The num-lines property of the TYPE_OR_GATE device sets the number
of input lines it has. An assert() in or_irq_realize() restricts
this to the maximum supported by the implementation. However we
got the condition in the assert wrong: it should be using <=,
because num-lines == MAX_OR_LINES is permitted, and means that
all entries from 0 to MAX_OR_LINES-1 in the s->levels[] array
are used.
We didn't notice this previously because no user has so far
needed that many input lines.
Reported-by: Guenter Roeck <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
---
hw/core/or-irq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/or-irq.c b/hw/core/or-irq.c
index 18d63831cd3..2be18333811 100644
--- a/hw/core/or-irq.c
+++ b/hw/core/or-irq.c
@@ -58,7 +58,7 @@ static void or_irq_realize(DeviceState *dev, Error **errp)
{
qemu_or_irq *s = OR_IRQ(dev);
- assert(s->num_lines < MAX_OR_LINES);
+ assert(s->num_lines <= MAX_OR_LINES);
qdev_init_gpio_in(dev, or_irq_handler, s->num_lines);
}