mbox series

[0/5] hw: Replace some impossible checks by assertions

Message ID 20200901104043.91383-1-f4bug@amsat.org
Headers show
Series hw: Replace some impossible checks by assertions | expand

Message

Philippe Mathieu-Daudé Sept. 1, 2020, 10:40 a.m. UTC
Trivial patches removing unreachable code.

Philippe Mathieu-Daudé (5):
  hw/gpio/max7310: Remove impossible check
  hw/mips/fuloong2e: Convert pointless error message to an assert()
  hw/ppc/ppc4xx_pci: Use ARRAY_SIZE() instead of magic value
  hw/ppc/ppc4xx_pci: Replace pointless warning by assert()
  hw/isa/isa-bus: Replace hw_error() by assert()

 hw/gpio/max7310.c   | 4 ----
 hw/isa/isa-bus.c    | 9 ++-------
 hw/mips/fuloong2e.c | 5 +----
 hw/ppc/ppc4xx_pci.c | 8 +++-----
 4 files changed, 6 insertions(+), 20 deletions(-)

Comments

Richard Henderson Sept. 1, 2020, 5:50 p.m. UTC | #1
On 9/1/20 3:40 AM, Philippe Mathieu-Daudé wrote:
> As we can never have more than ISA_NUM_IRQS (16) ISA IRQs,
> replace the not very interesting hw_error() call by an
> assert() which is more useful to debug condition that can
> not happen.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/isa/isa-bus.c | 9 ++-------
>  1 file changed, 2 insertions(+), 7 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~
David Gibson Sept. 2, 2020, 1:17 a.m. UTC | #2
On Tue, Sep 01, 2020 at 12:40:42PM +0200, Philippe Mathieu-Daudé wrote:
> We call pci_register_root_bus() to register 4 IRQs with the
> ppc4xx_pci_set_irq() handler. As it can only be called with
> values in the [0-4[ range, replace the pointless warning by
> an assert().
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Acked-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  hw/ppc/ppc4xx_pci.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/hw/ppc/ppc4xx_pci.c b/hw/ppc/ppc4xx_pci.c
> index cd3f192a138..503ef46b39a 100644
> --- a/hw/ppc/ppc4xx_pci.c
> +++ b/hw/ppc/ppc4xx_pci.c
> @@ -256,10 +256,7 @@ static void ppc4xx_pci_set_irq(void *opaque, int irq_num, int level)
>      qemu_irq *pci_irqs = opaque;
>  
>      trace_ppc4xx_pci_set_irq(irq_num);
> -    if (irq_num < 0) {
> -        fprintf(stderr, "%s: PCI irq %d\n", __func__, irq_num);
> -        return;
> -    }
> +    assert(irq_num >= 0);
>      qemu_set_irq(pci_irqs[irq_num], level);
>  }
>
Laurent Vivier Sept. 9, 2020, 1:25 p.m. UTC | #3
Le 01/09/2020 à 12:40, Philippe Mathieu-Daudé a écrit :
> As we can never have more than ISA_NUM_IRQS (16) ISA IRQs,
> replace the not very interesting hw_error() call by an
> assert() which is more useful to debug condition that can
> not happen.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  hw/isa/isa-bus.c | 9 ++-------
>  1 file changed, 2 insertions(+), 7 deletions(-)
> 
> diff --git a/hw/isa/isa-bus.c b/hw/isa/isa-bus.c
> index 58fde178f92..10bb7ffa43a 100644
> --- a/hw/isa/isa-bus.c
> +++ b/hw/isa/isa-bus.c
> @@ -21,7 +21,6 @@
>  #include "qemu/error-report.h"
>  #include "qemu/module.h"
>  #include "qapi/error.h"
> -#include "hw/hw.h"
>  #include "monitor/monitor.h"
>  #include "hw/sysbus.h"
>  #include "sysemu/sysemu.h"
> @@ -85,18 +84,14 @@ void isa_bus_irqs(ISABus *bus, qemu_irq *irqs)
>  qemu_irq isa_get_irq(ISADevice *dev, unsigned isairq)
>  {
>      assert(!dev || ISA_BUS(qdev_get_parent_bus(DEVICE(dev))) == isabus);
> -    if (isairq >= ISA_NUM_IRQS) {
> -        hw_error("isa irq %d invalid", isairq);
> -    }
> +    assert(isairq < ISA_NUM_IRQS);
>      return isabus->irqs[isairq];
>  }
>  
>  void isa_init_irq(ISADevice *dev, qemu_irq *p, unsigned isairq)
>  {
>      assert(dev->nirqs < ARRAY_SIZE(dev->isairq));
> -    if (isairq >= ISA_NUM_IRQS) {
> -        hw_error("isa irq %d invalid", isairq);
> -    }
> +    assert(isairq < ISA_NUM_IRQS);
>      dev->isairq[dev->nirqs] = isairq;
>      *p = isa_get_irq(dev, isairq);
>      dev->nirqs++;
> 

Applied to my trivial-patches branch.

Thanks,
Laurent
Nathan Chancellor Jan. 11, 2021, 1:11 a.m. UTC | #4
On Tue, Sep 01, 2020 at 12:40:42PM +0200, Philippe Mathieu-Daudé wrote:
> We call pci_register_root_bus() to register 4 IRQs with the

> ppc4xx_pci_set_irq() handler. As it can only be called with

> values in the [0-4[ range, replace the pointless warning by

> an assert().

