Re: [Qemu-devel] [PATCH v2] xilinx_spips: Correct usage of an uninitialized local variable
On Monday, 22 January 2018, Peter Maydell wrote: > On 17 January 2018 at 21:34, Francisco Iglesias > wrote: > > Coverity found that the variable tx_rx in the function > > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). > This > > patch corrects this by always initializing tx_rx to zeros. > > > > Signed-off-by: Francisco Iglesias > > > > --- > > v2. Add a sanity check on the num_busses property when realizing the > > devices. > > --- > > hw/ssi/xilinx_spips.c | 13 - > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > > index 85c5d0c..12f1de9 100644 > > --- a/hw/ssi/xilinx_spips.c > > +++ b/hw/ssi/xilinx_spips.c > > @@ -210,6 +210,9 @@ > > #define SNOOP_NONE 0xEE > > #define SNOOP_STRIPING 0 > > > > +#define MIN_NUM_BUSSES 1 > > +#define MAX_NUM_BUSSES 2 > > + > > static inline int num_effective_busses(XilinxSPIPS *s) > > { > > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS > *s) > > for (;;) { > > int i; > > uint8_t tx = 0; > > -uint8_t tx_rx[num_effective_busses(s)]; > > +uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; > > uint8_t dummy_cycles = 0; > > uint8_t addr_length; 
> > > > @@ -1221,6 +1224,14 @@ static void xilinx_spips_realize(DeviceState > *dev, Error **errp) > > > > DB_PRINT_L(0, "realized spips\n"); > > > > +if (s->num_busses < MIN_NUM_BUSSES || s->num_busses > > MAX_NUM_BUSSES) { > > +qemu_log_mask(LOG_GUEST_ERROR, > > + "%s: Invalid number of spi busses requested, " > > + "will default to use one bus\n", > > + __func__); > > +s->num_busses = 1; > > Realize functions should report errors in their parameters via the Error** > parameter (which will cause the realize operation to fail, which the caller > can deal with appropriately). Here's an example from the realize function > for the GICv3: > > if (s->num_irq > GICV3_MAXIRQ) { > error_setg(errp, >"requested %u interrupt lines exceeds GIC maximum %d", >s->num_irq, GICV3_MAXIRQ); > return; > } > > (Note no trailing \n required for error_setg strings, unlike > qemu_log_mask.) > > thanks > -- PMM > Hi Peter, Thank you very much for reviewing the patch again! I'll correct this in the next version (3) of the patch. Best regards, Francisco Iglesias
Re: [Qemu-devel] [PATCH v2] xilinx_spips: Correct usage of an uninitialized local variable
On 17 January 2018 at 21:34, Francisco Iglesias wrote: > Coverity found that the variable tx_rx in the function > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This > patch corrects this by always initializing tx_rx to zeros. > > Signed-off-by: Francisco Iglesias > > --- > v2. Add a sanity check on the num_busses property when realizing the > devices. > --- > hw/ssi/xilinx_spips.c | 13 - > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > index 85c5d0c..12f1de9 100644 > --- a/hw/ssi/xilinx_spips.c > +++ b/hw/ssi/xilinx_spips.c > @@ -210,6 +210,9 @@ > #define SNOOP_NONE 0xEE > #define SNOOP_STRIPING 0 > > +#define MIN_NUM_BUSSES 1 > +#define MAX_NUM_BUSSES 2 > + > static inline int num_effective_busses(XilinxSPIPS *s) > { > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) > for (;;) { > int i; > uint8_t tx = 0; > -uint8_t tx_rx[num_effective_busses(s)]; > +uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; > uint8_t dummy_cycles = 0; > uint8_t addr_length; > > @@ -1221,6 +1224,14 @@ static void xilinx_spips_realize(DeviceState *dev, > Error **errp) > > DB_PRINT_L(0, "realized spips\n"); > > +if (s->num_busses < MIN_NUM_BUSSES || s->num_busses > MAX_NUM_BUSSES) { > +qemu_log_mask(LOG_GUEST_ERROR, > + "%s: Invalid number of spi busses requested, " > + "will default to use one bus\n", > + __func__); > +s->num_busses = 1; Realize functions should report errors in their parameters via the Error** parameter (which will cause the realize operation to fail, which the caller can deal with appropriately). Here's an example from the realize function for the GICv3: if (s->num_irq > GICV3_MAXIRQ) { error_setg(errp, "requested %u interrupt lines exceeds GIC maximum %d", s->num_irq, GICV3_MAXIRQ); return; } (Note no trailing \n required for error_setg strings, unlike qemu_log_mask.) thanks -- PMM
[Qemu-devel] [PATCH v2] xilinx_spips: Correct usage of an uninitialized local variable
Coverity found that the variable tx_rx in the function xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This patch corrects this by always initializing tx_rx to zeros. Signed-off-by: Francisco Iglesias --- v2. Add a sanity check on the num_busses property when realizing the devices. --- hw/ssi/xilinx_spips.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index 85c5d0c..12f1de9 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -210,6 +210,9 @@ #define SNOOP_NONE 0xEE #define SNOOP_STRIPING 0 +#define MIN_NUM_BUSSES 1 +#define MAX_NUM_BUSSES 2 + static inline int num_effective_busses(XilinxSPIPS *s) { return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) for (;;) { int i; uint8_t tx = 0; -uint8_t tx_rx[num_effective_busses(s)]; +uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; uint8_t dummy_cycles = 0; uint8_t addr_length; @@ -1221,6 +1224,14 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) DB_PRINT_L(0, "realized spips\n"); +if (s->num_busses < MIN_NUM_BUSSES || s->num_busses > MAX_NUM_BUSSES) { +qemu_log_mask(LOG_GUEST_ERROR, + "%s: Invalid number of spi busses requested, " + "will default to use one bus\n", + __func__); +s->num_busses = 1; +} + s->spi = g_new(SSIBus *, s->num_busses); for (i = 0; i < s->num_busses; ++i) { char bus_name[16]; -- 2.9.3
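Review bot: In the xilinx_spips_flush_txfifo hunk, `uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };` replaces an array that was sized by num_effective_busses(s), so the buffer is only large enough if that function never returns more than MAX_NUM_BUSSES. Nothing in this hunk enforces that. The bound rests on the num_busses check added in realize, so consider asserting num_effective_busses(s) <= MAX_NUM_BUSSES before the loop, or adding a comment next to the declaration that ties the array size to that check. The commit message describes only the zero-initialization; it should also say that the variable-length array was replaced with a fixed-size one.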
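Review bot: In the xilinx_spips_realize hunk, an out-of-range num_busses is logged with qemu_log_mask(LOG_GUEST_ERROR, ...) and then silently overwritten with `s->num_busses = 1;`, so a misconfigured device still realizes with a bus count that was not requested. The commit message describes num_busses as a property checked at realize time, which makes a bad value a configuration error rather than a guest error. Report it through the errp parameter with error_setg(errp, ...) (no trailing \n in the string) and return, so that realize fails and the caller can handle it.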