* drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-01-10 15:15 kernel test robot
From: kernel test robot @ 2022-01-10 15:15 UTC
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Rasmus Villemoes <linux@rasmusvillemoes.dk>
CC: Miguel Ojeda <ojeda@kernel.org>
CC: Nick Desaulniers <ndesaulniers@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: df0cc57e057f18e44dac8e6c18aba47ab53202f9
commit: e1edc277e6f6dfb372216522dfc57f9381c39e35 linux/container_of.h: switch to static_assert
date: 9 weeks ago
:::::: branch date: 16 hours ago
:::::: commit date: 9 weeks ago
config: arm-randconfig-c002-20220107 (https://download.01.org/0day-ci/archive/20220110/202201102309.jPnMcMSS-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 32167bfe64a4c5dd4eb3f7a58e24f4cba76f5ac2)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e1edc277e6f6dfb372216522dfc57f9381c39e35
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout e1edc277e6f6dfb372216522dfc57f9381c39e35
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
skb_setup_tx_timestamp(skb, sockc->tsflags);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/net/sock.h:2607:39: note: Passing value via 3rd parameter 'tx_flags'
_sock_tx_timestamp(skb->sk, tsflags, &skb_shinfo(skb)->tx_flags,
^~~~~~~~~~~~~~~~~~~~~~~~~~
include/net/sock.h:2607:2: note: Calling '_sock_tx_timestamp'
_sock_tx_timestamp(skb->sk, tsflags, &skb_shinfo(skb)->tx_flags,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/net/sock.h:2589:6: note: Assuming 'tsflags' is not equal to 0
if (unlikely(tsflags)) {
^
include/linux/compiler.h:78:40: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^~~~
include/net/sock.h:2589:2: note: Taking true branch
if (unlikely(tsflags)) {
^
include/net/sock.h:2591:7: note: Assuming the condition is true
if (tsflags & SOF_TIMESTAMPING_OPT_ID && tskey &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/net/sock.h:2591:7: note: Left side of '&&' is true
include/net/sock.h:2591:44: note: Assuming 'tskey' is null
if (tsflags & SOF_TIMESTAMPING_OPT_ID && tskey &&
^~~~~
include/net/sock.h:2591:7: note: Assuming pointer value is null
if (tsflags & SOF_TIMESTAMPING_OPT_ID && tskey &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/net/sock.h:2591:50: note: Left side of '&&' is false
if (tsflags & SOF_TIMESTAMPING_OPT_ID && tskey &&
^
include/net/sock.h:2595:6: note: Assuming the condition is false
if (unlikely(sock_flag(sk, SOCK_WIFI_STATUS)))
^
include/linux/compiler.h:78:40: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^~~~
include/net/sock.h:2595:2: note: Taking true branch
if (unlikely(sock_flag(sk, SOCK_WIFI_STATUS)))
^
include/net/sock.h:2596:13: note: Dereference of null pointer (loaded from variable 'tx_flags')
*tx_flags |= SKBTX_WIFI_STATUS;
~~~~~~~~ ^
2 warnings generated.
drivers/md/dm-kcopyd.c:246:10: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl') [clang-analyzer-core.NullDereference]
next = pl->next;
^
drivers/md/dm-kcopyd.c:913:6: note: Assuming 'kc' is non-null
if (!kc)
^~~
drivers/md/dm-kcopyd.c:913:2: note: Taking false branch
if (!kc)
^
drivers/md/dm-kcopyd.c:916:2: note: Loop condition is false. Exiting loop
spin_lock_init(&kc->job_lock);
^
include/linux/spinlock.h:352:34: note: expanded from macro 'spin_lock_init'
# define spin_lock_init(_lock) \
^
drivers/md/dm-kcopyd.c:924:6: note: Assuming 'r' is 0
if (r)
^
drivers/md/dm-kcopyd.c:924:2: note: Taking false branch
if (r)
^
drivers/md/dm-kcopyd.c:927:2: note: Loop condition is false. Exiting loop
INIT_WORK(&kc->kcopyd_work, do_work);
^
include/linux/workqueue.h:245:2: note: expanded from macro 'INIT_WORK'
__INIT_WORK((_work), (_func), 0)
^
include/linux/workqueue.h:236:2: note: expanded from macro '__INIT_WORK'
do { \
^
drivers/md/dm-kcopyd.c:929:6: note: Assuming field 'kcopyd_wq' is non-null
if (!kc->kcopyd_wq) {
^~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:929:2: note: Taking false branch
if (!kc->kcopyd_wq) {
^
drivers/md/dm-kcopyd.c:939:6: note: Calling 'client_reserve_pages'
r = client_reserve_pages(kc, reserve_pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:309:20: note: 'pl' initialized to a null pointer value
struct page_list *pl = NULL, *next;
^~
drivers/md/dm-kcopyd.c:311:14: note: Assuming 'i' is >= 'nr_pages'
for (i = 0; i < nr_pages; i++) {
^~~~~~~~~~~~
drivers/md/dm-kcopyd.c:311:2: note: Loop condition is false. Execution continues on line 322
for (i = 0; i < nr_pages; i++) {
^
drivers/md/dm-kcopyd.c:323:23: note: Passing null pointer value via 2nd parameter 'pl'
kcopyd_put_pages(kc, pl);
^~
drivers/md/dm-kcopyd.c:323:2: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, pl);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:246:10: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl')
next = pl->next;
^~
>> drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
kcopyd_put_pages(kc, job->pages);
^
drivers/md/dm-kcopyd.c:662:2: note: Calling 'process_jobs'
process_jobs(&kc->complete_jobs, kc, run_complete_job);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Assuming field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:7: note: Assuming field 'nr_free_pages' is >= field 'nr_reserved_pages'
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:3: note: Taking true branch
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^
drivers/md/dm-kcopyd.c:249:4: note: Calling 'free_pl'
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:234:2: note: Memory is released
kfree(pl);
^~~~~~~~~
drivers/md/dm-kcopyd.c:249:4: note: Returning; memory was released via 1st parameter
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:245:2: note: Loop condition is false. Exiting loop
do {
^
drivers/md/dm-kcopyd.c:494:3: note: Returning; memory was released via 2nd parameter
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:6: note: Assuming 'job' is not equal to field 'master_job'
if (job->master_job == job) {
^~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:2: note: Taking false branch
if (job->master_job == job) {
^
drivers/md/dm-kcopyd.c:505:2: note: Taking false branch
if (atomic_dec_and_test(&kc->nr_jobs))
^
drivers/md/dm-kcopyd.c:613:7: note: Returning; memory was released
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:615:7: note: 'r' is >= 0
if (r < 0) {
^
drivers/md/dm-kcopyd.c:615:3: note: Taking false branch
if (r < 0) {
^
drivers/md/dm-kcopyd.c:626:7: note: 'r' is <= 0
if (r > 0) {
^
drivers/md/dm-kcopyd.c:626:3: note: Taking false branch
if (r > 0) {
^
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:11: note: Field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Use of memory after it is freed
kcopyd_put_pages(kc, job->pages);
^ ~~~~~~~~~~
5 warnings generated.
include/net/dst_metadata.h:74:18: warning: Access to field 'type' results in a dereference of a null pointer (loaded from variable 'a') [clang-analyzer-core.NullDereference]
if (!a != !b || a->type != b->type)
^
net/core/dev.c:6338:37: note: Calling 'dev_gro_receive'
ret = napi_frags_finish(napi, skb, dev_gro_receive(napi, skb));
^~~~~~~~~~~~~~~~~~~~~~~~~~
net/core/dev.c:6049:2: note: Taking false branch
if (netif_elide_gro(skb->dev))
^
vim +494 drivers/md/dm-kcopyd.c
b673c3a8192e28 drivers/md/dm-kcopyd.c Kazuo Ito 2008-10-21 475
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 476 /*
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 477 * These three functions process 1 item from the corresponding
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 478 * job list.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 479 *
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 480 * They return:
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 481 * < 0: error
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 482 * 0: success
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 483 * > 0: can't process yet.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 484 */
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 485 static int run_complete_job(struct kcopyd_job *job)
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 486 {
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 487 void *context = job->context;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 488 int read_err = job->read_err;
4cdc1d1fa5c5ac drivers/md/kcopyd.c Alasdair G Kergon 2008-03-28 489 unsigned long write_err = job->write_err;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 490 dm_kcopyd_notify_fn fn = job->fn;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 491 struct dm_kcopyd_client *kc = job->kc;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 492
7f06965390e4a1 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-10-31 493 if (job->pages && job->pages != &zero_page_list)
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 @494 kcopyd_put_pages(kc, job->pages);
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 495 /*
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 496 * If this is the master job, the sub jobs have already
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 497 * completed so we can free everything.
