From: Arnd Bergmann
To: Jiri Pirko
Cc: "David S. Miller", Alexander Duyck, Tom Herbert, Jiri Pirko, Hadar Hen Zion, Gao Feng, Eric Garver, Amir Vadai, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] flow_dissector: avoid uninitialized variable access
Date: Sat, 22 Oct 2016 00:16:29 +0200
Message-ID: <3516805.IZ705sLgKU@wuerfel>
In-Reply-To: <5467015.N4DG5uA0DU@wuerfel>
References: <20161021155626.4020344-1-arnd@arndb.de> <20161021163118.GA2155@nanopsycho.orion> <5467015.N4DG5uA0DU@wuerfel>

On Friday, October 21, 2016 11:05:45 PM CEST Arnd Bergmann wrote:
>
> Can you explain why "dissector_uses_key(flow_dissector,
> FLOW_DISSECTOR_KEY_VLAN) && skb_vlan_tag_present(skb)" implies
> "eth_type_vlan(proto))"?
>
> If I add uninitialized_var() here, I would at least put that in
> a comment here.

Found it now myself: if skb_vlan_tag_present(skb), then we don't access
'vlan', otherwise we know it is initialized because eth_type_vlan(proto)
has to be true.

> On a related note, I also don't see how
> "dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_VLAN)"
> implies that skb is non-NULL. I guess this is related to the
> first one.

I'm still unsure about this one.

I also found something else that is suspicious: 'vlan' points
to the local _vlan variable, but that has gone out of scope
by the time we access the pointer, which doesn't seem safe.

	Arnd
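Added example, not part of the message above and not the kernel's code: a user-space C model of the two hazards raised in the mail, a pointer that is only set on some paths and a pointer into a block-scoped buffer that is read after the block ends. All names (`vlan_hdr_model`, `hdr_pointer`, `tci_unsafe`, `tci_safe`, `sample_pkt`) and the simplified control flow are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model; every name here is hypothetical. */
struct vlan_hdr_model { uint8_t tci_be[2]; uint8_t proto_be[2]; };

/* Constructed sample: TCI 0x0164, inner protocol 0x0800. */
static const uint8_t sample_pkt[4] = { 0x01, 0x64, 0x08, 0x00 };

/* Copies the header into 'buf' and returns 'buf': valid only while 'buf' lives. */
static const struct vlan_hdr_model *
hdr_pointer(const uint8_t *pkt, size_t len, struct vlan_hdr_model *buf)
{
    if (len < sizeof(*buf))
        return NULL;
    memcpy(buf, pkt, sizeof(*buf));
    return buf;
}

#ifdef SHOW_UNSAFE   /* not built by default: reading 'vlan' below is undefined */
static int tci_unsafe(const uint8_t *pkt, size_t len, int is_vlan)
{
    const struct vlan_hdr_model *vlan;    /* unset when !is_vlan */
    if (is_vlan) {
        struct vlan_hdr_model _vlan;      /* lifetime ends at the brace */
        vlan = hdr_pointer(pkt, len, &_vlan);
    }
    return (vlan->tci_be[0] << 8) | vlan->tci_be[1];
}
#endif

/* Returns the TCI, or -1 when no tag can be read. */
static int tci_safe(const uint8_t *pkt, size_t len, int tag_present, int is_vlan, uint16_t hw_tci)
{
    struct vlan_hdr_model _vlan;          /* function scope: outlives 'vlan' */
    const struct vlan_hdr_model *vlan = NULL;
    if (is_vlan)
        vlan = hdr_pointer(pkt, len, &_vlan);
    if (tag_present)
        return hw_tci;                    /* 'vlan' is never read here */
    if (!vlan)
        return -1;                        /* invariant checked, not assumed */
    return (vlan->tci_be[0] << 8) | vlan->tci_be[1];
}

int main(void)
{
    return tci_safe(sample_pkt, sizeof(sample_pkt), 0, 1, 0) == 0x0164 ? 0 : 1;
}
```

Building with `-DSHOW_UNSAFE` compiles the problematic shape so that compiler diagnostics or a sanitizer can be tried against it.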