lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <202108171423.aybCubVT-lkp@intel.com>
Date:   Tue, 17 Aug 2021 14:18:29 +0800
From:   kernel test robot <lkp@...el.com>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     clang-built-linux@...glegroups.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Subject: [linux-rt-devel:linux-5.14.y-rt-rebase 143/245]
 kernel/futex.c:1887:3: warning: Value stored to 'ret' is never read
 [clang-analyzer-deadcode.DeadStores]

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-rt-devel.git linux-5.14.y-rt-rebase
head:   0eead4e5a60cb716ec911a552787a69332cf6943
commit: 7384201f9701c226cb1dd04cf76c12c33762bb30 [143/245] futex: Validate waiter correctly in futex_proxy_trylock_atomic()
config: mips-randconfig-c004-20210816 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 44d0a99a12ec7ead4d2f5ef649ba05b40f6d463d)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install mips cross compiling tool for clang build
        # apt-get install binutils-mips-linux-gnu
        # https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-rt-devel.git/commit/?id=7384201f9701c226cb1dd04cf76c12c33762bb30
        git remote add linux-rt-devel https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-rt-devel.git
        git fetch --no-tags linux-rt-devel linux-5.14.y-rt-rebase
        git checkout 7384201f9701c226cb1dd04cf76c12c33762bb30
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=mips clang-analyzer 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


clang-analyzer warnings: (new ones prefixed by >>)
           ^
   kernel/futex.c:3714:6: note: Assuming the condition is false
           if (op & FUTEX_CLOCK_REALTIME) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/futex.c:3714:2: note: Taking false branch
           if (op & FUTEX_CLOCK_REALTIME) {
           ^
   kernel/futex.c:3721:2: note: 'Default' branch taken. Execution continues on line 3732
           switch (cmd) {
           ^
   kernel/futex.c:3732:2: note: Control jumps to 'case 5:'  at line 3747
           switch (cmd) {
           ^
   kernel/futex.c:3748:10: note: Calling 'futex_wake_op'
                   return futex_wake_op(uaddr, flags, uaddr2, val, val2, val3);
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/futex.c:1699:2: note: Taking false branch
           if (unlikely(ret != 0))
           ^
   kernel/futex.c:1702:2: note: Taking false branch
           if (unlikely(ret != 0))
           ^
   kernel/futex.c:1710:11: note: Calling 'futex_atomic_op_inuser'
           op_ret = futex_atomic_op_inuser(op, uaddr2);
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/futex.c:1643:6: note: 'oldval' declared without an initial value
           int oldval, ret;
               ^~~~~~
   kernel/futex.c:1645:6: note: Assuming the condition is false
           if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/futex.c:1645:2: note: Taking false branch
           if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
           ^
   kernel/futex.c:1660:8: note: Calling 'arch_futex_atomic_op_inuser'
           ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   arch/mips/include/asm/futex.h:92:7: note: Assuming the condition is false
           if (!access_ok(uaddr, sizeof(u32)))
                ^
   arch/mips/include/asm/uaccess.h:88:2: note: expanded from macro 'access_ok'
           likely(__access_ok((addr), (size)))
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:77:38: note: expanded from macro 'likely'
   # define likely(x)      __builtin_expect(!!(x), 1)
                                             ^~~~
   arch/mips/include/asm/futex.h:92:2: note: Taking false branch
           if (!access_ok(uaddr, sizeof(u32)))
           ^
   arch/mips/include/asm/futex.h:95:2: note: Control jumps to 'case 3:'  at line 108
           switch (op) {
           ^
   arch/mips/include/asm/futex.h:109:3: note: Left side of '&&' is true
                   __futex_atomic_op("and  $1, %1, %z5",
                   ^
   arch/mips/include/asm/futex.h:24:6: note: expanded from macro '__futex_atomic_op'
           if (cpu_has_llsc && IS_ENABLED(CONFIG_WAR_R10000_LLSC)) {       \
               ^
   arch/mips/include/asm/mach-rc32434/cpu-feature-overrides.h:34:24: note: expanded from macro 'cpu_has_llsc'
   #define cpu_has_llsc                    1
                                           ^
   arch/mips/include/asm/futex.h:109:3: note: Taking false branch
                   __futex_atomic_op("and  $1, %1, %z5",
                   ^
   arch/mips/include/asm/futex.h:24:2: note: expanded from macro '__futex_atomic_op'
           if (cpu_has_llsc && IS_ENABLED(CONFIG_WAR_R10000_LLSC)) {       \
           ^
   arch/mips/include/asm/futex.h:109:3: note: Taking true branch
