* security/selinux/ss/services.c:1563:17: warning: Null pointer passed as 1st argument to string length function [clang-analyzer-unix.cstring.NullArg]
@ 2021-11-08 10:17 kernel test robot
From: kernel test robot @ 2021-11-08 10:17 UTC (permalink / raw)
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Ondrej Mosnacek <omosnace@redhat.com>
CC: Paul Moore <paul@paul-moore.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 6b75d88fa81b122cce37ebf17428a849ccd3d0f1
commit: 9ad6e9cb39c66366bf7b9aece114aca277981a1f selinux: fix race between old and new sidtab
date: 7 months ago
:::::: branch date: 15 hours ago
:::::: commit date: 7 months ago
config: riscv-randconfig-c006-20211029 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 5db7568a6a1fcb408eb8988abdaff2a225a8eb72)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ad6e9cb39c66366bf7b9aece114aca277981a1f
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 9ad6e9cb39c66366bf7b9aece114aca277981a1f
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
include/linux/kernel.h:694:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:306:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
net/caif/cfrfml.c:220:24: note: Loop condition is false. Exiting loop
struct cfrfml *rfml = container_obj(layr);
^
net/caif/cfrfml.c:17:29: note: expanded from macro 'container_obj'
#define container_obj(layr) container_of(layr, struct cfrfml, serv.layer)
^
include/linux/kernel.h:694:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:304:2: note: expanded from macro '__compiletime_assert'
do { \
^
net/caif/cfrfml.c:222:14: note: Assuming field 'dn' is equal to null
caif_assert(layr->dn != NULL);
^
include/net/caif/caif_layer.h:29:8: note: expanded from macro 'caif_assert'
if (!(assert)) { \
^~~~~~
net/caif/cfrfml.c:222:2: note: Taking true branch
caif_assert(layr->dn != NULL);
^
include/net/caif/caif_layer.h:29:2: note: expanded from macro 'caif_assert'
if (!(assert)) { \
^
net/caif/cfrfml.c:222:2: note: Taking true branch
caif_assert(layr->dn != NULL);
^
include/net/caif/caif_layer.h:31:3: note: expanded from macro 'caif_assert'
WARN_ON(!(assert)); \
^
include/asm-generic/bug.h:120:2: note: expanded from macro 'WARN_ON'
if (unlikely(__ret_warn_on)) \
^
net/caif/cfrfml.c:222:2: note: Loop condition is false. Exiting loop
caif_assert(layr->dn != NULL);
^
include/net/caif/caif_layer.h:31:3: note: expanded from macro 'caif_assert'
WARN_ON(!(assert)); \
^
include/asm-generic/bug.h:121:3: note: expanded from macro 'WARN_ON'
__WARN(); \
^
include/asm-generic/bug.h:94:19: note: expanded from macro '__WARN'
#define __WARN() __WARN_FLAGS(BUGFLAG_TAINT(TAINT_WARN))
^
arch/riscv/include/asm/bug.h:79:29: note: expanded from macro '__WARN_FLAGS'
#define __WARN_FLAGS(flags) __BUG_FLAGS(BUGFLAG_WARNING|(flags))
^
arch/riscv/include/asm/bug.h:53:32: note: expanded from macro '__BUG_FLAGS'
#define __BUG_FLAGS(flags) \
^
net/caif/cfrfml.c:222:2: note: Loop condition is false. Exiting loop
caif_assert(layr->dn != NULL);
^
include/net/caif/caif_layer.h:27:33: note: expanded from macro 'caif_assert'
#define caif_assert(assert) \
^
net/caif/cfrfml.c:223:14: note: Access to field 'transmit' results in a dereference of a null pointer (loaded from field 'dn')
caif_assert(layr->dn->transmit != NULL);
^
include/net/caif/caif_layer.h:29:8: note: expanded from macro 'caif_assert'
if (!(assert)) { \
^~~~~~
Suppressed 2 warnings (2 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
4 warnings generated.
