From mboxrd@z Thu Jan  1 00:00:00 1970
From: Petr Machata <petrm@mellanox.com>
Subject: Re: Passing uninitialised local variable
Date: Mon, 09 Apr 2018 15:23:07 +0300
Message-ID: <wiho9is602c.fsf@dev-r-vrt-156.mtr.labs.mlnx>
References: <20180328112014.GA11484@himanshu-Vostro-3559>
        <5ABD5735.1050608@broadcom.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: Himanshu Jha <himanshujha199640@gmail.com>,
        franky.lin@broadcom.com, hante.meuleman@broadcom.com,
        chi-hsien.lin@cypress.com, wright.feng@cypress.com,
        kvalo@codeaurora.org, johannes.berg@intel.com,
        linux-wireless@vger.kernel.org,
        brcm80211-dev-list.pdl@broadcom.com,
        brcm80211-dev-list@cypress.com, netdev@vger.kernel.org
To: Arend van Spriel <arend.vanspriel@broadcom.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mail-eopbgr30070.outbound.protection.outlook.com ([40.107.3.70]:45112
        "EHLO EUR03-AM5-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751754AbeDIMXh (ORCPT <rfc822;netdev@vger.kernel.org>);
        Mon, 9 Apr 2018 08:23:37 -0400
In-Reply-To: <5ABD5735.1050608@broadcom.com> (Arend van Spriel's message of
        "Thu, 29 Mar 2018 23:14:29 +0200")
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

Arend van Spriel <arend.vanspriel@broadcom.com> writes:

> On 3/28/2018 1:20 PM, Himanshu Jha wrote:
>> I recently found that a local variable in passed uninitialised to the
>> function at
>>
>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:2950
>>
>>                  u32 var;
>>                  err = brcmf_fil_iovar_int_get(ifp, "dtim_assoc", &var);

>>
>> s32
>> brcmf_fil_iovar_int_get(struct brcmf_if *ifp, char *name, u32 *data)
>> {
>>          __le32 data_le = cpu_to_le32(*data);

>> }
>>
>> We can cleary see that 'var' in used uninitialised in the very first line
>> which is an undefined behavior.
>
> Why undefined? We copy some stack data and we do transfer that to the device. However in this case
> the device does nothing with it and it is simply overwritten by the response.

"Undefined behavior" is a technical term for when there are no
guarantees as to what the result of executing a given code will be. None
at all--it might for example abort, and that would be perfectly valid as
well. (To be clear, this is not about the device, but about the CPU that
this code runs on.)

Uninitialized reads are one example of a code construct that invokes
undefined behavior.

Thanks,
Petr