[U-Boot] [PATCH 1/3] nvme: Fix wrong ndev->queues memset

memset() was given a sizeof(NVME_Q_NUM * sizeof(struct nvme_queue *)) to clear, which is wrong.
Reported-by: Coverity (CID: 166729)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
---
drivers/nvme/nvme.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/nvme/nvme.c b/drivers/nvme/nvme.c index ec32d0d..4448754 100644 --- a/drivers/nvme/nvme.c +++ b/drivers/nvme/nvme.c @@ -791,8 +791,7 @@ static int nvme_probe(struct udevice *udev) printf("Error: %s: Out of memory!\n", udev->name); goto free_nvme; } - memset(ndev->queues, 0, - sizeof(NVME_Q_NUM * sizeof(struct nvme_queue *))); + memset(ndev->queues, 0, NVME_Q_NUM * sizeof(struct nvme_queue *));
ndev->prp_pool = malloc(MAX_PRP_POOL); if (!ndev->prp_pool) {
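Review bot: the size fix is correct, but the hunk still leaves the allocation size and the memset size as two independently written expressions. The old `sizeof(NVME_Q_NUM * sizeof(struct nvme_queue *))` evaluated to the size of a `size_t` (4 or 8 bytes), so at most one pointer in `ndev->queues` was zeroed and the remaining entries kept whatever the allocator left there, which is exactly the kind of stale pointer that is later dereferenced or freed on an error path. Since the context lines just above show the buffer being checked for an "Out of memory" failure, consider allocating it with calloc() (or computing one `size_t` used for both the allocation and the memset) so the two sizes cannot drift apart again.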

"lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
Fix it by casting "lbas" to "u32".
Reported-by: Coverity (CID: 166730)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
---
drivers/nvme/nvme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/nvme.c b/drivers/nvme/nvme.c index 4448754..59d54eb 100644 --- a/drivers/nvme/nvme.c +++ b/drivers/nvme/nvme.c @@ -723,7 +723,7 @@ static ulong nvme_blk_rw(struct udevice *udev, lbaint_t blknr, &c, NULL, IO_TIMEOUT); if (status) break; - temp_len -= lbas << ns->lba_shift; + temp_len -= (u32)lbas << ns->lba_shift; buffer += lbas << ns->lba_shift; }
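Review bot: the cast is applied only to the `temp_len -=` statement, while the very next context line, `buffer += lbas << ns->lba_shift;`, still shifts the promoted `int`. Left-shifting a value into or past the sign bit of an `int` is undefined behaviour in C, not merely a sign-extension hazard, so the second occurrence carries the same problem. Suggest computing the byte count once, e.g. `u32 len = (u32)lbas << ns->lba_shift;`, and using `len` in both statements; that also removes the duplicated expression. Is `lbas << ns->lba_shift` guaranteed to fit in 32 bits for the largest `lba_shift` the driver accepts? If not, a `u64` cast would be the safer choice.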

On Sat, Sep 02, 2017 at 08:15:36AM -0700, Bin Meng wrote:
"lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
Fix it by casting "lbas" to "u32".
Reported-by: Coverity (CID: 166730)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com

On Sat, Sep 02, 2017 at 08:15:36AM -0700, Bin Meng wrote:
"lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
Fix it by casting "lbas" to "u32".
Reported-by: Coverity (CID: 166730)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com
Applied to u-boot/master, thanks!

Execution cannot reach this statement: "nr_io_queues = result;"
Reported-by: Coverity (CID: 166731)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
---
drivers/nvme/nvme.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/nvme/nvme.c b/drivers/nvme/nvme.c index 59d54eb..1c3519b 100644 --- a/drivers/nvme/nvme.c +++ b/drivers/nvme/nvme.c @@ -562,9 +562,6 @@ static int nvme_setup_io_queues(struct nvme_dev *dev) if (result <= 0) return result;
- if (result < nr_io_queues) - nr_io_queues = result; - dev->max_qid = nr_io_queues;
/* Free previously allocated queues */
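Review bot: the commit message asserts that `nr_io_queues = result;` is unreachable, but the hunk does not show why, and after the change `dev->max_qid = nr_io_queues;` no longer depends on `result` at all beyond the `result <= 0` error check. Please state in the commit message what guarantees `result >= nr_io_queues` at this point (for example how `result` is derived from the queue count the driver requests), so that a later change to how the queue count is negotiated does not silently reintroduce the need for this clamp. If the guarantee is only that the driver currently asks for a fixed number of queues, a short comment at the `max_qid` assignment would make that explicit.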

On Sat, Sep 02, 2017 at 08:15:37AM -0700, Bin Meng wrote:
Execution cannot reach this statement: "nr_io_queues = result;"
Reported-by: Coverity (CID: 166731)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com

On Sat, Sep 02, 2017 at 08:15:37AM -0700, Bin Meng wrote:
Execution cannot reach this statement: "nr_io_queues = result;"
Reported-by: Coverity (CID: 166731)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com
Applied to u-boot/master, thanks!

On Sat, Sep 02, 2017 at 08:15:35AM -0700, Bin Meng wrote:
memset() was given a sizeof(NVME_Q_NUM * sizeof(struct nvme_queue *)) to clear, which is wrong.
Reported-by: Coverity (CID: 166729)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com

On Sat, Sep 02, 2017 at 08:15:35AM -0700, Bin Meng wrote:
memset() was given a sizeof(NVME_Q_NUM * sizeof(struct nvme_queue *)) to clear, which is wrong.
Reported-by: Coverity (CID: 166729)
Signed-off-by: Bin Meng bmeng.cn@gmail.com
Reviewed-by: Tom Rini trini@konsulko.com
Applied to u-boot/master, thanks!