security/selinux/ss/policydb.c:2592:3: warning: Value stored to 'rc' is never read [clang-analyzer-deadcode.DeadStores]
rc = -EINVAL;
^ ~~~~~~~
security/selinux/ss/policydb.c:2592:3: note: Value stored to 'rc' is never read
rc = -EINVAL;
^ ~~~~~~~
Suppressed 3 warnings (3 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
>> security/selinux/ss/services.c:1563:17: warning: Null pointer passed as 1st argument to string length function [clang-analyzer-unix.cstring.NullArg]
context.len = strlen(str) + 1;
^
security/selinux/ss/services.c:1643:9: note: Calling 'security_context_to_sid_core'
return security_context_to_sid_core(state, scontext, scontext_len,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/ss/services.c:1523:6: note: Assuming 'scontext_len' is not equal to 0
if (!scontext_len)
^~~~~~~~~~~~~
security/selinux/ss/services.c:1523:2: note: Taking false branch
if (!scontext_len)
^
security/selinux/ss/services.c:1528:6: note: Assuming 'scontext2' is non-null
if (!scontext2)
^~~~~~~~~~
security/selinux/ss/services.c:1528:2: note: Taking false branch
if (!scontext2)
^
security/selinux/ss/services.c:1531:7: note: Calling 'selinux_initialized'
if (!selinux_initialized(state)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/include/security.h:116:9: note: Left side of '||' is true
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:171:37: note: expanded from macro 'smp_load_acquire'
__unqual_scalar_typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:21: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:288:29: note: expanded from macro '__native_word'
(sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
^
security/selinux/include/security.h:116:9: note: Taking false branch
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:171:37: note: expanded from macro 'smp_load_acquire'
__unqual_scalar_typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:2: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:306:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
security/selinux/include/security.h:116:9: note: Loop condition is false. Exiting loop
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:171:37: note: expanded from macro 'smp_load_acquire'
__unqual_scalar_typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:2: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:304:2: note: expanded from macro '__compiletime_assert'
do { \
^
security/selinux/include/security.h:116:9: note: Left side of '||' is true
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:172:2: note: expanded from macro 'smp_load_acquire'
compiletime_assert_atomic_type(*p); \
^
include/linux/compiler_types.h:329:21: note: expanded from macro 'compiletime_assert_atomic_type'
compiletime_assert(__native_word(t), \
^
include/linux/compiler_types.h:288:29: note: expanded from macro '__native_word'
(sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
^
security/selinux/include/security.h:116:9: note: Taking false branch
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:172:2: note: expanded from macro 'smp_load_acquire'
compiletime_assert_atomic_type(*p); \
^
include/linux/compiler_types.h:329:2: note: expanded from macro 'compiletime_assert_atomic_type'
compiletime_assert(__native_word(t), \
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
vim +1563 security/selinux/ss/services.c
12b29f34558b9b Stephen Smalley 2008-05-07 1509
aa8e712cee93d5 Stephen Smalley 2018-03-01 1510 static int security_context_to_sid_core(struct selinux_state *state,
aa8e712cee93d5 Stephen Smalley 2018-03-01 1511 const char *scontext, u32 scontext_len,
12b29f34558b9b Stephen Smalley 2008-05-07 1512 u32 *sid, u32 def_sid, gfp_t gfp_flags,
