[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202108180422.PsPp2u2i-lkp@intel.com>
Date: Wed, 18 Aug 2021 04:58:46 +0800
From: kernel test robot <lkp@...el.com>
To: "F.A.Sulaiman" <asha.16@...ac.mrt.ac.lk>, jikos@...nel.org,
benjamin.tissoires@...hat.com
Cc: clang-built-linux@...glegroups.com, kbuild-all@...ts.01.org,
"F.A.Sulaiman" <asha.16@...ac.mrt.ac.lk>,
linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
paskripkin@...il.com
Subject: Re: [PATCH] fix slab-out-of-bounds Write in betop_probe
Hi "F.A.Sulaiman",
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on hid/for-next]
[also build test WARNING on v5.14-rc6 next-20210817]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
config: x86_64-randconfig-c007-20210816 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 44d0a99a12ec7ead4d2f5ef649ba05b40f6d463d)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/8fc4d7961e182bc2992bee548fa3c33b628ffadd
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review F-A-Sulaiman/fix-slab-out-of-bounds-Write-in-betop_probe/20210817-041818
git checkout 8fc4d7961e182bc2992bee548fa3c33b628ffadd
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
clang-analyzer warnings: (new ones prefixed by >>)
set_temp_reg(HYST, temp_hyst);
^
drivers/hwmon/asb100.c:443:19: note: expanded from macro 'set_temp_reg'
data->reg[nr] = LM75_TEMP_TO_REG(val); \
^~~~~~~~~~~~~~~~~~~~~
drivers/hwmon/lm75.h:27:14: note: Assuming '__UNIQUE_ID___x271' is <= '__UNIQUE_ID___y272'
int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
^
include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
#define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:124:48: note: expanded from macro 'clamp_t'
#define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:112:27: note: expanded from macro 'max_t'
#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >)
^
note: (skipping 3 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
include/linux/minmax.h:104:48: note: expanded from macro 'min_t'
#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
include/linux/minmax.h:38:14: note: expanded from macro '__careful_cmp'
__cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:31:25: note: expanded from macro '__cmp_once'
typeof(x) unique_x = (x); \
^
drivers/hwmon/lm75.h:27:14: note: '?' condition is false
int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
^
include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
#define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
^
include/linux/minmax.h:124:48: note: expanded from macro 'clamp_t'
#define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
^
include/linux/minmax.h:112:27: note: expanded from macro 'max_t'
#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >)
^
include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
__cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
^
include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
__cmp(unique_x, unique_y, op); })
^
include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
^
drivers/hwmon/lm75.h:27:14: note: '__UNIQUE_ID___x273' is < '__UNIQUE_ID___y274'
int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
^
include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
#define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:124:36: note: expanded from macro 'clamp_t'
#define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:104:27: note: expanded from macro 'min_t'
#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
__cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
__cmp(unique_x, unique_y, op); })
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
^~~
drivers/hwmon/lm75.h:27:14: note: '?' condition is true
int ntemp = clamp_val(temp, LM75_TEMP_MIN, LM75_TEMP_MAX);
^
include/linux/minmax.h:137:32: note: expanded from macro 'clamp_val'
#define clamp_val(val, lo, hi) clamp_t(typeof(val), val, lo, hi)
^
include/linux/minmax.h:124:36: note: expanded from macro 'clamp_t'
#define clamp_t(type, val, lo, hi) min_t(type, max_t(type, val, lo), hi)
^
include/linux/minmax.h:104:27: note: expanded from macro 'min_t'
#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
^
include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
__cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
^
include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
__cmp(unique_x, unique_y, op); })
^
include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
^
drivers/hwmon/lm75.h:29:12: note: 'ntemp' is < 0
ntemp += (ntemp < 0 ? -250 : 250);
^~~~~
drivers/hwmon/lm75.h:29:12: note: '?' condition is true
drivers/hwmon/lm75.h:30:29: note: The result of the left shift is undefined because the left operand is negative
return (u16)((ntemp / 500) << 7);
~~~~~~~~~~~~~ ^
Suppressed 3 warnings (3 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
5 warnings generated.
>> drivers/hid/hid-betopff.c:127:2: warning: Value stored to 'dev' is never read [clang-analyzer-deadcode.DeadStores]
dev = hidinput->input;
^ ~~~~~~~~~~~~~~~
drivers/hid/hid-betopff.c:127:2: note: Value stored to 'dev' is never read
dev = hidinput->input;
^ ~~~~~~~~~~~~~~~
Suppressed 4 warnings (3 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
3 warnings generated.
