* [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes
@ 2018-04-30 20:02 Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer Marcel Apfelbaum
` (6 more replies)
0 siblings, 7 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
From: Marcel Apfelbaum <marcel@redhat.com>
Various fixes that were found by coverity. (run by Peter, thanks!)
Thanks,
Marcel
Marcel Apfelbaum (3):
hw/rdma: Fix possible munmap call on a NULL pointer
hw/rdma: Fix possible usage of a NULL pointer
hw/rdma: Fix possible out of bounds access to port GID index
Yuval Shaia (4):
hw/rdma: Delete port's pkey table
hw/rdma: Fix possible out of bounds access to GID table
hw/rdma: Fix possible out of bounds access to regs array
hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME
hw/rdma/rdma_backend.c | 2 +-
hw/rdma/rdma_rm.c | 2 --
hw/rdma/rdma_rm_defs.h | 9 ++++-----
hw/rdma/vmw/pvrdma.h | 6 +++---
hw/rdma/vmw/pvrdma_cmd.c | 10 +++++++---
hw/rdma/vmw/pvrdma_main.c | 19 ++-----------------
hw/rdma/vmw/pvrdma_qp_ops.c | 1 +
7 files changed, 18 insertions(+), 31 deletions(-)
--
2.14.3
^ permalink raw reply [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of " Marcel Apfelbaum
` (5 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
Coverity CID 1390620: we call munmap() on a NULL pointer.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 99019d8741..f9dd78cb27 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -232,7 +232,7 @@ static int create_mr(PVRDMADev *dev, union pvrdma_cmd_req *req,
cmd->start, cmd->length, host_virt,
cmd->access_flags, &resp->mr_handle,
&resp->lkey, &resp->rkey);
- if (!resp->hdr.err) {
+ if (host_virt && !resp->hdr.err) {
munmap(host_virt, cmd->length);
}
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of a NULL pointer
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-05-01 3:04 ` Philippe Mathieu-Daudé
2018-04-30 20:02 ` [Qemu-devel] [PATCH 3/7] hw/rdma: Delete port's pkey table Marcel Apfelbaum
` (4 subsequent siblings)
6 siblings, 1 reply; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
Coverity CID 1390586; The cq handle is provided by the guest
and cannot be trusted to be previuosly allocated.
Fix it by exiting the completion flow.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
hw/rdma/vmw/pvrdma_qp_ops.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/rdma/vmw/pvrdma_qp_ops.c b/hw/rdma/vmw/pvrdma_qp_ops.c
index 750ade6c31..99bb51111e 100644
--- a/hw/rdma/vmw/pvrdma_qp_ops.c
+++ b/hw/rdma/vmw/pvrdma_qp_ops.c
@@ -216,6 +216,7 @@ void pvrdma_cq_poll(RdmaDeviceResources *dev_res, uint32_t cq_handle)
cq = rdma_rm_get_cq(dev_res, cq_handle);
if (!cq) {
pr_dbg("Invalid CQ# %d\n", cq_handle);
+ return;
}
rdma_backend_poll_cq(dev_res, &cq->backend_cq);
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 3/7] hw/rdma: Delete port's pkey table
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of " Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table Marcel Apfelbaum
` (3 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
From: Yuval Shaia <yuval.shaia@oracle.com>
Support for PKEY is not yet implemented. Removing the unneeded table
until a support will be added.
