From: David Gibson
To: Greg Kurz
Cc: qemu-devel@nongnu.org
Date: Wed, 1 Jul 2015 13:46:56 +1000
Subject: Re: [Qemu-devel] [PATCH] spapr_vty: lookup should only return valid VTY objects
Message-ID: <20150701034656.GM26353@voom.redhat.com>
In-Reply-To: <20150630120431.11866.32507.stgit@bahia.lab.toulouse-stg.fr.ibm.com>

On Tue, Jun 30, 2015 at 02:04:31PM +0200, Greg Kurz wrote:
> If a guest passes the reg property of a valid VIO object that is not a VTY
> to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
> assertion and aborts.
> 
> PAPR+ says "Hypervisor checks the termno parameter for validity against the
> Vterm IOA unit addresses assigned to the partition, else return H_Parameter."
> 
> This patch adds a type check to ensure vty_lookup() either returns a pointer
> to a valid VTY object or NULL. H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
> now return H_PARAMETER to the guest instead of crashing.
> 
> The patch has no effect on the reg == 0 hack used to implement the RTAS call
> display-character.
> 
> Signed-off-by: Greg Kurz

Ouch.  That's a nasty bug that's been in there for a long time.

I've applied this to spapr-next.  We should also push to the stable
branch.

> ---
>  hw/char/spapr_vty.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c
> index 4e464bd15a54..7eeacde31d27 100644
> --- a/hw/char/spapr_vty.c
> +++ b/hw/char/spapr_vty.c
> @@ -228,7 +228,7 @@ VIOsPAPRDevice *vty_lookup(sPAPREnvironment *spapr, target_ulong reg)
>          return spapr_vty_get_default(spapr->vio_bus);
>      }
>  
> -    return sdev;
> +    return object_dynamic_cast(sdev, TYPE_VIO_SPAPR_VTY_DEVICE);
>  }
>  
>  static void spapr_vty_register_types(void)
> 

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
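Review bot: the pointer types don't line up on the `+    return object_dynamic_cast(sdev, TYPE_VIO_SPAPR_VTY_DEVICE);` line: object_dynamic_cast() takes and returns Object *, while sdev is a VIOsPAPRDevice * and the hunk header shows vty_lookup() declared to return VIOsPAPRDevice *, so the call passes a VIOsPAPRDevice * without OBJECT() and returns an Object * from the function without a cast, which draws incompatible-pointer-type warnings. Suggest using the dynamic cast only as the check and keeping the existing return:
    if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE)) {
        return NULL;
    }
followed by the original `return sdev;`. The logic is otherwise right: object_dynamic_cast() yields NULL for a NULL sdev, so a reg that matches no device still returns NULL, and the reg == 0 path returns spapr_vty_get_default() before this line, so the early-debug hack is unaffected as the commit message says.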
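The failure mode the commit message describes, as an added C model that is not code from QEMU or from this thread: a hypothetical mini type registry (TypeInfo, vio_dynamic_cast) stands in for QOM, a constructed two-device bus stands in for the VIO bus, and h_put_term_char() stands in for the hypercall handler whose checked cast asserts. All names are made up for the example; only the shape of the check follows the patch. It runs a guest-supplied reg through the pre-patch lookup (existence check only) and the post-patch lookup (type check), showing that only the former lets the reg of a valid non-VTY device reach the assertion, while both keep the reg == 0 hack working.

```c
/* Added example (not QEMU code): model of the vty_lookup() bug and fix.
 * The type registry, bus and hypercall handler are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define H_SUCCESS    0
#define H_PARAMETER  (-4)      /* PAPR return code for an invalid termno */
#define RESULT_ABORTED (-1000) /* demo-only marker: the checked cast would have asserted */

/* Hypothetical mini type registry mimicking QOM's parent-chain lookup. */
typedef struct TypeInfo {
    const char *name;
    const struct TypeInfo *parent;
} TypeInfo;

static const TypeInfo TYPE_VIO  = { "spapr-vio-device", NULL };
static const TypeInfo TYPE_VTY  = { "spapr-vty",  &TYPE_VIO };
static const TypeInfo TYPE_VLAN = { "spapr-vlan", &TYPE_VIO }; /* valid VIO device, not a VTY */

typedef struct VIODevice {
    const TypeInfo *type;
    uint32_t reg;   /* unit address the guest names in the hypercall */
} VIODevice;

/* Like object_dynamic_cast(): obj if it is (a subtype of) typename, else NULL. NULL in, NULL out. */
static VIODevice *vio_dynamic_cast(VIODevice *obj, const char *typename)
{
    if (!obj) {
        return NULL;
    }
    for (const TypeInfo *t = obj->type; t; t = t->parent) {
        if (strcmp(t->name, typename) == 0) {
            return obj;
        }
    }
    return NULL;
}

/* Constructed VIO bus: one console and one network device. */
static VIODevice vio_bus[] = {
    { &TYPE_VTY,  0x30000000u },
    { &TYPE_VLAN, 0x71000000u },
};

static VIODevice *vio_find_by_reg(uint32_t reg)
{
    for (size_t i = 0; i < sizeof(vio_bus) / sizeof(vio_bus[0]); i++) {
        if (vio_bus[i].reg == reg) {
            return &vio_bus[i];
        }
    }
    return NULL;
}

/* The reg == 0 early-debug hack: nothing lives at reg 0, so hand back the default VTY. */
static VIODevice *vty_get_default(void)
{
    return &vio_bus[0];
}

/* Before the patch: existence check only; any VIO device at that reg is returned. */
static VIODevice *vty_lookup_before(uint32_t reg)
{
    VIODevice *sdev = vio_find_by_reg(reg);
    if (!sdev && reg == 0) {
        return vty_get_default();
    }
    return sdev;
}

/* After the patch: the lookup itself guarantees VTY-or-NULL. */
static VIODevice *vty_lookup_after(uint32_t reg)
{
    VIODevice *sdev = vio_find_by_reg(reg);
    if (!sdev && reg == 0) {
        return vty_get_default();
    }
    return vio_dynamic_cast(sdev, TYPE_VTY.name);
}

/* Model of H_PUT_TERM_CHAR: trusts the lookup, then hands the device to code whose
 * checked cast to the VTY type asserts (aborting the process) on anything else. */
static int h_put_term_char(VIODevice *(*lookup)(uint32_t), uint32_t reg)
{
    VIODevice *sdev = lookup(reg);
    if (!sdev) {
        return H_PARAMETER;
    }
    if (!vio_dynamic_cast(sdev, TYPE_VTY.name)) {
        return RESULT_ABORTED;   /* the checked cast would have asserted here */
    }
    /* ... write the character to the console ... */
    return H_SUCCESS;
}

/* Drive the hypercall with the pre-patch or post-patch lookup. */
int run_put_term_char(bool use_fixed_lookup, uint32_t reg)
{
    return h_put_term_char(use_fixed_lookup ? vty_lookup_after : vty_lookup_before, reg);
}

int main(void)
{
    printf("before fix, vlan reg: %d\n", run_put_term_char(false, 0x71000000u)); /* -1000 */
    printf("after fix,  vlan reg: %d\n", run_put_term_char(true,  0x71000000u)); /* -4 */
    return 0;
}
```

The point the test makes is that "the reg names a real device" is not the same predicate as "the reg names a device this hypercall may operate on"; the type check belongs in the lookup so every caller gets the H_PARAMETER path for free.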