----- Forwarded message from scan-admin@xxxxxxxxxxxx -----
> Date: Tue, 20 Mar 2018 23:19:18 +0000 (UTC)
> From: scan-admin@xxxxxxxxxxxx
> Subject: New Defects reported by Coverity Scan for rdma-core
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to rdma-core found with Coverity Scan.
>
> 101 new defect(s) introduced to rdma-core found with Coverity Scan.
> 100 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 101 defect(s)
>
>
> ** CID 1465990: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465990: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/ipathverbs/verbs.c: 544 in ipath_create_srq_v1()
> 538 int ret;
> 539
> 540 srq = malloc(sizeof *srq);
> 541 if (srq == NULL)
> 542 return NULL;
> 543
> >>> CID 1465990: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
> 544 ret = ibv_cmd_create_srq(pd, srq, attr, &cmd, sizeof cmd,
> 545 &resp, sizeof resp);
> 546 if (ret) {
> 547 free(srq);
> 548 return NULL;
> 549 }
>
> ** CID 1465989: Control flow issues (DEADCODE)
> /home/bart/software/infiniband/rdma-core/librdmacm/acm.c: 140 in ucma_ib_init()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465989: Control flow issues (DEADCODE)
> /home/bart/software/infiniband/rdma-core/librdmacm/acm.c: 140 in ucma_ib_init()
> 134
> 135 if (init)
> 136 return;
> 137
> 138 pthread_mutex_lock(&acm_lock);
> 139 if (init)
> >>> CID 1465989: Control flow issues (DEADCODE)
> >>> Execution cannot reach this statement: "goto unlock;".
> 140 goto unlock;
> 141
> 142 if (!ucma_set_server_port())
> 143 goto out;
> 144
> 145 sock = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP);
>
> ** CID 1465988: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465988: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/hfi1verbs/verbs.c: 372 in hfi1_create_qp_v1()
> 366 int ret;
> 367
> 368 qp = malloc(sizeof *qp);
> 369 if (!qp)
> 370 return NULL;
> 371
> >>> CID 1465988: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
> 372 ret = ibv_cmd_create_qp(pd, qp, attr, &cmd, sizeof cmd,
> 373 &resp, sizeof resp);
> 374 if (ret) {
> 375 free(qp);
> 376 return NULL;
> 377 }
>
> ** CID 1465987: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/ipathverbs/verbs.c: 168 in ipath_create_cq()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465987: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/ipathverbs/verbs.c: 168 in ipath_create_cq()
> 162 if (ret) {
> 163 free(cq);
> 164 return NULL;
> 165 }
> 166
> 167 size = sizeof(struct ipath_cq_wc) + sizeof(struct ipath_wc) * cqe;
> >>> CID 1465987: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "resp.offset" when calling "mmap".
> 168 cq->queue = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
> 169 context->cmd_fd, resp.offset);
> 170 if ((void *) cq->queue == MAP_FAILED) {
> 171 ibv_cmd_destroy_cq(&cq->ibv_cq);
> 172 free(cq);
> 173 return NULL;
>
> ** CID 1465986: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 399 in copy_eth_inline_headers()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465986: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 399 in copy_eth_inline_headers()
> 393 wr->num_sge);
> 394 return EINVAL;
> 395 }
> 396
> 397 if (likely(wr->sg_list[0].length >= MLX5_ETH_L2_INLINE_HEADER_SIZE)) {
> 398 inl_hdr_copy_size = MLX5_ETH_L2_INLINE_HEADER_SIZE;
> >>> CID 1465986: Memory - corruptions (OVERRUN)
> >>> Overrunning array "eseg->inline_hdr_start" of 2 bytes by passing it to a function which accesses it at byte offset 17 using argument "inl_hdr_copy_size" (which evaluates to 18).
> 399 memcpy(eseg->inline_hdr_start,
> 400 (void *)(uintptr_t)wr->sg_list[0].addr,
> 401 inl_hdr_copy_size);
> 402 } else {
> 403 for (j = 0; j < wr->num_sge && inl_hdr_size > 0; ++j) {
> 404 inl_hdr_copy_size = min(wr->sg_list[j].length,
>
> ** CID 1465985: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465985: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/mthca/verbs.c: 458 in mthca_modify_srq()
> 452 int mthca_modify_srq(struct ibv_srq *srq,
> 453 struct ibv_srq_attr *attr,
> 454 int attr_mask)
> 455 {
> 456 struct ibv_modify_srq cmd;
> 457
> >>> CID 1465985: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ibv_modify_srq of 24 bytes by passing it to a function which accesses it at byte offset 24.
