hcd-xhci.c

Alexander Bulekov Tue, 03 Nov 2020 06:31:17 -0800

*** This bug is a duplicate of bug 1883732 ***
    https://bugs.launchpad.net/bugs/1883732


This looks like a duplicate of
https://bugs.launchpad.net/qemu/+bug/1883732

** This bug has been marked a duplicate of bug 1883732
   xhci_kick_epctx: Assertion `ring->dequeue != 0' failed.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1902612

Title:
  assert issue locates in xhci_kick_epctx() in  hw/usb/hcd-xhci.c

Status in QEMU:
  New

Bug description:
  Hello,

  I found an assertion failure through hw/usb/hcd-xhci.c.

  This was found in latest version 5.1.0.

  An assertion-failure flaw was found in xhci_kick_epctx() in  hw/usb
  /hcd-xhci.c .  XHCI  slot's endpoint context is enabled in
  xhci_configure_slot(), whose ep_ctx structure is controlled by user.
  With uninitialized endPoint context  could trigger
  assert(ring->dequeue != 0).    The guest system could use this flaw to
  crash the qemu resulting in denial of service.

  To reproduce the assertion failure, please run the QEMU with following
  command line.

  $ qemu-system-x86_64 -enable-kvm -boot c -m 2G -drive
  format=qcow2,file=./ubuntu.img -nic
  user,model=rtl8139,hostfwd=tcp:0.0.0.0:5555-:22 -device nec-usb-
  xhci,id=xhci -device usb-tablet,bus=xhci.0,port=1,id=usbdev1

  The poc is attached.

