All of lore.kernel.org
 help / color / mirror / Atom feed
From: Keith Busch <kbusch@kernel.org>
To: Klaus Jensen <its@irrelevant.dk>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	Qemu-block <qemu-block@nongnu.org>,
	"Dmitry Fomichev" <Dmitry.Fomichev@wdc.com>,
	"Klaus Jensen" <k.jensen@samsung.com>,
	"QEMU Developers" <qemu-devel@nongnu.org>,
	"Max Reitz" <mreitz@redhat.com>,
	"Javier Gonzalez" <javier.gonz@samsung.com>,
	"Maxim Levitsky" <mlevitsk@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH v3 07/18] hw/block/nvme: add support for the get log page command
Date: Tue, 29 Sep 2020 15:34:20 -0700	[thread overview]
Message-ID: <20200929223420.GB508696@dhcp-10-100-145-180.wdl.wdc.com> (raw)
In-Reply-To: <20200929214600.GA377237@apples.localdomain>

On Tue, Sep 29, 2020 at 11:46:00PM +0200, Klaus Jensen wrote:
> On Sep 29 14:11, Peter Maydell wrote:
> > > +static uint16_t nvme_fw_log_info(NvmeCtrl *n, NvmeCmd *cmd, uint32_t buf_len,
> > > +                                 uint64_t off, NvmeRequest *req)
> > > +{
> > > +    uint32_t trans_len;
> > > +    uint64_t prp1 = le64_to_cpu(cmd->dptr.prp1);
> > > +    uint64_t prp2 = le64_to_cpu(cmd->dptr.prp2);
> > > +    NvmeFwSlotInfoLog fw_log = {
> > > +        .afi = 0x1,
> > > +    };
> > > +
> > > +    strpadcpy((char *)&fw_log.frs1, sizeof(fw_log.frs1), "1.0", ' ');
> > > +
> > > +    if (off > sizeof(fw_log)) {
> > > +        return NVME_INVALID_FIELD | NVME_DNR;
> > > +    }
> > > +
> > > +    trans_len = MIN(sizeof(fw_log) - off, buf_len);
> > > +
> > > +    return nvme_dma_read_prp(n, (uint8_t *) &fw_log + off, trans_len, prp1,
> > > +                             prp2);
> > 
> > Coverity warns about the same structure here (CID 1432411).
> > 
> > thanks
> > -- PMM
> 
> Hi Peter,
> 
> Thanks. This is somewhere in the middle of a bunch of patches I got
> merged I think, commit 94a7897c41db? I just requested Coverity access.
> 
> What happens is that nvme_dma_read_prp will call into nvme_map_prp which
> wont map anything because len is 0. This will cause the statically
> allocated QEMUSGList and QEMUIOVector in the request to be
> uninitialized. Returning from nvme_map_prp, nvme_dma_read_prp will
> notice that req->qsg.nsg is zero so it will default to the iov and move
> into qemu_iovec_{to,from}_buf(&req->iov, ...). In there we actually pass
> the NULL struct iovec, but since there is a __builtin_constant_p(bytes)
> condition at the end of it all, we never follow it.
> 
> Not "serious" I think, but definitely not good. We will of course fix
> this up.
> 
> @keith, do you agree with my analysis?

Yeah, looks safe as-is, but we're missing out on returning the spec
required 'Invalid Field'.


  reply	other threads:[~2020-09-29 22:35 UTC|newest]

