* [linux-next:master 3989/4668] drivers/scsi/ufs/ufshcd.c:4898:27: warning: The left operand of '==' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
@ 2021-08-02 10:15 kernel test robot
From: kernel test robot @ 2021-08-02 10:15 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 16782 bytes --]
CC: clang-built-linux(a)googlegroups.com
CC: kbuild-all(a)lists.01.org
CC: Linux Memory Management List <linux-mm@kvack.org>
TO: Bart Van Assche <bvanassche@acm.org>
CC: "Martin K. Petersen" <martin.petersen@oracle.com>
CC: Daejun Park <daejun7.park@samsung.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: 8d4b477da1a807199ca60e0829357ce7aa6758d5
commit: b1d5de8c6ea261667348424133a4f648ea48e7ca [3989/4668] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()
:::::: branch date: 3 days ago
:::::: commit date: 4 days ago
config: x86_64-randconfig-c001-20210802 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 4f71f59bf3d9914188a11d0c41bedbb339d36ff5)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b1d5de8c6ea261667348424133a4f648ea48e7ca
        git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
        git fetch --no-tags linux-next master
        git checkout b1d5de8c6ea261667348424133a4f648ea48e7ca
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
include/linux/rcupdate.h:604:31: note: expanded from macro 'rcu_dereference_bh'
#define rcu_dereference_bh(p) rcu_dereference_bh_check(p, 0)
^
include/linux/rcupdate.h:543:2: note: expanded from macro 'rcu_dereference_bh_check'
__rcu_dereference_check((p), (c) || rcu_read_lock_bh_held(), __rcu)
^
include/linux/rcupdate.h:390:2: note: expanded from macro '__rcu_dereference_check'
RCU_LOCKDEP_WARN(!(c), "suspicious rcu_dereference_check() usage"); \
^
include/linux/rcupdate.h:316:2: note: expanded from macro 'RCU_LOCKDEP_WARN'
do { \
^
net/decnet/dn_route.c:1255:3: note: Loop condition is false. Execution continues on line 1268
for (rt = rcu_dereference_bh(dn_rt_hash_table[hash].chain); rt;
^
net/decnet/dn_route.c:1278:8: note: Returning from '__dn_route_output_key'
err = __dn_route_output_key(pprt, flp, flags);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/decnet/dn_route.c:1279:6: note: Assuming 'err' is equal to 0
if (err == 0 && flp->flowidn_proto) {
^~~~~~~~
net/decnet/dn_route.c:1279:6: note: Left side of '&&' is true
net/decnet/dn_route.c:1279:23: note: Field 'flowic_proto' is 2
if (err == 0 && flp->flowidn_proto) {
^
include/net/flow.h:162:36: note: expanded from macro 'flowidn_proto'
#define flowidn_proto __fl_common.flowic_proto
^
net/decnet/dn_route.c:1279:2: note: Taking true branch
if (err == 0 && flp->flowidn_proto) {
^
net/decnet/dn_route.c:1282:7: note: Calling 'IS_ERR'
if (IS_ERR(*pprt)) {
^~~~~~~~~~~~~
include/linux/err.h:36:9: note: Assuming the condition is true
return IS_ERR_VALUE((unsigned long)ptr);
^
include/linux/err.h:22:34: note: expanded from macro 'IS_ERR_VALUE'
#define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned long)-MAX_ERRNO)
~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
include/linux/err.h:36:2: note: Returning the value 1, which participates in a condition later
return IS_ERR_VALUE((unsigned long)ptr);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/decnet/dn_route.c:1282:7: note: Returning from 'IS_ERR'
if (IS_ERR(*pprt)) {
^~~~~~~~~~~~~
net/decnet/dn_route.c:1282:3: note: Taking true branch
if (IS_ERR(*pprt)) {
^
net/decnet/dn_route.c:1284:4: note: Null pointer value stored to 'rt'
*pprt = NULL;
^~~~~~~~~~~~
net/decnet/dn_route.c:1287:2: note: Returning value (loaded from 'err'), which participates in a condition later
return err;
^~~~~~~~~~
net/decnet/dn_route.c:1700:9: note: Returning from 'dn_route_output_key'
err = dn_route_output_key((struct dst_entry **)&rt, &fld, 0);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/decnet/dn_route.c:1704:6: note: Assuming 'err' is 0
if (err)
^~~
net/decnet/dn_route.c:1704:2: note: Taking false branch
if (err)
^
net/decnet/dn_route.c:1707:6: note: Assuming the condition is true
if (rtm->rtm_flags & RTM_F_NOTIFY)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/decnet/dn_route.c:1707:2: note: Taking true branch
if (rtm->rtm_flags & RTM_F_NOTIFY)
^
net/decnet/dn_route.c:1708:16: note: Access to field 'rt_flags' results in a dereference of a null pointer (loaded from variable 'rt')
rt->rt_flags |= RTCF_NOTIFY;
~~ ^
Suppressed 14 warnings (14 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
13 warnings generated.
