
[v3] xilinx_spips: Correct usage of an uninitialized local variable

Message ID 20180124215708.30400-1-frasse.iglesias@gmail.com
State New

Commit Message

Francisco Iglesias Jan. 24, 2018, 9:57 p.m. UTC
Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.

Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>

---
v3. Change to report errors on the num_busses property via the Error**
    parameter when realizing the devices.
---
v2. Add a sanity check on the num_busses property when realizing the
    devices.
---
 hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

Comments

Peter Maydell Jan. 25, 2018, 10:20 a.m. UTC | #1
On 24 January 2018 at 21:57, Francisco Iglesias
<frasse.iglesias@gmail.com> wrote:
> Coverity found that the variable tx_rx in the function
> xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
> patch corrects this by always initializing tx_rx to zeros.
>
> Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
>
> ---
> v3. Change to report errors on the num_busses property via the Error**
>     parameter when realizing the devices.
> ---
> v2. Add a sanity check on the num_busses property when realizing the
>     devices.
> ---
>  hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> index 85c5d0c..8af36ca 100644
> --- a/hw/ssi/xilinx_spips.c
> +++ b/hw/ssi/xilinx_spips.c
> @@ -210,6 +210,9 @@
>  #define SNOOP_NONE 0xEE
>  #define SNOOP_STRIPING 0
>
> +#define MIN_NUM_BUSSES 1
> +#define MAX_NUM_BUSSES 2
> +
>  static inline int num_effective_busses(XilinxSPIPS *s)
>  {
>      return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
>      for (;;) {
>          int i;
>          uint8_t tx = 0;
> -        uint8_t tx_rx[num_effective_busses(s)];
> +        uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
>          uint8_t dummy_cycles = 0;
>          uint8_t addr_length;
>
> @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp)
>
>      DB_PRINT_L(0, "realized spips\n");
>
> +    if (s->num_busses > MAX_NUM_BUSSES) {
> +        error_setg(errp,
> +                   "requested number of SPI busses %u exceeds maximum %d",
> +                   s->num_busses, MAX_NUM_BUSSES);
> +        return;
> +    }
> +    if (s->num_busses < MIN_NUM_BUSSES) {
> +        error_setg(errp,
> +                   "requested number of SPI busses %u is below minimum %d",
> +                   s->num_busses, MIN_NUM_BUSSES);
> +        return;
> +    }
> +

The usual plural of "bus" is "buses", but since it's in the QOM
property name I guess we're stuck with "busses" here for consistency...


Applied to target-arm.next, thanks.

-- PMM
Francisco Iglesias Jan. 25, 2018, 2:24 p.m. UTC | #2
On Thursday, 25 January 2018, Peter Maydell <peter.maydell@linaro.org>
wrote:

> On 24 January 2018 at 21:57, Francisco Iglesias
> <frasse.iglesias@gmail.com> wrote:
> > Coverity found that the variable tx_rx in the function
> > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841).
> This
> > patch corrects this by always initializing tx_rx to zeros.
> >
> > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
> >
> > ---
> > v3. Change to report errors on the num_busses property via the Error**
> >     parameter when realizing the devices.
> > ---
> > v2. Add a sanity check on the num_busses property when realizing the
> >     devices.
> > ---
> >  hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
> >  1 file changed, 17 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
> > index 85c5d0c..8af36ca 100644
> > --- a/hw/ssi/xilinx_spips.c
> > +++ b/hw/ssi/xilinx_spips.c
> > @@ -210,6 +210,9 @@
> >  #define SNOOP_NONE 0xEE
> >  #define SNOOP_STRIPING 0
> >
> > +#define MIN_NUM_BUSSES 1
> > +#define MAX_NUM_BUSSES 2
> > +
> >  static inline int num_effective_busses(XilinxSPIPS *s)
> >  {
> >      return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
> > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS
> *s)
> >      for (;;) {
> >          int i;
> >          uint8_t tx = 0;
> > -        uint8_t tx_rx[num_effective_busses(s)];
> > +        uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
> >          uint8_t dummy_cycles = 0;
> >          uint8_t addr_length;
> >
> > @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState
> *dev, Error **errp)
> >
> >      DB_PRINT_L(0, "realized spips\n");
> >
> > +    if (s->num_busses > MAX_NUM_BUSSES) {
> > +        error_setg(errp,
> > +                   "requested number of SPI busses %u exceeds maximum
> %d",
> > +                   s->num_busses, MAX_NUM_BUSSES);
> > +        return;
> > +    }
> > +    if (s->num_busses < MIN_NUM_BUSSES) {
> > +        error_setg(errp,
> > +                   "requested number of SPI busses %u is below minimum
> %d",
> > +                   s->num_busses, MIN_NUM_BUSSES);
> > +        return;
> > +    }
> > +
>
> The usual plural of "bus" is "buses", but since it's in the QOM
> property name I guess we're stuck with "busses" here for consistency...
>
>
> Applied to target-arm.next, thanks.
>
> -- PMM
>

Hi Peter,

Thank you very much again for looking into this!

Best regards,
Francisco Iglesias

Patch

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 85c5d0c..8af36ca 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -210,6 +210,9 @@ 
 #define SNOOP_NONE 0xEE
 #define SNOOP_STRIPING 0
 
+#define MIN_NUM_BUSSES 1
+#define MAX_NUM_BUSSES 2
+
 static inline int num_effective_busses(XilinxSPIPS *s)
 {
     return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
@@ -573,7 +576,7 @@  static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
     for (;;) {
         int i;
         uint8_t tx = 0;
-        uint8_t tx_rx[num_effective_busses(s)];
+        uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
         uint8_t dummy_cycles = 0;
         uint8_t addr_length;
 
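Review bot: The fixed-size `tx_rx[MAX_NUM_BUSSES]` is only in bounds while every index used later in this loop stays below MAX_NUM_BUSSES, and nothing inside xilinx_spips_flush_txfifo() enforces that. The only bound is the num_busses check added to xilinx_spips_realize() in the last hunk. The loop body lies outside this hunk, so this is inferred, but it presumably still indexes tx_rx up to num_effective_busses(s). I would add `assert(num_effective_busses(s) <= MAX_NUM_BUSSES);` directly after the declaration, so a later change that raises the bus count trips an assertion instead of writing past a stack array. A one-line comment on `#define MAX_NUM_BUSSES 2` in the first hunk, saying that it also sizes tx_rx here, would make the coupling visible where the limit is defined.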
@@ -1221,6 +1224,19 @@  static void xilinx_spips_realize(DeviceState *dev, Error **errp)
 
     DB_PRINT_L(0, "realized spips\n");
 
+    if (s->num_busses > MAX_NUM_BUSSES) {
+        error_setg(errp,
+                   "requested number of SPI busses %u exceeds maximum %d",
+                   s->num_busses, MAX_NUM_BUSSES);
+        return;
+    }
+    if (s->num_busses < MIN_NUM_BUSSES) {
+        error_setg(errp,
+                   "requested number of SPI busses %u is below minimum %d",
+                   s->num_busses, MIN_NUM_BUSSES);
+        return;
+    }
+
     s->spi = g_new(SSIBus *, s->num_busses);
     for (i = 0; i < s->num_busses; ++i) {
         char bus_name[16];
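Review bot: Both range checks are placed after `DB_PRINT_L(0, "realized spips\n");`, so with debug output enabled a device rejected for an out-of-range num_busses is still logged as realized. Moving the two `if` blocks above that line, ideally to the top of xilinx_spips_realize() before any other setup, keeps the log accurate and guarantees validation precedes `g_new(SSIBus *, s->num_busses)`. The start of the function is outside this hunk, so whether earlier code already depends on num_busses cannot be confirmed from here. A short comment above the checks, such as `/* tx_rx[] in xilinx_spips_flush_txfifo() is sized by MAX_NUM_BUSSES */`, would record why the upper bound is a memory-safety limit and not just a sanity check.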