Function es58x_fd_rx_event() invokes the es58x_check_msg_len() macro:
| ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
While doing so, it deferences an uninitialized variable: *rx_event_msg.
This is actually harmless because es58x_check_msg_len() only uses
preprocessors macro (sizeof() and __stringify()) on
*rx_event_msg. c.f. [1].
Nonetheless, this pattern is confusing so the lines are reordered to
make sure that rx_event_msg is correctly initialized.
This patch also fixes a false positive warning reported by cppcheck:
| cppcheck possible warnings: (new ones prefixed by >>, may not be real problems)
|
| In file included from drivers/net/can/usb/etas_es58x/es58x_fd.c:
| >> drivers/net/can/usb/etas_es58x/es58x_fd.c:174:8: warning: Uninitialized variable: rx_event_msg [uninitvar]
| ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
| ^
[1] https://elixir.bootlin.com/linux/latest/source/drivers/net/can/usb/etas_es58x/es58x_core.h#L467
Reported-by: kernel test robot <[email protected]>
Signed-off-by: Vincent Mailhol <[email protected]>
---
As discussed in
https://lore.kernel.org/linux-can/[email protected]/T/#u,
no need to backport this patch because this is not a fix.
@Yujie Liu: I added the "Reported-by: kernel test robot". This being a
false positive, let me know if you would like to remove the tag in
order not to mess with you statistics.
---
drivers/net/can/usb/etas_es58x/es58x_fd.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.c b/drivers/net/can/usb/etas_es58x/es58x_fd.c
index 88d2540abbbe..c97ffa71fd75 100644
--- a/drivers/net/can/usb/etas_es58x/es58x_fd.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_fd.c
@@ -173,12 +173,11 @@ static int es58x_fd_rx_event_msg(struct net_device *netdev,
const struct es58x_fd_rx_event_msg *rx_event_msg;
int ret;
+ rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
if (ret)
return ret;
- rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
-
return es58x_rx_err_msg(netdev, rx_event_msg->error_code,
rx_event_msg->event_code,
get_unaligned_le64(&rx_event_msg->timestamp));
--
2.34.1
Hi Vincent,
On 3/6/2022 18:13, Vincent Mailhol wrote:
> Function es58x_fd_rx_event() invokes the es58x_check_msg_len() macro:
> | ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> While doing so, it deferences an uninitialized variable: *rx_event_msg.
>
> This is actually harmless because es58x_check_msg_len() only uses
> preprocessors macro (sizeof() and __stringify()) on
> *rx_event_msg. c.f. [1].
>
> Nonetheless, this pattern is confusing so the lines are reordered to
> make sure that rx_event_msg is correctly initialized.
>
> This patch also fixes a false positive warning reported by cppcheck:
>
> | cppcheck possible warnings: (new ones prefixed by >>, may not be real problems)
> |
> | In file included from drivers/net/can/usb/etas_es58x/es58x_fd.c:
> | >> drivers/net/can/usb/etas_es58x/es58x_fd.c:174:8: warning: Uninitialized variable: rx_event_msg [uninitvar]
> | ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> | ^
>
> [1] https://elixir.bootlin.com/linux/latest/source/drivers/net/can/usb/etas_es58x/es58x_core.h#L467
>
> Reported-by: kernel test robot <[email protected]>
> Signed-off-by: Vincent Mailhol <[email protected]>
> ---
> As discussed in
> https://lore.kernel.org/linux-can/[email protected]/T/#u,
> no need to backport this patch because this is not a fix.
>
> @Yujie Liu: I added the "Reported-by: kernel test robot". This being a
> false positive, let me know if you would like to remove the tag in
> order not to mess with you statistics.
Actually we did some analysis similar to those in the report mail thread, and noticed
that it was a false positive, but we still sent out the report since the code at here
is not consistent with other function in the same patch. We should have made this
clearer in the original report.
Since "Reported-by" tag is dedicated for reporting a real bug, so please kindly remove
the tag in this patch, thanks.
Regards,
Yujie
> ---
> drivers/net/can/usb/etas_es58x/es58x_fd.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.c b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> index 88d2540abbbe..c97ffa71fd75 100644
> --- a/drivers/net/can/usb/etas_es58x/es58x_fd.c
> +++ b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> @@ -173,12 +173,11 @@ static int es58x_fd_rx_event_msg(struct net_device *netdev,
> const struct es58x_fd_rx_event_msg *rx_event_msg;
> int ret;
>
> + rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
> ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> if (ret)
> return ret;
>
> - rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
> -
> return es58x_rx_err_msg(netdev, rx_event_msg->error_code,
> rx_event_msg->event_code,
> get_unaligned_le64(&rx_event_msg->timestamp));
On 06.03.2022 19:13:02, Vincent Mailhol wrote:
> Function es58x_fd_rx_event() invokes the es58x_check_msg_len() macro:
> | ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> While doing so, it deferences an uninitialized variable: *rx_event_msg.
>
> This is actually harmless because es58x_check_msg_len() only uses
> preprocessors macro (sizeof() and __stringify()) on
> *rx_event_msg. c.f. [1].
>
> Nonetheless, this pattern is confusing so the lines are reordered to
> make sure that rx_event_msg is correctly initialized.
>
> This patch also fixes a false positive warning reported by cppcheck:
>
> | cppcheck possible warnings: (new ones prefixed by >>, may not be real problems)
> |
> | In file included from drivers/net/can/usb/etas_es58x/es58x_fd.c:
> | >> drivers/net/can/usb/etas_es58x/es58x_fd.c:174:8: warning: Uninitialized variable: rx_event_msg [uninitvar]
> | ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> | ^
>
> [1] https://elixir.bootlin.com/linux/latest/source/drivers/net/can/usb/etas_es58x/es58x_core.h#L467
>
> Reported-by: kernel test robot <[email protected]>
> Signed-off-by: Vincent Mailhol <[email protected]>
Applied to linux-can-next/testing, fixed some typos and removed the
Reported-by tag.
regards,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |