Message ID | 20210322120944.225643-3-its@irrelevant.dk |
---|---|
State | New |
Headers | show |
Series | hw/block/nvme: coverity fixes | expand |
On Mon, Mar 22, 2021 at 01:09:44PM +0100, Klaus Jensen wrote: >From: Klaus Jensen <k.jensen@samsung.com> > >Max noticed that since blk_aio_pwrite_zeroes() may invoke the callback >before returning, the callbacks will never see *count == 0 and thus >never free the count variable or decrement num_formats causing a CQE to >never be posted. > >Coverity (CID 1451082) also picked up on the fact that count would not >be free'ed if the namespace was of zero size. > >Fix both of these issues by explicitly checking *count and finalize for >the given namespace if --(*count) is zero. Enqueing a CQE if there are >no AIOs outstanding after this case is already handled by nvme_format() >by inspecting *num_formats. > >Reported-by: Max Reitz <mreitz@redhat.com> >Reported-by: Coverity (CID 1451082) >Fixes: dc04d25e2f3f ("hw/block/nvme: add support for the format nvm command") >Signed-off-by: Klaus Jensen <k.jensen@samsung.com> >--- > hw/block/nvme.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > >diff --git a/hw/block/nvme.c b/hw/block/nvme.c >index 6842b01ab58b..c54ec3c9523c 100644 >--- a/hw/block/nvme.c >+++ b/hw/block/nvme.c >@@ -5009,9 +5009,15 @@ static uint16_t nvme_format_ns(NvmeCtrl *n, NvmeNamespace *ns, uint8_t lbaf, > > } > >- (*count)--; >+ if (--(*count)) { >+ return NVME_NO_COMPLETE; >+ } > >- return NVME_NO_COMPLETE; >+ g_free(count); >+ ns->status = 0x0; >+ (*num_formats)--; >+ >+ return NVME_SUCCESS; > } Reviewed-by: Gollu Appalanaidu <anaidu.gollu@samsung.com> > > static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req) >-- >2.31.0 > >
diff --git a/hw/block/nvme.c b/hw/block/nvme.c index 6842b01ab58b..c54ec3c9523c 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -5009,9 +5009,15 @@ static uint16_t nvme_format_ns(NvmeCtrl *n, NvmeNamespace *ns, uint8_t lbaf, } - (*count)--; + if (--(*count)) { + return NVME_NO_COMPLETE; + } - return NVME_NO_COMPLETE; + g_free(count); + ns->status = 0x0; + (*num_formats)--; + + return NVME_SUCCESS; } static uint16_t nvme_format(NvmeCtrl *n, NvmeRequest *req)