drivers/acpi/event.c:31:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(event.device_class, dev->pnp.device_class);
^~~~~~
drivers/acpi/event.c:31:2: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
strcpy(event.device_class, dev->pnp.device_class);
^~~~~~
drivers/acpi/event.c:32:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(event.bus_id, dev->pnp.bus_id);
^~~~~~
drivers/acpi/event.c:32:2: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
strcpy(event.bus_id, dev->pnp.bus_id);
^~~~~~
Suppressed 11 warnings (11 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
6 warnings generated.
Suppressed 6 warnings (6 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
39 warnings generated.
>> drivers/scsi/ufs/ufshcd.c:4898:27: warning: The left operand of '==' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
(b_lu_write_protect == UFS_LU_POWER_ON_WP))
~~~~~~~~~~~~~~~~~~ ^
drivers/scsi/ufs/ufshcd.c:4892:6: note: Assuming field 'f_power_on_wp_en' is true
if (hba->dev_info.f_power_on_wp_en &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4892:6: note: Left side of '&&' is true
drivers/scsi/ufs/ufshcd.c:4893:6: note: Assuming field 'is_lu_power_on_wp' is false
!hba->dev_info.is_lu_power_on_wp) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4892:2: note: Taking true branch
if (hba->dev_info.f_power_on_wp_en &&
^
drivers/scsi/ufs/ufshcd.c:4894:3: note: 'b_lu_write_protect' declared without an initial value
u8 b_lu_write_protect;
^~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4896:8: note: Calling 'ufshcd_get_lu_wp'
if (!ufshcd_get_lu_wp(hba, ufshcd_scsi_to_upiu_lun(sdev->lun),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4864:7: note: 'b_lu_write_protect' is non-null
if (!b_lu_write_protect)
^~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4864:2: note: Taking false branch
if (!b_lu_write_protect)
^
drivers/scsi/ufs/ufshcd.c:4871:11: note: Assuming 'lun' is < field 'max_lu_supported', which participates in a condition later
else if (lun >= hba->dev_info.max_lu_supported)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:4871:7: note: Taking false branch
else if (lun >= hba->dev_info.max_lu_supported)
^
drivers/scsi/ufs/ufshcd.c:4874:9: note: Calling 'ufshcd_read_unit_desc_param'
ret = ufshcd_read_unit_desc_param(hba,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3556:7: note: Calling 'ufs_is_valid_unit_desc_lun'
if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufs.h:583:7: note: 'dev_info' is non-null, which participates in a condition later
if (!dev_info || !dev_info->max_lu_supported) {
^~~~~~~~
drivers/scsi/ufs/ufs.h:583:6: note: Left side of '||' is false
if (!dev_info || !dev_info->max_lu_supported) {
^
drivers/scsi/ufs/ufs.h:583:19: note: Assuming field 'max_lu_supported' is not equal to 0, which participates in a condition later
if (!dev_info || !dev_info->max_lu_supported) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufs.h:583:2: note: Taking false branch
if (!dev_info || !dev_info->max_lu_supported) {
^
drivers/scsi/ufs/ufs.h:588:6: note: 'param_offset' is not equal to UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS
if (param_offset == UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS)
^~~~~~~~~~~~
drivers/scsi/ufs/ufs.h:588:2: note: Taking false branch
if (param_offset == UNIT_DESC_PARAM_WB_BUF_ALLOC_UNITS)
^
drivers/scsi/ufs/ufs.h:590:9: note: Assuming 'lun' is equal to UFS_UPIU_RPMB_WLUN
return lun == UFS_UPIU_RPMB_WLUN || (lun < dev_info->max_lu_supported);
^~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufs.h:590:35: note: Left side of '||' is true
return lun == UFS_UPIU_RPMB_WLUN || (lun < dev_info->max_lu_supported);
^
drivers/scsi/ufs/ufs.h:590:2: note: Returning the value 1, which participates in a condition later
return lun == UFS_UPIU_RPMB_WLUN || (lun < dev_info->max_lu_supported);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3556:7: note: Returning from 'ufs_is_valid_unit_desc_lun'
