Commit bc9b1f10 authored Aug 24, 2018 by Greg Kurz Committed by David Gibson Aug 28, 2018

spapr_pci: fix potential NULL pointer dereference



Commit 2c88b098 added a call to SPAPR_MACHINE_GET_CLASS(spapr) in
spapr_phb_realize() before we check spapr isn't NULL. This causes QEMU
to crash when starting a non-pseries machine with a sPAPR PHB.

This could be fixed by setting the smc variable after the null check,
but it seems more explicit to use a ternary operator to skip the call
to SPAPR_MACHINE_GET_CLASS() if spapr is NULL, since spapr_phb_realize()
will return immediately in this case.

This was reported by Coverity (CID 1395170 and 1395183).

Fixes: 2c88b098
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

parent eceba347

hw/ppc/spapr_pci.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1559,7 +1559,7 @@ static void spapr_phb_realize(DeviceState dev, Error *errp)
		sPAPRMachineState *spapr =
		(sPAPRMachineState *) object_dynamic_cast(qdev_get_machine(),
		TYPE_SPAPR_MACHINE);
		sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
		sPAPRMachineClass *smc = spapr ? SPAPR_MACHINE_GET_CLASS(spapr) : NULL;
		SysBusDevice *s = SYS_BUS_DEVICE(dev);
		sPAPRPHBState *sphb = SPAPR_PCI_HOST_BRIDGE(s);
		PCIHostState *phb = PCI_HOST_BRIDGE(s);