READ memory access in /hw/acpi/pcihp.c

Hello qemu team, An invalid pointer initialization issue was found in /hw/acpi/pcihp.c:470:9 of QEMU in versions 6.2.0-rc2.

Reproducer

  cat << EOF | ./qemu-system-i386 \
  -M pc -nodefaults -netdev user,id=user0 -device virtio-net,netdev=user0 \
  -qtest stdio
  outl 0xcf8 0x80000b00
  inw 0xcfc
  outl 0xcf8 0x80000b04
  inw 0xcfc
  outl 0xcf8 0x80000b04
  outw 0xcfc 0x7
  outl 0xcf8 0x80000b04
  inw 0xcfc
  outl 0xcf8 0x80000000
  inw 0xcfc
  outl 0xcf8 0x80000004
  inw 0xcfc
  outl 0xcf8 0x80000004
  outw 0xcfc 0x7
  outl 0xcf8 0x80000004
  inw 0xcfc
  outl 0xcf8 0x80000800
  inw 0xcfc
  outl 0xcf8 0x80000804
  inw 0xcfc
  outl 0xcf8 0x80000804
  outw 0xcfc 0x7
  outl 0xcf8 0x80000804
  inw 0xcfc
  outl 0xcf8 0x80000900
  inw 0xcfc
  outl 0xcf8 0x80000920
  outl 0xcfc 0xffffffff
  outl 0xcf8 0x80000920
  inl 0xcfc
  outl 0xcf8 0x80000920
  outl 0xcfc 0xc001
  outl 0xcf8 0x80000904
  inw 0xcfc
  outl 0xcf8 0x80000904
  outw 0xcfc 0x7
  outl 0xcf8 0x80000904
  inw 0xcfc
  outl 0xcf8 0x80001000
  inw 0xcfc
  outl 0xcf8 0x80001010
  outl 0xcfc 0xffffffff
  outl 0xcf8 0x80001010
  inl 0xcfc
  outl 0xcf8 0x80001010
  outl 0xcfc 0xc021
  outl 0xcf8 0x80001014
  outl 0xcfc 0xffffffff
  outl 0xcf8 0x80001014
  inl 0xcfc
  outl 0xcf8 0x80001014
  outl 0xcfc 0xe0000000
  outl 0xcf8 0x80001020
  outl 0xcfc 0xffffffff
  outl 0xcf8 0x80001020
  inl 0xcfc
  outl 0xcf8 0x80001020
  outl 0xcfc 0xe0004000
  outl 0xcf8 0x80001004
  inw 0xcfc
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  outl 0xcf8 0x80001004
  inw 0xcfc
  clock_step
  outl 0xae10 0x15
  outl 0xae10 0x585a5564
  outl 0xae10 0x15
  outl 0xcf8 0x80000b06
  outl 0xcfc 0xdd58fb5a
  outl 0xae14 0x64296572
  clock_step
  outl 0xae10 0x15
  outl 0xae10 0x585a5564
  outl 0xae10 0x15
  outl 0xcf8 0x80000b06
  outl 0xcfc 0xdd58fb5a
  outl 0xae14 0x64296572
  EOF

Stack-Trace

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4191==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x564df8697958 bp 0x7ffe620c13f0 sp 0x7ffe620c12a0 T0)
==4191==The signal is caused by a READ memory access.
==4191==Hint: address points to the zero page.
    #0 0x564df8697958 in pci_write /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/acpi/pcihp.c:470:9
    #1 0x564df941eb3c in memory_region_write_accessor /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c:492:5
    #2 0x564df941e63b in access_with_adjusted_size /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c:554:18
    #3 0x564df941de40 in memory_region_dispatch_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/memory.c
    #4 0x564df93fbe1b in flatview_write_continue /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2782:23
    #5 0x564df93f15ab in flatview_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2822:14
    #6 0x564df93f15ab in address_space_write /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/physmem.c:2914:18
    #7 0x564df9408182 in cpu_outl /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/ioport.c:80:5
    #8 0x564df9461975 in qtest_process_command /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:499:13
    #9 0x564df945f6e7 in qtest_process_inbuf /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:813:9
    #10 0x564df945f43d in qtest_server_inproc_recv /home/test/Desktop/qemu-6.2.0-rc2/build/../softmmu/qtest.c:945:9
    #11 0x564df9f43460 in qtest_sendf /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:448:5
    #12 0x564df9f43a3e in qtest_out /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:1018:5
    #13 0x564df9f43a3e in qtest_outl /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/libqtest.c:1034:5
    #14 0x564df82aee6d in op_out /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/generic_fuzz.c:403:13
    #15 0x564df82ad1e5 in generic_fuzz /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/generic_fuzz.c:713:17
    #16 0x564df829d45b in LLVMFuzzerTestOneInput /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/fuzz.c:151:5
    #17 0x564df81a4c61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2ca8c61)
    #18 0x564df81a61a5 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2caa1a5)
    #19 0x564df81903ea in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c943ea)
    #20 0x564df8195e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c99e86)
    #21 0x564df81beb42 in main (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2cc2b42)
    #22 0x7ffa92067bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #23 0x564df816aa79 in _start (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c6ea79)

reproduce.c