OSS-Fuzz never came across this one. Probably fixed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1892962
Title: Segfault in usb_bus_from_device Status in QEMU: Incomplete Bug description: Hello, Reproducer: cat << EOF | ./qemu-system-i386 -machine q35 \ -device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,\ multifunction=on,id=ich9-ehci-1 \ -device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,\ multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 \ -device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 \ -display none -nodefaults -qtest stdio -accel qtest outl 0xcf8 0x8000e803 outl 0xcfc 0xff00ff00 outl 0xcf8 0x8000e821 outb 0xcfc 0xff outl 0xff10 0x8500057e clock_step clock_step outb 0xff00 0x49 write 0x2 0x1 0x40 write 0x400006 0x1 0xfb write 0x400008 0x1 0x2d write 0x40000a 0x1 0xe0 write 0x40000c 0x1 0x16 write 0x40000e 0x1 0xfa write 0xfa001c 0x1 0x04 clock_step write 0x400006 0x1 0xfb write 0xfa001d 0x1 0xff clock_step write 0x8 0x1 0xe0 write 0xa 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x1600e8 0x1 0xe1 write 0x1600eb 0x1 0x30 clock_step clock_step write 0x10 0x1 0xe0 write 0x12 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x6 0x1 0x9c write 0x8 0x1 0xe1 write 0xa 0x1 0x40 write 0xb 0x1 0x30 clock_step write 0x14 0x1 0xe0 write 0x16 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x6 0x1 0x9c clock_step write 0x18 0x1 0xe0 write 0x1a 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x6 0x1 0x9c clock_step write 0x1c 0x1 0xe0 write 0x1e 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x6 0x1 0x9c clock_step write 0x20 0x1 0xe0 write 0x22 0x1 0x16 write 0x1600e6 0x1 0x9c write 0x6 0x1 0x9c clock_step EOF The trace: ... [S +0.087589] OK [R +0.087596] write 0x1600e6 0x1 0x9c OK [S +0.087603] OK [R +0.087655] write 0x6 0x1 0x9c OK [S +0.087667] OK [R +0.087675] clock_step 784168@1598406646.189133:usb_uhci_frame_start nr 8 784168@1598406646.189141:usb_uhci_td_load qh 0x0, td 0x1600e0, ctrl 0x9c0180, token 0x300000e1 784168@1598406646.189147:usb_uhci_packet_add token 0x0, td 0x1600e0 784168@1598406646.189151:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state undef -> setup 784168@1598406646.189161:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043c00, state setup -> complete 784168@1598406646.189165:usb_uhci_packet_complete_success token 0x0, td 0x1600e0 784168@1598406646.189168:usb_uhci_packet_del token 0x0, td 0x1600e0 784168@1598406646.189174:usb_uhci_td_complete qh 0x0, td 0x1600e0 784168@1598406646.189179:usb_uhci_td_load qh 0x0, td 0x0, ctrl 0x9c0182, token 0x304000e1 784168@1598406646.189183:usb_uhci_packet_add token 0x0, td 0x0 784168@1598406646.189187:usb_packet_state_change bus 0, port 1, ep 0, packet 0x611000043d40, state undef -> setup /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'USBDevice' (aka 'struct USBDevice') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12: runtime error: member access within null pointer of type 'DeviceState' (aka 'struct DeviceState') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==784168==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x5599c43df445 bp 0x7ffec2833e50 sp 0x7ffec2833dc0 T0) ==784168==The signal is caused by a READ memory access. ==784168==Hint: address points to the zero page. #0 0x5599c43df445 in usb_bus_from_device /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 #1 0x5599c43ea95c in usb_packet_set_state /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:549:23 #2 0x5599c43e8abd in usb_handle_packet /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/core.c:438:17 #3 0x5599c4b02497 in uhci_handle_td /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:892:9 #4 0x5599c4afbd26 in uhci_process_frame /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1075:15 #5 0x5599c4aed2e3 in uhci_frame_timer /home/alxndr/Development/qemu/general-fuzz/build/../hw/usb/hcd-uhci.c:1174:9 #6 0x5599c7620917 in timerlist_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:572:9 #7 0x5599c7620e51 in qemu_clock_run_timers /home/alxndr/Development/qemu/general-fuzz/build/../util/qemu-timer.c:586:12 #8 0x5599c5f35a13 in qtest_clock_warp /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/cpus.c:507:9 #9 0x5599c61225d8 in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:665:9 #10 0x5599c611063e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9 #11 0x5599c610f3e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5 #12 0x5599c7215762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9 #13 0x5599c72158aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9 #14 0x5599c723b514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9 #15 0x5599c7127736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12 #16 0x7f62623914cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd) #17 0x5599c76b2c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9 #18 0x5599c76b0567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5 #19 0x5599c76aff47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11 #20 0x5599c5e8e08d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9 #21 0x5599c382051c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5 #22 0x7f6261b9acc9 in __libc_start_main csu/../csu/libc-start.c:308:16 #23 0x5599c3775cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/include/hw/usb.h:526:12 in usb_bus_from_device ==784168==ABORTING -Alex To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1892962/+subscriptions