> 458 return ibv_cmd_modify_srq(srq, attr, attr_mask, &cmd, sizeof cmd);
> 459 }
> 460
> 461 int mthca_query_srq(struct ibv_srq *srq,
> 462 struct ibv_srq_attr *attr)
> 463 {
>
> ** CID 1465984: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/mlx4/verbs.c: 431 in mlx4_cmd_create_cq()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465984: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/mlx4/verbs.c: 431 in mlx4_cmd_create_cq()
> 425 ret = ibv_cmd_create_cq(context, cq_attr->cqe, cq_attr->channel,
> 426 cq_attr->comp_vector,
> 427 ibv_cq_ex_to_cq(&cq->ibv_cq),
> 428 &cmd.ibv_cmd, sizeof(cmd),
> 429 &resp.ibv_resp, sizeof(resp));
> 430 if (!ret)
> >>> CID 1465984: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "resp.cqn".
> 431 cq->cqn = resp.cqn;
> 432
> 433 return ret;
> 434
> 435 }
> 436
>
> ** CID 1465983: Resource leaks (RESOURCE_LEAK)
> /home/bart/software/infiniband/rdma-core/providers/i40iw/i40iw_umain.c: 173 in i40iw_ualloc_context()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465983: Resource leaks (RESOURCE_LEAK)
> /home/bart/software/infiniband/rdma-core/providers/i40iw/i40iw_umain.c: 173 in i40iw_ualloc_context()
> 167 ibv_pd = i40iw_ualloc_pd(&iwvctx->ibv_ctx.context);
> 168 if (!ibv_pd)
> 169 goto err_free;
> 170 ibv_pd->context = &iwvctx->ibv_ctx.context;
> 171 iwvctx->iwupd = to_i40iw_upd(ibv_pd);
> 172
> >>> CID 1465983: Resource leaks (RESOURCE_LEAK)
> >>> Variable "ibv_pd" going out of scope leaks the storage it points to.
> 173 return &iwvctx->ibv_ctx;
> 174
> 175 err_free:
> 176 fprintf(stderr, PFX "%s: failed to allocate context for device.\n", __func__);
> 177 verbs_uninit_context(&iwvctx->ibv_ctx);
> 178 free(iwvctx);
>
> ** CID 1465982: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465982: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/cxgb3/verbs.c: 303 in iwch_create_qp()
> 297
> 298 PDBG("%s enter qp\n", __FUNCTION__);
> 299 qhp = calloc(1, sizeof *qhp);
> 300 if (!qhp)
> 301 goto err1;
> 302
> >>> CID 1465982: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
> 303 ret = ibv_cmd_create_qp(pd, &qhp->ibv_qp, attr, &cmd.ibv_cmd,
> 304 sizeof cmd, &resp.ibv_resp, sizeof resp);
> 305 if (ret)
> 306 goto err2;
> 307
> 308 PDBG("%s qpid 0x%x physaddr %" PRIx64 " doorbell %" PRIx64
>
> ** CID 1465981: Insecure data handling (TAINTED_SCALAR)
> /home/bart/software/infiniband/rdma-core/libibverbs/memory.c: 154 in ibv_fork_init()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465981: Insecure data handling (TAINTED_SCALAR)
> /home/bart/software/infiniband/rdma-core/libibverbs/memory.c: 154 in ibv_fork_init()
> 148 tmp_aligned = (void *) ((uintptr_t) tmp & ~(size - 1));
> 149 } else {
> 150 size = page_size;
> 151 tmp_aligned = tmp;
> 152 }
> 153
> >>> CID 1465981: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted variable "size" to a tainted sink.
> 154 ret = madvise(tmp_aligned, size, MADV_DONTFORK) ||
> 155 madvise(tmp_aligned, size, MADV_DOFORK);
> 156
> 157 free(tmp);
> 158
> 159 if (ret)
>
> ** CID 1465980: (BUFFER_SIZE)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 672 in mlx5_post_send_underlay()
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 672 in mlx5_post_send_underlay()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465980: (BUFFER_SIZE)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 672 in mlx5_post_send_underlay()
> 666 inl_hdr_copy_size = MLX5_IPOIB_INLINE_MIN_HEADER_SIZE;
> 667 /* We expect at least 4 bytes as part of first entry to hold the IPoIB header */
> 668 if (unlikely(wr->sg_list[0].length < inl_hdr_copy_size))
> 669 return EINVAL;
> 670 }
> 671
> >>> CID 1465980: (BUFFER_SIZE)
> >>> You might overrun the 2 byte destination string "eseg->inline_hdr_start" by writing the maximum 18 bytes from "(void *)(uintptr_t)(wr->sg_list + 0).addr".
