Skip to content

Assertion `core->delayed_causes == 0` failed in hw/net/e1000e_core.c:353 during fuzzing

Host environment

  • Operating system: Ubuntu 20.04

  • OS/kernel version: Linux 5.4.0-148

  • Architecture: x86_64

  • QEMU flavor: qemu-system-x86_64

  • QEMU version: commit at 17780edd

  • QEMU command line:

    QEMU_FUZZ_ARGS="-M q35 -nodefaults -device e1000e,netdev=net0 -netdev user,id=net0" \ QEMU_FUZZ_OBJECTS="*e1000e*" ./qemu-fuzz-x86_64 --fuzz-target=generic-fuzz

Description of problem

Got an assertion failure core->delayed_causes == 0 when fuzzing e1000e.

Steps to reproduce

Minimized reproducer for the error:

cat << EOF | ./qemu-system-x86_64 -display none -machine accel=qtest, -m 512M -M q35 \
-nodefaults -device e1000e,netdev=net0 -netdev user,id=net0 -qtest \
/dev/null -qtest stdio
outl 0xcf8 0x80000810
outl 0xcfc 0xe0000000
outl 0xcf8 0x80000804
outw 0xcfc 0x06
write 0xe000042a 0x2 0x0241
write 0xe0000402 0x2 0x0200
write 0x400b 0x1 0x88
write 0xe0000438 0x4 0x01040000
outl 0xcf8 0x800008a3
outb 0xcfc 0x80
EOF

Additional information

The crash report triggered by the reproducer is:

qemu-fuzz-x86_64: /../hw/net/e1000e_core.c:353: uint32_t e1000e_intmgr_collect_delayed_causes(E1000ECore *): Assertion `core->delayed_causes == 0' failed.
==2036033== ERROR: libFuzzer: deadly signal
    #0 0x5606ff6c555e in __sanitizer_print_stack_trace ../../../llvm-project-15.0.0.src/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x5606ff607bb1 in fuzzer::PrintStackTrace() ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:38
    #2 0x5606ff5e2486 in fuzzer::Fuzzer::CrashCallback() (.part.0) ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:18
    #3 0x5606ff5e254d in fuzzer::Fuzzer::CrashCallback() ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:205:1
    #4 0x5606ff5e254d in fuzzer::Fuzzer::StaticCrashSignalCallback() ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:204:19
    #5 0x7f7490e4e41f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #6 0x7f7490c4200a in __libc_signal_restore_set /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/internal-signals.h:86:3
    #7 0x7f7490c4200a in raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:48:3
    #8 0x7f7490c21858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
    #9 0x7f7490c21728 in __assert_fail_base /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:92:3
    #10 0x7f7490c32fd5 in __assert_fail /build/glibc-SzIz7B/glibc-2.31/assert/assert.c:101:3
    #11 0x5606ffd20c33 in e1000e_intmgr_collect_delayed_causes ../hw/net/e1000e_core.c:353:9
    #12 0x5606ffd20c33 in e1000e_set_interrupt_cause ../hw/net/e1000e_core.c:2203:12
    #13 0x5606ffd1bd1b in e1000e_receive_internal ../hw/net/e1000e_core.c:1751:9
    #14 0x56070055a58a in qemu_deliver_packet_iov ../net/net.c:820:15
    #15 0x56070055e215 in qemu_net_queue_deliver ../net/queue.c:164:11
    #16 0x56070055f9ca in qemu_net_queue_flush ../net/queue.c:286:15
    #17 0x56070054f5c8 in qemu_flush_or_purge_queued_packets ../net/net.c:681:9
    #18 0x5606ffd14ff5 in e1000e_start_recv ../hw/net/e1000e_core.c:983:9
    #19 0x5606ffd3c33b in e1000e_set_rx_control ../hw/net/e1000e_core.c:1959:9
    #20 0x5606ffd20fe8 in e1000e_core_write ../hw/net/e1000e_core.c:3306:9
    #21 0x560700caeb43 in memory_region_write_accessor ../softmmu/memory.c:493:5
    #22 0x560700cae2ca in access_with_adjusted_size ../softmmu/memory.c:569:18
    #23 0x560700cad670 in memory_region_dispatch_write ../softmmu/memory.c
    #24 0x560700cf7d6f in flatview_write_continue ../softmmu/physmem.c:2677:23
    #25 0x560700cef213 in flatview_write ../softmmu/physmem.c:2719:12
    #26 0x560700ceef27 in address_space_write ../softmmu/physmem.c:2815:18
    #27 0x560700420b2f in qtest_process_command ../softmmu/qtest.c:558:13
    #28 0x56070041ecfb in qtest_process_inbuf ../softmmu/qtest.c:810:9
    #29 0x56070041eb19 in qtest_server_inproc_recv ../softmmu/qtest.c:941:9
    #30 0x56070126a792 in qtest_sendf ../tests/qtest/libqtest.c:607:5
    #31 0x56070126ae9e in qtest_write ../tests/qtest/libqtest.c:1072:5
    #32 0x56070126ae9e in qtest_writel ../tests/qtest/libqtest.c:1088:5
    #33 0x5606ff7058cb in __wrap_qtest_writel ../tests/qtest/fuzz/qtest_wrappers.c:180:9
    #34 0x5606ff70d5f2 in op_write ../tests/qtest/fuzz/generic_fuzz.c:485:13
    #35 0x5606ff70bd2f in generic_fuzz ../tests/qtest/fuzz/generic_fuzz.c:666:13
    #36 0x5606ff7008e7 in LLVMFuzzerTestOneInput ../tests/qtest/fuzz/fuzz.c:158:5
    #37 0x5606ff5e2d08 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:612:15
    #38 0x5606ff5c6124 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:21
    #39 0x5606ff5d2b0a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:19
    #40 0x5606ff5bd8d6 in main ../../../llvm-project-15.0.0.src/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
    #41 0x7f7490c23082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #42 0x5606ff5bd95d in _start (./qemu-fuzz-x86_64+0x1ef595d)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information