From patchwork Tue Jul 7 15:49:38 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Graf X-Patchwork-Id: 492378 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 7BC1E1402C7 for ; Wed, 8 Jul 2015 02:08:32 +1000 (AEST) Received: from localhost ([::1]:59200 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZCVQ6-0003NO-G3 for incoming@patchwork.ozlabs.org; Tue, 07 Jul 2015 12:08:30 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:52360) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZCV85-0004tc-Ju for qemu-devel@nongnu.org; Tue, 07 Jul 2015 11:49:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZCV7z-0003nT-04 for qemu-devel@nongnu.org; Tue, 07 Jul 2015 11:49:53 -0400 Received: from cantor2.suse.de ([195.135.220.15]:44440 helo=mx2.suse.de) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZCV7y-0003ij-Mx; Tue, 07 Jul 2015 11:49:46 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 56225ADED; Tue, 7 Jul 2015 15:49:45 +0000 (UTC) From: Alexander Graf To: qemu-ppc@nongnu.org Date: Tue, 7 Jul 2015 17:49:38 +0200 Message-Id: <1436284182-5063-27-git-send-email-agraf@suse.de> X-Mailer: git-send-email 1.7.12.4 In-Reply-To: <1436284182-5063-1-git-send-email-agraf@suse.de> References: <1436284182-5063-1-git-send-email-agraf@suse.de> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x (no timestamps) [generic] X-Received-From: 195.135.220.15 Cc: peter.maydell@linaro.org, Greg Kurz , qemu-devel@nongnu.org, David Gibson Subject: [Qemu-devel] [PULL 26/30] spapr_vty: lookup should only return valid VTY objects X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org From: David Gibson If a guest passes the reg property of a valid VIO object that is not a VTY to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast assertion and aborts. PAPR+ says "Hypervisor checks the termno parameter for validity against the Vterm IOA unit addresses assigned to the partition, else return H_Parameter." This patch adds a type check to ensure vty_lookup() either returns a pointer to a valid VTY object or NULL. H_GET_TERM_CHAR and H_PUT_TERM_CHAR will now return H_PARAMETER to the guest instead of crashing. The patch has no effect on the reg == 0 hack used to implement the RTAS call display-character. Signed-off-by: Greg Kurz Signed-off-by: David Gibson Signed-off-by: Alexander Graf --- hw/char/spapr_vty.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/char/spapr_vty.c b/hw/char/spapr_vty.c index 1d53035..2d532af 100644 --- a/hw/char/spapr_vty.c +++ b/hw/char/spapr_vty.c @@ -228,6 +228,10 @@ VIOsPAPRDevice *vty_lookup(sPAPRMachineState *spapr, target_ulong reg) return spapr_vty_get_default(spapr->vio_bus); } + if (!object_dynamic_cast(OBJECT(sdev), TYPE_VIO_SPAPR_VTY_DEVICE)) { + return NULL; + } + return sdev; }