
[Bug 1878255] Re: Assertion failure in bdrv_aio_cancel, through ide


From: Alexander Bulekov
Subject: [Bug 1878255] Re: Assertion failure in bdrv_aio_cancel, through ide
Date: Sat, 30 May 2020 17:17:02 -0000

> Not all of those register writes are actually important for the bug,
> so I simplified them to the fewest writes and fewest bits.

Thanks for bringing this up. I tried to trim long write commands from
both "sides", but there can still be useless data in the middle. I'll
work on something that can split them up so only the relevant data
remains in the future.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1878255

Title:
  Assertion failure in bdrv_aio_cancel, through ide

Status in QEMU:
  New

Bug description:
  Hello,
  While fuzzing, I found an input that triggers an assertion failure in bdrv_aio_cancel, through ide:

  #1  0x00007ffff685755b in __GI_abort () at abort.c:79
  #2  0x0000555556a8d396 in bdrv_aio_cancel (acb=0x607000061290) at /home/alxndr/Development/qemu/block/io.c:2746
  #3  0x0000555556a58525 in blk_aio_cancel (acb=0x2) at /home/alxndr/Development/qemu/block/block-backend.c:1540
  #4  0x0000555556552f5b in ide_reset (s=<optimized out>) at /home/alxndr/Development/qemu/hw/ide/core.c:1318
  #5  0x0000555556552aeb in ide_bus_reset (bus=0x62d000017398) at /home/alxndr/Development/qemu/hw/ide/core.c:2422
  #6  0x0000555556579ba5 in ahci_reset_port (s=<optimized out>, port=<optimized out>) at /home/alxndr/Development/qemu/hw/ide/ahci.c:650
  #7  0x000055555657bd8d in ahci_port_write (s=0x61e000014d70, port=0x2, offset=<optimized out>, val=0x10) at /home/alxndr/Development/qemu/hw/ide/ahci.c:360
  #8  0x000055555657bd8d in ahci_mem_write (opaque=<optimized out>, addr=<optimized out>, val=<optimized out>, size=<optimized out>) at /home/alxndr/Development/qemu/hw/ide/ahci.c:513
  #9  0x00005555560028d7 in memory_region_write_accessor (mr=<optimized out>, addr=<optimized out>, value=<optimized out>, size=<optimized out>, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:483
  #10 0x0000555556002280 in access_with_adjusted_size (addr=<optimized out>, value=<optimized out>, size=<optimized out>, access_size_min=<optimized out>, access_size_max=<optimized out>, access_fn=<optimized out>, mr=0x61e000014da0, attrs=...) at /home/alxndr/Development/qemu/memory.c:544
  #11 0x0000555556002280 in memory_region_dispatch_write (mr=<optimized out>, addr=<optimized out>, data=0x10, op=<optimized out>, attrs=...) at /home/alxndr/Development/qemu/memory.c:1476
  #12 0x0000555555f171d4 in flatview_write_continue (fv=<optimized out>, addr=0xe106c22c, attrs=..., ptr=<optimized out>, len=0x1, addr1=0x7fffffffb8d0, l=<optimized out>, mr=0x61e000014da0) at /home/alxndr/Development/qemu/exec.c:3137
  #13 0x0000555555f0fb98 in flatview_write (fv=0x60600003b180, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /home/alxndr/Development/qemu/exec.c:3177

  I can reproduce it in qemu 5.0 using:

  cat << EOF | ~/Development/qemu/build/i386-softmmu/qemu-system-i386 -qtest stdio -monitor none -serial none -M pc-q35-5.0 -nographic
  outl 0xcf8 0x8000fa24
  outl 0xcfc 0xe106c000
  outl 0xcf8 0x8000fa04
  outw 0xcfc 0x7
  outl 0xcf8 0x8000fb20
  write 0x0 0x3 0x2780e7
  write 0xe106c22c 0xd 0x1130c218021130c218021130c2
  write 0xe106c218 0x15 0x110010110010110010110010110010110010110010
  EOF

  I also attached the commands to this launchpad report, in case the
  formatting is broken:

  qemu-system-i386 -qtest stdio -monitor none -serial none -M pc-q35-5.0 -nographic < attachment

  Please let me know if I can provide any further info.
  -Alex

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1878255/+subscriptions
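When triaging a fuzzer reproducer like the one in this report, it helps to decode the qtest commands instead of reading raw port numbers and addresses. The script below is an added example, not part of the bug report or of QEMU; it assumes the standard PCI CONFIG_ADDRESS field layout, the AHCI 1.x register map, and that the pc-q35 machine's AHCI controller sits at 00:1f.2 with its ABAR in BAR5.

```python
# Copied verbatim from the report's reproducer (qtest commands, one per line).
REPRO = """\
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe106c000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x7
outl 0xcf8 0x8000fb20
write 0x0 0x3 0x2780e7
write 0xe106c22c 0xd 0x1130c218021130c218021130c2
write 0xe106c218 0x15 0x110010110010110010110010110010110010110010
"""

# AHCI 1.x MMIO layout: generic host control below 0x100, then 0x80 bytes per port.
AHCI_PORT_BASE, AHCI_PORT_SIZE = 0x100, 0x80
PORT_REGS = {0x00: "PxCLB", 0x04: "PxCLBU", 0x08: "PxFB", 0x0c: "PxFBU", 0x10: "PxIS",
             0x14: "PxIE", 0x18: "PxCMD", 0x20: "PxTFD", 0x24: "PxSIG", 0x28: "PxSSTS",
             0x2c: "PxSCTL", 0x30: "PxSERR", 0x34: "PxSACT", 0x38: "PxCI"}
PCI_REGS = {0x04: "COMMAND/STATUS", 0x20: "BAR4", 0x24: "BAR5"}
Q35_AHCI = (0x1f, 2)  # assumption: ICH9 AHCI controller at 00:1f.2 on pc-q35

def decode_cf8(v):
    """Split a PCI CONFIG_ADDRESS (port 0xcf8) value into its fields."""
    return {"bus": (v >> 16) & 0xff, "dev": (v >> 11) & 0x1f,
            "fn": (v >> 8) & 0x7, "reg": v & 0xfc, "enable": bool(v >> 31)}

def decode_qtest(script):
    """Annotate each qtest command; returns one string per effective write."""
    cfg, abar, out = None, None, []
    for line in script.strip().splitlines():
        op, *args = line.split()
        vals = [int(a, 16) for a in args]
        if op == "outl" and vals[0] == 0xcf8:          # select a config register
            cfg = decode_cf8(vals[1])
        elif op in ("outb", "outw", "outl") and vals[0] == 0xcfc and cfg:
            reg = PCI_REGS.get(cfg["reg"], "reg 0x%02x" % cfg["reg"])
            out.append("pci %02x:%02x.%d %s <- 0x%x" % (
                cfg["bus"], cfg["dev"], cfg["fn"], reg, vals[1]))
            if (cfg["dev"], cfg["fn"]) == Q35_AHCI and cfg["reg"] == 0x24:
                abar = vals[1] & ~0xf                    # BAR5 = AHCI ABAR (MMIO)
        elif op == "write" and abar is not None and 0 <= vals[0] - abar < 0x1100:
            off = vals[0] - abar
            if off >= AHCI_PORT_BASE:
                port, preg = divmod(off - AHCI_PORT_BASE, AHCI_PORT_SIZE)
                where = "port %d %s" % (port, PORT_REGS.get(preg, "+0x%x" % preg))
            else:
                where = "HBA +0x%x" % off
            out.append("ahci %s <- %d bytes" % (where, vals[1]))
        else:
            out.append("other: " + line)
    return out
```

Decoded, the reproducer enables the AHCI controller, maps its ABAR at 0xe106c000, and then writes byte streams into port 2's PxSCTL and PxCMD registers, which matches ahci_port_write(port=0x2) reaching ahci_reset_port in the trace above.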


