lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <16405b7e-a582-1247-f5a6-c76f76ba087d@intel.com>
Date:   Mon, 26 Jul 2021 11:45:26 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     kbuild-all@...ts.01.org, LKML <linux-kernel@...r.kernel.org>
Subject: [hch-misc:i915-mdev 39/40] drivers/vfio/vfio.c:395:36: warning: Use
 of memory after it is freed [clang-analyzer-unix.Malloc]


tree:   git://git.infradead.org/users/hch/misc.git i915-mdev
head:   3e7e1da34feaeb5473f397c9cab73b4eb7f6a33c
commit: f560e86c73f1bfff2ef69bb00b6a66d81f5f2c86 [39/40] vfio: grab a 
group reference in vfio_group_container_acquire
:::::: branch date: 20 hours ago
:::::: commit date: 20 hours ago
config: x86_64-randconfig-c001-20210725 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 
3f2c1e99e44d028d5e9dd685f3c568f2661f2f68)
reproduce (this is a W=1 build):
         wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross 
-O ~/bin/make.cross
         chmod +x ~/bin/make.cross
         # install x86_64 cross compiling tool for clang build
         # apt-get install binutils-x86-64-linux-gnu
         git remote add hch-misc git://git.infradead.org/users/hch/misc.git
         git fetch --no-tags hch-misc i915-mdev
         git checkout f560e86c73f1bfff2ef69bb00b6a66d81f5f2c86
         # save the attached .config to linux build tree
         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross 
clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


