mirror of https://github.com/xemu-project/xemu.git
hw/ufs: Fix code coverity issues
Fixed four ufs-related coverity issues. The coverity issues and fixes are as follows 1. CID 1519042: Security issue with the rand() function Changed to use a fixed value (0xab) instead of rand() as the value for testing 2. CID 1519043: Dereference after null check Removed useless (redundant) null checks 3. CID 1519050: Out-of-bounds access issue Fix to pass an array type variable to find_first_bit and find_next_bit using DECLARE_BITMAP() 4. CID 1519051: Out-of-bounds read issue Fix incorrect range check for lun Fix coverity CID: 1519042 1519043 1519050 1519051 Signed-off-by: Jeuk Kim <jeuk20.kim@samsung.com>
This commit is contained in:
parent
63011373ad
commit
97970dae53
16
hw/ufs/lu.c
16
hw/ufs/lu.c
|
@ -1345,13 +1345,12 @@ static void ufs_lu_realize(SCSIDevice *dev, Error **errp)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (lu->qdev.conf.blk) {
|
ctx = blk_get_aio_context(lu->qdev.conf.blk);
|
||||||
ctx = blk_get_aio_context(lu->qdev.conf.blk);
|
aio_context_acquire(ctx);
|
||||||
aio_context_acquire(ctx);
|
if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
|
||||||
if (!blkconf_blocksizes(&lu->qdev.conf, errp)) {
|
goto out;
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
lu->qdev.blocksize = UFS_BLOCK_SIZE;
|
lu->qdev.blocksize = UFS_BLOCK_SIZE;
|
||||||
blk_get_geometry(lu->qdev.conf.blk, &nb_sectors);
|
blk_get_geometry(lu->qdev.conf.blk, &nb_sectors);
|
||||||
nb_blocks = nb_sectors / (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
|
nb_blocks = nb_sectors / (lu->qdev.blocksize / BDRV_SECTOR_SIZE);
|
||||||
|
@ -1367,10 +1366,9 @@ static void ufs_lu_realize(SCSIDevice *dev, Error **errp)
|
||||||
}
|
}
|
||||||
|
|
||||||
ufs_lu_brdv_init(lu, errp);
|
ufs_lu_brdv_init(lu, errp);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
if (ctx) {
|
aio_context_release(ctx);
|
||||||
aio_context_release(ctx);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void ufs_lu_unrealize(SCSIDevice *dev)
|
static void ufs_lu_unrealize(SCSIDevice *dev)
|
||||||
|
|
10
hw/ufs/ufs.c
10
hw/ufs/ufs.c
|
@ -258,7 +258,7 @@ static void ufs_irq_check(UfsHc *u)
|
||||||
|
|
||||||
static void ufs_process_db(UfsHc *u, uint32_t val)
|
static void ufs_process_db(UfsHc *u, uint32_t val)
|
||||||
{
|
{
|
||||||
unsigned long doorbell;
|
DECLARE_BITMAP(doorbell, UFS_MAX_NUTRS);
|
||||||
uint32_t slot;
|
uint32_t slot;
|
||||||
uint32_t nutrs = u->params.nutrs;
|
uint32_t nutrs = u->params.nutrs;
|
||||||
UfsRequest *req;
|
UfsRequest *req;
|
||||||
|
@ -268,8 +268,8 @@ static void ufs_process_db(UfsHc *u, uint32_t val)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
doorbell = val;
|
doorbell[0] = val;
|
||||||
slot = find_first_bit(&doorbell, nutrs);
|
slot = find_first_bit(doorbell, nutrs);
|
||||||
|
|
||||||
while (slot < nutrs) {
|
while (slot < nutrs) {
|
||||||
req = &u->req_list[slot];
|
req = &u->req_list[slot];
|
||||||
|
@ -285,7 +285,7 @@ static void ufs_process_db(UfsHc *u, uint32_t val)
|
||||||
|
|
||||||
trace_ufs_process_db(slot);
|
trace_ufs_process_db(slot);
|
||||||
req->state = UFS_REQUEST_READY;
|
req->state = UFS_REQUEST_READY;
|
||||||
slot = find_next_bit(&doorbell, nutrs, slot + 1);
|
slot = find_next_bit(doorbell, nutrs, slot + 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
qemu_bh_schedule(u->doorbell_bh);
|
qemu_bh_schedule(u->doorbell_bh);
|
||||||
|
@ -838,7 +838,7 @@ static QueryRespCode ufs_read_unit_desc(UfsRequest *req)
|
||||||
uint8_t lun = req->req_upiu.qr.index;
|
uint8_t lun = req->req_upiu.qr.index;
|
||||||
|
|
||||||
if (lun != UFS_UPIU_RPMB_WLUN &&
|
if (lun != UFS_UPIU_RPMB_WLUN &&
|
||||||
(lun > UFS_MAX_LUS || u->lus[lun] == NULL)) {
|
(lun >= UFS_MAX_LUS || u->lus[lun] == NULL)) {
|
||||||
trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
|
trace_ufs_err_query_invalid_index(req->req_upiu.qr.opcode, lun);
|
||||||
return UFS_QUERY_RESULT_INVALID_INDEX;
|
return UFS_QUERY_RESULT_INVALID_INDEX;
|
||||||
}
|
}
|
||||||
|
|
|
@ -497,7 +497,7 @@ static void ufstest_read_write(void *obj, void *data, QGuestAllocator *alloc)
|
||||||
g_assert_cmpuint(block_size, ==, 4096);
|
g_assert_cmpuint(block_size, ==, 4096);
|
||||||
|
|
||||||
/* Write data */
|
/* Write data */
|
||||||
memset(write_buf, rand() % 255 + 1, block_size);
|
memset(write_buf, 0xab, block_size);
|
||||||
ufs_send_scsi_command(ufs, 0, 1, write_cdb, write_buf, block_size, NULL, 0,
|
ufs_send_scsi_command(ufs, 0, 1, write_cdb, write_buf, block_size, NULL, 0,
|
||||||
&utrd, &rsp_upiu);
|
&utrd, &rsp_upiu);
|
||||||
g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, UFS_OCS_SUCCESS);
|
g_assert_cmpuint(le32_to_cpu(utrd.header.dword_2), ==, UFS_OCS_SUCCESS);
|
||||||
|
|
Loading…
Reference in New Issue