> 

> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---

>  hw/ppc/ppc4xx_pci.c | 5 +----

>  1 file changed, 1 insertion(+), 4 deletions(-)

> 

> diff --git a/hw/ppc/ppc4xx_pci.c b/hw/ppc/ppc4xx_pci.c

> index cd3f192a138..503ef46b39a 100644

> --- a/hw/ppc/ppc4xx_pci.c

> +++ b/hw/ppc/ppc4xx_pci.c

> @@ -256,10 +256,7 @@ static void ppc4xx_pci_set_irq(void *opaque, int irq_num, int level)

>      qemu_irq *pci_irqs = opaque;

>  

>      trace_ppc4xx_pci_set_irq(irq_num);

> -    if (irq_num < 0) {

> -        fprintf(stderr, "%s: PCI irq %d\n", __func__, irq_num);

> -        return;

> -    }

> +    assert(irq_num >= 0);

>      qemu_set_irq(pci_irqs[irq_num], level);

>  }

>  

> -- 

> 2.26.2

> 

> 


Hopefully reporting this here is okay, I find Launchpad hard to use but
I can file it there if need be.

The assertion added by this patch triggers while trying to boot a
ppc44x_defconfig Linux kernel:

$ qemu-system-ppc \
    -machine bamboo \
    -no-reboot \
    -append console=ttyS0 \
    -display none \
    -kernel uImage \
    -m 128m \
    -nodefaults \
    -serial mon:stdio
Linux version 5.11.0-rc3 (nathan@ubuntu-m3-large-x86) (powerpc-linux-gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 Sun Jan 10 15:52:24 MST 2021
Using PowerPC 44x Platform machine description
ioremap() called early from find_legacy_serial_ports+0x64c/0x794. Use early_ioremap() instead
printk: bootconsole [udbg0] enabled
-----------------------------------------------------
phys_mem_size     = 0x8000000
dcache_bsize      = 0x20
icache_bsize      = 0x20
cpu_features      = 0x0000000000000100
  possible        = 0x0000000040000100
  always          = 0x0000000000000100
cpu_user_features = 0x8c008000 0x00000000
mmu_features      = 0x00000008
-----------------------------------------------------
Zone ranges:
  Normal   [mem 0x0000000000000000-0x0000000007ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000000000-0x0000000007ffffff]
Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
MMU: Allocated 1088 bytes of context maps for 255 contexts
Built 1 zonelists, mobility grouping on.  Total pages: 32448
Kernel command line: console=ttyS0
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
mem auto-init: stack:off, heap alloc:off, heap free:off
Memory: 122712K/131072K available (5040K kernel code, 236K rwdata, 1260K rodata, 200K init, 134K bss, 8360K reserved, 0K cma-reserved)
Kernel virtual memory layout:
  * 0xffbdf000..0xfffff000  : fixmap
  * 0xffbdd000..0xffbdf000  : early ioremap
  * 0xd1000000..0xffbdd000  : vmalloc & ioremap
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS: 512, nr_irqs: 512, preallocated irqs: 16
UIC0 (32 IRQ sources) at DCR 0xc0
random: get_random_u32 called from start_kernel+0x370/0x508 with crng_init=0
clocksource: timebase: mask: 0xffffffffffffffff max_cycles: 0x5c4093a7d1, max_idle_ns: 440795210635 ns
clocksource: timebase mult[2800000] shift[24] registered
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
futex hash table entries: 256 (order: -1, 3072 bytes, linear)
NET: Registered protocol family 16
DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations

PCI host bridge /plb/pci@ec000000 (primary) ranges:
 MEM 0x00000000a0000000..0x00000000bfffffff -> 0x00000000a0000000
  IO 0x00000000e8000000..0x00000000e800ffff -> 0x0000000000000000
4xx PCI DMA offset set to 0x00000000
4xx PCI DMA window base to 0x0000000000000000
DMA window size 0x0000000080000000
PCI: Probing PCI hardware
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [io  0x0000-0xffff]
pci_bus 0000:00: root bus resource [mem 0xa0000000-0xbfffffff]
pci_bus 0000:00: root bus resource [bus 00-ff]
pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to ff
pci 0000:00:00.0: [1014:027f] type 00 class 0x068000
qemu-system-ppc: ../hw/ppc/ppc4xx_pci.c:259: ppc4xx_pci_set_irq: Assertion `irq_num >= 0' failed.

On v5.2.0, it looks like a higher assertion triggers, added by
commit 459ca8bfa4 ("pci: Assert irqnum is between 0 and bus->nirqs in
pci_bus_change_irq_level").

qemu-system-ppc: ../hw/pci/pci.c:253: pci_bus_change_irq_level: Assertion `irq_num >= 0' failed.

I have uploaded the kernel image here:

https://github.com/nathanchance/bug-files/blob/8edf230441bd8eda067973fdf0eb063c94f04379/qemu-0270d74ef886235051c13c39b0de88500c628a02/uImage

Cheers,
Nathan
Philippe Mathieu-Daudé Jan. 11, 2021, 10:04 a.m. UTC | #5
+Peter

On 1/11/21 2:11 AM, Nathan Chancellor wrote:
> On Tue, Sep 01, 2020 at 12:40:42PM +0200, Philippe Mathieu-Daudé wrote:

>> We call pci_register_root_bus() to register 4 IRQs with the

>> ppc4xx_pci_set_irq() handler. As it can only be called with

>> values in the [0-4[ range, replace the pointless warning by

>> an assert().

>>

>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

>> ---

>>  hw/ppc/ppc4xx_pci.c | 5 +----

>>  1 file changed, 1 insertion(+), 4 deletions(-)

>>

>> diff --git a/hw/ppc/ppc4xx_pci.c b/hw/ppc/ppc4xx_pci.c

>> index cd3f192a138..503ef46b39a 100644

>> --- a/hw/ppc/ppc4xx_pci.c

>> +++ b/hw/ppc/ppc4xx_pci.c

>> @@ -256,10 +256,7 @@ static void ppc4xx_pci_set_irq(void *opaque, int irq_num, int level)

>>      qemu_irq *pci_irqs = opaque;

>>  

>>      trace_ppc4xx_pci_set_irq(irq_num);

>> -    if (irq_num < 0) {

>> -        fprintf(stderr, "%s: PCI irq %d\n", __func__, irq_num);

>> -        return;

>> -    }

>> +    assert(irq_num >= 0);

>>      qemu_set_irq(pci_irqs[irq_num], level);

>>  }

>>  

>> -- 

>> 2.26.2

>>

>>

> 

> Hopefully reporting this here is okay, I find Launchpad hard to use but

> I can file it there if need be.