                   __futex_atomic_op("and  $1, %1, %z5",
                   ^
   arch/mips/include/asm/futex.h:53:9: note: expanded from macro '__futex_atomic_op'
           } else if (cpu_has_llsc) {                                      \
                  ^
   arch/mips/include/asm/futex.h:111:3: note:  Execution continues on line 120
                   break;
                   ^
   arch/mips/include/asm/futex.h:120:6: note: Assuming 'ret' is not equal to 0
           if (!ret)
               ^~~~
   arch/mips/include/asm/futex.h:120:2: note: Taking false branch
           if (!ret)
           ^
   arch/mips/include/asm/futex.h:123:2: note: Returning without writing to '*oval'
           return ret;
           ^
   kernel/futex.c:1660:8: note: Returning from 'arch_futex_atomic_op_inuser'
           ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/futex.c:1662:6: note: Assuming 'ret' is 0
           if (ret)
               ^~~
   kernel/futex.c:1662:2: note: Taking false branch
           if (ret)
           ^
   kernel/futex.c:1665:2: note: Control jumps to 'case 4:'  at line 1676
           switch (cmp) {
           ^
   kernel/futex.c:1677:17: note: The left operand of '>' is a garbage value
                   return oldval > cmparg;
                          ~~~~~~ ^
>> kernel/futex.c:1887:3: warning: Value stored to 'ret' is never read [clang-analyzer-deadcode.DeadStores]
                   ret = -EINVAL;
                   ^     ~~~~~~~
   kernel/futex.c:1887:3: note: Value stored to 'ret' is never read
                   ret = -EINVAL;
                   ^     ~~~~~~~
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   5 warnings generated.
   drivers/soundwire/stream.c:847:10: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
                           kfree(bus->defer_msg.msg->buf);
                                 ^
   drivers/soundwire/stream.c:1755:6: note: Assuming 'stream' is non-null
           if (!stream) {
               ^~~~~~~
   drivers/soundwire/stream.c:1755:2: note: Taking false branch
           if (!stream) {
           ^
   drivers/soundwire/stream.c:1762:6: note: Assuming field 'state' is equal to SDW_STREAM_ENABLED
           if (stream->state != SDW_STREAM_ENABLED) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/soundwire/stream.c:1762:2: note: Taking false branch
           if (stream->state != SDW_STREAM_ENABLED) {
           ^
   drivers/soundwire/stream.c:1769:8: note: Calling '_sdw_disable_stream'
           ret = _sdw_disable_stream(stream);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/soundwire/stream.c:1700:2: note: Left side of '&&' is false
           list_for_each_entry(m_rt, &stream->master_list, stream_node) {
           ^
   include/linux/list.h:628:13: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
                      ^
   include/linux/list.h:522:2: note: expanded from macro 'list_first_entry'
           list_entry((ptr)->next, type, member)
           ^
   include/linux/list.h:511:2: note: expanded from macro 'list_entry'
           container_of(ptr, type, member)
           ^
   include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
           BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
                                                                      ^
   drivers/soundwire/stream.c:1700:2: note: Taking false branch
           list_for_each_entry(m_rt, &stream->master_list, stream_node) {
           ^
   include/linux/list.h:628:13: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
                      ^
   include/linux/list.h:522:2: note: expanded from macro 'list_first_entry'
           list_entry((ptr)->next, type, member)
           ^
   include/linux/list.h:511:2: note: expanded from macro 'list_entry'
           container_of(ptr, type, member)
           ^
   note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
   include/linux/compiler_types.h:328:2: note: expanded from macro 'compiletime_assert'
           _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
           ^
   include/linux/compiler_types.h:316:2: note: expanded from macro '_compiletime_assert'
           __compiletime_assert(condition, msg, prefix, suffix)
           ^
   include/linux/compiler_types.h:308:3: note: expanded from macro '__compiletime_assert'
                   if (!(condition))                                       \
                   ^
   drivers/soundwire/stream.c:1700:2: note: Loop condition is false.  Exiting loop
           list_for_each_entry(m_rt, &stream->master_list, stream_node) {
           ^
   include/linux/list.h:628:13: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
                      ^
   include/linux/list.h:522:2: note: expanded from macro 'list_first_entry'
