[1/4] net/failsafe: avoid rte_memcpy if rte_realloc fails
Checks
Commit Message
There is a potential issue seen by static tools if number of multicast
addresses is zero, and rte_realloc of zero size fails (ie returns NULL).
This won't happen in real world for a couple of reasons: Azure doesn't
support multicast (ie this is dead code); and rte_realloc of zero size
will never fail, but safe to just always return -ENOMEM of realloc fails.
Coverity issue: 323487
Fixes: 901efc0da925 ("net/failsafe: support multicast address list set")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
drivers/net/failsafe/failsafe_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 11/6/18 10:30 PM, Stephen Hemminger wrote:
> There is a potential issue seen by static tools if number of multicast
> addresses is zero, and rte_realloc of zero size fails (ie returns NULL).
> This won't happen in real world for a couple of reasons: Azure doesn't
> support multicast (ie this is dead code);
Is it guaranteed that Azure is the only user of the code?
Sorry, it does not sound like an argument at all.
> and rte_realloc of zero size
> will never fail, but safe to just always return -ENOMEM of realloc fails.
It is false statement. If ptr is NULL, rte_malloc() is used which explicitly
returns NULL if size is 0.
> Coverity issue: 323487
It is 100% false alarm from Coverity. rte_memcpy() does nothing
if size is 0 and it is zero if number of addresses is zero.
If we really want to cope with it (I'm not sure), just do rte_memcpy()
in else branch. And it should explained in the comment that it is
required to address false issue from static analysis tool only.
Other option is to add check for dummy set (zero number of addresses
when it is already zero, but it is extra lines of code and extra logic which
is not actually required here. So, more harm from my point of view.
> Fixes: 901efc0da925 ("net/failsafe: support multicast address list set")
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
> drivers/net/failsafe/failsafe_ops.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/failsafe/failsafe_ops.c b/drivers/net/failsafe/failsafe_ops.c
> index 7f8bcd4c69f4..a20953a662e1 100644
> --- a/drivers/net/failsafe/failsafe_ops.c
> +++ b/drivers/net/failsafe/failsafe_ops.c
> @@ -1155,7 +1155,7 @@ fs_set_mc_addr_list(struct rte_eth_dev *dev,
>
> mcast_addrs = rte_realloc(PRIV(dev)->mcast_addrs,
> nb_mc_addr * sizeof(PRIV(dev)->mcast_addrs[0]), 0);
> - if (mcast_addrs == NULL && nb_mc_addr > 0) {
> + if (mcast_addrs == NULL) {
> ret = -ENOMEM;
> goto rollback;
> }
On Wed, 7 Nov 2018 09:30:13 +0300
Andrew Rybchenko <arybchenko@solarflare.com> wrote:
> On 11/6/18 10:30 PM, Stephen Hemminger wrote:
> > There is a potential issue seen by static tools if number of multicast
> > addresses is zero, and rte_realloc of zero size fails (ie returns NULL).
> > This won't happen in real world for a couple of reasons: Azure doesn't
> > support multicast (ie this is dead code);
>
> Is it guaranteed that Azure is the only user of the code?
> Sorry, it does not sound like an argument at all.
There are no guarantees in life...
Failsafe in DPDK is probably only useful with Azure.
AWS, GCP, and other clouds handle virtual networking differently.
There has been some talk of doing similar things with KVM, but the device
model is different there. Failsafe makes some assumptions about device
layering that are specific to Azure. It also has some generalizations about
cases that will never matter.
Vdev_netvsc is definitely Azure specific. It will be deprecated once
netvsc PMD is more widely supported.
>
> > and rte_realloc of zero size
> > will never fail, but safe to just always return -ENOMEM of realloc fails.
>
> It is false statement. If ptr is NULL, rte_malloc() is used which explicitly
> returns NULL if size is 0.
>
> > Coverity issue: 323487
>
> It is 100% false alarm from Coverity. rte_memcpy() does nothing
> if size is 0 and it is zero if number of addresses is zero.
> If we really want to cope with it (I'm not sure), just do rte_memcpy()
> in else branch. And it should explained in the comment that it is
> required to address false issue from static analysis tool only.
>
> Other option is to add check for dummy set (zero number of addresses
> when it is already zero, but it is extra lines of code and extra logic which
> is not actually required here. So, more harm from my point of view.
We are in agreement, it is a false alarm because:
* Coverity assumes that memcpy and rte_memcpy have same semantics.
* the case can't never happen
Any solution is fine because of that. You could flag it as false in Coverity
or change code to avoid warning. Just want to get it fixed, don't care how.
On 11/7/18 9:15 PM, Stephen Hemminger wrote:
> Any solution is fine because of that. You could flag it as false in Coverity
> or change code to avoid warning. Just want to get it fixed, don't care how.
Done, marked it as false positive in Coverity and provided explanation why.
Andrew.
@@ -1155,7 +1155,7 @@ fs_set_mc_addr_list(struct rte_eth_dev *dev,
mcast_addrs = rte_realloc(PRIV(dev)->mcast_addrs,
nb_mc_addr * sizeof(PRIV(dev)->mcast_addrs[0]), 0);
- if (mcast_addrs == NULL && nb_mc_addr > 0) {
+ if (mcast_addrs == NULL) {
ret = -ENOMEM;
goto rollback;
}