Fuzzing the Linux kernel with syzkaller made it possible to find a way to crash qemu using a special SCSI_IOCTL_SEND_COMMAND. It hits the assertion in ide_dma_cb() introduced in commit a718978ed58a in July 2015.

This patch series fixes incorrect handling of some PRDTs in ide_dma_cb() and improves the ide-test to cover more PRDT cases (including one that causes that particular qemu crash).

Changes from v2 (thanks to Kevin Wolf for the feedback):
 - the assertion about the prepare_buf() return value is improved;
 - the patch order is reversed to keep the tree bisectable;
 - the unit-test performance is improved -- now it runs in 8 seconds instead of 3 minutes on my laptop.

Alexander Popov (2):
  ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
  tests/ide-test: Create a single unit-test covering more PRDT cases

 hw/ide/core.c    |  30 +++++---
 tests/ide-test.c | 174 ++++++++++++++++++++---------------------------
 2 files changed, 96 insertions(+), 108 deletions(-)

-- 
2.23.0
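The interface the fuzzer drove, SCSI_IOCTL_SEND_COMMAND, is the guest-side path by which an unprivileged program hands a raw CDB to the block layer that the emulated IDE controller then serves. As an added example that is not part of this patch series, of qemu, or of the kernel, the program below issues a benign SCSI INQUIRY through that ioctl and decodes the reply. It deliberately does not reproduce the command that trips the ide_dma_cb() assertion, which the cover letter does not give. The buffer layout is re-declared from the kernel's struct scsi_ioctl_command because glibc's <scsi/scsi_ioctl.h> exports only the ioctl numbers; the device path /dev/sda and the 96-byte allocation length are assumptions.

```c
/* Added example: issuing a SCSI INQUIRY via SCSI_IOCTL_SEND_COMMAND.
 * Not qemu or kernel code; device path and sizes below are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <scsi/scsi_ioctl.h>   /* SCSI_IOCTL_SEND_COMMAND */

/* Wire layout the kernel reads for SCSI_IOCTL_SEND_COMMAND (re-declared
 * from the kernel's struct scsi_ioctl_command): two unsigned ints, then the
 * CDB, then inlen bytes of outbound payload. On success the kernel copies
 * outlen bytes of the reply back over data[] starting at data[0]; on a
 * check condition it copies sense bytes there instead. */
struct scsi_ioctl_cmd {
    unsigned int inlen;     /* bytes sent to the device after the CDB */
    unsigned int outlen;    /* bytes expected back from the device */
    unsigned char data[];   /* CDB followed by outbound payload */
};

#define INQUIRY_OPCODE  0x12
#define INQUIRY_CDB_LEN 6

/* Fill buf with an INQUIRY request asking for alloc_len reply bytes.
 * Returns the number of bytes the request occupies, or 0 if buf is too
 * small or alloc_len does not fit the one-byte CDB field. Free of I/O so
 * it can be checked without a device. */
size_t build_inquiry_request(unsigned char *buf, size_t cap, unsigned int alloc_len)
{
    size_t hdr = sizeof(struct scsi_ioctl_cmd);
    /* The reply overwrites data[] from offset 0, so data[] must hold the
     * larger of the outbound (CDB) and inbound (outlen) sizes. */
    size_t need = hdr + (alloc_len > INQUIRY_CDB_LEN ? alloc_len : INQUIRY_CDB_LEN);
    if (alloc_len > 0xff || cap < need)
        return 0;
    memset(buf, 0, need);
    struct scsi_ioctl_cmd *cmd = (struct scsi_ioctl_cmd *)buf;
    cmd->inlen = 0;                          /* nothing to send but the CDB */
    cmd->outlen = alloc_len;
    cmd->data[0] = INQUIRY_OPCODE;
    cmd->data[4] = (unsigned char)alloc_len; /* ALLOCATION LENGTH */
    return need;
}

/* Peripheral device type from a standard INQUIRY reply (byte 0, low 5 bits);
 * -1 if the reply is too short. 0x00 is a direct-access block device. */
int inquiry_device_type(const unsigned char *reply, size_t len)
{
    if (len < 1)
        return -1;
    return reply[0] & 0x1f;
}

/* Copy the 8-byte T10 vendor id (reply bytes 8..15) into out, NUL-terminated
 * and right-trimmed of spaces. Returns 0, or -1 if the reply is too short. */
int inquiry_vendor(const unsigned char *reply, size_t len, char out[9])
{
    if (len < 16)
        return -1;
    memcpy(out, reply + 8, 8);
    out[8] = '\0';
    for (int i = 7; i >= 0 && out[i] == ' '; i--)
        out[i] = '\0';
    return 0;
}

/* Hand the request to the kernel. INQUIRY is on the kernel's read-only
 * allow-list; most other opcodes need CAP_SYS_RAWIO. */
int send_scsi_command(int fd, unsigned char *buf)
{
    return ioctl(fd, SCSI_IOCTL_SEND_COMMAND, buf);
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/sda";  /* assumption */
    unsigned char buf[256];
    size_t n = build_inquiry_request(buf, sizeof buf, 96);
    if (n == 0) { fprintf(stderr, "request does not fit\n"); return 1; }

    int fd = open(dev, O_RDONLY);
    if (fd < 0) { perror(dev); return 1; }
    if (send_scsi_command(fd, buf) != 0) {
        perror("SCSI_IOCTL_SEND_COMMAND");
        close(fd);
        return 1;
    }
    close(fd);

    /* The reply now sits right after the 8-byte header. */
    const unsigned char *reply = buf + sizeof(struct scsi_ioctl_cmd);
    char vendor[9];
    inquiry_vendor(reply, 96, vendor);
    printf("%s: device type %d, vendor \"%s\"\n", dev,
           inquiry_device_type(reply, 96), vendor);
    return 0;
}
```

The point for a reviewer of the series is the trust boundary: everything after `ioctl()` is guest kernel code building a DMA transfer whose size the guest controls, and the emulated controller's PRDT handling in ide_dma_cb() is what has to survive arbitrary values coming out of that path.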