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 498 */
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 499 if (job->master_job == job) {
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 500 mutex_destroy(&job->lock);
6f1c819c219f78 drivers/md/dm-kcopyd.c Kent Overstreet 2018-05-20 501 mempool_free(job, &kc->job_pool);
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 502 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 503 fn(read_err, write_err, context);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 504
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 505 if (atomic_dec_and_test(&kc->nr_jobs))
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 506 wake_up(&kc->destroyq);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 507
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 508 cond_resched();
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 509
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 510 return 0;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 511 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 512
:::::: The code at line 494 was first introduced by commit
:::::: 138728dc96529f20dfe970c470e51885a60e329f [PATCH] dm snapshot: fix kcopyd destructor
:::::: TO: Alasdair G Kergon <agk@redhat.com>
:::::: CC: Linus Torvalds <torvalds@g5.osdl.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
* drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-06-03 2:19 kernel test robot
From: kernel test robot @ 2022-06-03 2:19 UTC
To: kbuild
::::::
:::::: Manual check reason: "low confidence static check first_new_problem: drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]"
::::::
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Rasmus Villemoes <linux@rasmusvillemoes.dk>
CC: Miguel Ojeda <ojeda@kernel.org>
CC: Nick Desaulniers <ndesaulniers@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 50fd82b3a9a9335df5d50c7ddcb81c81d358c4fc
commit: e1edc277e6f6dfb372216522dfc57f9381c39e35 linux/container_of.h: switch to static_assert
date: 7 months ago
:::::: branch date: 4 hours ago
:::::: commit date: 7 months ago
config: arm-randconfig-c002-20220531 (https://download.01.org/0day-ci/archive/20220603/202206031034.W27549iK-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project c825abd6b0198fb088d9752f556a70705bc99dfd)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e1edc277e6f6dfb372216522dfc57f9381c39e35
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout e1edc277e6f6dfb372216522dfc57f9381c39e35
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add the following tag where applicable:
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
fs/ext4/namei.c:1602:8: note: Assuming 'retval' is not equal to 0
if (retval) {
^~~~~~
fs/ext4/namei.c:1602:4: note: Taking true branch
if (retval) {
^
fs/ext4/namei.c:1605:5: note: Control jumps to line 1660
goto cleanup_and_exit;
^
fs/ext4/namei.c:1660:2: note: Loop condition is false. Execution continues on line 1662
for (; ra_ptr < ra_max; ra_ptr++)
^
fs/ext4/namei.c:1662:2: note: Returning pointer (loaded from 'ret'), which participates in a condition later
return ret;
^~~~~~~~~~
fs/ext4/namei.c:1680:7: note: Returning from '__ext4_find_entry'
bh = __ext4_find_entry(dir, &fname, res_dir, inlined);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/ext4/namei.c:1683:2: note: Returning pointer (loaded from 'bh'), which participates in a condition later
return bh;
^~~~~~~~~
fs/ext4/namei.c:3979:11: note: Returning from 'ext4_find_entry'
new.bh = ext4_find_entry(new.dir, &new.dentry->d_name,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/ext4/namei.c:3981:2: note: Taking false branch
if (IS_ERR(new.bh)) {
^
fs/ext4/namei.c:3988:6: note: Assuming field 'bh' is non-null
if (!new.bh || le32_to_cpu(new.de->inode) != new.inode->i_ino)
^~~~~~~
fs/ext4/namei.c:3988:6: note: Left side of '||' is false
fs/ext4/namei.c:3988:17: note: Access to field 'inode' results in a dereference of a null pointer (loaded from field 'de')
if (!new.bh || le32_to_cpu(new.de->inode) != new.inode->i_ino)
^
include/linux/byteorder/generic.h:89:21: note: expanded from macro 'le32_to_cpu'
#define le32_to_cpu __le32_to_cpu
^
include/uapi/linux/byteorder/little_endian.h:34:50: note: expanded from macro '__le32_to_cpu'
#define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
^~
Suppressed 2 warnings (2 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
drivers/md/dm-kcopyd.c:246:10: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl') [clang-analyzer-core.NullDereference]
next = pl->next;
^
drivers/md/dm-kcopyd.c:913:6: note: Assuming 'kc' is non-null
if (!kc)
^~~
drivers/md/dm-kcopyd.c:913:2: note: Taking false branch
if (!kc)
^
drivers/md/dm-kcopyd.c:916:2: note: Loop condition is false. Exiting loop
spin_lock_init(&kc->job_lock);
^
include/linux/spinlock.h:352:34: note: expanded from macro 'spin_lock_init'
# define spin_lock_init(_lock) \
^
drivers/md/dm-kcopyd.c:924:6: note: Assuming 'r' is 0
if (r)
^
drivers/md/dm-kcopyd.c:924:2: note: Taking false branch
if (r)
^
drivers/md/dm-kcopyd.c:927:2: note: Loop condition is false. Exiting loop
INIT_WORK(&kc->kcopyd_work, do_work);
^
include/linux/workqueue.h:245:2: note: expanded from macro 'INIT_WORK'
__INIT_WORK((_work), (_func), 0)
^
include/linux/workqueue.h:236:2: note: expanded from macro '__INIT_WORK'
do { \
^
drivers/md/dm-kcopyd.c:929:6: note: Assuming field 'kcopyd_wq' is non-null
if (!kc->kcopyd_wq) {
^~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:929:2: note: Taking false branch
if (!kc->kcopyd_wq) {
^
drivers/md/dm-kcopyd.c:939:6: note: Calling 'client_reserve_pages'
r = client_reserve_pages(kc, reserve_pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:309:20: note: 'pl' initialized to a null pointer value
struct page_list *pl = NULL, *next;
^~
drivers/md/dm-kcopyd.c:311:14: note: Assuming 'i' is >= 'nr_pages'
for (i = 0; i < nr_pages; i++) {
^~~~~~~~~~~~
drivers/md/dm-kcopyd.c:311:2: note: Loop condition is false. Execution continues on line 322
for (i = 0; i < nr_pages; i++) {
^
drivers/md/dm-kcopyd.c:323:23: note: Passing null pointer value via 2nd parameter 'pl'
kcopyd_put_pages(kc, pl);
^~
drivers/md/dm-kcopyd.c:323:2: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, pl);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:246:10: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl')
next = pl->next;
^~
>> drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
kcopyd_put_pages(kc, job->pages);
^
drivers/md/dm-kcopyd.c:662:2: note: Calling 'process_jobs'
process_jobs(&kc->complete_jobs, kc, run_complete_job);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Assuming field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:7: note: Assuming field 'nr_free_pages' is >= field 'nr_reserved_pages'
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:3: note: Taking true branch
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^
drivers/md/dm-kcopyd.c:249:4: note: Calling 'free_pl'
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:234:2: note: Memory is released
kfree(pl);
^~~~~~~~~
drivers/md/dm-kcopyd.c:249:4: note: Returning; memory was released via 1st parameter
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:245:2: note: Loop condition is false. Exiting loop
do {
^
drivers/md/dm-kcopyd.c:494:3: note: Returning; memory was released via 2nd parameter
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:6: note: Assuming 'job' is not equal to field 'master_job'
if (job->master_job == job) {
^~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:2: note: Taking false branch
if (job->master_job == job) {
^
drivers/md/dm-kcopyd.c:505:2: note: Taking false branch
if (atomic_dec_and_test(&kc->nr_jobs))
^
drivers/md/dm-kcopyd.c:613:7: note: Returning; memory was released
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:615:7: note: 'r' is >= 0
if (r < 0) {
^
drivers/md/dm-kcopyd.c:615:3: note: Taking false branch
if (r < 0) {
^
drivers/md/dm-kcopyd.c:626:7: note: 'r' is <= 0
if (r > 0) {
^
drivers/md/dm-kcopyd.c:626:3: note: Taking false branch
if (r > 0) {
^
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:11: note: Field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Use of memory after it is freed
kcopyd_put_pages(kc, job->pages);
^ ~~~~~~~~~~
2 warnings generated.
