From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Sat, 18 Dec 2021 17:09:10 +0100
Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Per the "High Definition Audio Specification" manual (rev. 1.0a),
section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status":

  Response Overrun Interrupt Status (RIRBOIS):

  Hardware sets this bit to a 1 when an overrun occurs in the RIRB.
  An interrupt may be generated if the Response Overrun Interrupt
  Control bit is set.

  This bit will be set if the RIRB DMA engine is not able to write
  the incoming responses to memory before additional incoming
  responses overrun the internal FIFO.

  When hardware detects an overrun, it will drop the responses which
  overrun the buffer and set the RIRBOIS status bit to indicate the
  error condition. Optionally, if the RIRBOIC is set, the hardware
  will also generate an error to alert software to the problem.

QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This
function returns a MemTxResult indicating whether the DMA access
was successful.
Handle any MemTxResult error as "DMA engine is not able to write the
incoming responses to memory" and raise the Overrun Interrupt flag
when this case occurs.

CVE: CVE-2021-3611
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40]

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211218160912.1591633-2-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
---
 hw/audio/intel-hda.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index 5f8a878..47a36ac 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
     IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
     hwaddr addr;
     uint32_t wp, ex;
+    MemTxResult res = MEMTX_OK;
 
     if (d->ics & ICH6_IRS_BUSY) {
         dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n",
@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res
     ex = (solicited ? 0 : (1 << 4)) | dev->cad;
     wp = (d->rirb_wp + 1) & 0xff;
     addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
-    stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
-    stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
+    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
+    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
+    if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) {
+        d->rirb_sts |= ICH6_RBSTS_OVERRUN;
+        intel_hda_update_irq(d);
+    }
     d->rirb_wp = wp;
 
     dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
-- 
1.8.3.1

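Review bot: The overrun status bit is only recorded when the interrupt-enable bit is set, because the new `if` in the second hunk ANDs `res != MEMTX_OK` with `d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN` before setting `d->rirb_sts |= ICH6_RBSTS_OVERRUN`; the spec text quoted in the description says RIRBOIS is set whenever an overrun occurs and only the interrupt is conditional on RIRBOIC, so a guest that polls RIRBSTS with the interrupt disabled never sees the failed DMA. Setting the status bit unconditionally on a bad `MemTxResult` and gating only the `intel_hda_update_irq(d)` call on the enable bit matches the quoted behaviour and keeps the error visible; whether `intel_hda_update_irq()` itself re-checks the enable bit is not visible in this hunk, so the inner check may be redundant but is harmless. A comment such as `/* status is always latched; the IRQ is optional per RIRBOIC */` above the block would make the split explicit. The body of `intel_hda_response` starts before and continues after both hunks.
```c
    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs);
    res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs);
    if (res != MEMTX_OK) {
        /* status is always latched; the IRQ is optional per RIRBOIC */
        d->rirb_sts |= ICH6_RBSTS_OVERRUN;
        if (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN) {
            intel_hda_update_irq(d);
        }
    }
    /* … unchanged: write-pointer update and dprint … */
```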