clang-analyzer warnings: (new ones prefixed by >>)
    net/netlink/genetlink.c:1453:2: note: Loop condition is false. 
Exiting loop
            for_each_net_rcu(net) {
            ^
    include/net/net_namespace.h:337:2: note: expanded from macro 
'for_each_net_rcu'
            list_for_each_entry_rcu(VAR, &net_namespace_list, list)
            ^
    include/linux/rculist.h:392:13: note: expanded from macro 
'list_for_each_entry_rcu'
                 pos = list_entry_rcu((head)->next, typeof(*pos), 
member);  \
                       ^
    include/linux/rculist.h:316:2: note: expanded from macro 
'list_entry_rcu'
            container_of(READ_ONCE(ptr), type, member)
            ^
    note: (skipping 2 expansions in backtrace; use 
-fmacro-backtrace-limit=0 to see all)
    include/linux/compiler_types.h:328:2: note: expanded from macro 
'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, 
__COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro 
'_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:306:2: note: expanded from macro 
'__compiletime_assert'
            do { 
     \
            ^
    net/netlink/genetlink.c:1453:2: note: Loop condition is false. 
Execution continues on line 1471
            for_each_net_rcu(net) {
            ^
    include/net/net_namespace.h:337:2: note: expanded from macro 
'for_each_net_rcu'
            list_for_each_entry_rcu(VAR, &net_namespace_list, list)
            ^
    include/linux/rculist.h:391:2: note: expanded from macro 
'list_for_each_entry_rcu'
            for (__list_check_rcu(dummy, ## cond, 0), 
     \
            ^
    net/netlink/genetlink.c:1471:24: note: Access to field 'genl_sock' 
results in a dereference of a null pointer (loaded from variable 'prev')
            err = nlmsg_multicast(prev->genl_sock, skb, portid, group, 
flags);
                                  ^~~~
    Suppressed 9 warnings (9 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    12 warnings generated.
    Suppressed 12 warnings (12 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    11 warnings generated.
    Suppressed 11 warnings (11 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    11 warnings generated.
    Suppressed 11 warnings (11 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    19 warnings generated.
    Suppressed 19 warnings (19 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    11 warnings generated.
    Suppressed 11 warnings (11 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    11 warnings generated.
    drivers/net/fjes/fjes_hw.c:435:2: warning: Value stored to 'result' 
is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:435:2: note: Value stored to 'result' is 
never read
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:541:2: warning: Value stored to 'result' 
is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:541:2: note: Value stored to 'result' is 
never read
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:631:2: warning: Value stored to 'result' 
is never read [clang-analyzer-deadcode.DeadStores]
            result = 0;
            ^        ~
    drivers/net/fjes/fjes_hw.c:631:2: note: Value stored to 'result' is 
never read
            result = 0;
            ^        ~
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    18 warnings generated.
    Suppressed 18 warnings (18 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    Suppressed 8 warnings (8 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    5 warnings generated.
>> drivers/vfio/vfio.c:395:36: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
            struct iommu_group *iommu_group = group->iommu_group;
                                              ^
    drivers/vfio/vfio.c:2159:6: note: Assuming 'dev' is non-null
            if (!dev || !nb)
                ^~~~
    drivers/vfio/vfio.c:2159:6: note: Left side of '||' is false
    drivers/vfio/vfio.c:2159:14: note: Assuming 'nb' is non-null
            if (!dev || !nb)
                        ^~~
    drivers/vfio/vfio.c:2159:2: note: Taking false branch
            if (!dev || !nb)
            ^
    drivers/vfio/vfio.c:2163:7: note: 'group' is non-null
            if (!group)
                 ^~~~~
    drivers/vfio/vfio.c:2163:2: note: Taking false branch
            if (!group)
            ^
    drivers/vfio/vfio.c:2166:2: note: Control jumps to 'case 
VFIO_GROUP_NOTIFY:'  at line 2170
            switch (type) {
            ^
    drivers/vfio/vfio.c:2171:9: note: Calling 
'vfio_unregister_group_notifier'
                    ret = vfio_unregister_group_notifier(group, nb);
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:2114:6: note: 'ret' is 0
            if (ret)
                ^~~
    drivers/vfio/vfio.c:2114:2: note: Taking false branch
            if (ret)
            ^
    drivers/vfio/vfio.c:2119:2: note: Calling 'vfio_group_container_release'
            vfio_group_container_release(group);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:1354:6: note: Assuming the condition is false
            if (!atomic_dec_if_positive(&group->container_users))
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:1354:2: note: Taking false branch
            if (!atomic_dec_if_positive(&group->container_users))
            ^
    drivers/vfio/vfio.c:1356:2: note: Calling 'vfio_group_put'
            vfio_group_put(group);
            ^~~~~~~~~~~~~~~~~~~~~
    drivers/vfio/vfio.c:415:2: note: Calling 'kref_put_mutex'
            kref_put_mutex(&group->kref, vfio_group_release, 
&vfio.group_lock);
 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    include/linux/kref.h:75:6: note: Assuming the condition is true
            if (refcount_dec_and_mutex_lock(&kref->refcount, lock)) {
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    include/linux/kref.h:75:2: note: Taking true branch
            if (refcount_dec_and_mutex_lock(&kref->refcount, lock)) {
            ^
    include/linux/kref.h:76:3: note: Calling 'vfio_group_release'
                    release(kref);
                    ^~~~~~~~~~~~~
    drivers/vfio/vfio.c:393:29: note: Left side of '&&' is false
            struct vfio_group *group = container_of(kref, struct 
vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) 
&&   \
                                                                       ^
    drivers/vfio/vfio.c:393:29: note: Taking false branch
            struct vfio_group *group = container_of(kref, struct 
vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) 
&&   \
            ^
    include/linux/build_bug.h:39:37: note: expanded from macro 
'BUILD_BUG_ON_MSG'
    #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                        ^
    include/linux/compiler_types.h:328:2: note: expanded from macro 
'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, 
__COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro 
'_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:308:3: note: expanded from macro 
'__compiletime_assert'
                    if (!(condition)) 
     \
                    ^
    drivers/vfio/vfio.c:393:29: note: Loop condition is false.  Exiting loop
            struct vfio_group *group = container_of(kref, struct 
vfio_group, kref);
                                       ^
    include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
            BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) 
&&   \
            ^
    include/linux/build_bug.h:39:37: note: expanded from macro 
'BUILD_BUG_ON_MSG'
    #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                        ^
    include/linux/compiler_types.h:328:2: note: expanded from macro 
'compiletime_assert'
            _compiletime_assert(condition, msg, __compiletime_assert_, 
__COUNTER__)
            ^
    include/linux/compiler_types.h:316:2: note: expanded from macro 
'_compiletime_assert'
            __compiletime_assert(condition, msg, prefix, suffix)
            ^
    include/linux/compiler_types.h:306:2: note: expanded from macro 
'__compiletime_assert'
            do { 
     \
            ^
    drivers/vfio/vfio.c:397:2: note: Assuming '__ret_warn_on' is 0
            WARN_ON(!list_empty(&group->device_list));
            ^
    include/asm-generic/bug.h:122:6: note: expanded from macro 'WARN_ON'