block/bfq-iosched.c:5133:20: warning: Access to field 'burst_size' results in a dereference of a null pointer (loaded from field 'bfqd') [clang-analyzer-core.NullDereference]
if (bfqq->bic && bfqq->bfqd->burst_size > 0)
^
block/bfq-iosched.c:6827:2: note: Loop condition is true. Entering loop body
for (i = 0; i < 2; i++)
^
block/bfq-iosched.c:6828:3: note: Loop condition is true. Entering loop body
for (j = 0; j < IOPRIO_NR_LEVELS; j++)
^
--
drivers/nvmem/core.c:1431:6: note: Assuming 'buf' is non-null
if (!buf)
^~~~
drivers/nvmem/core.c:1431:2: note: Taking false branch
if (!buf)
^
drivers/nvmem/core.c:1434:7: note: Calling '__nvmem_cell_read'
rc = __nvmem_cell_read(nvmem, cell, buf, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1398:6: note: Assuming 'rc' is not equal to 0
if (rc)
^~
drivers/nvmem/core.c:1398:2: note: Taking true branch
if (rc)
^
drivers/nvmem/core.c:1399:3: note: Returning without writing to '*len'
return rc;
^
drivers/nvmem/core.c:1434:7: note: Returning from '__nvmem_cell_read'
rc = __nvmem_cell_read(nvmem, cell, buf, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1435:6: note: 'rc' is not equal to 0
if (rc) {
^~
drivers/nvmem/core.c:1435:2: note: Taking true branch
if (rc) {
^
drivers/nvmem/core.c:1437:3: note: Returning without writing to '*len'
return ERR_PTR(rc);
^
drivers/nvmem/core.c:1545:8: note: Returning from 'nvmem_cell_read'
buf = nvmem_cell_read(cell, &len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1546:2: note: Taking false branch
if (IS_ERR(buf)) {
^
drivers/nvmem/core.c:1550:10: note: The left operand of '!=' is a garbage value
if (len != count) {
~~~ ^
drivers/nvmem/core.c:1647:11: warning: The left operand of '>' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
if (*len > max_len) {
^
drivers/nvmem/core.c:1698:2: note: 'len' declared without an initial value
size_t len;
^~~~~~~~~~
drivers/nvmem/core.c:1702:8: note: Calling 'nvmem_cell_read_variable_common'
buf = nvmem_cell_read_variable_common(dev, cell_id, sizeof(*val), &len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1631:2: note: Taking false branch
if (IS_ERR(cell))
^
drivers/nvmem/core.c:1635:8: note: Calling 'nvmem_cell_read'
buf = nvmem_cell_read(cell, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1427:6: note: Assuming 'nvmem' is non-null
if (!nvmem)
^~~~~~
drivers/nvmem/core.c:1427:2: note: Taking false branch
if (!nvmem)
^
drivers/nvmem/core.c:1431:6: note: Assuming 'buf' is non-null
if (!buf)
^~~~
drivers/nvmem/core.c:1431:2: note: Taking false branch
if (!buf)
^
drivers/nvmem/core.c:1434:7: note: Calling '__nvmem_cell_read'
rc = __nvmem_cell_read(nvmem, cell, buf, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1398:6: note: Assuming 'rc' is not equal to 0
if (rc)
^~
drivers/nvmem/core.c:1398:2: note: Taking true branch
if (rc)
^
drivers/nvmem/core.c:1434:7: note: Returning from '__nvmem_cell_read'
rc = __nvmem_cell_read(nvmem, cell, buf, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1435:6: note: 'rc' is not equal to 0
if (rc) {
^~
drivers/nvmem/core.c:1435:2: note: Taking true branch
if (rc) {
^
drivers/nvmem/core.c:1635:8: note: Returning from 'nvmem_cell_read'
buf = nvmem_cell_read(cell, len);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvmem/core.c:1637:2: note: Taking false branch
if (IS_ERR(buf))
^
drivers/nvmem/core.c:1644:6: note: Assuming 'nbits' is 0
if (nbits)
^~~~~
drivers/nvmem/core.c:1644:2: note: Taking false branch
if (nbits)
^
drivers/nvmem/core.c:1647:11: note: The left operand of '>' is a garbage value
if (*len > max_len) {
~~~~ ^
1 warning generated.
>> drivers/md/dm-stats.c:174:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(s->histogram_boundaries);
^
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:16: note: Assuming 'ni' is >= field 'n_entries'
for (ni = 0; ni < s->n_entries; ni++) {
^~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Memory is released
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:177:2: note: Loop condition is true. Entering loop body
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:177:2: note: Loop condition is false. Execution continues on line 181
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:228:3: note: Returning; memory was released
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Attempt to free released memory
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3 warnings generated.
drivers/media/dvb-frontends/stv0910.c:692:4: warning: Value stored to 'status' is never read [clang-analyzer-deadcode.DeadStores]
status = write_reg(state, RSTV0910_P2_ERRCTRL1 +
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/stv0910.c:692:4: note: Value stored to 'status' is never read
status = write_reg(state, RSTV0910_P2_ERRCTRL1 +
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/stv0910.c:698:4: warning: Value stored to 'status' is never read [clang-analyzer-deadcode.DeadStores]
status = write_reg(state, RSTV0910_P2_ERRCTRL1 +
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/stv0910.c:698:4: note: Value stored to 'status' is never read
status = write_reg(state, RSTV0910_P2_ERRCTRL1 +
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Suppressed 1 warnings (1 with check filters).
2 warnings generated.
drivers/media/dvb-frontends/stv6111.c:473:2: warning: Value stored to 'icp' is never read [clang-analyzer-deadcode.DeadStores]
icp = 0;
^ ~
drivers/media/dvb-frontends/stv6111.c:473:2: note: Value stored to 'icp' is never read
icp = 0;
^ ~
Suppressed 1 warnings (1 with check filters).
6 warnings generated.
drivers/media/dvb-frontends/mxl5xx.c:190:28: warning: The right operand of '&' is a garbage value [clang-analyzer-core.UndefinedBinaryOperatorResult]
if (DMA_INTR_PROT_WR_CMP & val)
^
drivers/media/dvb-frontends/mxl5xx.c:665:6: note: Assuming 're_tune' is true
if (re_tune) {
^~~~~~~
drivers/media/dvb-frontends/mxl5xx.c:665:2: note: Taking true branch
if (re_tune) {
^
drivers/media/dvb-frontends/mxl5xx.c:666:7: note: Calling 'set_parameters'
r = set_parameters(fe);
^~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/mxl5xx.c:445:6: note: Assuming field 'frequency' is >= 950000
if (p->frequency < 950000 || p->frequency > 2150000)
^~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/mxl5xx.c:445:6: note: Left side of '||' is false
drivers/media/dvb-frontends/mxl5xx.c:445:31: note: Assuming field 'frequency' is <= 2150000
if (p->frequency < 950000 || p->frequency > 2150000)
^~~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/mxl5xx.c:445:2: note: Taking false branch
if (p->frequency < 950000 || p->frequency > 2150000)
^
drivers/media/dvb-frontends/mxl5xx.c:447:6: note: Assuming field 'symbol_rate' is >= 1000000
if (p->symbol_rate < 1000000 || p->symbol_rate > 45000000)
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/mxl5xx.c:447:6: note: Left side of '||' is false
drivers/media/dvb-frontends/mxl5xx.c:447:34: note: Assuming field 'symbol_rate' is <= 45000000
--
drivers/md/bcache/movinggc.c:233:9: note: Assuming 'sectors_to_move' is <= 'reserve_sectors'
while (sectors_to_move > reserve_sectors) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/bcache/movinggc.c:233:2: note: Loop condition is false. Execution continues on line 238
while (sectors_to_move > reserve_sectors) {
^
drivers/md/bcache/movinggc.c:238:9: note: '_r' is false
while (heap_pop(&ca->heap, b, bucket_cmp))
^
drivers/md/bcache/util.h:101:6: note: expanded from macro 'heap_pop'
if (_r) { \
^~
drivers/md/bcache/movinggc.c:238:9: note: Taking false branch
while (heap_pop(&ca->heap, b, bucket_cmp))
^
drivers/md/bcache/util.h:101:2: note: expanded from macro 'heap_pop'
if (_r) { \
^
drivers/md/bcache/movinggc.c:238:2: note: Loop condition is false. Execution continues on line 241
while (heap_pop(&ca->heap, b, bucket_cmp))
^
drivers/md/bcache/movinggc.c:245:2: note: Calling 'read_moving'
read_moving(c);
^~~~~~~~~~~~~~
drivers/md/bcache/movinggc.c:137:9: note: Assuming the condition is true
while (!test_bit(CACHE_SET_STOPPING, &c->flags)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/bcache/movinggc.c:137:2: note: Loop condition is true. Entering loop body
while (!test_bit(CACHE_SET_STOPPING, &c->flags)) {
^
drivers/md/bcache/movinggc.c:139:10: note: The result of the left shift is undefined because the left operand is negative
&MAX_KEY, moving_pred);
^
include/uapi/linux/bcache.h:81:24: note: expanded from macro 'MAX_KEY'
#define MAX_KEY KEY(MAX_KEY_INODE, MAX_KEY_OFFSET, 0)
^~~~~~~~~~~~~
include/uapi/linux/bcache.h:79:31: note: expanded from macro 'MAX_KEY_INODE'
#define MAX_KEY_INODE (~(~0 << 20))
~~ ^
include/uapi/linux/bcache.h:73:51: note: expanded from macro 'KEY'
.high = (1ULL << 63) | ((__u64) (size) << 20) | (inode), \
^~~~~
2 warnings generated.
