The num-lines property of the TYPE_OR_GATE device sets the number of input lines it has. An assert() in or_irq_realize() restricts this to the maximum supported by the implementation. However we got the condition in the assert wrong: it should be using <=, because num-lines == MAX_OR_LINES is permitted, and means that all entries from 0 to MAX_OR_LINES-1 in the s->levels[] array are used.
We didn't notice this previously because no user has so far needed that many input lines. Reported-by: Guenter Roeck <[email protected]> Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Guenter Roeck <[email protected]> Message-id: [email protected] --- hw/core/or-irq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/core/or-irq.c b/hw/core/or-irq.c index 4bbdbcb321b..d8f3754e967 100644 --- a/hw/core/or-irq.c +++ b/hw/core/or-irq.c @@ -58,7 +58,7 @@ static void or_irq_realize(DeviceState *dev, Error **errp) { qemu_or_irq *s = OR_IRQ(dev); - assert(s->num_lines < MAX_OR_LINES); + assert(s->num_lines <= MAX_OR_LINES); qdev_init_gpio_in(dev, or_irq_handler, s->num_lines); } -- 2.20.1
