lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sat, 8 Aug 2020 04:38:30 +0800
From:   kernel test robot <lkp@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     kbuild-all@...ts.01.org, linux-kernel@...r.kernel.org,
        Chao Yu <yuchao0@...wei.com>, Chao Yu <chao@...nel.org>
Subject: drivers/vhost/net.c:1080 get_rx_bufs() error: uninitialized symbol
 'len'.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7
commit: 3f649ab728cda8038259d8f14492fe400fbab911 treewide: Remove uninitialized_var() usage
date:   3 weeks ago
config: x86_64-randconfig-m031-20200807 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

smatch warnings:
drivers/vhost/net.c:1080 get_rx_bufs() error: uninitialized symbol 'len'.

vim +/len +1080 drivers/vhost/net.c

03088137246065 Jason Wang         2016-03-04  1018  
8dd014adfea6f1 David Stevens      2010-07-27  1019  /* This is a multi-buffer version of vhost_get_desc, that works if
8dd014adfea6f1 David Stevens      2010-07-27  1020   *	vq has read descriptors only.
8dd014adfea6f1 David Stevens      2010-07-27  1021   * @vq		- the relevant virtqueue
8dd014adfea6f1 David Stevens      2010-07-27  1022   * @datalen	- data length we'll be reading
8dd014adfea6f1 David Stevens      2010-07-27  1023   * @iovcount	- returned count of io vectors we fill
8dd014adfea6f1 David Stevens      2010-07-27  1024   * @log		- vhost log
8dd014adfea6f1 David Stevens      2010-07-27  1025   * @log_num	- log offset
94249369e99302 Jason Wang         2011-01-17  1026   * @quota       - headcount quota, 1 for big buffer
8dd014adfea6f1 David Stevens      2010-07-27  1027   *	returns number of buffer heads allocated, negative on error
8dd014adfea6f1 David Stevens      2010-07-27  1028   */
8dd014adfea6f1 David Stevens      2010-07-27  1029  static int get_rx_bufs(struct vhost_virtqueue *vq,
8dd014adfea6f1 David Stevens      2010-07-27  1030  		       struct vring_used_elem *heads,
8dd014adfea6f1 David Stevens      2010-07-27  1031  		       int datalen,
8dd014adfea6f1 David Stevens      2010-07-27  1032  		       unsigned *iovcount,
8dd014adfea6f1 David Stevens      2010-07-27  1033  		       struct vhost_log *log,
94249369e99302 Jason Wang         2011-01-17  1034  		       unsigned *log_num,
94249369e99302 Jason Wang         2011-01-17  1035  		       unsigned int quota)
8dd014adfea6f1 David Stevens      2010-07-27  1036  {
8dd014adfea6f1 David Stevens      2010-07-27  1037  	unsigned int out, in;
8dd014adfea6f1 David Stevens      2010-07-27  1038  	int seg = 0;
8dd014adfea6f1 David Stevens      2010-07-27  1039  	int headcount = 0;
8dd014adfea6f1 David Stevens      2010-07-27  1040  	unsigned d;
8dd014adfea6f1 David Stevens      2010-07-27  1041  	int r, nlogs = 0;
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1042  	/* len is always initialized before use since we are always called with
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1043  	 * datalen > 0.
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1044  	 */
3f649ab728cda8 Kees Cook          2020-06-03  1045  	u32 len;
8dd014adfea6f1 David Stevens      2010-07-27  1046  
94249369e99302 Jason Wang         2011-01-17  1047  	while (datalen > 0 && headcount < quota) {
e0e9b406470b8d Jason Wang         2010-09-14  1048  		if (unlikely(seg >= UIO_MAXIOV)) {
8dd014adfea6f1 David Stevens      2010-07-27  1049  			r = -ENOBUFS;
8dd014adfea6f1 David Stevens      2010-07-27  1050  			goto err;
8dd014adfea6f1 David Stevens      2010-07-27  1051  		}
47283bef7ed356 Michael S. Tsirkin 2014-06-05  1052  		r = vhost_get_vq_desc(vq, vq->iov + seg,
