From: Thomas Huth <1879223@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Date: Tue, 15 Jun 2021 18:13:18 -0000
Subject: [Bug 1879223] Re: Assertion failure in e1000e_write_rx_descr
Message-Id: <162378079900.13849.6282565419157854727.malone@wampee.canonical.com>
References: <158977172716.23291.11597359138247442087.malonedeb@gac.canonical.com>
Reply-To: Bug 1879223 <1879223@bugs.launchpad.net>

According to some automatic bisecting, it seems like this was fixed by this commit here:

commit c2cb511634012344e3d0fe49a037a33b12d8a98a (refs/bisect/bad)
hw/net/e1000e: advance desc_offset in case of null descriptor

** Changed in: qemu
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879223

Title:
  Assertion failure in e1000e_write_rx_descr

Status in QEMU:
  Fix Released

Bug description:
  Hello,
  While fuzzing, I found an input which triggers an assertion failure in e1000e_write_rx_descr:

  qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1359: void e1000e_write_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const E1000E_RSSInfo *, size_t, uint16_t (*)[4]): Assertion `ps_hdr_len == 0' failed.
  Aborted

  #3  0x00007ffff684d092 in __GI___assert_fail (assertion=0x5555583703e0 "ps_hdr_len == 0", file=0x555558361080 "/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x54f, function=0x555558370420 <__PRETTY_FUNCTION__.e1000e_write_rx_descr> "void e1000e_write_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const E1000E_RSSInfo *, size_t, uint16_t (*)[4])") at assert.c:101
  #4  0x0000555557206a58 in e1000e_write_rx_descr (core=0x7fffee0dd4e0, desc=0x7fffffff8720 "", pkt=0x0, rss_info=0x7fffffff8c50, ps_hdr_len=0x2a, written=0x7fffffff87c0) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1359
  #5  0x00005555571f8507 in e1000e_write_packet_to_guest (core=0x7fffee0dd4e0, pkt=0x61100004b900, rxr=0x7fffffff8c30, rss_info=0x7fffffff8c50) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1607
  #6  0x00005555571f5670 in e1000e_receive_iov (core=0x7fffee0dd4e0, iov=0x61900004e780, iovcnt=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
  #7  0x00005555571f1afc in e1000e_nc_receive_iov (nc=0x614000007460, iov=0x61900004e780, iovcnt=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e.c:213
  #8  0x00005555571d5977 in net_tx_pkt_sendv (pkt=0x631000028800, nc=0x614000007460, iov=0x61900004e780, iov_cnt=0x4) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
  #9  0x00005555571d50e4 in net_tx_pkt_send (pkt=0x631000028800, nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
  #10 0x00005555571d638f in net_tx_pkt_send_loopback (pkt=0x631000028800, nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
  #11 0x000055555722b600 in e1000e_tx_pkt_send (core=0x7fffee0dd4e0, tx=0x7fffee0fd748, queue_index=0x0) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
  #12 0x0000555557229ca6 in e1000e_process_tx_desc (core=0x7fffee0dd4e0, tx=0x7fffee0fd748, dp=0x7fffffff9440, queue_index=0x0) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
  #13 0x0000555557228ea5 in e1000e_start_xmit (core=0x7fffee0dd4e0, txr=0x7fffffff9640) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
  #14 0x000055555721c70f in e1000e_set_tdt (core=0x7fffee0dd4e0, index=0xe06, val=0xcb) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
  #15 0x00005555571fa436 in e1000e_core_write (core=0x7fffee0dd4e0, addr=0x438, val=0xcb, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
  #16 0x00005555571ed11c in e1000e_mmio_write (opaque=0x7fffee0da800, addr=0x438, val=0xcb, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e.c:109
  #17 0x00005555565e78b2 in memory_region_write_accessor (mr=0x7fffee0dd110, addr=0x438, value=0x7fffffff9cb0, size=0x4, shift=0x0, mask=0xffffffff, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #18 0x00005555565e7212 in access_with_adjusted_size (addr=0x438, value=0x7fffffff9cb0, size=0x1, access_size_min=0x4, access_size_max=0x4, access_fn=0x5555565e72e0 , mr=0x7fffee0dd110, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #19 0x00005555565e5c31 in memory_region_dispatch_write (mr=0x7fffee0dd110, addr=0x438, data=0xcb, op=MO_8, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
  #20 0x00005555563f04b9 in flatview_write_continue (fv=0x606000037880, addr=0xe1020438, attrs=..., ptr=0x61900009ba80, len=0x1, addr1=0x438, l=0x1, mr=0x7fffee0dd110) at /home/alxndr/Development/qemu/exec.c:3137
  #21 0x00005555563df2dd in flatview_write (fv=0x606000037880, addr=0xe1020077, attrs=..., buf=0x61900009ba80, len=0x3c2) at /home/alxndr/Development/qemu/exec.c:3177
  #22 0x00005555563deded in address_space_write (as=0x6080000027a0, addr=0xe1020077, attrs=..., buf=0x61900009ba80, len=0x3c2) at /home/alxndr/Development/qemu/exec.c:3268

  I can reproduce this in qemu 5.0 using these qtest commands:

  cat << EOF | ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001014
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x800010a2
  write 0xe1025008 0x4 0xfbffa3fa
  write 0xed040c 0x3 0x080047
  write 0xe1020077 0x3c2 0xce0004ed0000000000cb008405120002e100000000ff000801ffff02ce0004ed0000000000cb008405120002e100000000ff000a01ffff02ce0004ed0000000000cb008405120002e100000000ff000c01ffff02ce0004ed0000000000cb008405120002e100000000ff000e01ffff02ce0004ed0000000000cb008405120002e100000000ff001001ffff02ce0004ed0000000000cb008405120002e100000000ff001201ffff02ce0004ed0000000000cb008405120002e100000000ff001401ffff02ce0004ed0000000000cb008405120002e100000000ff001601ffff02ce0004ed0000000000cb008405120002e100000000ff001801ffff02ce0004ed0000000000cb008405120002e100000000ff001a01ffff02ce0004ed0000000000cb008405120002e100000000ff001c01ffff02ce0004ed0000000000cb008405120002e100000000ff001e01ffff02ce0004ed0000000000cb008405120002e100000000ff002001ffff02ce0004ed0000000000cb008405120002e100000000ff002201ffff02ce0004ed0000000000cb008405120002e100000000ff002401ffff02ce0004ed0000000000cb008405120002e100000000ff002601ffff02ce0004ed0000000000cb008405120002e100000000ff002801ffff02ce0004ed0000000000cb008405120002e100000000ff002a01ffff02ce0004ed0000000000cb008405120002e100000000ff002c01ffff02ce0004ed0000000000cb008405120002e100000000ff002e01ffff02ce0004ed0000000000cb008405120002e100000000ff003001ffff02ce0004ed0000000000cb008405120002e100000000ff003201ffff02ce0004ed0000000000cb008405120002e100000000ff003401ffff02ce0004ed0000000000cb008405120002e100000000ff003601ffff02ce0004ed0000000000cb008405120002e100000000ff003801ffff02ce0004ed0000000000cb008405120002e100000000ff003a01ffff02ce0004ed0000000000cb008405120002e100000000ff003c01ffff02ce0004ed0000000000cb008405120002e100000000ff003e01ffff02ce0004ed0000000000cb008405120002e100000000ff004001ffff02ce0004ed0000000000cb008405120002e100000000ff004201ffff02ce0004ed0000000000cb008405120002e100000000ff004401ffff02ce0004ed0000000000cb008405120002e100000000ff004601ffff02ce0004ed0000000000cb008405120002e100000000ff004801ffff02ce0004ed0000000000cb008405120002e100000000ff004a01ffff02ce0004ed0000000000cb
  EOF

  Also attaching them to this report, in case they are formatted incorrectly:

  ./qemu-system-i386 \
  -qtest stdio -nographic -monitor none -serial none \
  -M pc-q35-5.0 < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879223/+subscriptions
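As an added example (not part of the bug report, the mailing-list thread or QEMU's own code), the script below does the triage checks a reader of this mail would want: it undoes the quoted-printable wrapping of the quoted reproducer, verifies that every qtest `write` carries exactly as many bytes as it declares (the "formatted incorrectly" worry the reporter raises), recovers the device's BAR0 from the 0xcf8/0xcfc config-space writes, and reports where the first and last byte of each MMIO write land, so the result can be compared with the `e1000e_core_write (addr=0x438, val=0xcb)` and `flatview_write (addr=0xe1020077, len=0x3c2)` frames in the backtrace. The input string is constructed from the reproducer lines in the mail; the 128 KiB BAR window used to classify writes as MMIO is an assumption.

```python
import quopri

# Constructed input: the reporter's qtest commands copied from the quoted-printable mail
# body as they appear there (soft breaks end in "="), without the cat/EOF shell wrapper.
QP_REPRODUCER = """\
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0xe1025008 0x4 0xfbffa3fa
write 0xed040c 0x3 0x080047
write 0xe1020077 0x3c2 0xce0004ed0000000000cb008405120002e100000000ff0008=
01ffff02ce0004ed0000000000cb008405120002e100000000ff000a01ffff02ce0004ed000=
0000000cb008405120002e100000000ff000c01ffff02ce0004ed0000000000cb0084051200=
02e100000000ff000e01ffff02ce0004ed0000000000cb008405120002e100000000ff00100=
1ffff02ce0004ed0000000000cb008405120002e100000000ff001201ffff02ce0004ed0000=
000000cb008405120002e100000000ff001401ffff02ce0004ed0000000000cb00840512000=
2e100000000ff001601ffff02ce0004ed0000000000cb008405120002e100000000ff001801=
ffff02ce0004ed0000000000cb008405120002e100000000ff001a01ffff02ce0004ed00000=
00000cb008405120002e100000000ff001c01ffff02ce0004ed0000000000cb008405120002=
e100000000ff001e01ffff02ce0004ed0000000000cb008405120002e100000000ff002001f=
fff02ce0004ed0000000000cb008405120002e100000000ff002201ffff02ce0004ed000000=
0000cb008405120002e100000000ff002401ffff02ce0004ed0000000000cb008405120002e=
100000000ff002601ffff02ce0004ed0000000000cb008405120002e100000000ff002801ff=
ff02ce0004ed0000000000cb008405120002e100000000ff002a01ffff02ce0004ed0000000=
000cb008405120002e100000000ff002c01ffff02ce0004ed0000000000cb008405120002e1=
00000000ff002e01ffff02ce0004ed0000000000cb008405120002e100000000ff003001fff=
f02ce0004ed0000000000cb008405120002e100000000ff003201ffff02ce0004ed00000000=
00cb008405120002e100000000ff003401ffff02ce0004ed0000000000cb008405120002e10=
0000000ff003601ffff02ce0004ed0000000000cb008405120002e100000000ff003801ffff=
02ce0004ed0000000000cb008405120002e100000000ff003a01ffff02ce0004ed000000000=
0cb008405120002e100000000ff003c01ffff02ce0004ed0000000000cb008405120002e100=
000000ff003e01ffff02ce0004ed0000000000cb008405120002e100000000ff004001ffff0=
2ce0004ed0000000000cb008405120002e100000000ff004201ffff02ce0004ed0000000000=
cb008405120002e100000000ff004401ffff02ce0004ed0000000000cb008405120002e1000=
00000ff004601ffff02ce0004ed0000000000cb008405120002e100000000ff004801ffff02=
ce0004ed0000000000cb008405120002e100000000ff004a01ffff02ce0004ed0000000000cb
"""


def decode_qp(text):
    """Undo quoted-printable encoding: join soft line breaks, expand =XX escapes."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def parse_qtest(script):
    """('write', addr, length, hexdata) for writes, (cmd, int args...) otherwise."""
    cmds = []
    for parts in (line.split() for line in script.splitlines() if line.strip()):
        if parts[0] == "write":  # write <addr> <len> 0x<hex>; strip the 0x prefix
            cmds.append(("write", int(parts[1], 16), int(parts[2], 16), parts[3][2:]))
        else:
            cmds.append((parts[0], *[int(a, 16) for a in parts[1:]]))
    return cmds


def check_writes(cmds):
    """Compare each write's declared byte count with the hex payload actually given."""
    report = []
    for _, addr, declared, hexdata in (c for c in cmds if c[0] == "write"):
        actual = len(hexdata) // 2 if len(hexdata) % 2 == 0 else None  # odd hex = garbled
        report.append({"addr": addr, "declared": declared, "actual": actual, "ok": actual == declared})
    return report


def pci_config_writes(cmds):
    """Pair each CONFIG_ADDRESS (0xcf8) select with the CONFIG_DATA (0xcfc) write after it.
    Returns {(bus, dev, fn, reg): value}; a select never followed by data is dropped."""
    writes, sel = {}, None
    for c in cmds:
        if c[0] == "outl" and c[1] == 0xcf8:
            a = c[2]
            sel = ((a >> 16) & 0xff, (a >> 11) & 0x1f, (a >> 8) & 0x7, a & 0xfc)
        elif c[0] in ("outb", "outw", "outl") and c[1] == 0xcfc and sel is not None:
            writes[sel], sel = c[2], None
    return writes


def mmio_writes_in_bar(cmds, bar_base, window=0x20000):
    """(first_offset, last_offset, last_byte) for writes inside the BAR window.
    The 128 KiB default window is an assumption about the e1000e BAR0 size."""
    hits = []
    for c in cmds:
        if c[0] == "write" and bar_base <= c[1] < bar_base + window:
            first = c[1] - bar_base
            hits.append((first, first + c[2] - 1, bytes.fromhex(c[3])[-1]))
    return hits


if __name__ == "__main__":
    cmds = parse_qtest(decode_qp(QP_REPRODUCER))
    print(check_writes(cmds))
    bar0 = pci_config_writes(cmds)[(0, 2, 0, 0x10)] & ~0xf
    print(hex(bar0), [tuple(map(hex, h)) for h in mmio_writes_in_bar(cmds, bar0)])
```

Run as-is, the length check passes for all three writes (the 0x3c2 payload really is 962 bytes once the soft breaks are joined), BAR0 of device 00:02.0 comes out as 0xe1020000, and the 0x3c2-byte write starts at register offset 0x77 and ends at offset 0x438 with the byte 0xcb, which is exactly the single-byte `e1000e_core_write (addr=0x438, val=0xcb)` that the backtrace shows reaching `e1000e_set_tdt` and kicking off the transmit path.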