[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1879227] Re: Assertion failure in e1000e_write_lgcy_rx_descr
From: |
Thomas Huth |
Subject: |
[Bug 1879227] Re: Assertion failure in e1000e_write_lgcy_rx_descr |
Date: |
Tue, 15 Jun 2021 18:16:17 -0000 |
According to some automatic bisecting, it seems like this was fixed by
this commit here:
commit c2cb511634012344e3d0fe49a037a33b12d8a98a
hw/net/e1000e: advance desc_offset in case of null descriptor
** Changed in: qemu
Status: Incomplete => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1879227
Title:
Assertion failure in e1000e_write_lgcy_rx_descr
Status in QEMU:
Fix Released
Bug description:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_lgcy_rx_descr:
qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283:
void e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *,
const E1000E_RSSInfo *, uint16_t): Assertion `!rss_info->enabled' failed.
Aborted
#3 0x00007ffff684d092 in __GI___assert_fail (assertion=0x5555583704c0 <str>
"!rss_info->enabled", file=0x555558361080 <str>
"/home/alxndr/Development/qemu/hw/net/e1000e_core.c", line=0x503,
function=0x555558370500 <__PRETTY_FUNCTION__.e1000e_write_lgcy_rx_descr> "void
e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const
E1000E_RSSInfo *, uint16_t)") at assert.c:101
#4 0x0000555557209937 in e1000e_write_lgcy_rx_descr (core=0x7fffee0dd4e0,
desc=0x7fffffff8720 "}}}}}}\253?", pkt=0x61100004b900, rss_info=0x7fffffff8c50,
length=0xcb) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283
#5 0x0000555557206b0b in e1000e_write_rx_descr (core=0x7fffee0dd4e0,
desc=0x7fffffff8720 "}}}}}}\253?", pkt=0x61100004b900, rss_info=0x7fffffff8c50,
ps_hdr_len=0x0, written=0x7fffffff87c0) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1360
#6 0x00005555571f8507 in e1000e_write_packet_to_guest (core=0x7fffee0dd4e0,
pkt=0x61100004b900, rxr=0x7fffffff8c30, rss_info=0x7fffffff8c50) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1607
#7 0x00005555571f5670 in e1000e_receive_iov (core=0x7fffee0dd4e0,
iov=0x61900004e780, iovcnt=0x4) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:1709
#8 0x00005555571f1afc in e1000e_nc_receive_iov (nc=0x614000007460,
iov=0x61900004e780, iovcnt=0x4) at
/home/alxndr/Development/qemu/hw/net/e1000e.c:213
#9 0x00005555571d5977 in net_tx_pkt_sendv (pkt=0x631000028800,
nc=0x614000007460, iov=0x61900004e780, iov_cnt=0x4) at
/home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:544
#10 0x00005555571d50e4 in net_tx_pkt_send (pkt=0x631000028800,
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:620
#11 0x00005555571d638f in net_tx_pkt_send_loopback (pkt=0x631000028800,
nc=0x614000007460) at /home/alxndr/Development/qemu/hw/net/net_tx_pkt.c:633
#12 0x000055555722b600 in e1000e_tx_pkt_send (core=0x7fffee0dd4e0,
tx=0x7fffee0fd748, queue_index=0x0) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:664
#13 0x0000555557229ca6 in e1000e_process_tx_desc (core=0x7fffee0dd4e0,
tx=0x7fffee0fd748, dp=0x7fffffff9440, queue_index=0x0) at
/home/alxndr/Development/qemu/hw/net/e1000e_core.c:743
#14 0x0000555557228ea5 in e1000e_start_xmit (core=0x7fffee0dd4e0,
txr=0x7fffffff9640) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:934
#15 0x000055555721c70f in e1000e_set_tdt (core=0x7fffee0dd4e0, index=0xe06,
val=0xcb) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:2451
#16 0x00005555571fa436 in e1000e_core_write (core=0x7fffee0dd4e0, addr=0x438,
val=0xcb, size=0x4) at /home/alxndr/Development/qemu/hw/net/e1000e_core.c:3261
#17 0x00005555571ed11c in e1000e_mmio_write (opaque=0x7fffee0da800,
addr=0x438, val=0xcb, size=0x4) at
