From patchwork Sat Dec 18 16:09:10 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 12686155
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 1/3] hw/audio/intel-hda: Do not ignore DMA overrun errors
Date: Sat, 18 Dec 2021 17:09:10 +0100
Message-Id: <20211218160912.1591633-2-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>
Cc: Laurent Vivier, Martin Schrodt, Thomas Huth, Gianluca Gabruelli, Volker Rümelin, Li Qiang, Mauro Matteo Cascella, Qiuhao Li, Jon Maloy, Alexander Bulekov, Paolo Bonzini, Gerd Hoffmann, crazybyte@protonmail.com, Matt Parker, Philippe Mathieu-Daudé

Per the "High Definition Audio Specification" manual (rev. 1.0a),
section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status":

  Response Overrun Interrupt Status (RIRBOIS): Hardware sets this bit
  to a 1 when an overrun occurs in the RIRB. An interrupt may be
  generated if the Response Overrun Interrupt Control bit is set.
  This bit will be set if the RIRB DMA engine is not able to write the
  incoming responses to memory before additional incoming responses
  overrun the internal FIFO. When hardware detects an overrun, it will
  drop the responses which overrun the buffer and set the RIRBOIS
  status bit to indicate the error condition. Optionally, if the
  RIRBOIC is set, the hardware will also generate an error to alert
  software to the problem.

QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This
function returns a MemTxResult indicating whether the DMA access was
successful. Handle any MemTxResult error as "DMA engine is not able to
write the incoming responses to memory" and raise the Overrun Interrupt
flag when this case occurs.

Signed-off-by: Philippe Mathieu-Daudé
---
 hw/audio/intel-hda.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index 2b55d521503..0c1017edbbf 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res IntelHDAState *d = container_of(bus, IntelHDAState, codecs); hwaddr addr; uint32_t wp, ex; + MemTxResult res = MEMTX_OK; if (d->ics & ICH6_IRS_BUSY) { dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n",
@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res ex = (solicited ? 0 : (1 << 4)) | dev->cad; wp = (d->rirb_wp + 1) & 0xff; addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); - stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); - stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); + res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { + d->rirb_sts |= ICH6_RBSTS_OVERRUN; + intel_hda_update_irq(d); + } d->rirb_wp = wp; dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
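Review bot: the combined condition `if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN))` in this hunk ties the RIRBOIS status bit to the interrupt enable, whereas the spec text quoted in the commit message says hardware sets the bit whenever an overrun occurs and only the interrupt depends on RIRBOIC; suggest `if (res != MEMTX_OK) { d->rirb_sts |= ICH6_RBSTS_OVERRUN; if (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN) { intel_hda_update_irq(d); } }` so a driver polling RIRBSTS still sees the error. Two smaller points: the second `stl_le_pci_dma()` is still issued after the first one failed, and `d->rirb_wp = wp` advances the write pointer although the spec says overrun responses are dropped; a sentence in the commit message saying both are intentional would avoid the question coming back.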

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 2/3] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO devices)
Date: Sat, 18 Dec 2021 17:09:11 +0100
Message-Id: <20211218160912.1591633-3-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>
Cc: Laurent Vivier, Martin Schrodt, Thomas Huth, Gianluca Gabruelli, Volker Rümelin, Li Qiang, Mauro Matteo Cascella, Qiuhao Li, Jon Maloy, Alexander Bulekov, Paolo Bonzini, Gerd Hoffmann, crazybyte@protonmail.com, Matt Parker, Philippe Mathieu-Daudé

Issue #542 reports a reentrancy problem when the DMA engine accesses
the HDA controller I/O registers. Fix by restricting the DMA engine to
memory regions (forbidding MMIO devices such as the HDA controller).

Reported-by: OSS-Fuzz (Issue 28435)
Reported-by: Alexander Bulekov
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Thomas Huth
---
Likely intel_hda_xfer() and intel_hda_corb_run() should be restricted too.
---
 hw/audio/intel-hda.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index 0c1017edbbf..3aa57d274e6 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) { - const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + const MemTxAttrs attrs = { .memory = true }; HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); IntelHDAState *d = container_of(bus, IntelHDAState, codecs); hwaddr addr;
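Review bot: `{ .memory = true }` replaces MEMTXATTRS_UNSPECIFIED only in intel_hda_response(), and the note under the sign-off already says intel_hda_xfer() and intel_hda_corb_run() likely need the same restriction; since those paths use the same DMA helpers, converting them in this series (or stating why they are safe as they are) is preferable to leaving the device half restricted. The hunk also does not show what the DMA layer does with a RAM-only attribute that reaches a device region, so the commit message should say that such a store now fails with a MemTxResult error, which after 1/3 surfaces to the guest as a RIRB overrun instead of dispatching into the controller's own registers.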
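As an added illustration (not code from this series or from QEMU), the following C model puts the two controller-side changes together: a failed DMA store is turned into a RIRB overrun as in 1/3, and a RAM-only attribute refuses the controller's own MMIO window as in 2/3, with the re-entrant register write bounded instead of overflowing the stack. The type and register names follow the patches, but the bit values, the MMIO window, the response value and the bounded re-entry are assumptions; it also sets RIRBOIS independently of the interrupt enable, following the spec text quoted in 1/3 rather than the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the HDA RIRB response write path; not QEMU code. */
typedef enum { MEMTX_OK = 0, MEMTX_ERROR = 1, MEMTX_DECODE_ERROR = 2 } MemTxResult;
typedef struct { bool memory; } MemTxAttrs;   /* .memory: RAM-only transfer (patch 2/3) */

#define RAM_SIZE  0x2000u
#define MMIO_BASE 0x6a440000u   /* assumed BAR window of the controller itself */
#define MMIO_SIZE 0x4000u
#define RBCTL_OVERRUN_EN 0x01   /* names follow the patch, bit values are assumed */
#define RBSTS_OVERRUN    0x04
#define MAX_DEPTH 8             /* bound standing in for the real stack overflow */

typedef struct HdaModel {
    uint8_t  ram[RAM_SIZE];
    uint64_t rirb_base;          /* RIRB DMA base programmed by the guest driver */
    uint8_t  rirb_wp, rirb_ctl, rirb_sts;
    int      irqs;               /* interrupts raised by the model */
    int      depth, max_depth;   /* re-entrancy bookkeeping for the MMIO path */
} HdaModel;

static void hda_response(HdaModel *d, uint32_t response, MemTxAttrs attrs);

/* A guest-visible register write re-runs CORB processing, which emits another
 * response and so another DMA store: the loop visible in the ASan trace of 3/3. */
static void hda_mmio_write(HdaModel *d, MemTxAttrs attrs)
{
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    if (d->depth < MAX_DEPTH) hda_response(d, 0xdead, attrs);
    d->depth--;
}

/* Bus-level 32-bit little-endian store: RAM, the controller's own MMIO, or unmapped. */
static MemTxResult stl_le_dma(HdaModel *d, uint64_t addr, uint32_t v, MemTxAttrs attrs)
{
    if (addr + 4 <= RAM_SIZE) {
        uint8_t le[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
        memcpy(&d->ram[addr], le, 4);
        return MEMTX_OK;
    }
    if (addr >= MMIO_BASE && addr + 4 <= MMIO_BASE + MMIO_SIZE) {
        if (attrs.memory) return MEMTX_ERROR;   /* 2/3: RAM-only access may not hit a device */
        hda_mmio_write(d, attrs);               /* before 2/3: dispatched like a guest access */
        return MEMTX_OK;
    }
    return MEMTX_DECODE_ERROR;                  /* nothing mapped there */
}

/* Response path as in 1/3, except that RIRBOIS is set on every overrun and only
 * the interrupt depends on the enable bit, as the spec text quoted in 1/3 says. */
static void hda_response(HdaModel *d, uint32_t response, MemTxAttrs attrs)
{
    uint8_t wp = (uint8_t)((d->rirb_wp + 1) & 0xff);
    MemTxResult res = MEMTX_OK;
    res |= stl_le_dma(d, d->rirb_base + 8 * wp, response, attrs);
    res |= stl_le_dma(d, d->rirb_base + 8 * wp + 4, 0, attrs);
    if (res != MEMTX_OK) {
        d->rirb_sts |= RBSTS_OVERRUN;
        if (d->rirb_ctl & RBCTL_OVERRUN_EN) d->irqs++;
    }
    d->rirb_wp = wp;
}

/* Reset the model, point the RIRB at `base`, deliver one response; returns the
 * deepest re-entry reached (0 means the DMA never came back into the device). */
static int run_response(HdaModel *d, uint64_t base, bool ram_only, bool irq_en)
{
    memset(d, 0, sizeof *d);
    d->rirb_base = base;
    d->rirb_ctl = irq_en ? RBCTL_OVERRUN_EN : 0;
    hda_response(d, 0x1234, (MemTxAttrs){ .memory = ram_only });
    return d->max_depth;
}
```

Calling run_response() with a RAM address, with the MMIO window without and with the RAM-only attribute, and with an unmapped address shows respectively a clean write, the bounded re-entry, and an overrun reported with or without an interrupt.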

From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 3/3] tests/qtest/intel-hda-test: Add reproducer for issue #542
Date: Sat, 18 Dec 2021 17:09:12 +0100
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
In-Reply-To: <20211218160912.1591633-1-philmd@redhat.com>
References: <20211218160912.1591633-1-philmd@redhat.com>
Cc: Laurent Vivier, Martin Schrodt, Thomas Huth, Gianluca Gabruelli, Volker Rümelin, Li Qiang, Mauro Matteo Cascella, Qiuhao Li, Jon Maloy, Alexander Bulekov, Paolo Bonzini, Gerd Hoffmann, crazybyte@protonmail.com, Matt Parker, Philippe Mathieu-Daudé

Include the qtest reproducer provided by Alexander Bulekov in
https://gitlab.com/qemu-project/qemu/-/issues/542.

Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé
Acked-by: Thomas Huth
---
 tests/qtest/intel-hda-test.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/tests/qtest/intel-hda-test.c b/tests/qtest/intel-hda-test.c
index fc25ccc33cc..a58c98e4d11 100644
--- a/tests/qtest/intel-hda-test.c
+++ b/tests/qtest/intel-hda-test.c
@@ -29,11 +29,45 @@ static void ich9_test(void) qtest_end(); } +/* + * https://gitlab.com/qemu-project/qemu/-/issues/542 + * Used to trigger: + * AddressSanitizer: stack-overflow + */ +static void test_issue542_ich6(void) +{ + QTestState *s; + + s = qtest_init("-nographic -nodefaults -M pc-q35-6.2 " + "-device intel-hda,id=" HDA_ID CODEC_DEVICES); + + qtest_outl(s, 0xcf8, 0x80000804); + qtest_outw(s, 0xcfc, 0x06); + qtest_bufwrite(s, 0xff0d060f, "\x03", 1); + qtest_bufwrite(s, 0x0, "\x12", 1); + qtest_bufwrite(s, 0x2, "\x2a", 1); + qtest_writeb(s, 0x0, 0x12); + qtest_writeb(s, 0x2, 0x2a); + qtest_outl(s, 0xcf8, 0x80000811); + qtest_outl(s, 0xcfc, 0x006a4400); + qtest_bufwrite(s, 0x6a44005a, "\x01", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_bufwrite(s, 0x6a44005c, "\x02", 1); + qtest_bufwrite(s, 0x6a442050, "\x00\x00\x44\x6a", 4); + qtest_bufwrite(s, 0x6a44204a, "\x01", 1); + qtest_bufwrite(s, 0x6a44204c, "\x02", 1); + qtest_quit(s); +} + int main(int argc, char **argv) { g_test_init(&argc, &argv, NULL); qtest_add_func("/intel-hda/ich6", ich6_test); qtest_add_func("/intel-hda/ich9", ich9_test); + qtest_add_func("/intel-hda/fuzz/issue542", test_issue542_ich6); return g_test_run(); }
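Review bot: the new function is named test_issue542_ich6 and registered under /intel-hda/fuzz/issue542, but it starts `-M pc-q35-6.2`, a Q35 machine, so the suffix does not match the ich6/ich9 naming of the existing tests; rename it (test_issue542_q35 or plain test_issue542) and, since the comment only says what it "Used to trigger", add what is expected now (the write sequence completes and qtest_quit() returns without the recursion). Pinning the versioned pc-q35-6.2 machine also ties the test to that compat profile; if the recursion does not depend on 6.2 properties, `-M q35` is more robust. Finally the sequence repeats several writes (`qtest_bufwrite(s, 0x0, "\x12", 1)` followed by `qtest_writeb(s, 0x0, 0x12)`, and the block from `qtest_bufwrite(s, 0x6a44005c, "\x02", 1)` to `qtest_bufwrite(s, 0x6a44204c, "\x02", 1)` appears twice); that is acceptable for a fuzzer-derived reproducer, but a minimised version would document which register writes actually matter.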