blob: 2e3f3e6ba8d97362412f50e94156889cf0a87863 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
permissions: 0.837
TCG: 0.819
arm: 0.818
x86: 0.811
peripherals: 0.804
network: 0.804
device: 0.803
register: 0.801
debug: 0.801
ppc: 0.801
virtual: 0.793
semantic: 0.787
PID: 0.784
graphic: 0.784
files: 0.780
VMM: 0.771
mistranslation: 0.770
hypervisor: 0.768
socket: 0.768
vnc: 0.765
boot: 0.764
architecture: 0.763
risc-v: 0.761
performance: 0.758
i386: 0.755
KVM: 0.755
assembly: 0.749
user-level: 0.749
kernel: 0.742
Assertion `child->perm & BLK_PERM_WRITE' failed in bdrv_co_write_req_prepare through atapi
Maybe this is a duplicate of https://bugs.launchpad.net/qemu/+bug/1906693 ...
In any case, ATAPI is probably a lot more common than megasas, so this might be a more useful reproducer
==Reproducer==
cat << EOF | ./qemu-system-i386 -display none \
-m 512M -machine q35 -nodefaults \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-cd,drive=disk0 -machine accel=qtest -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0xe0000398 0x1 0x01
write 0x63 0x1 0x06
write 0x68 0x1 0x06
write 0x69 0x1 0xf8
write 0x6a 0x1 0xff
write 0xfff806 0x1 0x27
write 0xfff807 0x1 0x80
write 0xfff808 0x1 0x61
write 0x1005734 0x1 0x3f
write 0x1005774 0x1 0x20
write 0x1005784 0x1 0x34
write 0x10057a4 0x1 0x27
write 0x10057b4 0x1 0x3f
write 0x10057c3 0x1 0xce
write 0x10057d4 0x1 0x1a
write 0x10057e3 0x1 0xff
write 0x10057e4 0x1 0x3f
write 0x10057f4 0x1 0x38
write 0x1005814 0x1 0x3e
write 0x1005823 0x1 0x60
write 0x1005824 0x1 0x2d
write 0x1005833 0x1 0x74
write 0x1005834 0x1 0x01
write 0x1005863 0x1 0xff
write 0x1005883 0x1 0x5a
write 0x1005884 0x1 0x06
write 0xe00003b8 0x1 0x08
EOF
==Stack Trace==
i386: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x5a00)
qemu-fuzz-i386-target-generic-fuzz-ahci-atapi: ../block/io.c:1982: int
bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest
*, int): Assertion `child->perm & BLK_PERM_WRITE' failed.
==279048== ERROR: libFuzzer: deadly signal
#0 0x560c92718f50 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3
#1 0x560c926c2f98 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x560c926a7fd3 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7ff7d707038f in libpthread.so.0
#4 0x7ff7d66a8437 in raise
#5 0x7ff7d66aa039 in abort
#6 0x7ff7d66a0be6 in libc.so.6
#7 0x7ff7d66a0c91 in __assert_fail
#8 0x560c92f4fc79 in bdrv_co_write_req_prepare /src/qemu/block/io.c:1982:13
#9 0x560c92f4c974 in bdrv_aligned_pwritev /src/qemu/block/io.c:2065:11
#10 0x560c92f4b937 in bdrv_co_pwritev_part /src/qemu/block/io.c:2270:11
#11 0x560c92f392e7 in blk_do_pwritev_part /src/qemu/block/block-backend.c:1260:11
#12 0x560c92f39a55 in blk_aio_write_entry /src/qemu/block/block-backend.c:1476:17
#13 0x560c930d19d5 in coroutine_trampoline /src/qemu/util/coroutine-ucontext.c:173:9
#14 0x7ff7d66bd5df in libc.so.6
OSS-Fuzz link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30857
Not a duplicate of the other bug. Confirmed on development head beyond 6.0.
Please migrate this bug to gitlab and assign me.
--js
This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:
https://gitlab.com/qemu-project/qemu/-/issues/342
|