loop.c:217:9
+> >       #17 0x55db7aa571b3 in os_host_main_loop_wait util/main-loop.c:240:5
+> >       #18 0x55db7aa571b3 in main_loop_wait util/main-loop.c:516:11
+> >       #19 0x55db79315008 in qemu_main_loop softmmu/vl.c:1676:9
+> >       #20 0x55db7a8860fd in main softmmu/main.c:49:5
+> >
+> >   0x611000045030 is located 48 bytes inside of 256-byte region [0x611000045000,0x611000045100)
+> >   freed by thread T0 here:
+> >       #0 0x55db78cac16d in free (build/i386-softmmu/qemu-system-i386+0x250e16d)
+> >       #1 0x55db79f7c0e8 in xhci_ep_nuke_xfers hw/usb/hcd-xhci.c:1252:9
+> >       #2 0x55db79f7b454 in xhci_disable_ep hw/usb/hcd-xhci.c:1279:5
+> >       #3 0x55db79f79af7 in xhci_disable_slot hw/usb/hcd-xhci.c:2048:13
+> >       #4 0x55db79f5aea3 in xhci_reset hw/usb/hcd-xhci.c:2706:9
+> >       #5 0x55db79f82f49 in xhci_oper_write hw/usb/hcd-xhci.c:2966:13
+> >       #6 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >       #7 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >       #8 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >       #9 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >       #10 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >       #11 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >       #12 0x55db78d01fe7 in address_space_unmap exec.c:3634:9
+> >       #13 0x55db79edebbb in dma_memory_unmap include/sysemu/dma.h:145:5
+> >       #14 0x55db79edebbb in usb_packet_unmap hw/usb/libhw.c:65:9
+> >       #15 0x55db79ede66f in usb_packet_map hw/usb/libhw.c:54:5
+> >       #16 0x55db79f6d5f1 in xhci_setup_packet hw/usb/hcd-xhci.c:1618:5
+> >       #17 0x55db79f67143 in xhci_fire_ctl_transfer hw/usb/hcd-xhci.c:1722:9
+> >       #18 0x55db79f67143 in xhci_kick_epctx hw/usb/hcd-xhci.c:1991:13
+> >       #19 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >       #20 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >       #21 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >       #22 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >       #23 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >       #24 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >       #25 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >       #26 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >       #27 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >       #28 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >       #29 0x7fc5d7f1a897 in g_main_context_dispatch
+> >
+> >   previously allocated by thread T0 here:
+> >       #0 0x55db78cac562 in calloc (build/i386-softmmu/qemu-system-i386+0x250e562)
+> >       #1 0x7fc5d7f20548 in g_malloc0 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x54548)
+> >       #2 0x55db79f8837d in xhci_doorbell_write hw/usb/hcd-xhci.c:3162:13
+> >       #3 0x55db792c6b8e in memory_region_write_accessor softmmu/memory.c:483:5
+> >       #4 0x55db792c658b in access_with_adjusted_size softmmu/memory.c:544:18
+> >       #5 0x55db792c5d9b in memory_region_dispatch_write softmmu/memory.c
+> >       #6 0x55db78d094d2 in flatview_write_continue exec.c:3176:23
+> >       #7 0x55db78cfee6b in flatview_write exec.c:3216:14
+> >       #8 0x55db78cfee6b in address_space_write exec.c:3308:18
+> >       #9 0x55db793072a9 in qtest_process_command softmmu/qtest.c:452:13
+> >       #10 0x55db79304087 in qtest_process_inbuf softmmu/qtest.c:710:9
+> >       #11 0x55db7a7d7293 in fd_chr_read chardev/char-fd.c:68:9
+> >       #12 0x7fc5d7f1a897 in g_main_context_dispatch
+> >
+> >   -Alex
+> >
+> > To manage notifications about this bug go to:
+> > https://bugs.launchpad.net/qemu/+bug/1891354/+subscriptions
+> >
+> 
+
+
+Still reproduces with current version of QEMU (if it has been built with Clang + asan enabled). Marking as "Confirmed"
+
+I moved this report over to QEMU's new bug tracker on gitlab.com.
+Please continue with the discussion here:
+
+https://gitlab.com/qemu-project/qemu/-/issues/540
+
+Thanks for moving it over! ... let's close this one here on Launchpad now.
+
+