qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1878323] Re: Assertion-failure in usb_detach

From: Alexander Bulekov
Subject: [Bug 1878323] Re: Assertion-failure in usb_detach
Date: Mon, 14 Jun 2021 23:22:47 -0000 
OSS-Fuzz never found it, though we are fuzzing a slightly different ehci
configuration there. I made a note of the arguments we should start
fuzzing on OSS-Fuzz, but I think this is safe to close.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878323

Title:
  Assertion-failure in usb_detach

Status in QEMU:
  Incomplete

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an assertion-failure in 
usb_detach

  /home/alxndr/Development/qemu/hw/usb/core.c:69: void usb_detach(USBPort *): 
Assertion `dev->state != USB_STATE_NOTATTACHED' failed.
  #3  0x00007ffff6866092 in __GI___assert_fail (assertion=0x555557fd2040 <str> 
"dev->state != USB_STATE_NOTATTACHED", file=0x555557fd1ec0 <str> 
"/home/alxndr/Development/qemu/hw/usb/core.c", line=0x45, 
function=0x555557fd2000 <__PRETTY_FUNCTION__.usb_detach> "void 
usb_detach(USBPort *)") at assert.c:101
  #4  0x000055555723f0ce in usb_detach (port=0x62100002df30) at 
/home/alxndr/Development/qemu/hw/usb/core.c:69
  #5  0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
  #6  0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, 
val=0xbebebebe, size=0x4) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
  #7  0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, 
addr=0x0, value=0x7fffffffaad0, size=0x4, shift=0x0, mask=0xffffffff, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #8  0x000055555649328a in access_with_adjusted_size (addr=0x0, 
value=0x7fffffffaad0, size=0x4, access_size_min=0x1, access_size_max=0x4, 
access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #9  0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, 
addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:1476
  #10 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, 
addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, 
mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
  #11 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, 
attrs=..., buf=0x625000260000, len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3177
  #12 0x00005555562bb609 in address_space_write (as=0x62100002d328, 
addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3268
  #13 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, 
buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3592
  #14 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, 
buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, 
access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
  #15 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, 
sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
  #16 0x00005555572a5953 in ehci_free_packet (p=0x611000048480) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:536
  #17 0x00005555572a4ed4 in ehci_cancel_queue (q=0x60d000004f10) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:584
  #18 0x00005555572a49ab in ehci_free_queue (q=0x60d000004f10, warn=0x0) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:611
  #19 0x00005555572b102d in ehci_queues_rip_device (ehci=0x62100002d9f0, 
dev=0x623000001d00, async=0x1) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:674
  #20 0x00005555572af7a3 in ehci_detach (port=0x62100002df78) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:733
  #21 0x000055555723f15c in usb_detach (port=0x62100002df78) at 
/home/alxndr/Development/qemu/hw/usb/core.c:70
  #22 0x00005555572a05a4 in ehci_reset (opaque=0x62100002d9f0) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:863
  #23 0x00005555572bf941 in ehci_opreg_write (ptr=0x62100002d9f0, addr=0x0, 
val=0xbebebebe, size=0x4) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1032
  #24 0x00005555564938b5 in memory_region_write_accessor (mr=0x62100002dcb0, 
addr=0x0, value=0x7fffffffc410, size=0x4, shift=0x0, mask=0xffffffff, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #25 0x000055555649328a in access_with_adjusted_size (addr=0x0, 
value=0x7fffffffc410, size=0x4, access_size_min=0x1, access_size_max=0x4, 
access_fn=0x555556493360 <memory_region_write_accessor>, mr=0x62100002dcb0, 
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #26 0x0000555556491df6 in memory_region_dispatch_write (mr=0x62100002dcb0, 
addr=0x0, data=0xbebebebe, op=MO_32, attrs=...) at 
/home/alxndr/Development/qemu/memory.c:1476
  #27 0x00005555562cbbf4 in flatview_write_continue (fv=0x60600003e600, 
addr=0xe0000020, attrs=..., ptr=0x625000260000, len=0xfe0, addr1=0x0, l=0x4, 
mr=0x62100002dcb0) at /home/alxndr/Development/qemu/exec.c:3137
  #28 0x00005555562bbad9 in flatview_write (fv=0x60600003e600, addr=0xe0000000, 
attrs=..., buf=0x625000260000, len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3177
  #29 0x00005555562bb609 in address_space_write (as=0x62100002d328, 
addr=0xe0000000, attrs=..., buf=0x625000260000, len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3268
  #30 0x00005555562c06a6 in address_space_unmap (as=0x62100002d328, 
buffer=0x625000260000, len=0x1000, is_write=0x1, access_len=0x1000) at 
/home/alxndr/Development/qemu/exec.c:3592
  #31 0x0000555557257d73 in dma_memory_unmap (as=0x62100002d328, 
buffer=0x625000260000, len=0x1000, dir=DMA_DIRECTION_FROM_DEVICE, 
access_len=0x1000) at /home/alxndr/Development/qemu/include/sysemu/dma.h:145
  #32 0x0000555557257c57 in usb_packet_unmap (p=0x6110000484c0, 
sgl=0x611000048548) at /home/alxndr/Development/qemu/hw/usb/libhw.c:65
  #33 0x00005555572aa87e in ehci_execute_complete (q=0x60d000004f10) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1324
  #34 0x00005555572a7b8c in ehci_state_executing (q=0x60d000004f10) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:1973
  #35 0x00005555572b3685 in ehci_advance_state (ehci=0x62100002d9f0, async=0x1) 
at /home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2094
  #36 0x00005555572b2db9 in ehci_advance_async_state (ehci=0x62100002d9f0) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2152
  #37 0x00005555572a29c3 in ehci_work_bh (opaque=0x62100002d9f0) at 
/home/alxndr/Development/qemu/hw/usb/hcd-ehci.c:2320
  #38 0x0000555557bfba60 in aio_bh_call (bh=0x60400001cd90) at 
/home/alxndr/Development/qemu/util/async.c:136

  
  I can reproduce it in qemu 5.0 using the commands in the attachment:

  qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0 -machine q35 \
  -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,multifunction=on,id=ich9-ehci-1 \
  -device 
ich9-usb-uhci1,bus=pcie.0,addr=1d.0,multifunction=on,masterbus=ich9-ehci-1.0,firstport=0
 \
  -device 
ich9-usb-uhci2,bus=pcie.0,addr=1d.1,multifunction=on,masterbus=ich9-ehci-1.0,firstport=2
 \
  -device 
ich9-usb-uhci3,bus=pcie.0,addr=1d.2,multifunction=on,masterbus=ich9-ehci-1.0,firstport=4
 \
  -drive if=none,id=usbcdrom,media=cdrom \
  -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
  -device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom \
  -display none -nodefaults -nographic < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878323/+subscriptions
reply via email to
[Prev in Thread] Current Thread [Next in Thread]