> 

> The assertion added by this patch triggers while trying to boot a

> ppc44x_defconfig Linux kernel:

> 

> $ qemu-system-ppc \

>     -machine bamboo \

>     -no-reboot \

>     -append console=ttyS0 \

>     -display none \

>     -kernel uImage \

>     -m 128m \

>     -nodefaults \

>     -serial mon:stdio

> Linux version 5.11.0-rc3 (nathan@ubuntu-m3-large-x86) (powerpc-linux-gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 Sun Jan 10 15:52:24 MST 2021

> Using PowerPC 44x Platform machine description

> ioremap() called early from find_legacy_serial_ports+0x64c/0x794. Use early_ioremap() instead

...
> PCI: Probing PCI hardware

> PCI host bridge to bus 0000:00

> pci_bus 0000:00: root bus resource [io  0x0000-0xffff]

> pci_bus 0000:00: root bus resource [mem 0xa0000000-0xbfffffff]

> pci_bus 0000:00: root bus resource [bus 00-ff]

> pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to ff

> pci 0000:00:00.0: [1014:027f] type 00 class 0x068000

> qemu-system-ppc: ../hw/ppc/ppc4xx_pci.c:259: ppc4xx_pci_set_irq: Assertion `irq_num >= 0' failed.

> 

> On v5.2.0, it looks like a higher assertion triggers, added by

> commit 459ca8bfa4 ("pci: Assert irqnum is between 0 and bus->nirqs in

> pci_bus_change_irq_level").

> 

> qemu-system-ppc: ../hw/pci/pci.c:253: pci_bus_change_irq_level: Assertion `irq_num >= 0' failed.


Running with '-trace ppc4xx_pci\*':

1275265@1610357661.994462:ppc4xx_pci_map_irq devfn 0x0 irq 0 -> 0
1275265@1610357661.994480:ppc4xx_pci_set_irq PCI irq -1

(gdb) bt
#0  0x00007fc70a8a19e5 in raise () at /lib64/libc.so.6
#1  0x00007fc70a88a895 in abort () at /lib64/libc.so.6
#2  0x00007fc70a88a769 in _nl_load_domain.cold () at /lib64/libc.so.6
#3  0x00007fc70a899e76 in annobin_assert.c_end () at /lib64/libc.so.6
#4  0x0000560953c2bfe0 in ppc4xx_pci_set_irq (opaque=0x560955dcf9a0,
irq_num=-1, level=0) at hw/ppc/ppc4xx_pci.c:259
#5  0x0000560953a20474 in pci_change_irq_level (pci_dev=0x560955dd0e40,
irq_num=-1, change=0) at hw/pci/pci.c:262
#6  0x0000560953a1d028 in pci_update_irq_disabled (d=0x560955dd0e40,
was_irq_disabled=0) at hw/pci/pci.c:1375
#7  0x0000560953a1ccb3 in pci_default_write_config (d=0x560955dd0e40,
addr=4, val_in=1030, l=2) at hw/pci/pci.c:1415
#8  0x0000560953978977 in pci_host_config_write_common
(pci_dev=0x560955dd0e40, addr=4, limit=256, val=1030, len=2) at
hw/pci/pci_host.c:83
#9  0x0000560953978cb9 in pci_data_write (s=0x560955dd0210,
addr=2147483652, val=1030, len=2) at hw/pci/pci_host.c:120
#10 0x0000560953978eeb in pci_host_data_write (opaque=0x560955dcf350,
addr=0, val=1030, len=2) at hw/pci/pci_host.c:167

How can irq be -1? pci_update_irq_disabled() hasn't been updated
since commit a7b15a5cc626 (2009-12-23):

1368 static void pci_update_irq_disabled(PCIDevice *d, int was_irq_disabled)
1369 {
1370     int i, disabled = pci_irq_disabled(d);
1371     if (disabled == was_irq_disabled)
1372         return;
1373     for (i = 0; i < PCI_NUM_PINS; ++i) {
1374         int state = pci_irq_state(d, i);
1375         pci_change_irq_level(d, i, disabled ? -state : state);
1376     }
1377 }

Let's rebuild using --enable-sanitizers to check an overflow occured:

1286013@1610358549.342593:ppc4xx_pci_map_irq devfn 0x0 irq 0 -> 0
=================================================================
==1286011==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200004f78c at pc 0x55b6d738454c bp 0x7f779b9f7810 sp 0x7f779b9f7808
READ of size 4 at 0x60200004f78c thread T2
    #0 0x55b6d738454b in pci_change_irq_level hw/pci/pci.c:261:29
    #1 0x55b6d73763be in pci_update_irq_disabled hw/pci/pci.c:1375:9
    #2 0x55b6d7374e2d in pci_default_write_config hw/pci/pci.c:1415:9
    #3 0x55b6d70cb8ec in pci_host_config_write_common hw/pci/pci_host.c:83:5
    #4 0x55b6d70cc43f in pci_data_write hw/pci/pci_host.c:120:5
    #5 0x55b6d70ccd43 in pci_host_data_write hw/pci/pci_host.c:167:9
    #6 0x55b6d8505348 in memory_region_write_accessor softmmu/memory.c:483:5
    #7 0x55b6d8504c1a in access_with_adjusted_size softmmu/memory.c:544:18
    #8 0x55b6d8503316 in memory_region_dispatch_write
softmmu/memory.c:1465:16
    #9 0x55b6d878ab51 in flatview_write_continue exec.c:3177:23
    #10 0x55b6d8779046 in flatview_write exec.c:3217:14
    #11 0x55b6d879d1ab in subpage_write exec.c:2829:12
    #12 0x55b6d8505af7 in memory_region_write_with_attrs_accessor
softmmu/memory.c:503:12
    #13 0x55b6d8504af4 in access_with_adjusted_size softmmu/memory.c:539:18
    #14 0x55b6d850376e in memory_region_dispatch_write
softmmu/memory.c:1472:13
    #15 0x55b6d8485b60 in io_writex accel/tcg/cputlb.c:1121:9
    #16 0x55b6d845ef8b in store_helper accel/tcg/cputlb.c:2140:13
    #17 0x55b6d845f558 in helper_le_stw_mmu accel/tcg/cputlb.c:2194:5
    #18 0x7f77a40c0252  (<unknown module>)