12b29f34558b9b Stephen Smalley 2008-05-07 1513 int force)
12b29f34558b9b Stephen Smalley 2008-05-07 1514 {
1b8b31a2e6120b Stephen Smalley 2020-08-19 1515 struct selinux_policy *policy;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1516 struct policydb *policydb;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1517 struct sidtab *sidtab;
9a59daa03df725 Stephen Smalley 2008-05-14 1518 char *scontext2, *str = NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1519 struct context context;
12b29f34558b9b Stephen Smalley 2008-05-07 1520 int rc = 0;
12b29f34558b9b Stephen Smalley 2008-05-07 1521
2172fa709ab32c Stephen Smalley 2014-01-30 1522 /* An empty security context is never valid. */
2172fa709ab32c Stephen Smalley 2014-01-30 1523 if (!scontext_len)
2172fa709ab32c Stephen Smalley 2014-01-30 1524 return -EINVAL;
2172fa709ab32c Stephen Smalley 2014-01-30 1525
ef28df55ac27e1 Paul Moore 2017-11-28 1526 /* Copy the string to allow changes and ensure a NUL terminator */
ef28df55ac27e1 Paul Moore 2017-11-28 1527 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
ef28df55ac27e1 Paul Moore 2017-11-28 1528 if (!scontext2)
ef28df55ac27e1 Paul Moore 2017-11-28 1529 return -ENOMEM;
ef28df55ac27e1 Paul Moore 2017-11-28 1530
65cddd50980be8 Ondrej Mosnacek 2020-01-07 1531 if (!selinux_initialized(state)) {
12b29f34558b9b Stephen Smalley 2008-05-07 1532 int i;
12b29f34558b9b Stephen Smalley 2008-05-07 1533
12b29f34558b9b Stephen Smalley 2008-05-07 1534 for (i = 1; i < SECINITSID_NUM; i++) {
e3e0b582c321ae Stephen Smalley 2020-02-24 1535 const char *s = initial_sid_to_string[i];
e3e0b582c321ae Stephen Smalley 2020-02-24 1536
e3e0b582c321ae Stephen Smalley 2020-02-24 1537 if (s && !strcmp(s, scontext2)) {
12b29f34558b9b Stephen Smalley 2008-05-07 1538 *sid = i;
ef28df55ac27e1 Paul Moore 2017-11-28 1539 goto out;
12b29f34558b9b Stephen Smalley 2008-05-07 1540 }
12b29f34558b9b Stephen Smalley 2008-05-07 1541 }
12b29f34558b9b Stephen Smalley 2008-05-07 1542 *sid = SECINITSID_KERNEL;
ef28df55ac27e1 Paul Moore 2017-11-28 1543 goto out;
12b29f34558b9b Stephen Smalley 2008-05-07 1544 }
12b29f34558b9b Stephen Smalley 2008-05-07 1545 *sid = SECSID_NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1546
9a59daa03df725 Stephen Smalley 2008-05-14 1547 if (force) {
9a59daa03df725 Stephen Smalley 2008-05-14 1548 /* Save another copy for storing in uninterpreted form */
4b02b524487622 Eric Paris 2010-11-23 1549 rc = -ENOMEM;
9a59daa03df725 Stephen Smalley 2008-05-14 1550 str = kstrdup(scontext2, gfp_flags);
4b02b524487622 Eric Paris 2010-11-23 1551 if (!str)
4b02b524487622 Eric Paris 2010-11-23 1552 goto out;
9a59daa03df725 Stephen Smalley 2008-05-14 1553 }
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1554 retry:
1b8b31a2e6120b Stephen Smalley 2020-08-19 1555 rcu_read_lock();
1b8b31a2e6120b Stephen Smalley 2020-08-19 1556 policy = rcu_dereference(state->policy);
1b8b31a2e6120b Stephen Smalley 2020-08-19 1557 policydb = &policy->policydb;
1b8b31a2e6120b Stephen Smalley 2020-08-19 1558 sidtab = policy->sidtab;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1559 rc = string_to_context_struct(policydb, sidtab, scontext2,
95ffe194204ae3 Jann Horn 2018-08-06 1560 &context, def_sid);
12b29f34558b9b Stephen Smalley 2008-05-07 1561 if (rc == -EINVAL && force) {
9a59daa03df725 Stephen Smalley 2008-05-14 1562 context.str = str;
efe3de79e0b52c Sachin Grover 2018-05-25 @1563 context.len = strlen(str) + 1;
9a59daa03df725 Stephen Smalley 2008-05-14 1564 str = NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1565 } else if (rc)
4b02b524487622 Eric Paris 2010-11-23 1566 goto out_unlock;
