Re: Assertion Failure in virtio_net_reset

2020-05-10 Thread Jason Wang
On 2020/5/11 10:59 AM, Alexander Bulekov wrote:

Hello,
While fuzzing, I found an input that triggers an assertion failure in
virtio-net.c:

hw/net/virtio-net.c:533: void virtio_net_reset(VirtIODevice *): Assertion `!virtio_net_get_subqueue(nc)->async_tx.elem' failed.

#9 0x55a33fa31b78 in virtio_net_reset hw/net/virtio-net.c:533:13
#10 0x55a33fc88412 in virtio_reset hw/virtio/virtio.c:1919:9
#11 0x55a341d82764 in virtio_bus_reset hw/virtio/virtio-bus.c:95:9
#12 0x55a341dba2de in virtio_pci_reset hw/virtio/virtio-pci.c:1824:5
#13 0x55a341db3e02 in virtio_pci_common_write hw/virtio/virtio-pci.c:1252:13
#14 0x55a33f62117b in memory_region_write_accessor memory.c:496:5
#15 0x55a33f6205e4 in access_with_adjusted_size memory.c:557:18
#16 0x55a33f61e177 in memory_region_dispatch_write memory.c:1488:16

I can reproduce it in a qemu 5.0 build using:
cat << EOF | qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device virtio-net-pci,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio
outl 0xcf8 0x8820
outl 0xcfc 0xe0004000
outl 0xcf8 0x8824
outl 0xcfc 0xc021
outl 0xcf8 0x8804
outw 0xcfc 0x7
outl 0xcf8 0x889a
write 0xc021e0004016 0x16 0x01ff4f000100cd003d00f600
write 0x3d00d8 0xae 0x017a000a000d0084017a000a000f0084017a000a00110084017a000a00130084017a000a00150084017a000a00170084017a000a00190084017a000a001b0084017a000a001d0084017a000a001f0084017a000a00210084017a000a00230084017a000a
write 0xf60002 0x7 0x0a000b
write 0xc021e0004014 0x9 0x95a4b3c2d1e0effe0d
write 0xc021e0004014 0x2a3 0x00
EOF

I also uploaded the above trace, in case the formatting is broken:

curl https://paste.debian.net/plain/1146086 | qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device virtio-net-pci,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio

Please let me know if I can provide any further info.
-Alex
I've posted a patch which seems to fix this issue.

Please have a look and try.

Thanks

Assertion Failure in virtio_net_reset

2020-05-10 Thread Alexander Bulekov
Hello,
While fuzzing, I found an input that triggers an assertion failure in
virtio-net.c:

hw/net/virtio-net.c:533: void virtio_net_reset(VirtIODevice *): Assertion `!virtio_net_get_subqueue(nc)->async_tx.elem' failed.

#9 0x55a33fa31b78 in virtio_net_reset hw/net/virtio-net.c:533:13
#10 0x55a33fc88412 in virtio_reset hw/virtio/virtio.c:1919:9
#11 0x55a341d82764 in virtio_bus_reset hw/virtio/virtio-bus.c:95:9
#12 0x55a341dba2de in virtio_pci_reset hw/virtio/virtio-pci.c:1824:5
#13 0x55a341db3e02 in virtio_pci_common_write hw/virtio/virtio-pci.c:1252:13
#14 0x55a33f62117b in memory_region_write_accessor memory.c:496:5
#15 0x55a33f6205e4 in access_with_adjusted_size memory.c:557:18
#16 0x55a33f61e177 in memory_region_dispatch_write memory.c:1488:16

I can reproduce it in a qemu 5.0 build using:
cat << EOF | qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device virtio-net-pci,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio
outl 0xcf8 0x8820
outl 0xcfc 0xe0004000
outl 0xcf8 0x8824
outl 0xcfc 0xc021
outl 0xcf8 0x8804
outw 0xcfc 0x7
outl 0xcf8 0x889a
write 0xc021e0004016 0x16 0x01ff4f000100cd003d00f600
write 0x3d00d8 0xae 0x017a000a000d0084017a000a000f0084017a000a00110084017a000a00130084017a000a00150084017a000a00170084017a000a00190084017a000a001b0084017a000a001d0084017a000a001f0084017a000a00210084017a000a00230084017a000a
write 0xf60002 0x7 0x0a000b
write 0xc021e0004014 0x9 0x95a4b3c2d1e0effe0d
write 0xc021e0004014 0x2a3 0x00
EOF

I also uploaded the above trace, in case the formatting is broken:

curl https://paste.debian.net/plain/1146086 | qemu-system-i386 -M pc-q35-5.0 -netdev user,id=qtest-bn0 -device virtio-net-pci,netdev=qtest-bn0 -display none -nodefaults -nographic -qtest stdio

Please let me know if I can provide any further info.
-Alex
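As an added example (not part of this report or of QEMU's own code): a script that parses a qtest stdin trace in the format posted above and emits a libqtest C function replaying it, which is how a fuzzer reproducer gets turned into a regression test in QEMU's tests/qtest directory. The sample trace is a constructed excerpt, and the script assumes that qtest zero-fills a `write` whose hex data is shorter than its declared length.

```python
import re

# Constructed excerpt in the report's trace format; the last 'write' declares
# more bytes than it supplies, which qtest zero-fills (assumed behaviour).
SAMPLE_TRACE = """\
outl 0xcf8 0x8820
outl 0xcfc 0xe0004000
outw 0xcfc 0x7
write 0xf60002 0x7 0x0a000b
write 0xc021e0004014 0x4 0x00
"""
# qemu arguments from the report, minus '-qtest stdio' which qtest_init adds
QEMU_ARGS = ("-M pc-q35-5.0 -netdev user,id=qtest-bn0 -device "
             "virtio-net-pci,netdev=qtest-bn0 -display none -nodefaults -nographic")
LINE_RE = re.compile(r"^(outb|outw|outl|write)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_trace(text):
    """Return (op, addr, value_or_len, payload) tuples; payload is None for out*."""
    ops = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported qtest line: {line!r}")
        op, addr, arg, hexdata = m.groups()
        addr, arg, payload = int(addr, 0), int(arg, 0), None
        if op == "write":
            if not hexdata or not hexdata.startswith("0x"):
                raise ValueError(f"write needs 0x-prefixed data: {line!r}")
            # truncate to the declared length; zero-fill when the data is short
            payload = bytes.fromhex(hexdata[2:][:arg * 2].ljust(arg * 2, "0"))
        ops.append((op, addr, arg, payload))
    return ops

def to_libqtest_c(ops, name, qemu_args=QEMU_ARGS):
    """Emit a libqtest C test function that replays the parsed trace."""
    out = [f"static void {name}(void)", "{",
           f'    QTestState *s = qtest_init("{qemu_args}");']
    for i, (op, addr, arg, payload) in enumerate(ops):
        if op == "write":
            hexs = ", ".join(f"0x{b:02x}" for b in payload)
            out.append(f"    static const uint8_t buf{i}[] = {{{hexs}}};")
            out.append(f"    qtest_memwrite(s, 0x{addr:x}, buf{i}, sizeof(buf{i}));")
        else:  # outb/outw/outl map 1:1 onto qtest_outb/qtest_outw/qtest_outl
            out.append(f"    qtest_{op}(s, 0x{addr:x}, 0x{arg:x});")
    out += ["    qtest_quit(s);", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_libqtest_c(parse_trace(SAMPLE_TRACE), "test_virtio_net_reset_assert"))
```

Feeding the full trace from the report through `parse_trace` produces a function that can be registered with `qtest_add_func` and run against a build to confirm whether the assertion still fires.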