Assertion `addr < cache->len && 2 <= cache->len - addr' failed in address_space_stw_le_cached

Hello QEMU team, an assertion failure was found at include/exec/memory_ldst_cached.h.inc:77 in QEMU version 6.2.0-rc2.

Reproduce

cat << EOF | \
./qemu-system-i386 -M pc -nodefaults -device megasas -device ahci -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0 -drive file=null-co://,format=raw,if=none,id=drive-virtio-disk0,cache=writeback -qtest stdio
outl 0xcf8 0x80003000
inw 0xcfc
outl 0xcf8 0x80003010
outl 0xcfc 0xffffffff
outl 0xcf8 0x80003010
inl 0xcfc
outl 0xcf8 0x80003010
outl 0xcfc 0xc001
outl 0xcf8 0x80003014
outl 0xcfc 0xffffffff
outl 0xcf8 0x80003014
inl 0xcfc
outl 0xcf8 0x80003014
outl 0xcfc 0xe0000000
outl 0xcf8 0x80003020
outl 0xcfc 0xffffffff
outl 0xcf8 0x80003020
inl 0xcfc
outl 0xcf8 0x80003020
outl 0xcfc 0xe0004000
outl 0xcf8 0x80003004
inw 0xcfc
outl 0xcf8 0x80003004
outw 0xcfc 0x7
outl 0xcf8 0x80003004
inw 0xcfc
writel 0xe000400c 0x240000fb
outl 0xc008 0x21000008
writew 0xe000486f 0xf8f8
outl 0xc00f 0xdc000040
outl 0xc00f 0x5a1f0040
writeq 0xe0004015 0x85462301daff9007
outl 0xc00f 0x65a5546
writel 0xe000400c 0x240000fb
outl 0xc008 0x21000008
writew 0xe000486f 0xf8f8
outl 0xc00f 0xdc000040
outl 0xc00f 0x5a1f0040
writeq 0xe0004015 0x85462301daff9007
outl 0xc00f 0x65a5546
EOF

Stack-Trace

i386: wrong value for queue_enable 85
qemu-fuzz-i386: /home/test/Desktop/qemu-6.2.0-rc2/include/exec/memory_ldst_cached.h.inc:77: void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint16_t, MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len - addr' failed.
==47368== ERROR: libFuzzer: deadly signal
    #0 0x55cc5f6e3041 in __sanitizer_print_stack_trace (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2cc2041)
    #1 0x55cc5f62e198 in fuzzer::PrintStackTrace() (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c0d198)
    #2 0x55cc5f6132e3 in fuzzer::Fuzzer::CrashCallback() (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2bf22e3)
    #3 0x7efc0205a97f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1297f)
    #4 0x7efc01671fb6 in __libc_signal_restore_set /build/glibc-S9d2JN/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80
    #5 0x7efc01671fb6 in raise /build/glibc-S9d2JN/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48
    #6 0x7efc01673920 in abort /build/glibc-S9d2JN/glibc-2.27/stdlib/abort.c:79
    #7 0x7efc01663489 in __assert_fail_base /build/glibc-S9d2JN/glibc-2.27/assert/assert.c:92
    #8 0x7efc01663501 in __assert_fail /build/glibc-S9d2JN/glibc-2.27/assert/assert.c:101
    #9 0x55cc60b8d788 in address_space_stw_le_cached /home/test/Desktop/qemu-6.2.0-rc2/include/exec/memory_ldst_cached.h.inc:77:5
    #10 0x55cc60b8d788 in stw_le_phys_cached /home/test/Desktop/qemu-6.2.0-rc2/include/exec/memory_ldst_phys.h.inc:109:5
    #11 0x55cc60b8d788 in virtio_stw_phys_cached /home/test/Desktop/qemu-6.2.0-rc2/include/hw/virtio/virtio-access.h:196:9
    #12 0x55cc60b8d976 in vring_set_avail_event /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/virtio/virtio.c:421:5
    #13 0x55cc60b5ec2a in virtio_queue_split_set_notification /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/virtio/virtio.c:430:9
    #14 0x55cc60b5ec2a in virtio_queue_set_notification /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/virtio/virtio.c:491:9
    #15 0x55cc609805a7 in virtio_blk_handle_vq /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/block/virtio-blk.c:795:13
    #16 0x55cc60b9286f in virtio_queue_notify_aio_vq /home/test/Desktop/qemu-6.2.0-rc2/build/../hw/virtio/virtio.c:2311:15
    #17 0x55cc619563f3 in aio_dispatch_handler /home/test/Desktop/qemu-6.2.0-rc2/build/../util/aio-posix.c:329:9
    #18 0x55cc6194e902 in aio_dispatch_handlers /home/test/Desktop/qemu-6.2.0-rc2/build/../util/aio-posix.c:372:20
    #19 0x55cc6194e902 in aio_dispatch /home/test/Desktop/qemu-6.2.0-rc2/build/../util/aio-posix.c:382:5
    #20 0x55cc619c007c in aio_ctx_dispatch /home/test/Desktop/qemu-6.2.0-rc2/build/../util/async.c:311:5
    #21 0x7efc02a58536 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c536)
    #22 0x55cc61a118cc in glib_pollfds_poll /home/test/Desktop/qemu-6.2.0-rc2/build/../util/main-loop.c:232:9
    #23 0x55cc61a118cc in os_host_main_loop_wait /home/test/Desktop/qemu-6.2.0-rc2/build/../util/main-loop.c:255:5
    #24 0x55cc61a118cc in main_loop_wait /home/test/Desktop/qemu-6.2.0-rc2/build/../util/main-loop.c:531:11
    #25 0x55cc5f70c5c6 in flush_events /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/fuzz.c:49:9
    #26 0x55cc5f71c326 in generic_fuzz /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/generic_fuzz.c:716:17
    #27 0x55cc5f70d0d3 in LLVMFuzzerTestOneInput /home/test/Desktop/qemu-6.2.0-rc2/build/../tests/qtest/fuzz/fuzz.c:151:5
    #28 0x55cc5f6149a1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2bf39a1)
    #29 0x55cc5f600112 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2bdf112)
    #30 0x55cc5f605bc6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2be4bc6)
    #31 0x55cc5f62e882 in main (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2c0d882)
    #32 0x7efc01654bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #33 0x55cc5f5da7b9 in _start (/home/test/Desktop/qemu-6.2.0-rc2/build/qemu-fuzz-i386+0x2bb97b9)

reproduce__2_.c