CC: kbuild-all(a)lists.01.org TO: Kees Cook CC: Chao Yu , Chao Yu tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kspp/uninit/macro head: 2d0e6f87039d3bbf4d54bf426ea7c51bb405b8cc commit: 4ee42e96f8519aa948c3eebe14ad67b82c02a2c2 [15/16] treewide: Remove uninitialized_var() usage :::::: branch date: 20 hours ago :::::: commit date: 20 hours ago config: x86_64-randconfig-m001-20200621 (attached as .config) compiler: gcc-9 (Debian 9.3.0-13) 9.3.0 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot Reported-by: Dan Carpenter New smatch warnings: drivers/vhost/net.c:1080 get_rx_bufs() error: uninitialized symbol 'len'. drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c:642 _rtl92cu_init_chipn_two_out_ep_priority() error: uninitialized symbol 'valuelow'. drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c:644 _rtl92cu_init_chipn_two_out_ep_priority() error: uninitialized symbol 'valuehi'. drivers/net/wireless/broadcom/b43/xmit.c:457 b43_generate_txhdr() error: uninitialized symbol 'cts'. drivers/net/wireless/broadcom/b43/xmit.c:479 b43_generate_txhdr() error: uninitialized symbol 'rts'. drivers/net/wireless/broadcom/b43/xmit.c:497 b43_generate_txhdr() error: uninitialized symbol 'plcp'. drivers/net/wireless/broadcom/b43/xmit.c:517 b43_generate_txhdr() error: potentially dereferencing uninitialized 'hdr'. drivers/net/wireless/broadcom/b43/xmit.c:664 b43_rx() error: uninitialized symbol 'macstat'. drivers/net/wireless/broadcom/b43/xmit.c:719 b43_rx() error: uninitialized symbol 'chanstat'. drivers/net/wireless/broadcom/b43/xmit.c:771 b43_rx() error: uninitialized symbol 'mactime'. drivers/net/wireless/broadcom/b43/dma.c:67 b43_dma_address() error: uninitialized symbol 'addr'. Old smatch warnings: drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c:649 _rtl92cu_init_chipn_two_out_ep_priority() error: uninitialized symbol 'valuehi'. drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c:650 _rtl92cu_init_chipn_two_out_ep_priority() error: uninitialized symbol 'valuelow'. # https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=4ee42e96f8519aa948c3eebe14ad67b82c02a2c2 git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git git remote update kees git checkout 4ee42e96f8519aa948c3eebe14ad67b82c02a2c2 vim +/len +1080 drivers/vhost/net.c 03088137246065 Jason Wang 2016-03-04 1018 8dd014adfea6f1 David Stevens 2010-07-27 1019 /* This is a multi-buffer version of vhost_get_desc, that works if 8dd014adfea6f1 David Stevens 2010-07-27 1020 * vq has read descriptors only. 8dd014adfea6f1 David Stevens 2010-07-27 1021 * @vq - the relevant virtqueue 8dd014adfea6f1 David Stevens 2010-07-27 1022 * @datalen - data length we'll be reading 8dd014adfea6f1 David Stevens 2010-07-27 1023 * @iovcount - returned count of io vectors we fill 8dd014adfea6f1 David Stevens 2010-07-27 1024 * @log - vhost log 8dd014adfea6f1 David Stevens 2010-07-27 1025 * @log_num - log offset 94249369e99302 Jason Wang 2011-01-17 1026 * @quota - headcount quota, 1 for big buffer 8dd014adfea6f1 David Stevens 2010-07-27 1027 * returns number of buffer heads allocated, negative on error 8dd014adfea6f1 David Stevens 2010-07-27 1028 */ 8dd014adfea6f1 David Stevens 2010-07-27 1029 static int get_rx_bufs(struct vhost_virtqueue *vq, 8dd014adfea6f1 David Stevens 2010-07-27 1030 struct vring_used_elem *heads, 8dd014adfea6f1 David Stevens 2010-07-27 1031 int datalen, 8dd014adfea6f1 David Stevens 2010-07-27 1032 unsigned *iovcount, 8dd014adfea6f1 David Stevens 2010-07-27 1033 struct vhost_log *log, 94249369e99302 Jason Wang 2011-01-17 1034 unsigned *log_num, 94249369e99302 Jason Wang 2011-01-17 1035 unsigned int quota) 8dd014adfea6f1 David Stevens 2010-07-27 1036 { 8dd014adfea6f1 David Stevens 2010-07-27 1037 unsigned int out, in; 8dd014adfea6f1 David Stevens 2010-07-27 1038 int seg = 0; 8dd014adfea6f1 David Stevens 2010-07-27 1039 int headcount = 0; 8dd014adfea6f1 David Stevens 2010-07-27 1040 unsigned d; 8dd014adfea6f1 David Stevens 2010-07-27 1041 int r, nlogs = 0; 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1042 /* len is always initialized before use since we are always called with 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1043 * datalen > 0. 