Bug 1801982

Summary: [RHEL-8.3/RDMA/rdma-core] qedr provider specific potential Coverity issues
Product: Red Hat Enterprise Linux 8
Reporter: Honggang LI <honli>
Component: rdma-core
Assignee: Honggang LI <honli>
Status: CLOSED ERRATA
QA Contact: zguo <zguo>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: mchopra, rdma-dev-team, zguo
Target Milestone: rc
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rdma-core-29.0-1.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-11-04 01:37:28 UTC
Type: Bug
Bug Blocks: 1813407, 1825061

Description Honggang LI 2020-02-12 03:22:40 UTC
Description of problem:

Error: CLANG_WARNING:
rdma-core-28.0/providers/qedr/qelr_main.c:184:20: warning: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
#        cmd.context_flags |= QEDR_ALLOC_UCTX_DB_REC;
#        ~~~~~~~~~~~~~~~~~ ^
rdma-core-28.0/providers/qedr/qelr_main.c:176:6: note: Assuming 'ctx' is non-null
#        if (!ctx)
#            ^~~~
rdma-core-28.0/providers/qedr/qelr_main.c:176:2: note: Taking false branch
#        if (!ctx)
#        ^
rdma-core-28.0/providers/qedr/qelr_main.c:184:20: note: The left expression of the compound assignment is an uninitialized value. The computed value will also be garbage
#        cmd.context_flags |= QEDR_ALLOC_UCTX_DB_REC;
#        ~~~~~~~~~~~~~~~~~ ^
#  182|   	qelr_set_debug_mask();
#  183|   
#  184|-> 	cmd.context_flags |= QEDR_ALLOC_UCTX_DB_REC;
#  185|   	if (ibv_cmd_get_context(&ctx->ibv_ctx, &cmd.ibv_cmd, sizeof(cmd),
#  186|   				&resp.ibv_resp, sizeof(resp)))

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/qedr/qelr_verbs.c:459: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_SRQ of 16 bytes by passing it to a function which accesses it at byte offset 16.
#  457|   	pthread_spin_init(&srq->lock, PTHREAD_PROCESS_PRIVATE);
#  458|   	qelr_create_srq_configure_req(srq, &req);
#  459|-> 	ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, init_attr, &req.ibv_cmd,
#  460|   				    sizeof(req), &resp.ibv_resp, sizeof(resp));
#  461|   	if (ret) {

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/qedr/qelr_verbs.c:743: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP of 32 bytes by passing it to a function which accesses it at byte offset 32.
#  741|   	qelr_create_qp_configure_req(qp, &req);
#  742|   
#  743|-> 	rc = ibv_cmd_create_qp(pd, &qp->ibv_qp, attrs, &req.ibv_cmd,
#  744|   			       sizeof(req), &resp.ibv_resp, sizeof(resp));
#  745|   	if (rc) {


Version-Release number of selected component (if applicable):
The source rpm had been created from the git upstream repo. The last upstream
commit id is 4cb982f9773b5c06437b57341d65528d077129b9 .


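The first clang finding above is a compound assignment into a field that was never written. The added example below (not rdma-core code; the struct, flag names and the receiver check are hypothetical stand-ins) shows why that matters for forward compatibility: with stale stack contents, `|=` carries every pre-existing bit through to the request, while the plain `=` used in the upstream fix leaves only the intended capability bit set, which is what a peer that validates unknown bits would need.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the qedr user-context request; not the real
 * rdma-core/kernel ABI layout. */
#define UCTX_DB_REC      (1u << 0)     /* the one capability the library sets */
#define KNOWN_UCTX_FLAGS (UCTX_DB_REC) /* bits a receiver understands today */

struct uctx_cmd {
	uint64_t hdr;
	uint32_t context_flags;
	uint32_t rsvd;
};

/* Simulate a stack buffer holding stale data from an earlier call. */
static void fill_stale(struct uctx_cmd *cmd)
{
	memset(cmd, 0xA5, sizeof(*cmd));
}

/* Pattern flagged by clang: OR into a field that was never initialized. */
uint32_t build_flags_buggy(void)
{
	struct uctx_cmd cmd;
	fill_stale(&cmd);
	cmd.context_flags |= UCTX_DB_REC;   /* stale bits survive */
	return cmd.context_flags;
}

/* Upstream fix 9bb0fcf8: plain assignment, so every other bit is zero. */
uint32_t build_flags_fixed(void)
{
	struct uctx_cmd cmd;
	fill_stale(&cmd);
	cmd.context_flags = UCTX_DB_REC;    /* only the intended bit set */
	return cmd.context_flags;
}

/* Hypothetical receiver: a newer peer that rejects bits it does not know.
 * Returns 0 on accept, -1 on reject. */
int receiver_check(uint32_t flags)
{
	return (flags & ~KNOWN_UCTX_FLAGS) ? -1 : 0;
}

int main(void)
{
	printf("buggy: flags=0x%08x rc=%d\n", build_flags_buggy(), receiver_check(build_flags_buggy()));
	printf("fixed: flags=0x%08x rc=%d\n", build_flags_fixed(), receiver_check(build_flags_fixed()));
	return 0;
}
```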
Comment 1 Honggang LI 2020-02-12 03:29:10 UTC
Hi, Manish
 Could Marvell please review and fix qedr Coverity issues if necessary?

Comment 2 Honggang LI 2020-02-21 02:55:33 UTC
The first issue has been fixed upstream. The remaining two issues are not qedr specific. Set devel+ flag.


rdma-core (master)]$ git show 9bb0fcf83c305ab88811d3de068977700d3eb78b
commit 9bb0fcf83c305ab88811d3de068977700d3eb78b
Author: Michal Kalderon <michal.kalderon>
Date:   Wed Feb 12 17:32:52 2020 +0200

    libqedr: Fix user context allocation forward compatibility
    
    The user context alloc request structure introduced a new field
    to indicate doorbell recovery is supported. This field was added so
    that additional features could be added in the future by setting a
    capability flag. However, the field wasn't zeroed, and was initialized
    using "|=" instead of "=" leading to garbage in the other bits.
    For forward compatibility, we need to make sure all other bits are
    zero.
    
    Cc: stable # v27 v28
    Fixes: d9b2ba480af5 ("libqedr: Add support for Doorbell Overflow Recovery")
    Signed-off-by: Ariel Elior <ariel.elior>
    Signed-off-by: Michal Kalderon <michal.kalderon>

diff --git a/providers/qedr/qelr_main.c b/providers/qedr/qelr_main.c
index 06edef51e13f..e7045cae3999 100644
--- a/providers/qedr/qelr_main.c
+++ b/providers/qedr/qelr_main.c
@@ -181,7 +181,7 @@ static struct verbs_context *qelr_alloc_context(struct ibv_device *ibdev,
        qelr_open_debug_file(ctx);
        qelr_set_debug_mask();
 
-       cmd.context_flags |= QEDR_ALLOC_UCTX_DB_REC;
+       cmd.context_flags = QEDR_ALLOC_UCTX_DB_REC;
        if (ibv_cmd_get_context(&ctx->ibv_ctx, &cmd.ibv_cmd, sizeof(cmd),
                                &resp.ibv_resp, sizeof(resp)))
                goto cmd_err;
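Review bot: the change at line 184 fixes the one field clang flagged, but only that field; if `cmd` is declared without an initializer elsewhere in `qelr_alloc_context`, any other field of the request (or one added later) still goes to `ibv_cmd_get_context` with stack contents. Since the commit message's goal is that "all other bits are zero" for forward compatibility, consider zero-initializing the whole struct at its declaration (`= {}` or a `memset(&cmd, 0, sizeof(cmd))`) in addition to `cmd.context_flags = QEDR_ALLOC_UCTX_DB_REC;`, so the guarantee does not depend on each field being assigned individually.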

Comment 8 errata-xmlrpc 2020-11-04 01:37:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rdma-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4456