From: David Gibson
Date: Wed, 1 Jul 2015 15:23:17 +1000
Message-ID: <20150701052317.GB5538@voom.redhat.com>
In-Reply-To: <1435722703-12515-1-git-send-email-david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [PATCH] spapr_vty: lookup should only return valid VTY objects
To: agraf@suse.de, peter.myadell@linaro.org, qemu-stable@nongnu.org
Cc: aik@ozlabs.ru, Greg Kurz, qemu-ppc@nongnu.org, qemu-devel@nongnu.org, mdroth@linux.vnet.ibm.com

Ugh, sorry, this version is buggy, I'll resend.

On Wed, Jul 01, 2015 at 01:51:43PM +1000, David Gibson wrote:
> From: Greg Kurz
>
> If a guest passes the reg property of a valid VIO object that is not a VTY
> to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
> assertion and aborts.
>
> PAPR+ says "Hypervisor checks the termno parameter for validity against the
> Vterm IOA unit addresses assigned to the partition, else return H_Parameter."
>
> This patch adds a type check to ensure vty_lookup() either returns a pointer
> to a valid VTY object or NULL. H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
> now return H_PARAMETER to the guest instead of crashing.
>
> The patch has no effect on the reg == 0 hack used to implement the RTAS call
> display-character.
>
> Signed-off-by: Greg Kurz
> Signed-off-by: David Gibson
> ---
>  hw/char/spapr_vty.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> I've already merged this into spapr-next and it will be in the next
> batch I send if not merged before that.
>
> But I think this is an important enough fix (it allows the guest to
> crash qemu) that it should probably be fast-tracked into mainline and
> stable.
>
> diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c > index 1d53035..f407cd0 100644 > --- a/hw/char/spapr_vty.c > +++ b/hw/char/spapr_vty.c
> @@ -228,7 +228,7 @@ VIOsPAPRDevice *vty_lookup(sPAPRMachineState *spapr, = target_ulong reg) > return spapr_vty_get_default(spapr->vio_bus); > } > =20 > - return sdev; > + return object_dynamic_cast(sdev, TYPE_VIO_SPAPR_VTY_DEVICE); > } > =20 > static void spapr_vty_register_types(void)

-- 
David Gibson                   | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
                               | _way_ _around_!
http://www.ozlabs.org/~dgibson
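
Review bot: The new return statement in vty_lookup() has mismatched pointer types on both sides. object_dynamic_cast() takes an Object * and returns an Object *, but here it is handed sdev, which the removed `return sdev;` shows is a VIOsPAPRDevice *, and its result is returned from a function declared as returning VIOsPAPRDevice *. Wrap the argument and cast the result, for example `return (VIOsPAPRDevice *)object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE);`. The callers are not in this hunk, so it is also worth confirming that every vty_lookup() user checks for NULL before use, since the commit message relies on that to turn the abort into H_PARAMETER.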