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/rdma_rm_defs.h | 3 +--
hw/rdma/vmw/pvrdma_main.c | 15 ---------------
2 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index fc646da61f..45503f14e0 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -21,7 +21,7 @@
#define MAX_PORTS 1
#define MAX_PORT_GIDS 1
#define MAX_PORT_PKEYS 1
-#define MAX_PKEYS 1
+#define MAX_PKEYS MAX_PORT_PKEYS
#define MAX_GIDS 2048
#define MAX_UCS 512
#define MAX_MR_SIZE (1UL << 27)
@@ -87,7 +87,6 @@ typedef struct RdmaRmQP {
typedef struct RdmaRmPort {
union ibv_gid gid_tbl[MAX_PORT_GIDS];
enum ibv_port_state state;
- int *pkey_tbl; /* TODO: Not yet supported */
} RdmaRmPort;
typedef struct RdmaDeviceResources {
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index c552248c90..994220b58e 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -275,15 +275,6 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
pr_dbg("Initialized\n");
}
-static void free_ports(PVRDMADev *dev)
-{
- int i;
-
- for (i = 0; i < MAX_PORTS; i++) {
- g_free(dev->rdma_dev_res.ports[i].gid_tbl);
- }
-}
-
static void init_ports(PVRDMADev *dev, Error **errp)
{
int i;
@@ -292,10 +283,6 @@ static void init_ports(PVRDMADev *dev, Error **errp)
for (i = 0; i < MAX_PORTS; i++) {
dev->rdma_dev_res.ports[i].state = IBV_PORT_DOWN;
-
- dev->rdma_dev_res.ports[i].pkey_tbl =
- g_malloc0(sizeof(*dev->rdma_dev_res.ports[i].pkey_tbl) *
- MAX_PORT_PKEYS);
}
}
@@ -622,8 +609,6 @@ static void pvrdma_exit(PCIDevice *pdev)
pvrdma_qp_ops_fini();
- free_ports(dev);
-
rdma_rm_fini(&dev->rdma_dev_res);
rdma_backend_fini(&dev->backend_dev);
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
` (2 preceding siblings ...)
2018-04-30 20:02 ` [Qemu-devel] [PATCH 3/7] hw/rdma: Delete port's pkey table Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array Marcel Apfelbaum
` (2 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
From: Yuval Shaia <yuval.shaia@oracle.com>
Array size is MAX_PORT_GIDS, let's make sure the given index is in
range.
While there limit device table size to 1.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/rdma_rm_defs.h | 2 +-
hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index 45503f14e0..4d22a20e4c 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -20,9 +20,9 @@
#define MAX_PORTS 1
#define MAX_PORT_GIDS 1
+#define MAX_GIDS MAX_PORT_GIDS
#define MAX_PORT_PKEYS 1
#define MAX_PKEYS MAX_PORT_PKEYS
-#define MAX_GIDS 2048
#define MAX_UCS 512
#define MAX_MR_SIZE (1UL << 27)
#define MAX_QP 1024
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f9dd78cb27..14255d609f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req *req,
pr_dbg("index=%d\n", cmd->index);
- if (cmd->index > MAX_PORT_GIDS) {
+ if (cmd->index >= MAX_PORT_GIDS) {
return -EINVAL;
}
@@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_cmd_req *req,
{
struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind;
- pr_dbg("clear index %d\n", cmd->index);
+ pr_dbg("index=%d\n", cmd->index);
+
+ if (cmd->index >= MAX_PORT_GIDS) {
+ return -EINVAL;
+ }
memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0,
sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw));
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
` (3 preceding siblings ...)
2018-04-30 20:02 ` [Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 6/7] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index Marcel Apfelbaum
6 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
From: Yuval Shaia <yuval.shaia@oracle.com>
Coverity (CID1390589, CID1390608).
Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is
in range.
