Public bug reported: Maybe this is a duplicate of https://bugs.launchpad.net/qemu/+bug/1906693 ... In any case, ATAPI is probably a lot more common than megasas, so this might be a more useful reproducer
==Reproducer== cat << EOF | ./qemu-system-i386 -display none \ -m 512M -machine q35 -nodefaults \ -drive file=null-co://,if=none,format=raw,id=disk0 \ -device ide-cd,drive=disk0 -machine accel=qtest -qtest stdio outl 0xcf8 0x8000fa24 outl 0xcfc 0xe0000000 outl 0xcf8 0x8000fa04 outw 0xcfc 0x06 write 0xe0000398 0x1 0x01 write 0x63 0x1 0x06 write 0x68 0x1 0x06 write 0x69 0x1 0xf8 write 0x6a 0x1 0xff write 0xfff806 0x1 0x27 write 0xfff807 0x1 0x80 write 0xfff808 0x1 0x61 write 0x1005734 0x1 0x3f write 0x1005774 0x1 0x20 write 0x1005784 0x1 0x34 write 0x10057a4 0x1 0x27 write 0x10057b4 0x1 0x3f write 0x10057c3 0x1 0xce write 0x10057d4 0x1 0x1a write 0x10057e3 0x1 0xff write 0x10057e4 0x1 0x3f write 0x10057f4 0x1 0x38 write 0x1005814 0x1 0x3e write 0x1005823 0x1 0x60 write 0x1005824 0x1 0x2d write 0x1005833 0x1 0x74 write 0x1005834 0x1 0x01 write 0x1005863 0x1 0xff write 0x1005883 0x1 0x5a write 0x1005884 0x1 0x06 write 0xe00003b8 0x1 0x08 EOF ==Stack Trace== i386: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x5a00) qemu-fuzz-i386-target-generic-fuzz-ahci-atapi: ../block/io.c:1982: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `child->perm & BLK_PERM_WRITE' failed. ==279048== ERROR: libFuzzer: deadly signal #0 0x560c92718f50 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3 #1 0x560c926c2f98 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5 #2 0x560c926a7fd3 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3 #3 0x7ff7d707038f in libpthread.so.0 #4 0x7ff7d66a8437 in raise #5 0x7ff7d66aa039 in abort #6 0x7ff7d66a0be6 in libc.so.6 #7 0x7ff7d66a0c91 in __assert_fail #8 0x560c92f4fc79 in bdrv_co_write_req_prepare /src/qemu/block/io.c:1982:13 #9 0x560c92f4c974 in bdrv_aligned_pwritev /src/qemu/block/io.c:2065:11 #10 0x560c92f4b937 in bdrv_co_pwritev_part /src/qemu/block/io.c:2270:11 #11 0x560c92f392e7 in blk_do_pwritev_part /src/qemu/block/block-backend.c:1260:11 #12 0x560c92f39a55 in blk_aio_write_entry /src/qemu/block/block-backend.c:1476:17 #13 0x560c930d19d5 in coroutine_trampoline /src/qemu/util/coroutine-ucontext.c:173:9 #14 0x7ff7d66bd5df in libc.so.6 OSS-Fuzz link: https://bugs.chromium.org/p/oss- fuzz/issues/detail?id=30857 ** Affects: qemu Importance: Undecided Status: New ** Tags: fuzzer ** Summary changed: - Assertion Failure in bdrv_co_write_req_prepare through atapi + Assertion `child->perm & BLK_PERM_WRITE' failed in bdrv_co_write_req_prepare through atapi -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1915535 Title: Assertion `child->perm & BLK_PERM_WRITE' failed in bdrv_co_write_req_prepare through atapi Status in QEMU: New Bug description: Maybe this is a duplicate of https://bugs.launchpad.net/qemu/+bug/1906693 ... In any case, ATAPI is probably a lot more common than megasas, so this might be a more useful reproducer ==Reproducer== cat << EOF | ./qemu-system-i386 -display none \ -m 512M -machine q35 -nodefaults \ -drive file=null-co://,if=none,format=raw,id=disk0 \ -device ide-cd,drive=disk0 -machine accel=qtest -qtest stdio outl 0xcf8 0x8000fa24 outl 0xcfc 0xe0000000 outl 0xcf8 0x8000fa04 outw 0xcfc 0x06 write 0xe0000398 0x1 0x01 write 0x63 0x1 0x06 write 0x68 0x1 0x06 write 0x69 0x1 0xf8 write 0x6a 0x1 0xff write 0xfff806 0x1 0x27 write 0xfff807 0x1 0x80 write 0xfff808 0x1 0x61 write 0x1005734 0x1 0x3f write 0x1005774 0x1 0x20 write 0x1005784 0x1 0x34 write 0x10057a4 0x1 0x27 write 0x10057b4 0x1 0x3f write 0x10057c3 0x1 0xce write 0x10057d4 0x1 0x1a write 0x10057e3 0x1 0xff write 0x10057e4 0x1 0x3f write 0x10057f4 0x1 0x38 write 0x1005814 0x1 0x3e write 0x1005823 0x1 0x60 write 0x1005824 0x1 0x2d write 0x1005833 0x1 0x74 write 0x1005834 0x1 0x01 write 0x1005863 0x1 0xff write 0x1005883 0x1 0x5a write 0x1005884 0x1 0x06 write 0xe00003b8 0x1 0x08 EOF ==Stack Trace== i386: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0x5a00) qemu-fuzz-i386-target-generic-fuzz-ahci-atapi: ../block/io.c:1982: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `child->perm & BLK_PERM_WRITE' failed. ==279048== ERROR: libFuzzer: deadly signal #0 0x560c92718f50 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:33:3 #1 0x560c926c2f98 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5 #2 0x560c926a7fd3 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3 #3 0x7ff7d707038f in libpthread.so.0 #4 0x7ff7d66a8437 in raise #5 0x7ff7d66aa039 in abort #6 0x7ff7d66a0be6 in libc.so.6 #7 0x7ff7d66a0c91 in __assert_fail #8 0x560c92f4fc79 in bdrv_co_write_req_prepare /src/qemu/block/io.c:1982:13 #9 0x560c92f4c974 in bdrv_aligned_pwritev /src/qemu/block/io.c:2065:11 #10 0x560c92f4b937 in bdrv_co_pwritev_part /src/qemu/block/io.c:2270:11 #11 0x560c92f392e7 in blk_do_pwritev_part /src/qemu/block/block-backend.c:1260:11 #12 0x560c92f39a55 in blk_aio_write_entry /src/qemu/block/block-backend.c:1476:17 #13 0x560c930d19d5 in coroutine_trampoline /src/qemu/util/coroutine-ucontext.c:173:9 #14 0x7ff7d66bd5df in libc.so.6 OSS-Fuzz link: https://bugs.chromium.org/p/oss- fuzz/issues/detail?id=30857 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1915535/+subscriptions