225621c9348d2a Ondrej Mosnacek 2020-04-17 1567 rc = sidtab_context_to_sid(sidtab, &context, sid);
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1568 if (rc == -ESTALE) {
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1569 rcu_read_unlock();
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1570 if (context.str) {
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1571 str = context.str;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1572 context.str = NULL;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1573 }
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1574 context_destroy(&context);
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1575 goto retry;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1576 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 1577 context_destroy(&context);
4b02b524487622 Eric Paris 2010-11-23 1578 out_unlock:
1b8b31a2e6120b Stephen Smalley 2020-08-19 1579 rcu_read_unlock();
4b02b524487622 Eric Paris 2010-11-23 1580 out:
9a59daa03df725 Stephen Smalley 2008-05-14 1581 kfree(scontext2);
9a59daa03df725 Stephen Smalley 2008-05-14 1582 kfree(str);
^1da177e4c3f41 Linus Torvalds 2005-04-16 1583 return rc;
^1da177e4c3f41 Linus Torvalds 2005-04-16 1584 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 1585
:::::: The code at line 1563 was first introduced by commit
:::::: efe3de79e0b52ca281ef6691480c8c68c82a4657 selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
:::::: TO: Sachin Grover <sgrover@codeaurora.org>
:::::: CC: Paul Moore <paul@paul-moore.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 35285 bytes --]
* security/selinux/ss/services.c:1563:17: warning: Null pointer passed as 1st argument to string length function [clang-analyzer-unix.cstring.NullArg]
@ 2022-02-24 10:54 kernel test robot
From: kernel test robot @ 2022-02-24 10:54 UTC (permalink / raw)
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Ondrej Mosnacek <omosnace@redhat.com>
CC: Paul Moore <paul@paul-moore.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 23d04328444a8fa0ca060c5e532220dac8e8bc26
commit: 9ad6e9cb39c66366bf7b9aece114aca277981a1f selinux: fix race between old and new sidtab
date: 11 months ago
:::::: branch date: 15 hours ago
:::::: commit date: 11 months ago
config: riscv-randconfig-c006-20220224 (https://download.01.org/0day-ci/archive/20220224/202202241853.8nKl7Hpc-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project d271fc04d5b97b12e6b797c6067d3c96a8d7470e)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ad6e9cb39c66366bf7b9aece114aca277981a1f
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 9ad6e9cb39c66366bf7b9aece114aca277981a1f
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
fs/btrfs/compression.c:999:14: note: Calling 'alloc_workspace'
workspace = alloc_workspace(type, level);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/compression.c:875:2: note: Control jumps to 'case BTRFS_COMPRESS_NONE:' at line 876
switch (type) {
^
fs/btrfs/compression.c:876:35: note: Calling 'alloc_heuristic_ws'
case BTRFS_COMPRESS_NONE: return alloc_heuristic_ws(level);
^~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/compression.c:838:7: note: Calling 'kzalloc'
ws = kzalloc(sizeof(*ws), GFP_KERNEL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/slab.h:682:9: note: Uninitialized value stored to field 'bucket_b'
return kmalloc(size, flags | __GFP_ZERO);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/compression.c:838:7: note: Returning from 'kzalloc'
ws = kzalloc(sizeof(*ws), GFP_KERNEL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/compression.c:839:6: note: Assuming 'ws' is non-null