> 672 memcpy(eseg->inline_hdr_start, (void *)(uintptr_t)wr->sg_list[0].addr,
> 673 inl_hdr_copy_size);
> 674 eseg->inline_hdr_sz = htobe16(inl_hdr_copy_size);
> 675 size += sizeof(struct mlx5_wqe_eth_seg);
> 676 seg += sizeof(struct mlx5_wqe_eth_seg);
> 677
> /home/bart/software/infiniband/rdma-core/providers/mlx5/qp.c: 672 in mlx5_post_send_underlay()
> 666 inl_hdr_copy_size = MLX5_IPOIB_INLINE_MIN_HEADER_SIZE;
> 667 /* We expect at least 4 bytes as part of first entry to hold the IPoIB header */
> 668 if (unlikely(wr->sg_list[0].length < inl_hdr_copy_size))
> 669 return EINVAL;
> 670 }
> 671
> >>> CID 1465980: (BUFFER_SIZE)
> >>> You might overrun the 2 byte destination string "eseg->inline_hdr_start" by writing the maximum 4 bytes from "(void *)(uintptr_t)(wr->sg_list + 0).addr".
> 672 memcpy(eseg->inline_hdr_start, (void *)(uintptr_t)wr->sg_list[0].addr,
> 673 inl_hdr_copy_size);
> 674 eseg->inline_hdr_sz = htobe16(inl_hdr_copy_size);
> 675 size += sizeof(struct mlx5_wqe_eth_seg);
> 676 seg += sizeof(struct mlx5_wqe_eth_seg);
> 677
>
> ** CID 1465979: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/rxe/rxe.c: 300 in rxe_create_srq()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465979: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/rxe/rxe.c: 300 in rxe_create_srq()
> 294 if ((void *)srq->rq.queue == MAP_FAILED) {
> 295 ibv_cmd_destroy_srq(&srq->ibv_srq);
> 296 free(srq);
> 297 return NULL;
> 298 }
> 299
> >>> CID 1465979: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "resp.mi". Field "resp.mi.offset" is uninitialized.
> 300 srq->mmap_info = resp.mi;
> 301 srq->rq.max_sge = attr->attr.max_sge;
> 302 pthread_spin_init(&srq->rq.lock, PTHREAD_PROCESS_PRIVATE);
> 303
> 304 return &srq->ibv_srq;
> 305 }
>
> ** CID 1465978: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465978: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/ipathverbs/verbs.c: 349 in ipath_create_qp_v1()
> 343 int ret;
> 344
> 345 qp = malloc(sizeof *qp);
> 346 if (!qp)
> 347 return NULL;
> 348
> >>> CID 1465978: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
> 349 ret = ibv_cmd_create_qp(pd, qp, attr, &cmd, sizeof cmd,
> 350 &resp, sizeof resp);
> 351 if (ret) {
> 352 free(qp);
> 353 return NULL;
> 354 }
>
> ** CID 1465977: Program hangs (LOCK)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/verbs.c: 1824 in create_qp()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465977: Program hangs (LOCK)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/verbs.c: 1824 in create_qp()
> 1818 err_free_qp_buf:
> 1819 mlx5_free_qp_buf(ctx, qp);
> 1820
> 1821 err:
> 1822 free(qp);
> 1823
> >>> CID 1465977: Program hangs (LOCK)
> >>> Returning without unlocking "ctx->qp_table_mutex".
> 1824 return NULL;
> 1825 }
> 1826
> 1827 struct ibv_qp *mlx5_create_qp(struct ibv_pd *pd,
> 1828 struct ibv_qp_init_attr *attr)
> 1829 {
>
> ** CID 1465976: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465976: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/mthca/verbs.c: 421 in mthca_create_srq()
> 415 } else {
> 416 cmd.db_page = cmd.db_index = 0;
> 417 }
> 418
> 419 cmd.lkey = srq->mr->lkey;
> 420
> >>> CID 1465976: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_srq_resp of 16 bytes by passing it to a function which accesses it at byte offset 16.
> 421 ret = ibv_cmd_create_srq(pd, &srq->ibv_srq, attr,
> 422 &cmd.ibv_cmd, sizeof cmd,
> 423 &resp.ibv_resp, sizeof resp);
> 424 if (ret)
> 425 goto err_db;
> 426
>
> ** CID 1465929: Uninitialized variables (UNINIT)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465929: Uninitialized variables (UNINIT)
> /home/bart/software/infiniband/rdma-core/providers/mlx5/verbs.c: 923 in mlx5_create_srq()
> 917 pthread_mutex_lock(&ctx->srq_table_mutex);
> 918 ret = ibv_cmd_create_srq(pd, ibsrq, attr, &cmd.ibv_cmd, sizeof(cmd),
> 919 &resp.ibv_resp, sizeof(resp));
> 920 if (ret)
> 921 goto err_db;
> 922
> >>> CID 1465929: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "resp.srqn" when calling "mlx5_store_srq".