While there also:
1. Adjust the size of this bar to reasonable size
2. Report the size of the array with sizeof(array)
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/vmw/pvrdma.h | 6 +++---
hw/rdma/vmw/pvrdma_main.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h
index 8c173cb824..0b46dc5a9b 100644
--- a/hw/rdma/vmw/pvrdma.h
+++ b/hw/rdma/vmw/pvrdma.h
@@ -31,7 +31,7 @@
#define RDMA_REG_BAR_IDX 1
#define RDMA_UAR_BAR_IDX 2
#define RDMA_BAR0_MSIX_SIZE (16 * 1024)
-#define RDMA_BAR1_REGS_SIZE 256
+#define RDMA_BAR1_REGS_SIZE 64
#define RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) /* each uc gets page */
/* MSIX */
@@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t *val)
{
int idx = addr >> 2;
- if (idx > RDMA_BAR1_REGS_SIZE) {
+ if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL;
}
@@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t val)
{
int idx = addr >> 2;
- if (idx > RDMA_BAR1_REGS_SIZE) {
+ if (idx >= RDMA_BAR1_REGS_SIZE) {
return -EINVAL;
}
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 994220b58e..3ed7409763 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev)
/* BAR 1 - Registers */
memset(&dev->regs_data, 0, sizeof(dev->regs_data));
memory_region_init_io(&dev->regs, OBJECT(dev), ®s_ops, dev,
- "pvrdma-regs", RDMA_BAR1_REGS_SIZE);
+ "pvrdma-regs", sizeof(dev->regs_data));
pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->regs);
/* BAR 2 - UAR */
memset(&dev->uar_data, 0, sizeof(dev->uar_data));
memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar",
- RDMA_BAR2_UAR_SIZE);
+ sizeof(dev->uar_data));
pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
&dev->uar);
}
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 6/7] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
` (4 preceding siblings ...)
2018-04-30 20:02 ` [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index Marcel Apfelbaum
6 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
From: Yuval Shaia <yuval.shaia@oracle.com>
By a mistake this constant was defined twice - remove the duplication.
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
hw/rdma/rdma_rm.c | 2 --
hw/rdma/rdma_rm_defs.h | 4 ++--
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/rdma/rdma_rm.c b/hw/rdma/rdma_rm.c
index 51a47d7292..415da15efe 100644
--- a/hw/rdma/rdma_rm.c
+++ b/hw/rdma/rdma_rm.c
@@ -21,8 +21,6 @@
#include "rdma_backend.h"
#include "rdma_rm.h"
-#define MAX_RM_TBL_NAME 16
-
/* Page directory and page tables */
#define PG_DIR_SZ { TARGET_PAGE_SIZE / sizeof(__u64) }
#define PG_TBL_SZ { TARGET_PAGE_SIZE / sizeof(__u64) }
diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index 4d22a20e4c..226011176d 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -34,9 +34,9 @@
#define MAX_QP_INIT_RD_ATOM 16
#define MAX_AH 64
-#define MAX_RMRESTBL_NAME_SZ 16
+#define MAX_RM_TBL_NAME 16
typedef struct RdmaRmResTbl {
- char name[MAX_RMRESTBL_NAME_SZ];
+ char name[MAX_RM_TBL_NAME];
QemuMutex lock;
unsigned long *bitmap;
size_t tbl_sz;
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
` (5 preceding siblings ...)
2018-04-30 20:02 ` [Qemu-devel] [PATCH 6/7] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME Marcel Apfelbaum
@ 2018-04-30 20:02 ` Marcel Apfelbaum
2018-04-30 21:14 ` Eric Blake
6 siblings, 1 reply; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-04-30 20:02 UTC (permalink / raw)
To: qemu-devel; +Cc: marcel.apfelbaum, yuval.shaia, peter.maydell
Make sure the backend GID index is less then port's
git table length.
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
hw/rdma/rdma_backend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
index 5c7b3d8949..e9ced6f9ef 100644
--- a/hw/rdma/rdma_backend.c
+++ b/hw/rdma/rdma_backend.c
@@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
goto out_destroy_comm_channel;
}
- if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
+ if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
error_setg(errp, "Invalid backend_gid_idx, should be less than %d",
port_attr.gid_tbl_len);
goto out_destroy_comm_channel;
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index
2018-04-30 20:02 ` [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index Marcel Apfelbaum
@ 2018-04-30 21:14 ` Eric Blake
2018-05-01 8:58 ` Marcel Apfelbaum
0 siblings, 1 reply; 11+ messages in thread
From: Eric Blake @ 2018-04-30 21:14 UTC (permalink / raw)
To: Marcel Apfelbaum, qemu-devel; +Cc: peter.maydell, yuval.shaia
On 04/30/2018 03:02 PM, Marcel Apfelbaum wrote:
> Make sure the backend GID index is less then port's
> git table length.
