::::::
:::::: Manual check reason: "low confidence bisect report"
:::::: Manual check reason: "low confidence static check first_new_problem:
net/ethtool/ioctl.c:1021:25: warning: use of uninitialized value
'info.<U62f8>.rule_cnt' [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]"
::::::
BCC: lkp(a)intel.com
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Al Viro <viro(a)zeniv.linux.org.uk>
CC: Christoph Hellwig <hch(a)lst.de>
CC: "Christian Brauner (Microsoft)" <brauner(a)kernel.org>
tree:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: a335366bad1364a07f49df9da1fdfa6d411a5f39
commit: 0e3c3b901c00364198d31482fa2552ccf2d5c899 No need of likely/unlikely on calls of
check_copy_size()
date: 3 months ago
:::::: branch date: 27 hours ago
:::::: commit date: 3 months ago
config: arm-randconfig-c002-20220917
compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O
~/bin/make.cross
chmod +x ~/bin/make.cross
#
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit...
git remote add linus
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 0e3c3b901c00364198d31482fa2552ccf2d5c899
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross ARCH=arm
KBUILD_USERCFLAGS='-fanalyzer -Wno-error'
If you fix the issue, kindly add the following tag where applicable
Reported-by: kernel test robot <lkp(a)intel.com>
gcc_analyzer warnings: (new ones prefixed by >>)
|
'ethtool_rxnfc_copy_from_user': event 28
|
|include/linux/once_lite.h:17:20:
| 17 | if (unlikely(__ret_do_once &&
!__already_done)) { \
| | ^
| | |
| | (28) following 'false'
branch...
include/asm-generic/bug.h:147:9: note: in expansion of macro 'DO_ONCE_LITE_IF'
| 147 | DO_ONCE_LITE_IF(condition, WARN_ON, 1)
| | ^~~~~~~~~~~~~~~
include/linux/thread_info.h:233:13: note: in expansion of macro 'WARN_ON_ONCE'
| 233 | if (WARN_ON_ONCE(bytes > INT_MAX))
| | ^~~~~~~~~~~~
|
'ethtool_rxnfc_copy_from_user': events 29-30
|
|include/linux/uaccess.h:152:21:
| 152 | n = _copy_from_user(to, from, n);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (29) ...to here
| | (30) calling
'_copy_from_user' from 'ethtool_rxnfc_copy_from_user'
|
+--> '_copy_from_user': event 31
|
| 113 | _copy_from_user(void *to, const void __user
*from, unsigned long n)
| | ^~~~~~~~~~~~~~~
| | |
| | (31) entry to '_copy_from_user'
|
'_copy_from_user': event 32
|
| 117 | if (!should_fail_usercopy() &&
likely(access_ok(from, n))) {
|
'_copy_from_user': event 33
|
|include/linux/compiler.h:78:42:
| 78 | # define unlikely(x)
__builtin_expect(!!(x), 0)
| |
^~~~~
| | |
| | (33)
...to here
include/linux/uaccess.h:121:13: note: in expansion of macro 'unlikely'
| 121 | if (unlikely(res))
| | ^~~~~~~~
|
'_copy_from_user': events 34-35
|
| 121 | if (unlikely(res))
| | ^
| | |
| | (34) following 'false'
branch...
| 122 | memset(to + (n - res), 0,
res);
| 123 | return res;
| | ~~~
| | |
| | (35) ...to here
|
<------+
|
'ethtool_rxnfc_copy_from_user': event 36
|
| 152 | n = _copy_from_user(to, from, n);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (36) returning to
'ethtool_rxnfc_copy_from_user' from '_copy_from_user'
|
'ethtool_rxnfc_copy_from_user': event 37
|
|net/ethtool/ioctl.c:886:12:
| 886 | if (copy_from_user(rxnfc, useraddr, size))
| | ^
| | |
| | (37) following 'false' branch
(when 'n == 0')...
|
'ethtool_rxnfc_copy_from_user': event 38
|
|cc1:
| (38): ...to here
|
<------+
|
'ethtool_get_rxnfc': events 39-42
|
| 1000 | if (ethtool_rxnfc_copy_from_user(&info,
useraddr, info_size))
| |
~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(39) returning to 'ethtool_get_rxnfc'
from 'ethtool_rxnfc_copy_from_user'
| | (40) following 'false' branch...
|......
| 1006 | if (cmd == ETHTOOL_GRXFH && info.flow_type
& FLOW_RSS) {
| | ~
| | |
| | (41) ...to here
|......
| 1017 | if (info.cmd != cmd)
| | ~~~~~~~~
| | |
| | (42) use of uninitialized value
'info.cmd' here
|
> net/ethtool/ioctl.c:1021:25: warning: use of uninitialized value
'info.<U62f8>.rule_cnt' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
1021 | if (info.rule_cnt > 0) {
| ~~~~^~~~~~~~~
'dev_ethtool': event 1
|
| 3027 | int dev_ethtool(struct net *net, struct ifreq *ifr, void __user
*useraddr)
| | ^~~~~~~~~~~
| | |
| | (1) entry to 'dev_ethtool'
|
'dev_ethtool': event 2
|
|include/linux/uaccess.h:152:21:
| 152 | n = _copy_from_user(to, from, n);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) calling '_copy_from_user' from
'dev_ethtool'
|
+--> '_copy_from_user': event 3
|
| 113 | _copy_from_user(void *to, const void __user *from, unsigned long
n)
| | ^~~~~~~~~~~~~~~
| | |
| | (3) entry to '_copy_from_user'
|
'_copy_from_user': events 4-5
|
|include/asm-generic/access_ok.h:40:32:
| 40 | return (size <= limit) && (addr <= (limit -
size));
| | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (5) ...to here
| | (4) following 'true' branch
(when 'n <= 1056964608')...
|
<------+
|
'dev_ethtool': event 6
|
|include/linux/uaccess.h:152:21:
| 152 | n = _copy_from_user(to, from, n);
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (6) returning to 'dev_ethtool' from
'_copy_from_user'
|
'dev_ethtool': events 7-11
|
|net/ethtool/ioctl.c:3033:12:
| 3033 | if (copy_from_user(&ethcmd, useraddr, sizeof(ethcmd)))
| | ^
| | |
| | (7) following 'false' branch (when 'n ==
0')...
|......
| 3036 | state = kzalloc(sizeof(*state), GFP_KERNEL);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (8) ...to here
| 3037 | if (!state)
| | ~
| | |
| | (9) following 'false' branch (when 'state' is
non-NULL)...
|......
| 3040 | switch (ethcmd) {
| | ~~~~~~
| | |
| | (10) ...to here
|......
| 3051 | rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (11) calling '__dev_ethtool' from
'dev_ethtool'
|
+--> '__dev_ethtool': events 12-19
|
| 2728 | __dev_ethtool(struct net *net, struct ifreq *ifr, void __user
*useraddr,
| | ^~~~~~~~~~~~~
| | |
| | (12) entry to '__dev_ethtool'
|......
| 2737 | if (!dev)
| | ~
| | |
| | (13) following 'false' branch (when
'dev' is non-NULL)...
|......
| 2740 | if (ethcmd == ETHTOOL_PERQUEUE) {
| | ~
| | |
| | (14) ...to here
|......
| 2793 | if (!netif_device_present(dev)) {
| | ~
| | |
| | (15) following 'true' branch...
|......
| 2798 | if (dev->ethtool_ops->begin) {
| | ~~~~~~~~~~~~~~~~
| | |
| | (16) ...to here
|......
| 2805 | switch (ethcmd) {
| | ~~~~~~
| | |
vim +1021 net/ethtool/ioctl.c
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 979
97f8aefbbfb5aa net/core/ethtool.c chavey 2010-04-07 980 static
noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 981 u32 cmd, void
__user *useraddr)
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 982 {
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 983 struct ethtool_rxnfc
info;
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 984 size_t info_size =
sizeof(info);
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 985 const struct
ethtool_ops *ops = dev->ethtool_ops;
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 986 int ret;
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 987 void *rule_buf =
NULL;
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 988
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 989 if
(!ops->get_rxnfc)
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 990 return
-EOPNOTSUPP;
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 991
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 992 /* struct
ethtool_rxnfc was originally defined for
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 993 * ETHTOOL_{G,S}RXFH
with only the cmd, flow_type and data
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 994 * members.
User-space might still be using that
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 995 * definition. */
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 996 if (cmd ==
ETHTOOL_GRXFH)
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 997 info_size =
(offsetof(struct ethtool_rxnfc, data) +
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 998
sizeof(info.data));
bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 999
dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1000 if
(ethtool_rxnfc_copy_from_user(&info, useraddr, info_size))
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1001 return -EFAULT;
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1002
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1003 /* If FLOW_RSS was
requested then user-space must be using the
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1004 * new definition,
as FLOW_RSS is newer.
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1005 */
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1006 if (cmd ==
ETHTOOL_GRXFH && info.flow_type & FLOW_RSS) {
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1007 info_size =
sizeof(info);
dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1008 if
(ethtool_rxnfc_copy_from_user(&info, useraddr, info_size))
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1009 return -EFAULT;
d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1010 /* Since malicious
users may modify the original data,
d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1011 * we need to check
whether FLOW_RSS is still requested.
d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1012 */
d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1013 if
(!(info.flow_type & FLOW_RSS))
d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1014 return -EINVAL;
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1015 }
84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1016
2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1017 if (info.cmd !=
cmd)
2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1018 return -EINVAL;
2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1019
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1020 if (info.cmd ==
ETHTOOL_GRXCLSRLALL) {
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 @1021 if (info.rule_cnt
> 0) {
db048b69037e7f net/core/ethtool.c Ben Hutchings 2010-06-28 1022 if (info.rule_cnt
<= KMALLOC_MAX_SIZE / sizeof(u32))
6396bb221514d2 net/core/ethtool.c Kees Cook 2018-06-12 1023 rule_buf =
kcalloc(info.rule_cnt, sizeof(u32),
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1024 GFP_USER);
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1025 if (!rule_buf)
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1026 return -ENOMEM;
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1027 }
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1028 }
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1029
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1030 ret =
ops->get_rxnfc(dev, &info, rule_buf);
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1031 if (ret < 0)
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1032 goto err_out;
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1033
dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1034 ret =
ethtool_rxnfc_copy_to_user(useraddr, &info, info_size, rule_buf);
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1035 err_out:
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1036 kfree(rule_buf);
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1037
59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1038 return ret;
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1039 }
0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1040
:::::: The code at line 1021 was first introduced by commit
:::::: 59089d8d162ddcb5c434672e915331964d38a754 ethtool: Add RX pkt classification
interface
:::::: TO: Santwona Behera <santwona.behera(a)sun.com>
:::::: CC: David S. Miller <davem(a)davemloft.net>
--
0-DAY CI Kernel Test Service
https://01.org/lkp