> 923 ret = mlx5_store_srq(ctx, resp.srqn, srq);
> 924 if (ret)
> 925 goto err_destroy;
> 926
> 927 pthread_mutex_unlock(&ctx->srq_table_mutex);
> 928
>
> ** CID 1465928: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465928: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/mlx4/verbs.c: 730 in mlx4_modify_srq()
> 724 int mlx4_modify_srq(struct ibv_srq *srq,
> 725 struct ibv_srq_attr *attr,
> 726 int attr_mask)
> 727 {
> 728 struct ibv_modify_srq cmd;
> 729
> >>> CID 1465928: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ibv_modify_srq of 24 bytes by passing it to a function which accesses it at byte offset 24.
> 730 return ibv_cmd_modify_srq(srq, attr, attr_mask, &cmd, sizeof cmd);
> 731 }
> 732
> 733 int mlx4_query_srq(struct ibv_srq *srq,
> 734 struct ibv_srq_attr *attr)
> 735 {
>
> ** CID 1465927: Error handling issues (CHECKED_RETURN)
> /home/bart/software/infiniband/rdma-core/ibacm/prov/acmp/src/acmp.c: 1320 in acmp_comp_handler()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465927: Error handling issues (CHECKED_RETURN)
> /home/bart/software/infiniband/rdma-core/ibacm/prov/acmp/src/acmp.c: 1320 in acmp_comp_handler()
> 1314 acm_log(0, "Error: failed to set cancel state for dev %s\n",
> 1315 dev->verbs->device->name);
> 1316 pthread_exit(NULL);
> 1317 }
> 1318 while (1) {
> 1319 pthread_testcancel();
> >>> CID 1465927: Error handling issues (CHECKED_RETURN)
> >>> Calling "ibv_get_cq_event" without checking return value (as is done elsewhere 4 out of 5 times).
> 1320 ibv_get_cq_event(dev->channel, &cq, (void *) &ep);
> 1321
> 1322 cnt = 0;
> 1323 while (ibv_poll_cq(cq, 1, &wc) > 0) {
> 1324 cnt++;
> 1325 acmp_process_comp(ep, &wc);
>
> ** CID 1465926: Concurrent data access violations (MISSING_LOCK)
> /home/bart/software/infiniband/rdma-core/srp_daemon/srp_sync.c: 220 in pop_from_list()
>
>
> ________________________________________________________________________________________________________
> *** CID 1465926: Concurrent data access violations (MISSING_LOCK)
> /home/bart/software/infiniband/rdma-core/srp_daemon/srp_sync.c: 220 in pop_from_list()
> 214 *pkey = res->tasks[0].pkey;
> 215 *gid = res->tasks[0].gid;
> 216 /* push the rest down */
> 217 for (i=1; i < res->next_task; ++i)
> 218 res->tasks[i-1] = res->tasks[i];
> 219 ret = 1;
> >>> CID 1465926: Concurrent data access violations (MISSING_LOCK)
> >>> Accessing "res->next_task" without holding lock "sync_resources.mutex". Elsewhere, "sync_resources.next_task" is accessed with "sync_resources.mutex" held 5 out of 7 times (1 of these accesses strongly imply that it is necessary).
> 220 --res->next_task;
> 221 }
> 222
> 223 return ret;
> 224 }
> 225
>
> ** CID 1465925: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 1465925: Memory - corruptions (OVERRUN)
> /home/bart/software/infiniband/rdma-core/providers/cxgb4/verbs.c: 317 in create_qp_v0()
> 311
> 312 PDBG("%s enter qp\n", __func__);
> 313 qhp = calloc(1, sizeof *qhp);
> 314 if (!qhp)
> 315 goto err1;
> 316
> >>> CID 1465925: Memory - corruptions (OVERRUN)
> >>> Overrunning struct type ib_uverbs_create_qp_resp of 32 bytes by passing it to a function which accesses it at byte offset 32.
> 317 ret = ibv_cmd_create_qp(pd, &qhp->ibv_qp, attr, &cmd,
> 318 sizeof cmd, &resp.ibv_resp, sizeof resp);
> 319 if (ret)
> 320 goto err2;
> 321
> 322 PDBG("%s sqid 0x%x sq key %" PRIx64 " sq db/gts key %" PRIx64
>
>
----- End forwarded message -----
Attachment:
signature.asc
Description: PGP signature
