Date:   Mon, 26 Jul 2021 11:45:26 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     kbuild-all@...ts.01.org, LKML <linux-kernel@...r.kernel.org>
Subject: [hch-misc:i915-mdev 39/40] drivers/vfio/vfio.c:395:36: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]


tree:   git://git.infradead.org/users/hch/misc.git i915-mdev
head:   3e7e1da34feaeb5473f397c9cab73b4eb7f6a33c
commit: f560e86c73f1bfff2ef69bb00b6a66d81f5f2c86 [39/40] vfio: grab a group reference in vfio_group_container_acquire
:::::: branch date: 20 hours ago
:::::: commit date: 20 hours ago
config: x86_64-randconfig-c001-20210725 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 3f2c1e99e44d028d5e9dd685f3c568f2661f2f68)
reproduce (this is a W=1 build):
         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
         chmod +x ~/bin/make.cross
         # install x86_64 cross compiling tool for clang build
         # apt-get install binutils-x86-64-linux-gnu
         git remote add hch-misc git://git.infradead.org/users/hch/misc.git
         git fetch --no-tags hch-misc i915-mdev
         git checkout f560e86c73f1bfff2ef69bb00b6a66d81f5f2c86
         # save the attached .config to linux build tree
         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


clang-analyzer warnings: (new ones prefixed by >>)
    net/netlink/genetlink.c:1453:2: note: Loop condition is false. Exiting loop
            for_each_net_rcu(net) {
            ^
    include/net/net_namespace.h:337:2: note: expanded from macro 'for_each_net_rcu'
            list_for_each_entry_rcu(VAR, &net_namespace_list, list)
            ^
    include/linux/rculist.h:392:13: note: expanded from macro 'list_for_each_entry_rcu'
                 pos = list_entry_rcu((head)->next, typeof(*pos), member);  \
                       ^
    include/linux/rculist.h:316:2: note: expanded from macro 'list_entry_rcu'
            container_of(READ_ONCE(ptr), type, member)
            ^
    note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
    include/linux/compiler_types.h:328:2: note: expanded from macro 'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro '_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:306:2: note: expanded from macro '__compiletime_assert'
            do {  \
            ^
    net/netlink/genetlink.c:1453:2: note: Loop condition is false. Execution continues on line 1471
            for_each_net_rcu(net) {
            ^
    include/net/net_namespace.h:337:2: note: expanded from macro 'for_each_net_rcu'
            list_for_each_entry_rcu(VAR, &net_namespace_list, list)
            ^
    include/linux/rculist.h:391:2: note: expanded from macro 'list_for_each_entry_rcu'
            for (__list_check_rcu(dummy, ## cond, 0),  \
            ^
    net/netlink/genetlink.c:1471:24: note: Access to field 'genl_sock' results in a dereference of a null pointer (loaded from variable 'prev')
            err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
                                  ^~~~
    Suppressed 9 warnings (9 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
    11 warnings generated.
    drivers/net/fjes/fjes_hw.c:435:2: warning: Value stored to 'result' is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:435:2: note: Value stored to 'result' is never read
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:541:2: warning: Value stored to 'result' is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:541:2: note: Value stored to 'result' is never read
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:631:2: warning: Value stored to 'result' is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:631:2: note: Value stored to 'result' is never read
            result = 0;
            ^        ~
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
    5 warnings generated.
>> drivers/vfio/vfio.c:395:36: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
            struct iommu_group *iommu_group = group->iommu_group;
                                              ^
    drivers/vfio/vfio.c:2159:6: note: Assuming 'dev' is non-null
            if (!dev || !nb)
                ^~~~
    drivers/vfio/vfio.c:2159:6: note: Left side of '||' is false
    drivers/vfio/vfio.c:2159:14: note: Assuming 'nb' is non-null
            if (!dev || !nb)
                        ^~~
    drivers/vfio/vfio.c:2159:2: note: Taking false branch
            if (!dev || !nb)
            ^
    drivers/vfio/vfio.c:2163:7: note: 'group' is non-null
            if (!group)
                 ^~~~~
    drivers/vfio/vfio.c:2163:2: note: Taking false branch
            if (!group)
            ^
    drivers/vfio/vfio.c:2166:2: note: Control jumps to 'case VFIO_GROUP_NOTIFY:'  at line 2170
            switch (type) {
            ^
    drivers/vfio/vfio.c:2171:9: note: Calling 'vfio_unregister_group_notifier'
                    ret = vfio_unregister_group_notifier(group, nb);
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:2114:6: note: 'ret' is 0
            if (ret)
                ^~~
    drivers/vfio/vfio.c:2114:2: note: Taking false branch
            if (ret)
            ^
    drivers/vfio/vfio.c:2119:2: note: Calling 'vfio_group_container_release'
            vfio_group_container_release(group);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:1354:6: note: Assuming the condition is false
            if (!atomic_dec_if_positive(&group->container_users))
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:1354:2: note: Taking false branch
            if (!atomic_dec_if_positive(&group->container_users))
            ^
    drivers/vfio/vfio.c:1356:2: note: Calling 'vfio_group_put'
            vfio_group_put(group);
            ^~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:415:2: note: Calling 'kref_put_mutex'
            kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    include/linux/kref.h:75:6: note: Assuming the condition is true
            if (refcount_dec_and_mutex_lock(&kref->refcount, lock)) {
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    include/linux/kref.h:75:2: note: Taking true branch
            if (refcount_dec_and_mutex_lock(&kref->refcount, lock)) {
            ^
    include/linux/kref.h:76:3: note: Calling 'vfio_group_release'
                    release(kref);
                    ^~~~~~~~~~~~~
    drivers/vfio/vfio.c:393:29: note: Left side of '&&' is false
            struct vfio_group *group = container_of(kref, struct vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
                                                                       ^
    drivers/vfio/vfio.c:393:29: note: Taking false branch
            struct vfio_group *group = container_of(kref, struct vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
            ^
    include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
    #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                        ^
    include/linux/compiler_types.h:328:2: note: expanded from macro 'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro '_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:308:3: note: expanded from macro '__compiletime_assert'
                    if (!(condition))  \
                    ^
    drivers/vfio/vfio.c:393:29: note: Loop condition is false.  Exiting loop
            struct vfio_group *group = container_of(kref, struct vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
            ^
    include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
    #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                        ^
    include/linux/compiler_types.h:328:2: note: expanded from macro 'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro '_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:306:2: note: expanded from macro '__compiletime_assert'
            do {  \
            ^
    drivers/vfio/vfio.c:397:2: note: Assuming '__ret_warn_on' is 0
            WARN_ON(!list_empty(&group->device_list));
            ^
    include/asm-generic/bug.h:122:6: note: expanded from macro 'WARN_ON'

