* [PATCH] bpf: fix unitialized warning
@ 2026-07-04 4:03 Stephen Hemminger
2026-07-04 16:12 ` Stephen Hemminger
2026-07-06 12:18 ` Marat Khalili
0 siblings, 2 replies; 3+ messages in thread
From: Stephen Hemminger @ 2026-07-04 4:03 UTC (permalink / raw)
To: dev; +Cc: Stephen Hemminger, Konstantin Ananyev, Marat Khalili
Coverity complains unitialized use of structure.
Coverity ID: 504611
Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/bpf/bpf_validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index f9960088a2..44db85a5a3 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -659,7 +659,7 @@ eval_apply_mask(struct bpf_reg_val *rv, uint64_t mask)
static void
eval_add(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, uint64_t msk)
{
- struct bpf_reg_val rs_buf;
+ struct bpf_reg_val rs_buf = { 0 };
struct bpf_reg_val rv;
if (RTE_BPF_ARG_PTR_TYPE(rs->v.type) != 0) {
--
2.53.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] bpf: fix unitialized warning
2026-07-04 4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
@ 2026-07-04 16:12 ` Stephen Hemminger
2026-07-06 12:18 ` Marat Khalili
1 sibling, 0 replies; 3+ messages in thread
From: Stephen Hemminger @ 2026-07-04 16:12 UTC (permalink / raw)
To: dev; +Cc: Konstantin Ananyev, Marat Khalili
On Fri, 3 Jul 2026 21:03:22 -0700
Stephen Hemminger <stephen@networkplumber.org> wrote:
> Coverity complains unitialized use of structure.
>
> Coverity ID: 504611
> Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
Ignore AI review of this patch. The CI AI review is using weak AI
model and no tooling; it ends up hallucinating about code that doesn't exist.
Better AI reviewing the reviewer sees...
Coverity 504611 is a true positive. eval_fill_max_bound() sets u, s,
v.type, and mask, but not v.size or v.buf_size. In eval_add() the
pointer+pointer path does eval_fill_max_bound(&rs_buf, msk); *rd =
rs_buf; on a fresh local, so the struct copy propagates the
uninitialized v.size/v.buf_size. Zero-init at declaration closes
exactly that.
The AI review is quoting code that isn't there. eval_add() has no
rs_buf = *rs; and no eval_apply_mask(&rs_buf, ...) call. That snippet
looks reconstructed from the diff hunk header (eval_apply_mask, the
preceding function) rather than the function actually being patched.
Its central claim, that rs_buf is only touched via rs = &rs_buf inside
the if, is wrong: the uninitialized read is the *rd = rs_buf copy, and
rs then reads it after the block.
^ permalink raw reply [flat|nested] 3+ messages in thread* RE: [PATCH] bpf: fix unitialized warning
2026-07-04 4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
2026-07-04 16:12 ` Stephen Hemminger
@ 2026-07-06 12:18 ` Marat Khalili
1 sibling, 0 replies; 3+ messages in thread
From: Marat Khalili @ 2026-07-06 12:18 UTC (permalink / raw)
To: Stephen Hemminger, dev@dpdk.org; +Cc: Konstantin Ananyev
> -----Original Message-----
> From: Stephen Hemminger <stephen@networkplumber.org>
> Sent: Saturday 4 July 2026 05:03
> To: dev@dpdk.org
> Cc: Stephen Hemminger <stephen@networkplumber.org>; Konstantin Ananyev <konstantin.ananyev@huawei.com>;
> Marat Khalili <marat.khalili@huawei.com>
> Subject: [PATCH] bpf: fix unitialized warning
>
> Coverity complains unitialized use of structure.
>
> Coverity ID: 504611
> Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> lib/bpf/bpf_validate.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
> index f9960088a2..44db85a5a3 100644
> --- a/lib/bpf/bpf_validate.c
> +++ b/lib/bpf/bpf_validate.c
> @@ -659,7 +659,7 @@ eval_apply_mask(struct bpf_reg_val *rv, uint64_t mask)
> static void
> eval_add(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, uint64_t msk)
> {
> - struct bpf_reg_val rs_buf;
> + struct bpf_reg_val rs_buf = { 0 };
> struct bpf_reg_val rv;
>
> if (RTE_BPF_ARG_PTR_TYPE(rs->v.type) != 0) {
> --
> 2.53.0
The bug is real. Based on the intended meaning should then be:
struct bpf_reg_val rs_buf = { .v.type = RTE_BPF_ARG_RAW };
Setting type to 0 (RTE_BPF_ARG_UNDEF) is too harsh disallowing even reading,
while we only want to disallow dereferencing the result.
(Unfortunately, this whole dimension is still a massive TODO, this check is not
even present on other ALU operations, and neither do sanitized tests pass which
would catch this problem earlier.)
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-07-06 12:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-04 4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
2026-07-04 16:12 ` Stephen Hemminger
2026-07-06 12:18 ` Marat Khalili
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.