Message-ID: <20210204070132.GZ2696@kadam>
Date:   Thu, 4 Feb 2021 10:01:32 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, "Liam R. Howlett" <Liam.Howlett@...cle.com>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org
Subject: [rcu:willy-maple 137/202] mm/mmap.c:1895 mmap_region() error:
 uninitialized symbol 'next'.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git willy-maple
head:   7e346d2845b4bd77663394f39fa70456e0084c86
commit: 059c8a0bb9679195f39e18eaa5b3f548f13e7226 [137/202] mm/mmap: Change mmap_region to use maple tree state
config: x86_64-randconfig-m001-20210202 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
mm/mmap.c:1895 mmap_region() error: uninitialized symbol 'next'.

vim +/next +1895 mm/mmap.c

0165ab443556bd Miklos Szeredi        2007-07-15  1753  unsigned long mmap_region(struct file *file, unsigned long addr,
897ab3e0c49e24 Mike Rapoport         2017-02-24  1754  		unsigned long len, vm_flags_t vm_flags, unsigned long pgoff,
897ab3e0c49e24 Mike Rapoport         2017-02-24  1755  		struct list_head *uf)
0165ab443556bd Miklos Szeredi        2007-07-15  1756  {
0165ab443556bd Miklos Szeredi        2007-07-15  1757  	struct mm_struct *mm = current->mm;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1758  	struct vm_area_struct *vma = NULL;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1759  	struct vm_area_struct *prev, *next;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1760  	pgoff_t pglen = len >> PAGE_SHIFT;
0165ab443556bd Miklos Szeredi        2007-07-15  1761  	unsigned long charged = 0;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1762  	unsigned long end = addr + len;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1763  	unsigned long merge_start = addr, merge_end = end;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1764  	pgoff_t vm_pgoff;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1765  	int error;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1766  	MA_STATE(mas, &mm->mm_mt, addr, end - 1);
0165ab443556bd Miklos Szeredi        2007-07-15  1767  
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1768  	/* Check against address space limit. */
84638335900f19 Konstantin Khlebnikov 2016-01-14  1769  	if (!may_expand_vm(mm, vm_flags, len >> PAGE_SHIFT)) {
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1770  		unsigned long nr_pages;
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1771  
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1772  		/*
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1773  		 * MAP_FIXED may remove pages of mappings that intersects with
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1774  		 * requested mapping. Account for the pages it would unmap.
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1775  		 */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1776  		nr_pages = count_vma_pages_range(mm, addr, end);
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1777  
84638335900f19 Konstantin Khlebnikov 2016-01-14  1778  		if (!may_expand_vm(mm, vm_flags,
84638335900f19 Konstantin Khlebnikov 2016-01-14  1779  					(len >> PAGE_SHIFT) - nr_pages))
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1780  			return -ENOMEM;
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1781  	}
e8420a8ece80b3 Cyril Hrubis          2013-04-29  1782  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1783  	/* Unmap any existing mapping in the area */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1784  	if (do_munmap(mm, addr, len, uf))
^1da177e4c3f41 Linus Torvalds        2005-04-16  1785  		return -ENOMEM;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1786  
^1da177e4c3f41 Linus Torvalds        2005-04-16  1787  	/*
^1da177e4c3f41 Linus Torvalds        2005-04-16  1788  	 * Private writable mapping: check memory availability
^1da177e4c3f41 Linus Torvalds        2005-04-16  1789  	 */
5a6fe125950676 Mel Gorman            2009-02-10  1790  	if (accountable_mapping(file, vm_flags)) {
^1da177e4c3f41 Linus Torvalds        2005-04-16  1791  		charged = len >> PAGE_SHIFT;
191c542442fdf5 Al Viro               2012-02-13  1792  		if (security_vm_enough_memory_mm(mm, charged))
^1da177e4c3f41 Linus Torvalds        2005-04-16  1793  			return -ENOMEM;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1794  		vm_flags |= VM_ACCOUNT;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1795  	}
^1da177e4c3f41 Linus Torvalds        2005-04-16  1796  
^1da177e4c3f41 Linus Torvalds        2005-04-16  1797  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1798  	if (vm_flags & VM_SPECIAL) {
059c8a0bb96791 Liam R. Howlett       2020-11-10  1799  		prev = mas_prev(&mas, 0);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1800  		goto cannot_expand;

"next" not initialized on this path.

059c8a0bb96791 Liam R. Howlett       2020-11-10  1801  	}
059c8a0bb96791 Liam R. Howlett       2020-11-10  1802  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1803  	/* Attempt to expand an old mapping */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1804  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1805  	/* Check next */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1806  	next = mas_next(&mas, ULONG_MAX);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1807  	if (next && next->vm_start == end && vma_policy(next) &&
059c8a0bb96791 Liam R. Howlett       2020-11-10  1808  	    can_vma_merge_before(next, vm_flags, NULL, file, pgoff+pglen,
059c8a0bb96791 Liam R. Howlett       2020-11-10  1809  				 NULL_VM_UFFD_CTX)) {
059c8a0bb96791 Liam R. Howlett       2020-11-10  1810  		merge_end = next->vm_end;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1811  		vma = next;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1812  		vm_pgoff = next->vm_pgoff - pglen;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1813  	}
059c8a0bb96791 Liam R. Howlett       2020-11-10  1814  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1815  	/* Check prev */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1816  	prev = mas_prev(&mas, 0);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1817  	if (prev && prev->vm_end == addr && !vma_policy(prev) &&
059c8a0bb96791 Liam R. Howlett       2020-11-10  1818  	    can_vma_merge_after(prev, vm_flags, NULL, file, pgoff,
059c8a0bb96791 Liam R. Howlett       2020-11-10  1819  				NULL_VM_UFFD_CTX)) {
059c8a0bb96791 Liam R. Howlett       2020-11-10  1820  		merge_start = prev->vm_start;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1821  		vma = prev;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1822  		vm_pgoff = prev->vm_pgoff;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1823  	}
059c8a0bb96791 Liam R. Howlett       2020-11-10  1824  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1825  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1826  	/* Actually expand, if possible */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1827  	if (vma &&
059c8a0bb96791 Liam R. Howlett       2020-11-10  1828  	    !vma_expand(&mas, vma, merge_start, merge_end, vm_pgoff, next)) {
059c8a0bb96791 Liam R. Howlett       2020-11-10  1829  		khugepaged_enter_vma_merge(prev, vm_flags);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1830  		goto expanded;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1831  	}
059c8a0bb96791 Liam R. Howlett       2020-11-10  1832  
059c8a0bb96791 Liam R. Howlett       2020-11-10  1833  	mas_set_range(&mas, addr, end - 1);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1834  cannot_expand:
^1da177e4c3f41 Linus Torvalds        2005-04-16  1835  	/*
^1da177e4c3f41 Linus Torvalds        2005-04-16  1836  	 * Determine the object being mapped and call the appropriate
^1da177e4c3f41 Linus Torvalds        2005-04-16  1837  	 * specific mapper. the address has already been validated, but
^1da177e4c3f41 Linus Torvalds        2005-04-16  1838  	 * not unmapped, but the maps are removed from the list.
^1da177e4c3f41 Linus Torvalds        2005-04-16  1839  	 */
490fc053865c9c Linus Torvalds        2018-07-21  1840  	vma = vm_area_alloc(mm);
^1da177e4c3f41 Linus Torvalds        2005-04-16  1841  	if (!vma) {
^1da177e4c3f41 Linus Torvalds        2005-04-16  1842  		error = -ENOMEM;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1843  		goto unacct_error;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1844  	}
^1da177e4c3f41 Linus Torvalds        2005-04-16  1845  
^1da177e4c3f41 Linus Torvalds        2005-04-16  1846  	vma->vm_start = addr;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1847  	vma->vm_end = end;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1848  	vma->vm_flags = vm_flags;
3ed75eb8f1cd89 Coly Li               2007-10-18  1849  	vma->vm_page_prot = vm_get_page_prot(vm_flags);
^1da177e4c3f41 Linus Torvalds        2005-04-16  1850  	vma->vm_pgoff = pgoff;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1851  
^1da177e4c3f41 Linus Torvalds        2005-04-16  1852  	if (file) {
^1da177e4c3f41 Linus Torvalds        2005-04-16  1853  		if (vm_flags & VM_DENYWRITE) {
^1da177e4c3f41 Linus Torvalds        2005-04-16  1854  			error = deny_write_access(file);
^1da177e4c3f41 Linus Torvalds        2005-04-16  1855  			if (error)
^1da177e4c3f41 Linus Torvalds        2005-04-16  1856  				goto free_vma;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1857  		}
4bb5f5d9395bc1 David Herrmann        2014-08-08  1858  		if (vm_flags & VM_SHARED) {
4bb5f5d9395bc1 David Herrmann        2014-08-08  1859  			error = mapping_map_writable(file->f_mapping);
4bb5f5d9395bc1 David Herrmann        2014-08-08  1860  			if (error)
4bb5f5d9395bc1 David Herrmann        2014-08-08  1861  				goto allow_write_and_free_vma;
4bb5f5d9395bc1 David Herrmann        2014-08-08  1862  		}
4bb5f5d9395bc1 David Herrmann        2014-08-08  1863  
4bb5f5d9395bc1 David Herrmann        2014-08-08  1864  		/* ->mmap() can change vma->vm_file, but must guarantee that
4bb5f5d9395bc1 David Herrmann        2014-08-08  1865  		 * vma_link() below can deny write-access if VM_DENYWRITE is set
4bb5f5d9395bc1 David Herrmann        2014-08-08  1866  		 * and map writably if VM_SHARED is set. This usually means the
4bb5f5d9395bc1 David Herrmann        2014-08-08  1867  		 * new file must not have been exposed to user-space, yet.
4bb5f5d9395bc1 David Herrmann        2014-08-08  1868  		 */
cb0942b8124979 Al Viro               2012-08-27  1869  		vma->vm_file = get_file(file);
f74ac01520c9f6 Miklos Szeredi        2017-02-20  1870  		error = call_mmap(file, vma);
^1da177e4c3f41 Linus Torvalds        2005-04-16  1871  		if (error)
^1da177e4c3f41 Linus Torvalds        2005-04-16  1872  			goto unmap_and_free_vma;
^1da177e4c3f41 Linus Torvalds        2005-04-16  1873  
309d08d9b3a365 Liu Zixian            2020-12-05  1874  		/* Can addr have changed??
309d08d9b3a365 Liu Zixian            2020-12-05  1875  		 *
309d08d9b3a365 Liu Zixian            2020-12-05  1876  		 * Answer: Yes, several device drivers can do it in their
309d08d9b3a365 Liu Zixian            2020-12-05  1877  		 *         f_op->mmap method. -DaveM
309d08d9b3a365 Liu Zixian            2020-12-05  1878  		 * Bug: If addr is changed, prev, rb_link, rb_parent should
309d08d9b3a365 Liu Zixian            2020-12-05  1879  		 *      be updated for vma_link()
309d08d9b3a365 Liu Zixian            2020-12-05  1880  		 */
309d08d9b3a365 Liu Zixian            2020-12-05  1881  		WARN_ON_ONCE(addr != vma->vm_start);
309d08d9b3a365 Liu Zixian            2020-12-05  1882  
309d08d9b3a365 Liu Zixian            2020-12-05  1883  		addr = vma->vm_start;
309d08d9b3a365 Liu Zixian            2020-12-05  1884  
d70cec8983241a Miaohe Lin            2020-08-06  1885  		/* If vm_flags changed after call_mmap(), we should try merge vma again
d70cec8983241a Miaohe Lin            2020-08-06  1886  		 * as we may succeed this time.
d70cec8983241a Miaohe Lin            2020-08-06  1887  		 */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1888  		if (unlikely(vm_flags != vma->vm_flags && prev &&
059c8a0bb96791 Liam R. Howlett       2020-11-10  1889  			     prev->vm_end == addr && !vma_policy(prev) &&
059c8a0bb96791 Liam R. Howlett       2020-11-10  1890  			     can_vma_merge_after(prev, vm_flags, NULL, file,
059c8a0bb96791 Liam R. Howlett       2020-11-10  1891  						 pgoff, NULL_VM_UFFD_CTX))) {
059c8a0bb96791 Liam R. Howlett       2020-11-10  1892  			merge_start = prev->vm_start;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1893  			vm_pgoff = prev->vm_pgoff;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1894  			if (!vma_expand(&mas, prev, merge_start, merge_end,
059c8a0bb96791 Liam R. Howlett       2020-11-10 @1895  					vm_pgoff, next)) {
                                                                                                  ^^^^
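Warning here.  The code is too complicated to know if it's a false
positive.  Smatch is not very good about tracking bit masks, and in
particular tests like "if (vm_flags & VM_SPECIAL)" are not tracked
across function boundaries...  If the path is real, the VM_SPECIAL
branch at line 1800 jumps to cannot_expand without ever assigning
"next", so this vma_expand() call would be passed an indeterminate
pointer.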

bc4fe4cdd602b3 Miaohe Lin            2020-10-10  1896  				/* ->mmap() can change vma->vm_file and fput the original file. So
bc4fe4cdd602b3 Miaohe Lin            2020-10-10  1897  				 * fput the vma->vm_file here or we would add an extra fput for file
bc4fe4cdd602b3 Miaohe Lin            2020-10-10  1898  				 * and cause general protection fault ultimately.
bc4fe4cdd602b3 Miaohe Lin            2020-10-10  1899  				 */
bc4fe4cdd602b3 Miaohe Lin            2020-10-10  1900  				fput(vma->vm_file);
d70cec8983241a Miaohe Lin            2020-08-06  1901  				vm_area_free(vma);
059c8a0bb96791 Liam R. Howlett       2020-11-10  1902  				vma = prev;
059c8a0bb96791 Liam R. Howlett       2020-11-10  1903  				/* Update vm_flags and possible addr to pick up the change. We don't
059c8a0bb96791 Liam R. Howlett       2020-11-10  1904  				 * warn here if addr changed as the vma is not linked by vma_link().
059c8a0bb96791 Liam R. Howlett       2020-11-10  1905  				 */
059c8a0bb96791 Liam R. Howlett       2020-11-10  1906  				addr = vma->vm_start;
d70cec8983241a Miaohe Lin            2020-08-06  1907  				vm_flags = vma->vm_flags;
d70cec8983241a Miaohe Lin            2020-08-06  1908  				goto unmap_writable;
d70cec8983241a Miaohe Lin            2020-08-06  1909  			}
d70cec8983241a Miaohe Lin            2020-08-06  1910  		}
d70cec8983241a Miaohe Lin            2020-08-06  1911  
^1da177e4c3f41 Linus Torvalds        2005-04-16  1912  		vm_flags = vma->vm_flags;
f8dbf0a7a4c5d9 Huang Shijie          2009-09-21  1913  	} else if (vm_flags & VM_SHARED) {
f8dbf0a7a4c5d9 Huang Shijie          2009-09-21  1914  		error = shmem_zero_setup(vma);
f8dbf0a7a4c5d9 Huang Shijie          2009-09-21  1915  		if (error)
f8dbf0a7a4c5d9 Huang Shijie          2009-09-21  1916  			goto free_vma;
bfd40eaff5abb9 Kirill A. Shutemov    2018-07-26  1917  	} else {

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (34031 bytes)
