Commit 56bd07a859 for qemu.org

commit 56bd07a8594795d40e781124512cd4e72ba2fbee
Author: Jamin Lin <jamin_lin@aspeedtech.com>
Date:   Wed Mar 11 02:13:20 2026 +0000

    hw/i3c/dw-i3c: Fix uninitialized data use in short transfer

    Coverity reports that dw_i3c_short_transfer() may pass an
    uninitialized buffer to dw_i3c_send().

    The immediate cause is the use of `data[len] += arg.byte0`, which
    reads from an uninitialized element of the buffer. Replace this with
    a simple assignment.

    Additionally, avoid calling dw_i3c_send() when the constructed payload
    length is zero. In that case the transfer has no data phase, so the
    controller can transition to the idle state directly.

    This resolves the Coverity UNINIT warning and clarifies the handling
    of zero-length short transfers.

    Resolves: Coverity CID 1645555
    Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
    Reviewed-by: Nabih Estefan <nabihestefan@google.com>
    Reviewed-by: Cédric Le Goater <clg@redhat.com>
    Message-ID: <20260311021319.1053774-1-jamin_lin@aspeedtech.com>
    Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

diff --git a/hw/i3c/dw-i3c.c b/hw/i3c/dw-i3c.c
index e9bdfd6af2..d87d42be89 100644
--- a/hw/i3c/dw-i3c.c
+++ b/hw/i3c/dw-i3c.c
@@ -1213,7 +1213,7 @@ static void dw_i3c_short_transfer(DWI3C *s, DWI3CTransferCmd cmd,
          * ignored.
          */
         if (cmd.dbp) {
-            data[len] += arg.byte0;
+            data[len] = arg.byte0;
             len++;
         }
     }
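Review bot: The assignment at `data[len] = arg.byte0;` removes the read of an uninitialized element, but it only covers the `cmd.dbp` branch shown here, and the declaration of `data` is outside this hunk. Consider also zero-initializing `data` where it is declared. That way, any other path that advances `len` without storing a byte hands dw_i3c_send() defined zeros rather than stale stack contents, and Coverity's UNINIT check stays quiet if the function gains new branches later.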
@@ -1228,10 +1228,16 @@ static void dw_i3c_short_transfer(DWI3C *s, DWI3CTransferCmd cmd,
         len++;
     }

-    if (dw_i3c_send(s, data, len, &bytes_sent, is_i2c)) {
-        err = DW_I3C_RESP_QUEUE_ERR_I2C_NACK;
+    if (len > 0) {
+        if (dw_i3c_send(s, data, len, &bytes_sent, is_i2c)) {
+            err = DW_I3C_RESP_QUEUE_ERR_I2C_NACK;
+        } else {
+            /* Only go to an idle state on a successful transfer. */
+            ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
+                             DW_I3C_TRANSFER_STATE_IDLE);
+        }
     } else {
-        /* Only go to an idle state on a successful transfer. */
+        /* No payload bytes for this short transfer. */
         ARRAY_FIELD_DP32(s->regs, PRESENT_STATE, CM_TFR_ST_STATUS,
                          DW_I3C_TRANSFER_STATE_IDLE);
     }
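Review bot: In the new `len == 0` branch, dw_i3c_send() is skipped, so `bytes_sent` is never written through `&bytes_sent`. Its declaration is not visible in this hunk, so please confirm it is initialized to 0 there if anything after this block reads it. Otherwise this change swaps one uninitialized read for another. Separately, the `ARRAY_FIELD_DP32(... DW_I3C_TRANSFER_STATE_IDLE)` call is now duplicated in two branches. Writing the condition as `if (len > 0 && dw_i3c_send(s, data, len, &bytes_sent, is_i2c))` keeps the NACK assignment in the taken branch and leaves a single idle-state update in the `else`. Short-circuit evaluation still guarantees dw_i3c_send() is not called with a zero length.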