Message ID | 20201214045807.41003-7-david@gibson.dropbear.id.au
---|---
State | New
Series | [PULL,01/30] spapr/xive: Turn some sanity checks into assertions
On Mon, 14 Dec 2020 at 04:58, David Gibson <david@gibson.dropbear.id.au> wrote:
>
> From: Greg Kurz <groug@kaod.org>
>
> We currently detect that a PHB index is already in use at plug time.
> But this can be detected at pre-plug in order to error out earlier.
>
> This allows passing &error_abort to spapr_drc_attach() and ending
> up with a plug handler that doesn't need to report errors anymore.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> Message-Id: <20201120234208.683521-8-groug@kaod.org>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Hi; this change seems to have nudged one of Coverity's heuristics into deciding that spapr_drc_by_id() can return NULL (because its return value is checked here, I suspect), so it reports CID 1437757, 1437758, where spapr_add_lmbs() and spapr_memory_unplug_request() both take the return value of spapr_drc_by_id() and pass it directly to spapr_drc_index(), which will crash if it is passed a NULL pointer.

Is it impossible for spapr_drc_by_id() to return NULL in those functions (i.e. Coverity false positive) or is there a missing error check?

thanks
-- PMM
On Tue, 15 Dec 2020 16:56:36 +0000 Peter Maydell <peter.maydell@linaro.org> wrote:
> On Mon, 14 Dec 2020 at 04:58, David Gibson <david@gibson.dropbear.id.au> wrote:
> >
> > From: Greg Kurz <groug@kaod.org>
> >
> > We currently detect that a PHB index is already in use at plug time.
> > But this can be detected at pre-plug in order to error out earlier.
> >
> > This allows passing &error_abort to spapr_drc_attach() and ending
> > up with a plug handler that doesn't need to report errors anymore.
> >
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > Message-Id: <20201120234208.683521-8-groug@kaod.org>
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
>
> Hi; this change seems to have nudged one of Coverity's
> heuristics into deciding that spapr_drc_by_id() can return
> NULL (because its return value is checked here, I suspect),
> so it reports CID 1437757, 1437758, where spapr_add_lmbs()
> and spapr_memory_unplug_request() both take the return value
> of spapr_drc_by_id() and pass it directly to spapr_drc_index(),
> which will crash if it is passed a NULL pointer.
>
> Is it impossible for spapr_drc_by_id() to return NULL in
> those functions (i.e. Coverity false positive) or is there
> a missing error check?
>

No, all DRC objects are created before either of these two functions is called. Each function happens to loop over the full list of memory DRCs a few lines above the offending call sites and already asserts that spapr_drc_by_id() doesn't return NULL. But I guess Coverity isn't smart enough to detect that. I'll post a patch to add some more assertions.

> thanks
> -- PMM
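The pre-plug/plug split that the commit message describes, as an added C model constructed for this page (it is not QEMU's code): a fixed-size PHB DRC table stands in for the DRC objects, a string stands in for `Error **`, and `phb_pre_plug()` does all the validation so that `phb_plug()` can only assert.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the sPAPR PHB DRC table (hypothetical, not QEMU). */
#define MAX_PHBS 4

typedef struct {
    int index;
    const char *dev;   /* non-NULL once a device is attached */
} Drc;

static Drc phb_drcs[MAX_PHBS];

static void drcs_init(void) {
    for (int i = 0; i < MAX_PHBS; i++) {
        phb_drcs[i].index = i;
        phb_drcs[i].dev = NULL;
    }
}

/* Like spapr_drc_by_id(): NULL only for an index outside the table. */
static Drc *drc_by_id(int index) {
    return (index >= 0 && index < MAX_PHBS) ? &phb_drcs[index] : NULL;
}

/* Pre-plug: every failure is reported here; false means "do not plug". */
static bool phb_pre_plug(int index, const char **errp) {
    Drc *drc = drc_by_id(index);
    if (drc && drc->dev) { *errp = "PHB already attached"; return false; }
    if (!drc) { *errp = "PHB index exceeds maximum"; return false; }
    *errp = NULL;
    return true;
}

/* Plug: can no longer fail; the contract with pre-plug is asserted. */
static void phb_plug(int index, const char *dev) {
    Drc *drc = drc_by_id(index);
    assert(drc);        /* index was validated by pre-plug */
    assert(!drc->dev);  /* pre-plug already checked the DRC is attachable */
    drc->dev = dev;
}

/* Two-phase hotplug driver; returns true if the device was plugged. */
static bool hotplug_phb(int index, const char *dev, const char **errp) {
    if (!phb_pre_plug(index, errp)) return false;
    phb_plug(index, dev);
    return true;
}
```

A second attach of the same index is rejected by `phb_pre_plug()` with "PHB already attached", so `phb_plug()` never sees it.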
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index 28d266f7a7..ac115b0987 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -3886,6 +3886,7 @@ static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev, SpaprPhbState *sphb = SPAPR_PCI_HOST_BRIDGE(dev); SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr); const unsigned windows_supported = spapr_phb_windows_supported(sphb); + SpaprDrc *drc; if (dev->hotplugged && !smc->dr_phb_enabled) { error_setg(errp, "PHB hotplug not supported for this machine"); @@ -3897,6 +3898,12 @@ static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev, return false; } + drc = spapr_drc_by_id(TYPE_SPAPR_DRC_PHB, sphb->index); + if (drc && drc->dev) { + error_setg(errp, "PHB %d already attached", sphb->index); + return false; + } + /* * This will check that sphb->index doesn't exceed the maximum number of * PHBs for the current machine type. @@ -3910,8 +3917,7 @@ static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev, errp); } -static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev, - Error **errp) +static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev) { SpaprMachineState *spapr = SPAPR_MACHINE(OBJECT(hotplug_dev)); SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr); @@ -3927,9 +3933,8 @@ static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev, /* hotplug hooks should check it's enabled before getting this far */ assert(drc); - if (!spapr_drc_attach(drc, dev, errp)) { - return; - } + /* spapr_phb_pre_plug() already checked the DRC is attachable */ + spapr_drc_attach(drc, dev, &error_abort); if (hotplugged) { spapr_hotplug_req_add_by_index(drc); 
@@ -3997,7 +4002,7 @@ static void spapr_machine_device_plug(HotplugHandler *hotplug_dev, } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_CPU_CORE)) { spapr_core_plug(hotplug_dev, dev, errp); } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_PCI_HOST_BRIDGE)) { - spapr_phb_plug(hotplug_dev, dev, errp); + spapr_phb_plug(hotplug_dev, dev); } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_TPM_PROXY)) { spapr_tpm_proxy_plug(hotplug_dev, dev, errp); }
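Review bot: in the @@ -3897 hunk the new `if (drc && drc->dev)` test runs before the maximum-index check that the following comment refers to, so `drc` can legitimately be NULL at this point, and that NULL guard is what leads Coverity to treat spapr_drc_by_id() as nullable at the unchecked call sites in spapr_add_lmbs() and spapr_memory_unplug_request() (CID 1437757 and 1437758 in the thread). A one-line comment stating that NULL here only means sphb->index has not been range-checked yet, plus the extra assert(drc) at those two callers that Greg proposes, would document the contract and keep the tool quiet.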
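Review bot: in the @@ -3927 hunk, `spapr_drc_attach(drc, dev, &error_abort);` turns any attach failure into a process abort, so the plug handler now depends on spapr_phb_pre_plug() always having run first for the same DRC; the comment says so, but nothing at this site checks it. Consider adding `assert(!drc->dev);` beside the existing `assert(drc);` so the condition rejected at pre-plug is also visible where it is relied upon.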