           list_entry((ptr)->next, type, member)
           ^
   include/linux/list.h:511:2: note: expanded from macro 'list_entry'
           container_of(ptr, type, member)
           ^
   note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
   include/linux/compiler_types.h:328:2: note: expanded from macro 'compiletime_assert'
           _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
           ^
   include/linux/compiler_types.h:316:2: note: expanded from macro '_compiletime_assert'
           __compiletime_assert(condition, msg, prefix, suffix)
           ^
   include/linux/compiler_types.h:306:2: note: expanded from macro '__compiletime_assert'
           do {                                                            \
           ^
   drivers/soundwire/stream.c:1700:2: note: Loop condition is false. Execution continues on line 1710
           list_for_each_entry(m_rt, &stream->master_list, stream_node) {
           ^
   include/linux/list.h:628:2: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
           ^
   drivers/soundwire/stream.c:1712:2: note: Left side of '&&' is false
           list_for_each_entry(m_rt, &stream->master_list, stream_node) {
           ^

vim +/ret +1887 kernel/futex.c

  1825	
  1826	/**
  1827	 * futex_proxy_trylock_atomic() - Attempt an atomic lock for the top waiter
  1828	 * @pifutex:		the user address of the to futex
  1829	 * @hb1:		the from futex hash bucket, must be locked by the caller
  1830	 * @hb2:		the to futex hash bucket, must be locked by the caller
  1831	 * @key1:		the from futex key
  1832	 * @key2:		the to futex key
  1833	 * @ps:			address to store the pi_state pointer
  1834	 * @exiting:		Pointer to store the task pointer of the owner task
  1835	 *			which is in the middle of exiting
  1836	 * @set_waiters:	force setting the FUTEX_WAITERS bit (1) or not (0)
  1837	 *
  1838	 * Try and get the lock on behalf of the top waiter if we can do it atomically.
  1839	 * Wake the top waiter if we succeed.  If the caller specified set_waiters,
  1840	 * then direct futex_lock_pi_atomic() to force setting the FUTEX_WAITERS bit.
  1841	 * hb1 and hb2 must be held by the caller.
  1842	 *
  1843	 * @exiting is only set when the return value is -EBUSY. If so, this holds
  1844	 * a refcount on the exiting task on return and the caller needs to drop it
  1845	 * after waiting for the exit to complete.
  1846	 *
  1847	 * Return:
  1848	 *  -  0 - failed to acquire the lock atomically;
  1849	 *  - >0 - acquired the lock, return value is vpid of the top_waiter
  1850	 *  - <0 - error
  1851	 */
  1852	static int
  1853	futex_proxy_trylock_atomic(u32 __user *pifutex, struct futex_hash_bucket *hb1,
  1854				   struct futex_hash_bucket *hb2, union futex_key *key1,
  1855				   union futex_key *key2, struct futex_pi_state **ps,
  1856				   struct task_struct **exiting, int set_waiters)
  1857	{
  1858		struct futex_q *top_waiter = NULL;
  1859		u32 curval;
  1860		int ret, vpid;
  1861	
  1862		if (get_futex_value_locked(&curval, pifutex))
  1863			return -EFAULT;
  1864	
  1865		if (unlikely(should_fail_futex(true)))
  1866			return -EFAULT;
  1867	
  1868		/*
  1869		 * Find the top_waiter and determine if there are additional waiters.
  1870		 * If the caller intends to requeue more than 1 waiter to pifutex,
  1871		 * force futex_lock_pi_atomic() to set the FUTEX_WAITERS bit now,
  1872		 * as we have means to handle the possible fault.  If not, don't set
  1873		 * the bit unnecessarily as it will force the subsequent unlock to enter
  1874		 * the kernel.
  1875		 */
  1876		top_waiter = futex_top_waiter(hb1, key1);
  1877	
  1878		/* There are no waiters, nothing for us to do. */
  1879		if (!top_waiter)
  1880			return 0;
  1881	
  1882		/*
  1883		 * Ensure that this is a waiter sitting in futex_wait_requeue_pi()
  1884		 * and waiting on the 'waitqueue' futex which is always !PI.
  1885		 */
  1886		if (!top_waiter->rt_waiter || top_waiter->pi_state)
> 1887			ret = -EINVAL;
  1888	
  1889		/* Ensure we requeue to the expected futex. */
  1890		if (!match_futex(top_waiter->requeue_pi_key, key2))
  1891			return -EINVAL;
  1892	
  1893		/*
  1894		 * Try to take the lock for top_waiter.  Set the FUTEX_WAITERS bit in
  1895		 * the contended case or if set_waiters is 1.  The pi_state is returned
  1896		 * in ps in contended cases.
  1897		 */
  1898		vpid = task_pid_vnr(top_waiter->task);
  1899		ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
  1900					   exiting, set_waiters);
  1901		if (ret == 1) {
  1902			requeue_pi_wake_futex(top_waiter, key2, hb2);
  1903			return vpid;
  1904		}
  1905		return ret;
  1906	}
  1907	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (35604 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