[PATCH 0/2] audio: prevent a class of guest-triggered aborts

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 0/2] audio: prevent a class of guest-triggered aborts

From:	Volker Rümelin
Subject:	[PATCH 0/2] audio: prevent a class of guest-triggered aborts
Date:	Sat, 17 Sep 2022 15:15:04 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0

The issues with guest-triggered aborts started with commit ab32b78cd1"audio: Simplify audio_bug() removing old code" which introduced anabort() in function audio_bug(). The abort() was there before, but itwas only compiled in for debugging purposes.

After this commit issue https://bugs.launchpad.net/bugs/1910603 showedup. This bug was mitigated with commits a2cd86a94a ("hw/audio/sb16:Avoid assertion by restricting I/O sampling rate range") and 60e543f5ce("hw/audio/sb16: Restrict I/O sampling rate range for command 41h/42h").The issue was only mitigated because I can still trigger the same abort.


To reproduce start a FreeDOS QEMU guest with:

./qemu-system-i386 -machine pc,pcspk-audiodev=audio0 \
 -device sb16,audiodev=audio0 \

-audiodevpa,id=audio0,timer-period=170,out.mixing-engine=on,out.buffer-length=181 \

 -drive ...

On the guest enter the out port sequence from launchpad bug #1910603:
C:\> debug
-o 22c 41
-o 22c 0
-o 22c 4
-o 22c 1c

On the host:
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
audio_pcm_sw_alloc_resources_out passed invalid arguments to audio_calloc
nmemb=0 size=16 (len=0)
Aborted (core dumped)

Here is another example to trigger the same abort. Start a Linux guestwith an AC97 audio device:


./qemu-system-x86_64 -machine q35,pcspk-audiodev=audio0 \
 -device AC97,bus=pcie.0,addr=0x1b,audiodev=audio0 \
 -audiodev pa,id=audio0 \
 - ...

Open a shell on the guest:
~>sudo lspci -s '00:1b.0' -nn -vv

00:1b.0 Multimedia audio controller [0401]: Intel Corporation 82801AAAC'97 Audio Controller [8086:2415] (rev 01)

    Subsystem: Red Hat, Inc. QEMU Virtual Machine [1af4:1100]

Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-Stepping- SERR+ FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort-<TAbort- <MAbort- >SERR- <PERR- INTx-

    Latency: 0
    Interrupt: pin A routed to IRQ 16
    Region 0: I/O ports at c000 [size=1K]
    Region 1: I/O ports at c400 [size=256]
    Kernel driver in use: snd_intel8x0
    Kernel modules: snd_intel8x0

~># IOBAR0 + 0x2c
~>sudo outw 0xc02c 1

On the host:
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
audio_pcm_sw_alloc_resources_out passed invalid arguments to audio_calloc
nmemb=0 size=16 (len=0)
Aborted (core dumped)

Remove the abort() in audio_bug() to avoid this class of guest-triggeredaborts.


Volker Rümelin (2):
  Revert "audio: Log context for audio bug"
  audio: remove abort() in audio_bug()

 audio/audio.c          | 24 ++++++++++++------------
 audio/audio_template.h | 27 +++++++++++++++------------
 2 files changed, 27 insertions(+), 24 deletions(-)

--
2.35.3

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/2] audio: prevent a class of guest-triggered aborts, Volker Rümelin <=
- [PATCH 1/2] Revert "audio: Log context for audio bug", Volker Rümelin, 2022/09/17
- [PATCH 2/2] audio: remove abort() in audio_bug(), Volker Rümelin, 2022/09/17

Prev by Date: Re: [PATCH 2/4] target/m68k: increase size of m68k CPU features from uint32_t to uint64_t
Next by Date: [PATCH 1/2] Revert "audio: Log context for audio bug"
Previous by thread: [PATCH] Remove unused MAX_IDE_BUS define
Next by thread: [PATCH 1/2] Revert "audio: Log context for audio bug"
Index(es):
- Date
- Thread