This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

Support J327AP devices #37

Closed
asdfugil opened this issue Mar 21, 2022 · 11 comments
Labels
wontfix This will not be worked on

Comments

@asdfugil

asdfugil commented Mar 21, 2022

J327AP is AppleDisplay2,1 aka Studio Display
Currently, the kernel can boot to restored (not restored_external), and such a restore could be attempted.
There is a failed kernel patch: qemu-system-aarch64: Missing patch: AKSUC_handle, which is probably related to the problem below.
Anyways, the system successfully boots to ramdisk with bash running.
The firmware can be obtained from here, which is DarwinOS 15.4, although sw_vers still outputs iPhone OS.
Now, this is an OTA update, but the AssetData/ directory in it has the structure of an IPSW.
The problem
Stuck trying to create protected filesystems
To reproduce

  1. Extract the OTA update
  2. cd to the AssetData directory in the OTA update; we want to edit BuildManifest.plist such that idevicerestore will restore it.
  3. Create display.der with create_apticket.py, the board config should be j327ap
  4. In BuildManifest.plist, under SupportedProductTypes, change AppleDisplay2,1 to iPhone12,1
  5. ...under DeviceClass, change J327AP to N104AP
  6. Zip up every file in the AssetData directory to create a display.ipsw file
  7. Create the qemu boot command, using the 018-26834-343.dmg file, which is a FactoryRamDisk, as the other one (FactorySupportRamDisk) does not seem to have restored. The following is my boot command:
${HOME}/qemu-t8030/build/qemu-system-x86_64 -smp 4 -m 768 \
-machine q35 \
-device virtio-vga,xres=640,yres=480 \
-enable-kvm \
-cpu qemu64 \
-usb \
-device usb-ehci,id=ehci \
-device usb-tcp-remote,bus=ehci.0 \
-drive file=${HOME}/vm_images/kali.qcow2 \
-net user,hostfwd=tcp::8122-:22 \
-net nic \
-monitor telnet:127.0.0.1:1236,server,nowait &
sleep 1
${HOME}/qemu-t8030/build/qemu-system-aarch64 -s -M t8030,trustcache-filename=018-26834-343.dmg.trustcache.out,ticket-filename=root_ticket.der \
-kernel kernelcache.release.j327.out \
-dtb DeviceTree.j327ap.im4p \
-append "kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1 wdt=-1" \
-initrd '018-26834-343.dmg.out'   \
-cpu max -smp 4 \
-m 2G -serial mon:stdio \
-drive file=nvme.1,format=raw,if=none,id=drive.1 \
-device nvme-ns,drive=drive.1,bus=nvme-bus.0,nsid=1,nstype=1,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvram,if=none,format=raw,id=nvram \
-device apple-nvram,drive=nvram,bus=nvme-bus.0,nsid=5,nstype=5,id=nvram,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.2,format=raw,if=none,id=drive.2 \
-device nvme-ns,drive=drive.2,bus=nvme-bus.0,nsid=2,nstype=2,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.3,format=raw,if=none,id=drive.3 \
-device nvme-ns,drive=drive.3,bus=nvme-bus.0,nsid=3,nstype=3,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.4,format=raw,if=none,id=drive.4 \
-device nvme-ns,drive=drive.4,bus=nvme-bus.0,nsid=4,nstype=4,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.6,format=raw,if=none,id=drive.6 \
-device nvme-ns,drive=drive.6,bus=nvme-bus.0,nsid=6,nstype=6,logical_block_size=4096,physical_block_size=4096 \
-drive file=nvme.7,format=raw,if=none,id=drive.7 \
-device nvme-ns,drive=drive.7,bus=nvme-bus.0,nsid=7,nstype=8,logical_block_size=4096,physical_block_size=4096 \
-monitor telnet:127.0.0.1:1235,server,nowait
  8. (Optional) modify the ramdisk and add a shell and stuff
  9. In the Linux VM, the device should show up as Apple Inc.,
  10. Try to restore the device: idevicerestore -P -d --erase --restore-mode -i 0x1122334455667788 display.ipsw -T display.der
  11. Wait until it reaches 97%
  12. Stuck trying to create protected filesystem
    Related restored log:
[08:19:36.0505-GMT]{4>9} CHECKPOINT BEGIN: (null):[0x0674] create_protected_filesystems
restore-step-ids = {0x1103067B:77;0x11030674:135}
restore-step-names = {0x1103067B:perform_restore_installing;0x11030674:create_protected_
filesystems}
restore-step-uptime = 217
restore-step-user-progress = 97
entering create_protected_filesystems
ramrod_display_set_granular_progress_forced: 97.000000
content-protect property not found
encryptable property not found
creating class d key for /mnt2

idevicerestore log:

Requesting EAN Data (74)
Creating Protected Volume (67)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
FDR 0x5586d0a342c0 timeout waiting for command
FDR 0x5586d0a342c0 waiting for message...
No data to read (timeout)

Full serial output
Full idevicerestore log
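Steps 2 to 6 of the reproduction above (rewrite the identifiers in BuildManifest.plist, then zip AssetData into an IPSW) as an added, stand-alone example; this is not code from the issue or from the qemu-t8030 project. The manifest embedded below is constructed for the example and carries only the keys the script touches (real manifests have many more, which plistlib round-trips untouched); the product and device-class maps are the ones the steps name, and create_apticket.py is out of scope here.

```python
"""Added example (not qemu-t8030 project code): rewrite SupportedProductTypes
and DeviceClass in a BuildManifest.plist, then zip an AssetData tree into an
IPSW-style archive with the manifest at the archive root."""
import os
import plistlib
import tempfile
import zipfile

# Constructed sample: the subset of BuildManifest.plist keys this script edits.
SAMPLE_MANIFEST = plistlib.dumps({
    "ProductVersion": "15.4",
    "SupportedProductTypes": ["AppleDisplay2,1"],
    "BuildIdentities": [
        {"Info": {"DeviceClass": "J327AP", "RestoreBehavior": "Erase"}},
        {"Info": {"DeviceClass": "J327AP", "RestoreBehavior": "Update"}},
    ],
})


def patch_build_manifest(data: bytes, product_map: dict, class_map: dict) -> bytes:
    """Return a new plist with SupportedProductTypes and every
    BuildIdentities[*].Info.DeviceClass rewritten through the given maps.
    Unmapped values stay as they are; if nothing matched at all, fail loudly
    so a typo in the maps cannot silently yield an unchanged IPSW."""
    manifest = plistlib.loads(data)
    changed = 0
    types = manifest.get("SupportedProductTypes", [])
    for i, t in enumerate(types):
        if t in product_map:
            types[i] = product_map[t]
            changed += 1
    for ident in manifest.get("BuildIdentities", []):
        info = ident.get("Info", {})
        dc = info.get("DeviceClass")
        if dc in class_map:
            info["DeviceClass"] = class_map[dc]
            changed += 1
    if changed == 0:
        raise ValueError("no SupportedProductTypes/DeviceClass entry matched the maps")
    return plistlib.dumps(manifest)


def build_ipsw(asset_dir: str, out_path: str) -> list:
    """Zip every file under asset_dir, with paths relative to asset_dir so
    BuildManifest.plist lands at the archive root. Stored uncompressed, as
    IPSW files are. Returns the sorted member names for checking."""
    names = []
    with zipfile.ZipFile(out_path, "w", compression=zipfile.ZIP_STORED) as zf:
        for root, _dirs, files in os.walk(asset_dir):
            for f in sorted(files):
                full = os.path.join(root, f)
                arc = os.path.relpath(full, asset_dir).replace(os.sep, "/")
                zf.write(full, arc)
                names.append(arc)
    return sorted(names)


def identifiers(data: bytes) -> tuple:
    """Inspect a manifest: (SupportedProductTypes list, set of DeviceClass values)."""
    m = plistlib.loads(data)
    classes = {i["Info"]["DeviceClass"] for i in m.get("BuildIdentities", [])}
    return list(m.get("SupportedProductTypes", [])), classes


def demo() -> tuple:
    """Patch the constructed manifest, lay out a fake AssetData tree in a temp
    directory, zip it, and return (archive members, identifiers after patching)."""
    patched = patch_build_manifest(
        SAMPLE_MANIFEST,
        product_map={"AppleDisplay2,1": "iPhone12,1"},
        class_map={"J327AP": "N104AP"},
    )
    with tempfile.TemporaryDirectory() as d:
        asset = os.path.join(d, "AssetData")
        os.makedirs(os.path.join(asset, "Firmware"))
        with open(os.path.join(asset, "BuildManifest.plist"), "wb") as fh:
            fh.write(patched)
        with open(os.path.join(asset, "Firmware", "dummy.im4p"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real payload")
        names = build_ipsw(asset, os.path.join(d, "display.ipsw"))
    return names, identifiers(patched)


if __name__ == "__main__":
    members, ids = demo()
    print("members:", members)
    print("patched identifiers:", ids)
```

For a real OTA, point build_ipsw at the extracted AssetData directory and feed patch_build_manifest the bytes of its BuildManifest.plist; the check in identifiers() is the quick way to confirm the product type and device class idevicerestore will see before starting a restore.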

@TrungNguyen1909
Owner

Ayyyeee, Yes, the missing patch was made to specifically address this issue.

I don't really see any usage for supporting a display though. Does that even run apps or something? This, in fact, made me go to Apple's website to check.

@asdfugil
Author

No, it cannot run non-apple code (when not hacked)

@iarchiveml

It could be useful for security research....

@asdfugil
Author

asdfugil commented Apr 6, 2022

well, it's small in size and fast to set up, so it is desirable in a CI environment as long as you don't need anything from the 'big' iOS (also I have been thinking about USB networking for some time, probably ssh port forwarding + iproxy + a VPN server in the Linux VM)
although in that case I would use -loadvm...

@asdfugil
Author

asdfugil commented Apr 6, 2022

qemu-system-aarch64: Missing patch: AKSUC_handle

@TrungNguyen1909 Actually it happens with 15.4 iPhone 11 kernels as well, so it is more of an iOS 15.4 problem than an AppleDisplay problem. In addition, it doesn't even boot now (both the display and the iPhone kernel).

This is the log of the iphone kernel:

Loading iOS 15.4...
kernel_low: 0xfffffff004000000
kernel_high: 0xfffffff00a00cb08
KPF: found apfs_vfsop_mount
KPF: found handle_eval_rootauth
KPF: Found AMFI hashtype check
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff007ca6228
kpf_amfi_callback: Found lookup_in_static_trust_cache
KPF: Found mac_mount
KPF: Found mac_mount
kpf_amfi_callback: Found AMFI (Leaf)
kpf_amfi_callback: start @ 0xfffffff009bf834c
kpf_amfi_callback: Found lookup_in_trust_cache_module
qemu-system-aarch64: Missing patch: AKSUC_handle
Qemu FB realize
g_virt_base: 0xfffffff004000000
g_phys_base: 0x0000000802000000
entry: 0x00000008062b04f0
boot_mode: 0
auto-boot=true
cmdline: [-restore kextlog=0xffff debug=0x14e -v launchd_missing_exec_no_panic=1 serial=3 wdt=-1 keepsyms=1 launchd_unsecure_cache=1]
iBoot version: qemu-t8030
Darwin Image4 Validator Version 4.2.0: Mon Feb 21 21:25:57 PST 2022; root:AppleImage4-158.100.11~2101/AppleImage4/RELEASE_ARM64E
AppleImage4: failed to read nvram property: oblit-inprogress: 2
AMFI is running in RESEARCH mode!
AMFI: UDID enforcement enabled
AUC:[0xffffffe3e7050170]::init(0xffffffe300609c20)

AUC:[0xffffffe3e7050170]::probe(0xffffffe3009680a0, 0xffffffeb06a4bdec)

AppleCredentialManager: init: called, instance = <ptr>.
ACMFirstResponderKernelService: init: called, .
ACMRM-S: init: called, starting PersistentStore service.
ACMRM-C: init: called, starting AccessoryCache service.
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache size = 16 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: acc-cache expiration = 2592000 (default).
ACMRM: init: called, starting TRM service.
ACMRM-A: init: called, starting TRM Analytics service.
ACMKernelService: initValueFromBootArgAliasesUInt32: analytics collection period = 86400 (default).
ACMKernelService: initValueFromBootArgAliasesUInt32: policy mode timeout = 259200 (default).
ACMRM-A: notifyStandardModeTimeoutChanged: called, value = 259200 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: (bounded) grace period timeout = 3600 (default).
ACMRM-A: notifyGracePeriodTimeoutChanged: called, value = 3600 (modified = YES).
ACMKernelService: initValueFromBootArgAliasesUInt32: enabled = 1 (default).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO* BtArg=NO LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO* LegHW=NO OSEnv=NO | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _loadDisabledByOSEnvironment: disabled by OSEnvironment: NO.
ACMRM: _disableBy: [TRM ENABLED=YES] (mask=0, DISABLED BY: Def=NO BtArg=NO LegHW=NO OSEnv=NO* | MngCo=NO DwnOS=NO ChkBd=NO coGSw=NO).
ACMRM: _mapAndPublishTRM: set TRM_PolicyTimeout = 259200.
ACMRM: _mapAndPublishTRM: sending kIOMessageServicePropertyChange(n=1) while DISABLED, TRM: 259200 -/ff 4294967295 -/ff miss=ff (CUR: 259200 -/ff 4294967295 -/ff).
AppleCredentialManager: init: returning, result = true, instance = <ptr>.
AppleIDV::init init
AppleARMBootPerf: Error: profile handoff region not found (2)
AppleARMBootPerf: Error: failed to publish profile data (2)
virtual bool CoreAnalyticsHub::start(IOService *)::114:CoreAnalyticsHub start
AppleSSE::start called
AppleSSE::start returning, result = 1
ApplePMGR: Starting AppleT8030PMGR
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AUC:[0xffffffe3e7050170]::start(0xffffffe3009680a0)

AppleGen0SPMIController[spmi2]:78: Start
AppleS8000AES::start: registers at phys:0x0x235008000/0x0x23d2d0000 virt:0x<ptr>/0x0x4000 / 0x<ptr>/0x0x4000
virtual bool AppleARMLightEmUp::start(IOService *): starting...
AppleS5L8960XUSBPhy::start: hsic disabled
Warning: arc4random not implemented
Warning: arc4random not implemented
Warning: arc4random not implemented
AppleSEPKeyStore:319:0: starting (BUILT: Feb 21 2022 21:37:54)
AppleSEPKeyStore:524:0: _sep_enabled = 1
AppleCredentialManager: start: called, instance = <ptr>.
ACMRM: _publishIOResource: AppleUSBRestrictedModeTimeout = 259200.
AppleGen0SPMIController[spmi1]:78: Start
AppleInterruptController::start: Num Shared Timestamps == 0
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleGen0SPMIController[spmi0]:78: Start
000002.879097 AppleNubSynopsysOTG3Device@: IOUSBDeviceController::prepareDefaults: model iPhone version 12.1
AppleCredentialManager: start: initializing power management.
AppleCredentialManager: start: will join SEPManager's PM tree in getSEPEndpoint().
AppleCredentialManager: start: registering notifications.
AppleCredentialManager: start: started, instance = <ptr>.
AppleCredentialManager: start: returning, result = true, instance = <ptr>.
AppleGPIOICController::start: this: <ptr>, _gpioicBaseAddress: <ptr>
AppleIDV::start started
AppleOLYHAL::probe: score = 1000
AppleOLYHAL::start: entry with provider 0x70b88d26c9
AMFIInitializeLocalSigningPublicKey: disabling local signing since we're in the restore environment
000003.052231 wlan0.A[1] start@1843:Default options property found with value 4
Identified Serial Port uart7 at 0x23521c000(<ptr>)
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(ANS2): start(<ptr>) - (Feb 21 2022@21:36:18)
Started AppleSerialShim for device: uart
AppleA7IOPNub: withRegistryEntry, 47: allocated nub <ptr>

RTBuddy(ANS2): Boot args override: wdt = -1
RTBuddy(SMC): start(<ptr>) - (Feb 21 2022@21:36:18)
RTBuddy(SMC): Boot args override: wdt = -1
RTBuddy(ANS2): Resuming...

RTBuddy(SMC): Resuming...

000003.112094 wlan0.A[2] start@2238: Raised adjustBusy(+1), getBusyState() -> 2
000003.112556 wlan0.A[3] setupNotifier@2303:Setting up notifier for CoreAnalyticsHub
Creating an object of AppleOLYHALPlatformFunctionEmbeddedAMFM class
virtual IOService *AppleANS2NVMeController::probe(IOService *, SInt32 *)::194:Found (ANS2) provider, returning score 100000
Starting AppleSMC kext(<ptr>) - (Feb 21 2022@21:35:07)
AppleSMCEmbedded::setPowerState(): ENTER powerStateOrdinal=1, _activeKeyCommand=17 newState=1
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
not enabling long period watchdog (cleared SoC watchdog if enabled prior), panic SoC watchdog disabled
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
panic(cpu 3 caller 0xfffffff008681118): "SMC Key Payload SRAM Address is out of range" @AppleSMCEmbedded.cpp:1923
Debugger message: panic
Memory ID: 0x0
OS release type: Not set yet
OS version: Not set yet
Kernel version: Darwin Kernel Version 21.4.0: Mon Feb 21 21:27:53 PST 2022; root:xnu-8020.102.3~1/RELEASE_ARM64_T8030
Kernel UUID: FBC82EBF-40C8-3215-AD56-F56B3E60BEC1
iBoot version: qemu-t8030
secure boot?: YES
Paniclog version: 13
Kernel text base:  0xfffffff007004000
mach_absolute_time: 0x4944bf5
Epoch Time:        sec       usec
  Boot    : 0x00000000 0x00000000
  Sleep   : 0x00000000 0x00000000
  Wake    : 0x00000000 0x00000000
  Calendar: 0x00000000 0x00000000

Zone info:
  Foreign : 0xfffffff13c3e8000 - 0xfffffff13c3f8000
  Native  : 0xffffffe0007a8000 - 0xffffffe6007a8000
  Readonly: 0xffffffe0e6e0c000 - 0xffffffe133ad8000
  Metadata: 0xffffffeb031b0000 - 0xffffffeb076a0000
  Bitmaps : 0xffffffeb049b0000 - 0xffffffeb05f7c000

CORE 0: PC=0xfffffff007bd0d4c, LR=0xfffffff007b73bb0, FP=0xffffffeb06aabc50
CORE 1: PC=0xfffffff00827d164, LR=0xfffffff00827d164, FP=0xffffffeb07073e20
CORE 2: PC=0xfffffff007ca2144, LR=0xfffffff007bb18a8, FP=0xffffffeb07033dd0
CORE 3 is the one that panicked. Check the full backtrace for details.
Compressor Info: 0% of compressed pages limit (OK) and 0% of segments limit (OK) with 0 swapfiles and OK swap space
Panicked task 0xffffffe3e6d30668: 0 pages, 72 threads: pid 0: kernel_task
Panicked thread: 0xffffffe133b07058, backtrace: 0xffffffeb070637b0, tid: 278
                  lr: 0xfffffff007b60770  fp: 0xffffffeb070637f0
                  lr: 0xfffffff007b60488  fp: 0xffffffeb07063860
                  lr: 0xfffffff007caec5c  fp: 0xffffffeb07063880
                  lr: 0xfffffff007c9ff4c  fp: 0xffffffeb070638f0
                  lr: 0xfffffff007c9ece4  fp: 0xffffffeb070639b0
                  lr: 0xfffffff0082ad610  fp: 0xffffffeb070639c0
                  lr: 0xfffffff007b60164  fp: 0xffffffeb07063d50
                  lr: 0xfffffff007b60164  fp: 0xffffffeb07063db0
                  lr: 0xfffffff009bdc1fc  fp: 0xffffffeb07063dd0
                  lr: 0xfffffff008681118  fp: 0xffffffeb07063df0
                  lr: 0xfffffff008666bc0  fp: 0xffffffeb07063e70
                  lr: 0xfffffff0084cce34  fp: 0xffffffeb07063ea0
                  lr: 0xfffffff0081c78b4  fp: 0xffffffeb07063ee0
                  lr: 0xfffffff0081c8178  fp: 0xffffffeb07063f20
                  lr: 0xfffffff0082b4920  fp: 0x0000000000000000


** Stackshot Succeeded ** Bytes Traced 8606 (Uncompressed 26896) **
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> AppleT8030PMGR
IOPlatformPanicAction -> AppleARMWatchdogTimer
IOPlatformPanicAction -> RTBuddyV2
IOPlatformPanicAction -> RTBuddyV2

Please go to https://panic.apple.com to report this panic

iOS 15.3.1 also crashes with this panic, iOS 14.3 is fine.
Using commit 259dacf with FastSim workaround

@TrungNguyen1909
Owner

@asdfugil I just pushed the fix for the "SRAM Address out of range" panic (9e0db8d). Also found that myself a few days ago.

@asdfugil
Author

asdfugil commented Apr 13, 2022

the temporary fix here, until iOS 15.4 is fixed, is to use the iOS 15.3.1 kernel + device tree + 15.4 ramdisk to do the restore.
Even if what's being restored is the display, the iPhone one can be used.

But of course iOS 15.3.1 restores still do not work fully due to #31. At least it can boot from NAND, though.

@asdfugil
Author

asdfugil commented Apr 24, 2022

the hardware differences between the two devices are negligible right now (aside from RAM(?), as it may only have 3 GiB like iPad 9, which also means that T8030 machines could actually support 3 GiB RAM), so this is mostly about controlling the last string in line 317 and line 319 of hw/arm/xnu.c

set_dtb_prop(tms->device_tree, "compatible", 28, (uint8_t *)"N104DEV\0iPhone12,1\0AppleARM\0$");

to
J327DEV\0AppleDisplay2,1\0AppleARM\0$
or
J327AP\0AppleDisplay2,1\0AppleARM\0$
as well as adding into
static const char *KEEP_COMP[] = {

of course this is just cosmetics

the restore error at the start of the issue is just a coincidence with iOS 15.4; that should really be filed separately...
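The set_dtb_prop() call quoted above passes the "compatible" value together with an explicit length (28), and that length covers exactly the three NUL-terminated strings, not the trailing "$". Swapping in the J327 strings therefore also means changing the length argument. The following added example (not code from the issue or from qemu-t8030) encodes a "compatible" property the way XNU device trees store multi-string values and reports the length that has to accompany each variant; the function names are the example's own.

```python
"""Added example (not qemu-t8030 project code): encode and decode the
NUL-separated "compatible" device-tree property and compute the length
argument set_dtb_prop() needs for a given set of identifiers."""


def compatible_prop(entries) -> bytes:
    """Encode identifiers as consecutive NUL-terminated strings, the layout
    used for multi-string device-tree properties. Rejects empty or
    NUL-containing entries, which would corrupt the string boundaries."""
    for e in entries:
        if not e or "\0" in e:
            raise ValueError("entries must be non-empty and free of NUL bytes")
    return b"".join(e.encode("ascii") + b"\0" for e in entries)


def parse_compatible(blob: bytes) -> list:
    """Inverse of compatible_prop(): split a property value back into strings.
    A value that does not end in NUL is truncated or mis-sized, so refuse it."""
    if not blob or not blob.endswith(b"\0"):
        raise ValueError("property value is not NUL-terminated")
    return [s.decode("ascii") for s in blob[:-1].split(b"\0")]


def set_dtb_prop_args(entries) -> tuple:
    """Return (length, value) as they would be passed to set_dtb_prop();
    the length is the figure that must replace the hard-coded 28."""
    blob = compatible_prop(entries)
    return len(blob), blob


if __name__ == "__main__":
    for ids in (["N104DEV", "iPhone12,1", "AppleARM"],
                ["J327DEV", "AppleDisplay2,1", "AppleARM"],
                ["J327AP", "AppleDisplay2,1", "AppleARM"]):
        length, value = set_dtb_prop_args(ids)
        print(length, value, parse_compatible(value))
```

The first variant reproduces the 28 in the quoted call; the two J327 variants come out at 33 and 32 bytes respectively, which is the figure to carry into the edited set_dtb_prop() line.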

@TrungNguyen1909
Owner

@asdfugil, frankly, I don't see any practical point in emulating an AppleDisplay, given that we haven't even emulated any kind of proper display yet...

TrungNguyen1909 added the wontfix (This will not be worked on) label on Apr 25, 2022
@iarchiveml

The only practical use for this might be to reverse engineer Apple’s color calibration and audio software or something like that. It’s much less useful than an iPhone due to it not being a fully featured device. Most people want this simply because they are Apple enthusiasts.

@asdfugil
Author

asdfugil commented Apr 25, 2022

...none of which is emulated yet, so really is not useful.

shannon2893 pushed a commit to shannon2893/qemu-t8030 that referenced this issue Jul 25, 2022
Include the qtest reproducer provided by Alexander Bulekov
in https://gitlab.com/qemu-project/qemu/-/issues/542.
Without the previous commit, we get:

  $ make check-qtest-i386
  ...
  Running test tests/qtest/intel-hda-test
  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==1580408==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc3d566fe0
      #0 0x63d297cf in address_space_translate_internal softmmu/physmem.c:356
      #1 0x63d27260 in flatview_do_translate softmmu/physmem.c:499:15
      #2 0x63d27af5 in flatview_translate softmmu/physmem.c:565:15
      #3 0x63d4ce84 in flatview_write softmmu/physmem.c:2850:10
      #4 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #5 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #6 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #7 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #8 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #9 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #10 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #11 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #12 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #13 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #14 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #15 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #16 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #17 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #18 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #19 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #20 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #21 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #22 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #23 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #24 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #25 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #26 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #27 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #28 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      #29 0x62ae5ec0 in stl_le_dma include/sysemu/dma.h:275:1
      #30 0x62ae5ba2 in stl_le_pci_dma include/hw/pci/pci.h:871:1
      #31 0x62ad59a6 in intel_hda_response hw/audio/intel-hda.c:372:12
      #32 0x62ad2afb in hda_codec_response hw/audio/intel-hda.c:107:5
      #33 0x62aec4e1 in hda_audio_command hw/audio/hda-codec.c:655:5
      #34 0x62ae05d9 in intel_hda_send_command hw/audio/intel-hda.c:307:5
      #35 0x62adff54 in intel_hda_corb_run hw/audio/intel-hda.c:342:9
      #36 0x62adc13b in intel_hda_set_corb_wp hw/audio/intel-hda.c:548:5
      #37 0x62ae5942 in intel_hda_reg_write hw/audio/intel-hda.c:977:9
      #38 0x62ada10a in intel_hda_mmio_write hw/audio/intel-hda.c:1054:5
      #39 0x63d8f383 in memory_region_write_accessor softmmu/memory.c:492:5
      #40 0x63d8ecc1 in access_with_adjusted_size softmmu/memory.c:554:18
      #41 0x63d8d5d6 in memory_region_dispatch_write softmmu/memory.c:1504:16
      #42 0x63d5e85e in flatview_write_continue softmmu/physmem.c:2812:23
      #43 0x63d4d05b in flatview_write softmmu/physmem.c:2854:12
      #44 0x63d4cb18 in address_space_write softmmu/physmem.c:2950:18
      #45 0x63d4d387 in address_space_rw softmmu/physmem.c:2960:16
      #46 0x62ae12f2 in dma_memory_rw_relaxed include/sysemu/dma.h:89:12
      #47 0x62ae104a in dma_memory_rw include/sysemu/dma.h:132:12
      #48 0x62ae6157 in dma_memory_write include/sysemu/dma.h:173:12
      ...
  SUMMARY: AddressSanitizer: stack-overflow softmmu/physmem.c:356 in address_space_translate_internal
  ==1580408==ABORTING
  Broken pipe
  Aborted (core dumped)

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20211218160912.1591633-4-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>