Public bug reported:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void ptimer_transaction_begin(ptimer_state
*): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor (qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write (qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion
`!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at
hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at
hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0,
value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0,
addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at
memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0,
value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0,
attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0,
addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0,
addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4,
mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776,
attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560,
addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
** Affects: qemu
Importance: Undecided
Status: New
** Tags: arm
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880424
Title:
I/O write make imx_epit_reset() crash
Status in QEMU:
New
Bug description:
libFuzzer found:
qemu-fuzz-arm: hw/core/ptimer.c:377: void
ptimer_transaction_begin(ptimer_state *): Assertion `!s->in_transaction' failed.
==6041== ERROR: libFuzzer: deadly signal
#8 0x7fcaba320565 in __GI___assert_fail (/lib64/libc.so.6+0x30565)
#9 0x563b46f91637 in ptimer_transaction_begin (qemu-fuzz-arm+0x1af1637)
#10 0x563b476cc4c6 in imx_epit_reset (qemu-fuzz-arm+0x222c4c6)
#11 0x563b476cd004 in imx_epit_write (qemu-fuzz-arm+0x222d004)
#12 0x563b46582377 in memory_region_write_accessor
(qemu-fuzz-arm+0x10e2377)
#13 0x563b46581ee3 in access_with_adjusted_size (qemu-fuzz-arm+0x10e1ee3)
#14 0x563b46580a83 in memory_region_dispatch_write
(qemu-fuzz-arm+0x10e0a83)
#15 0x563b463c5022 in flatview_write_continue (qemu-fuzz-arm+0xf25022)
#16 0x563b463b4ea2 in flatview_write (qemu-fuzz-arm+0xf14ea2)
#17 0x563b463b49d4 in address_space_write (qemu-fuzz-arm+0xf149d4)
Reproducer:
qemu-system-arm -M kzm -display none -S -qtest stdio << 'EOF'
writel 0x53f94000 0x110000
EOF
qemu-system-arm: hw/core/ptimer.c:377: ptimer_transaction_begin: Assertion
`!s->in_transaction' failed.
Aborted (core dumped)
(gdb) bt
#1 0x00007f4aa4daa895 in abort () at /lib64/libc.so.6
#2 0x00007f4aa4daa769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3 0x00007f4aa4db8566 in annobin_assert.c_end () at /lib64/libc.so.6
#4 0x000055ee85400164 in ptimer_transaction_begin (s=0x55ee873bc4c0) at
hw/core/ptimer.c:377
#5 0x000055ee855c7936 in imx_epit_reset (dev=0x55ee871725c0) at
hw/timer/imx_epit.c:111
#6 0x000055ee855c7d1b in imx_epit_write (opaque=0x55ee871725c0, offset=0,
value=1114112, size=4) at hw/timer/imx_epit.c:209
#7 0x000055ee8513db85 in memory_region_write_accessor (mr=0x55ee871728f0,
addr=0, value=0x7fff3012d6f8, size=4, shift=0, mask=4294967295, attrs=...) at
memory.c:483
#8 0x000055ee8513dd96 in access_with_adjusted_size (addr=0,
value=0x7fff3012d6f8, size=4, access_size_min=1, access_size_max=4, access_fn=
0x55ee8513daa2 <memory_region_write_accessor>, mr=0x55ee871728f0,
attrs=...) at memory.c:545
#9 0x000055ee85140cbd in memory_region_dispatch_write (mr=0x55ee871728f0,
addr=0, data=1114112, op=MO_32, attrs=...) at memory.c:1477
#10 0x000055ee850deba5 in flatview_write_continue (fv=0x55ee87181bd0,
addr=1408843776, attrs=..., ptr=0x7fff3012d900, len=4, addr1=0, l=4,
mr=0x55ee871728f0) at exec.c:3147
#11 0x000055ee850decf3 in flatview_write (fv=0x55ee87181bd0, addr=1408843776,
attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3190
#12 0x000055ee850df05d in address_space_write (as=0x55ee8730a560,
addr=1408843776, attrs=..., buf=0x7fff3012d900, len=4) at exec.c:3289
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880424/+subscriptions