s/git/gid/
>
> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
> ---
> hw/rdma/rdma_backend.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
> index 5c7b3d8949..e9ced6f9ef 100644
> --- a/hw/rdma/rdma_backend.c
> +++ b/hw/rdma/rdma_backend.c
> @@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
> goto out_destroy_comm_channel;
> }
>
> - if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
> + if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
> error_setg(errp, "Invalid backend_gid_idx, should be less than %d",
> port_attr.gid_tbl_len);
> goto out_destroy_comm_channel;
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of a NULL pointer
2018-04-30 20:02 ` [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of " Marcel Apfelbaum
@ 2018-05-01 3:04 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 11+ messages in thread
From: Philippe Mathieu-Daudé @ 2018-05-01 3:04 UTC (permalink / raw)
To: Marcel Apfelbaum, qemu-devel; +Cc: peter.maydell, yuval.shaia
On 04/30/2018 05:02 PM, Marcel Apfelbaum wrote:
> Coverity CID 1390586; The cq handle is provided by the guest
> and cannot be trusted to be previuosly allocated.
> Fix it by exiting the completion flow.
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> hw/rdma/vmw/pvrdma_qp_ops.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_qp_ops.c b/hw/rdma/vmw/pvrdma_qp_ops.c
> index 750ade6c31..99bb51111e 100644
> --- a/hw/rdma/vmw/pvrdma_qp_ops.c
> +++ b/hw/rdma/vmw/pvrdma_qp_ops.c
> @@ -216,6 +216,7 @@ void pvrdma_cq_poll(RdmaDeviceResources *dev_res, uint32_t cq_handle)
> cq = rdma_rm_get_cq(dev_res, cq_handle);
> if (!cq) {
> pr_dbg("Invalid CQ# %d\n", cq_handle);
> + return;
> }
>
> rdma_backend_poll_cq(dev_res, &cq->backend_cq);
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index
2018-04-30 21:14 ` Eric Blake
@ 2018-05-01 8:58 ` Marcel Apfelbaum
0 siblings, 0 replies; 11+ messages in thread
From: Marcel Apfelbaum @ 2018-05-01 8:58 UTC (permalink / raw)
To: Eric Blake, qemu-devel; +Cc: peter.maydell, yuval.shaia
On 05/01/2018 12:14 AM, Eric Blake wrote:
> On 04/30/2018 03:02 PM, Marcel Apfelbaum wrote:
>> Make sure the backend GID index is less then port's
>> git table length.
>
> s/git/gid/
>
Thanks, I will fix in the pull request
Marcel
>>
>> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
>> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
>> ---
>> hw/rdma/rdma_backend.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
>> index 5c7b3d8949..e9ced6f9ef 100644
>> --- a/hw/rdma/rdma_backend.c
>> +++ b/hw/rdma/rdma_backend.c
>> @@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
>> goto out_destroy_comm_channel;
>> }
>> - if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
>> + if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
>> error_setg(errp, "Invalid backend_gid_idx, should be less
>> than %d",
>> port_attr.gid_tbl_len);
>> goto out_destroy_comm_channel;
>>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2018-05-01 8:58 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-30 20:02 [Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of " Marcel Apfelbaum
2018-05-01 3:04 ` Philippe Mathieu-Daudé
2018-04-30 20:02 ` [Qemu-devel] [PATCH 3/7] hw/rdma: Delete port's pkey table Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 6/7] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME Marcel Apfelbaum
2018-04-30 20:02 ` [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index Marcel Apfelbaum
2018-04-30 21:14 ` Eric Blake
2018-05-01 8:58 ` Marcel Apfelbaum
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.