All new accounts created on Gitlab now require administrator approval. If you invite any collaborators, please let Flux staff know so they can approve the accounts.

Commit 1aba4be9 authored by Peter Maydell's avatar Peter Maydell

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

A smattering of fixes for problems that Coverity reported.

# gpg: Signature made Mon 17 Nov 2014 17:03:25 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  hcd-musb: fix dereference null return value
  target-cris/translate.c: fix out of bounds read
  shpc: fix error propaagation
  qemu-char: fix MISSING_COMMA
  acl: fix memory leak
  nvme: remove superfluous check
  loader: fix NEGATIVE_RETURNS
  qga: fix false negative argument passing
  mips_mipssim: fix use-after-free for filename
  l2tpv3: fix fd leak
  l2tpv3: fix possible double free
  libcacard: fix resource leak
Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents d8edf52a a9be7657
......@@ -583,8 +583,7 @@ static int nvme_start_ctrl(NvmeCtrl *n)
NVME_CC_IOCQES(n->bar.cc) > NVME_CTRL_CQES_MAX(n->id_ctrl.cqes) ||
NVME_CC_IOSQES(n->bar.cc) < NVME_CTRL_SQES_MIN(n->id_ctrl.sqes) ||
NVME_CC_IOSQES(n->bar.cc) > NVME_CTRL_SQES_MAX(n->id_ctrl.sqes) ||
!NVME_AQA_ASQS(n->bar.aqa) || NVME_AQA_ASQS(n->bar.aqa) > 4095 ||
!NVME_AQA_ACQS(n->bar.aqa) || NVME_AQA_ACQS(n->bar.aqa) > 4095) {
!NVME_AQA_ASQS(n->bar.aqa) || !NVME_AQA_ACQS(n->bar.aqa)) {
return -1;
}
......
......@@ -80,6 +80,13 @@ int load_image(const char *filename, uint8_t *addr)
if (fd < 0)
return -1;
size = lseek(fd, 0, SEEK_END);
if (size == -1) {
fprintf(stderr, "file %-20s: get size error: %s\n",
filename, strerror(errno));
close(fd);
return -1;
}
lseek(fd, 0, SEEK_SET);
if (read(fd, addr, size) != size) {
close(fd);
......@@ -748,6 +755,12 @@ int rom_add_file(const char *file, const char *fw_dir,
}
rom->addr = addr;
rom->romsize = lseek(fd, 0, SEEK_END);
if (rom->romsize == -1) {
fprintf(stderr, "rom: file %-20s: get size error: %s\n",
rom->name, strerror(errno));
goto err;
}
rom->datasize = rom->romsize;
rom->data = g_malloc0(rom->datasize);
lseek(fd, 0, SEEK_SET);
......
......@@ -197,7 +197,7 @@ mips_mipssim_init(MachineState *machine)
!kernel_filename && !qtest_enabled()) {
/* Bail out if we have neither a kernel image nor boot vector code. */
error_report("Could not load MIPS bios '%s', and no "
"-kernel argument was specified", filename);
"-kernel argument was specified", bios_name);
exit(1);
} else {
/* We have a boot vector start address. */
......
......@@ -559,8 +559,9 @@ void shpc_device_hot_unplug_request_cb(HotplugHandler *hotplug_dev,
uint8_t led;
int slot;
shpc_device_hotplug_common(PCI_DEVICE(dev), &slot, shpc, errp);
shpc_device_hotplug_common(PCI_DEVICE(dev), &slot, shpc, &local_err);
if (local_err) {
error_propagate(errp, local_err);
return;
}
......
......@@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
USBDevice *dev;
USBEndpoint *uep;
int idx = epnum && dir;
int id;
int ttype;
/* ep->type[0,1] contains:
......@@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
/* A wild guess on the FADDR semantics... */
dev = usb_find_device(&s->port, ep->faddr[idx]);
uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
(dev->addr << 16) | (uep->nr << 8) | pid, false, true);
id = pid;
if (uep) {
id |= (dev->addr << 16) | (uep->nr << 8);
