Bug 1801985

Summary: [RHEL-8.3/RDMA/rdma-core] vmw_pvrdma provider specific potential Coverity issues
Product: Red Hat Enterprise Linux 8
Component: rdma-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.3
Reporter: Honggang LI <honli>
Assignee: Honggang LI <honli>
QA Contact: zguo <zguo>
Docs Contact:
CC: aditr, bryantan, gchua, hwkernel-mgr, jhansen, rdma-dev-team, vdasa, zguo
Whiteboard:
Fixed In Version: rdma-core-29.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 01:37:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1813407, 1825061

Description Honggang LI 2020-02-12 03:34:59 UTC
Description of problem:

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/vmw_pvrdma/qp.c:143: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_SRQ of 16 bytes by passing it to a function which accesses it at byte offset 16.
#  141|   	cmd.buf_size = srq->buf.length;
#  142|   
#  143|-> 	ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, attr,
#  144|   				 &cmd.ibv_cmd, sizeof(cmd),
#  145|   				 &resp.ibv_resp, sizeof(resp));

Error: OVERRUN (CWE-119):
rdma-core-28.0/providers/vmw_pvrdma/qp.c:284: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP of 32 bytes by passing it to a function which accesses it at byte offset 32.
#  282|   	cmd.qp_addr = (uintptr_t) qp;
#  283|   
#  284|-> 	if (ibv_cmd_create_qp(pd, &qp->ibv_qp, attr, &cmd.ibv_cmd, sizeof(cmd),
#  285|   			      &resp.ibv_resp, sizeof(resp)))
#  286|   		goto err_free;

Error: LOCK (CWE-765):
rdma-core-28.0/providers/vmw_pvrdma/qp.c:464: unlock: "pthread_spin_unlock" unlocks "qp->sq.lock".
rdma-core-28.0/providers/vmw_pvrdma/qp.c:555: double_unlock: "pthread_spin_unlock" unlocks "qp->sq.lock" while it is unlocked.
#  553|   	}
#  554|   
#  555|-> 	pthread_spin_unlock(&qp->sq.lock);
#  556|   
#  557|   	return ret;


Version-Release number of selected component (if applicable):
The source rpm was created from the upstream git repo. The last upstream
commit id is 4cb982f9773b5c06437b57341d65528d077129b9

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Honggang LI 2020-02-12 03:40:36 UTC
Hi, Adit
 Could you please review and fix these issues for vmw_pvrdma?

Comment 2 Adit Ranadive 2020-02-12 08:39:55 UTC
Thanks Honggang. Bryan, is it possible for you to take a look? The 3rd one is an easy fix. I'm not sure about the first two.

Comment 3 Bryan Tan 2020-02-12 11:14:43 UTC
Thanks Honggang for filing this. I have a fix for review internally for the 3rd issue that Adit pointed out. For the first two, seems like it is by design: https://github.com/linux-rdma/rdma-core/blob/v28.0/libibverbs/cmd.c#L924 this has been around for a while, and isn't specific to vmw_pvrdma. The struct in question (_KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP) is always part of another struct that has a union following it: https://github.com/linux-rdma/rdma-core/blob/v28.0/libibverbs/kern-abi.h#L147 . Honggang, has Coverity been run on rdma-core before? We should be seeing the same warnings for all other device libraries as well.
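
The first two OVERRUN reports follow from how the generic verbs command helpers are called: the provider passes a pointer to a small, fixed-size ABI header that sits at the start of a larger provider-specific struct, together with the size of that larger struct, and the helper writes past the header into the provider tail. A checker reasoning only from the pointer's declared type sees an access beyond the 16- or 32-byte struct. The example below is added for this page and is not rdma-core code; every struct and function name in it (kabi_create_qp_resp, provider_create_qp_resp, cmd_create_qp, provider_create_qp) is a hypothetical stand-in chosen to mirror the layout Comment 3 describes, with constructed field values. It shows the access that triggers the warning, the two layout facts that make it safe (the header is the first member, and the size passed is that container's real size), and the one call shape that would be a genuine overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a 32-byte kernel ABI response header. */
struct kabi_create_qp_resp {
	uint32_t qp_handle;
	uint32_t qpn;
	uint32_t max_send_wr;
	uint32_t max_recv_wr;
	uint32_t max_send_sge;
	uint32_t max_recv_sge;
	uint32_t max_inline_data;
	uint32_t reserved;
};

/*
 * Hypothetical provider response: ABI header first, then a union of
 * driver-private fields, the layout Comment 3 describes.
 */
struct provider_create_qp_resp {
	struct kabi_create_qp_resp ibv_resp;
	union {
		uint32_t drv_data[2];
		uint64_t drv_data64;
	} u;
};

/* The invariants the generic helper relies on; violating either is a real overrun. */
_Static_assert(offsetof(struct provider_create_qp_resp, ibv_resp) == 0,
	       "ABI header must be the first member of the provider response");
_Static_assert(sizeof(struct kabi_create_qp_resp) == 32,
	       "example assumes a 32-byte ABI header");

/*
 * Stand-in for the generic command helper.  The pointer is typed as the
 * 32-byte header but resp_size describes the whole container, so the tail
 * write below is the "access at byte offset 32" Coverity reports.
 * Returns the number of bytes written, or 0 if resp_size is too small.
 */
static size_t cmd_create_qp(struct kabi_create_qp_resp *resp, size_t resp_size)
{
	unsigned char *tail;

	if (resp_size < sizeof(*resp))
		return 0;

	memset(resp, 0, sizeof(*resp));
	resp->qp_handle = 42;	/* constructed "kernel" reply values */
	resp->qpn = 0x1000;

	/* Provider-private part: everything the caller sized beyond the header. */
	tail = (unsigned char *)resp + sizeof(*resp);
	memset(tail, 0xAB, resp_size - sizeof(*resp));
	return resp_size;
}

/*
 * The call shape Coverity flagged: pointer to the embedded header, size of the
 * enclosing struct.  Safe because *out really is sizeof(*out) bytes long.
 */
static size_t provider_create_qp(struct provider_create_qp_resp *out)
{
	return cmd_create_qp(&out->ibv_resp, sizeof(*out));
}

/* Bare header with its own size: the only other legal combination. */
static size_t bare_create_qp(struct kabi_create_qp_resp *out)
{
	return cmd_create_qp(out, sizeof(*out));
}

/* Returns 1 when both legal call shapes behave as described above. */
static int demo_ok(void)
{
	struct provider_create_qp_resp r;
	struct kabi_create_qp_resp bare;

	if (provider_create_qp(&r) != sizeof(r) || r.ibv_resp.qp_handle != 42 ||
	    r.u.drv_data[0] != 0xABABABABu || r.u.drv_data[1] != 0xABABABABu)
		return 0;
	if (bare_create_qp(&bare) != sizeof(bare) || bare.qp_handle != 42)
		return 0;
	/* Genuine overrun, never to be written: cmd_create_qp(&bare, sizeof(r)); */
	return 1;
}

int main(void)
{
	printf("layout demo %s\n", demo_ok() ? "ok" : "FAILED");
	return 0;
}
```

The practical check when triaging such a report is therefore not the struct size Coverity prints but the two invariants above: that the pointed-to member is at offset 0 of the object whose size is passed, and that the size is that object's size rather than some other struct's.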

Comment 4 Honggang LI 2020-02-13 01:46:56 UTC
(In reply to Bryan Tan from comment #3)
> Thanks Honggang for filing this. I have a fix for review internally for the
> 3rd issue that Adit pointed out. 

Thanks for fixing this.

> For the first two, seems like it is by
> design:
> https://github.com/linux-rdma/rdma-core/blob/v28.0/libibverbs/cmd.c#L924
> this has been around for a while, and isn't specific to vmw_pvrdma. The
> struct in question (_KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP) is always
> part of another struct that has a union following it:
> https://github.com/linux-rdma/rdma-core/blob/v28.0/libibverbs/kern-abi.
> h#L147 . Honggang, has Coverity been run on rdma-core before? We should be
> seeing the same warnings for all other device libraries as well.

Yes, you are right. It is not vmw_pvrdma specific. We are seeing the same
warning for ALL other device drivers. So, please feel free to ignore them
for vmw_pvrdma.

Comment 5 Bryan Tan 2020-02-19 11:11:44 UTC
The double unlock has been fixed in rdma-core: https://github.com/linux-rdma/rdma-core/commit/d8a052e08c5874cf210c07eb19ffb6b7ba00b460

The commit is also in the stable branches (for example, https://github.com/linux-rdma/rdma-core/commit/05700e697777edc3fe30c24349e14ea4ae4a1813)

Comment 6 Honggang LI 2020-02-21 02:49:31 UTC
(In reply to Bryan Tan from comment #5)
> The double unlock has been fixed in rdma-core:
> https://github.com/linux-rdma/rdma-core/commit/
> d8a052e08c5874cf210c07eb19ffb6b7ba00b460
> 
> The commit is also in the stable branches (for example,
> https://github.com/linux-rdma/rdma-core/commit/
> 05700e697777edc3fe30c24349e14ea4ae4a1813)

Thanks for fixing this. Set devel+ flag.

Comment 13 errata-xmlrpc 2020-11-04 01:37:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rdma-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4456