if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3556:2: note: Taking false branch
if (!ufs_is_valid_unit_desc_lun(&hba->dev_info, lun, param_offset))
^
drivers/scsi/ufs/ufshcd.c:3559:9: note: Calling 'ufshcd_read_desc_param'
return ufshcd_read_desc_param(hba, QUERY_DESC_IDN_UNIT, lun,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3371:6: note: 'desc_id' is < QUERY_DESC_IDN_MAX
if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
^~~~~~~
drivers/scsi/ufs/ufshcd.c:3371:6: note: Left side of '||' is false
drivers/scsi/ufs/ufshcd.c:3371:40: note: 'param_size' is 1
if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
^~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3371:2: note: Taking false branch
if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
^
drivers/scsi/ufs/ufshcd.c:3375:2: note: Calling 'ufshcd_map_desc_id_to_length'
ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/ufs/ufshcd.c:3325:6: note: 'desc_id' is < QUERY_DESC_IDN_MAX
if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 ||
^~~~~~~
drivers/scsi/ufs/ufshcd.c:3325:6: note: Left side of '||' is false
drivers/scsi/ufs/ufshcd.c:3325:39: note: 'desc_id' is not equal to QUERY_DESC_IDN_RFU_0
if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 ||
^~~~~~~
drivers/scsi/ufs/ufshcd.c:3325:6: note: Left side of '||' is false
if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 ||
^
drivers/scsi/ufs/ufshcd.c:3326:6: note: 'desc_id' is not equal to QUERY_DESC_IDN_RFU_1
desc_id == QUERY_DESC_IDN_RFU_1)
^~~~~~~
drivers/scsi/ufs/ufshcd.c:3325:2: note: Taking false branch
if (desc_id >= QUERY_DESC_IDN_MAX || desc_id == QUERY_DESC_IDN_RFU_0 ||
vim +4898 drivers/scsi/ufs/ufshcd.c
57d104c153d3d6 Subhash Jadavani 2014-09-25  4881
57d104c153d3d6 Subhash Jadavani 2014-09-25  4882  /**
57d104c153d3d6 Subhash Jadavani 2014-09-25  4883   * ufshcd_get_lu_power_on_wp_status - get LU's power on write protect
57d104c153d3d6 Subhash Jadavani 2014-09-25  4884   * status
57d104c153d3d6 Subhash Jadavani 2014-09-25  4885   * @hba: per-adapter instance
57d104c153d3d6 Subhash Jadavani 2014-09-25  4886   * @sdev: pointer to SCSI device
57d104c153d3d6 Subhash Jadavani 2014-09-25  4887   *
57d104c153d3d6 Subhash Jadavani 2014-09-25  4888   */
57d104c153d3d6 Subhash Jadavani 2014-09-25  4889  static inline void ufshcd_get_lu_power_on_wp_status(struct ufs_hba *hba,
57d104c153d3d6 Subhash Jadavani 2014-09-25  4890                                                      struct scsi_device *sdev)
57d104c153d3d6 Subhash Jadavani 2014-09-25  4891  {
57d104c153d3d6 Subhash Jadavani 2014-09-25  4892          if (hba->dev_info.f_power_on_wp_en &&
57d104c153d3d6 Subhash Jadavani 2014-09-25  4893              !hba->dev_info.is_lu_power_on_wp) {
57d104c153d3d6 Subhash Jadavani 2014-09-25  4894                  u8 b_lu_write_protect;
57d104c153d3d6 Subhash Jadavani 2014-09-25  4895
57d104c153d3d6 Subhash Jadavani 2014-09-25  4896                  if (!ufshcd_get_lu_wp(hba, ufshcd_scsi_to_upiu_lun(sdev->lun),
57d104c153d3d6 Subhash Jadavani 2014-09-25  4897                                        &b_lu_write_protect) &&
57d104c153d3d6 Subhash Jadavani 2014-09-25 @4898                      (b_lu_write_protect == UFS_LU_POWER_ON_WP))
57d104c153d3d6 Subhash Jadavani 2014-09-25  4899                          hba->dev_info.is_lu_power_on_wp = true;
57d104c153d3d6 Subhash Jadavani 2014-09-25  4900          }
57d104c153d3d6 Subhash Jadavani 2014-09-25  4901  }
57d104c153d3d6 Subhash Jadavani 2014-09-25  4902
:::::: The code at line 4898 was first introduced by commit
:::::: 57d104c153d3d6d7bea60089e80f37501851ed2c ufs: add UFS power management support
:::::: TO: Subhash Jadavani <subhashj@codeaurora.org>
:::::: CC: Christoph Hellwig <hch@lst.de>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 34118 bytes --]