0x60200004f78c is located 4 bytes to the left of 16-byte region
[0x60200004f790,0x60200004f7a0)
allocated by thread T0 here:
    #0 0x55b6d6ab9227 in calloc (qemu-system-ppc+0x1a9f227)
    #1 0x7f77f3ab19b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)
    #2 0x55b6d7370ef0 in pci_register_root_bus hw/pci/pci.c:493:5
    #3 0x55b6d7dec5de in ppc4xx_pcihost_realize hw/ppc/ppc4xx_pci.c:318:9
    #4 0x55b6d8a04ffb in device_set_realized hw/core/qdev.c:864:13
    #5 0x55b6d89309e8 in property_set_bool qom/object.c:2202:5
    #6 0x55b6d8928f92 in object_property_set qom/object.c:1349:5
    #7 0x55b6d891aa29 in object_property_set_qobject qom/qom-qobject.c:28:10
    #8 0x55b6d8929d71 in object_property_set_bool qom/object.c:1416:15
    #9 0x55b6d89f76fc in qdev_realize hw/core/qdev.c:379:12
    #10 0x55b6d89f7734 in qdev_realize_and_unref hw/core/qdev.c:386:11
    #11 0x55b6d7ccc37e in sysbus_realize_and_unref hw/core/sysbus.c:261:12
    #12 0x55b6d7ccc0a3 in sysbus_create_varargs hw/core/sysbus.c:236:5
    #13 0x55b6d7dbce60 in bamboo_init hw/ppc/ppc440_bamboo.c:212:11
    #14 0x55b6d6c3cdae in machine_run_board_init hw/core/machine.c:1144:5
    #15 0x55b6d86893ee in qemu_init softmmu/vl.c:4355:5
    #16 0x55b6d6af0f49 in main softmmu/main.c:49:5
    #17 0x7f77f23bd041 in __libc_start_main (/lib64/libc.so.6+0x27041)

Thread T2 created by T0 here:
    #0 0x55b6d6a32bb6 in pthread_create (qemu-system-ppc+0x1a18bb6)
    #1 0x55b6d92a1df4 in qemu_thread_create util/qemu-thread-posix.c:558:11
    #2 0x55b6d8807dc5 in qemu_tcg_init_vcpu softmmu/cpus.c:1926:13
    #3 0x55b6d8807142 in qemu_init_vcpu softmmu/cpus.c:2047:9
    #4 0x55b6d7e79f88 in ppc_cpu_realize
target/ppc/translate_init.c.inc:10146:5
    #5 0x55b6d8a04ffb in device_set_realized hw/core/qdev.c:864:13
    #6 0x55b6d89309e8 in property_set_bool qom/object.c:2202:5
    #7 0x55b6d8928f92 in object_property_set qom/object.c:1349:5
    #8 0x55b6d891aa29 in object_property_set_qobject qom/qom-qobject.c:28:10
    #9 0x55b6d8929d71 in object_property_set_bool qom/object.c:1416:15
    #10 0x55b6d89f76fc in qdev_realize hw/core/qdev.c:379:12
    #11 0x55b6d724d4db in cpu_create hw/core/cpu.c:62:10
    #12 0x55b6d7dbc024 in bamboo_init hw/ppc/ppc440_bamboo.c:183:11
    #13 0x55b6d6c3cdae in machine_run_board_init hw/core/machine.c:1144:5
    #14 0x55b6d86893ee in qemu_init softmmu/vl.c:4355:5
    #15 0x55b6d6af0f49 in main softmmu/main.c:49:5
    #16 0x7f77f23bd041 in __libc_start_main (/lib64/libc.so.6+0x27041)

SUMMARY: AddressSanitizer: heap-buffer-overflow hw/pci/pci.c:261:29 in
pci_change_irq_level
Shadow bytes around the buggy address:
  0x0c0480001ea0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02
  0x0c0480001eb0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02
  0x0c0480001ec0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02
  0x0c0480001ed0: fa fa 00 00 fa fa 00 00 fa fa 00 01 fa fa 05 fa
  0x0c0480001ee0: fa fa 06 fa fa fa fd fd fa fa 06 fa fa fa 00 03
=>0x0c0480001ef0: fa[fa]00 00 fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480001f00: fa fa fd fa fa fa 00 01 fa fa fd fd fa fa fd fa
  0x0c0480001f10: fa fa fd fd fa fa 00 02 fa fa fd fa fa fa 00 02
  0x0c0480001f20: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa
  0x0c0480001f30: fa fa 05 fa fa fa 07 fa fa fa fd fd fa fa 00 02
  0x0c0480001f40: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1286011==ABORTING

I see this sysbus_create_varargs() call in bamboo_init()
has recently been updated by Peter in commit 0270d74ef88
("hw/ppc/ppc440_bamboo: Drop use of ppcuic_init()").

