Re: [PATCH] can: etas_es58x: initialize rx_event_msg before calling es58x_check_msg_len()

From: Yujie Liu <yujie.liu@intel.com>
To: Vincent Mailhol <mailhol.vincent@wanadoo.fr>,
	Marc Kleine-Budde <mkl@pengutronix.de>,
	<linux-can@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>, kernel test robot <lkp@intel.com>
Subject: Re: [PATCH] can: etas_es58x: initialize rx_event_msg before calling es58x_check_msg_len()
Date: Mon, 7 Mar 2022 10:30:10 +0800	[thread overview]
Message-ID: <532da9fc-d241-a8a4-217a-22c1429d43a3@intel.com> (raw)
In-Reply-To: <20220306101302.708783-1-mailhol.vincent@wanadoo.fr>

Hi Vincent,

On 3/6/2022 18:13, Vincent Mailhol wrote:
> Function es58x_fd_rx_event() invokes the es58x_check_msg_len() macro:
> | 	ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> While doing so, it deferences an uninitialized variable: *rx_event_msg.
> 
> This is actually harmless because es58x_check_msg_len() only uses
> preprocessors macro (sizeof() and __stringify()) on
> *rx_event_msg. c.f. [1].
> 
> Nonetheless, this pattern is confusing so the lines are reordered to
> make sure that rx_event_msg is correctly initialized.
> 
> This patch also fixes a false positive warning reported by cppcheck:
> 
> | cppcheck possible warnings: (new ones prefixed by >>, may not be real problems)
> |
> |     In file included from drivers/net/can/usb/etas_es58x/es58x_fd.c:
> |  >> drivers/net/can/usb/etas_es58x/es58x_fd.c:174:8: warning: Uninitialized variable: rx_event_msg [uninitvar]
> |      ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
> |            ^
> 
> [1] https://elixir.bootlin.com/linux/latest/source/drivers/net/can/usb/etas_es58x/es58x_core.h#L467
> 
> Reported-by: kernel test robot <yujie.liu@intel.com>
> Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
> ---
> As discussed in
> https://lore.kernel.org/linux-can/20220302130423.ddd2ulldffpo5lb2@pengutronix.de/T/#u,
> no need to backport this patch because this is not a fix.
> 
> @Yujie Liu: I added the "Reported-by: kernel test robot". This being a
> false positive, let me know if you would like to remove the tag in
> order not to mess with you statistics.

Actually we did some analysis similar to those in the report mail thread, and noticed
that it was a false positive, but we still sent out the report since the code at here
is not consistent with other function in the same patch. We should have made this
clearer in the original report.

Since "Reported-by" tag is dedicated for reporting a real bug, so please kindly remove
the tag in this patch, thanks.

Regards,
Yujie

> ---
>   drivers/net/can/usb/etas_es58x/es58x_fd.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/net/can/usb/etas_es58x/es58x_fd.c b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> index 88d2540abbbe..c97ffa71fd75 100644
> --- a/drivers/net/can/usb/etas_es58x/es58x_fd.c
> +++ b/drivers/net/can/usb/etas_es58x/es58x_fd.c
> @@ -173,12 +173,11 @@ static int es58x_fd_rx_event_msg(struct net_device *netdev,
>   	const struct es58x_fd_rx_event_msg *rx_event_msg;
>   	int ret;
>   
> +	rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
>   	ret = es58x_check_msg_len(es58x_dev->dev, *rx_event_msg, msg_len);
>   	if (ret)
>   		return ret;
>   
> -	rx_event_msg = &es58x_fd_urb_cmd->rx_event_msg;
> -
>   	return es58x_rx_err_msg(netdev, rx_event_msg->error_code,
>   				rx_event_msg->event_code,
>   				get_unaligned_le64(&rx_event_msg->timestamp));