From 1bad4957c8c4d5367961cb3d5287b2f25a1d6847 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Mon, 30 Apr 2018 23:02:17 +0300 Subject: [PATCH 1/8] hw/rdma: Fix possible munmap call on a NULL pointer Coverity CID 1390620: we call munmap() on a NULL pointer. Reported-by: Peter Maydell Signed-off-by: Marcel Apfelbaum Reviewed-by: Yuval Shaia Message-Id: <20180430200223.4119-2-marcel.apfelbaum@gmail.com> --- hw/rdma/vmw/pvrdma_cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index 99019d8741..f9dd78cb27 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -232,7 +232,7 @@ static int create_mr(PVRDMADev *dev, union pvrdma_cmd_req *req, cmd->start, cmd->length, host_virt, cmd->access_flags, &resp->mr_handle, &resp->lkey, &resp->rkey); - if (!resp->hdr.err) { + if (host_virt && !resp->hdr.err) { munmap(host_virt, cmd->length); } From b0197cf80a903aa1e401cc7ebdf8be8bc307297b Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Mon, 30 Apr 2018 23:02:18 +0300 Subject: [PATCH 2/8] hw/rdma: Fix possible usage of a NULL pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Coverity CID 1390586; The cq handle is provided by the guest and cannot be trusted to be previuosly allocated. Fix it by exiting the completion flow. Reported-by: Peter Maydell Signed-off-by: Marcel Apfelbaum Reviewed-by: Yuval Shaia Message-Id: <20180430200223.4119-3-marcel.apfelbaum@gmail.com> Reviewed-by: Philippe Mathieu-Daudé --- hw/rdma/vmw/pvrdma_qp_ops.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/rdma/vmw/pvrdma_qp_ops.c b/hw/rdma/vmw/pvrdma_qp_ops.c index 750ade6c31..99bb51111e 100644 --- a/hw/rdma/vmw/pvrdma_qp_ops.c +++ b/hw/rdma/vmw/pvrdma_qp_ops.c @@ -216,6 +216,7 @@ void pvrdma_cq_poll(RdmaDeviceResources *dev_res, uint32_t cq_handle) cq = rdma_rm_get_cq(dev_res, cq_handle); if (!cq) { pr_dbg("Invalid CQ# %d\n", cq_handle); + return; } rdma_backend_poll_cq(dev_res, &cq->backend_cq); From b9e34872b95af26076e2b456fd1c3e9dd65f3b19 Mon Sep 17 00:00:00 2001 From: Yuval Shaia Date: Mon, 30 Apr 2018 23:02:19 +0300 Subject: [PATCH 3/8] hw/rdma: Delete port's pkey table Support for PKEY is not yet implemented. Removing the unneeded table until a support will be added. Signed-off-by: Yuval Shaia Reviewed-by: Marcel Apfelbaum Message-Id: <20180430200223.4119-4-marcel.apfelbaum@gmail.com> --- hw/rdma/rdma_rm_defs.h | 3 +-- hw/rdma/vmw/pvrdma_main.c | 15 --------------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h index fc646da61f..45503f14e0 100644 --- a/hw/rdma/rdma_rm_defs.h +++ b/hw/rdma/rdma_rm_defs.h @@ -21,7 +21,7 @@ #define MAX_PORTS 1 #define MAX_PORT_GIDS 1 #define MAX_PORT_PKEYS 1 -#define MAX_PKEYS 1 +#define MAX_PKEYS MAX_PORT_PKEYS #define MAX_GIDS 2048 #define MAX_UCS 512 #define MAX_MR_SIZE (1UL << 27) @@ -87,7 +87,6 @@ typedef struct RdmaRmQP { typedef struct RdmaRmPort { union ibv_gid gid_tbl[MAX_PORT_GIDS]; enum ibv_port_state state; - int *pkey_tbl; /* TODO: Not yet supported */ } RdmaRmPort; typedef struct RdmaDeviceResources { diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index c552248c90..994220b58e 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -275,15 +275,6 @@ static void init_dsr_dev_caps(PVRDMADev *dev) pr_dbg("Initialized\n"); } -static void free_ports(PVRDMADev *dev) -{ - int i; - - for (i = 0; i < MAX_PORTS; i++) { - g_free(dev->rdma_dev_res.ports[i].gid_tbl); - } -} - static void init_ports(PVRDMADev *dev, Error **errp) { int i; @@ -292,10 +283,6 @@ static void init_ports(PVRDMADev *dev, Error **errp) for (i = 0; i < MAX_PORTS; i++) { dev->rdma_dev_res.ports[i].state = IBV_PORT_DOWN; - - dev->rdma_dev_res.ports[i].pkey_tbl = - g_malloc0(sizeof(*dev->rdma_dev_res.ports[i].pkey_tbl) * - MAX_PORT_PKEYS); } } @@ -622,8 +609,6 @@ static void