[PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409

[PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409

[Bin Meng]

From: Bin Meng <bin.meng@windriver.com>

This series includes several fixes to CVE-2020-17380, CVE-2020-25085
and CVE-2021-3409 that are heap-based buffer overflow issues existing
in the sdhci model.

These CVEs are pretty much similar, and were filed using different
reproducers. With this series, current known reproducers I have
cannot be reproduced any more.

The implementation of this model may still have some issues, i.e.:
some codes do not strictly match the spec, but since this series
only aimes to address CVEs, such issue should be fixed in a separate
series in the future, if I have time :)


Bin Meng (4):
  hw/sd: sdhci: Don't transfer any data when command time out
  hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
    progress
  hw/sd: sdhci: Correctly set the controller status for ADMA
  hw/sd: sdhci: Simplify updating s->prnsts in
    sdhci_sdma_transfer_multi_blocks()

 hw/sd/sdhci.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

-- 
2.7.4

[PATCH 1/4] hw/sd: sdhci: Don't transfer any data when command time out

[Bin Meng]

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.

With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
      -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive \
      -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---

 hw/sd/sdhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 8ffa539..1c5ab26 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
     SDRequest request;
     uint8_t response[16];
     int rlen;
+    bool timeout = false;
 
     s->errintsts = 0;
     s->acmd12errsts = 0;
@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
                                    s->rspreg[1], s->rspreg[0]);
         } else {
+            timeout = true;
             trace_sdhci_error("timeout waiting for command response");
             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
 
     sdhci_update_irq(s);
 
-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
         s->data_count = 0;
         sdhci_data_transfer(s);
     }
-- 
2.7.4

[PATCH 2/4] hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress

[Bin Meng]

Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:

This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).

With this fix, the following reproducer:

https://paste.debian.net/plain/1185137

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
       -nodefaults -device sdhci-pci,sd-spec-version=3 \
       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
       -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
---

 hw/sd/sdhci.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 1c5ab26..05cb281 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1122,15 +1122,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
 
     switch (offset & ~0x3) {
     case SDHC_SYSAD:
-        s->sdmasysad = (s->sdmasysad & mask) | value;
-        MASKED_WRITE(s->sdmasysad, mask, value);
-        /* Writing to last byte of sdmasysad might trigger transfer */
-        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
-                s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
-            if (s->trnmod & SDHC_TRNS_MULTI) {
-                sdhci_sdma_transfer_multi_blocks(s);
-            } else {
-                sdhci_sdma_transfer_single_block(s);
+        if (!TRANSFERRING_DATA(s->prnsts)) {
+            s->sdmasysad = (s->sdmasysad & mask) | value;
+            MASKED_WRITE(s->sdmasysad, mask, value);
+            /* Writing to last byte of sdmasysad might trigger transfer */
+            if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
+                SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+                if (s->trnmod & SDHC_TRNS_MULTI) {
+                    sdhci_sdma_transfer_multi_blocks(s);
+                } else {
+                    sdhci_sdma_transfer_single_block(s);
+                }
             }
         }
         break;
-- 
2.7.4

[PATCH 3/4] hw/sd: sdhci: Correctly set the controller status for ADMA

[Bin Meng]

When an ADMA transfer is started, the codes forget to set the
controller status to indicate a transfer is in progress.

With this fix, the following 2 reproducers:

https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
      -nodefaults -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-University Bochum)
Reported-by: Muhammad Ramdhan
Reported-by: Sergej Schumilo (Ruhr-University Bochum)
Reported-by: Simon Wrner (Ruhr-University Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
---

 hw/sd/sdhci.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 05cb281..0b0ca6f 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -769,7 +769,9 @@ static void sdhci_do_adma(SDHCIState *s)
 
         switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
         case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
+            s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
             if (s->trnmod & SDHC_TRNS_READ) {
+                s->prnsts |= SDHC_DOING_READ;
                 while (length) {
                     if (s->data_count == 0) {
                         sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
@@ -797,6 +799,7 @@ static void sdhci_do_adma(SDHCIState *s)
                     }
                 }
             } else {
+                s->prnsts |= SDHC_DOING_WRITE;
                 while (length) {
                     begin = s->data_count;
                     if ((length + begin) < block_size) {
-- 
2.7.4

[PATCH 4/4] hw/sd: sdhci: Simplify updating s->prnsts in sdhci_sdma_transfer_multi_blocks()

[Bin Meng]

s->prnsts is updated in both branches of the if () else () statement.
Move the common bits outside so that it is cleaner.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
---

 hw/sd/sdhci.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 0b0ca6f..7a2003b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -598,9 +598,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
         page_aligned = true;
     }
 
+    s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
     if (s->trnmod & SDHC_TRNS_READ) {
-        s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
-                SDHC_DAT_LINE_ACTIVE;
+        s->prnsts |= SDHC_DOING_READ;
         while (s->blkcnt) {
             if (s->data_count == 0) {
                 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
@@ -627,8 +627,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
             }
         }
     } else {
-        s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
-                SDHC_DAT_LINE_ACTIVE;
+        s->prnsts |= SDHC_DOING_WRITE;
         while (s->blkcnt) {
             begin = s->data_count;
             if (((boundary_count + begin) < block_size) && page_aligned) {
-- 
2.7.4

Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409

[Alexander Bulekov]

Hi Bin,
Thank you for this. I ran through the OSS-Fuzz tests again, and it found
one thing:

Maybe this is already much better than the current state of the code, so
this one can be fixed in a later patch?

cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
-m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
-device sd-card,drive=mydrive \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
EOF


==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x615000031880 thread T0
#0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
#1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
#2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
#3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
#4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
#5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
#6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
#7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
#8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
#9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
#10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
#11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
#12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
#13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
#14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
#15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18


-Alex

On 210215 2311, Bin Meng wrote:
> From: Bin Meng <bin.meng@windriver.com>
> 
> This series includes several fixes to CVE-2020-17380, CVE-2020-25085
> and CVE-2021-3409 that are heap-based buffer overflow issues existing
> in the sdhci model.
> 
> These CVEs are pretty much similar, and were filed using different
> reproducers. With this series, current known reproducers I have
> cannot be reproduced any more.
> 
> The implementation of this model may still have some issues, i.e.:
> some codes do not strictly match the spec, but since this series
> only aimes to address CVEs, such issue should be fixed in a separate
> series in the future, if I have time :)
> 
> 
> Bin Meng (4):
>   hw/sd: sdhci: Don't transfer any data when command time out
>   hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
>     progress
>   hw/sd: sdhci: Correctly set the controller status for ADMA
>   hw/sd: sdhci: Simplify updating s->prnsts in
>     sdhci_sdma_transfer_multi_blocks()
> 
>  hw/sd/sdhci.c | 34 ++++++++++++++++++++--------------
>  1 file changed, 20 insertions(+), 14 deletions(-)
> 
> -- 
> 2.7.4
> 

Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409

[Bin Meng]

Hi Alex,

On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov <alxndr@bu.edu> wrote:
>
> Hi Bin,
> Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> one thing:

Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

> Maybe this is already much better than the current state of the code, so
> this one can be fixed in a later patch?

Depend on when Philippe can pick up this sereis, but I can also try to
have a quick look :)

>
> cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> -device sd-card,drive=mydrive \
> -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> -nographic -qtest stdio
> outl 0xcf8 0x80001010
> outl 0xcfc 0xe0000000
> outl 0xcf8 0x80001001
> outl 0xcfc 0x06000000
> write 0xe000002c 0x1 0x05
> write 0xe0000005 0x1 0x02
> write 0xe0000007 0x1 0x01
> write 0xe0000028 0x1 0x10
> write 0x0 0x1 0x23
> write 0x2 0x1 0x08
> write 0xe000000c 0x1 0x01
> write 0xe000000e 0x1 0x20
> write 0xe000000f 0x1 0x00
> write 0xe000000c 0x1 0x32
> write 0xe0000004 0x2 0x0200
> write 0xe0000028 0x1 0x00
> write 0xe0000003 0x1 0x40
> EOF
>
>
> ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> READ of size 4 at 0x615000031880 thread T0
> #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
> #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
> #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
> #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
> #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
> #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18

Regards,
Bin

Re: [PATCH 0/4] hw/sd: sdhci: Fixes to CVE-2020-17380, CVE-2020-25085, CVE-2021-3409

[Alexander Bulekov]

On 210216 0855, Bin Meng wrote:
> Hi Alex,
> 
> On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov <alxndr@bu.edu> wrote:
> >
> > Hi Bin,
> > Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> > one thing:
> 
> Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

Yes we have some documentation in docs/devel/fuzzing.rst, but it
doesn't talk about using the OSS-Fuzz corpus.  The OSS-Fuzz corpus is
private, by default, but I uploaded a copy of the current sdhci corpus
here:
https://drive.google.com/file/d/1PcwFbY9YXPdaJ3aapIV2BI-bN5mbBgif/view?usp=sharing

To build the fuzzer, you need clang:

build the fuzzers
$ CC=clang CXX=clang++ ../configure --enable-fuzzing --enable-sanitizers \
--disable-werror
$ ninja -j`nproc` qemu-fuzz-i386

untar the corpus somewhere (~300 MB uncompressed)
$ tar -xvf sdhci-corpus.tar.gz

run through all the inputs once
$ ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-sdhci-v3 \
  ~/path/to/corpus/qemu_qemu-fuzz-i386-target-generic-fuzz-sdhci-v3/* &> out

That will take some minutes, but you can look at the out file and search
for "ERROR" to find crashing inputs. 

-Alex
> 
> > Maybe this is already much better than the current state of the code, so
> > this one can be fixed in a later patch?
> 
> Depend on when Philippe can pick up this sereis, but I can also try to
> have a quick look :)
> 
> >
> > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> > -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> > -device sd-card,drive=mydrive \
> > -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> > -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xe0000000
> > outl 0xcf8 0x80001001
> > outl 0xcfc 0x06000000
> > write 0xe000002c 0x1 0x05
> > write 0xe0000005 0x1 0x02
> > write 0xe0000007 0x1 0x01
> > write 0xe0000028 0x1 0x10
> > write 0x0 0x1 0x23
> > write 0x2 0x1 0x08
> > write 0xe000000c 0x1 0x01
> > write 0xe000000e 0x1 0x20
> > write 0xe000000f 0x1 0x00
> > write 0xe000000c 0x1 0x32
> > write 0xe0000004 0x2 0x0200
> > write 0xe0000028 0x1 0x00
> > write 0xe0000003 0x1 0x40
> > EOF
> >
> >
> > ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> > READ of size 4 at 0x615000031880 thread T0
> > #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> > #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> > #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
> > #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> > #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> > #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> > #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> > #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> > #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
> > #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> > #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
> > #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
> > #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> > #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
> > #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> > #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> 
> Regards,
> Bin