}
usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
ep->packey[dir].ep = ep;
ep->packey[dir].dir = dir;
......
......@@ -597,7 +597,7 @@ connect_to_qemu(
const char *port
) {
struct addrinfo hints;
struct addrinfo *server;
struct addrinfo *server = NULL;
int ret, sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
......@@ -629,9 +629,14 @@ connect_to_qemu(
if (verbose) {
printf("Connected (sizeof Header=%zd)!\n", sizeof(VSCMsgHeader));
}
freeaddrinfo(server);
return sock;
cleanup_socket:
if (server) {
freeaddrinfo(server);
}
closesocket(sock);
return -1;
}
......
......@@ -516,7 +516,7 @@ static void net_l2tpv3_cleanup(NetClientState *nc)
qemu_purge_queued_packets(nc);
l2tpv3_read_poll(s, false);
l2tpv3_write_poll(s, false);
if (s->fd > 0) {
if (s->fd >= 0) {
close(s->fd);
}
destroy_vector(s->msgvec, MAX_L2TPV3_MSGCNT, IOVSIZE);
......@@ -660,7 +660,6 @@ int net_init_l2tpv3(const NetClientOptions *opts,
if (fd == -1) {
fd = -errno;
error_report("l2tpv3_open : socket creation failed, errno = %d", -fd);
freeaddrinfo(result);
goto outerr;
}
if (bind(fd, (struct sockaddr *) result->ai_addr, result->ai_addrlen)) {
......@@ -746,7 +745,7 @@ int net_init_l2tpv3(const NetClientOptions *opts,
return 0;
outerr:
qemu_del_net_client(nc);
if (fd > 0) {
if (fd >= 0) {
close(fd);
}
if (result) {
......
......@@ -464,7 +464,7 @@ static const char * const mux_help[] = {
"% h print this help\n\r",
"% x exit emulator\n\r",
"% s save disk data back to file (if -snapshot)\n\r",
"% t toggle console timestamps\n\r"
"% t toggle console timestamps\n\r",
"% b send break (magic sysrq)\n\r",
"% c switch between console and monitor\n\r",
"% % sends %\n\r",
......
......@@ -603,8 +603,8 @@ static void process_event(JSONMessageParser *parser, QList *tokens)
error_free(err);
}
ret = send_response(s, QOBJECT(qdict));
if (ret) {
g_warning("error sending error response: %s", strerror(ret));
if (ret < 0) {
g_warning("error sending error response: %s", strerror(-ret));
}
}
......
......@@ -169,9 +169,7 @@ static int preg_sizes[] = {
static inline void t_gen_mov_TN_preg(TCGv tn, int r)
{
if (r < 0 || r > 15) {
fprintf(stderr, "wrong register read $p%d\n", r);
}
assert(r >= 0 && r <= 15);
if (r == PR_BZ || r == PR_WZ || r == PR_DZ) {
tcg_gen_mov_tl(tn, tcg_const_tl(0));
} else if (r == PR_VR) {
......@@ -182,9 +180,7 @@ static inline void t_gen_mov_TN_preg(TCGv tn, int r)
}
static inline void t_gen_mov_preg_TN(DisasContext *dc, int r, TCGv tn)
{
if (r < 0 || r > 15) {
fprintf(stderr, "wrong register write $p%d\n", r);
}
assert(r >= 0 && r <= 15);
if (r == PR_BZ || r == PR_WZ || r == PR_DZ) {
return;
} else if (r == PR_SRS) {
......
......@@ -132,7 +132,6 @@ int qemu_acl_insert(qemu_acl *acl,
const char *match,
int index)
{
qemu_acl_entry *entry;
qemu_acl_entry *tmp;
int i = 0;
......@@ -142,13 +141,14 @@ int qemu_acl_insert(qemu_acl *acl,
return qemu_acl_append(acl, deny, match);
}
entry = g_malloc(sizeof(*entry));
entry->match = g_strdup(match);
entry->deny = deny;
QTAILQ_FOREACH(tmp, &acl->entries, next) {
i++;
if (i == index) {
qemu_acl_entry *entry;
entry = g_malloc(sizeof(*entry));
entry->match = g_strdup(match);
entry->deny = deny;
QTAILQ_INSERT_BEFORE(tmp, entry, next);
acl->nentries++;
break;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment