authorGreg Kurz <groug@kaod.org>2018-08-24 17:30:04 +0200
committerDavid Gibson <david@gibson.dropbear.id.au>2018-08-28 11:31:23 +1000
commitbc9b1f10f29dd7e717e6b5a050cbe5fbe8537200 (patch)
treee6b512d8c965cdf895641f94596de10d4a89fcbb
parenteceba3477e7fa9b2c0a711a60edbdb7bfa8e4dcd (diff)
spapr_pci: fix potential NULL pointer dereference
Commit 2c88b098e76fd added a call to SPAPR_MACHINE_GET_CLASS(spapr) in spapr_phb_realize() before we check spapr isn't NULL. This causes QEMU to crash when starting a non-pseries machine with a sPAPR PHB. This could be fixed by setting the smc variable after the null check, but it seems more explicit to use a ternary operator to skip the call to SPAPR_MACHINE_GET_CLASS() if spapr is NULL, since spapr_phb_realize() will return immediately in this case. This was reported by Coverity (CID 1395170 and 1395183). Fixes: 2c88b098e76fde0c7fcc0476dd3f80ce58409505 Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-rw-r--r--hw/ppc/spapr_pci.c2
1 files changed, 1 insertions, 1 deletions
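--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -1559,7 +1559,7 @@ static void spapr_phb_realize(DeviceState *dev, Error **errp)
 sPAPRMachineState *spapr =
 (sPAPRMachineState *) object_dynamic_cast(qdev_get_machine(),
 TYPE_SPAPR_MACHINE);
- sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
+ sPAPRMachineClass *smc = spapr ? SPAPR_MACHINE_GET_CLASS(spapr) : NULL;
 SysBusDevice *s = SYS_BUS_DEVICE(dev);
 sPAPRPHBState *sphb = SPAPR_PCI_HOST_BRIDGE(s);
 PCIHostState *phb = PCI_HOST_BRIDGE(s);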
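Review bot: With the new `smc` initializer, `smc` is NULL exactly when `spapr` is NULL, and nothing in the hunk records that the only thing making that safe is the early return for a NULL `spapr` that the commit description refers to, which lies outside the hunk; a later edit that reads `smc` before that return would reintroduce the dereference Coverity flagged (CID 1395170 / 1395183). A one-line comment beside the new declaration would pin the invariant, e.g. `/* smc is NULL iff spapr is NULL; the NULL-spapr early return below runs before smc is used */`. The remainder of spapr_phb_realize, including that check, continues past the end of the hunk.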