/home/alxndr/Development/qemu/hw/net/e1000e.c:109
#18 0x00005555565e78b2 in memory_region_write_accessor (mr=0x7fffee0dd110,
addr=0x438, value=0x7fffffff9cb0, size=0x4, shift=0x0, mask=0xffffffff,
attrs=...) at /home/alxndr/Development/qemu/memory.c:483
#19 0x00005555565e7212 in access_with_adjusted_size (addr=0x438,
value=0x7fffffff9cb0, size=0x1, access_size_min=0x4, access_size_max=0x4,
access_fn=0x5555565e72e0 <memory_region_write_accessor>, mr=0x7fffee0dd110,
attrs=...) at /home/alxndr/Development/qemu/memory.c:544
#20 0x00005555565e5c31 in memory_region_dispatch_write (mr=0x7fffee0dd110,
addr=0x438, data=0xcb, op=MO_8, attrs=...) at
/home/alxndr/Development/qemu/memory.c:1476
#21 0x00005555563f04b9 in flatview_write_continue (fv=0x606000037880,
addr=0xe1020438, attrs=..., ptr=0x61900009ba80, len=0x1, addr1=0x438, l=0x1,
mr=0x7fffee0dd110) at /home/alxndr/Development/qemu/exec.c:3137
#22 0x00005555563df2dd in flatview_write (fv=0x606000037880, addr=0xe10200a8,
attrs=..., buf=0x61900009ba80, len=0x391) at
/home/alxndr/Development/qemu/exec.c:3177
I can reproduce this in qemu 5.0 using these qtest commands:
cat << EOF | ./qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001014
outl 0xcf8 0x80001004
outw 0xcfc 0x7
outl 0xcf8 0x800010a2
write 0xe1025008 0x4 0xfbffa3fa
write 0xed040c 0x3 0x080047
write 0xe1020077 0x3c2
0xce0004ed0000000000cb008405120002e100000000ff000801ffff02ce0004ed0000000000cb008405120002e100000000ff000a01ffff02ce0004ed0000000000cb008405120002e100000000ff000c01ffff02ce0004ed0000000000cb008405120002e100000000ff000e01ffff02ce0004ed0000000000cb008405120002e100000000ff001001ffff02ce0004ed0000000000cb008405120002e100000000ff001201ffff02ce0004ed0000000000cb008405120002e100000000ff001401ffff02ce0004ed0000000000cb008405120002e100000000ff001601ffff02ce0004ed0000000000cb008405120002e100000000ff001801ffff02ce0004ed0000000000cb008405120002e100000000ff001a01ffff02ce0004ed0000000000cb008405120002e100000000ff001c01ffff02ce0004ed0000000000cb008405120002e100000000ff001e01ffff02ce0004ed0000000000cb008405120002e100000000ff002001ffff02ce0004ed0000000000cb008405120002e100000000ff002201ffff02ce0004ed0000000000cb008405120002e100000000ff002401ffff02ce0004ed0000000000cb008405120002e100000000ff002601ffff02ce0004ed0000000000cb008405120002e100000000ff002801ffff02ce0004ed0000000000cb008405120002e100000000ff002a01ffff02ce0004ed0000000000cb008405120002e100000000ff002c01ffff02ce0004ed0000000000cb008405120002e100000000ff002e01ffff02ce0004ed0000000000cb008405120002e100000000ff003001ffff02ce0004ed0000000000cb008405120002e100000000ff003201ffff02ce0004ed0000000000cb008405120002e100000000ff003401ffff02ce0004ed0000000000cb008405120002e100000000ff003601ffff02ce0004ed0000000000cb008405120002e100000000ff003801ffff02ce0004ed0000000000cb008405120002e100000000ff003a01ffff02ce0004ed0000000000cb008405120002e100000000ff003c01ffff02ce0004ed0000000000cb008405120002e100000000ff003e01ffff02ce0004ed0000000000cb008405120002e100000000ff004001ffff02ce0004ed0000000000cb008405120002e100000000ff004201ffff02ce0004ed0000000000cb008405120002e100000000ff004401ffff02ce0004ed0000000000cb008405120002e100000000ff004601ffff02ce0004ed0000000000cb008405120002e100000000ff004801ffff02ce0004ed0000000000cb008405120002e100000000ff004a01ffff02ce0004ed0000000000cb
EOF
Also attaching them to this report, in case they are formatted incorrectly:
./qemu-system-i386 \
-qtest stdio -nographic -monitor none -serial none \
-M pc-q35-5.0 < attachment
Please let me know if I can provide any further info.
-Alex
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1879227/+subscriptions