Suppressed 3 warnings (3 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
4 warnings generated.
include/linux/hid.h:1007:9: warning: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input') [clang-analyzer-core.NullDereference]
input->name, c, type);
^
drivers/hid/hid-corsair.c:630:6: note: Assuming the condition is false
if ((usage->hid & HID_USAGE_PAGE) != HID_UP_KEYBOARD)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/hid/hid-corsair.c:630:2: note: Taking false branch
if ((usage->hid & HID_USAGE_PAGE) != HID_UP_KEYBOARD)
^
drivers/hid/hid-corsair.c:634:6: note: 'gkey' is not equal to 0
if (gkey != 0) {
^~~~
drivers/hid/hid-corsair.c:634:2: note: Taking true branch
if (gkey != 0) {
^
drivers/hid/hid-corsair.c:635:3: note: Calling 'hid_map_usage_clear'
hid_map_usage_clear(input, usage, bit, max, EV_KEY,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:1035:2: note: Calling 'hid_map_usage'
hid_map_usage(hidinput, usage, bit, max, type, c);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:982:2: note: 'input' initialized here
struct input_dev *input = hidinput->input;
^~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:986:2: note: Control jumps to 'case 1:' at line 995
switch (type) {
^
include/linux/hid.h:998:3: note: Execution continues on line 1005
break;
^
include/linux/hid.h:1005:15: note: Assuming 'c' is <= 'limit'
if (unlikely(c > limit || !bmap)) {
^
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
include/linux/hid.h:1005:15: note: Left side of '||' is false
if (unlikely(c > limit || !bmap)) {
^
include/linux/hid.h:1005:28: note: Assuming 'bmap' is null
if (unlikely(c > limit || !bmap)) {
^
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
include/linux/hid.h:1005:28: note: Assuming pointer value is null
if (unlikely(c > limit || !bmap)) {
^
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
include/linux/hid.h:1005:2: note: Taking true branch
if (unlikely(c > limit || !bmap)) {
^
include/linux/hid.h:1006:3: note: Assuming the condition is true
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:574:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:557:6: note: expanded from macro 'printk_ratelimited'
if (__ratelimit(&_rs)) \
^~~~~~~~~~~~~~~~~
include/linux/ratelimit_types.h:41:28: note: expanded from macro '__ratelimit'
#define __ratelimit(state) ___ratelimit(state, __func__)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/hid.h:1006:3: note: Taking true branch
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:574:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:557:2: note: expanded from macro 'printk_ratelimited'
if (__ratelimit(&_rs)) \
^
include/linux/hid.h:1007:9: note: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input')
input->name, c, type);
^
include/linux/printk.h:574:49: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^~~~~~~~~~~
include/linux/printk.h:558:17: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^~~~~~~~~~~
Suppressed 3 warnings (3 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
4 warnings generated.
kernel/static_call.c:275:47: warning: Access to field 'func' results in a dereference of a null pointer (loaded from variable 'key') [clang-analyzer-core.NullDereference]
arch_static_call_transform(site_addr, NULL, key->func,
vim +/dev +127 drivers/hid/hid-betopff.c
114
115 static int betop_probe(struct hid_device *hdev, const struct hid_device_id *id)
116 {
117 struct hid_input *hidinput;
118 struct input_dev *dev;
119 int ret;
120
121 if (list_empty(&hdev->inputs)) {
122 hid_err(hdev, "no inputs found\n");
123 return -ENODEV;
124 }
125
126 hidinput = list_first_entry(&hdev->inputs, struct hid_input, list);
> 127 dev = hidinput->input;
128
129 if (id->driver_data)
130 hdev->quirks |= HID_QUIRK_MULTI_INPUT;
131
132 ret = hid_parse(hdev);
133 if (ret) {
134 hid_err(hdev, "parse failed\n");
135 goto err;
136 }
137
138 ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT & ~HID_CONNECT_FF);
139 if (ret) {
140 hid_err(hdev, "hw start failed\n");
141 goto err;
142 }
143
144 betopff_init(hdev);
145
146 return 0;
147 err:
148 return ret;
149 }
150
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Download attachment ".config.gz" of type "application/gzip" (35425 bytes)
Powered by blists - more mailing lists