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-06  6:12 [PATCH v3 00/18] hw/block/nvme: bump to v1.3 Klaus Jensen
2020-07-06  6:12 ` [PATCH v3 01/18] hw/block/nvme: bump spec data structures " Klaus Jensen
2020-07-08 19:19   ` Dmitry Fomichev
2020-07-08 21:24     ` Klaus Jensen
2020-07-08 21:47       ` Dmitry Fomichev
2020-07-09  6:17         ` Klaus Jensen
2020-07-06  6:12 ` [PATCH v3 02/18] hw/block/nvme: fix missing endian conversion Klaus Jensen
2020-07-06  9:50   ` Philippe Mathieu-Daudé
2020-07-08 19:20   ` Dmitry Fomichev
2020-07-29  8:49   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 03/18] hw/block/nvme: additional tracing Klaus Jensen
2020-07-06  9:50   ` Philippe Mathieu-Daudé
2020-07-08 19:21   ` Dmitry Fomichev
2020-07-29  8:52   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 04/18] hw/block/nvme: add support for the abort command Klaus Jensen
2020-07-06  6:12 ` [PATCH v3 05/18] hw/block/nvme: add temperature threshold feature Klaus Jensen
2020-07-08 19:24   ` Dmitry Fomichev
2020-07-06  6:12 ` [PATCH v3 06/18] hw/block/nvme: mark fw slot 1 as read-only Klaus Jensen
2020-07-29  9:14   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 07/18] hw/block/nvme: add support for the get log page command Klaus Jensen
2020-07-08 19:22   ` Dmitry Fomichev
2020-07-29 10:24   ` Maxim Levitsky
2020-07-29 11:44     ` Klaus Jensen
2020-07-29 18:35       ` Maxim Levitsky
2020-09-29 13:11   ` Peter Maydell
2020-09-29 21:46     ` Klaus Jensen
2020-09-29 22:34       ` Keith Busch [this message]
2020-09-29 22:42         ` Klaus Jensen
2020-09-29 22:57           ` Keith Busch
2020-07-06  6:12 ` [PATCH v3 08/18] hw/block/nvme: add support for the asynchronous event request command Klaus Jensen
2020-07-29 10:43   ` Maxim Levitsky
2020-07-29 13:37     ` Klaus Jensen
2020-07-29 18:45       ` Maxim Levitsky
2020-07-29 20:08         ` Klaus Jensen
2020-07-30  8:50           ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 09/18] hw/block/nvme: move NvmeFeatureVal into hw/block/nvme.h Klaus Jensen
2020-07-29 10:46   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 10/18] hw/block/nvme: flush write cache when disabled Klaus Jensen
2020-07-29 11:03   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 11/18] hw/block/nvme: add remaining mandatory controller parameters Klaus Jensen
2020-07-29 11:31   ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 12/18] hw/block/nvme: support the get/set features select and save fields Klaus Jensen
2020-07-08 19:25   ` Dmitry Fomichev
2020-07-29 13:17   ` Maxim Levitsky
2020-07-29 13:48     ` Klaus Jensen
2020-07-29 18:47       ` Maxim Levitsky
2020-07-06  6:12 ` [PATCH v3 13/18] hw/block/nvme: make sure ncqr and nsqr is valid Klaus Jensen
2020-07-06  6:12 ` [PATCH v3 14/18] hw/block/nvme: support identify namespace descriptor list Klaus Jensen
2020-07-29 13:25   ` Maxim Levitsky
2020-07-06  6:13 ` [PATCH v3 15/18] hw/block/nvme: reject invalid nsid values in active namespace id list Klaus Jensen
2020-07-06  9:47   ` Philippe Mathieu-Daudé
2020-07-08 19:26   ` Dmitry Fomichev
2020-07-29 13:27   ` Maxim Levitsky
2020-07-06  6:13 ` [PATCH v3 16/18] hw/block/nvme: enforce valid queue creation sequence Klaus Jensen
2020-07-06  6:13 ` [PATCH v3 17/18] hw/block/nvme: provide the mandatory subnqn field Klaus Jensen
2020-07-06  9:47   ` Philippe Mathieu-Daudé
2020-07-08 19:26   ` Dmitry Fomichev
2020-07-29 13:34   ` Maxim Levitsky
2020-07-06  6:13 ` [PATCH v3 18/18] hw/block/nvme: bump supported version to v1.3 Klaus Jensen
2020-07-20  9:13 ` [PATCH v3 00/18] hw/block/nvme: bump " Klaus Jensen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200929223420.GB508696@dhcp-10-100-145-180.wdl.wdc.com \
    --to=kbusch@kernel.org \
    --cc=Dmitry.Fomichev@wdc.com \
    --cc=its@irrelevant.dk \
    --cc=javier.gonz@samsung.com \
    --cc=k.jensen@samsung.com \
    --cc=kwolf@redhat.com \
    --cc=mlevitsk@redhat.com \
    --cc=mreitz@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=philmd@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.