* [PATCH] As reported in qemu-project/qemu#3324
@ 2026-03-26 15:27 Zexiang Zhang
2026-03-29 7:31 ` Aditya Gupta
0 siblings, 1 reply; 5+ messages in thread
From: Zexiang Zhang @ 2026-03-26 15:27 UTC (permalink / raw)
To: qemu-devel
Cc: adityag, Nicholas Piggin, Harsh Prateek Bora,
open list:sPAPR (pseries), kiki, Zexiang Zhang
From: kiki <Chan9Yan9@gmail.com>
A malformed IVE value can result in an invalid server field being
passed to icp_irq(). The function assumes the server id is valid and
may access invalid state otherwise, potentially leading to a crash.
Fix this by validating the server id before using it and ignoring
invalid values.
Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
---
hw/intc/xics.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index 1d40c4386d..25c7b0c8a5 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -222,6 +222,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
trace_xics_icp_irq(server, nr, priority);
+ if (!icp) {
+ qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
+ server, nr);
+ ics_reject(ics, nr);
+ return;
+ }
+
if ((priority >= CPPR(icp))
|| (XISR(icp) && (icp->pending_priority <= priority))) {
ics_reject(ics, nr);
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] As reported in qemu-project/qemu#3324
2026-03-26 15:27 [PATCH] As reported in qemu-project/qemu#3324 Zexiang Zhang
@ 2026-03-29 7:31 ` Aditya Gupta
2026-03-29 20:34 ` Alex Bennée
0 siblings, 1 reply; 5+ messages in thread
From: Aditya Gupta @ 2026-03-29 7:31 UTC (permalink / raw)
To: Zexiang Zhang
Cc: qemu-devel, Nicholas Piggin, Harsh Prateek Bora,
open list:sPAPR (pseries)
Hello Zexiang,
On 26/03/26 11:27PM, Zexiang Zhang wrote:
> From: kiki <Chan9Yan9@gmail.com>
>
> A malformed IVE value can result in an invalid server field being
> passed to icp_irq(). The function assumes the server id is valid and
> may access invalid state otherwise, potentially leading to a crash.
>
> Fix this by validating the server id before using it and ignoring
> invalid values.
>
> Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
> Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
About subject, can you change the subject to decribe the fix, something
like 'ppc/pnv: Fix Null Pointer Deref in PHB3', what do you say ?
There's a build error:
../hw/intc/xics.c: In function ‘icp_irq’:
../hw/intc/xics.c:226:9: error: implicit declaration of function ‘qemu_log_mask’; did you mean ‘qemu_log’? [-Wimplicit-function-declaration]
226 | qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
| ^~~~~~~~~~~~~
| qemu_log
../hw/intc/xics.c:226:9: error: nested extern declaration of ‘qemu_log_mask’ [-Werror=nested-externs]
../hw/intc/xics.c:226:23: error: ‘LOG_GUEST_ERROR’ undeclared (first use in this function); did you mean ‘MOD_ESTERROR’?
226 | qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
| ^~~~~~~~~~~~~~~
| MOD_ESTERROR
../hw/intc/xics.c:226:23: note: each undeclared identifier is reported only once for each function it appears in
cc1: all warnings being treated as errors
Add '#include "qemu/log.h", maybe after osdep.h include, to fix above
error.
Also, I will recommend running 'make check-functional-ppc64 -j4' to test
the patch before post.
> ---
> hw/intc/xics.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/intc/xics.c b/hw/intc/xics.c
> index 1d40c4386d..25c7b0c8a5 100644
> --- a/hw/intc/xics.c
> +++ b/hw/intc/xics.c
> @@ -222,6 +222,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
>
> trace_xics_icp_irq(server, nr, priority);
>
> + if (!icp) {
> + qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
> + server, nr);
> + ics_reject(ics, nr);
> + return;
> + }
> +
> if ((priority >= CPPR(icp))
> || (XISR(icp) && (icp->pending_priority <= priority))) {
> ics_reject(ics, nr);
The change looks good to me. Can you post a v2 with the subject and
build fixed ?
Thanks,
- Aditya G
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] As reported in qemu-project/qemu#3324
2026-03-29 7:31 ` Aditya Gupta
@ 2026-03-29 20:34 ` Alex Bennée
2026-04-22 11:01 ` Aditya Gupta
0 siblings, 1 reply; 5+ messages in thread
From: Alex Bennée @ 2026-03-29 20:34 UTC (permalink / raw)
To: Aditya Gupta
Cc: Zexiang Zhang, qemu-devel, Nicholas Piggin, Harsh Prateek Bora,
open list:sPAPR (pseries)
Aditya Gupta <adityag@linux.ibm.com> writes:
> Hello Zexiang,
>
> On 26/03/26 11:27PM, Zexiang Zhang wrote:
>> From: kiki <Chan9Yan9@gmail.com>
>>
>> A malformed IVE value can result in an invalid server field being
>> passed to icp_irq(). The function assumes the server id is valid and
>> may access invalid state otherwise, potentially leading to a crash.
>>
>> Fix this by validating the server id before using it and ignoring
>> invalid values.
