On 7/15/21 9:32 PM, Thomas Huth wrote: > QEMU currently crashes when it's started like this: > > cat << EOF | ./qemu-system-i386 -device vmxnet3 -nodefaults -qtest stdio > outl 0xcf8 0x80001014 > outl 0xcfc 0xe0001000 > outl 0xcf8 0x80001018 > outl 0xcf8 0x80001004 > outw 0xcfc 0x7 > outl 0xcf8 0x80001083 > write 0x0 0x1 0xe1 > write 0x1 0x1 0xfe > write 0x2 0x1 0xbe > write 0x3 0x1 0xba > writeq 0xe0001020 0xefefff5ecafe0000 > writeq 0xe0001020 0xffff5e5ccafe0002 > EOF > > It hits this assertion: > > qemu-system-i386: ../qemu/hw/net/net_tx_pkt.c:453: net_tx_pkt_reset: > Assertion `pkt->raw' failed. > > This happens because net_tx_pkt_init() is called with max_frags == 0 and > thus the allocation > > p->raw = g_new(struct iovec, max_frags); > > results in a NULL pointer that cause the
"that causes"? Reviewed-by: Philippe Mathieu-Daudé <f4...@amsat.org> > > assert(pkt->raw); > > in net_tx_pkt_reset() to fail later. To fix this issue we can check > that max_raw_frags was not zero before asserting that pkt->raw is > a non-NULL pointer. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1890157 > Signed-off-by: Thomas Huth <th...@redhat.com> > --- > hw/net/net_tx_pkt.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) > > diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c > index 1f9aa59eca..1cb1125d9f 100644 > --- a/hw/net/net_tx_pkt.c > +++ b/hw/net/net_tx_pkt.c > @@ -450,11 +450,13 @@ void net_tx_pkt_reset(struct NetTxPkt *pkt) > pkt->payload_len = 0; > pkt->payload_frags = 0; > > - assert(pkt->raw); > - for (i = 0; i < pkt->raw_frags; i++) { > - assert(pkt->raw[i].iov_base); > - pci_dma_unmap(pkt->pci_dev, pkt->raw[i].iov_base, > pkt->raw[i].iov_len, > - DMA_DIRECTION_TO_DEVICE, 0); > + if (pkt->max_raw_frags > 0) { > + assert(pkt->raw); > + for (i = 0; i < pkt->raw_frags; i++) { > + assert(pkt->raw[i].iov_base); > + pci_dma_unmap(pkt->pci_dev, pkt->raw[i].iov_base, > + pkt->raw[i].iov_len, DMA_DIRECTION_TO_DEVICE, 0); > + } > } > pkt->raw_frags = 0; > >
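Review bot: the `if (pkt->max_raw_frags > 0)` guard around the assert and the unmap loop in net_tx_pkt_reset() avoids the crash, but it leaves the root cause in place: net_tx_pkt_init() still accepts max_frags == 0 and stores the NULL returned by `g_new(struct iovec, 0)` in `pkt->raw`, so any later path that appends a fragment to such a packet would dereference NULL with no assertion to catch it. Consider also rejecting a zero fragment count at init time (or at least adding `assert(pkt->raw_frags == 0);` in the skipped branch) so the zero-capacity case fails loudly at the point it is created. The commit message's "results in a NULL pointer that cause the" should read "that causes the", as already pointed out in the reply.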