The num-lines property of the TYPE_OR_GATE device sets the number of input lines it has. An assert() in or_irq_realize() restricts this to the maximum supported by the implementation. However we got the condition in the assert wrong: it should be using <=, because num-lines == MAX_OR_LINES is permitted, and means that all entries from 0 to MAX_OR_LINES-1 in the s->levels[] array are used.
We didn't notice this previously because no user has so far needed that many input lines. Reported-by: Guenter Roeck <li...@roeck-us.net> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> Reviewed-by: Guenter Roeck <li...@roeck-us.net> Message-id: 20200120142235.10432-1-peter.mayd...@linaro.org --- hw/core/or-irq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/core/or-irq.c b/hw/core/or-irq.c index 4bbdbcb321b..d8f3754e967 100644 --- a/hw/core/or-irq.c +++ b/hw/core/or-irq.c @@ -58,7 +58,7 @@ static void or_irq_realize(DeviceState *dev, Error **errp) { qemu_or_irq *s = OR_IRQ(dev); - assert(s->num_lines < MAX_OR_LINES); + assert(s->num_lines <= MAX_OR_LINES); qdev_init_gpio_in(dev, or_irq_handler, s->num_lines); } -- 2.20.1
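Review bot: On the changed assert() line in or_irq_realize(), the bound on num-lines is still enforced with assert() even though the function receives an Error **errp. num-lines is a device property, so a value above MAX_OR_LINES aborts the whole process instead of failing realize with a message. The <= comparison itself matches the commit message (entries 0 to MAX_OR_LINES-1 of s->levels[] are used when num-lines == MAX_OR_LINES). Consider reporting the out-of-range case through errp, for example `if (s->num_lines > MAX_OR_LINES) { error_setg(errp, "num-lines must be at most %d", MAX_OR_LINES); return; }`, so the bounds check on s->levels[] does not depend on an assertion. A one-line comment next to the check stating that MAX_OR_LINES is the size of s->levels[] would also make the off-by-one harder to reintroduce.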