Date:   Mon, 14 Sep 2020 17:29:59 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Ursula Braun <ubraun@...ux.ibm.com>
Cc:     lkp@...el.com, Dan Carpenter <error27@...il.com>,
        kbuild-all@...ts.01.org, netdev@...r.kernel.org,
        Guvenc Gulce <guvenc@...ux.ibm.com>,
        Karsten Graul <kgraul@...ux.ibm.com>
Subject: [net-next:master 903/970] net/smc/smc_close.c:214 smc_close_active()
 warn: variable dereferenced before check 'smc->clcsock' (see line 211)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master
head:   5a6bd84f815485800699f55c78f690b2ed35f0c5
commit: a60a2b1e0af1a7517ba41689b39e9df90ef09041 [903/970] net/smc: reduce active tcp_listen workers
config: i386-randconfig-m021-20200911 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
net/smc/smc_close.c:214 smc_close_active() warn: variable dereferenced before check 'smc->clcsock' (see line 211)
net/smc/smc_close.c:214 smc_close_active() warn: variable dereferenced before check 'smc->clcsock->sk' (see line 211)

# https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=a60a2b1e0af1a7517ba41689b39e9df90ef09041
git remote add net-next https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
git fetch --no-tags net-next master
git checkout a60a2b1e0af1a7517ba41689b39e9df90ef09041
vim +214 net/smc/smc_close.c

b38d732477e4211 Ursula Braun 2017-01-09  189  int smc_close_active(struct smc_sock *smc)
b38d732477e4211 Ursula Braun 2017-01-09  190  {
b38d732477e4211 Ursula Braun 2017-01-09  191  	struct smc_cdc_conn_state_flags *txflags =
b38d732477e4211 Ursula Braun 2017-01-09  192  		&smc->conn.local_tx_ctrl.conn_state_flags;
b38d732477e4211 Ursula Braun 2017-01-09  193  	struct smc_connection *conn = &smc->conn;
b38d732477e4211 Ursula Braun 2017-01-09  194  	struct sock *sk = &smc->sk;
b38d732477e4211 Ursula Braun 2017-01-09  195  	int old_state;
8c96feeeb39ba0b Ursula Braun 2017-09-21  196  	long timeout;
b38d732477e4211 Ursula Braun 2017-01-09  197  	int rc = 0;
b38d732477e4211 Ursula Braun 2017-01-09  198  
8c96feeeb39ba0b Ursula Braun 2017-09-21  199  	timeout = current->flags & PF_EXITING ?
8c96feeeb39ba0b Ursula Braun 2017-09-21  200  		  0 : sock_flag(sk, SOCK_LINGER) ?
8c96feeeb39ba0b Ursula Braun 2017-09-21  201  		      sk->sk_lingertime : SMC_MAX_STREAM_WAIT_TIMEOUT;
b38d732477e4211 Ursula Braun 2017-01-09  202  
b38d732477e4211 Ursula Braun 2017-01-09  203  	old_state = sk->sk_state;
bbb96bf2366e502 Ursula Braun 2018-01-24  204  again:
bbb96bf2366e502 Ursula Braun 2018-01-24  205  	switch (sk->sk_state) {
b38d732477e4211 Ursula Braun 2017-01-09  206  	case SMC_INIT:
b38d732477e4211 Ursula Braun 2017-01-09  207  		sk->sk_state = SMC_CLOSED;
b38d732477e4211 Ursula Braun 2017-01-09  208  		break;
b38d732477e4211 Ursula Braun 2017-01-09  209  	case SMC_LISTEN:
b38d732477e4211 Ursula Braun 2017-01-09  210  		sk->sk_state = SMC_CLOSED;
a60a2b1e0af1a75 Ursula Braun 2020-09-10 @211  		smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
                                                        ^^^^^^^^^^^^^^^^^
Dereferences

a60a2b1e0af1a75 Ursula Braun 2020-09-10  212  		smc->clcsock->sk->sk_user_data = NULL;
b38d732477e4211 Ursula Braun 2017-01-09  213  		sk->sk_state_change(sk); /* wake up accept */
a60a2b1e0af1a75 Ursula Braun 2020-09-10 @214  		if (smc->clcsock && smc->clcsock->sk)
                                                            ^^^^^^^^^^^^    ^^^^^^^^^^^^^^^^
Checks for NULL too late?

b38d732477e4211 Ursula Braun 2017-01-09  215  			rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
b38d732477e4211 Ursula Braun 2017-01-09  216  		smc_close_cleanup_listen(sk);
3d502067599f0db Ursula Braun 2018-03-13  217  		release_sock(sk);
3d502067599f0db Ursula Braun 2018-03-13  218  		flush_work(&smc->tcp_listen_work);
3d502067599f0db Ursula Braun 2018-03-13  219  		lock_sock(sk);
b38d732477e4211 Ursula Braun 2017-01-09  220  		break;
b38d732477e4211 Ursula Braun 2017-01-09  221  	case SMC_ACTIVE:
b38d732477e4211 Ursula Braun 2017-01-09  222  		smc_close_stream_wait(smc, timeout);

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (32156 bytes)
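
The ordering smatch flags at lines 211-214, modelled in user-space C beside a version where the NULL test comes first. This is an added example, not the kernel's code and not the fix that was applied upstream; the `*_model` structs, both `close_listen_*` functions and the callbacks are hypothetical stand-ins.

```c
#include <stddef.h>

/* User-space stand-ins (hypothetical models) for struct sock, struct socket
 * and struct smc_sock, with only the fields used at lines 211-215. */
struct sock_model {
	void (*sk_data_ready)(struct sock_model *sk);
	void *sk_user_data;
};
struct socket_model { struct sock_model *sk; };
struct smc_model {
	struct socket_model *clcsock;
	void (*clcsk_data_ready)(struct sock_model *sk);
	int shutdown_calls;	/* models kernel_sock_shutdown() being called */
};
void saved_data_ready(struct sock_model *sk) { (void)sk; }
void listen_data_ready(struct sock_model *sk) { (void)sk; }

/* Ordering as reported: stores at 211-212 run before the test at 214, so a
 * NULL pointer faults before the test can reject it. */
int close_listen_as_reported(struct smc_model *smc)
{
	smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
	smc->clcsock->sk->sk_user_data = NULL;
	if (smc->clcsock && smc->clcsock->sk)
		smc->shutdown_calls++;
	return smc->shutdown_calls;
}

/* Consistent ordering: one NULL test guards every use of both pointers.
 * Returns 1 if the clcsock was restored and shut down, 0 if skipped. */
int close_listen_checked_first(struct smc_model *smc)
{
	if (!smc->clcsock || !smc->clcsock->sk)
		return 0;
	smc->clcsock->sk->sk_data_ready = smc->clcsk_data_ready;
	smc->clcsock->sk->sk_user_data = NULL;
	smc->shutdown_calls++;
	return 1;
}

int main(void)
{
	struct smc_model none = { NULL, saved_data_ready, 0 };	/* constructed */
	struct sock_model sk = { listen_data_ready, &none };
	struct socket_model clc = { &sk };
	struct smc_model ok = { &clc, saved_data_ready, 0 };
	return !(close_listen_checked_first(&none) == 0 &&
		 close_listen_checked_first(&ok) == 1 && sk.sk_user_data == NULL);
}
```

If `smc->clcsock` can never be NULL in the SMC_LISTEN state, removing the test at line 214 is the other way to make the code consistent; the report does not say which case holds.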