drivers/md/dm-kcopyd.c:246:10: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl') [clang-analyzer-core.NullDereference]
next = pl->next;
^
drivers/md/dm-kcopyd.c:913:6: note: Assuming 'kc' is non-null
if (!kc)
^~~
drivers/md/dm-kcopyd.c:913:2: note: Taking false branch
if (!kc)
^
drivers/md/dm-kcopyd.c:916:2: note: Loop condition is false. Exiting loop
spin_lock_init(&kc->job_lock);
^
include/linux/spinlock.h:352:34: note: expanded from macro 'spin_lock_init'
# define spin_lock_init(_lock) \
^
drivers/md/dm-kcopyd.c:924:6: note: Assuming 'r' is 0
if (r)
^
drivers/md/dm-kcopyd.c:924:2: note: Taking false branch
if (r)
^
drivers/md/dm-kcopyd.c:927:2: note: Loop condition is false. Exiting loop
INIT_WORK(&kc->kcopyd_work, do_work);
^
include/linux/workqueue.h:245:2: note: expanded from macro 'INIT_WORK'
__INIT_WORK((_work), (_func), 0)
^
include/linux/workqueue.h:236:2: note: expanded from macro '__INIT_WORK'
do { \
^
drivers/md/dm-kcopyd.c:929:6: note: Assuming field 'kcopyd_wq' is non-null
if (!kc->kcopyd_wq) {
^~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:929:2: note: Taking false branch
if (!kc->kcopyd_wq) {
^
drivers/md/dm-kcopyd.c:939:6: note: Calling 'client_reserve_pages'
r = client_reserve_pages(kc, reserve_pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:309:20: note: 'pl' initialized to a null pointer value
struct page_list *pl = NULL, *next;
^~
drivers/md/dm-kcopyd.c:311:14: note: Assuming 'i' is >= 'nr_pages'
for (i = 0; i < nr_pages; i++) {
^~~~~~~~~~~~
drivers/md/dm-kcopyd.c:311:2: note: Loop condition is false. Execution continues on line 322
for (i = 0; i < nr_pages; i++) {
^
drivers/md/dm-kcopyd.c:323:23: note: Passing null pointer value via 2nd parameter 'pl'
kcopyd_put_pages(kc, pl);
^~
drivers/md/dm-kcopyd.c:323:2: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, pl);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:246:10: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl')
next = pl->next;
^~
>> drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
kcopyd_put_pages(kc, job->pages);
^
drivers/md/dm-kcopyd.c:662:2: note: Calling 'process_jobs'
process_jobs(&kc->complete_jobs, kc, run_complete_job);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Assuming field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:7: note: Assuming field 'nr_free_pages' is >= field 'nr_reserved_pages'
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:3: note: Taking true branch
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^
drivers/md/dm-kcopyd.c:249:4: note: Calling 'free_pl'
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:234:2: note: Memory is released
kfree(pl);
^~~~~~~~~
drivers/md/dm-kcopyd.c:249:4: note: Returning; memory was released via 1st parameter
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:245:2: note: Loop condition is false. Exiting loop
do {
^
drivers/md/dm-kcopyd.c:494:3: note: Returning; memory was released via 2nd parameter
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:6: note: Assuming 'job' is not equal to field 'master_job'
if (job->master_job == job) {
^~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:2: note: Taking false branch
if (job->master_job == job) {
^
drivers/md/dm-kcopyd.c:505:2: note: Taking false branch
if (atomic_dec_and_test(&kc->nr_jobs))
^
drivers/md/dm-kcopyd.c:613:7: note: Returning; memory was released
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:615:7: note: 'r' is >= 0
if (r < 0) {
^
drivers/md/dm-kcopyd.c:615:3: note: Taking false branch
if (r < 0) {
^
drivers/md/dm-kcopyd.c:626:7: note: 'r' is <= 0
if (r > 0) {
^
drivers/md/dm-kcopyd.c:626:3: note: Taking false branch
if (r > 0) {
^
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:11: note: Field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Use of memory after it is freed
kcopyd_put_pages(kc, job->pages);
^ ~~~~~~~~~~
1 warning generated.
mm/memblock.c:1185:36: warning: The result of the '<<' expression is undefined [clang-analyzer-core.UndefinedBinaryOperatorResult]
*idx = (u32)idx_a | (u64)idx_b << 32;
~~~~~~~~~~~^~~~~
mm/memblock.c:1123:16: note: Assuming the condition is false
if (WARN_ONCE(nid == MAX_NUMNODES, "Usage of MAX_NUMNODES is deprecated. Use NUMA_NO_NODE instead\n"))
^
include/asm-generic/bug.h:150:18: note: expanded from macro 'WARN_ONCE'
DO_ONCE_LITE_IF(condition, WARN, 1, format)
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
--
^
fs/gfs2/glock.c:617:2: note: Loop condition is false. Exiting loop
GLOCK_BUG_ON(gl, gl->gl_state == gl->gl_target);
^
fs/gfs2/glock.h:211:28: note: expanded from macro 'GLOCK_BUG_ON'
#define GLOCK_BUG_ON(gl,x) do { if (unlikely(x)) { \
^
fs/gfs2/glock.c:618:7: note: 'target' is not equal to LM_ST_UNLOCKED
if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
^~~~~~
fs/gfs2/glock.c:618:7: note: Left side of '||' is false
fs/gfs2/glock.c:618:35: note: Assuming 'target' is equal to LM_ST_DEFERRED
if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
^~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:618:6: note: Left side of '&&' is true
if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
^
fs/gfs2/glock.c:619:6: note: Assuming field 'go_inval' is null
glops->go_inval) {
^~~~~~~~~~~~~~~
fs/gfs2/glock.c:618:6: note: Assuming pointer value is null
if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:618:2: note: Taking false branch
if ((target == LM_ST_UNLOCKED || target == LM_ST_DEFERRED) &&
^
fs/gfs2/glock.c:631:2: note: '?' condition is true
set_bit(GLF_BLOCKING, &gl->gl_flags);
^
arch/arm/include/asm/bitops.h:189:25: note: expanded from macro 'set_bit'
#define set_bit(nr,p) ATOMIC_BITOP(set_bit,nr,p)
^
arch/arm/include/asm/bitops.h:181:3: note: expanded from macro 'ATOMIC_BITOP'
(__builtin_constant_p(nr) ? ____atomic_##name(nr, p) : _##name(nr,p))
^
fs/gfs2/glock.c:632:11: note: Field 'gl_req' is not equal to LM_ST_UNLOCKED
if ((gl->gl_req == LM_ST_UNLOCKED) ||
^
fs/gfs2/glock.c:632:6: note: Left side of '||' is false
if ((gl->gl_req == LM_ST_UNLOCKED) ||
^
fs/gfs2/glock.c:633:7: note: Assuming field 'gl_state' is not equal to LM_ST_EXCLUSIVE
(gl->gl_state == LM_ST_EXCLUSIVE) ||
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:632:6: note: Left side of '||' is false
if ((gl->gl_req == LM_ST_UNLOCKED) ||
^
fs/gfs2/glock.c:632:2: note: Taking false branch
if ((gl->gl_req == LM_ST_UNLOCKED) ||
^
fs/gfs2/glock.c:637:6: note: Assuming field 'go_sync' is null
if (glops->go_sync) {
^~~~~~~~~~~~~~
fs/gfs2/glock.c:637:2: note: Taking false branch
if (glops->go_sync) {
^
fs/gfs2/glock.c:651:6: note: Assuming the condition is true
if (test_bit(GLF_INVALIDATE_IN_PROGRESS, &gl->gl_flags)) {
^
include/asm-generic/bitops/non-atomic.h:120:18: note: expanded from macro 'test_bit'
#define test_bit arch_test_bit
^
fs/gfs2/glock.c:651:2: note: Taking true branch
if (test_bit(GLF_INVALIDATE_IN_PROGRESS, &gl->gl_flags)) {
^
fs/gfs2/glock.c:659:8: note: Assuming the condition is false
if ((atomic_read(&gl->gl_ail_count) != 0) &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:659:45: note: Left side of '&&' is false
if ((atomic_read(&gl->gl_ail_count) != 0) &&
^
fs/gfs2/glock.c:665:23: note: 'target' is equal to LM_ST_DEFERRED
glops->go_inval(gl, target == LM_ST_DEFERRED ? 0 : DIO_METADATA);
^~~~~~
fs/gfs2/glock.c:665:23: note: '?' condition is true
fs/gfs2/glock.c:665:3: note: Called function pointer is null (null dereference)
glops->go_inval(gl, target == LM_ST_DEFERRED ? 0 : DIO_METADATA);
^~~~~~~~~~~~~~~
include/linux/jhash.h:127:5: warning: Assigned value is garbage or undefined [clang-analyzer-core.uninitialized.Assign]
b += k[1];
^
fs/gfs2/glock.c:1556:10: note: Calling 'gfs2_glock_get'
error = gfs2_glock_get(sdp, number, glops, CREATE, &gl);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:1032:7: note: Calling 'find_insert_glock'
gl = find_insert_glock(&name, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:976:26: note: Calling 'glock_waitqueue'
wait_queue_head_t *wq = glock_waitqueue(name);
^~~~~~~~~~~~~~~~~~~~~
fs/gfs2/glock.c:107:13: note: Calling 'jhash2'
u32 hash = jhash2((u32 *)name, ht_parms.key_len / 4, 0);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/jhash.h:125:2: note: Loop condition is true. Entering loop body
while (length > 3) {
^
include/linux/jhash.h:127:5: note: Assigned value is garbage or undefined
b += k[1];
^ ~~~~
1 warning generated.
