[kbuild] net/ethtool/ioctl.c:1021:25: warning: use of uninitialized value 'info.<U62f8>.rule_cnt' [CWE-457]

:::::: :::::: Manual check reason: "low confidence bisect report" :::::: Manual check reason: "low confidence static check first_new_problem: net/ethtool/ioctl.c:1021:25: warning: use of uninitialized value 'info.<U62f8>.rule_cnt' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]" :::::: BCC: lkp(a)intel.com CC: kbuild-all(a)lists.01.org CC: linux-kernel(a)vger.kernel.org TO: Al Viro <viro(a)zeniv.linux.org.uk&gt; CC: Christoph Hellwig <hch(a)lst.de&gt; CC: "Christian Brauner (Microsoft)" <brauner(a)kernel.org&gt; tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: a335366bad1364a07f49df9da1fdfa6d411a5f39 commit: 0e3c3b901c00364198d31482fa2552ccf2d5c899 No need of likely/unlikely on calls of check_copy_size() date: 3 months ago :::::: branch date: 27 hours ago :::::: commit date: 3 months ago config: arm-randconfig-c002-20220917 compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit... git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git git fetch --no-tags linus master git checkout 0e3c3b901c00364198d31482fa2552ccf2d5c899 # save the config file COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross ARCH=arm KBUILD_USERCFLAGS='-fanalyzer -Wno-error' If you fix the issue, kindly add following tag where applicable Reported-by: kernel test robot <lkp(a)intel.com&gt; gcc_analyzer warnings: (new ones prefixed by >>) | 'ethtool_rxnfc_copy_from_user': event 28 | |include/linux/once_lite.h:17:20: | 17 | if (unlikely(__ret_do_once && !__already_done)) { \ | | ^ | | | | | (28) following 'false' branch... include/asm-generic/bug.h:147:9: note: in expansion of macro 'DO_ONCE_LITE_IF' | 147 | DO_ONCE_LITE_IF(condition, WARN_ON, 1) | | ^~~~~~~~~~~~~~~ include/linux/thread_info.h:233:13: note: in expansion of macro 'WARN_ON_ONCE' | 233 | if (WARN_ON_ONCE(bytes > INT_MAX)) | | ^~~~~~~~~~~~ | 'ethtool_rxnfc_copy_from_user': events 29-30 | |include/linux/uaccess.h:152:21: | 152 | n = _copy_from_user(to, from, n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) ...to here | | (30) calling '_copy_from_user' from 'ethtool_rxnfc_copy_from_user' | +--> '_copy_from_user': event 31 | | 113 | _copy_from_user(void *to, const void __user *from, unsigned long n) | | ^~~~~~~~~~~~~~~ | | | | | (31) entry to '_copy_from_user' | '_copy_from_user': event 32 | | 117 | if (!should_fail_usercopy() && likely(access_ok(from, n))) { | '_copy_from_user': event 33 | |include/linux/compiler.h:78:42: | 78 | # define unlikely(x) __builtin_expect(!!(x), 0) | | ^~~~~ | | | | | (33) ...to here include/linux/uaccess.h:121:13: note: in expansion of macro 'unlikely' | 121 | if (unlikely(res)) | | ^~~~~~~~ | '_copy_from_user': events 34-35 | | 121 | if (unlikely(res)) | | ^ | | | | | (34) following 'false' branch... | 122 | memset(to + (n - res), 0, res); | 123 | return res; | | ~~~ | | | | | (35) ...to here | <------+ | 'ethtool_rxnfc_copy_from_user': event 36 | | 152 | n = _copy_from_user(to, from, n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (36) returning to 'ethtool_rxnfc_copy_from_user' from '_copy_from_user' | 'ethtool_rxnfc_copy_from_user': event 37 | |net/ethtool/ioctl.c:886:12: | 886 | if (copy_from_user(rxnfc, useraddr, size)) | | ^ | | | | | (37) following 'false' branch (when 'n == 0')... | 'ethtool_rxnfc_copy_from_user': event 38 | |cc1: | (38): ...to here | <------+ | 'ethtool_get_rxnfc': events 39-42 | | 1000 | if (ethtool_rxnfc_copy_from_user(&info, useraddr, info_size)) | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(39) returning to 'ethtool_get_rxnfc' from 'ethtool_rxnfc_copy_from_user' | | (40) following 'false' branch... |...... | 1006 | if (cmd == ETHTOOL_GRXFH && info.flow_type & FLOW_RSS) { | | ~ | | | | | (41) ...to here |...... | 1017 | if (info.cmd != cmd) | | ~~~~~~~~ | | | | | (42) use of uninitialized value 'info.cmd' here | 1021 | if (info.rule_cnt > 0) { | ~~~~^~~~~~~~~ 'dev_ethtool': event 1 | | 3027 | int dev_ethtool(struct net *net, struct ifreq *ifr, void __user *useraddr) | | ^~~~~~~~~~~ | | | | | (1) entry to 'dev_ethtool' | 'dev_ethtool': event 2 | |include/linux/uaccess.h:152:21: | 152 | n = _copy_from_user(to, from, n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) calling '_copy_from_user' from 'dev_ethtool' | +--> '_copy_from_user': event 3 | | 113 | _copy_from_user(void *to, const void __user *from, unsigned long n) | | ^~~~~~~~~~~~~~~ | | | | | (3) entry to '_copy_from_user' | '_copy_from_user': events 4-5 | |include/asm-generic/access_ok.h:40:32: | 40 | return (size <= limit) && (addr <= (limit - size)); | | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (5) ...to here | | (4) following 'true' branch (when 'n <= 1056964608')... | <------+ | 'dev_ethtool': event 6 | |include/linux/uaccess.h:152:21: | 152 | n = _copy_from_user(to, from, n); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (6) returning to 'dev_ethtool' from '_copy_from_user' | 'dev_ethtool': events 7-11 | |net/ethtool/ioctl.c:3033:12: | 3033 | if (copy_from_user(&ethcmd, useraddr, sizeof(ethcmd))) | | ^ | | | | | (7) following 'false' branch (when 'n == 0')... |...... | 3036 | state = kzalloc(sizeof(*state), GFP_KERNEL); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) ...to here | 3037 | if (!state) | | ~ | | | | | (9) following 'false' branch (when 'state' is non-NULL)... |...... | 3040 | switch (ethcmd) { | | ~~~~~~ | | | | | (10) ...to here |...... | 3051 | rc = __dev_ethtool(net, ifr, useraddr, ethcmd, state); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (11) calling '__dev_ethtool' from 'dev_ethtool' | +--> '__dev_ethtool': events 12-19 | | 2728 | __dev_ethtool(struct net *net, struct ifreq *ifr, void __user *useraddr, | | ^~~~~~~~~~~~~ | | | | | (12) entry to '__dev_ethtool' |...... | 2737 | if (!dev) | | ~ | | | | | (13) following 