Running with current master (7b09f127738) the assert is
not reached:

Linux version 5.11.0-rc3 (nathan@ubuntu-m3-large-x86) (powerpc-linux-gcc
(GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 Sun Jan 10 15:52:24 MST 2021
Using PowerPC 44x Platform machine description
ioremap() called early from find_legacy_serial_ports+0x64c/0x794. Use
early_ioremap() instead
printk: bootconsole [udbg0] enabled
-----------------------------------------------------
phys_mem_size     = 0x8000000
dcache_bsize      = 0x20
icache_bsize      = 0x20
cpu_features      = 0x0000000000000100
  possible        = 0x0000000040000100
  always          = 0x0000000000000100
cpu_user_features = 0x8c008000 0x00000000
mmu_features      = 0x00000008
-----------------------------------------------------
Zone ranges:
  Normal   [mem 0x0000000000000000-0x0000000007ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000000000-0x0000000007ffffff]
Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
MMU: Allocated 1088 bytes of context maps for 255 contexts
Built 1 zonelists, mobility grouping on.  Total pages: 32448
Kernel command line: console=ttyS0
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
mem auto-init: stack:off, heap alloc:off, heap free:off
Memory: 122712K/131072K available (5040K kernel code, 236K rwdata, 1260K
rodata, 200K init, 134K bss, 8360K reserved, 0K cma-reserved)
Kernel virtual memory layout:
  * 0xffbdf000..0xfffff000  : fixmap
  * 0xffbdd000..0xffbdf000  : early ioremap
  * 0xd1000000..0xffbdd000  : vmalloc & ioremap
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS: 512, nr_irqs: 512, preallocated irqs: 16
Oops: Exception in kernel mode, sig: 4 [#1]
BE PAGE_SIZE=4K PowerPC 44x Platform
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-rc3 #1
NIP:  c0019e58 LR: c062e3a0 CTR: c0019e58
REGS: c067fe90 TRAP: 0700   Not tainted  (5.11.0-rc3)
MSR:  000a1000 <CE,ME>  CR: 84000224  XER: 20000000

GPR00: c062e370 c067ff50 c065c300 c0019e58 00000000 c0019238 c067fde0
c065c300
GPR08: 00000000 00000000 c066fca4 00000066 84000222 00000000 00000000
00000000
GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c0000010
00000000
GPR24: c0651594 c0651594 c0690000 c7ffe080 c0690000 c05c6f64 c0680000
c0802100
NIP [c0019e58] __mtdcr_table+0xc20/0x3ff8
LR [c062e3a0] uic_init_one+0x13c/0x214
Call Trace:
[c067ff50] [c062e370] uic_init_one+0x10c/0x214 (unreliable)
[c067ff80] [c062e4f8] uic_init_tree+0x80/0x174
[c067ffb0] [c0627af8] start_kernel+0x33c/0x508
[c067fff0] [c0000044] _start+0x44/0x88
Instruction dump:
7c9f2b86 4e800020 7c603286 4e800020 7c803386 4e800020 7c613286 4e800020
7c813386 4e800020 7c623286 4e800020 <7c823386> 4e800020 7c633286 4e800020
random: get_random_bytes called from oops_exit+0x44/0x84 with crng_init=0
---[ end trace 0000000000000000 ]---

Kernel panic - not syncing: Attempted to kill the idle task!
Rebooting in 180 seconds..

I suppose we can end this thread as NOTABUG.

Thanks for testing and your report,

Phil.
Nathan Chancellor Jan. 11, 2021, 4:46 p.m. UTC | #6
On Mon, Jan 11, 2021 at 11:04:25AM +0100, Philippe Mathieu-Daudé wrote:
> +Peter

> 

> On 1/11/21 2:11 AM, Nathan Chancellor wrote:

> > On Tue, Sep 01, 2020 at 12:40:42PM +0200, Philippe Mathieu-Daudé wrote:

> >> We call pci_register_root_bus() to register 4 IRQs with the

> >> ppc4xx_pci_set_irq() handler. As it can only be called with

> >> values in the [0-4[ range, replace the pointless warning by

> >> an assert().

> >>

> >> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> >> ---

> >>  hw/ppc/ppc4xx_pci.c | 5 +----

> >>  1 file changed, 1 insertion(+), 4 deletions(-)

> >>

> >> diff --git a/hw/ppc/ppc4xx_pci.c b/hw/ppc/ppc4xx_pci.c

> >> index cd3f192a138..503ef46b39a 100644

> >> --- a/hw/ppc/ppc4xx_pci.c

> >> +++ b/hw/ppc/ppc4xx_pci.c

> >> @@ -256,10 +256,7 @@ static void ppc4xx_pci_set_irq(void *opaque, int irq_num, int level)

> >>      qemu_irq *pci_irqs = opaque;

> >>  

> >>      trace_ppc4xx_pci_set_irq(irq_num);

> >> -    if (irq_num < 0) {

> >> -        fprintf(stderr, "%s: PCI irq %d\n", __func__, irq_num);

> >> -        return;

> >> -    }

> >> +    assert(irq_num >= 0);

> >>      qemu_set_irq(pci_irqs[irq_num], level);

> >>  }

> >>  

> >> -- 

> >> 2.26.2

> >>

> >>

> > 

> > Hopefully reporting this here is okay, I find Launchpad hard to use but

> > I can file it there if need be.

> > 

> > The assertion added by this patch triggers while trying to boot a

> > ppc44x_defconfig Linux kernel:

> > 

> > $ qemu-system-ppc \

> >     -machine bamboo \

> >     -no-reboot \

> >     -append console=ttyS0 \

> >     -display none \

> >     -kernel uImage \

> >     -m 128m \

> >     -nodefaults \

> >     -serial mon:stdio

> > Linux version 5.11.0-rc3 (nathan@ubuntu-m3-large-x86) (powerpc-linux-gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 Sun Jan 10 15:52:24 MST 2021

> > Using PowerPC 44x Platform machine description

> > ioremap() called early from find_legacy_serial_ports+0x64c/0x794. Use early_ioremap() instead

> ...