>> drivers/md/dm-stats.c:174:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(s->histogram_boundaries);
^
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:16: note: Assuming 'ni' is >= field 'n_entries'
for (ni = 0; ni < s->n_entries; ni++) {
^~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Memory is released
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:177:2: note: Loop condition is true. Entering loop body
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:177:2: note: Loop condition is false. Execution continues on line 181
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:228:3: note: Returning; memory was released
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Attempt to free released memory
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
sound/core/oss/mixer_oss.c:1067:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(str, ptr->name);
^~~~~~
sound/core/oss/mixer_oss.c:1067:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
strcpy(str, ptr->name);
^~~~~~
1 warning generated.
include/linux/log2.h:67:13: warning: The result of the left shift is undefined due to shifting by '4294967295', which is greater or equal to the width of type 'unsigned long' [clang-analyzer-core.UndefinedBinaryOperatorResult]
return 1UL << (fls_long(n) - 1);
^
sound/core/oss/pcm_oss.c:849:6: note: Assuming field 'params' is not equal to 0
if (!runtime->oss.params)
^~~~~~~~~~~~~~~~~~~~
sound/core/oss/pcm_oss.c:849:2: note: Taking false branch
if (!runtime->oss.params)
^
sound/core/oss/pcm_oss.c:854:6: note: Assuming 'sw_params' is non-null
if (!sw_params || !params || !sparams) {
^~~~~~~~~~
sound/core/oss/pcm_oss.c:854:6: note: Left side of '||' is false
sound/core/oss/pcm_oss.c:854:20: note: Assuming 'params' is non-null
if (!sw_params || !params || !sparams) {
^~~~~~~
sound/core/oss/pcm_oss.c:854:6: note: Left side of '||' is false
if (!sw_params || !params || !sparams) {
^
sound/core/oss/pcm_oss.c:854:31: note: Assuming 'sparams' is non-null
if (!sw_params || !params || !sparams) {
^~~~~~~~
sound/core/oss/pcm_oss.c:854:2: note: Taking false branch
if (!sw_params || !params || !sparams) {
^
sound/core/oss/pcm_oss.c:859:6: note: Assuming the condition is false
if (atomic_read(&substream->mmap_count))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/core/oss/pcm_oss.c:859:2: note: Taking false branch
if (atomic_read(&substream->mmap_count))
^
sound/core/oss/pcm_oss.c:868:2: note: Taking false branch
if (atomic_read(&substream->mmap_count))
^
sound/core/oss/pcm_oss.c:872:7: note: Assuming 'direct' is not equal to 0
if (!direct)
^~~~~~~
sound/core/oss/pcm_oss.c:872:3: note: Taking false branch
if (!direct)
^
sound/core/oss/pcm_oss.c:876:6: note: 'err' is >= 0
if (err < 0) {
vim +494 drivers/md/dm-kcopyd.c
b673c3a8192e28f drivers/md/dm-kcopyd.c Kazuo Ito 2008-10-21 475
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 476 /*
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 477 * These three functions process 1 item from the corresponding
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 478 * job list.
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 479 *
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 480 * They return:
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 481 * < 0: error
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 482 * 0: success
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 483 * > 0: can't process yet.
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 484 */
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 485 static int run_complete_job(struct kcopyd_job *job)
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 486 {
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 487 void *context = job->context;
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 488 int read_err = job->read_err;
4cdc1d1fa5c5ac1 drivers/md/kcopyd.c Alasdair G Kergon 2008-03-28 489 unsigned long write_err = job->write_err;
eb69aca5d3370b8 drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 490 dm_kcopyd_notify_fn fn = job->fn;
eb69aca5d3370b8 drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 491 struct dm_kcopyd_client *kc = job->kc;
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 492
7f06965390e4a10 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-10-31 493 if (job->pages && job->pages != &zero_page_list)
138728dc96529f2 drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 @494 kcopyd_put_pages(kc, job->pages);
c6ea41fbbe08f27 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 495 /*
c6ea41fbbe08f27 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 496 * If this is the master job, the sub jobs have already
c6ea41fbbe08f27 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 497 * completed so we can free everything.
c6ea41fbbe08f27 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 498 */
d5ffebdd797a7c1 drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 499 if (job->master_job == job) {
d5ffebdd797a7c1 drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 500 mutex_destroy(&job->lock);
6f1c819c219f784 drivers/md/dm-kcopyd.c Kent Overstreet 2018-05-20 501 mempool_free(job, &kc->job_pool);
d5ffebdd797a7c1 drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 502 }
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 503 fn(read_err, write_err, context);
138728dc96529f2 drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 504
138728dc96529f2 drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 505 if (atomic_dec_and_test(&kc->nr_jobs))
138728dc96529f2 drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 506 wake_up(&kc->destroyq);
138728dc96529f2 drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 507
784c9a29e99eb40 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 508 cond_resched();
784c9a29e99eb40 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 509
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 510 return 0;
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 511 }
^1da177e4c3f415 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 512
:::::: The code at line 494 was first introduced by commit
:::::: 138728dc96529f20dfe970c470e51885a60e329f [PATCH] dm snapshot: fix kcopyd destructor
:::::: TO: Alasdair G Kergon <agk@redhat.com>
:::::: CC: Linus Torvalds <torvalds@g5.osdl.org>
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-05-22 15:22 kernel test robot
From: kernel test robot @ 2022-05-22 15:22 UTC (permalink / raw)
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Rasmus Villemoes <linux@rasmusvillemoes.dk>
CC: Miguel Ojeda <ojeda@kernel.org>
CC: Nick Desaulniers <ndesaulniers@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: eaea45fc0e7b6ae439526b4a41d91230c8517336
commit: e1edc277e6f6dfb372216522dfc57f9381c39e35 linux/container_of.h: switch to static_assert
date: 6 months ago
:::::: branch date: 15 hours ago
:::::: commit date: 6 months ago
config: arm-randconfig-c002-20220518 (https://download.01.org/0day-ci/archive/20220522/202205222334.TUx9D4Qj-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 853fa8ee225edf2d0de94b0dcbd31bea916e825e)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e1edc277e6f6dfb372216522dfc57f9381c39e35
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout e1edc277e6f6dfb372216522dfc57f9381c39e35
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add the following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
include/linux/minmax.h:45:19: note: expanded from macro 'min'
#define min(x, y) __careful_cmp(x, y, <)
^
include/linux/minmax.h:38:3: note: expanded from macro '__careful_cmp'
__cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
^
include/linux/minmax.h:33:3: note: expanded from macro '__cmp_once'
__cmp(unique_x, unique_y, op); })
^
include/linux/minmax.h:28:26: note: expanded from macro '__cmp'
#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
^
drivers/virtio/virtio_balloon.c:288:25: note: Assuming 'num' is <= field 'num_pfns'
for (vb->num_pfns = 0; vb->num_pfns < num;
^~~~~~~~~~~~~~~~~~
drivers/virtio/virtio_balloon.c:288:2: note: Loop condition is false. Execution continues on line 298
for (vb->num_pfns = 0; vb->num_pfns < num;
^
drivers/virtio/virtio_balloon.c:304:10: note: Field 'num_pfns' is equal to 0
if (vb->num_pfns != 0)
^
drivers/virtio/virtio_balloon.c:304:2: note: Taking false branch
if (vb->num_pfns != 0)
^
drivers/virtio/virtio_balloon.c:306:2: note: Calling 'release_pages_balloon'
release_pages_balloon(vb, &pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/virtio/virtio_balloon.c:266:2: note: Assigned value is garbage or undefined
list_for_each_entry_safe(page, next, pages, lru) {
^
include/linux/list.h:718:7: note: expanded from macro 'list_for_each_entry_safe'
n = list_next_entry(pos, member); \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/list.h:557:2: note: expanded from macro 'list_next_entry'
list_entry((pos)->member.next, typeof(*(pos)), member)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/list.h:513:2: note: expanded from macro 'list_entry'
container_of(ptr, type, member)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/container_of.h:18:2: note: expanded from macro 'container_of'
void *__mptr = (void *)(ptr); \
^ ~~~~~~~~~~~~~
2 warnings generated.