if (!ws)
^~~
fs/btrfs/compression.c:839:2: note: Taking false branch
if (!ws)
^
fs/btrfs/compression.c:843:6: note: Assuming field 'sample' is non-null
if (!ws->sample)
^~~~~~~~~~~
fs/btrfs/compression.c:843:2: note: Taking false branch
if (!ws->sample)
^
fs/btrfs/compression.c:847:6: note: Assuming field 'bucket' is null
if (!ws->bucket)
^~~~~~~~~~~
fs/btrfs/compression.c:847:2: note: Taking true branch
if (!ws->bucket)
^
fs/btrfs/compression.c:848:3: note: Control jumps to line 857
goto fail;
^
fs/btrfs/compression.c:857:2: note: Calling 'free_heuristic_ws'
free_heuristic_ws(&ws->list);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/compression.c:826:14: note: Left side of '&&' is false
workspace = list_entry(ws, struct heuristic_ws, list);
^
include/linux/list.h:511:2: note: expanded from macro 'list_entry'
container_of(ptr, type, member)
^
include/linux/kernel.h:694:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
fs/btrfs/compression.c:826:14: note: Taking false branch
workspace = list_entry(ws, struct heuristic_ws, list);
^
include/linux/list.h:511:2: note: expanded from macro 'list_entry'
container_of(ptr, type, member)
^
include/linux/kernel.h:694:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:306:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
fs/btrfs/compression.c:826:14: note: Loop condition is false. Exiting loop
workspace = list_entry(ws, struct heuristic_ws, list);
^
include/linux/list.h:511:2: note: expanded from macro 'list_entry'
container_of(ptr, type, member)
^
include/linux/kernel.h:694:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:304:2: note: expanded from macro '__compiletime_assert'
do { \
^
fs/btrfs/compression.c:830:2: note: 1st function call argument is an uninitialized value
kfree(workspace->bucket_b);
^ ~~~~~~~~~~~~~~~~~~~
Suppressed 5 warnings (5 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
19 warnings generated.
>> security/selinux/ss/services.c:1563:17: warning: Null pointer passed as 1st argument to string length function [clang-analyzer-unix.cstring.NullArg]
context.len = strlen(str) + 1;
^
security/selinux/ss/services.c:1643:9: note: Calling 'security_context_to_sid_core'
return security_context_to_sid_core(state, scontext, scontext_len,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/ss/services.c:1523:6: note: Assuming 'scontext_len' is not equal to 0
if (!scontext_len)
^~~~~~~~~~~~~
security/selinux/ss/services.c:1523:2: note: Taking false branch
if (!scontext_len)
^
security/selinux/ss/services.c:1528:6: note: Assuming 'scontext2' is non-null
if (!scontext2)
^~~~~~~~~~
security/selinux/ss/services.c:1528:2: note: Taking false branch
if (!scontext2)
^
security/selinux/ss/services.c:1531:7: note: Calling 'selinux_initialized'
if (!selinux_initialized(state)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/include/security.h:116:9: note: Left side of '||' is true
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:142:29: note: expanded from macro 'smp_load_acquire'
#define smp_load_acquire(p) __smp_load_acquire(p)
^
arch/riscv/include/asm/barrier.h:39:21: note: expanded from macro '__smp_load_acquire'
typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:21: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:288:29: note: expanded from macro '__native_word'
(sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
^
security/selinux/include/security.h:116:9: note: Taking false branch
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:142:29: note: expanded from macro 'smp_load_acquire'
#define smp_load_acquire(p) __smp_load_acquire(p)
^
