Assert failure in `usb_ep_get`: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed.

# Description of problem

Assert failure in `usb_ep_get`: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT` failed.

The TD PID needs to be either `USB_TOKEN_IN` or `USB_TOKEN_OUT` in `usb_ep_get`, but in the caller `uhci_handle_td` it may be `USB_TOKEN_SETUP`.

An unprivileged guest user may be able to reach the assertion. I think this bug is quite akin to CVE-2024-3567 (https://gitlab.com/qemu-project/qemu/-/issues/2273): users are not directly able to craft URBs, but as a user one might be able to find a kernel path that would send a TD with PID `USB_TOKEN_SETUP` to QEMU (which is called `USB_PID_SETUP` in Linux). For instance, in the Linux kernel, `uhci_submit_control` in `drivers/usb/host/uhci-q.c:789` does link a `USB_PID_SETUP` TD to the URB.

# Steps to reproduce

Minimized reproducer:

```
cat << EOF | ./qemu/build2/qemu-system-x86_64 -machine q35 -nodefaults \
    -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
    -device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
    -device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 \
    -device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 \
    -drive if=none,id=usbcdrom,media=cdrom \
    -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
    -device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
    -qtest stdio
outl 0xcf8 0x8000e900
inw 0xcfc
outl 0xcf8 0x8000e920
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000e920
inl 0xcfc
outl 0xcf8 0x8000e920
outl 0xcfc 0xc001
outl 0xcf8 0x8000e904
inw 0xcfc
outl 0xcf8 0x8000e904
outw 0xcfc 0x7
outl 0xcf8 0x8000e904
inw 0xcfc
outl 0xcf8 0x8000ef00
inw 0xcfc
outl 0xcf8 0x8000ef10
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000ef10
inl 0xcfc
outl 0xcf8 0x8000ef10
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000ef04
inw 0xcfc
outl 0xcf8 0x8000ef04
outw 0xcfc 0x7
outl 0xcf8 0x8000ef04
inw 0xcfc
outl 0xcf8 0x8000ea00
inw 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000ea20
inl 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0xc021
outl 0xcf8 0x8000ea04
inw 0xcfc
outl 0xcf8 0x8000ea04
outw 0xcfc 0x7
outl 0xcf8 0x8000ea04
inw 0xcfc
outl 0xcf8 0x8000e800
inw 0xcfc
outl 0xcf8 0x8000e820
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000e820
inl 0xcfc
outl 0xcf8 0x8000e820
outl 0xcfc 0xc041
outl 0xcf8 0x8000e804
inw 0xcfc
outl 0xcf8 0x8000e804
outw 0xcfc 0x7
outl 0xcf8 0x8000e804
inw 0xcfc
outl 0xcf8 0x8000fa00
inw 0xcfc
outl 0xcf8 0x8000fa20
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000fa20
inl 0xcfc
outl 0xcf8 0x8000fa20
outl 0xcfc 0xc061
outl 0xcf8 0x8000fa24
outl 0xcfc 0xffffffff
outl 0xcf8 0x8000fa24
inl 0xcfc
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0001000
outl 0xcf8 0x8000fa04
inw 0xcfc
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fa04
inw 0xcfc
outl 0xcf8 0x8000ea20
outl 0xcfc 0x625f69a0
outb 0xc040 0x46
outb 0xc040 0x69
inb 0xc000
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
clock_step
write 0x0 0x4 0x64657669
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
write 0xff000000 0x8 0x000000ff6c6f6766
write 0xff000008 0x8 0x8d6c65652d736400
outb 0xc040 0x69
outl 0xcf8 0x8000ef76
outw 0xcfc 0x6563
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
inb 0xc000
clock_step
write 0x4 0x4 0x64657669
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
write 0xff000000 0x8 0x000000ff6c6f6766
write 0xff000008 0x8 0x8d6c65652d736400
outb 0xc040 0x69
outw 0xc003 0x6769
outb 0xc040 0x69
readq 0xe0000074
outb 0xc040 0x46
clock_step
outb 0xc040 0x69
clock_step
write 0x8 0x4 0x00000100
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
write 0xff000000 0x8 0x6465766963656d69
write 0xff000008 0x8 0x740d00699b652d63
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
clock_step
write 0xc 0x4 0x000000ff
write 0xff000000 0x8 0x0000010000000069
write 0xff000008 0x8 0x636c395f61707269
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
outw 0xc003 0x6f00
outb 0xc040 0x69
outl 0xc053 0x6378616d
clock_step
write 0x10 0x4 0x000000ff
write 0xff000000 0x8 0x6465766963656d69
write 0xff000008 0x8 0x740d00699b652d63
write 0x69766560 0x8 0x000000ff6c46f228
write 0x69766568 0x8 0x2d323334319c6c65
outb 0xc051 0x6d
outb 0xc04f 0x61
outb 0xc040 0x69
clock_step
write 0x14 0x4 0x000000ff
write 0xff000000 0x8 0x0000010000000069
write 0xff000008 0x8 0x636c395f61707269
write 0x10000 0x10 0x000000ff6c46f2282d00363939333336
EOF
```

# Additional information

The crash report triggered by the reproducer is:

```
qemu-fuzz-x86_64: ../hw/usb/core.c:744: struct USBEndpoint *usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed.
==892641== ERROR: libFuzzer: deadly signal
    #0 0x557dd985fc41 in __sanitizer_print_stack_trace (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x20b2c41) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #1 0x557dd97cfa58 in fuzzer::PrintStackTrace() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2022a58) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #2 0x557dd97b5ae3 in fuzzer::Fuzzer::CrashCallback() (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2008ae3) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #3 0x7fd7e623c45f (/lib/x86_64-linux-gnu/libc.so.6+0x3c45f) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
    #4 0x7fd7e629152a in __pthread_kill_implementation nptl/pthread_kill.c:43:17
    #5 0x7fd7e629152a in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #6 0x7fd7e629152a in pthread_kill nptl/pthread_kill.c:89:10
    #7 0x7fd7e623c3b5 in raise signal/../sysdeps/posix/raise.c:26:13
    #8 0x7fd7e622287b in abort stdlib/abort.c:79:7
    #9 0x7fd7e622279a in __assert_fail_base assert/assert.c:92:3
    #10 0x7fd7e6233b65 in __assert_fail assert/assert.c:101:3
    #11 0x557dda3b67c6 in usb_ep_get /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/core.c:744:5
    #12 0x557dda3d8820 in uhci_handle_td /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:819:14
    #13 0x557dda3d41ed in uhci_process_frame /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1022:15
    #14 0x557dda3cbf7e in uhci_frame_timer /home/hypervisor/qemu_fuzz/qemu/build2/../hw/usb/hcd-uhci.c:1121:9
    #15 0x557ddb90c0ff in timerlist_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:576:9
    #16 0x557ddb90d3e8 in qemu_clock_run_timers /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:590:12
    #17 0x557ddb90d3e8 in qemu_clock_advance_virtual_time /home/hypervisor/qemu_fuzz/qemu/build2/../util/qemu-timer.c:696:9
    #18 0x557dda67fa2f in qtest_process_command /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:722:9
    #19 0x557dda67b3bb in qtest_process_inbuf /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:776:9
    #20 0x557dda67acf6 in qtest_server_inproc_recv /home/hypervisor/qemu_fuzz/qemu/build2/../system/qtest.c:907:9
    #21 0x557ddb5fa3e2 in qtest_sendf /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:640:5
    #22 0x557ddb5fa4f4 in qtest_clock_step_next /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/libqtest.c:1009:5
    #23 0x557ddb67c2ef in generic_fuzz /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/generic_fuzz.c:667:13
    #24 0x557ddb66e807 in LLVMFuzzerTestOneInput /home/hypervisor/qemu_fuzz/qemu/build2/../tests/qtest/fuzz/fuzz.c:158:5
    #25 0x557dd97b6f52 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2009f52) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #26 0x557dd97a1080 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff4080) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #27 0x557dd97a6d07 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1ff9d07) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #28 0x557dd97d0292 in main (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x2023292) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
    #29 0x7fd7e6223a8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7fd7e6223b48 in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x557dd979b884 in _start (/home/hypervisor/qemu_fuzz/qemu/build2/qemu-fuzz-x86_64+0x1fee884) (BuildId: 1208fb4c12f2da2381e7763dabbbdabaf2db65e5)
```
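The root cause in the description (a guest-supplied SETUP PID reaching an endpoint lookup that only accepts IN or OUT) as an added example; this is not QEMU's code and the function names `uhci_make_token` and `uhci_check_td_token` are invented here. It assumes, as in upstream `usb_ep_get`, that endpoint 0 is resolved before the PID assertion, so a SETUP TD to the control endpoint is fine and only SETUP on a non-zero endpoint (or an unknown PID) needs to be rejected as a TD error before the lookup is made.

```c
/* Added example, not QEMU's own code: models the validation a UHCI
 * host-controller emulation should apply to a TD token before it resolves
 * the endpoint, so guest-controlled garbage is reported as a TD error
 * instead of reaching an assert(). Token layout is from the UHCI 1.1 spec
 * (TD dword 2): PID bits 7:0, device address bits 14:8, endpoint 18:15. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard USB packet identifiers; QEMU's USB_TOKEN_* use the same values. */
#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_IN    0x69
#define USB_TOKEN_OUT   0xe1

typedef enum {
    TD_ACCEPT,               /* safe to pass to an IN/OUT endpoint lookup */
    TD_ERR_BAD_PID,          /* PID is not SETUP, IN or OUT */
    TD_ERR_SETUP_NONZERO_EP  /* SETUP is only legal on the control endpoint */
} td_verdict_t;

static inline uint8_t uhci_td_pid(uint32_t token) { return token & 0xff; }
static inline uint8_t uhci_td_endpoint(uint32_t token) { return (token >> 15) & 0xf; }

/* Build a token dword the way a guest driver would fill TD dword 2
 * (hypothetical helper, used here to construct sample inputs). */
uint32_t uhci_make_token(uint8_t pid, uint8_t devaddr, uint8_t ep)
{
    return ((uint32_t)(ep & 0xf) << 15) | ((uint32_t)(devaddr & 0x7f) << 8) | pid;
}

/* The check the controller model makes before any endpoint lookup: IN and
 * OUT are accepted for every endpoint, SETUP only for endpoint 0, and any
 * other PID is an invalid TD the controller must report, never assert on. */
td_verdict_t uhci_check_td_token(uint32_t token)
{
    uint8_t pid = uhci_td_pid(token);

    if (pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT) {
        return TD_ACCEPT;
    }
    if (pid == USB_TOKEN_SETUP) {
        return uhci_td_endpoint(token) == 0 ? TD_ACCEPT : TD_ERR_SETUP_NONZERO_EP;
    }
    return TD_ERR_BAD_PID;
}

int main(void)
{
    /* Constructed sample tokens: a normal control SETUP, the SETUP-to-
     * endpoint-2 case that would reach the assert, a bulk IN, and a bogus PID. */
    uint32_t probes[] = {
        uhci_make_token(USB_TOKEN_SETUP, 1, 0), uhci_make_token(USB_TOKEN_SETUP, 1, 2),
        uhci_make_token(USB_TOKEN_IN, 1, 2),    uhci_make_token(0x00, 1, 2),
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("token 0x%08x: pid 0x%02x ep %u -> verdict %d\n", probes[i],
               uhci_td_pid(probes[i]), uhci_td_endpoint(probes[i]),
               uhci_check_td_token(probes[i]));
    }
    return 0;
}
```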