[OSS-Fuzz] ahci: stack overflow in ahci_cond_start_engines

=== Reproducer ===

while true; do cat << EOF; done | ./qemu-system-i386 -machine q35 -nodefaults -nographic -qtest stdio -accel qtest
outl 0xcf8 0x8000fa27
outl 0xcfc 0x37414537
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writew 0x37000f01 0x215a
writeq 0x37000100 0xfffaf
writeq 0x37000115 0xffff373d27004037
outl 0xcf8 0x8000fa01
outl 0xcfc 0x4606ce74
writeq 0x370000ff 0x3700011500
writeq 0x37000115 0xc41ffffff035a5a
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000ea00
outw 0xcfc 0x5a1f
writeq 0x37000115 0x100007765746972
writeq 0x37000115 0xbf00000000000000
outl 0xcf8 0x8000ea04
outb 0xcfc 0x15
outl 0xcf8 0x8000fa46
outb 0xcfc 0xff
clock_step
writeq 0x37000115 0xaf
writeq 0x37000115 0x6301275541af7415
writeq 0x37000115 0xafaf5a5a743715
outb 0x64 0xfe
EOF

=== Stack Trace ===

==887446==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe567cae0c (pc 0x7fdd9100819e bp 0x7ffe567cb2b0 sp 0x7ffe567cad40 T887446)
    #0 vfprintf
    #1 fprintf
    #2 ahci_mem_write /src/qemu/hw/ide/ahci.c:468:9
    #3 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
    #4 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
    #5 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
    #6 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
    #7 flatview_write /src/qemu/softmmu/physmem.c:2799:14
    #8 address_space_write /src/qemu/softmmu/physmem.c:2891:18
    #9 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
    #10 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
    #11 map_page /src/qemu/hw/ide/ahci.c:249:9
    #12 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
    #13 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
    #14 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
    #15 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
    #16 memory_region_write_accessor /src/qemu/softmmu/memory.c:491:5
    #17 access_with_adjusted_size /src/qemu/softmmu/memory.c:552:18
    #18 memory_region_dispatch_write /src/qemu/softmmu/memory.c:0:13
    #19 flatview_write_continue /src/qemu/softmmu/physmem.c:2759:23
    #20 flatview_write /src/qemu/softmmu/physmem.c:2799:14
    #21 address_space_write /src/qemu/softmmu/physmem.c:2891:18
    #22 address_space_unmap /src/qemu/softmmu/physmem.c:3217:9
    #23 dma_memory_unmap /src/qemu/include/sysemu/dma.h:226:5
    #24 map_page /src/qemu/hw/ide/ahci.c:249:9
    #25 ahci_map_clb_address /src/qemu/hw/ide/ahci.c:748:5
    #26 ahci_cond_start_engines /src/qemu/hw/ide/ahci.c:276:14
    #27 ahci_port_write /src/qemu/hw/ide/ahci.c:339:9
    #28 ahci_mem_write /src/qemu/hw/ide/ahci.c:513:9
    ...

Repeat until we run out of stack.

Having a quick look, the problem might be in ahci_cond_start_engines(), which calls ahci_map_clb_address(); then ahci_map_fis_address() fails and we return without calling ahci_unmap_clb_address(). And ahci_port_write(AHCI_PORT_REG_CMD) doesn't check the ahci_cond_start_engines() return value, calling ahci_init_d2h() even if the former failed.

This is an automated cleanup. This bug report has been moved to QEMU's new bug tracker on gitlab.com and thus gets marked as 'expired' now. Please continue with the discussion here: https://gitlab.com/qemu-project/qemu/-/issues/62