versal/ospi: valid config write aborts on a bad owner cast (#3422) · Issues · QEMU / QEMU

versal/ospi: valid config write aborts on a bad owner cast

Title versal/ospi: valid config write aborts on a bad owner cast Version commit: 2339d0a1 tag: v10.2.0-690-g2339d0a1cf version: QEMU emulator version 10.2.50 (v10.2.0-690-g2339d0a1cf-dirty) Device and source file hw/ssi/xlnx-versal-ospi.c (`xlnx.versal-ospi` / `xlnx.usmp-gqspi` mapping on `amd-versal-virt`) After starting the board, `info mtree -f` shows the accessed register in `0xf1010000-0xf10100ff` (`xlnx.versal-ospi`), so the access at `0xf1010000` is in-range. Description of problem This is another `reg_array->mem.owner` bug, but in the Versal OSPI model. `xilinx_ospi_of_mr()` takes a `RegisterInfoArray *`, pulls `dev = reg_array->mem.owner`, and then does `XILINX_VERSAL_OSPI(dev)`. That is fine only if the memory region owner is the device object. It is not. `register_init_block32()` built the region with `OBJECT(r_array)` instead, so the first legal register write aborts on the cast. Key code: ```c /* hw/ssi/xlnx-versal-ospi.c */ static XlnxVersalOspi *xilinx_ospi_of_mr(void *mr_accessor) { RegisterInfoArray *reg_array = mr_accessor; Object *dev; dev = reg_array->mem.owner; assert(dev); return XILINX_VERSAL_OSPI(dev); } /* hw/core/register.c */ r->opaque = owner; memory_region_init_io(&r_array->mem, OBJECT(r_array), ops, r_array, device_prefix, memory_size); ``` Root cause analysis Input source: legal guest MMIO write to the OSPI config register block. Missing validation: helper recovers the device from the wrong owner object. Bug class: invalid object cast / host abort. Impact: the first in-range write aborts QEMU. Steps to Reproduce Configuration ```bash ./configure --target-list=aarch64-softmmu --enable-debug --disable-strip make -j"$(nproc)" ``` Reproducer (qtest) With the runtime layout confirmed first, this is the qtest sequence I used: ```bash cat <<'EOF' | ./qemu-system-aarch64 -audio none -display none -machine accel=qtest -M amd-versal-virt -nographic -monitor none -serial none -nodefaults -qtest stdio writel 0xf1010000 0x00000001 EOF ``` Observed output (excerpt) ```text [I 0.000000] OPENED [R +0.205928] writel 0xf1010000 0x00000001 /home/ubuntu/qemu_bug/qemu-2339d0a1cfac6ecc667e6e062a593865c1541c35/include/hw/ssi/xlnx-versal-ospi.h:62:XILINX_VERSAL_OSPI: Object 0x5e3037749000 is not an instance of type xlnx.versal-ospi [local] exit code: -6 ```

issue