qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug 1890160] [NEW] Abort in vmxnet3_validate_queues

From: Philippe Mathieu-Daudé
Subject: Re: [Bug 1890160] [NEW] Abort in vmxnet3_validate_queues
Date: Mon, 3 Aug 2020 17:33:40 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 
Cc'ing Dmitry as he doesn't have lauchpad account :/

On 8/3/20 4:37 PM, Alexander Bulekov wrote:
> Public bug reported:
> 
> Hello,
> Reproducer:
> 
> cat << EOF | ./i386-softmmu/qemu-system-i386 \
> -device vmxnet3 -m 64 -nodefaults -qtest stdio -nographic
> outl 0xcf8 0x80001014
> outl 0xcfc 0xe0001000
> outl 0xcf8 0x80001018
> outl 0xcf8 0x80001004
> outw 0xcfc 0x7
> write 0x0 0x1 0xe1
> write 0x1 0x1 0xfe
> write 0x2 0x1 0xbe
> write 0x3 0x1 0xba
> write 0x3e 0x1 0xe1

struct Vmxnet3_MiscConf {
    struct Vmxnet3_DriverInfo driverInfo;
    __le64        uptFeatures;
    __le64        ddPA;         /* driver data PA */
    __le64        queueDescPA;  /* queue descriptor table PA */
    __le32        ddLen;        /* driver data len */
    __le32        queueDescLen; /* queue desc. table len in bytes */
    __le32        mtu;
    __le16        maxNumRxSG;
    u8        numTxQueues;
   ^^^
     \_________ @0x3e = 0xe1 = 225 queues (max is 8).

    u8        numRxQueues;
    __le32        reserved[4];

> writeq 0xe0001020 0xef0bff5ecafe0000
> EOF
> 
> ==============================================================
> qemu: hardware error: Bad TX queues number: 225
> 
>     #6 0x7f04b89d455a in abort 
> /build/glibc-GwnBeO/glibc-2.30/stdlib/abort.c:79:7
>     #7 0x558f5be89b67 in hw_error 
> /home/alxndr/Development/qemu/general-fuzz/softmmu/cpus.c:927:5
>     #8 0x558f5d3c3968 in vmxnet3_validate_queues 
> /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1388:9
>     #9 0x558f5d3bb716 in vmxnet3_activate_device 
> /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1449:5
>     #10 0x558f5d3b6fba in vmxnet3_handle_command 
> /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1576:9
>     #11 0x558f5d3b410f in vmxnet3_io_bar1_write 
> /home/alxndr/Development/qemu/general-fuzz/hw/net/vmxnet3.c:1772:9
>     #12 0x558f5bec4193 in memory_region_write_accessor 
> /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:483:5
>     #13 0x558f5bec3637 in access_with_adjusted_size 
> /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:544:18
>     #14 0x558f5bec1256 in memory_region_dispatch_write 
> /home/alxndr/Development/qemu/general-fuzz/softmmu/memory.c:1466:16
> 
> -Alex
> 
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]