> > PCI: Probing PCI hardware

> > PCI host bridge to bus 0000:00

> > pci_bus 0000:00: root bus resource [io  0x0000-0xffff]

> > pci_bus 0000:00: root bus resource [mem 0xa0000000-0xbfffffff]

> > pci_bus 0000:00: root bus resource [bus 00-ff]

> > pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to ff

> > pci 0000:00:00.0: [1014:027f] type 00 class 0x068000

> > qemu-system-ppc: ../hw/ppc/ppc4xx_pci.c:259: ppc4xx_pci_set_irq: Assertion `irq_num >= 0' failed.

> > 

> > On v5.2.0, it looks like a higher assertion triggers, added by

> > commit 459ca8bfa4 ("pci: Assert irqnum is between 0 and bus->nirqs in

> > pci_bus_change_irq_level").

> > 

> > qemu-system-ppc: ../hw/pci/pci.c:253: pci_bus_change_irq_level: Assertion `irq_num >= 0' failed.

> 

> Running with '-trace ppc4xx_pci\*':

> 

> 1275265@1610357661.994462:ppc4xx_pci_map_irq devfn 0x0 irq 0 -> 0

> 1275265@1610357661.994480:ppc4xx_pci_set_irq PCI irq -1

> 

> (gdb) bt

> #0  0x00007fc70a8a19e5 in raise () at /lib64/libc.so.6

> #1  0x00007fc70a88a895 in abort () at /lib64/libc.so.6

> #2  0x00007fc70a88a769 in _nl_load_domain.cold () at /lib64/libc.so.6

> #3  0x00007fc70a899e76 in annobin_assert.c_end () at /lib64/libc.so.6

> #4  0x0000560953c2bfe0 in ppc4xx_pci_set_irq (opaque=0x560955dcf9a0,

> irq_num=-1, level=0) at hw/ppc/ppc4xx_pci.c:259

> #5  0x0000560953a20474 in pci_change_irq_level (pci_dev=0x560955dd0e40,

> irq_num=-1, change=0) at hw/pci/pci.c:262

> #6  0x0000560953a1d028 in pci_update_irq_disabled (d=0x560955dd0e40,

> was_irq_disabled=0) at hw/pci/pci.c:1375

> #7  0x0000560953a1ccb3 in pci_default_write_config (d=0x560955dd0e40,

> addr=4, val_in=1030, l=2) at hw/pci/pci.c:1415

> #8  0x0000560953978977 in pci_host_config_write_common

> (pci_dev=0x560955dd0e40, addr=4, limit=256, val=1030, len=2) at

> hw/pci/pci_host.c:83

> #9  0x0000560953978cb9 in pci_data_write (s=0x560955dd0210,

> addr=2147483652, val=1030, len=2) at hw/pci/pci_host.c:120

> #10 0x0000560953978eeb in pci_host_data_write (opaque=0x560955dcf350,

> addr=0, val=1030, len=2) at hw/pci/pci_host.c:167

> 

> How can irq be -1? pci_update_irq_disabled() hasn't been updated

> since commit a7b15a5cc626 (2009-12-23):

> 

> 1368 static void pci_update_irq_disabled(PCIDevice *d, int was_irq_disabled)

> 1369 {

> 1370     int i, disabled = pci_irq_disabled(d);

> 1371     if (disabled == was_irq_disabled)

> 1372         return;

> 1373     for (i = 0; i < PCI_NUM_PINS; ++i) {

> 1374         int state = pci_irq_state(d, i);

> 1375         pci_change_irq_level(d, i, disabled ? -state : state);

> 1376     }

> 1377 }

> 

> Let's rebuild using --enable-sanitizers to check an overflow occured:

> 

> 1286013@1610358549.342593:ppc4xx_pci_map_irq devfn 0x0 irq 0 -> 0

> =================================================================

> ==1286011==ERROR: AddressSanitizer: heap-buffer-overflow on address

> 0x60200004f78c at pc 0x55b6d738454c bp 0x7f779b9f7810 sp 0x7f779b9f7808

> READ of size 4 at 0x60200004f78c thread T2

>     #0 0x55b6d738454b in pci_change_irq_level hw/pci/pci.c:261:29

>     #1 0x55b6d73763be in pci_update_irq_disabled hw/pci/pci.c:1375:9

>     #2 0x55b6d7374e2d in pci_default_write_config hw/pci/pci.c:1415:9

>     #3 0x55b6d70cb8ec in pci_host_config_write_common hw/pci/pci_host.c:83:5

>     #4 0x55b6d70cc43f in pci_data_write hw/pci/pci_host.c:120:5

>     #5 0x55b6d70ccd43 in pci_host_data_write hw/pci/pci_host.c:167:9

>     #6 0x55b6d8505348 in memory_region_write_accessor softmmu/memory.c:483:5

>     #7 0x55b6d8504c1a in access_with_adjusted_size softmmu/memory.c:544:18

>     #8 0x55b6d8503316 in memory_region_dispatch_write

> softmmu/memory.c:1465:16

>     #9 0x55b6d878ab51 in flatview_write_continue exec.c:3177:23

>     #10 0x55b6d8779046 in flatview_write exec.c:3217:14

>     #11 0x55b6d879d1ab in subpage_write exec.c:2829:12

>     #12 0x55b6d8505af7 in memory_region_write_with_attrs_accessor

> softmmu/memory.c:503:12

>     #13 0x55b6d8504af4 in access_with_adjusted_size softmmu/memory.c:539:18

>     #14 0x55b6d850376e in memory_region_dispatch_write

> softmmu/memory.c:1472:13

>     #15 0x55b6d8485b60 in io_writex accel/tcg/cputlb.c:1121:9

>     #16 0x55b6d845ef8b in store_helper accel/tcg/cputlb.c:2140:13

>     #17 0x55b6d845f558 in helper_le_stw_mmu accel/tcg/cputlb.c:2194:5

>     #18 0x7f77a40c0252  (<unknown module>)