drivers/md/dm-kcopyd.c:246:10: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl') [clang-analyzer-core.NullDereference]
next = pl->next;
^
drivers/md/dm-kcopyd.c:913:6: note: Assuming 'kc' is non-null
if (!kc)
^~~
drivers/md/dm-kcopyd.c:913:2: note: Taking false branch
if (!kc)
^
drivers/md/dm-kcopyd.c:916:2: note: Loop condition is false. Exiting loop
spin_lock_init(&kc->job_lock);
^
include/linux/spinlock.h:352:34: note: expanded from macro 'spin_lock_init'
# define spin_lock_init(_lock) \
^
drivers/md/dm-kcopyd.c:924:6: note: Assuming 'r' is 0
if (r)
^
drivers/md/dm-kcopyd.c:924:2: note: Taking false branch
if (r)
^
drivers/md/dm-kcopyd.c:927:2: note: Loop condition is false. Exiting loop
INIT_WORK(&kc->kcopyd_work, do_work);
^
include/linux/workqueue.h:245:2: note: expanded from macro 'INIT_WORK'
__INIT_WORK((_work), (_func), 0)
^
include/linux/workqueue.h:236:2: note: expanded from macro '__INIT_WORK'
do { \
^
drivers/md/dm-kcopyd.c:929:6: note: Assuming field 'kcopyd_wq' is non-null
if (!kc->kcopyd_wq) {
^~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:929:2: note: Taking false branch
if (!kc->kcopyd_wq) {
^
drivers/md/dm-kcopyd.c:939:6: note: Calling 'client_reserve_pages'
r = client_reserve_pages(kc, reserve_pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:309:20: note: 'pl' initialized to a null pointer value
struct page_list *pl = NULL, *next;
^~
drivers/md/dm-kcopyd.c:311:14: note: Assuming 'i' is >= 'nr_pages'
for (i = 0; i < nr_pages; i++) {
^~~~~~~~~~~~
drivers/md/dm-kcopyd.c:311:2: note: Loop condition is false. Execution continues on line 322
for (i = 0; i < nr_pages; i++) {
^
drivers/md/dm-kcopyd.c:323:23: note: Passing null pointer value via 2nd parameter 'pl'
kcopyd_put_pages(kc, pl);
^~
drivers/md/dm-kcopyd.c:323:2: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, pl);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:246:10: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl')
next = pl->next;
^~
>> drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
kcopyd_put_pages(kc, job->pages);
^
drivers/md/dm-kcopyd.c:662:2: note: Calling 'process_jobs'
process_jobs(&kc->complete_jobs, kc, run_complete_job);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Assuming field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:7: note: Assuming field 'nr_free_pages' is >= field 'nr_reserved_pages'
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:3: note: Taking true branch
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^
drivers/md/dm-kcopyd.c:249:4: note: Calling 'free_pl'
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:234:2: note: Memory is released
kfree(pl);
^~~~~~~~~
drivers/md/dm-kcopyd.c:249:4: note: Returning; memory was released via 1st parameter
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:245:2: note: Loop condition is false. Exiting loop
do {
^
drivers/md/dm-kcopyd.c:494:3: note: Returning; memory was released via 2nd parameter
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:6: note: Assuming 'job' is not equal to field 'master_job'
if (job->master_job == job) {
^~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:2: note: Taking false branch
if (job->master_job == job) {
^
drivers/md/dm-kcopyd.c:505:2: note: Taking false branch
if (atomic_dec_and_test(&kc->nr_jobs))
^
drivers/md/dm-kcopyd.c:613:7: note: Returning; memory was released
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:615:7: note: 'r' is >= 0
if (r < 0) {
^
drivers/md/dm-kcopyd.c:615:3: note: Taking false branch
if (r < 0) {
^
drivers/md/dm-kcopyd.c:626:7: note: 'r' is <= 0
if (r > 0) {
^
drivers/md/dm-kcopyd.c:626:3: note: Taking false branch
if (r > 0) {
^
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:11: note: Field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Use of memory after it is freed
kcopyd_put_pages(kc, job->pages);
^ ~~~~~~~~~~
11 warnings generated.
kernel/sched/core.c:5463:16: warning: Value stored to 'preempt_disable_ip' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
unsigned long preempt_disable_ip = get_preempt_disable_ip(current);
^~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/sched/core.c:5463:16: note: Value stored to 'preempt_disable_ip' during its initialization is never read
unsigned long preempt_disable_ip = get_preempt_disable_ip(current);
^~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/sched/core.c:6287:3: warning: Value stored to 'rq' is never read [clang-analyzer-deadcode.DeadStores]
rq = context_switch(rq, prev, next, &rf);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/socket.c:2671:2: warning: Argument to kfree() is the address of the local variable 'iovstack', which is not memory allocated by malloc() [clang-analyzer-unix.Malloc]
kfree(iov);
^
net/socket.c:2859:1: note: Calling '__do_sys_recvmmsg'
SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
^
include/linux/syscalls.h:220:36: note: expanded from macro 'SYSCALL_DEFINE5'
#define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/syscalls.h:227:2: note: expanded from macro 'SYSCALL_DEFINEx'
__SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/syscalls.h:248:14: note: expanded from macro '__SYSCALL_DEFINEx'
long ret = __do_sys##name(__MAP(x,__SC_CAST,__VA_ARGS__));\
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
note: expanded from here
net/socket.c:2863:2: note: Taking false branch
if (flags & MSG_CMSG_COMPAT)
^
net/socket.c:2866:9: note: Calling '__sys_recvmmsg'
return __sys_recvmmsg(fd, mmsg, vlen, flags, timeout, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/socket.c:2836:6: note: Assuming 'timeout' is null
if (timeout && get_timespec64(&timeout_sys, timeout))
^~~~~~~
net/socket.c:2836:14: note: Left side of '&&' is false
if (timeout && get_timespec64(&timeout_sys, timeout))
^
net/socket.c:2839:6: note: 'timeout32' is null
if (timeout32 && get_old_timespec32(&timeout_sys, timeout32))
^~~~~~~~~
net/socket.c:2839:16: note: Left side of '&&' is false
if (timeout32 && get_old_timespec32(&timeout_sys, timeout32))
^
net/socket.c:2842:7: note: 'timeout' is null
if (!timeout && !timeout32)
^~~~~~~
net/socket.c:2842:6: note: Left side of '&&' is true
if (!timeout && !timeout32)
^
net/socket.c:2842:19: note: 'timeout32' is null
if (!timeout && !timeout32)
^~~~~~~~~
net/socket.c:2842:2: note: Taking true branch
if (!timeout && !timeout32)
^
net/socket.c:2843:10: note: Calling 'do_recvmmsg'
return do_recvmmsg(fd, mmsg, vlen, flags, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/socket.c:2729:6: note: 'timeout' is null
if (timeout &&
^~~~~~~
net/socket.c:2729:14: note: Left side of '&&' is false
if (timeout &&
^
net/socket.c:2737:7: note: 'sock' is non-null
if (!sock)
^~~~
net/socket.c:2737:2: note: Taking false branch
if (!sock)
^
net/socket.c:2740:13: note: Assuming the condition is false
if (likely(!(flags & MSG_ERRQUEUE))) {
^
include/linux/compiler.h:77:40: note: expanded from macro 'likely'
# define likely(x) __builtin_expect(!!(x), 1)
^
net/socket.c:2740:2: note: Taking false branch
if (likely(!(flags & MSG_ERRQUEUE))) {
^
net/socket.c:2751:9: note: Assuming 'datagrams' is < 'vlen'
while (datagrams < vlen) {
^~~~~~~~~~~~~~~~
net/socket.c:2751:2: note: Loop condition is true. Entering loop body
while (datagrams < vlen) {
^
net/socket.c:2755:3: note: Taking false branch
if (MSG_CMSG_COMPAT & flags) {
^
net/socket.c:2764:10: note: Calling '___sys_recvmsg'
err = ___sys_recvmsg(sock,
^~~~~~~~~~~~~~~~~~~~
net/socket.c:2667:6: note: 'err' is >= 0
if (err < 0)
^~~
net/socket.c:2667:2: note: Taking false branch
if (err < 0)
^
net/socket.c:2671:2: note: Argument to kfree() is the address of the local variable 'iovstack', which is not memory allocated by malloc()
kfree(iov);
^ ~~~
net/socket.c:2749:2: warning: Value stored to 'compat_entry' is never read [clang-analyzer-deadcode.DeadStores]
compat_entry = (struct compat_mmsghdr __user *)mmsg;
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/socket.c:2749:2: note: Value stored to 'compat_entry' is never read
compat_entry = (struct compat_mmsghdr __user *)mmsg;
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Suppressed 2 warnings (2 with check filters).