>>
>> Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
>> Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
>
> About subject, can you change the subject to decribe the fix, something
> like 'ppc/pnv: Fix Null Pointer Deref in PHB3', what do you say ?
>
> There's a build error:
>
> ../hw/intc/xics.c: In function ‘icp_irq’:
> ../hw/intc/xics.c:226:9: error: implicit declaration of function ‘qemu_log_mask’; did you mean ‘qemu_log’? [-Wimplicit-function-declaration]
> 226 | qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
> | ^~~~~~~~~~~~~
> | qemu_log
> ../hw/intc/xics.c:226:9: error: nested extern declaration of ‘qemu_log_mask’ [-Werror=nested-externs]
> ../hw/intc/xics.c:226:23: error: ‘LOG_GUEST_ERROR’ undeclared (first use in this function); did you mean ‘MOD_ESTERROR’?
> 226 | qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
> | ^~~~~~~~~~~~~~~
> | MOD_ESTERROR
> ../hw/intc/xics.c:226:23: note: each undeclared identifier is reported only once for each function it appears in
> cc1: all warnings being treated as errors
>
> Add '#include "qemu/log.h", maybe after osdep.h include, to fix above
> error.
>
> Also, I will recommend running 'make check-functional-ppc64 -j4' to test
> the patch before post.
>
>> ---
>> hw/intc/xics.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/hw/intc/xics.c b/hw/intc/xics.c
>> index 1d40c4386d..25c7b0c8a5 100644
>> --- a/hw/intc/xics.c
>> +++ b/hw/intc/xics.c
>> @@ -222,6 +222,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
>>
>> trace_xics_icp_irq(server, nr, priority);
>>
>> + if (!icp) {
>> + qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
>> + server, nr);
>> + ics_reject(ics, nr);
>> + return;
>> + }
>> +
>> if ((priority >= CPPR(icp))
>> || (XISR(icp) && (icp->pending_priority <= priority))) {
>> ics_reject(ics, nr);
>
> The change looks good to me. Can you post a v2 with the subject and
> build fixed ?
The bug fix link can go in:
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3324
just above your sign off.
>
> Thanks,
> - Aditya G
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] As reported in qemu-project/qemu#3324
2026-03-29 20:34 ` Alex Bennée
@ 2026-04-22 11:01 ` Aditya Gupta
0 siblings, 0 replies; 5+ messages in thread
From: Aditya Gupta @ 2026-04-22 11:01 UTC (permalink / raw)
To: Alex Bennée
Cc: Zexiang Zhang, qemu-devel, Nicholas Piggin, Harsh Prateek Bora,
open list:sPAPR (pseries), Gautam Menghani
On 30/03/26 02:04, Alex Bennée wrote:
> Aditya Gupta <adityag@linux.ibm.com> writes:
> ...
> if ((priority >= CPPR(icp))
> || (XISR(icp) && (icp->pending_priority <= priority))) {
> ics_reject(ics, nr);
>> The change looks good to me. Can you post a v2 with the subject and
>> build fixed ?
> The bug fix link can go in:
>
> Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3324
>
> just above your sign off.
Hey Zexiang,
Ping, planning to send a v2 for this ?
cc +gautam
Thanks,
- Aditya G
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] As reported in qemu-project/qemu#3324
@ 2026-03-26 15:25 Zexiang Zhang
0 siblings, 0 replies; 5+ messages in thread
From: Zexiang Zhang @ 2026-03-26 15:25 UTC (permalink / raw)
To: qemu-devel
Cc: Nicholas Piggin, Harsh Prateek Bora, open list:sPAPR (pseries),
kiki, Zexiang Zhang
From: kiki <Chan9Yan9@gmail.com>
A malformed IVE value can result in an invalid server field being
passed to icp_irq(). The function assumes the server id is valid and
may access invalid state otherwise, potentially leading to a crash.
Fix this by validating the server id before using it and ignoring
invalid values.
Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Zexiang Zhang <chan9yan9@gmail.com>
---
hw/intc/xics.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/intc/xics.c b/hw/intc/xics.c
index 1d40c4386d..25c7b0c8a5 100644
--- a/hw/intc/xics.c
+++ b/hw/intc/xics.c
@@ -222,6 +222,13 @@ void icp_irq(ICSState *ics, int server, int nr, uint8_t priority)
trace_xics_icp_irq(server, nr, priority);
+ if (!icp) {
+ qemu_log_mask(LOG_GUEST_ERROR, "XICS: invalid server %d for IRQ 0x%x\n",
+ server, nr);
+ ics_reject(ics, nr);
+ return;
+ }
+
if ((priority >= CPPR(icp))
|| (XISR(icp) && (icp->pending_priority <= priority))) {
ics_reject(ics, nr);
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-04-22 11:02 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-26 15:27 [PATCH] As reported in qemu-project/qemu#3324 Zexiang Zhang
2026-03-29 7:31 ` Aditya Gupta
2026-03-29 20:34 ` Alex Bennée
2026-04-22 11:01 ` Aditya Gupta
-- strict thread matches above, loose matches on Subject: below --
2026-03-26 15:25 Zexiang Zhang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.