qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2 0/2] hw/block/nvme: coverity fixes
@ 2021-03-22 12:09 Klaus Jensen
  2021-03-22 12:09 ` [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw Klaus Jensen
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Klaus Jensen @ 2021-03-22 12:09 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, qemu-block, Klaus Jensen, Max Reitz, Klaus Jensen,
	Keith Busch

From: Klaus Jensen <k.jensen@samsung.com>

Fix two issues reported by coverity (CID 1451080 and 1451082).

v2:
  - replace [2/2] with a fix for the bad reference counting noticed by
    Max

Klaus Jensen (2):
  hw/block/nvme: fix resource leak in nvme_dif_rw
  hw/block/nvme: fix ref counting in nvme_format_ns

 hw/block/nvme-dif.c |  2 +-
 hw/block/nvme.c     | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

-- 
2.31.0



^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw
  2021-03-22 12:09 [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
@ 2021-03-22 12:09 ` Klaus Jensen
       [not found]   ` <CGME20210329112015epcas5p4dc86c66a4f27d13d3689923d381c5fa6@epcas5p4.samsung.com>
  2021-03-22 12:09 ` [PATCH v2 2/2] hw/block/nvme: fix ref counting in nvme_format_ns Klaus Jensen
  2021-03-24 20:04 ` [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
  2 siblings, 1 reply; 6+ messages in thread
From: Klaus Jensen @ 2021-03-22 12:09 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, qemu-block, Klaus Jensen, Max Reitz, Klaus Jensen,
	Keith Busch

From: Klaus Jensen <k.jensen@samsung.com>

If nvme_map_dptr() fails, nvme_dif_rw() will leak the bounce context.
Fix this by using the same error handling as everywhere else in the
function.

Reported-by: Coverity (CID 1451080)
Fixes: 146f720c5563 ("hw/block/nvme: end-to-end data protection")
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
 hw/block/nvme-dif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/nvme-dif.c b/hw/block/nvme-dif.c
index 2038d724bda5..e6f04faafb5f 100644
--- a/hw/block/nvme-dif.c
+++ b/hw/block/nvme-dif.c
@@ -432,7 +432,7 @@ uint16_t nvme_dif_rw(NvmeCtrl *n, NvmeRequest *req)
 
     status = nvme_map_dptr(n, &req->sg, mapped_len, &req->cmd);
     if (status) {
-        return status;
+        goto err;
     }
 
     ctx->data.bounce = g_malloc(len);
-- 
2.31.0



^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [PATCH v2 2/2] hw/block/nvme: fix ref counting in nvme_format_ns
  2021-03-22 12:09 [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
  2021-03-22 12:09 ` [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw Klaus Jensen
@ 2021-03-22 12:09 ` Klaus Jensen
       [not found]   ` <CGME20210329124718epcas5p4781757a155f3fd07f8280c388f6fc073@epcas5p4.samsung.com>
  2021-03-24 20:04 ` [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
  2 siblings, 1 reply; 6+ messages in thread
From: Klaus Jensen @ 2021-03-22 12:09 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, qemu-block, Klaus Jensen, Max Reitz, Klaus Jensen,
	Keith Busch

From: Klaus Jensen <k.jensen@samsung.com>

Max noticed that since blk_aio_pwrite_zeroes() may invoke the callback
before returning, the callbacks will never see *count == 0 and thus
never free the count variable or decrement num_formats causing a CQE to
never be posted.

Coverity (CID 1451082) also picked up on the fact that count would not
be free'ed if the namespace was of zero size.

Fix both of these issues by explicitly checking *count and finalize for
the given namespace if --(*count) is zero. Enqueing a CQE if there are
no AIOs outstanding after this case is already handled by nvme_format()
by inspecting *num_formats.

Reported-by: Max Reitz <mreitz@redhat.com>
Reported-by: Coverity (CID 1451082)
Fixes: dc04d25e2f3f ("hw/block/nvme: add support for the format nvm command")
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
---
 hw/block/nvme.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/hw/block/nvme.c b/hw/block/nvme.c
index 6842b01ab58b..c54ec3c9523c 100644
--- a/hw/block/nvme.c
+++ b/hw/block/nvme.c
@@ -5009,9 +5009,15 @@ static uint16_t nvme_format_ns(NvmeCtrl *n, NvmeNamespace *ns, uint8_t lbaf,
 
     }
 
-    (*count)--;
+    if (--(*count)) {
+        return NVME_NO_COMPLETE;
+    }
 
-    return NVME_NO_COMPLETE;
+    g_free(count);
+    ns->status = 0x0;
+    (*num_formats)--;
+
+    return NVME_SUCCESS;
 }
 
 static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req)
-- 
2.31.0



^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH v2 0/2] hw/block/nvme: coverity fixes
  2021-03-22 12:09 [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
  2021-03-22 12:09 ` [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw Klaus Jensen
  2021-03-22 12:09 ` [PATCH v2 2/2] hw/block/nvme: fix ref counting in nvme_format_ns Klaus Jensen
@ 2021-03-24 20:04 ` Klaus Jensen
  2 siblings, 0 replies; 6+ messages in thread
From: Klaus Jensen @ 2021-03-24 20:04 UTC (permalink / raw)
  To: qemu-devel; +Cc: Kevin Wolf, Keith Busch, Klaus Jensen, qemu-block, Max Reitz

[-- Attachment #1: Type: text/plain, Size: 591 bytes --]