pvrdma_exit(PCIDevice *pdev) pvrdma_qp_ops_fini(); - free_ports(dev); - rdma_rm_fini(&dev->rdma_dev_res); rdma_backend_fini(&dev->backend_dev); From c387e8a4ecee76479f4b83b58e2e8ab854ef74ee Mon Sep 17 00:00:00 2001 From: Yuval Shaia Date: Mon, 30 Apr 2018 23:02:20 +0300 Subject: [PATCH 4/8] hw/rdma: Fix possible out of bounds access to GID table Array size is MAX_PORT_GIDS, let's make sure the given index is in range. While there limit device table size to 1. Reported-by: Peter Maydell Signed-off-by: Yuval Shaia Reviewed-by: Marcel Apfelbaum Message-Id: <20180430200223.4119-5-marcel.apfelbaum@gmail.com> --- hw/rdma/rdma_rm_defs.h | 2 +- hw/rdma/vmw/pvrdma_cmd.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h index 45503f14e0..4d22a20e4c 100644 --- a/hw/rdma/rdma_rm_defs.h +++ b/hw/rdma/rdma_rm_defs.h @@ -20,9 +20,9 @@ #define MAX_PORTS 1 #define MAX_PORT_GIDS 1 +#define MAX_GIDS MAX_PORT_GIDS #define MAX_PORT_PKEYS 1 #define MAX_PKEYS MAX_PORT_PKEYS -#define MAX_GIDS 2048 #define MAX_UCS 512 #define MAX_MR_SIZE (1UL << 27) #define MAX_QP 1024 diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f9dd78cb27..14255d609f 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -576,7 +576,7 @@ static int create_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, pr_dbg("index=%d\n", cmd->index); - if (cmd->index > MAX_PORT_GIDS) { + if (cmd->index >= MAX_PORT_GIDS) { return -EINVAL; } @@ -603,7 +603,11 @@ static int destroy_bind(PVRDMADev *dev, union pvrdma_cmd_req *req, { struct pvrdma_cmd_destroy_bind *cmd = &req->destroy_bind; - pr_dbg("clear index %d\n", cmd->index); + pr_dbg("index=%d\n", cmd->index); + + if (cmd->index >= MAX_PORT_GIDS) { + return -EINVAL; + } memset(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw, 0, sizeof(dev->rdma_dev_res.ports[0].gid_tbl[cmd->index].raw)); From 350929172b0205dccf19c29b93ac41a406ef740d Mon Sep 17 00:00:00 2001 From: Yuval Shaia Date: Mon, 30 Apr 2018 23:02:21 +0300 Subject: [PATCH 5/8] hw/rdma: Fix possible out of bounds access to regs array Coverity (CID1390589, CID1390608). Array size is RDMA_BAR1_REGS_SIZE, let's make sure the given address is in range. While there also: 1. Adjust the size of this bar to reasonable size 2. Report the size of the array with sizeof(array) Reported-by: Peter Maydell Signed-off-by: Yuval Shaia Reviewed-by: Marcel Apfelbaum Message-Id: <20180430200223.4119-6-marcel.apfelbaum@gmail.com> --- hw/rdma/vmw/pvrdma.h | 6 +++--- hw/rdma/vmw/pvrdma_main.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/hw/rdma/vmw/pvrdma.h b/hw/rdma/vmw/pvrdma.h index 8c173cb824..0b46dc5a9b 100644 --- a/hw/rdma/vmw/pvrdma.h +++ b/hw/rdma/vmw/pvrdma.h @@ -31,7 +31,7 @@ #define RDMA_REG_BAR_IDX 1 #define RDMA_UAR_BAR_IDX 2 #define RDMA_BAR0_MSIX_SIZE (16 * 1024) -#define RDMA_BAR1_REGS_SIZE 256 +#define RDMA_BAR1_REGS_SIZE 64 #define RDMA_BAR2_UAR_SIZE (0x1000 * MAX_UCS) /* each uc gets page */ /* MSIX */ @@ -86,7 +86,7 @@ static inline int get_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t *val) { int idx = addr >> 2; - if (idx > RDMA_BAR1_REGS_SIZE) { + if (idx >= RDMA_BAR1_REGS_SIZE) { return -EINVAL; } @@ -99,7 +99,7 @@ static inline int set_reg_val(PVRDMADev *dev, hwaddr addr, uint32_t val) { int idx = addr >> 2; - if (idx > RDMA_BAR1_REGS_SIZE) { + if (idx >= RDMA_BAR1_REGS_SIZE) { return -EINVAL; } diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 994220b58e..3ed7409763 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -449,14 +449,14 @@ static void init_bars(PCIDevice *pdev) /* BAR 1 - Registers */ memset(&dev->regs_data, 0, sizeof(dev->regs_data)); memory_region_init_io(&dev->regs, OBJECT(dev), ®s_ops, dev, - "pvrdma-regs", RDMA_BAR1_REGS_SIZE); + "pvrdma-regs", sizeof(dev->regs_data)); pci_register_bar(pdev, RDMA_REG_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY, &dev->regs); /* BAR 