From: David Gibson <david@gibson.dropbear.id.au>
To: agraf@suse.de, peter.myadell@linaro.org, qemu-stable@nongnu.org
Cc: aik@ozlabs.ru, Greg Kurz <gkurz@linux.vnet.ibm.com>,
	qemu-ppc@nongnu.org, qemu-devel@nongnu.org,
	mdroth@linux.vnet.ibm.com
Subject: Re: [Qemu-devel] [PATCH] spapr_vty: lookup should only return valid VTY objects
Date: Wed, 1 Jul 2015 15:23:17 +1000	[thread overview]
Message-ID: <20150701052317.GB5538@voom.redhat.com> (raw)
In-Reply-To: <1435722703-12515-1-git-send-email-david@gibson.dropbear.id.au>


Ugh, sorry, this version is buggy, I'll resend.

On Wed, Jul 01, 2015 at 01:51:43PM +1000, David Gibson wrote:
> From: Greg Kurz <gkurz@linux.vnet.ibm.com>
> 
> If a guest passes the reg property of a valid VIO object that is not a VTY
> to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
> assertion and aborts.
> 
> PAPR+ says "Hypervisor checks the termno parameter for validity against the
> Vterm IOA unit addresses assigned to the partition, else return H_Parameter."
> 
> This patch adds a type check to ensure vty_lookup() either returns a pointer
> to a valid VTY object or NULL.  H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
> now return H_PARAMETER to the guest instead of crashing.
> 
> The patch has no effect on the reg == 0 hack used to implement the RTAS call
> display-character.
> 
> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>  hw/char/spapr_vty.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> I've already merged this into spapr-next and it will be in the next
> batch I send if not merged before that.
> 
> But I think this is an important enough fix (it allows the guest to
> crash qemu) that it should probably be fast-tracked into mainline and
> stable.
> 
> diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c
> index 1d53035..f407cd0 100644
> --- a/hw/char/spapr_vty.c
> +++ b/hw/char/spapr_vty.c
> @@ -228,7 +228,7 @@ VIOsPAPRDevice *vty_lookup(sPAPRMachineState *spapr, target_ulong reg)
>          return spapr_vty_get_default(spapr->vio_bus);
>      }
>  
> -    return sdev;
> +    return object_dynamic_cast(sdev, TYPE_VIO_SPAPR_VTY_DEVICE);
>  }
>  
>  static void spapr_vty_register_types(void)
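Review bot: the replacement line `+    return object_dynamic_cast(sdev, TYPE_VIO_SPAPR_VTY_DEVICE);` mixes pointer types: `object_dynamic_cast()` takes and returns `Object *`, but `sdev` and the function's declared return type (visible in the hunk header, `VIOsPAPRDevice *vty_lookup(...)`) are `VIOsPAPRDevice *`, so this draws incompatible-pointer-type diagnostics from the compiler. Suggest using the cast as a check and keeping the typed pointer for the return, e.g. `if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE)) { return NULL; }` followed by `return sdev;`. The `reg == 0` early return above the changed line is untouched, so the RTAS display-character default path keeps its old behaviour as the commit message states.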

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
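The pattern the commit message describes (a guest-supplied unit address is resolved to an object, the object is type-checked, and a mismatch becomes H_PARAMETER instead of a dynamic-cast abort) as an added, self-contained C example; this is not QEMU's code. The object model, bus contents, register values and device types are constructed stand-ins for QOM and the sPAPR VIO bus; `H_SUCCESS`/`H_PARAMETER` use the PAPR values 0 and -4.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypercall return codes as PAPR defines them. */
#define H_SUCCESS    0
#define H_PARAMETER -4

/* Stand-ins for QOM type names (constructed for this example). */
#define TYPE_VIO_SPAPR_DEVICE     "spapr-vio-device"
#define TYPE_VIO_SPAPR_VTY_DEVICE "spapr-vty"

/* Minimal object model: every object carries its concrete type name. */
typedef struct Object { const char *type; } Object;

typedef struct VIOsPAPRDevice {
    Object parent;      /* QOM-style: base object is the first member */
    uint32_t reg;       /* unit address the guest passes as "reg"/termno */
} VIOsPAPRDevice;

typedef struct VIOsPAPRVTYDevice {
    VIOsPAPRDevice vdev;
    char last_char;     /* stand-in for the VTY's receive buffer */
} VIOsPAPRVTYDevice;

#define OBJECT(p) ((Object *)(p))

/* Like QOM's object_dynamic_cast(): obj if it is of the requested type,
 * NULL otherwise.  A NULL input yields NULL, so callers need no pre-check. */
static Object *object_dynamic_cast(Object *obj, const char *type)
{
    if (obj && strcmp(obj->type, type) == 0) {
        return obj;
    }
    return NULL;
}

/* Constructed bus: one VTY and one non-VTY VIO device at distinct regs. */
static VIOsPAPRVTYDevice vty = { { { TYPE_VIO_SPAPR_VTY_DEVICE }, 0x30000000u }, 'A' };
static VIOsPAPRDevice other = { { TYPE_VIO_SPAPR_DEVICE }, 0x2000u };
static VIOsPAPRDevice *bus[] = { &vty.vdev, &other };

static VIOsPAPRDevice *spapr_vio_find_by_reg(uint32_t reg)
{
    for (size_t i = 0; i < sizeof bus / sizeof bus[0]; i++) {
        if (bus[i]->reg == reg) {
            return bus[i];
        }
    }
    return NULL;
}

/* First VTY on the bus; used by the reg == 0 early-debug hack. */
static VIOsPAPRDevice *spapr_vty_get_default(void)
{
    for (size_t i = 0; i < sizeof bus / sizeof bus[0]; i++) {
        if (object_dynamic_cast(OBJECT(bus[i]), TYPE_VIO_SPAPR_VTY_DEVICE)) {
            return bus[i];
        }
    }
    return NULL;
}

/* Unchecked lookup: returns whatever VIO device matches reg.  A caller that
 * then treats the result as a VTY has no way to tell a vscsi from a vty. */
VIOsPAPRDevice *vty_lookup_unchecked(uint32_t reg)
{
    VIOsPAPRDevice *sdev = spapr_vio_find_by_reg(reg);
    if (!sdev && reg == 0) {
        return spapr_vty_get_default();
    }
    return sdev;
}

/* Checked lookup: only a real VTY comes back, anything else is NULL. */
VIOsPAPRDevice *vty_lookup(uint32_t reg)
{
    VIOsPAPRDevice *sdev = spapr_vio_find_by_reg(reg);
    if (!sdev && reg == 0) {
        return spapr_vty_get_default();   /* reg == 0 hack is unaffected */
    }
    if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE)) {
        return NULL;
    }
    return sdev;
}

/* H_GET_TERM_CHAR-style handler: a NULL lookup maps to H_PARAMETER, which is
 * what PAPR+ specifies for a termno that is not one of the partition's VTYs. */
long h_get_term_char(uint32_t reg, char *out)
{
    VIOsPAPRVTYDevice *dev = (VIOsPAPRVTYDevice *)vty_lookup(reg);
    if (!dev) {
        return H_PARAMETER;
    }
    *out = dev->last_char;
    return H_SUCCESS;
}
```

The defensive point is where the type check lives: doing it inside the lookup means every hypercall that resolves a guest-controlled handle gets the same NULL-on-mismatch contract, so no handler has to remember to check before downcasting.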

