Bug 1801977

Summary: [RHEL-8.3/RDMA/rdma-core] Chelsio provider specific potential Coverity issues
Product: Red Hat Enterprise Linux 8 Reporter: Honggang LI <honli>
Component: rdma-core Assignee: Honggang LI <honli>
Status: CLOSED WONTFIX QA Contact: Infiniband QE <infiniband-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3 CC: hwkernel-mgr, linville, rdma-dev-team, viskulka
Target Milestone: rc   
Target Release: 8.4   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2020-11-11 12:28:52 UTC Type: Bug

Description Honggang LI 2020-02-12 02:58:41 UTC
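Description of problem:

A static-analysis scan of the cxgb4 (Chelsio) provider in rdma-core-28.0 reports the potential issues listed below. They are: a possible NULL dereference of 'qhp' in cq.c, a sysconf() result used without a check for a negative return in dev.c, a dead store and two uninitialized arguments (reached when the work-request loop is not entered) in qp.c, and three response-structure overrun reports in verbs.c.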

Error: CLANG_WARNING:
rdma-core-28.0/providers/cxgb4/cq.c:745:15: warning: Dereference of null pointer
#        wc->qp_num = qhp->wq.sq.qid;
#                     ^
rdma-core-28.0/providers/cxgb4/cq.c:895:6: note: Assuming the condition is true
#        if (t4_cq_in_error(&chp->cq)) {
#            ^~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:895:2: note: Taking true branch
#        if (t4_cq_in_error(&chp->cq)) {
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:900:6: note: Assuming 'num_entries' is not equal to 0
#        if (!num_entries)
#            ^~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:900:2: note: Taking false branch
#        if (!num_entries)
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:904:20: note: Assuming 'npolled' is < 'num_entries'
#        for (npolled = 0; npolled < num_entries; ++npolled) {
#                          ^~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:904:2: note: Loop condition is true.  Entering loop body
#        for (npolled = 0; npolled < num_entries; ++npolled) {
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:906:10: note: Calling 'c4iw_poll_cq_one'
#                        err = c4iw_poll_cq_one(chp, wc + npolled);
#                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:708:6: note: 'ret' is 0
#        if (ret) {
#            ^~~
rdma-core-28.0/providers/cxgb4/cq.c:708:2: note: Taking false branch
#        if (ret) {
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:727:8: note: Calling 'get_qhp'
#        qhp = get_qhp(chp->rhp, CQE_QPID(&rd_cqe->com));
#              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:727:8: note: Returning from 'get_qhp'
#        qhp = get_qhp(chp->rhp, CQE_QPID(&rd_cqe->com));
#              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:727:2: note: Value assigned to 'qhp'
#        qhp = get_qhp(chp->rhp, CQE_QPID(&rd_cqe->com));
#        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/cq.c:728:6: note: Assuming 'qhp' is null
#        if (!qhp)
#            ^~~~
rdma-core-28.0/providers/cxgb4/cq.c:728:2: note: Taking true branch
#        if (!qhp)
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:738:9: note: 'srq' is null
#                      srq ? &srq->wq : NULL);
#                      ^~~
rdma-core-28.0/providers/cxgb4/cq.c:738:9: note: '?' condition is false
rdma-core-28.0/providers/cxgb4/cq.c:739:6: note: Assuming 'ret' is 0
#        if (ret)
#            ^~~
rdma-core-28.0/providers/cxgb4/cq.c:739:2: note: Taking false branch
#        if (ret)
#        ^
rdma-core-28.0/providers/cxgb4/cq.c:745:15: note: Dereference of null pointer
#        wc->qp_num = qhp->wq.sq.qid;
#                     ^~~~~~~~~~~~~~
#  743|   	INC_STAT(cqe);
#  744|   	wc->wr_id = cookie;
#  745|-> 	wc->qp_num = qhp->wq.sq.qid;
#  746|   	wc->vendor_err = CQE_STATUS(com);
#  747|   	wc->wc_flags = 0;

Error: NEGATIVE_RETURNS (CWE-394):
rdma-core-28.0/providers/cxgb4/dev.c:405: negative_return_fn: Function "sysconf(_SC_PAGESIZE)" returns a negative number.
rdma-core-28.0/providers/cxgb4/dev.c:405: assign: Assigning: "c4iw_page_size" = "sysconf(_SC_PAGESIZE)".
rdma-core-28.0/providers/cxgb4/dev.c:406: negative_returns: "c4iw_page_size" is passed to a parameter that cannot be negative.
#  404|   
#  405|   	c4iw_page_size = sysconf(_SC_PAGESIZE);
#  406|-> 	c4iw_page_shift = long_log2(c4iw_page_size);
#  407|   	c4iw_page_mask = ~(c4iw_page_size - 1);
#  408|   

Error: CLANG_WARNING:
rdma-core-28.0/providers/cxgb4/qp.c:129:3: warning: Value stored to 'srcp' is never read
#                srcp += len;
#                ^       ~~~
rdma-core-28.0/providers/cxgb4/qp.c:129:3: note: Value stored to 'srcp' is never read
#                srcp += len;
#                ^       ~~~
#  127|   		memcpy(dstp, srcp, len);
#  128|   		dstp += len;
#  129|-> 		srcp += len;
#  130|   	}
#  131|   	len = ROUND_UP(plen + 8, 16) - (plen + 8);

Error: CLANG_WARNING:
rdma-core-28.0/providers/cxgb4/qp.c:604:3: warning: 4th function call argument is an uninitialized value
#                t4_ring_sq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#                ^
rdma-core-28.0/providers/cxgb4/qp.c:478:2: note: 'len16' declared without an initial value
#        u8 uninitialized_var(len16);
#        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/t4.h:49:12: note: expanded from macro 'u8'
##define u8 uint8_t
#           ^
rdma-core-28.0/providers/cxgb4/qp.c:489:6: note: Assuming the condition is false
#        if (t4_wq_in_error(&qhp->wq)) {
#            ^~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/qp.c:489:2: note: Taking false branch
#        if (t4_wq_in_error(&qhp->wq)) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:495:6: note: Assuming 'num_wrs' is not equal to 0
#        if (num_wrs == 0) {
#            ^~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/qp.c:495:2: note: Taking false branch
#        if (num_wrs == 0) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:510:6: note: Assuming field 'write_cmpl_supported' is false
#        if (qhp->rhp->write_cmpl_supported &&
#            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/qp.c:510:37: note: Left side of '&&' is false
#        if (qhp->rhp->write_cmpl_supported &&
#                                           ^
rdma-core-28.0/providers/cxgb4/qp.c:524:2: note: Loop condition is false. Execution continues on line 603
#        while (wr) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:603:2: note: Taking true branch
#        if (t4_wq_db_enabled(&qhp->wq)) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:604:3: note: 4th function call argument is an uninitialized value
#                t4_ring_sq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#                ^
#  602|   	}
#  603|   	if (t4_wq_db_enabled(&qhp->wq)) {
#  604|-> 		t4_ring_sq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#  605|   			      len16, wqe);
#  606|   	} else

Error: CLANG_WARNING:
rdma-core-28.0/providers/cxgb4/qp.c:759:3: warning: 5th function call argument is an uninitialized value
#                t4_ring_rq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#                ^
rdma-core-28.0/providers/cxgb4/qp.c:706:20: note: 'wqe' declared without an initial value
#        union t4_recv_wr *wqe, lwqe;
#                          ^~~
rdma-core-28.0/providers/cxgb4/qp.c:713:6: note: Assuming the condition is false
#        if (t4_wq_in_error(&qhp->wq)) {
#            ^~~~~~~~~~~~~~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/qp.c:713:2: note: Taking false branch
#        if (t4_wq_in_error(&qhp->wq)) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:720:6: note: Assuming 'num_wrs' is not equal to 0
#        if (num_wrs == 0) {
#            ^~~~~~~~~~~~
rdma-core-28.0/providers/cxgb4/qp.c:720:2: note: Taking false branch
#        if (num_wrs == 0) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:725:2: note: Loop condition is false. Execution continues on line 758
#        while (wr) {
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:758:2: note: Taking true branch
#        if (t4_wq_db_enabled(&qhp->wq))
#        ^
rdma-core-28.0/providers/cxgb4/qp.c:759:3: note: 5th function call argument is an uninitialized value
#                t4_ring_rq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#                ^
#  757|   	}
#  758|   	if (t4_wq_db_enabled(&qhp->wq))
#  759|-> 		t4_ring_rq_db(&qhp->wq, idx, dev_is_t4(qhp->rhp),
#  760|   			      len16, wqe);
#  761|   	else

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/cxgb4/verbs.c:283: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_SRQ of 16 bytes by passing it to a function which accesses it at byte offset 16.
#  281|   		goto err;
#  282|   
#  283|-> 	ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, attr, &cmd,
#  284|   			sizeof(cmd), &resp.ibv_resp, sizeof(resp));
#  285|   	if (ret)

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/cxgb4/verbs.c:422: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP of 32 bytes by passing it to a function which accesses it at byte offset 32.
#  420|   		goto err1;
#  421|   
#  422|-> 	ret = ibv_cmd_create_qp(pd, &qhp->ibv_qp, attr, &cmd,
#  423|   				sizeof cmd, &resp.ibv_resp, sizeof resp);
#  424|   	if (ret)

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/cxgb4/verbs.c:526: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP of 32 bytes by passing it to a function which accesses it at byte offset 32.
#  524|   		goto err1;
#  525|   
#  526|-> 	ret = ibv_cmd_create_qp(pd, &qhp->ibv_qp, attr, &cmd,
#  527|   				sizeof cmd, &resp.ibv_resp, sizeof resp);
#  528|   	if (ret)


Version-Release number of selected component (if applicable):
The source RPM was created from the upstream git repository. The last upstream
commit ID is 4cb982f9773b5c06437b57341d65528d077129b9.



Comment 1 Honggang LI 2020-02-13 04:48:53 UTC
Hi, Vishal

 Could you please review and fix these potential Chelsio-specific Coverity issues?

Thanks