Bug 1801981
| Summary: | [RHEL-8.3/RDMA/rdma-core] Intel provider specific potential Coverity issues | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Honggang LI <honli> |
| Component: | rdma-core | Assignee: | Honggang LI <honli> |
| Status: | CLOSED NOTABUG | QA Contact: | Infiniband QE <infiniband-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | hwkernel-mgr, rdma-dev-team |
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Last Closed: | 2020-03-03 06:44:47 UTC | Type: | Bug |
None of the OVERRUN warnings is provider specific, as they are in the common code used by all providers.
The UNINIT warnings are false positives. I'm closing this bug as NOTABUG.
void *mmap(void *addr, size_t length, int prot, int flags,
int fd, off_t offset);
All UNINIT warnings complain that the last parameter, 'offset', may be uninitialized. For example:
Error: UNINIT (CWE-457):
rdma-core-28.0/providers/ipathverbs/verbs.c:151: var_decl: Declaring variable "resp" without initializer.
rdma-core-28.0/providers/ipathverbs/verbs.c:168: uninit_use_in_call: Using uninitialized value "resp.offset" when calling "mmap".
# 166|
# 167| size = sizeof(struct ipath_cq_wc) + sizeof(struct ipath_wc) * cqe;
# 168|-> cq->queue = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
# 169| context->cmd_fd, resp.offset);
# 170| if ((void *) cq->queue == MAP_FAILED) {
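The call to 'ibv_cmd_create_cq' at line 159 sets the offset: it is given &resp.ibv_resp and sizeof resp, and the function returns NULL when that call fails, so the mmap at line 168 reads resp.offset only after a successful call.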
==> 159 ret = ibv_cmd_create_cq(context, cqe, channel, comp_vector,
160 &cq->ibv_cq, NULL, 0,
161 &resp.ibv_resp, sizeof resp);
162 if (ret) {
163 free(cq);
164 return NULL;
165 }
166
167 size = sizeof(struct ipath_cq_wc) + sizeof(struct ipath_wc) * cqe;
>>168 cq->queue = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
169 context->cmd_fd, resp.offset);
|
Description of problem:

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/hfi1verbs/verbs.c:328: overrun-buffer-val: Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
# 326| return NULL;
# 327|
# 328|-> ret = ibv_cmd_create_qp(pd, &qp->ibv_qp, attr, &cmd, sizeof cmd,
# 329| &resp.ibv_resp, sizeof resp);
# 330| if (ret) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/hfi1verbs/verbs.c:372: overrun-buffer-val: Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
# 370| return NULL;
# 371|
# 372|-> ret = ibv_cmd_create_qp(pd, qp, attr, &cmd, sizeof cmd,
# 373| &resp, sizeof resp);
# 374| if (ret) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/hfi1verbs/verbs.c:532: overrun-buffer-val: Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
# 530| return NULL;
# 531|
# 532|-> ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, attr, &cmd, sizeof cmd,
# 533| &resp.ibv_resp, sizeof resp);
# 534| if (ret) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/hfi1verbs/verbs.c:568: overrun-buffer-val: Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
# 566| return NULL;
# 567|
# 568|-> ret = ibv_cmd_create_srq(pd, srq, attr, &cmd, sizeof cmd,
# 569| &resp, sizeof resp);
# 570| if (ret) {

*******************************************************************************************************

Error: UNINIT (CWE-457):
rdma-core-28.0/providers/ipathverbs/verbs.c:151: var_decl: Declaring variable "resp" without initializer.
rdma-core-28.0/providers/ipathverbs/verbs.c:168: uninit_use_in_call: Using uninitialized value "resp.offset" when calling "mmap".
# 166|
# 167| size = sizeof(struct ipath_cq_wc) + sizeof(struct ipath_wc) * cqe;
# 168|-> cq->queue = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
# 169| context->cmd_fd, resp.offset);
# 170| if ((void *) cq->queue == MAP_FAILED) {

Error: UNINIT (CWE-457):
rdma-core-28.0/providers/ipathverbs/verbs.c:205: var_decl: Declaring variable "resp" without initializer.
rdma-core-28.0/providers/ipathverbs/verbs.c:222: uninit_use_in_call: Using uninitialized value "resp.offset" when calling "mmap".
# 220| size = sizeof(struct ipath_cq_wc) +
# 221| (sizeof(struct ipath_wc) * cq->ibv_cq.cqe);
# 222|-> cq->queue = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
# 223| ibcq->context->cmd_fd, resp.offset);
# 224| ret = errno;

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/ipathverbs/verbs.c:305: overrun-buffer-val: Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
# 303| return NULL;
# 304|
# 305|-> ret = ibv_cmd_create_qp(pd, &qp->ibv_qp, attr, &cmd, sizeof cmd,
# 306| &resp.ibv_resp, sizeof resp);
# 307| if (ret) {

Error: UNINIT (CWE-457):
rdma-core-28.0/providers/ipathverbs/verbs.c:296: var_decl: Declaring variable "resp" without initializer.
rdma-core-28.0/providers/ipathverbs/verbs.c:323: uninit_use_in_call: Using uninitialized value "resp.offset" when calling "mmap".
# 321| (sizeof(struct ibv_sge) * qp->rq.max_sge)) *
# 322| qp->rq.size;
# 323|-> qp->rq.rwq = mmap(NULL, size,
# 324| PROT_READ | PROT_WRITE, MAP_SHARED,
# 325| pd->context->cmd_fd, resp.offset);

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/ipathverbs/verbs.c:349: overrun-buffer-val: Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
# 347| return NULL;
# 348|
# 349|-> ret = ibv_cmd_create_qp(pd, qp, attr, &cmd, sizeof cmd,
# 350| &resp, sizeof resp);
# 351| if (ret) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/ipathverbs/verbs.c:508: overrun-buffer-val: Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
# 506| return NULL;
# 507|
# 508|-> ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, attr, &cmd, sizeof cmd,
# 509| &resp.ibv_resp, sizeof resp);
# 510| if (ret) {

Error: UNINIT (CWE-457):
rdma-core-28.0/providers/ipathverbs/verbs.c:500: var_decl: Declaring variable "resp" without initializer.
rdma-core-28.0/providers/ipathverbs/verbs.c:520: uninit_use_in_call: Using uninitialized value "resp.offset" when calling "mmap".
# 518| (sizeof(struct ipath_rwqe) +
# 519| (sizeof(struct ibv_sge) * srq->rq.max_sge)) * srq->rq.size;
# 520|-> srq->rq.rwq = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
# 521| pd->context->cmd_fd, resp.offset);
# 522| if ((void *) srq->rq.rwq == MAP_FAILED) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/ipathverbs/verbs.c:544: overrun-buffer-val: Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
# 542| return NULL;
# 543|
# 544|-> ret = ibv_cmd_create_srq(pd, srq, attr, &cmd, sizeof cmd,
# 545| &resp, sizeof resp);
# 546| if (ret) {

Version-Release number of selected component (if applicable):
The source rpm was created from the upstream git repo. The last upstream commit id is 4cb982f9773b5c06437b57341d65528d077129b9 .

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
RHEL8 no longer supports the qib driver. This bug also includes the Coverity report for qib. If those qib issues are addressed upstream, it will benefit RHEL 7.