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1044 */ 4ee42e96f8519a Kees Cook 2020-06-03 1045 u32 len; 8dd014adfea6f1 David Stevens 2010-07-27 1046 94249369e99302 Jason Wang 2011-01-17 1047 while (datalen > 0 && headcount < quota) { e0e9b406470b8d Jason Wang 2010-09-14 1048 if (unlikely(seg >= UIO_MAXIOV)) { 8dd014adfea6f1 David Stevens 2010-07-27 1049 r = -ENOBUFS; 8dd014adfea6f1 David Stevens 2010-07-27 1050 goto err; 8dd014adfea6f1 David Stevens 2010-07-27 1051 } 47283bef7ed356 Michael S. Tsirkin 2014-06-05 1052 r = vhost_get_vq_desc(vq, vq->iov + seg, 8dd014adfea6f1 David Stevens 2010-07-27 1053 ARRAY_SIZE(vq->iov) - seg, &out, 8dd014adfea6f1 David Stevens 2010-07-27 1054 &in, log, log_num); a39ee449f96a2c Michael S. Tsirkin 2014-03-27 1055 if (unlikely(r < 0)) a39ee449f96a2c Michael S. Tsirkin 2014-03-27 1056 goto err; a39ee449f96a2c Michael S. Tsirkin 2014-03-27 1057 a39ee449f96a2c Michael S. Tsirkin 2014-03-27 1058 d = r; 8dd014adfea6f1 David Stevens 2010-07-27 1059 if (d == vq->num) { 8dd014adfea6f1 David Stevens 2010-07-27 1060 r = 0; 8dd014adfea6f1 David Stevens 2010-07-27 1061 goto err; 8dd014adfea6f1 David Stevens 2010-07-27 1062 } 8dd014adfea6f1 David Stevens 2010-07-27 1063 if (unlikely(out || in <= 0)) { 8dd014adfea6f1 David Stevens 2010-07-27 1064 vq_err(vq, "unexpected descriptor format for RX: " 8dd014adfea6f1 David Stevens 2010-07-27 1065 "out %d, in %d\n", out, in); 8dd014adfea6f1 David Stevens 2010-07-27 1066 r = -EINVAL; 8dd014adfea6f1 David Stevens 2010-07-27 1067 goto err; 8dd014adfea6f1 David Stevens 2010-07-27 1068 } 8dd014adfea6f1 David Stevens 2010-07-27 1069 if (unlikely(log)) { 8dd014adfea6f1 David Stevens 2010-07-27 1070 nlogs += *log_num; 8dd014adfea6f1 David Stevens 2010-07-27 1071 log += *log_num; 8dd014adfea6f1 David Stevens 2010-07-27 1072 } 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1073 heads[headcount].id = cpu_to_vhost32(vq, d); 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1074 len = iov_length(vq->iov + seg, in); 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1075 heads[headcount].len = cpu_to_vhost32(vq, len); 8b38694a2dc8b1 Michael S. Tsirkin 2014-10-24 1076 datalen -= len; 8dd014adfea6f1 David Stevens 2010-07-27 1077 ++headcount; 8dd014adfea6f1 David Stevens 2010-07-27 1078 seg += in; 8dd014adfea6f1 David Stevens 2010-07-27 1079 } 99975cc6ada0d5 Michael S. Tsirkin 2015-01-07 @1080 heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen); 8dd014adfea6f1 David Stevens 2010-07-27 1081 *iovcount = seg; 8dd014adfea6f1 David Stevens 2010-07-27 1082 if (unlikely(log)) 8dd014adfea6f1 David Stevens 2010-07-27 1083 *log_num = nlogs; d8316f3991d207 Michael S. Tsirkin 2014-03-27 1084 d8316f3991d207 Michael S. Tsirkin 2014-03-27 1085 /* Detect overrun */ d8316f3991d207 Michael S. Tsirkin 2014-03-27 1086 if (unlikely(datalen > 0)) { d8316f3991d207 Michael S. Tsirkin 2014-03-27 1087 r = UIO_MAXIOV + 1; d8316f3991d207 Michael S. Tsirkin 2014-03-27 1088 goto err; d8316f3991d207 Michael S. Tsirkin 2014-03-27 1089 } 8dd014adfea6f1 David Stevens 2010-07-27 1090 return headcount; 8dd014adfea6f1 David Stevens 2010-07-27 1091 err: 8dd014adfea6f1 David Stevens 2010-07-27 1092 vhost_discard_vq_desc(vq, headcount); 8dd014adfea6f1 David Stevens 2010-07-27 1093 return r; 8dd014adfea6f1 David Stevens 2010-07-27 1094 } 8dd014adfea6f1 David Stevens 2010-07-27 1095 :::::: The code at line 1080 was first introduced by commit :::::: 99975cc6ada0d5f2675e83abecae05aba5f437d2 vhost/net: length miscalculation :::::: TO: Michael S. Tsirkin :::::: CC: Michael S. Tsirkin --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org