On Mar 22 13:09, Klaus Jensen wrote:
> From: Klaus Jensen <k.jensen@samsung.com>
> 
> Fix two issues reported by coverity (CID 1451080 and 1451082).
> 
> v2:
>   - replace [2/2] with a fix for the bad reference counting noticed by
>     Max
> 
> Klaus Jensen (2):
>   hw/block/nvme: fix resource leak in nvme_dif_rw
>   hw/block/nvme: fix ref counting in nvme_format_ns
> 
>  hw/block/nvme-dif.c |  2 +-
>  hw/block/nvme.c     | 10 ++++++++--
>  2 files changed, 9 insertions(+), 3 deletions(-)
> 

Gentle ping on this so Peter can get the coverity issues off the list ;)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw
       [not found]   ` <CGME20210329112015epcas5p4dc86c66a4f27d13d3689923d381c5fa6@epcas5p4.samsung.com>
@ 2021-03-29 11:17     ` Gollu Appalanaidu
  0 siblings, 0 replies; 6+ messages in thread
From: Gollu Appalanaidu @ 2021-03-29 11:17 UTC (permalink / raw)
  To: Klaus Jensen
  Cc: Kevin Wolf, qemu-block, Klaus Jensen, qemu-devel, Max Reitz, Keith Busch

[-- Attachment #1: Type: text/plain, Size: 1000 bytes --]

On Mon, Mar 22, 2021 at 01:09:43PM +0100, Klaus Jensen wrote:
>From: Klaus Jensen <k.jensen@samsung.com>
>
>If nvme_map_dptr() fails, nvme_dif_rw() will leak the bounce context.
>Fix this by using the same error handling as everywhere else in the
>function.
>
>Reported-by: Coverity (CID 1451080)
>Fixes: 146f720c5563 ("hw/block/nvme: end-to-end data protection")
>Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
>---
> hw/block/nvme-dif.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/hw/block/nvme-dif.c b/hw/block/nvme-dif.c
>index 2038d724bda5..e6f04faafb5f 100644
>--- a/hw/block/nvme-dif.c
>+++ b/hw/block/nvme-dif.c
>@@ -432,7 +432,7 @@ uint16_t nvme_dif_rw(NvmeCtrl *n, NvmeRequest *req)
>
>     status = nvme_map_dptr(n, &req->sg, mapped_len, &req->cmd);
>     if (status) {
>-        return status;
>+        goto err;
Looks good to me.
>     }
>
>     ctx->data.bounce = g_malloc(len);
>-- 
Reviewed-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
>2.31.0
>
>

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH v2 2/2] hw/block/nvme: fix ref counting in nvme_format_ns
       [not found]   ` <CGME20210329124718epcas5p4781757a155f3fd07f8280c388f6fc073@epcas5p4.samsung.com>
@ 2021-03-29 12:44     ` Gollu Appalanaidu
  0 siblings, 0 replies; 6+ messages in thread
From: Gollu Appalanaidu @ 2021-03-29 12:44 UTC (permalink / raw)
  To: Klaus Jensen
  Cc: Kevin Wolf, qemu-block, Klaus Jensen, qemu-devel, Max Reitz, Keith Busch

[-- Attachment #1: Type: text/plain, Size: 1621 bytes --]

On Mon, Mar 22, 2021 at 01:09:44PM +0100, Klaus Jensen wrote:
>From: Klaus Jensen <k.jensen@samsung.com>
>
>Max noticed that since blk_aio_pwrite_zeroes() may invoke the callback
>before returning, the callbacks will never see *count == 0 and thus
>never free the count variable or decrement num_formats causing a CQE to
>never be posted.
>
>Coverity (CID 1451082) also picked up on the fact that count would not
>be free'ed if the namespace was of zero size.
>
>Fix both of these issues by explicitly checking *count and finalize for
>the given namespace if --(*count) is zero. Enqueing a CQE if there are
>no AIOs outstanding after this case is already handled by nvme_format()
>by inspecting *num_formats.
>
>Reported-by: Max Reitz <mreitz@redhat.com>
>Reported-by: Coverity (CID 1451082)
>Fixes: dc04d25e2f3f ("hw/block/nvme: add support for the format nvm command")
>Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
>---
> hw/block/nvme.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
>diff --git a/hw/block/nvme.c b/hw/block/nvme.c
>index 6842b01ab58b..c54ec3c9523c 100644
>--- a/hw/block/nvme.c
>+++ b/hw/block/nvme.c
>@@ -5009,9 +5009,15 @@ static uint16_t nvme_format_ns(NvmeCtrl *n, NvmeNamespace *ns, uint8_t lbaf,
>
>     }
>
>-    (*count)--;
>+    if (--(*count)) {
>+        return NVME_NO_COMPLETE;
>+    }
>
>-    return NVME_NO_COMPLETE;
>+    g_free(count);
>+    ns->status = 0x0;
>+    (*num_formats)--;
>+
>+    return NVME_SUCCESS;
> }
Reviewed-by: Gollu Appalanaidu <anaidu.gollu@samsung.com>
>
> static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req)
>-- 
>2.31.0
>
>

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-03-29 13:17 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-22 12:09 [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen
2021-03-22 12:09 ` [PATCH v2 1/2] hw/block/nvme: fix resource leak in nvme_dif_rw Klaus Jensen
     [not found]   ` <CGME20210329112015epcas5p4dc86c66a4f27d13d3689923d381c5fa6@epcas5p4.samsung.com>
2021-03-29 11:17     ` Gollu Appalanaidu
2021-03-22 12:09 ` [PATCH v2 2/2] hw/block/nvme: fix ref counting in nvme_format_ns Klaus Jensen
     [not found]   ` <CGME20210329124718epcas5p4781757a155f3fd07f8280c388f6fc073@epcas5p4.samsung.com>
2021-03-29 12:44     ` Gollu Appalanaidu
2021-03-24 20:04 ` [PATCH v2 0/2] hw/block/nvme: coverity fixes Klaus Jensen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).