> 

> 0x60200004f78c is located 4 bytes to the left of 16-byte region

> [0x60200004f790,0x60200004f7a0)

> allocated by thread T0 here:

>     #0 0x55b6d6ab9227 in calloc (qemu-system-ppc+0x1a9f227)

>     #1 0x7f77f3ab19b0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x589b0)

>     #2 0x55b6d7370ef0 in pci_register_root_bus hw/pci/pci.c:493:5

>     #3 0x55b6d7dec5de in ppc4xx_pcihost_realize hw/ppc/ppc4xx_pci.c:318:9

>     #4 0x55b6d8a04ffb in device_set_realized hw/core/qdev.c:864:13

>     #5 0x55b6d89309e8 in property_set_bool qom/object.c:2202:5

>     #6 0x55b6d8928f92 in object_property_set qom/object.c:1349:5

>     #7 0x55b6d891aa29 in object_property_set_qobject qom/qom-qobject.c:28:10

>     #8 0x55b6d8929d71 in object_property_set_bool qom/object.c:1416:15

>     #9 0x55b6d89f76fc in qdev_realize hw/core/qdev.c:379:12

>     #10 0x55b6d89f7734 in qdev_realize_and_unref hw/core/qdev.c:386:11

>     #11 0x55b6d7ccc37e in sysbus_realize_and_unref hw/core/sysbus.c:261:12

>     #12 0x55b6d7ccc0a3 in sysbus_create_varargs hw/core/sysbus.c:236:5

>     #13 0x55b6d7dbce60 in bamboo_init hw/ppc/ppc440_bamboo.c:212:11

>     #14 0x55b6d6c3cdae in machine_run_board_init hw/core/machine.c:1144:5

>     #15 0x55b6d86893ee in qemu_init softmmu/vl.c:4355:5

>     #16 0x55b6d6af0f49 in main softmmu/main.c:49:5

>     #17 0x7f77f23bd041 in __libc_start_main (/lib64/libc.so.6+0x27041)

> 

> Thread T2 created by T0 here:

>     #0 0x55b6d6a32bb6 in pthread_create (qemu-system-ppc+0x1a18bb6)

>     #1 0x55b6d92a1df4 in qemu_thread_create util/qemu-thread-posix.c:558:11

>     #2 0x55b6d8807dc5 in qemu_tcg_init_vcpu softmmu/cpus.c:1926:13

>     #3 0x55b6d8807142 in qemu_init_vcpu softmmu/cpus.c:2047:9

>     #4 0x55b6d7e79f88 in ppc_cpu_realize

> target/ppc/translate_init.c.inc:10146:5

>     #5 0x55b6d8a04ffb in device_set_realized hw/core/qdev.c:864:13

>     #6 0x55b6d89309e8 in property_set_bool qom/object.c:2202:5

>     #7 0x55b6d8928f92 in object_property_set qom/object.c:1349:5

>     #8 0x55b6d891aa29 in object_property_set_qobject qom/qom-qobject.c:28:10

>     #9 0x55b6d8929d71 in object_property_set_bool qom/object.c:1416:15

>     #10 0x55b6d89f76fc in qdev_realize hw/core/qdev.c:379:12

>     #11 0x55b6d724d4db in cpu_create hw/core/cpu.c:62:10

>     #12 0x55b6d7dbc024 in bamboo_init hw/ppc/ppc440_bamboo.c:183:11

>     #13 0x55b6d6c3cdae in machine_run_board_init hw/core/machine.c:1144:5

>     #14 0x55b6d86893ee in qemu_init softmmu/vl.c:4355:5

>     #15 0x55b6d6af0f49 in main softmmu/main.c:49:5

>     #16 0x7f77f23bd041 in __libc_start_main (/lib64/libc.so.6+0x27041)

> 

> SUMMARY: AddressSanitizer: heap-buffer-overflow hw/pci/pci.c:261:29 in

> pci_change_irq_level

> Shadow bytes around the buggy address:

>   0x0c0480001ea0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02

>   0x0c0480001eb0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02

>   0x0c0480001ec0: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 02

>   0x0c0480001ed0: fa fa 00 00 fa fa 00 00 fa fa 00 01 fa fa 05 fa

>   0x0c0480001ee0: fa fa 06 fa fa fa fd fd fa fa 06 fa fa fa 00 03

> =>0x0c0480001ef0: fa[fa]00 00 fa fa fd fa fa fa fd fa fa fa fd fa

>   0x0c0480001f00: fa fa fd fa fa fa 00 01 fa fa fd fd fa fa fd fa

>   0x0c0480001f10: fa fa fd fd fa fa 00 02 fa fa fd fa fa fa 00 02

>   0x0c0480001f20: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa

>   0x0c0480001f30: fa fa 05 fa fa fa 07 fa fa fa fd fd fa fa 00 02

>   0x0c0480001f40: fa fa 05 fa fa fa 07 fa fa fa 00 01 fa fa 07 fa

> Shadow byte legend (one shadow byte represents 8 application bytes):

>   Addressable:           00

>   Partially addressable: 01 02 03 04 05 06 07

>   Heap left redzone:       fa

>   Freed heap region:       fd

>   Stack left redzone:      f1

>   Stack mid redzone:       f2

>   Stack right redzone:     f3

>   Stack after return:      f5

>   Stack use after scope:   f8

>   Global redzone:          f9

>   Global init order:       f6

>   Poisoned by user:        f7

>   Container overflow:      fc

>   Array cookie:            ac

>   Intra object redzone:    bb

>   ASan internal:           fe

>   Left alloca redzone:     ca

>   Right alloca redzone:    cb

>   Shadow gap:              cc

> ==1286011==ABORTING

> 

> I see this sysbus_create_varargs() call in bamboo_init()

> has recently been updated by Peter in commit 0270d74ef88

> ("hw/ppc/ppc440_bamboo: Drop use of ppcuic_init()").