8dd014adfea6f1 David Stevens      2010-07-27  1053  				      ARRAY_SIZE(vq->iov) - seg, &out,
8dd014adfea6f1 David Stevens      2010-07-27  1054  				      &in, log, log_num);
a39ee449f96a2c Michael S. Tsirkin 2014-03-27  1055  		if (unlikely(r < 0))
a39ee449f96a2c Michael S. Tsirkin 2014-03-27  1056  			goto err;
a39ee449f96a2c Michael S. Tsirkin 2014-03-27  1057  
a39ee449f96a2c Michael S. Tsirkin 2014-03-27  1058  		d = r;
8dd014adfea6f1 David Stevens      2010-07-27  1059  		if (d == vq->num) {
8dd014adfea6f1 David Stevens      2010-07-27  1060  			r = 0;
8dd014adfea6f1 David Stevens      2010-07-27  1061  			goto err;
8dd014adfea6f1 David Stevens      2010-07-27  1062  		}
8dd014adfea6f1 David Stevens      2010-07-27  1063  		if (unlikely(out || in <= 0)) {
8dd014adfea6f1 David Stevens      2010-07-27  1064  			vq_err(vq, "unexpected descriptor format for RX: "
8dd014adfea6f1 David Stevens      2010-07-27  1065  				"out %d, in %d\n", out, in);
8dd014adfea6f1 David Stevens      2010-07-27  1066  			r = -EINVAL;
8dd014adfea6f1 David Stevens      2010-07-27  1067  			goto err;
8dd014adfea6f1 David Stevens      2010-07-27  1068  		}
8dd014adfea6f1 David Stevens      2010-07-27  1069  		if (unlikely(log)) {
8dd014adfea6f1 David Stevens      2010-07-27  1070  			nlogs += *log_num;
8dd014adfea6f1 David Stevens      2010-07-27  1071  			log += *log_num;
8dd014adfea6f1 David Stevens      2010-07-27  1072  		}
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1073  		heads[headcount].id = cpu_to_vhost32(vq, d);
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1074  		len = iov_length(vq->iov + seg, in);
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1075  		heads[headcount].len = cpu_to_vhost32(vq, len);
8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24  1076  		datalen -= len;
8dd014adfea6f1 David Stevens      2010-07-27  1077  		++headcount;
8dd014adfea6f1 David Stevens      2010-07-27  1078  		seg += in;
8dd014adfea6f1 David Stevens      2010-07-27  1079  	}
99975cc6ada0d5 Michael S. Tsirkin 2015-01-07 @1080  	heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
8dd014adfea6f1 David Stevens      2010-07-27  1081  	*iovcount = seg;
8dd014adfea6f1 David Stevens      2010-07-27  1082  	if (unlikely(log))
8dd014adfea6f1 David Stevens      2010-07-27  1083  		*log_num = nlogs;
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1084  
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1085  	/* Detect overrun */
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1086  	if (unlikely(datalen > 0)) {
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1087  		r = UIO_MAXIOV + 1;
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1088  		goto err;
d8316f3991d207 Michael S. Tsirkin 2014-03-27  1089  	}
8dd014adfea6f1 David Stevens      2010-07-27  1090  	return headcount;
8dd014adfea6f1 David Stevens      2010-07-27  1091  err:
8dd014adfea6f1 David Stevens      2010-07-27  1092  	vhost_discard_vq_desc(vq, headcount);
8dd014adfea6f1 David Stevens      2010-07-27  1093  	return r;
8dd014adfea6f1 David Stevens      2010-07-27  1094  }
8dd014adfea6f1 David Stevens      2010-07-27  1095  

:::::: The code at line 1080 was first introduced by commit
:::::: 99975cc6ada0d5f2675e83abecae05aba5f437d2 vhost/net: length miscalculation

:::::: TO: Michael S. Tsirkin <mst@...hat.com>
:::::: CC: Michael S. Tsirkin <mst@...hat.com>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (31874 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