From: Alexander Bulekov <1892962@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1892962] Re: Segfault in usb_bus_from_device
Date: Mon, 14 Jun 2021 23:52:39 -0000	[thread overview]
Message-ID: <162371476003.10319.184913073577116179.malone@soybean.canonical.com> (raw)
In-Reply-To: 159840670040.15692.684020983379862709.malonedeb@soybean.canonical.com

OSS-Fuzz never came across this one. Probably fixed.

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1892962

Title:
  Segfault in usb_bus_from_device

Status in QEMU:
  Incomplete

Bug description:
  Hello,
  Reproducer:

  cat << EOF | ./qemu-system-i386 -machine q35 \
  -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\
  multifunction=on,id=ich9-ehci-1 \
  -device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,\
  multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \
  -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \
  -display none -nodefaults -qtest stdio -accel qtest
  outl 0xcf8 0x8000e803
  outl 0xcfc 0xff00ff00
  outl 0xcf8 0x8000e821
  outb 0xcfc 0xff
  outl 0xff10 0x8500057e
  clock_step
  clock_step
  outb 0xff00 0x49
  write 0x2 0x1 0x40
  write 0x400006 0x1 0xfb
  write 0x400008 0x1 0x2d
  write 0x40000a 0x1 0xe0
  write 0x40000c 0x1 0x16
  write 0x40000e 0x1 0xfa
  write 0xfa001c 0x1 0x04
  clock_step
  write 0x400006 0x1 0xfb
  write 0xfa001d 0x1 0xff
  clock_step
  write 0x8 0x1 0xe0
  write 0xa 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x1600e8 0x1 0xe1
  write 0x1600eb 0x1 0x30
  clock_step
  clock_step
  write 0x10 0x1 0xe0
  write 0x12 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x6 0x1 0x9c
  write 0x8 0x1 0xe1
  write 0xa 0x1 0x40
  write 0xb 0x1 0x30
  clock_step
  write 0x14 0x1 0xe0
  write 0x16 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x6 0x1 0x9c
  clock_step
  write 0x18 0x1 0xe0
  write 0x1a 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x6 0x1 0x9c
  clock_step
  write 0x1c 0x1 0xe0
  write 0x1e 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x6 0x1 0x9c
  clock_step
  write 0x20 0x1 0xe0
  write 0x22 0x1 0x16
  write 0x1600e6 0x1 0x9c
  write 0x6 0x1 0x9c
  clock_step
  EOF

  The trace:

  ...
  [S +0.087589] OK
  [R +0.087596] write 0x1600e6 0x1 0x9c
  OK
  [S +0.087603] OK
  [R +0.087655] write 0x6 0x1 0x9c
  OK
  [S +0.087667] OK
  [R +0.087675] clock_step
  784168@1598406646.189133:usb_uhci_frame_start nr 8
  784168@1598406646.189141:usb_uhci_td_load qh 0x0, td 0x1600e0, ctrl 0x9c0180, token 0x300000e1
  784168@1598406646.189147:usb_uhci_packet_add token 0x0, td 0x1600e0
  784168@1598406646.189151:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state undef -> setup
  784168@1598406646.189161:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state setup -> complete
  784168@1598406646.189165:usb_uhci_packet_complete_success token 0x0, td 0x1600e0
  784168@1598406646.189168:usb_uhci_packet_del token 0x0, td 0x1600e0
  784168@1598406646.189174:usb_uhci_td_complete qh 0x0, td 0x1600e0
  784168@1598406646.189179:usb_uhci_td_load qh 0x0, td 0x0, ctrl 0x9c0182, token 0x304000e1
  784168@1598406646.189183:usb_uhci_packet_add token 0x0, td 0x0
  784168@1598406646.189187:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043d40, state undef -> setup
  /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'USBDevice' (aka 'struct USBDevice')
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in 
  /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'DeviceState' (aka 'struct DeviceState')
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in 
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==784168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x5599c43df445 bp 0x7ffec2833e50 sp 0x7ffec2833dc0 T0)
  ==784168==The signal is caused by a READ memory access.
  ==784168==Hint: address points to the zero page.
      #0 0x5599c43df445 in usb_bus_from_device /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12
      #1 0x5599c43ea95c in usb_packet_set_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:549:23
      #2 0x5599c43e8abd in usb_handle_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:438:17
      #3 0x5599c4b02497 in uhci_handle_td /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:892:9
      #4 0x5599c4afbd26 in uhci_process_frame /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1075:15
      #5 0x5599c4aed2e3 in uhci_frame_timer /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1174:9
      #6 0x5599c7620917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9
      #7 0x5599c7620e51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12
      #8 0x5599c5f35a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9
      #9 0x5599c61225d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9
      #10 0x5599c611063e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
      #11 0x5599c610f3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
      #12 0x5599c7215762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
      #13 0x5599c72158aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
      #14 0x5599c723b514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
      #15 0x5599c7127736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
      #16 0x7f62623914cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
      #17 0x5599c76b2c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
      #18 0x5599c76b0567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
      #19 0x5599c76aff47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
      #20 0x5599c5e8e08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
      #21 0x5599c382051c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
      #22 0x7f6261b9acc9 in __libc_start_main csu/../csu/libc-start.c:308:16
      #23 0x5599c3775cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in usb_bus_from_device
  ==784168==ABORTING

  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1892962/+subscriptions
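The sanitizer output quoted in the bug is the kind of artifact a fuzzing pipeline has to bucket automatically, and the reply's remark that OSS-Fuzz never saw this crash comes down to whether its stack signature matched any known bucket. As an added example (my own code, not part of this thread and not QEMU or OSS-Fuzz code), the following Python parses a trimmed copy of the UBSan/ASan report above, pulls out the fault address, access type and symbolized frames, flags the zero-page read as a null-pointer dereference rather than a memory-corruption bug, and derives a top-three-frame signature that stays stable when ASLR shifts the raw addresses between runs. The bucketing depth and the triage labels are assumptions of mine, not any tool's convention.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy (frames #0-#6 only) of the UBSan + ASan
# output quoted in the bug report. Only the formatting matters here.
SAMPLE_TRACE = """\
/home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'USBDevice' (aka 'struct USBDevice')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==784168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x5599c43df445 bp 0x7ffec2833e50 sp 0x7ffec2833dc0 T0)
==784168==The signal is caused by a READ memory access.
==784168==Hint: address points to the zero page.
    #0 0x5599c43df445 in usb_bus_from_device /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12
    #1 0x5599c43ea95c in usb_packet_set_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:549:23
    #2 0x5599c43e8abd in usb_handle_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:438:17
    #3 0x5599c4b02497 in uhci_handle_td /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:892:9
    #4 0x5599c4afbd26 in uhci_process_frame /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1075:15
    #5 0x5599c4aed2e3 in uhci_frame_timer /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1174:9
    #6 0x5599c7620917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in usb_bus_from_device
==784168==ABORTING
"""

# Line shapes emitted by the two sanitizers (symbolized ASan stack frames,
# the SEGV header, the access-direction hint, and UBSan "runtime error" lines).
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.+?)\s*$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")
SEGV_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
UBSAN_RE = re.compile(r"^(?P<file>\S+?):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.*)$")

ZERO_PAGE_LIMIT = 0x1000  # assumption: faults below one page are treated as NULL + small offset


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str]   # None for frames symbolized only to a module+offset
    line: Optional[int]


@dataclass
class CrashReport:
    sanitizer_kind: Optional[str] = None       # e.g. "SEGV"
    fault_address: Optional[int] = None
    access: Optional[str] = None               # "READ" or "WRITE"
    ubsan_errors: List[Tuple[str, int, str]] = field(default_factory=list)
    frames: List[Frame] = field(default_factory=list)

    @property
    def is_null_page_deref(self) -> bool:
        return self.fault_address is not None and self.fault_address < ZERO_PAGE_LIMIT

    def bucket_key(self, depth: int = 3) -> str:
        """Signature from the top `depth` function names only, so reruns with
        different load addresses (or a different build directory) collide."""
        funcs = "|".join(f.func for f in self.frames[:depth])
        return hashlib.sha1(funcs.encode()).hexdigest()[:12]

    def triage_label(self) -> str:
        """Coarse severity hint (my own labels): a read from the zero page is a
        NULL-pointer dereference, i.e. a crash/DoS class bug, not a write primitive."""
        access = self.access or "access"
        if self.sanitizer_kind == "SEGV" and self.is_null_page_deref:
            return f"null-pointer {access} (denial-of-service class, not memory corruption)"
        if self.sanitizer_kind == "SEGV":
            return f"wild {access} at 0x{self.fault_address:x} (needs manual review)"
        return self.sanitizer_kind or "unknown"


def parse_sanitizer_report(text: str) -> CrashReport:
    """Walk the report line by line and fill a CrashReport; unknown lines are ignored."""
    rep = CrashReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = UBSAN_RE.match(line)
        if m:
            rep.ubsan_errors.append((m["file"], int(m["line"]), m["msg"]))
            continue
        m = SEGV_RE.search(line)
        if m:
            rep.sanitizer_kind = m["kind"]
            rep.fault_address = int(m["addr"], 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            rep.access = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            loc = LOC_RE.match(m["loc"])
            rep.frames.append(Frame(int(m["n"]), m["func"],
                                    loc["file"] if loc else None,
                                    int(loc["line"]) if loc else None))
    return rep


if __name__ == "__main__":
    rep = parse_sanitizer_report(SAMPLE_TRACE)
    print(rep.triage_label())
    print("bucket:", rep.bucket_key(), [f.func for f in rep.frames[:3]])
```

Run stand-alone it prints the null-pointer label and a bucket derived from usb_bus_from_device / usb_packet_set_state / usb_handle_packet; feeding it the same crash from a second build with different addresses yields the same bucket, which is the property a dedup system needs before it can say whether a crash "never came across".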



Thread overview: 4+ messages
2020-08-26  1:51 [Bug 1892962] [NEW] Segfault in usb_bus_from_device Alexander Bulekov
2021-05-17 19:17 ` [Bug 1892962] " Thomas Huth
2021-06-14 23:52 ` Alexander Bulekov [this message]
2021-06-16  9:42 ` Thomas Huth
