All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] bpf: fix unitialized warning
@ 2026-07-04  4:03 Stephen Hemminger
  2026-07-04 16:12 ` Stephen Hemminger
  2026-07-06 12:18 ` Marat Khalili
  0 siblings, 2 replies; 3+ messages in thread
From: Stephen Hemminger @ 2026-07-04  4:03 UTC (permalink / raw)
  To: dev; +Cc: Stephen Hemminger, Konstantin Ananyev, Marat Khalili

Coverity complains unitialized use of structure.

Coverity ID: 504611
Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/bpf/bpf_validate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index f9960088a2..44db85a5a3 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -659,7 +659,7 @@ eval_apply_mask(struct bpf_reg_val *rv, uint64_t mask)
 static void
 eval_add(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, uint64_t msk)
 {
-	struct bpf_reg_val rs_buf;
+	struct bpf_reg_val rs_buf = { 0 };
 	struct bpf_reg_val rv;
 
 	if (RTE_BPF_ARG_PTR_TYPE(rs->v.type) != 0) {
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] bpf: fix unitialized warning
  2026-07-04  4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
@ 2026-07-04 16:12 ` Stephen Hemminger
  2026-07-06 12:18 ` Marat Khalili
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Hemminger @ 2026-07-04 16:12 UTC (permalink / raw)
  To: dev; +Cc: Konstantin Ananyev, Marat Khalili

On Fri,  3 Jul 2026 21:03:22 -0700
Stephen Hemminger <stephen@networkplumber.org> wrote:

> Coverity complains unitialized use of structure.
> 
> Coverity ID: 504611
> Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---

Ignore AI review of this patch. The CI AI review is using weak AI
model and no tooling; it ends up hallucinating about code that doesn't exist.
Better AI reviewing the reviewer sees...

Coverity 504611 is a true positive. eval_fill_max_bound() sets u, s,
v.type, and mask, but not v.size or v.buf_size. In eval_add() the
pointer+pointer path does eval_fill_max_bound(&rs_buf, msk); *rd =
rs_buf; on a fresh local, so the struct copy propagates the
uninitialized v.size/v.buf_size. Zero-init at declaration closes
exactly that.

The AI review is quoting code that isn't there. eval_add() has no
rs_buf = *rs; and no eval_apply_mask(&rs_buf, ...) call. That snippet
looks reconstructed from the diff hunk header (eval_apply_mask, the
preceding function) rather than the function actually being patched.
Its central claim, that rs_buf is only touched via rs = &rs_buf inside
the if, is wrong: the uninitialized read is the *rd = rs_buf copy, and
rs then reads it after the block. 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [PATCH] bpf: fix unitialized warning
  2026-07-04  4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
  2026-07-04 16:12 ` Stephen Hemminger
@ 2026-07-06 12:18 ` Marat Khalili
  1 sibling, 0 replies; 3+ messages in thread
From: Marat Khalili @ 2026-07-06 12:18 UTC (permalink / raw)
  To: Stephen Hemminger, dev@dpdk.org; +Cc: Konstantin Ananyev

> -----Original Message-----
> From: Stephen Hemminger <stephen@networkplumber.org>
> Sent: Saturday 4 July 2026 05:03
> To: dev@dpdk.org
> Cc: Stephen Hemminger <stephen@networkplumber.org>; Konstantin Ananyev <konstantin.ananyev@huawei.com>;
> Marat Khalili <marat.khalili@huawei.com>
> Subject: [PATCH] bpf: fix unitialized warning
> 
> Coverity complains unitialized use of structure.
> 
> Coverity ID: 504611
> Fixes: 17509d474226 ("bpf/validate: fix BPF_ADD of pointer to a scalar")
> 
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
>  lib/bpf/bpf_validate.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
> index f9960088a2..44db85a5a3 100644
> --- a/lib/bpf/bpf_validate.c
> +++ b/lib/bpf/bpf_validate.c
> @@ -659,7 +659,7 @@ eval_apply_mask(struct bpf_reg_val *rv, uint64_t mask)
>  static void
>  eval_add(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, uint64_t msk)
>  {
> -	struct bpf_reg_val rs_buf;
> +	struct bpf_reg_val rs_buf = { 0 };
>  	struct bpf_reg_val rv;
> 
>  	if (RTE_BPF_ARG_PTR_TYPE(rs->v.type) != 0) {
> --
> 2.53.0

The bug is real. Based on the intended meaning should then be:

	struct bpf_reg_val rs_buf = { .v.type = RTE_BPF_ARG_RAW };

Setting type to 0 (RTE_BPF_ARG_UNDEF) is too harsh disallowing even reading,
while we only want to disallow dereferencing the result.

(Unfortunately, this whole dimension is still a massive TODO, this check is not
even present on other ALU operations, and neither do sanitized tests pass which
would catch this problem earlier.)

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-06 12:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-04  4:03 [PATCH] bpf: fix unitialized warning Stephen Hemminger
2026-07-04 16:12 ` Stephen Hemminger
2026-07-06 12:18 ` Marat Khalili

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.