2 - UAR */ memset(&dev->uar_data, 0, sizeof(dev->uar_data)); memory_region_init_io(&dev->uar, OBJECT(dev), &uar_ops, dev, "rdma-uar", - RDMA_BAR2_UAR_SIZE); + sizeof(dev->uar_data)); pci_register_bar(pdev, RDMA_UAR_BAR_IDX, PCI_BASE_ADDRESS_SPACE_MEMORY, &dev->uar); } From 6c080b9ea6efbc277cfa7afc7d4f9d8cc3a9020b Mon Sep 17 00:00:00 2001 From: Yuval Shaia Date: Mon, 30 Apr 2018 23:02:22 +0300 Subject: [PATCH 6/8] hw/rdma: Delete duplicate definition of MAX_RM_TBL_NAME By a mistake this constant was defined twice - remove the duplication. Signed-off-by: Yuval Shaia Reviewed-by: Marcel Apfelbaum Message-Id: <20180430200223.4119-7-marcel.apfelbaum@gmail.com> --- hw/rdma/rdma_rm.c | 2 -- hw/rdma/rdma_rm_defs.h | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/hw/rdma/rdma_rm.c b/hw/rdma/rdma_rm.c index 51a47d7292..415da15efe 100644 --- a/hw/rdma/rdma_rm.c +++ b/hw/rdma/rdma_rm.c @@ -21,8 +21,6 @@ #include "rdma_backend.h" #include "rdma_rm.h" -#define MAX_RM_TBL_NAME 16 - /* Page directory and page tables */ #define PG_DIR_SZ { TARGET_PAGE_SIZE / sizeof(__u64) } #define PG_TBL_SZ { TARGET_PAGE_SIZE / sizeof(__u64) } diff --git a/hw/rdma/rdma_rm_defs.h b/hw/rdma/rdma_rm_defs.h index 4d22a20e4c..226011176d 100644 --- a/hw/rdma/rdma_rm_defs.h +++ b/hw/rdma/rdma_rm_defs.h @@ -34,9 +34,9 @@ #define MAX_QP_INIT_RD_ATOM 16 #define MAX_AH 64 -#define MAX_RMRESTBL_NAME_SZ 16 +#define MAX_RM_TBL_NAME 16 typedef struct RdmaRmResTbl { - char name[MAX_RMRESTBL_NAME_SZ]; + char name[MAX_RM_TBL_NAME]; QemuMutex lock; unsigned long *bitmap; size_t tbl_sz; From d18a530d8589257cd81960284df8730ef869cabe Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Mon, 30 Apr 2018 23:02:23 +0300 Subject: [PATCH 7/8] hw/rdma: Fix possible out of bounds access to port GID index Make sure the backend GID index is less then port's gid table length. Signed-off-by: Marcel Apfelbaum Reviewed-by: Yuval Shaia Message-Id: <20180430200223.4119-8-marcel.apfelbaum@gmail.com> --- hw/rdma/rdma_backend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c index 5c7b3d8949..e9ced6f9ef 100644 --- a/hw/rdma/rdma_backend.c +++ b/hw/rdma/rdma_backend.c @@ -774,7 +774,7 @@ int rdma_backend_init(RdmaBackendDev *backend_dev, goto out_destroy_comm_channel; } - if (backend_dev->backend_gid_idx > port_attr.gid_tbl_len) { + if (backend_dev->backend_gid_idx >= port_attr.gid_tbl_len) { error_setg(errp, "Invalid backend_gid_idx, should be less than %d", port_attr.gid_tbl_len); goto out_destroy_comm_channel; From fe355cbda28b5e3dfc6a70b902343b84c466aa17 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Thu, 26 Apr 2018 11:45:23 +0300 Subject: [PATCH 8/8] MAINTAINERS: update Marcel Apfelbaum email Use my gmail account for maintainer tasks. Signed-off-by: Marcel Apfelbaum Message-Id: <20180426084523.10565-1-marcel@redhat.com> Reviewed-by: Yuval Shaia --- MAINTAINERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 24b70169bc..459e3594e1 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -909,7 +909,7 @@ X86 Machines ------------ PC M: Michael S. Tsirkin -M: Marcel Apfelbaum +M: Marcel Apfelbaum S: Supported F: include/hw/i386/ F: hw/i386/ @@ -959,7 +959,7 @@ F: include/hw/timer/mc146818rtc* Machine core M: Eduardo Habkost -M: Marcel Apfelbaum +M: Marcel Apfelbaum S: Supported F: hw/core/machine.c F: hw/core/null-machine.c @@ -1033,7 +1033,7 @@ F: hw/ipack/ PCI M: Michael S. Tsirkin -M: Marcel Apfelbaum +M: Marcel Apfelbaum S: Supported F: include/hw/pci/* F: hw/misc/pci-testdev.c @@ -2075,7 +2075,7 @@ F: docs/block-replication.txt PVRDMA M: Yuval Shaia -M: Marcel Apfelbaum +M: Marcel Apfelbaum S: Maintained F: hw/rdma/* F: hw/rdma/vmw/*