arch/riscv/include/asm/barrier.h:39:21: note: expanded from macro '__smp_load_acquire'
typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:306:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
security/selinux/include/security.h:116:9: note: Loop condition is false. Exiting loop
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:142:29: note: expanded from macro 'smp_load_acquire'
#define smp_load_acquire(p) __smp_load_acquire(p)
^
arch/riscv/include/asm/barrier.h:39:21: note: expanded from macro '__smp_load_acquire'
typeof(*p) ___p1 = READ_ONCE(*p); \
^
include/asm-generic/rwonce.h:49:2: note: expanded from macro 'READ_ONCE'
compiletime_assert_rwonce_type(x); \
^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
include/linux/compiler_types.h:326:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:314:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:304:2: note: expanded from macro '__compiletime_assert'
do { \
^
security/selinux/include/security.h:116:9: note: Left side of '||' is true
return smp_load_acquire(&state->initialized);
^
include/asm-generic/barrier.h:142:29: note: expanded from macro 'smp_load_acquire'
#define smp_load_acquire(p) __smp_load_acquire(p)
^
arch/riscv/include/asm/barrier.h:40:2: note: expanded from macro '__smp_load_acquire'
compiletime_assert_atomic_type(*p); \
^
include/linux/compiler_types.h:329:21: note: expanded from macro 'compiletime_assert_atomic_type'
compiletime_assert(__native_word(t), \
^
include/linux/compiler_types.h:288:29: note: expanded from macro '__native_word'
(sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
^
security/selinux/include/security.h:116:9: note: Taking false branch
return smp_load_acquire(&state->initialized);
^
vim +1563 security/selinux/ss/services.c
12b29f34558b9b Stephen Smalley 2008-05-07 1509
aa8e712cee93d5 Stephen Smalley 2018-03-01 1510 static int security_context_to_sid_core(struct selinux_state *state,
aa8e712cee93d5 Stephen Smalley 2018-03-01 1511 const char *scontext, u32 scontext_len,
12b29f34558b9b Stephen Smalley 2008-05-07 1512 u32 *sid, u32 def_sid, gfp_t gfp_flags,
12b29f34558b9b Stephen Smalley 2008-05-07 1513 int force)
12b29f34558b9b Stephen Smalley 2008-05-07 1514 {
1b8b31a2e6120b Stephen Smalley 2020-08-19 1515 struct selinux_policy *policy;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1516 struct policydb *policydb;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1517 struct sidtab *sidtab;
9a59daa03df725 Stephen Smalley 2008-05-14 1518 char *scontext2, *str = NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1519 struct context context;
12b29f34558b9b Stephen Smalley 2008-05-07 1520 int rc = 0;
12b29f34558b9b Stephen Smalley 2008-05-07 1521
2172fa709ab32c Stephen Smalley 2014-01-30 1522 /* An empty security context is never valid. */
2172fa709ab32c Stephen Smalley 2014-01-30 1523 if (!scontext_len)
2172fa709ab32c Stephen Smalley 2014-01-30 1524 return -EINVAL;
2172fa709ab32c Stephen Smalley 2014-01-30 1525
ef28df55ac27e1 Paul Moore 2017-11-28 1526 /* Copy the string to allow changes and ensure a NUL terminator */
ef28df55ac27e1 Paul Moore 2017-11-28 1527 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
ef28df55ac27e1 Paul Moore 2017-11-28 1528 if (!scontext2)
ef28df55ac27e1 Paul Moore 2017-11-28 1529 return -ENOMEM;
ef28df55ac27e1 Paul Moore 2017-11-28 1530
65cddd50980be8 Ondrej Mosnacek 2020-01-07 1531 if (!selinux_initialized(state)) {
12b29f34558b9b Stephen Smalley 2008-05-07 1532 int i;
12b29f34558b9b Stephen Smalley 2008-05-07 1533
12b29f34558b9b Stephen Smalley 2008-05-07 1534 for (i = 1; i < SECINITSID_NUM; i++) {
e3e0b582c321ae Stephen Smalley 2020-02-24 1535 const char *s = initial_sid_to_string[i];
