* [Qemu-devel] [PATCH v3] xilinx_spips: Correct usage of an uninitialized local variable
@ 2018-01-24 21:57 Francisco Iglesias
2018-01-25 10:20 ` Peter Maydell
0 siblings, 1 reply; 3+ messages in thread
From: Francisco Iglesias @ 2018-01-24 21:57 UTC (permalink / raw)
To: qemu-devel; +Cc: edgari, alistai, francisco.iglesias, peter.maydell
Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.
Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
---
v3. Change to report errors on the num_busses property via the Error**
parameter when realizing the devices.
---
v2. Add a sanity check on the num_busses property when realizing the
devices.
---
hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 85c5d0c..8af36ca 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -210,6 +210,9 @@
#define SNOOP_NONE 0xEE
#define SNOOP_STRIPING 0
+#define MIN_NUM_BUSSES 1
+#define MAX_NUM_BUSSES 2
+
static inline int num_effective_busses(XilinxSPIPS *s)
{
return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
@@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
for (;;) {
int i;
uint8_t tx = 0;
- uint8_t tx_rx[num_effective_busses(s)];
+ uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
uint8_t dummy_cycles = 0;
uint8_t addr_length;
@@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp)
DB_PRINT_L(0, "realized spips\n");
+ if (s->num_busses > MAX_NUM_BUSSES) {
+ error_setg(errp,
+ "requested number of SPI busses %u exceeds maximum %d",
+ s->num_busses, MAX_NUM_BUSSES);
+ return;
+ }
+ if (s->num_busses < MIN_NUM_BUSSES) {
+ error_setg(errp,
+ "requested number of SPI busses %u is below minimum %d",
+ s->num_busses, MIN_NUM_BUSSES);
+ return;
+ }
+
s->spi = g_new(SSIBus *, s->num_busses);
for (i = 0; i < s->num_busses; ++i) {
char bus_name[16];
--
2.9.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH v3] xilinx_spips: Correct usage of an uninitialized local variable
2018-01-24 21:57 [Qemu-devel] [PATCH v3] xilinx_spips: Correct usage of an uninitialized local variable Francisco Iglesias
@ 2018-01-25 10:20 ` Peter Maydell
2018-01-25 14:24 ` francisco iglesias
0 siblings, 1 reply; 3+ messages in thread
From: Peter Maydell @ 2018-01-25 10:20 UTC (permalink / raw)
To: Francisco Iglesias
Cc: QEMU Developers, Edgar Iglesias, Alistair Francis, Francisco Iglesias
On 24 January 2018 at 21:57, Francisco Iglesias
<frasse.iglesias@gmail.com> wrote:
> Coverity found that the variable tx_rx in the function
> xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
> patch corrects this by always initializing tx_rx to zeros.
>
> Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
>
> ---
> v3. Change to report errors on the num_busses property via the Error**
> parameter when realizing the devices.
> ---
> v2. Add a sanity check on the num_busses property when realizing the
> devices.
> ---
> hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
> 1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 85c5d0c..8af36ca 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -210,6 +210,9 @@
> #define SNOOP_NONE 0xEE
> #define SNOOP_STRIPING 0
>
> +#define MIN_NUM_BUSSES 1
> +#define MAX_NUM_BUSSES 2
> +
> static inline int num_effective_busses(XilinxSPIPS *s)
> {
> return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
> for (;;) {
> int i;
> uint8_t tx = 0;
> - uint8_t tx_rx[num_effective_busses(s)];
> + uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
> uint8_t dummy_cycles = 0;
> uint8_t addr_length;
>
> @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp)
>
> DB_PRINT_L(0, "realized spips\n");
>
> + if (s->num_busses > MAX_NUM_BUSSES) {
> + error_setg(errp,
> + "requested number of SPI busses %u exceeds maximum %d",
> + s->num_busses, MAX_NUM_BUSSES);
> + return;
> + }
> + if (s->num_busses < MIN_NUM_BUSSES) {
> + error_setg(errp,
> + "requested number of SPI busses %u is below minimum %d",
> + s->num_busses, MIN_NUM_BUSSES);
> + return;
> + }
> +
The usual plural of "bus" is "buses", but since it's in the QOM
property name I guess we're stuck with "busses" here for consistency...
Applied to target-arm.next, thanks.
-- PMM
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Qemu-devel] [PATCH v3] xilinx_spips: Correct usage of an uninitialized local variable
2018-01-25 10:20 ` Peter Maydell
@ 2018-01-25 14:24 ` francisco iglesias
0 siblings, 0 replies; 3+ messages in thread
From: francisco iglesias @ 2018-01-25 14:24 UTC (permalink / raw)
To: Peter Maydell
Cc: QEMU Developers, Edgar Iglesias, Alistair Francis, Francisco Iglesias
On Thursday, 25 January 2018, Peter Maydell <peter.maydell@linaro.org>
wrote:
> On 24 January 2018 at 21:57, Francisco Iglesias
> <frasse.iglesias@gmail.com> wrote:
> > Coverity found that the variable tx_rx in the function
> > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841).
> This
> > patch corrects this by always initializing tx_rx to zeros.
> >
> > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
> >
> > ---
> > v3. Change to report errors on the num_busses property via the Error**
> > parameter when realizing the devices.
> > ---
> > v2. Add a sanity check on the num_busses property when realizing the
> > devices.
> > ---
> > hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
> > 1 file changed, 17 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> > index 85c5d0c..8af36ca 100644
> > --- a/hw/ssi/xilinx_spips.c
> > +++ b/hw/ssi/xilinx_spips.c
> > @@ -210,6 +210,9 @@
> > #define SNOOP_NONE 0xEE
> > #define SNOOP_STRIPING 0
> >
> > +#define MIN_NUM_BUSSES 1
> > +#define MAX_NUM_BUSSES 2
> > +
> > static inline int num_effective_busses(XilinxSPIPS *s)
> > {
> > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS
> *s)
> > for (;;) {
> > int i;
> > uint8_t tx = 0;
> > - uint8_t tx_rx[num_effective_busses(s)];
> > + uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
> > uint8_t dummy_cycles = 0;
> > uint8_t addr_length;
> >
> > @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState
> *dev, Error **errp)
> >
> > DB_PRINT_L(0, "realized spips\n");
> >
> > + if (s->num_busses > MAX_NUM_BUSSES) {
> > + error_setg(errp,
> > + "requested number of SPI busses %u exceeds maximum
> %d",
> > + s->num_busses, MAX_NUM_BUSSES);
> > + return;
> > + }
> > + if (s->num_busses < MIN_NUM_BUSSES) {
> > + error_setg(errp,
> > + "requested number of SPI busses %u is below minimum
> %d",
> > + s->num_busses, MIN_NUM_BUSSES);
> > + return;
> > + }
> > +
>
> The usual plural of "bus" is "buses", but since it's in the QOM
> property name I guess we're stuck with "busses" here for consistency...
>
>
> Applied to target-arm.next, thanks.
>
> -- PMM
>
Hi Peter,
Thank you very much again for looking into this!
Best regards,
Francisco Iglesias
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-01-25 14:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-24 21:57 [Qemu-devel] [PATCH v3] xilinx_spips: Correct usage of an uninitialized local variable Francisco Iglesias
2018-01-25 10:20 ` Peter Maydell
2018-01-25 14:24 ` francisco iglesias
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.