vim +395 drivers/vfio/vfio.c

cba3345cc494ad Alex Williamson 2012-07-31  389
6d2cd3ce815b30 Al Viro         2012-08-17  390  /* called with vfio.group_lock held */
cba3345cc494ad Alex Williamson 2012-07-31  391  static void vfio_group_release(struct kref *kref)
cba3345cc494ad Alex Williamson 2012-07-31  392  {
cba3345cc494ad Alex Williamson 2012-07-31  393  	struct vfio_group *group = container_of(kref, struct vfio_group, kref);
60720a0fc6469e Alex Williamson 2015-02-06  394  	struct vfio_unbound_dev *unbound, *tmp;
4a68810dbbb466 Alex Williamson 2015-02-06 @395  	struct iommu_group *iommu_group = group->iommu_group;
cba3345cc494ad Alex Williamson 2012-07-31  396
cba3345cc494ad Alex Williamson 2012-07-31  397  	WARN_ON(!list_empty(&group->device_list));
65b1adebfe43c6 Alex Williamson 2017-03-21  398  	WARN_ON(group->notifier.head);
cba3345cc494ad Alex Williamson 2012-07-31  399
60720a0fc6469e Alex Williamson 2015-02-06  400  	list_for_each_entry_safe(unbound, tmp,
60720a0fc6469e Alex Williamson 2015-02-06  401  				 &group->unbound_list, unbound_next) {
60720a0fc6469e Alex Williamson 2015-02-06  402  		list_del(&unbound->unbound_next);
60720a0fc6469e Alex Williamson 2015-02-06  403  		kfree(unbound);
60720a0fc6469e Alex Williamson 2015-02-06  404  	}
60720a0fc6469e Alex Williamson 2015-02-06  405
d10999016f4164 Alex Williamson 2013-12-19  406  	device_destroy(vfio.class, MKDEV(MAJOR(vfio.group_devt), group->minor));
cba3345cc494ad Alex Williamson 2012-07-31  407  	list_del(&group->vfio_next);
cba3345cc494ad Alex Williamson 2012-07-31  408  	vfio_free_group_minor(group->minor);
9df7b25ab71cee Jiang Liu       2012-12-07  409  	vfio_group_unlock_and_free(group);
4a68810dbbb466 Alex Williamson 2015-02-06  410  	iommu_group_put(iommu_group);
cba3345cc494ad Alex Williamson 2012-07-31  411  }
cba3345cc494ad Alex Williamson 2012-07-31  412
:::::: The code at line 395 was first introduced by commit
:::::: 4a68810dbbb4664fe4a9ac1be4d1c0e34a9b58f5 vfio: Tie IOMMU group reference to vfio group

:::::: TO: Alex Williamson <alex.williamson@...hat.com>
:::::: CC: Alex Williamson <alex.williamson@...hat.com>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

