Hi Shameer,
On 6/23/26 9:51 AM, Shameer Kolothum wrote:
> smmuv3_accel_event_read_validate() returns true for EAGAIN/EINTR, but
> no data has been read into the buffer. Callers treat true as success and
> proceed to use the uninitialized buffer. Return false instead and guard
> warn_report_err_once() against NULL Error in both callers.
>
> Resolves: Coverity CID 1660057
> Fixes: d4aea0f75b ("hw/arm/smmuv3-accel: Introduce common helper for veventq
> read")
> Reported-by: Peter Maydell <[email protected]>
> Signed-off-by: Shameer Kolothum <[email protected]>
> ---
> hw/arm/smmuv3-accel.c | 6 ++++--
> hw/arm/tegra241-cmdqv.c | 4 +++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/hw/arm/smmuv3-accel.c b/hw/arm/smmuv3-accel.c
> index 80900c2521..6d402d2ba6 100644
> --- a/hw/arm/smmuv3-accel.c
> +++ b/hw/arm/smmuv3-accel.c
> @@ -451,7 +451,7 @@ bool smmuv3_accel_event_read_validate(IOMMUFDVeventq
> *veventq, uint32_t type,
> bytes = read(veventq->veventq_fd, buf, size);
> if (bytes <= 0) {
> if (errno == EAGAIN || errno == EINTR) {
> - return true;
> + return false;
> }
> error_setg(errp, "vEVENTQ(type %u id %u): read failed (%m)", type,
> id);
> return false;
> @@ -491,7 +491,9 @@ static void smmuv3_accel_event_read(void *opaque)
> if (!smmuv3_accel_event_read_validate(veventq,
> IOMMU_VEVENTQ_TYPE_ARM_SMMUV3,
> &buf,
> sizeof(buf), &local_err)) {
> - warn_report_err_once(local_err);
> + if (local_err) {
> + warn_report_err_once(local_err);
> + }
> return;
> }
> smmuv3_propagate_event(s, (Evt *)&buf.vevent);
> diff --git a/hw/arm/tegra241-cmdqv.c b/hw/arm/tegra241-cmdqv.c
> index 29c488e0e4..bb0b417e90 100644
> --- a/hw/arm/tegra241-cmdqv.c
> +++ b/hw/arm/tegra241-cmdqv.c
> @@ -845,7 +845,9 @@ static void tegra241_cmdqv_event_read(void *opaque)
> if (!smmuv3_accel_event_read_validate(veventq,
> IOMMU_VEVENTQ_TYPE_TEGRA241_CMDQV,
> &buf, sizeof(buf), &local_err)) {
> - warn_report_err_once(local_err);
> + if (local_err) {
This is not aligned with the general policy. If a function taking an
error handle fails (and returns false), it should set errp.
Don't you have a way to initialize buf in smmuv3_accel_event_read() and
only call smmuv3_propagate_event() if the hdr of vevnt is checked valid?
Thanks
Eric
> + warn_report_err_once(local_err);
> + }
> return;
> }
>