'false' branch (when 'dev' is non-NULL)... |...... | 2740 | if (ethcmd == ETHTOOL_PERQUEUE) { | | ~ | | | | | (14) ...to here |...... | 2793 | if (!netif_device_present(dev)) { | | ~ | | | | | (15) following 'true' branch... |...... | 2798 | if (dev->ethtool_ops->begin) { | | ~~~~~~~~~~~~~~~~ | | | | | (16) ...to here |...... | 2805 | switch (ethcmd) { | | ~~~~~~ | | | vim +1021 net/ethtool/ioctl.c 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 979 97f8aefbbfb5aa net/core/ethtool.c chavey 2010-04-07 980 static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev, bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 981 u32 cmd, void __user *useraddr) 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 982 { 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 983 struct ethtool_rxnfc info; bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 984 size_t info_size = sizeof(info); 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 985 const struct ethtool_ops *ops = dev->ethtool_ops; 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 986 int ret; 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 987 void *rule_buf = NULL; 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 988 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 989 if (!ops->get_rxnfc) 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 990 return -EOPNOTSUPP; 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 991 bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 992 /* struct ethtool_rxnfc was originally defined for bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 993 * ETHTOOL_{G,S}RXFH with only the cmd, flow_type and data bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 994 * members. User-space might still be using that bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 995 * definition. */ bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 996 if (cmd == ETHTOOL_GRXFH) bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 997 info_size = (offsetof(struct ethtool_rxnfc, data) + bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 998 sizeof(info.data)); bf988435bd5b53 net/core/ethtool.c Ben Hutchings 2010-06-28 999 dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1000 if (ethtool_rxnfc_copy_from_user(&info, useraddr, info_size)) 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1001 return -EFAULT; 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1002 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1003 /* If FLOW_RSS was requested then user-space must be using the 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1004 * new definition, as FLOW_RSS is newer. 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1005 */ 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1006 if (cmd == ETHTOOL_GRXFH && info.flow_type & FLOW_RSS) { 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1007 info_size = sizeof(info); dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1008 if (ethtool_rxnfc_copy_from_user(&info, useraddr, info_size)) 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1009 return -EFAULT; d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1010 /* Since malicious users may modify the original data, d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1011 * we need to check whether FLOW_RSS is still requested. d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1012 */ d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1013 if (!(info.flow_type & FLOW_RSS)) d656fe49e33df4 net/core/ethtool.c Wenwen Wang 2018-04-30 1014 return -EINVAL; 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1015 } 84a1d9c4820080 net/core/ethtool.c Edward Cree 2018-03-08 1016 2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1017 if (info.cmd != cmd) 2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1018 return -EINVAL; 2bb3207dbbd4d3 net/core/ethtool.c Wenwen Wang 2018-10-09 1019 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1020 if (info.cmd == ETHTOOL_GRXCLSRLALL) { 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 @1021 if (info.rule_cnt > 0) { db048b69037e7f net/core/ethtool.c Ben Hutchings 2010-06-28 1022 if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) 6396bb221514d2 net/core/ethtool.c Kees Cook 2018-06-12 1023 rule_buf = kcalloc(info.rule_cnt, sizeof(u32), 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1024 GFP_USER); 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1025 if (!rule_buf) 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1026 return -ENOMEM; 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1027 } 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1028 } 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1029 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1030 ret = ops->get_rxnfc(dev, &info, rule_buf); 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1031 if (ret < 0) 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1032 goto err_out; 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1033 dd98d2895de648 net/ethtool/ioctl.c Arnd Bergmann 2021-07-22 1034 ret = ethtool_rxnfc_copy_to_user(useraddr, &info, info_size, rule_buf); 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1035 err_out: 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1036 kfree(rule_buf); 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1037 59089d8d162ddc net/core/ethtool.c Santwona Behera 2009-02-20 1038 return ret; 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1039 } 0853ad66b14feb net/core/ethtool.c Santwona Behera 2008-07-02 1040 :::::: The code at line 1021 was first introduced by commit :::::: 59089d8d162ddcb5c434672e915331964d38a754 ethtool: Add RX pkt classification interface :::::: TO: Santwona Behera <santwona.behera(a)sun.com&gt; :::::: CC: David S. Miller <davem(a)davemloft.net&gt; -- 0-DAY CI Kernel Test Service https://01.org/lkp