[Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes

[Qemu-devel] [PATCH 0/7] hw/rdma: coverity fixes

[Marcel Apfelbaum]

From: Marcel Apfelbaum <marcel@redhat.com>

Various fixes that were found by coverity. (run by Peter, thanks!)

Thanks,
Marcel

Marcel Apfelbaum (3):
  hw/rdma: Fix possible munmap call on a NULL pointer
  hw/rdma: Fix possible usage of a NULL pointer
  hw/rdma: Fix possible out of bounds access to port GID index

Yuval Shaia (4):
  hw/rdma: Delete port's pkey table
  hw/rdma: Fix possible out of bounds access to GID table
  hw/rdma: Fix possible out of bounds access to regs array
  hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME

 hw/rdma/rdma_backend.c      |  2 +-
 hw/rdma/rdma_rm.c           |  2 --
 hw/rdma/rdma_rm_defs.h      |  9 ++++-----
 hw/rdma/vmw/pvrdma.h        |  6 +++---
 hw/rdma/vmw/pvrdma_cmd.c    | 10 +++++++---
 hw/rdma/vmw/pvrdma_main.c   | 19 ++-----------------
 hw/rdma/vmw/pvrdma_qp_ops.c |  1 +
 7 files changed, 18 insertions(+), 31 deletions(-)

-- 
2.14.3

[Qemu-devel] [PATCH 1/7] hw/rdma: Fix possible munmap call on a NULL pointer

[Marcel Apfelbaum]

Coverity CID 1390620: we call munmap() on a NULL pointer.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 99019d8741..f9dd78cb27 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -232,7 +232,7 @@ static int create_mr(PVRDMADev *dev, union pvrdma_cmd_req *req,
                                      cmd->start, cmd->length, host_virt,
                                      cmd->access_flags, &resp->mr_handle,
                                      &resp->lkey, &resp->rkey);
-    if (!resp->hdr.err) {
+    if (host_virt && !resp->hdr.err) {
         munmap(host_virt, cmd->length);
     }
 
-- 
2.14.3

[Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of a NULL pointer

[Marcel Apfelbaum]

Coverity CID 1390586; The cq handle is provided by the guest
and cannot be trusted to be previuosly allocated.
Fix it by exiting the completion flow.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
 hw/rdma/vmw/pvrdma_qp_ops.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/rdma/vmw/pvrdma_qp_ops.c b/hw/rdma/vmw/pvrdma_qp_ops.c
index 750ade6c31..99bb51111e 100644
--- a/hw/rdma/vmw/pvrdma_qp_ops.c
+++ b/hw/rdma/vmw/pvrdma_qp_ops.c
@@ -216,6 +216,7 @@ void pvrdma_cq_poll(RdmaDeviceResources *dev_res, uint32_t cq_handle)
     cq = rdma_rm_get_cq(dev_res, cq_handle);
     if (!cq) {
         pr_dbg("Invalid CQ# %d\n", cq_handle);
+        return;
     }
 
     rdma_backend_poll_cq(dev_res, &cq->backend_cq);
-- 
2.14.3

[Qemu-devel] [PATCH 3/7] hw/rdma: Delete port's pkey table

[Marcel Apfelbaum]

From: Yuval Shaia <yuval.shaia@oracle.com>

Support for PKEY is not yet implemented. Removing the unneeded table
until a support will be added.

Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/rdma_rm_defs.h    |  3 +--
 hw/rdma/vmw/pvrdma_main.c | 15 ---------------
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index fc646da61f..45503f14e0 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -21,7 +21,7 @@
 #define MAX_PORTS             1
 #define MAX_PORT_GIDS         1
 #define MAX_PORT_PKEYS        1
-#define MAX_PKEYS             1
+#define MAX_PKEYS             MAX_PORT_PKEYS
 #define MAX_GIDS              2048
 #define MAX_UCS               512
 #define MAX_MR_SIZE           (1UL << 27)
@@ -87,7 +87,6 @@ typedef struct RdmaRmQP {
 typedef struct RdmaRmPort {
     union ibv_gid gid_tbl[MAX_PORT_GIDS];
     enum ibv_port_state state;
-    int *pkey_tbl; /* TODO: Not yet supported */
 } RdmaRmPort;
 
 typedef struct RdmaDeviceResources {
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index c552248c90..994220b58e 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -275,15 +275,6 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
     pr_dbg("Initialized\n");
 }
 
-static void free_ports(PVRDMADev *dev)
-{
-    int i;
-
-    for (i = 0; i < MAX_PORTS; i++) {
-        g_free(dev->rdma_dev_res.ports[i].gid_tbl);
-    }
-}
-
 static void init_ports(PVRDMADev *dev, Error **errp)
 {
     int i;
@@ -292,10 +283,6 @@ static void init_ports(PVRDMADev *dev, Error **errp)
 
     for (i = 0; i < MAX_PORTS; i++) {
         dev->rdma_dev_res.ports[i].state = IBV_PORT_DOWN;
-
-        dev->rdma_dev_res.ports[i].pkey_tbl =
-            g_malloc0(sizeof(*dev->rdma_dev_res.ports[i].pkey_tbl) *
-                      MAX_PORT_PKEYS);
     }
 }
 