  Backtrace is as follows:
  #0  0x00007f6dfd4c4f47 in __GI_raise (sig=sig@entry=0x6) at 
../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007f6dfd4c68b1 in __GI_abort () at abort.c:79
  #2  0x00007f6dfd4b642a in __assert_fail_base (fmt=0x7f6dfd63da38 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55e9b9d38a64 
"ring->dequeue != 0", file=file@entry=0x55e9b9d388c0 "hw/usb/hcd-xhci.c", 
line=line@entry=0x7a3, function=function@entry=0x55e9b9d3a5c0 
<__PRETTY_FUNCTION__.29754> "xhci_kick_epctx") at assert.c:92
  #3  0x00007f6dfd4b64a2 in __GI___assert_fail 
(assertion=assertion@entry=0x55e9b9d38a64 "ring->dequeue != 0", 
file=file@entry=0x55e9b9d388c0 "hw/usb/hcd-xhci.c", line=line@entry=0x7a3, 
function=function@entry=0x55e9b9d3a5c0 <__PRETTY_FUNCTION__.29754> 
"xhci_kick_epctx") at assert.c:101
  #4  0x000055e9b9a3292f in xhci_kick_epctx (epctx=0x7f6da836b510, 
streamid=streamid@entry=0x0) at hw/usb/hcd-xhci.c:1955
  #5  0x000055e9b9a3c64b in xhci_kick_ep (streamid=0x0, epid=0x1, slotid=0x11, 
xhci=0x7f6df8b38010) at hw/usb/hcd-xhci.c:1861
  #6  0x000055e9b9a3c64b in xhci_doorbell_write (ptr=0x7f6df8b38010, reg=0x11, 
val=0x1, size=<optimized out>) at hw/usb/hcd-xhci.c:3162
  #7  0x000055e9b977d274 in memory_region_write_accessor (mr=0x7f6df8b38d80, 
addr=0x44, value=<optimized out>, size=0x1, shift=<optimized out>, 
mask=<optimized out>, attrs=...) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:483
  #8  0x000055e9b977ad86 in access_with_adjusted_size (addr=addr@entry=0x44, 
value=value@entry=0x7f6dfb915f88, size=size@entry=0x1, 
access_size_min=<optimized out>, access_size_max=<optimized out>, 
access_fn=0x55e9b977d1f0 <memory_region_write_accessor>, mr=0x7f6df8b38d80, 
attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:544
  #9  0x000055e9b977f4c8 in memory_region_dispatch_write 
(mr=mr@entry=0x7f6df8b38d80, addr=0x44, data=<optimized out>, op=<optimized 
out>, attrs=attrs@entry=...) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:1483
  #10 0x000055e9b972c691 in flatview_write_continue 
(fv=fv@entry=0x7f6da951f750, addr=addr@entry=0xfebf2044, attrs=..., 
ptr=ptr@entry=0x7f6dfb9160e0, len=len@entry=0x1, addr1=<optimized out>, 
l=<optimized out>, mr=0x7f6df8b38d80) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:3137
  #11 0x000055e9b972c826 in flatview_write (fv=0x7f6da951f750, addr=0xfebf2044, 
attrs=..., buf=buf@entry=0x7f6dfb9160e0, len=0x1) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:3177
  #12 0x000055e9b972c89a in subpage_write (opaque=<optimized out>, 
addr=<optimized out>, value=<optimized out>, len=<optimized out>, attrs=...) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/exec.c:2789
  #13 0x000055e9b977b269 in memory_region_write_with_attrs_accessor 
(mr=0x7f6da9534650, addr=0x44, value=<optimized out>, size=0x1, 
shift=<optimized out>, mask=<optimized out>, attrs=...) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:503
  #14 0x000055e9b977ad86 in access_with_adjusted_size (addr=addr@entry=0x44, 
value=value@entry=0x7f6dfb9161f8, size=size@entry=0x1, 
access_size_min=<optimized out>, access_size_max=<optimized out>, 
access_fn=0x55e9b977b1e0 <memory_region_write_with_attrs_accessor>, 
mr=0x7f6da9534650, attrs=...) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:544
  #15 0x000055e9b977f4c8 in memory_region_dispatch_write (mr=0x7f6da9534650, 
addr=addr@entry=0x44, data=<optimized out>, data@entry=0x1, op=op@entry=MO_8, 
attrs=...) at /home/zjusvn/qemu5-hypervisor/qemu-5.0.0/memory.c:1483
  #16 0x000055e9b979021f in io_writex (env=env@entry=0x55e9baed5b50, 
iotlbentry=iotlbentry@entry=0x7f6da8b8bc10, mmu_idx=mmu_idx@entry=0x1, 
val=val@entry=0x1, addr=addr@entry=0x7fbba0601044, 
retaddr=retaddr@entry=0x7f6db9d90d48, op=MO_8) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:1084
  #17 0x000055e9b9794c42 in store_helper (op=MO_8, retaddr=0x7f6db9d90d48, 
oi=<optimized out>, val=<optimized out>, addr=0x7fbba0601044, 
env=0x55e9baed5b50) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:1954
  #18 0x000055e9b9794c42 in helper_ret_stb_mmu (env=0x55e9baed5b50, 
addr=0x7fbba0601044, val=0x1, oi=<optimized out>, retaddr=0x7f6db9d90d48) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cputlb.c:2056
  #19 0x00007f6db9d90d48 in code_gen_buffer ()
  #20 0x000055e9b97a5217 in cpu_tb_exec (itb=<optimized out>, 
cpu=0x7f6db9d240c0 <code_gen_buffer+97665171>) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:172
  #21 0x000055e9b97a5217 in cpu_loop_exec_tb (tb_exit=<synthetic pointer>, 
last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x7f6db9d240c0 
<code_gen_buffer+97665171>) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:619
  #22 0x000055e9b97a5217 in cpu_exec (cpu=cpu@entry=0x55e9baecd2f0) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/accel/tcg/cpu-exec.c:732
  #23 0x000055e9b976ff9f in tcg_cpu_exec (cpu=0x55e9baecd2f0) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/cpus.c:1405
  #24 0x000055e9b97723cb in qemu_tcg_cpu_thread_fn 
(arg=arg@entry=0x55e9baecd2f0) at 
/home/zjusvn/qemu5-hypervisor/qemu-5.0.0/cpus.c:1713
  #25 0x000055e9b9be7d66 in qemu_thread_start (args=<optimized out>) at 
util/qemu-thread-posix.c:519
  #26 0x00007f6dfd87e6db in start_thread (arg=0x7f6dfb917700) at 
pthread_create.c:463
  #27 0x00007f6dfd5a7a3f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1902612/+subscriptions

[Bug 1902612] Re: assert issue locates in xhci_kick_epctx() in hw/usb/hcd-xhci.c

Reply via email to