1 warning generated.
>> drivers/md/dm-stats.c:174:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(s->histogram_boundaries);
^
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:16: note: Assuming 'ni' is >= field 'n_entries'
for (ni = 0; ni < s->n_entries; ni++) {
^~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Memory is released
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:177:2: note: Loop condition is true. Entering loop body
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:177:2: note: Loop condition is false. Execution continues on line 181
for_each_possible_cpu(cpu) {
^
include/linux/cpumask.h:788:36: note: expanded from macro 'for_each_possible_cpu'
#define for_each_possible_cpu(cpu) for_each_cpu((cpu), cpu_possible_mask)
^
include/linux/cpumask.h:179:2: note: expanded from macro 'for_each_cpu'
for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask)
^
drivers/md/dm-stats.c:228:3: note: Returning; memory was released
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:212:2: note: Loop condition is true. Entering loop body
while (!list_empty(&stats->list)) {
^
drivers/md/dm-stats.c:215:3: note: Loop condition is false. Execution continues on line 228
for (ni = 0; ni < s->n_entries; ni++) {
^
drivers/md/dm-stats.c:228:3: note: Calling 'dm_stat_free'
dm_stat_free(&s->rcu_head);
^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-stats.c:174:2: note: Attempt to free released memory
kfree(s->histogram_boundaries);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
Suppressed 1 warnings (1 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
crypto/poly1305_generic.c:49:4: warning: Value stored to 'src' is never read [clang-analyzer-deadcode.DeadStores]
src += POLY1305_BLOCK_SIZE;
^
crypto/poly1305_generic.c:49:4: note: Value stored to 'src' is never read
Suppressed 1 warnings (1 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
1 warning generated.
Suppressed 1 warnings (1 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
1 warning generated.
Suppressed 1 warnings (1 with check filters).
3 warnings generated.
drivers/media/tuners/tda18271-fe.c:473:2: warning: Value stored to 'bcal' is never read [clang-analyzer-deadcode.DeadStores]
bcal = 0;
^ ~
drivers/media/tuners/tda18271-fe.c:473:2: note: Value stored to 'bcal' is never read
bcal = 0;
vim +494 drivers/md/dm-kcopyd.c
b673c3a8192e28 drivers/md/dm-kcopyd.c Kazuo Ito 2008-10-21 475
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 476 /*
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 477 * These three functions process 1 item from the corresponding
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 478 * job list.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 479 *
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 480 * They return:
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 481 * < 0: error
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 482 * 0: success
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 483 * > 0: can't process yet.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 484 */
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 485 static int run_complete_job(struct kcopyd_job *job)
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 486 {
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 487 void *context = job->context;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 488 int read_err = job->read_err;
4cdc1d1fa5c5ac drivers/md/kcopyd.c Alasdair G Kergon 2008-03-28 489 unsigned long write_err = job->write_err;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 490 dm_kcopyd_notify_fn fn = job->fn;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 491 struct dm_kcopyd_client *kc = job->kc;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 492
7f06965390e4a1 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-10-31 493 if (job->pages && job->pages != &zero_page_list)
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 @494 kcopyd_put_pages(kc, job->pages);
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 495 /*
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 496 * If this is the master job, the sub jobs have already
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 497 * completed so we can free everything.
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 498 */
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 499 if (job->master_job == job) {
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 500 mutex_destroy(&job->lock);
6f1c819c219f78 drivers/md/dm-kcopyd.c Kent Overstreet 2018-05-20 501 mempool_free(job, &kc->job_pool);
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 502 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 503 fn(read_err, write_err, context);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 504
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 505 if (atomic_dec_and_test(&kc->nr_jobs))
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 506 wake_up(&kc->destroyq);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 507
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 508 cond_resched();
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 509
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 510 return 0;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 511 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 512
:::::: The code at line 494 was first introduced by commit
:::::: 138728dc96529f20dfe970c470e51885a60e329f [PATCH] dm snapshot: fix kcopyd destructor
:::::: TO: Alasdair G Kergon <agk@redhat.com>
:::::: CC: Linus Torvalds <torvalds@g5.osdl.org>
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-01-08 6:28 kernel test robot
0 siblings, 0 replies; 4+ messages in thread
From: kernel test robot @ 2022-01-08 6:28 UTC (permalink / raw)
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Rasmus Villemoes <linux@rasmusvillemoes.dk>
CC: Miguel Ojeda <ojeda@kernel.org>
CC: Nick Desaulniers <ndesaulniers@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: d1587f7bfe9a0f97a75d42ac1489aeda551106bc
commit: e1edc277e6f6dfb372216522dfc57f9381c39e35 linux/container_of.h: switch to static_assert
date: 9 weeks ago
:::::: branch date: 6 hours ago
:::::: commit date: 9 weeks ago
config: arm-randconfig-c002-20220107 (https://download.01.org/0day-ci/archive/20220108/202201081414.C8DcWGJN-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 32167bfe64a4c5dd4eb3f7a58e24f4cba76f5ac2)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e1edc277e6f6dfb372216522dfc57f9381c39e35
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout e1edc277e6f6dfb372216522dfc57f9381c39e35
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
drivers/mtd/nand/raw/nand_onfi.c:190:7: note: Assuming 'crc' is equal to field 'crc'
if (crc == le16_to_cpu(pbuf[i].crc)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/mtd/nand/raw/nand_onfi.c:190:3: note: Taking true branch
if (crc == le16_to_cpu(pbuf[i].crc)) {
^
drivers/mtd/nand/raw/nand_onfi.c:192:4: note: Execution continues on line 196
break;
^
drivers/mtd/nand/raw/nand_onfi.c:196:6: note: 'i' is not equal to ONFI_PARAM_PAGES
if (i == ONFI_PARAM_PAGES) {
^
drivers/mtd/nand/raw/nand_onfi.c:196:2: note: Taking false branch
if (i == ONFI_PARAM_PAGES) {
^
drivers/mtd/nand/raw/nand_onfi.c:215:6: note: Assuming field 'desc' is null
if (chip->manufacturer.desc && chip->manufacturer.desc->ops &&
^~~~~~~~~~~~~~~~~~~~~~~
drivers/mtd/nand/raw/nand_onfi.c:215:30: note: Left side of '&&' is false
if (chip->manufacturer.desc && chip->manufacturer.desc->ops &&
^
drivers/mtd/nand/raw/nand_onfi.c:221:6: note: Assuming the condition is true
if (val & ONFI_VERSION_2_3)
^~~~~~~~~~~~~~~~~~~~~~
drivers/mtd/nand/raw/nand_onfi.c:221:2: note: Taking true branch
if (val & ONFI_VERSION_2_3)
^
drivers/mtd/nand/raw/nand_onfi.c:232:7: note: 'onfi_version' is 23
if (!onfi_version) {
^~~~~~~~~~~~
drivers/mtd/nand/raw/nand_onfi.c:232:2: note: Taking false branch
if (!onfi_version) {
^
drivers/mtd/nand/raw/nand_onfi.c:240:6: note: Assuming field 'model' is non-null
if (!chip->parameters.model) {
^~~~~~~~~~~~~~~~~~~~~~~
drivers/mtd/nand/raw/nand_onfi.c:240:2: note: Taking false branch
if (!chip->parameters.model) {
^
drivers/mtd/nand/raw/nand_onfi.c:265:5: note: The result of the left shift is undefined because the right operand is negative
1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
