
[PULL,06/30] spapr: Do PHB hoplug sanity check at pre-plug

Message ID 20201214045807.41003-7-david@gibson.dropbear.id.au
State New
Series [PULL,01/30] spapr/xive: Turn some sanity checks into assertions

Commit Message

David Gibson Dec. 14, 2020, 4:57 a.m. UTC
From: Greg Kurz <groug@kaod.org>

We currently detect that a PHB index is already in use at plug time.
But this can be detected at pre-plug in order to error out earlier.

This allows passing &error_abort to spapr_drc_attach() and ending
up with a plug handler that doesn't need to report errors anymore.

Signed-off-by: Greg Kurz <groug@kaod.org>
Message-Id: <20201120234208.683521-8-groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
---
 hw/ppc/spapr.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

Comments

Peter Maydell Dec. 15, 2020, 4:56 p.m. UTC | #1
On Mon, 14 Dec 2020 at 04:58, David Gibson <david@gibson.dropbear.id.au> wrote:
>
> From: Greg Kurz <groug@kaod.org>
>
> We currently detect that a PHB index is already in use at plug time.
> But this can be detected at pre-plug in order to error out earlier.
>
> This allows to pass &error_abort to spapr_drc_attach() and to end
> up with a plug handler that doesn't need to report errors anymore.
>
> Signed-off-by: Greg Kurz <groug@kaod.org>
> Message-Id: <20201120234208.683521-8-groug@kaod.org>
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>

Hi; this change seems to have nudged one of Coverity's
heuristics into deciding that spapr_drc_by_id() can return
NULL (because its return value is checked here, I suspect),
so it reports CID 1437757, 1437758, where spapr_add_lmbs()
and spapr_memory_unplug_request() both take the return value
of spapr_drc_by_id() and pass it directly to spapr_drc_index(),
which will crash if it is passed a NULL pointer.

Is it impossible for spapr_drc_by_id() to return NULL in
those functions (ie Coverity false positive) or is there
a missing error check?

thanks
-- PMM
Greg Kurz Dec. 15, 2020, 5:31 p.m. UTC | #2
On Tue, 15 Dec 2020 16:56:36 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:

> On Mon, 14 Dec 2020 at 04:58, David Gibson <david@gibson.dropbear.id.au> wrote:
> >
> > From: Greg Kurz <groug@kaod.org>
> >
> > We currently detect that a PHB index is already in use at plug time.
> > But this can be detected at pre-plug in order to error out earlier.
> >
> > This allows to pass &error_abort to spapr_drc_attach() and to end
> > up with a plug handler that doesn't need to report errors anymore.
> >
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > Message-Id: <20201120234208.683521-8-groug@kaod.org>
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> 
> Hi; this change seems to have nudged one of Coverity's
> heuristics into deciding that spapr_drc_by_id() can return
> NULL (because its return value is checked here, I suspect),
> so it reports CID 1437757, 1437758, where spapr_add_lmbs()
> and spapr_memory_unplug_request() both take the return value
> of spapr_drc_by_id() and pass it directly to spapr_drc_index(),
> which will crash if it is passed a NULL pointer.
> 
> Is it impossible for spapr_drc_by_id() to return NULL in
> those functions (ie Coverity false positive) or is there
> a missing error check?
> 

No, all DRC objects are created before either of these two
functions is called. Each function happens to loop over
the full list of memory DRCs a few lines above the offending
call sites and already asserts that spapr_drc_by_id() doesn't
return NULL. But I guess Coverity isn't smart enough to
detect that.

I'll post a patch to add some more assertions.

> thanks
> -- PMM

Patch

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 28d266f7a7..ac115b0987 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -3886,6 +3886,7 @@  static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
     SpaprPhbState *sphb = SPAPR_PCI_HOST_BRIDGE(dev);
     SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
     const unsigned windows_supported = spapr_phb_windows_supported(sphb);
+    SpaprDrc *drc;
 
     if (dev->hotplugged && !smc->dr_phb_enabled) {
         error_setg(errp, "PHB hotplug not supported for this machine");
@@ -3897,6 +3898,12 @@  static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
         return false;
     }
 
+    drc = spapr_drc_by_id(TYPE_SPAPR_DRC_PHB, sphb->index);
+    if (drc && drc->dev) {
+        error_setg(errp, "PHB %d already attached", sphb->index);
+        return false;
+    }
+
     /*
      * This will check that sphb->index doesn't exceed the maximum number of
      * PHBs for the current machine type.
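Review bot: the new lookup `drc = spapr_drc_by_id(TYPE_SPAPR_DRC_PHB, sphb->index);` runs before the code the following comment describes ("This will check that sphb->index doesn't exceed the maximum number of PHBs"), so spapr_drc_by_id() is called with an index that has not yet been range-checked. The `if (drc && drc->dev)` guard keeps this safe only if spapr_drc_by_id() returns NULL for an index with no DRC object; either move the "already attached" check after the range check, or add a one-line comment stating that a NULL return is expected there. The same `drc &&` NULL check is what the follow-up comments identify as the trigger for Coverity's CID 1437757/1437758 reports against the other spapr_drc_by_id() callers.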
@@ -3910,8 +3917,7 @@  static bool spapr_phb_pre_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
                            errp);
 }
 
-static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
-                           Error **errp)
+static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev)
 {
     SpaprMachineState *spapr = SPAPR_MACHINE(OBJECT(hotplug_dev));
     SpaprMachineClass *smc = SPAPR_MACHINE_GET_CLASS(spapr);
@@ -3927,9 +3933,8 @@  static void spapr_phb_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
     /* hotplug hooks should check it's enabled before getting this far */
     assert(drc);
 
-    if (!spapr_drc_attach(drc, dev, errp)) {
-        return;
-    }
+    /* spapr_phb_pre_plug() already checked the DRC is attachable */
+    spapr_drc_attach(drc, dev, &error_abort);
 
     if (hotplugged) {
         spapr_hotplug_req_add_by_index(drc);
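Review bot: `spapr_drc_attach(drc, dev, &error_abort);` turns any attach failure into an abort of the whole QEMU process, so the change is only correct if spapr_phb_pre_plug() always runs for this device with the same sphb->index and nothing can attach to that DRC between the pre-plug and plug hooks. The comment `/* spapr_phb_pre_plug() already checked the DRC is attachable */` should state that invariant explicitly, since a future caller that reaches spapr_phb_plug() without going through the pre-plug hook now crashes the VM instead of getting an error. Dropping the `Error **errp` parameter is consistent with that, and documenting that the function cannot fail would make the contract visible at the declaration.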
@@ -3997,7 +4002,7 @@  static void spapr_machine_device_plug(HotplugHandler *hotplug_dev,
     } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_CPU_CORE)) {
         spapr_core_plug(hotplug_dev, dev, errp);
     } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_PCI_HOST_BRIDGE)) {
-        spapr_phb_plug(hotplug_dev, dev, errp);
+        spapr_phb_plug(hotplug_dev, dev);
     } else if (object_dynamic_cast(OBJECT(dev), TYPE_SPAPR_TPM_PROXY)) {
         spapr_tpm_proxy_plug(hotplug_dev, dev, errp);
     }