> 

> Running with current master (7b09f127738) the assert is

> not reached:

> 

> Linux version 5.11.0-rc3 (nathan@ubuntu-m3-large-x86) (powerpc-linux-gcc

> (GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 Sun Jan 10 15:52:24 MST 2021

> Using PowerPC 44x Platform machine description

> ioremap() called early from find_legacy_serial_ports+0x64c/0x794. Use

> early_ioremap() instead

> printk: bootconsole [udbg0] enabled

> -----------------------------------------------------

> phys_mem_size     = 0x8000000

> dcache_bsize      = 0x20

> icache_bsize      = 0x20

> cpu_features      = 0x0000000000000100

>   possible        = 0x0000000040000100

>   always          = 0x0000000000000100

> cpu_user_features = 0x8c008000 0x00000000

> mmu_features      = 0x00000008

> -----------------------------------------------------

> Zone ranges:

>   Normal   [mem 0x0000000000000000-0x0000000007ffffff]

> Movable zone start for each node

> Early memory node ranges

>   node   0: [mem 0x0000000000000000-0x0000000007ffffff]

> Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]

> MMU: Allocated 1088 bytes of context maps for 255 contexts

> Built 1 zonelists, mobility grouping on.  Total pages: 32448

> Kernel command line: console=ttyS0

> Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)

> Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)

> mem auto-init: stack:off, heap alloc:off, heap free:off

> Memory: 122712K/131072K available (5040K kernel code, 236K rwdata, 1260K

> rodata, 200K init, 134K bss, 8360K reserved, 0K cma-reserved)

> Kernel virtual memory layout:

>   * 0xffbdf000..0xfffff000  : fixmap

>   * 0xffbdd000..0xffbdf000  : early ioremap

>   * 0xd1000000..0xffbdd000  : vmalloc & ioremap

> SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1

> NR_IRQS: 512, nr_irqs: 512, preallocated irqs: 16

> Oops: Exception in kernel mode, sig: 4 [#1]

> BE PAGE_SIZE=4K PowerPC 44x Platform

> Modules linked in:

> CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0-rc3 #1

> NIP:  c0019e58 LR: c062e3a0 CTR: c0019e58

> REGS: c067fe90 TRAP: 0700   Not tainted  (5.11.0-rc3)

> MSR:  000a1000 <CE,ME>  CR: 84000224  XER: 20000000

> 

> GPR00: c062e370 c067ff50 c065c300 c0019e58 00000000 c0019238 c067fde0

> c065c300

> GPR08: 00000000 00000000 c066fca4 00000066 84000222 00000000 00000000

> 00000000

> GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c0000010

> 00000000

> GPR24: c0651594 c0651594 c0690000 c7ffe080 c0690000 c05c6f64 c0680000

> c0802100

> NIP [c0019e58] __mtdcr_table+0xc20/0x3ff8

> LR [c062e3a0] uic_init_one+0x13c/0x214

> Call Trace:

> [c067ff50] [c062e370] uic_init_one+0x10c/0x214 (unreliable)

> [c067ff80] [c062e4f8] uic_init_tree+0x80/0x174

> [c067ffb0] [c0627af8] start_kernel+0x33c/0x508

> [c067fff0] [c0000044] _start+0x44/0x88

> Instruction dump:

> 7c9f2b86 4e800020 7c603286 4e800020 7c803386 4e800020 7c613286 4e800020

> 7c813386 4e800020 7c623286 4e800020 <7c823386> 4e800020 7c633286 4e800020

> random: get_random_bytes called from oops_exit+0x44/0x84 with crng_init=0

> ---[ end trace 0000000000000000 ]---

> 

> Kernel panic - not syncing: Attempted to kill the idle task!

> Rebooting in 180 seconds..

> 

> I suppose we can end this thread as NOTABUG.

> 

> Thanks for testing and your report,

> 

> Phil.


For what it's worth, I initially ran into this assertion on v5.2.0,
which does not include Peter's commit since it is only in master (and
I reported a problem with separately). If they are indeed related then
fair enough :) thanks for taking a look.

Cheers,
Nathan
Peter Maydell Jan. 11, 2021, 5:41 p.m. UTC | #7
On Mon, 11 Jan 2021 at 01:11, Nathan Chancellor
<natechancellor@gmail.com> wrote:
>

> On Tue, Sep 01, 2020 at 12:40:42PM +0200, Philippe Mathieu-Daudé wrote:

> > We call pci_register_root_bus() to register 4 IRQs with the

> > ppc4xx_pci_set_irq() handler. As it can only be called with

> > values in the [0-4[ range, replace the pointless warning by

> > an assert().

> >

> > Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>


> Hopefully reporting this here is okay, I find Launchpad hard to use but

> I can file it there if need be.

>

> The assertion added by this patch triggers while trying to boot a

> ppc44x_defconfig Linux kernel:


This is the same issue reported here by Guenter:
https://lore.kernel.org/qemu-devel/3f0f8fc6-6148-a76e-1088-b7882b0bbcaf@roeck-us.net/
It's still there in master (you can see it if you apply my fix
https://patchew.org/QEMU/20210111171623.18871-1-peter.maydell@linaro.org/
to get past the earlier kernel panic).

The QEMU code as it stands for the Bamboo PCI interrupts is clearly
wrong. The problem is that I don't know what the hardware's
actual behaviour is, so it's hard to fix the model...
A comment in hw/ppc/ppc4xx_pci.c claims
"On Bamboo, all pins from each slot are tied to a single board IRQ."
Code in hw/ppc/ppc440_bamboo.c wires four irq lines from the
PCI controller up to UIC lines 25, 26, 27, 28.

Does anybody have documentation for this board ? What is Linux
expecting the PCI IRQ wiring to be (not necessarily an indication
that that's what the h/w does, but a useful clue :-)) ?

thanks
-- PMM