On 7/10/25 12:15 PM, Peter Maydell wrote:
> The s390-pci-bus.c code, Coverity complains about a possible overflow
> because get_table_index() can return -1 if the ett value passed in is
> not one of the three permitted ZPCI_ETT_PT, ZPCI_ETT_ST, ZPCI_ETT_RT,
> but the caller in table_translate() doesn't check this and instead
> uses the return value directly in a calculation of the guest address
> to read from.
>
> In fact this case cannot happen, because:
> * get_table_index() is called only from table_translate()
> * the only caller of table_translate() loops through the ett values
>   in the order RT, ST, PT until table_translate() returns 0
> * table_translate() will return 0 for the error cases and when
>   translate_iscomplete() returns true
> * translate_iscomplete() is always true for ZPCI_ETT_PT
>
> So table_translate() is always called with a valid ett value.
>
> Instead of having the various functions called from table_translate()
> return a default or dummy value when the ett argument is out of range,
> use g_assert_not_reached() to indicate that this is impossible.
>
> Coverity: CID 1547609
> Signed-off-by: Peter Maydell <peter.mayd...@linaro.org>
> ---
> Disclaimer: only tested with 'make check/make check-functional'

Reviewed-by: Matthew Rosato <mjros...@linux.ibm.com>

Also to sanity check I ran various tests with s390x guests and a few different PCI passthrough devices using a guest IOMMU to drive table_translate frequently.
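
An added illustration, not part of the thread and not QEMU's code: a stand-alone model of the pattern the commit message describes, showing what an unchecked -1 index does to the computed entry address and how the asserting form differs. The enum values, shift and mask constants, function names and the use of abort() in place of g_assert_not_reached() are all assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the three table levels; not QEMU's values. */
enum { ETT_RT, ETT_ST, ETT_PT };

/* Sentinel style: an out-of-range ett yields -1 instead of an index.
 * The shift and mask values are illustrative only. */
static int index_sentinel(uint64_t iova, int ett)
{
    switch (ett) {
    case ETT_RT: return (int)((iova >> 31) & 0x7ff);
    case ETT_ST: return (int)((iova >> 20) & 0x7ff);
    case ETT_PT: return (int)((iova >> 12) & 0xff);
    }
    return -1;
}

/* Caller that uses the result unchecked: -1 converts to UINT64_MAX,
 * so the entry address wraps to 8 bytes below the table origin. */
static uint64_t entry_addr_unchecked(uint64_t origin, uint64_t iova, int ett)
{
    uint64_t tx = (uint64_t)index_sentinel(iova, ett);
    return origin + tx * sizeof(uint64_t);
}

/* Asserting style: the impossible case stops the program instead of
 * producing a value. abort() stands in for g_assert_not_reached(). */
static uint64_t index_asserted(uint64_t iova, int ett)
{
    switch (ett) {
    case ETT_RT: return (iova >> 31) & 0x7ff;
    case ETT_ST: return (iova >> 20) & 0x7ff;
    case ETT_PT: return (iova >> 12) & 0xff;
    default: abort();
    }
}

/* Same address calculation, but no sentinel can ever reach it. */
static uint64_t entry_addr_asserted(uint64_t origin, uint64_t iova, int ett)
{
    return origin + index_asserted(iova, ett) * sizeof(uint64_t);
}
```

With the sentinel form, the out-of-range case silently produces an address outside the table, which is the calculation the static analyser flags; with the asserting form there is no return path that carries a dummy value into the address arithmetic.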