qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1918917] Re: synchronous about on accessing unused I/O ports on aar

From: Dmitry Vyukov
Subject: [Bug 1918917] Re: synchronous about on accessing unused I/O ports on aarch64
Date: Fri, 12 Mar 2021 16:06:14 -0000 
The image is (gunzip it after download):
https://storage.googleapis.com/syzkaller/images/buildroot-arm64-2020.11.gz

Kernel:
https://storage.googleapis.com/syzkaller/temp/arm64-Image

qemu command line:

qemu-system-aarch64 \
        -machine virt,virtualization=on,graphics=on,usb=on -cpu cortex-a57 -smp 
2 -m 2G \
        -device virtio-blk-device,drive=hd0 \
        -drive if=none,format=raw,id=hd0,file=buildroot-arm64-2020.11 \
        -kernel arm64-Image \
        -nographic \
        -device virtio-rng-pci \
        -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net 
nic,model=virtio-net-pci \
        -append "root=/dev/vda earlyprintk=serial console=ttyAMA0 earlycon"

Reproducer:

#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
  int fd = syscall(__NR_openat, 0xffffffffffffff9cul, "/dev/ttyS3", 0ul, 0ul);
  char ch = 0;
  syscall(__NR_ioctl, fd, 0x5412, &ch); // TIOCSTI
  return 0;
}

Build with:
arch64-linux-gnu-gcc prog.c -static

scp to the VM and run. The image has password-less root ssh.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1918917

Title:
  synchronous about on accessing unused I/O ports on aarch64

Status in QEMU:
  New

Bug description:
  version: QEMU emulator version 5.2.0 (Debian 1:5.2+dfsg-6)
  command line: qemu-system-aarch64 \
        -machine virt,virtualization=on,graphics=on,usb=on -cpu cortex-a57 -smp 
2 -m 2G \
        -device virtio-blk-device,drive=hd0 \
        -drive if=none,format=raw,id=hd0,file=buildroot \
        -kernel arch/arm64/boot/Image \
        -nographic \
        -device virtio-rng-pci \
        -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net 
nic,model=virtio-net-pci \
        -append "root=/dev/vda earlyprintk=serial console=ttyAMA0 earlycon"

  I am observing "synchronous external abort" when kernel tries to
  access unused I/O ports (see below), while hardware/qemu should return
  0xffffffff in this case.

  This is factored out of this LKML thread where Arnd describes it in more 
details:
  
https://lore.kernel.org/lkml/CAK8P3a0HVu+x0T6+K3d0v1bvU-Pes0F0CSjqm5x=bxFgv5Y3mA@mail.gmail.com/

  Internal error: synchronous external abort: 96000050 [#1] PREEMPT SMP
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 0 PID: 11231 Comm: syz-executor.1 Not tainted 
5.12.0-rc2-syzkaller-00302-g28806e4d9b97 #0
  Hardware name: linux,dummy-virt (DT)
  pstate: 80000085 (Nzcv daIf -PAN -UAO -TCO BTYPE=--)
  pc : __raw_writeb arch/arm64/include/asm/io.h:27 [inline]
  pc : _outb include/asm-generic/io.h:501 [inline]
  pc : logic_outb+0x3c/0x114 lib/logic_pio.c:302
  lr : io_serial_out+0x80/0xc0 drivers/tty/serial/8250/8250_port.c:453
  sp : ffff000015f0f980
  x29: ffff000015f0f980 x28: ffff80001de0005d 
  x27: ffff80001601df00 x26: ffff000015f0fc90 
  x25: ffff80001de00000 x24: ffff80001de00000 
  x23: ffff00000e27f600 x22: 0000000000000000 
  x21: 0000000000000002 x20: 0000000000000002 
  x19: fffffbfffe800001 x18: ffff00006a678b48 
  x17: 0000000000000000 x16: 0000000000000000 
  x15: ffff8000197be810 x14: 1fffe00002be1f0e 
  x13: 1fffe00002be1e90 x12: ffff600002be1f39 
  x11: 1fffe00002be1f38 x10: ffff600002be1f38 
  x9 : dfff800000000000 x8 : 0000000000000003 
  x7 : 0000000000000001 x6 : 0000000000000004 
  x5 : ffff000015f0f9c0 x4 : dfff800000000000 
  x3 : 0000000000000001 x2 : 1ffff00003494e6b 
  x1 : fffffbfffe800000 x0 : 0000000000ffbffe 
  Call trace:
   _outb include/asm-generic/io.h:501 [inline]
   logic_outb+0x3c/0x114 lib/logic_pio.c:302
   io_serial_out+0x80/0xc0 drivers/tty/serial/8250/8250_port.c:453
   serial_out drivers/tty/serial/8250/8250.h:118 [inline]
   serial8250_set_THRI drivers/tty/serial/8250/8250.h:138 [inline]
   __start_tx drivers/tty/serial/8250/8250_port.c:1566 [inline]
   serial8250_start_tx+0x338/0x6c0 drivers/tty/serial/8250/8250_port.c:1666
   __uart_start.isra.0+0x10c/0x154 drivers/tty/serial/serial_core.c:127
   uart_start+0xe0/0x210 drivers/tty/serial/serial_core.c:137
   uart_flush_chars+0x10/0x20 drivers/tty/serial/serial_core.c:573
   __receive_buf drivers/tty/n_tty.c:1646 [inline]
   n_tty_receive_buf_common+0x588/0x22c0 drivers/tty/n_tty.c:1739
   n_tty_receive_buf+0x14/0x20 drivers/tty/n_tty.c:1768
   tiocsti drivers/tty/tty_io.c:2317 [inline]
   tty_ioctl+0xed0/0x1aec drivers/tty/tty_io.c:2718
   vfs_ioctl fs/ioctl.c:48 [inline]
   __do_sys_ioctl fs/ioctl.c:753 [inline]
   __se_sys_ioctl fs/ioctl.c:739 [inline]
   __arm64_sys_ioctl+0x120/0x18c fs/ioctl.c:739
   __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
   invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
   el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129
   do_el0_svc+0xa4/0xd0 arch/arm64/kernel/syscall.c:168
   el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:416
   el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432
   el0_sync+0x170/0x180 arch/arm64/kernel/entry.S:699
  Code: d2bfd001 f2df7fe1 f2ffffe1 8b010273 (39000274) 
  ---[ end trace 79cb47219936c254 ]---

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1918917/+subscriptions
reply via email to
[Prev in Thread] Current Thread [Next in Thread]