Coverity found that the variable tx_rx in the function
xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This
patch corrects this by always initializing tx_rx to zeros.
Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
---
v3. Change to report errors on the num_busses property via the Error**
parameter when realizing the devices.
---
v2. Add a sanity check on the num_busses property when realizing the
devices.
---
hw/ssi/xilinx_spips.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index 85c5d0c..8af36ca 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -210,6 +210,9 @@
#define SNOOP_NONE 0xEE
#define SNOOP_STRIPING 0
+#define MIN_NUM_BUSSES 1
+#define MAX_NUM_BUSSES 2
+
static inline int num_effective_busses(XilinxSPIPS *s)
{
return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS &&
@@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
for (;;) {
int i;
uint8_t tx = 0;
- uint8_t tx_rx[num_effective_busses(s)];
+ uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 };
uint8_t dummy_cycles = 0;
uint8_t addr_length;
@@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp)
DB_PRINT_L(0, "realized spips\n");
+ if (s->num_busses > MAX_NUM_BUSSES) {
+ error_setg(errp,
+ "requested number of SPI busses %u exceeds maximum %d",
+ s->num_busses, MAX_NUM_BUSSES);
+ return;
+ }
+ if (s->num_busses < MIN_NUM_BUSSES) {
+ error_setg(errp,
+ "requested number of SPI busses %u is below minimum %d",
+ s->num_busses, MIN_NUM_BUSSES);
+ return;
+ }
+
s->spi = g_new(SSIBus *, s->num_busses);
for (i = 0; i < s->num_busses; ++i) {
char bus_name[16];
--
2.9.3
On 24 January 2018 at 21:57, Francisco Iglesias <frasse.iglesias@gmail.com> wrote: > Coverity found that the variable tx_rx in the function > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). This > patch corrects this by always initializing tx_rx to zeros. > > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> > > --- > v3. Change to report errors on the num_busses property via the Error** > parameter when realizing the devices. > --- > v2. Add a sanity check on the num_busses property when realizing the > devices. > --- > hw/ssi/xilinx_spips.c | 18 +++++++++++++++++- > 1 file changed, 17 insertions(+), 1 deletion(-) > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > index 85c5d0c..8af36ca 100644 > --- a/hw/ssi/xilinx_spips.c > +++ b/hw/ssi/xilinx_spips.c > @@ -210,6 +210,9 @@ > #define SNOOP_NONE 0xEE > #define SNOOP_STRIPING 0 > > +#define MIN_NUM_BUSSES 1 > +#define MAX_NUM_BUSSES 2 > + > static inline int num_effective_busses(XilinxSPIPS *s) > { > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) > for (;;) { > int i; > uint8_t tx = 0; > - uint8_t tx_rx[num_effective_busses(s)]; > + uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; > uint8_t dummy_cycles = 0; > uint8_t addr_length; > > @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) > > DB_PRINT_L(0, "realized spips\n"); > > + if (s->num_busses > MAX_NUM_BUSSES) { > + error_setg(errp, > + "requested number of SPI busses %u exceeds maximum %d", > + s->num_busses, MAX_NUM_BUSSES); > + return; > + } > + if (s->num_busses < MIN_NUM_BUSSES) { > + error_setg(errp, > + "requested number of SPI busses %u is below minimum %d", > + s->num_busses, MIN_NUM_BUSSES); > + return; > + } > + The usual plural of "bus" is "buses", but since it's in the QOM property name I guess we're stuck with "busses" here for consistency... Applied to target-arm.next, thanks. -- PMM
On Thursday, 25 January 2018, Peter Maydell <peter.maydell@linaro.org> wrote: > On 24 January 2018 at 21:57, Francisco Iglesias > <frasse.iglesias@gmail.com> wrote: > > Coverity found that the variable tx_rx in the function > > xilinx_spips_flush_txfifo was being used uninitialized (CID 1383841). > This > > patch corrects this by always initializing tx_rx to zeros. > > > > Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> > > > > --- > > v3. Change to report errors on the num_busses property via the Error** > > parameter when realizing the devices. > > --- > > v2. Add a sanity check on the num_busses property when realizing the > > devices. > > --- > > hw/ssi/xilinx_spips.c | 18 +++++++++++++++++- > > 1 file changed, 17 insertions(+), 1 deletion(-) > > > > diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c > > index 85c5d0c..8af36ca 100644 > > --- a/hw/ssi/xilinx_spips.c > > +++ b/hw/ssi/xilinx_spips.c > > @@ -210,6 +210,9 @@ > > #define SNOOP_NONE 0xEE > > #define SNOOP_STRIPING 0 > > > > +#define MIN_NUM_BUSSES 1 > > +#define MAX_NUM_BUSSES 2 > > + > > static inline int num_effective_busses(XilinxSPIPS *s) > > { > > return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && > > @@ -573,7 +576,7 @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS > *s) > > for (;;) { > > int i; > > uint8_t tx = 0; > > - uint8_t tx_rx[num_effective_busses(s)]; > > + uint8_t tx_rx[MAX_NUM_BUSSES] = { 0 }; > > uint8_t dummy_cycles = 0; > > uint8_t addr_length; > > > > @@ -1221,6 +1224,19 @@ static void xilinx_spips_realize(DeviceState > *dev, Error **errp) > > > > DB_PRINT_L(0, "realized spips\n"); > > > > + if (s->num_busses > MAX_NUM_BUSSES) { > > + error_setg(errp, > > + "requested number of SPI busses %u exceeds maximum > %d", > > + s->num_busses, MAX_NUM_BUSSES); > > + return; > > + } > > + if (s->num_busses < MIN_NUM_BUSSES) { > > + error_setg(errp, > > + "requested number of SPI busses %u is below minimum > %d", > > + s->num_busses, MIN_NUM_BUSSES); > > + return; > > + } > > + > > The usual plural of "bus" is "buses", but since it's in the QOM > property name I guess we're stuck with "busses" here for consistency... > > > Applied to target-arm.next, thanks. > > -- PMM > Hi Peter, Thank you very much again for looking into this! Best regards, Francisco Iglesias
© 2016 - 2024 Red Hat, Inc.