From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Volker Rümelin, Laurent Vivier, Jon Maloy, crazybyte@protonmail.com, Thomas Huth, Gianluca Gabruelli, Mauro Matteo Cascella, Matt Parker, Alexander Bulekov, Paolo Bonzini, Qiuhao Li, Gerd Hoffmann, Martin Schrodt, Li Qiang, Philippe Mathieu-Daudé
Subject: [RFC PATCH 1/3] hw/audio/intel-hda: Do not ignore DMA overrun errors
Date: Sat, 18 Dec 2021 17:09:10 +0100
Message-Id: <20211218160912.1591633-2-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>

Per the "High Definition Audio Specification" manual (rev. 1.0a),
section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status":

  Response Overrun Interrupt Status (RIRBOIS):

  Hardware sets this bit to a 1 when an overrun occurs in the RIRB.
  An interrupt may be generated if the Response Overrun Interrupt
  Control bit is set.

  This bit will be set if the RIRB DMA engine is not able to write
  the incoming responses to memory before additional incoming
  responses overrun the internal FIFO.

  When hardware detects an overrun, it will drop the responses which
  overrun the buffer and set the RIRBOIS status bit to indicate the
  error condition. Optionally, if the RIRBOIC is set, the hardware
  will also generate an error to alert software to the problem.

QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This
function returns a MemTxResult indicating whether the DMA access
was successful.

Handle any MemTxResult error as "DMA engine is not able to write the incoming responses to memory" and raise the Overrun Interrupt flag when this case occurs. Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- hw/audio/intel-hda.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c index 2b55d521503..0c1017edbbf 100644 --- a/hw/audio/intel-hda.c +++ b/hw/audio/intel-hda.c @@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, boo= l solicited, uint32_t res IntelHDAState *d =3D container_of(bus, IntelHDAState, codecs); hwaddr addr; uint32_t wp, ex; + MemTxResult res =3D MEMTX_OK; =20 if (d->ics & ICH6_IRS_BUSY) { dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", 
@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bo= ol solicited, uint32_t res ex =3D (solicited ? 0 : (1 << 4)) | dev->cad; wp =3D (d->rirb_wp + 1) & 0xff; addr =3D intel_hda_addr(d->rirb_lbase, d->rirb_ubase); - stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); - stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + res |=3D stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); + res |=3D stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + if (res !=3D MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { + d->rirb_sts |=3D ICH6_RBSTS_OVERRUN; + intel_hda_update_irq(d); + } d->rirb_wp =3D wp; =20 dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", --=20 2.33.1 From nobody Sun Feb 8 22:42:57 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=philmd@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=philmd@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1639843770; cv=none; d=zohomail.com; s=zohoarc; b=NG6rzL5aTY7WrQEf9haOEd34QyIQNdawMdhbnTdTPSeUQ3wBqriVDVQDq7UVRLU5H4qRmiM7xsxWvQxuHwAXPfkF9/DkgSGBMJrxsUMeTfOFC7UHlB3bu6qklF1OzSlRRgiGx3d4JifqeSxmRu1y7ZzXXAB/e+CUXtcXDPd6hb4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1639843770; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=lm+2VsrdWbkYCrKuR4VdYcv+nYRPOsvJEvTZMZQRV2Y=; b=jdU+dq63lLggBCD12tq0HyG/VptdkCel9cxmwMmjeHs5FvoiBQSVbmRP77TNUIXK/zVW3hajTwQSHbJn454ZRlPjBxvseGk1DFEjx9Ta9D02aTW8h/zAP3tdMUFtvTDXOtX3+XmR+rZVuyJe8xhCg28DqDRdPVm72/ucSYZsGCg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: 
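Review bot: in the second hunk of intel_hda_response(), ICH6_RBSTS_OVERRUN is set only when ICH6_RBCTL_OVERRUN_EN is enabled, but the RIRBSTS text quoted in the commit message says hardware sets RIRBOIS on any overrun and only the interrupt depends on RIRBOIC. A guest that leaves the control bit clear gets no indication that a response was lost. Suggest setting d->rirb_sts |= ICH6_RBSTS_OVERRUN whenever res != MEMTX_OK and gating only the intel_hda_update_irq() call on d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN. Also, d->rirb_wp = wp still runs after a failed write, so the write pointer advances past an entry that was never stored; the quoted text says overrunning responses are dropped, so consider returning before the pointer update on error.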
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Volker Rümelin, Laurent Vivier, Jon Maloy, crazybyte@protonmail.com, Thomas Huth, Gianluca Gabruelli, Mauro Matteo Cascella, Matt Parker, Alexander Bulekov, Paolo Bonzini, Qiuhao Li, Gerd Hoffmann, Martin Schrodt, Li Qiang, Philippe Mathieu-Daudé
Subject: [RFC PATCH 2/3] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices)
Date: Sat, 18 Dec 2021 17:09:11 +0100
Message-Id: <20211218160912.1591633-3-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>

Issue #542 reports a reentrancy problem when the DMA engine accesses
the HDA controller I/O registers. Fix by restricting the DMA engine
to memory regions (forbidding MMIO devices such as the HDA controller).

Reported-by: OSS-Fuzz (Issue 28435)
Reported-by: Alexander Bulekov
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Thomas Huth
---
Likely intel_hda_xfer() and intel_hda_corb_run() should be
restricted too.
---
 hw/audio/intel-hda.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c index 0c1017edbbf..3aa57d274e6 100644 --- a/hw/audio/intel-hda.c +++ b/hw/audio/intel-hda.c
@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) =20 static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32= _t response) { - const MemTxAttrs attrs =3D MEMTXATTRS_UNSPECIFIED; + const MemTxAttrs attrs =3D { .memory =3D true }; HDACodecBus *bus =3D HDA_BUS(dev->qdev.parent_bus); IntelHDAState *d =3D container_of(bus, IntelHDAState, codecs); hwaddr addr; --=20 2.33.1 From nobody Sun Feb 8 22:42:57 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=philmd@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=philmd@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1639843775; cv=none; d=zohomail.com; s=zohoarc; b=nea8jNldtk4NoTF6oMsu9KfUqi56XeDS3q6ZXy7ZV4nww/FGAVdj62+ysCBvjItKcRR8Srw3hVwtJdalkuDjbL6mqczoGgDSZDdRA0zv2OjZTn/0Vnbkuy78TVWdGPJ0mLcxAbmNwMrP1HdA4Uc6YO9GCYBhu0sia8dqM8V8oN4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1639843775; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=mZLLuHODOVtMhLOmlPDrG/zfRVSd45IQnERlOjWYvas=; b=BhO5Yrk9reCwb6Xjd5uKtU0Zx12cad8frd+IWTJiLx9Ygxq9USTJeI+rvLpFGwS1xMJkd66svR5OSCzhSBYgQ5qrqs2rkQRPcd7db/5ptF2a2RVBwxp1N7FbqENv8wHhEgflDKAG+IJQcU2XzP0mct9eRcqH3/YYeyaFzmMm47Q= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=philmd@redhat.com; dmarc=pass header.from= (p=none dis=none) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1639843775831635.0916102914717; 
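Review bot: the switch to { .memory = true } is made only in intel_hda_response(), while the author's own note under the --- says intel_hda_xfer() and intel_hda_corb_run() likely need the same restriction, which suggests those DMA paths are left unrestricted by this patch. Suggest converting them in this patch or in a follow-up within the series, and adding a one-line comment at the attrs declaration saying that the RIRB DMA must target memory and not MMIO, with a pointer to issue #542. Note too that the only consumer of the resulting write failure is the check added in patch 1/3, which does nothing unless ICH6_RBCTL_OVERRUN_EN is set, so a rejected write can be dropped without any guest-visible status.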
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Volker Rümelin, Laurent Vivier, Jon Maloy, crazybyte@protonmail.com, Thomas Huth, Gianluca Gabruelli, Mauro Matteo Cascella, Matt Parker, Alexander Bulekov, Paolo Bonzini, Qiuhao Li, Gerd Hoffmann, Martin Schrodt, Li Qiang, Philippe Mathieu-Daudé
Subject: [RFC PATCH 3/3] tests/qtest/intel-hda-test: Add reproducer for issue #542
Date: Sat, 18 Dec 2021 17:09:12 +0100
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>

Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Thomas Huth
---
 tests/qtest/intel-hda-test.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/tests/qtest/intel-hda-test.c b/tests/qtest/intel-hda-test.c index fc25ccc33cc..a58c98e4d11 100644 --- a/tests/qtest/intel-hda-test.c
+++ b/tests/qtest/intel-hda-test.c @@ -29,11 +29,45 @@ static void ich9_test(void) qtest_end(); } =20 +/* + * https://gitlab.com/qemu-project/qemu/-/issues/542 + * Used to trigger: + * AddressSanitizer: stack-overflow + */ +static void test_issue542_ich6(void) +{ + QTestState *s; + + s =3D qtest_init("-nographic -nodefaults -M pc-q35-6.2 " + "-device intel-hda,id=3D" HDA_ID CODEC_DEVICES); + + qtest_outl(s, 0xcf8, 0x80000804); + qtest_outw(s, 0xcfc, 0x06); + qtest_bufwrite(s, 0xff0d060f, "\x03", 1); + qtest_bufwrite(s, 0x0, "\x12", 1); + qtest_bufwrite(s, 0x2, "\x2a", 1); + qtest_writeb(s, 0x0, 0x12); + qtest_writeb(s, 0x2, 0x2a); + qtest_outl(s, 0xcf8, 0x80000811); + qtest_outl(s, 0xcfc, 0x006a4400); + qtest_bufwrite(s, 0x6a44005a, "\x01", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_quit(s); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/intel-hda/ich6", ich6_test); qtest_add_func("/intel-hda/ich9", ich9_test); + qtest_add_func("/intel-hda/fuzz/issue542", test_issue542_ich6); =20 return g_test_run(); } --=20 2.33.1
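Review bot: test_issue542_ich6() pins the versioned machine type pc-q35-6.2 in its qtest_init() string, which ties the reproducer to one machine version; the unversioned q35 name would keep the test usable as machine versions change. The register writes are raw fuzzer output with no comments: a short note that the 4-byte write of "\x00\x00\x44\x6a" at 0x6a442050 is the value 0x6a440000, which lies in the same 0x6a44xxxx window the other writes treat as device registers, would tell a reader why this sequence re-enters the device. The test has no explicit assertion and passes only by not crashing, which is worth stating in the comment block above it, and the duplicated write groups suggest the sequence could be minimised further.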
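The reentrancy addressed by patch 2/3 and the overrun flag from patch 1/3, reduced to a toy model; this is an added example, not QEMU code and not part of the posted series. Register offsets, bit values, the DEPTH_CAP recursion limit and all type and function names here are made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy model, not QEMU code; offsets and bit values are made up. */
enum { TX_OK = 0, TX_ERROR = 1 };                 /* stands in for MemTxResult */
enum { RAM_SIZE = 0x1000, MMIO_BASE = 0x8000, MMIO_SIZE = 0x100 };
enum { REG_DOORBELL = 0x48, REG_RING_BASE = 0x50 };
enum { CTL_OVERRUN_EN = 1 << 2, STS_OVERRUN = 1 << 2, DEPTH_CAP = 64 };
enum { SELF_RING = MMIO_BASE + REG_DOORBELL - 8 };  /* ring slot 1 = doorbell */

typedef struct { bool memory; } Attrs;            /* models MemTxAttrs.memory */
typedef struct {
    uint8_t  ram[RAM_SIZE];
    uint32_t ring_base, wp, ctl, sts;
    Attrs    dma_attrs;          /* attributes the device uses for its DMA */
    int      depth, max_depth;   /* nesting of MMIO write -> DMA -> MMIO write */
} Machine;
static void dev_mmio_write(Machine *m, uint32_t off, uint32_t val);

/* Bus write: RAM is always reachable, device registers only if attrs allow. */
static int bus_write32(Machine *m, uint32_t addr, uint32_t val, Attrs a)
{
    if (addr <= RAM_SIZE - 4) {
        memcpy(&m->ram[addr], &val, 4);
        return TX_OK;
    }
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE && !a.memory) {
        dev_mmio_write(m, addr - MMIO_BASE, val);
        return TX_OK;
    }
    return TX_ERROR;             /* unmapped, or MMIO refused for memory-only */
}

/* Response path shaped like the patched intel_hda_response(). */
static void dev_response(Machine *m, uint32_t response)
{
    uint32_t wp = (m->wp + 1) & 0xff;
    int res = bus_write32(m, m->ring_base + 8 * wp, response, m->dma_attrs);
    if (res != TX_OK && (m->ctl & CTL_OVERRUN_EN)) {
        m->sts |= STS_OVERRUN;
    }
    m->wp = wp;   /* committed after the DMA, so a nested call reuses the slot */
}

static void dev_mmio_write(Machine *m, uint32_t off, uint32_t val)
{
    if (off == REG_RING_BASE) {
        m->ring_base = val;
    } else if (off == REG_DOORBELL) {
        m->depth++;
        m->max_depth = m->depth > m->max_depth ? m->depth : m->max_depth;
        if (m->depth < DEPTH_CAP) {   /* cap stands in for the host stack limit */
            dev_response(m, 0xabcd0000u | val);
        }
        m->depth--;
    }
}

/* The guest programs the ring base, then writes the doorbell once. */
static Machine run(uint32_t ring_base, bool memory_only)
{
    Machine m = { .ctl = CTL_OVERRUN_EN, .dma_attrs = { memory_only } };
    bus_write32(&m, MMIO_BASE + REG_RING_BASE, ring_base, (Attrs){ false });
    bus_write32(&m, MMIO_BASE + REG_DOORBELL, 1, (Attrs){ false });
    return m;
}

int main(void)
{
    Machine bad = run(SELF_RING, false), fixed = run(SELF_RING, true);
    printf("unrestricted: depth %d; memory-only: depth %d, sts %#x\n",
           bad.max_depth, fixed.max_depth, (unsigned)fixed.sts);
    return 0;
}
```

With unrestricted attributes the nesting runs until the cap, which is the model's stand-in for the stack overflow in the ASan trace; with memory-only attributes the DMA write fails at depth 1 and the overrun status bit is set.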