vim +395 drivers/vfio/vfio.c

cba3345cc494ad Alex Williamson 2012-07-31  389  6d2cd3ce815b30 Al Viro 
        2012-08-17  390  /* called with vfio.group_lock held */
cba3345cc494ad Alex Williamson 2012-07-31  391  static void 
vfio_group_release(struct kref *kref)
cba3345cc494ad Alex Williamson 2012-07-31  392  {
cba3345cc494ad Alex Williamson 2012-07-31  393  	struct vfio_group 
*group = container_of(kref, struct vfio_group, kref);
60720a0fc6469e Alex Williamson 2015-02-06  394  	struct vfio_unbound_dev 
*unbound, *tmp;
4a68810dbbb466 Alex Williamson 2015-02-06 @395  	struct iommu_group 
*iommu_group = group->iommu_group;
cba3345cc494ad Alex Williamson 2012-07-31  396  cba3345cc494ad Alex 
Williamson 2012-07-31  397  	WARN_ON(!list_empty(&group->device_list));
65b1adebfe43c6 Alex Williamson 2017-03-21  398 
WARN_ON(group->notifier.head);
cba3345cc494ad Alex Williamson 2012-07-31  399  60720a0fc6469e Alex 
Williamson 2015-02-06  400  	list_for_each_entry_safe(unbound, tmp,
60720a0fc6469e Alex Williamson 2015-02-06  401  				 
&group->unbound_list, unbound_next) {
60720a0fc6469e Alex Williamson 2015-02-06  402  	 
list_del(&unbound->unbound_next);
60720a0fc6469e Alex Williamson 2015-02-06  403  		kfree(unbound);
60720a0fc6469e Alex Williamson 2015-02-06  404  	}
60720a0fc6469e Alex Williamson 2015-02-06  405  d10999016f4164 Alex 
Williamson 2013-12-19  406  	device_destroy(vfio.class, 
MKDEV(MAJOR(vfio.group_devt), group->minor));
cba3345cc494ad Alex Williamson 2012-07-31  407 
list_del(&group->vfio_next);
cba3345cc494ad Alex Williamson 2012-07-31  408 
vfio_free_group_minor(group->minor);
9df7b25ab71cee Jiang Liu       2012-12-07  409 
vfio_group_unlock_and_free(group);
4a68810dbbb466 Alex Williamson 2015-02-06  410 
iommu_group_put(iommu_group);
cba3345cc494ad Alex Williamson 2012-07-31  411  }
cba3345cc494ad Alex Williamson 2012-07-31  412
:::::: The code at line 395 was first introduced by commit
:::::: 4a68810dbbb4664fe4a9ac1be4d1c0e34a9b58f5 vfio: Tie IOMMU group 
reference to vfio group

:::::: TO: Alex Williamson <alex.williamson@...hat.com>
:::::: CC: Alex Williamson <alex.williamson@...hat.com>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org


Download attachment ".config.gz" of type "application/gzip" (29581 bytes)

View attachment "Attached Message Part" of type "text/plain" (151 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