Check the return status of the xen_host_pci_get_* functions we call in
xen_pt_msix_init(), and fail device init if the reads failed rather than
ploughing ahead. (Spotted by Coverity: CID 777338.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
Disclaimer: compile tested only!
The only other Xen-related Coverity issue outstanding is that
we don't check the return value of net_hub_id_for_client() in
xen_config_dev_nic(), but that's too complicated for me to figure
out what the right thing to do is (or if it's even a bug at all).
---
hw/xen/xen_pt_msi.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
index 62add0639f..ff9a79f5d2 100644
--- a/hw/xen/xen_pt_msi.c
+++ b/hw/xen/xen_pt_msi.c
@@ -535,7 +535,11 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base)
return -1;
}
- xen_host_pci_get_word(hd, base + PCI_MSIX_FLAGS, &control);
+ rc = xen_host_pci_get_word(hd, base + PCI_MSIX_FLAGS, &control);
+ if (rc) {
+ XEN_PT_ERR(d, "Failed to read PCI_MSIX_FLAGS field\n");
+ return rc;
+ }
total_entries = control & PCI_MSIX_FLAGS_QSIZE;
total_entries += 1;
@@ -554,7 +558,11 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base)
+ XC_PAGE_SIZE - 1)
& XC_PAGE_MASK);
- xen_host_pci_get_long(hd, base + PCI_MSIX_TABLE, &table_off);
+ rc = xen_host_pci_get_long(hd, base + PCI_MSIX_TABLE, &table_off);
+ if (rc) {
+ XEN_PT_ERR(d, "Failed to read PCI_MSIX_TABLE field\n");
+ goto error_out;
+ }
bar_index = msix->bar_index = table_off & PCI_MSIX_FLAGS_BIRMASK;
table_off = table_off & ~PCI_MSIX_FLAGS_BIRMASK;
msix->table_base = s->real_device.io_regions[bar_index].base_addr;
--
2.11.0
On Sun, 9 Jul 2017, Peter Maydell wrote:
> Check the return status of the xen_host_pci_get_* functions we call in
> xen_pt_msix_init(), and fail device init if the reads failed rather than
> ploughing ahead. (Spotted by Coverity: CID 777338.)
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
I'll add it to my queue
> ---
> Disclaimer: compile tested only!
>
> The only other Xen-related Coverity issue outstanding is that
> we don't check the return value of net_hub_id_for_client() in
> xen_config_dev_nic(), but that's too complicated for me to figure
> out what the right thing to do is (or if it's even a bug at all).
> ---
> hw/xen/xen_pt_msi.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
> index 62add0639f..ff9a79f5d2 100644
> --- a/hw/xen/xen_pt_msi.c
> +++ b/hw/xen/xen_pt_msi.c
> @@ -535,7 +535,11 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base)
> return -1;
> }
>
> - xen_host_pci_get_word(hd, base + PCI_MSIX_FLAGS, &control);
> + rc = xen_host_pci_get_word(hd, base + PCI_MSIX_FLAGS, &control);
> + if (rc) {
> + XEN_PT_ERR(d, "Failed to read PCI_MSIX_FLAGS field\n");
> + return rc;
> + }
> total_entries = control & PCI_MSIX_FLAGS_QSIZE;
> total_entries += 1;
>
> @@ -554,7 +558,11 @@ int xen_pt_msix_init(XenPCIPassthroughState *s, uint32_t base)
> + XC_PAGE_SIZE - 1)
> & XC_PAGE_MASK);
>
> - xen_host_pci_get_long(hd, base + PCI_MSIX_TABLE, &table_off);
> + rc = xen_host_pci_get_long(hd, base + PCI_MSIX_TABLE, &table_off);
> + if (rc) {
> + XEN_PT_ERR(d, "Failed to read PCI_MSIX_TABLE field\n");
> + goto error_out;
> + }
> bar_index = msix->bar_index = table_off & PCI_MSIX_FLAGS_BIRMASK;
> table_off = table_off & ~PCI_MSIX_FLAGS_BIRMASK;
> msix->table_base = s->real_device.io_regions[bar_index].base_addr;
> --
> 2.11.0
>
>
© 2016 - 2025 Red Hat, Inc.