@@ -622,8 +609,6 @@ static void pvrdma_exit(PCIDevice *pdev)
 
     pvrdma_qp_ops_fini();
 
-    free_ports(dev);
-
     rdma_rm_fini(&dev->rdma_dev_res);
 
     rdma_backend_fini(&dev->backend_dev);
-- 
2.14.3

[Qemu-devel] [PATCH 4/7] hw/rdma: Fix possible out of bounds access to GID table

[Marcel Apfelbaum]

From: Yuval Shaia <yuval.shaia@oracle.com>

Array size is MAX_PORT_GIDS, let's make sure the given index is in
range.

While there limit device table size to 1.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/rdma_rm_defs.h   | 2 +-
 hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index 45503f14e0..4d22a20e4c 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -20,9 +20,9 @@
 
 #define MAX_PORTS             1
 #define MAX_PORT_GIDS         1
+#define MAX_GIDS              MAX_PORT_GIDS
 #define MAX_PORT_PKEYS        1
 #define MAX_PKEYS             MAX_PORT_PKEYS
-#define MAX_GIDS              2048
 #define MAX_UCS               512
 #define MAX_MR_SIZE           (1UL << 27)
 #define MAX_QP                1024
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f9dd78cb27..14255d609f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req *req,
 
     pr_dbg("index=%d\n", cmd->index);
 
-    if (cmd->index > MAX_PORT_GIDS) {
+    if (cmd->index >= MAX_PORT_GIDS) {
         return -EINVAL;
     }
 
@@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_cmd_req *req,
 {
     struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind;
 
-    pr_dbg("clear index %d\n", cmd->index);
+    pr_dbg("index=%d\n", cmd->index);
+
+    if (cmd->index >= MAX_PORT_GIDS) {
+        return -EINVAL;
+    }
 
     memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0,
            sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw));
-- 
2.14.3

[Qemu-devel] [PATCH 5/7] hw/rdma: Fix possible out of bounds access to regs array

[Marcel Apfelbaum]

From: Yuval Shaia <yuval.shaia@oracle.com>

Coverity (CID1390589, CID1390608).
Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is
in range.

While there also:
1. Adjust the size of this bar to reasonable size
2. Report the size of the array with sizeof(array)

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/vmw/pvrdma.h      | 6 +++---
 hw/rdma/vmw/pvrdma_main.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h
index 8c173cb824..0b46dc5a9b 100644
--- a/hw/rdma/vmw/pvrdma.h
+++ b/hw/rdma/vmw/pvrdma.h
@@ -31,7 +31,7 @@
 #define RDMA_REG_BAR_IDX     1
 #define RDMA_UAR_BAR_IDX     2
 #define RDMA_BAR0_MSIX_SIZE  (16 * 1024)
-#define RDMA_BAR1_REGS_SIZE  256
+#define RDMA_BAR1_REGS_SIZE  64
 #define RDMA_BAR2_UAR_SIZE   (0x1000 * MAX_UCS) /* each uc gets page */
 
 /* MSIX */
@@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t *val)
 {
     int idx = addr >> 2;
 
-    if (idx > RDMA_BAR1_REGS_SIZE) {
+    if (idx >= RDMA_BAR1_REGS_SIZE) {
         return -EINVAL;
     }
 
@@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t val)
 {
     int idx = addr >> 2;
 
-    if (idx > RDMA_BAR1_REGS_SIZE) {
+    if (idx >= RDMA_BAR1_REGS_SIZE) {
         return -EINVAL;
     }
 
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 994220b58e..3ed7409763 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev)
     /* BAR 1 - Registers */
     memset(&dev->regs_data, 0, sizeof(dev->regs_data));
     memory_region_init_io(&dev->regs, OBJECT(dev), &regs_ops, dev,
-                          "pvrdma-regs", RDMA_BAR1_REGS_SIZE);
+                          "pvrdma-regs", sizeof(dev->regs_data));
     pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      &dev->regs);
 
     /* BAR 2 - UAR */
     memset(&dev->uar_data, 0, sizeof(dev->uar_data));
     memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar",
-                          RDMA_BAR2_UAR_SIZE);
+                          sizeof(dev->uar_data));
     pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      &dev->uar);
 }
-- 
2.14.3

[Qemu-devel] [PATCH 6/7] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME

[Marcel Apfelbaum]

From: Yuval Shaia <yuval.shaia@oracle.com>

By a mistake this constant was defined twice - remove the duplication.

Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/rdma_rm.c      | 2 --
 hw/rdma/rdma_rm_defs.h | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/hw/rdma/rdma_rm.c b/hw/rdma/rdma_rm.c
index 51a47d7292..415da15efe 100644
--- a/hw/rdma/rdma_rm.c
+++ b/hw/rdma/rdma_rm.c
@@ -21,8 +21,6 @@
 #include "rdma_backend.h"
 #include "rdma_rm.h"
 
-#define MAX_RM_TBL_NAME 16
-
 /* Page directory and page tables */
 #define PG_DIR_SZ { TARGET_PAGE_SIZE / sizeof(__u64) }
 #define PG_TBL_SZ { TARGET_PAGE_SIZE / sizeof(__u64) }
diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h
index 4d22a20e4c..226011176d 100644
--- a/hw/rdma/rdma_rm_defs.h
+++ b/hw/rdma/rdma_rm_defs.h
@@ -34,9 +34,9 @@
 #define MAX_QP_INIT_RD_ATOM   16
 #define MAX_AH                64
 
-#define MAX_RMRESTBL_NAME_SZ 16
+#define MAX_RM_TBL_NAME 16
 typedef struct RdmaRmResTbl {
-    char name[MAX_RMRESTBL_NAME_SZ];
+    char name[MAX_RM_TBL_NAME];
     QemuMutex lock;
     unsigned long *bitmap;
     size_t tbl_sz;
-- 
2.14.3

[Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index

[Marcel Apfelbaum]

Make sure the backend GID index is less then port's
git table length.

Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
---
 hw/rdma/rdma_backend.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
index 5c7b3d8949..e9ced6f9ef 100644
--- a/hw/rdma/rdma_backend.c
+++ b/hw/rdma/rdma_backend.c
@@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
         goto out_destroy_comm_channel;
     }
 
-    if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
+    if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
         error_setg(errp, "Invalid backend_gid_idx, should be less than %d",
                    port_attr.gid_tbl_len);
         goto out_destroy_comm_channel;
-- 
2.14.3

Re: [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index

[Eric Blake]

On 04/30/2018 03:02 PM, Marcel Apfelbaum wrote:
> Make sure the backend GID index is less then port's
> git table length.

s/git/gid/

> 
> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
> ---
>   hw/rdma/rdma_backend.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
> index 5c7b3d8949..e9ced6f9ef 100644
> --- a/hw/rdma/rdma_backend.c
> +++ b/hw/rdma/rdma_backend.c
> @@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
>           goto out_destroy_comm_channel;
>       }
>   
> -    if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
> +    if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
>           error_setg(errp, "Invalid backend_gid_idx, should be less than %d",
>                      port_attr.gid_tbl_len);
>           goto out_destroy_comm_channel;
> 

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Re: [Qemu-devel] [PATCH 2/7] hw/rdma: Fix possible usage of a NULL pointer

[Philippe Mathieu-Daudé]

On 04/30/2018 05:02 PM, Marcel Apfelbaum wrote:
> Coverity CID 1390586; The cq handle is provided by the guest
> and cannot be trusted to be previuosly allocated.
> Fix it by exiting the completion flow.
> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

> ---
>  hw/rdma/vmw/pvrdma_qp_ops.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/hw/rdma/vmw/pvrdma_qp_ops.c b/hw/rdma/vmw/pvrdma_qp_ops.c
> index 750ade6c31..99bb51111e 100644
> --- a/hw/rdma/vmw/pvrdma_qp_ops.c
> +++ b/hw/rdma/vmw/pvrdma_qp_ops.c
> @@ -216,6 +216,7 @@ void pvrdma_cq_poll(RdmaDeviceResources *dev_res, uint32_t cq_handle)
>      cq = rdma_rm_get_cq(dev_res, cq_handle);
>      if (!cq) {
>          pr_dbg("Invalid CQ# %d\n", cq_handle);
> +        return;
>      }
>  
>      rdma_backend_poll_cq(dev_res, &cq->backend_cq);
> 

Re: [Qemu-devel] [PATCH 7/7] hw/rdma: Fix possible out of bounds access to port GID index

[Marcel Apfelbaum]

On 05/01/2018 12:14 AM, Eric Blake wrote:
> On 04/30/2018 03:02 PM, Marcel Apfelbaum wrote:
>> Make sure the backend GID index is less then port's
>> git table length.
>
> s/git/gid/
>

Thanks, I will fix in the pull request
Marcel

>>
>> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
>> Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
>> ---
>>   hw/rdma/rdma_backend.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
>> index 5c7b3d8949..e9ced6f9ef 100644
>> --- a/hw/rdma/rdma_backend.c
>> +++ b/hw/rdma/rdma_backend.c
>> @@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev,
>>           goto out_destroy_comm_channel;
>>       }
>>   -    if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) {
>> +    if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) {
>>           error_setg(errp, "Invalid backend_gid_idx, should be less 
>> than %d",
>>                      port_attr.gid_tbl_len);
>>           goto out_destroy_comm_channel;
>>
>