Message-ID: <3b376171-8ca8-a4ad-cbbb-8deeb3cd9bca@canonical.com>
Date:   Thu, 15 Oct 2020 13:12:48 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     Diana Craciun <diana.craciun@....nxp.com>, kvm@...r.kernel.org
Cc:     Bharat Bhushan <Bharat.Bhushan@....com>,
        Diana Craciun <diana.craciun@....nxp.com>,
        Eric Auger <eric.auger@...hat.com>,
        Alex Williamson <alex.williamson@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: re: vfio/fsl-mc: trigger an interrupt via eventfd

Hi,

Static analysis with Coverity on linux-next today has detected an issue
in the following commit:

commit cc0ee20bd96971c10eba9a83ecf1c0733078a083
Author: Diana Craciun <diana.craciun@....nxp.com>
Date:   Mon Oct 5 20:36:52 2020 +0300

    vfio/fsl-mc: trigger an interrupt via eventfd


The analysis is as follows:

106 static int vfio_fsl_mc_set_irq_trigger(struct vfio_fsl_mc_device *vdev,
107                                       unsigned int index, unsigned int start,
108                                       unsigned int count, u32 flags,
109                                       void *data)
110 {
111        struct fsl_mc_device *mc_dev = vdev->mc_dev;
112        int ret, hwirq;
113        struct vfio_fsl_mc_irq *irq;
114        struct device *cont_dev = fsl_mc_cont_dev(&mc_dev->dev);
115        struct fsl_mc_device *mc_cont = to_fsl_mc_device(cont_dev);
116

cond_const: Condition count != 1U, taking false branch. Now the value of
count is equal to 1.

117        if (start != 0 || count != 1)
118                return -EINVAL;
119
120        mutex_lock(&vdev->reflck->lock);
121        ret = fsl_mc_populate_irq_pool(mc_cont,
122                        FSL_MC_IRQ_POOL_MAX_TOTAL_IRQS);
123        if (ret)
124                goto unlock;
125
126        ret = vfio_fsl_mc_irqs_allocate(vdev);
127        if (ret)
128                goto unlock;
129        mutex_unlock(&vdev->reflck->lock);
130

const: At condition count, the value of count must be equal to 1.
dead_error_condition: The condition !count cannot be true.

Logically dead code (DEADCODE)
dead_error_line: Execution cannot reach the expression flags & 1U inside
this statement: if (!count && flags & 1U)

 ....
131        if (!count && (flags & VFIO_IRQ_SET_DATA_NONE))
132                return vfio_set_trigger(vdev, index, -1);

At line 131, count is 1 because of the check and return on lines
117-118.  !count is 0, and so 0 && (flags & VFIO_IRQ_SET_DATA_NONE) is
always false, so the vfio_set_trigger is never called. I suspect that
was not the intention.

Colin
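
The reachability argument in the report, checked exhaustively in a user-space model (an added example, not part of the original message or the driver). The names `reported_order`, `reordered`, `count_disable_hits` and the `PATH_*` values are hypothetical, and the reordering is only one possible arrangement assumed for comparison, not the committed fix.

```c
#include <errno.h>
#include <stdio.h>

/* The report shows the flag test as "flags & 1U", so the flag is bit 0. */
#define VFIO_IRQ_SET_DATA_NONE 1U

/* Hypothetical markers for which branch of the model was taken. */
enum path { PATH_EINVAL = -EINVAL, PATH_DISABLE = 1, PATH_SETUP = 2 };

/* Ordering from the report: range check (lines 117-118) before the
 * !count test (line 131). Allocation steps are left out of the model. */
static int reported_order(unsigned start, unsigned count, unsigned flags)
{
    if (start != 0 || count != 1)
        return PATH_EINVAL;
    if (!count && (flags & VFIO_IRQ_SET_DATA_NONE))
        return PATH_DISABLE;   /* stands in for vfio_set_trigger(vdev, index, -1) */
    return PATH_SETUP;
}

/* Assumed alternative: test the count == 0 case before the range check. */
static int reordered(unsigned start, unsigned count, unsigned flags)
{
    if (!count && (flags & VFIO_IRQ_SET_DATA_NONE))
        return PATH_DISABLE;
    if (start != 0 || count != 1)
        return PATH_EINVAL;
    return PATH_SETUP;
}

/* Count the inputs in a small constructed grid that reach PATH_DISABLE. */
static int count_disable_hits(int (*fn)(unsigned, unsigned, unsigned))
{
    int hits = 0;
    for (unsigned start = 0; start < 4; start++)
        for (unsigned count = 0; count < 4; count++)
            for (unsigned flags = 0; flags < 8; flags++)
                if (fn(start, count, flags) == PATH_DISABLE)
                    hits++;
    return hits;
}

int main(void)
{
    printf("reported order: %d inputs reach the disable path\n",
           count_disable_hits(reported_order));
    printf("reordered:      %d inputs reach the disable path\n",
           count_disable_hits(reordered));
    return 0;
}
```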