e3e0b582c321ae Stephen Smalley 2020-02-24 1536
e3e0b582c321ae Stephen Smalley 2020-02-24 1537 if (s && !strcmp(s, scontext2)) {
12b29f34558b9b Stephen Smalley 2008-05-07 1538 *sid = i;
ef28df55ac27e1 Paul Moore 2017-11-28 1539 goto out;
12b29f34558b9b Stephen Smalley 2008-05-07 1540 }
12b29f34558b9b Stephen Smalley 2008-05-07 1541 }
12b29f34558b9b Stephen Smalley 2008-05-07 1542 *sid = SECINITSID_KERNEL;
ef28df55ac27e1 Paul Moore 2017-11-28 1543 goto out;
12b29f34558b9b Stephen Smalley 2008-05-07 1544 }
12b29f34558b9b Stephen Smalley 2008-05-07 1545 *sid = SECSID_NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1546
9a59daa03df725 Stephen Smalley 2008-05-14 1547 if (force) {
9a59daa03df725 Stephen Smalley 2008-05-14 1548 /* Save another copy for storing in uninterpreted form */
4b02b524487622 Eric Paris 2010-11-23 1549 rc = -ENOMEM;
9a59daa03df725 Stephen Smalley 2008-05-14 1550 str = kstrdup(scontext2, gfp_flags);
4b02b524487622 Eric Paris 2010-11-23 1551 if (!str)
4b02b524487622 Eric Paris 2010-11-23 1552 goto out;
9a59daa03df725 Stephen Smalley 2008-05-14 1553 }
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1554 retry:
1b8b31a2e6120b Stephen Smalley 2020-08-19 1555 rcu_read_lock();
1b8b31a2e6120b Stephen Smalley 2020-08-19 1556 policy = rcu_dereference(state->policy);
1b8b31a2e6120b Stephen Smalley 2020-08-19 1557 policydb = &policy->policydb;
1b8b31a2e6120b Stephen Smalley 2020-08-19 1558 sidtab = policy->sidtab;
aa8e712cee93d5 Stephen Smalley 2018-03-01 1559 rc = string_to_context_struct(policydb, sidtab, scontext2,
95ffe194204ae3 Jann Horn 2018-08-06 1560 &context, def_sid);
12b29f34558b9b Stephen Smalley 2008-05-07 1561 if (rc == -EINVAL && force) {
9a59daa03df725 Stephen Smalley 2008-05-14 1562 context.str = str;
efe3de79e0b52c Sachin Grover 2018-05-25 @1563 context.len = strlen(str) + 1;
9a59daa03df725 Stephen Smalley 2008-05-14 1564 str = NULL;
12b29f34558b9b Stephen Smalley 2008-05-07 1565 } else if (rc)
4b02b524487622 Eric Paris 2010-11-23 1566 goto out_unlock;
225621c9348d2a Ondrej Mosnacek 2020-04-17 1567 rc = sidtab_context_to_sid(sidtab, &context, sid);
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1568 if (rc == -ESTALE) {
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1569 rcu_read_unlock();
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1570 if (context.str) {
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1571 str = context.str;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1572 context.str = NULL;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1573 }
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1574 context_destroy(&context);
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1575 goto retry;
9ad6e9cb39c663 Ondrej Mosnacek 2021-04-07 1576 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 1577 context_destroy(&context);
4b02b524487622 Eric Paris 2010-11-23 1578 out_unlock:
1b8b31a2e6120b Stephen Smalley 2020-08-19 1579 rcu_read_unlock();
4b02b524487622 Eric Paris 2010-11-23 1580 out:
9a59daa03df725 Stephen Smalley 2008-05-14 1581 kfree(scontext2);
9a59daa03df725 Stephen Smalley 2008-05-14 1582 kfree(str);
^1da177e4c3f41 Linus Torvalds 2005-04-16 1583 return rc;
^1da177e4c3f41 Linus Torvalds 2005-04-16 1584 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 1585
:::::: The code at line 1563 was first introduced by commit
:::::: efe3de79e0b52ca281ef6691480c8c68c82a4657 selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
:::::: TO: Sachin Grover <sgrover@codeaurora.org>
:::::: CC: Paul Moore <paul@paul-moore.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org