The issues with guest-triggered aborts started with commit ab32b78cd1
"audio: Simplify audio_bug() removing old code" which introduced an
abort() in function audio_bug(). The abort() was there before, but it
was only compiled in for debugging purposes.
After this commit, issue https://bugs.launchpad.net/bugs/1910603 showed
up. This bug was mitigated with commits a2cd86a94a ("hw/audio/sb16:
Avoid assertion by restricting I/O sampling rate range") and 60e543f5ce
("hw/audio/sb16: Restrict I/O sampling rate range for command 41h/42h").
The issue was only mitigated because I can still trigger the same abort.
To reproduce start a FreeDOS QEMU guest with:
./qemu-system-i386 -machine pc,pcspk-audiodev=audio0 \
-device sb16,audiodev=audio0 \
-audiodev pa,id=audio0,timer-period=170,out.mixing-engine=on,out.buffer-length=181 \
-drive ...
On the guest enter the out port sequence from launchpad bug #1910603:
C:\> debug
-o 22c 41
-o 22c 0
-o 22c 4
-o 22c 1c
On the host:
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
audio_pcm_sw_alloc_resources_out passed invalid arguments to audio_calloc
nmemb=0 size=16 (len=0)
Aborted (core dumped)
Here is another example to trigger the same abort. Start a Linux guest
with an AC97 audio device:
./qemu-system-x86_64 -machine q35,pcspk-audiodev=audio0 \
-device AC97,bus=pcie.0,addr=0x1b,audiodev=audio0 \
-audiodev pa,id=audio0 \
- ...
Open a shell on the guest:
~>sudo lspci -s '00:1b.0' -nn -vv
00:1b.0 Multimedia audio controller [0401]: Intel Corporation 82801AA AC'97 Audio Controller [8086:2415] (rev 01)
	Subsystem: Red Hat, Inc. QEMU Virtual Machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 16
	Region 0: I/O ports at c000 [size=1K]
	Region 1: I/O ports at c400 [size=256]
	Kernel driver in use: snd_intel8x0
	Kernel modules: snd_intel8x0
~># IOBAR0 + 0x2c
~>sudo outw 0xc02c 1
On the host:
A bug was just triggered in audio_calloc
Save all your work and restart without audio
I am sorry
Context:
audio_pcm_sw_alloc_resources_out passed invalid arguments to audio_calloc
nmemb=0 size=16 (len=0)
Aborted (core dumped)
Remove the abort() in audio_bug() to avoid this class of guest-triggered
aborts.
Volker Rümelin (2):
Revert "audio: Log context for audio bug"
audio: remove abort() in audio_bug()
audio/audio.c | 24 ++++++++++++------------
audio/audio_template.h | 27 +++++++++++++++------------
2 files changed, 27 insertions(+), 24 deletions(-)
--
2.35.3
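The cover letter's point is that a guest-controlled value (a sampling rate that yields a zero-length buffer) must surface as a failed stream open, not as an abort() of the host process. The following is an added example, not QEMU's code and not part of the series above: the names audio_bug_noabort(), audio_calloc_checked(), sw_alloc_resources_out() and try_alloc_out() are hypothetical stand-ins modelled on the log lines quoted in the letter (a checked allocator that rejects nmemb=0 size=16 and a caller that propagates the failure). It reproduces the logging the letter shows but returns NULL and an error code where the pre-series code would have called abort().

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an audio_bug()-style check: log the context and
 * return the condition so the caller can fail gracefully. The abort() that the
 * cover letter describes removing is deliberately absent here, so a guest
 * cannot turn an invalid argument into a host-side crash. */
static int audio_bug_noabort(const char *funcname, int cond)
{
    if (cond) {
        static int shown;
        fprintf(stderr, "A bug was just triggered in %s\n", funcname);
        if (!shown) {
            shown = 1;
            fprintf(stderr, "Save all your work and restart without audio\n");
            fprintf(stderr, "I am sorry\n");
        }
        fprintf(stderr, "Context:\n");
    }
    return cond;
}

/* Hypothetical checked allocator in the role of the audio_calloc() call from the
 * letter: rejects nmemb == 0, size == 0, negative nmemb and a wrapped product,
 * logs the same context as the quoted output, and returns NULL instead of
 * aborting. */
void *audio_calloc_checked(const char *funcname, int nmemb, size_t size)
{
    size_t len = (size_t)nmemb * size;
    int cond = !nmemb || !size;
    cond |= nmemb < 0;
    cond |= len < size;          /* multiplication overflowed */

    if (audio_bug_noabort("audio_calloc", cond)) {
        fprintf(stderr, "%s passed invalid arguments to audio_calloc\n", funcname);
        fprintf(stderr, "nmemb=%d size=%zu (len=%zu)\n", nmemb, size, len);
        return NULL;
    }
    return calloc((size_t)nmemb, size);
}

/* Hypothetical caller in the role of audio_pcm_sw_alloc_resources_out(): the
 * guest-chosen sample count decides the buffer length. A zero length must be
 * reported to the caller as -1 (stream open fails); 0 means success and the
 * buffer is handed back through buf_out. */
int sw_alloc_resources_out(int samples, void **buf_out)
{
    const size_t sample_size = 16;    /* size=16 as in the reported log */
    void *buf = audio_calloc_checked("sw_alloc_resources_out", samples, sample_size);
    if (!buf) {
        *buf_out = NULL;
        return -1;
    }
    *buf_out = buf;
    return 0;
}

/* Convenience wrapper: returns the result code of sw_alloc_resources_out() and
 * releases any buffer it produced. */
int try_alloc_out(int samples)
{
    void *buf = NULL;
    int rc = sw_alloc_resources_out(samples, &buf);
    free(buf);
    return rc;
}

int main(void)
{
    /* nmemb=0 size=16 (len=0): the guest-triggered case from the cover letter */
    printf("len=0 case: rc=%d (process still alive)\n", try_alloc_out(0));
    printf("normal case: rc=%d\n", try_alloc_out(4));
    return 0;
}
```

The first call prints the same "A bug was just triggered in audio_calloc" context as the letter, but the process continues and the caller sees -1; the second call succeeds. The overflow check (len < size) is the reason the allocator takes nmemb and size separately rather than a precomputed byte count.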