drivers/md/dm-kcopyd.c:246:10: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl') [clang-analyzer-core.NullDereference]
next = pl->next;
^
drivers/md/dm-kcopyd.c:913:6: note: Assuming 'kc' is non-null
if (!kc)
^~~
drivers/md/dm-kcopyd.c:913:2: note: Taking false branch
if (!kc)
^
drivers/md/dm-kcopyd.c:916:2: note: Loop condition is false. Exiting loop
spin_lock_init(&kc->job_lock);
^
include/linux/spinlock.h:352:34: note: expanded from macro 'spin_lock_init'
# define spin_lock_init(_lock) \
^
drivers/md/dm-kcopyd.c:924:6: note: Assuming 'r' is 0
if (r)
^
drivers/md/dm-kcopyd.c:924:2: note: Taking false branch
if (r)
^
drivers/md/dm-kcopyd.c:927:2: note: Loop condition is false. Exiting loop
INIT_WORK(&kc->kcopyd_work, do_work);
^
include/linux/workqueue.h:245:2: note: expanded from macro 'INIT_WORK'
__INIT_WORK((_work), (_func), 0)
^
include/linux/workqueue.h:236:2: note: expanded from macro '__INIT_WORK'
do { \
^
drivers/md/dm-kcopyd.c:929:6: note: Assuming field 'kcopyd_wq' is non-null
if (!kc->kcopyd_wq) {
^~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:929:2: note: Taking false branch
if (!kc->kcopyd_wq) {
^
drivers/md/dm-kcopyd.c:939:6: note: Calling 'client_reserve_pages'
r = client_reserve_pages(kc, reserve_pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:309:20: note: 'pl' initialized to a null pointer value
struct page_list *pl = NULL, *next;
^~
drivers/md/dm-kcopyd.c:311:14: note: Assuming 'i' is >= 'nr_pages'
for (i = 0; i < nr_pages; i++) {
^~~~~~~~~~~~
drivers/md/dm-kcopyd.c:311:2: note: Loop condition is false. Execution continues on line 322
for (i = 0; i < nr_pages; i++) {
^
drivers/md/dm-kcopyd.c:323:23: note: Passing null pointer value via 2nd parameter 'pl'
kcopyd_put_pages(kc, pl);
^~
drivers/md/dm-kcopyd.c:323:2: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, pl);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:246:10: note: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'pl')
next = pl->next;
^~
>> drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
kcopyd_put_pages(kc, job->pages);
^
drivers/md/dm-kcopyd.c:662:2: note: Calling 'process_jobs'
process_jobs(&kc->complete_jobs, kc, run_complete_job);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Assuming field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Calling 'kcopyd_put_pages'
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:7: note: Assuming field 'nr_free_pages' is >= field 'nr_reserved_pages'
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:248:3: note: Taking true branch
if (kc->nr_free_pages >= kc->nr_reserved_pages)
^
drivers/md/dm-kcopyd.c:249:4: note: Calling 'free_pl'
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:234:2: note: Memory is released
kfree(pl);
^~~~~~~~~
drivers/md/dm-kcopyd.c:249:4: note: Returning; memory was released via 1st parameter
free_pl(pl);
^~~~~~~~~~~
drivers/md/dm-kcopyd.c:245:2: note: Loop condition is false. Exiting loop
do {
^
drivers/md/dm-kcopyd.c:494:3: note: Returning; memory was released via 2nd parameter
kcopyd_put_pages(kc, job->pages);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:6: note: Assuming 'job' is not equal to field 'master_job'
if (job->master_job == job) {
^~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:499:2: note: Taking false branch
if (job->master_job == job) {
^
drivers/md/dm-kcopyd.c:505:2: note: Taking false branch
if (atomic_dec_and_test(&kc->nr_jobs))
^
drivers/md/dm-kcopyd.c:613:7: note: Returning; memory was released
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:615:7: note: 'r' is >= 0
if (r < 0) {
^
drivers/md/dm-kcopyd.c:615:3: note: Taking false branch
if (r < 0) {
^
drivers/md/dm-kcopyd.c:626:7: note: 'r' is <= 0
if (r > 0) {
^
drivers/md/dm-kcopyd.c:626:3: note: Taking false branch
if (r > 0) {
^
drivers/md/dm-kcopyd.c:611:2: note: Loop condition is true. Entering loop body
while ((job = pop(jobs, kc))) {
^
drivers/md/dm-kcopyd.c:613:7: note: Calling 'run_complete_job'
r = fn(job);
^~~~~~~
drivers/md/dm-kcopyd.c:493:11: note: Field 'pages' is non-null
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:6: note: Left side of '&&' is true
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:493:20: note: Assuming the condition is true
if (job->pages && job->pages != &zero_page_list)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/dm-kcopyd.c:493:2: note: Taking true branch
if (job->pages && job->pages != &zero_page_list)
^
drivers/md/dm-kcopyd.c:494:3: note: Use of memory after it is freed
kcopyd_put_pages(kc, job->pages);
^ ~~~~~~~~~~
1 warning generated.
include/linux/list.h:73:12: warning: Access to field 'next' results in a dereference of a null pointer (loaded from variable 'new') [clang-analyzer-core.NullDereference]
new->next = next;
^
fs/xattr.c:1007:2: note: 'new_xattr' initialized to a null pointer value
struct simple_xattr *new_xattr = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/xattr.c:1010:6: note: Assuming 'removed_size' is null
if (removed_size)
^~~~~~~~~~~~
vim +494 drivers/md/dm-kcopyd.c
b673c3a8192e28 drivers/md/dm-kcopyd.c Kazuo Ito 2008-10-21 475
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 476 /*
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 477 * These three functions process 1 item from the corresponding
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 478 * job list.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 479 *
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 480 * They return:
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 481 * < 0: error
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 482 * 0: success
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 483 * > 0: can't process yet.
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 484 */
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 485 static int run_complete_job(struct kcopyd_job *job)
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 486 {
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 487 void *context = job->context;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 488 int read_err = job->read_err;
4cdc1d1fa5c5ac drivers/md/kcopyd.c Alasdair G Kergon 2008-03-28 489 unsigned long write_err = job->write_err;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 490 dm_kcopyd_notify_fn fn = job->fn;
eb69aca5d3370b drivers/md/kcopyd.c Heinz Mauelshagen 2008-04-24 491 struct dm_kcopyd_client *kc = job->kc;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 492
7f06965390e4a1 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-10-31 493 if (job->pages && job->pages != &zero_page_list)
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 @494 kcopyd_put_pages(kc, job->pages);
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 495 /*
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 496 * If this is the master job, the sub jobs have already
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 497 * completed so we can free everything.
c6ea41fbbe08f2 drivers/md/dm-kcopyd.c Mikulas Patocka 2011-05-29 498 */
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 499 if (job->master_job == job) {
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 500 mutex_destroy(&job->lock);
6f1c819c219f78 drivers/md/dm-kcopyd.c Kent Overstreet 2018-05-20 501 mempool_free(job, &kc->job_pool);
d5ffebdd797a7c drivers/md/dm-kcopyd.c Mike Snitzer 2018-01-05 502 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 503 fn(read_err, write_err, context);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 504
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 505 if (atomic_dec_and_test(&kc->nr_jobs))
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 506 wake_up(&kc->destroyq);
138728dc96529f drivers/md/kcopyd.c Alasdair G Kergon 2006-03-27 507
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 508 cond_resched();
784c9a29e99eb4 drivers/md/dm-kcopyd.c John Pittman 2018-08-06 509
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 510 return 0;
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 511 }
^1da177e4c3f41 drivers/md/kcopyd.c Linus Torvalds 2005-04-16 512
:::::: The code at line 494 was first introduced by commit
:::::: 138728dc96529f20dfe970c470e51885a60e329f [PATCH] dm snapshot: fix kcopyd destructor
:::::: TO: Alasdair G Kergon <agk@redhat.com>
:::::: CC: Linus Torvalds <torvalds@g5.osdl.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
end of thread, other threads:[~2022-06-03 2:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-10 15:15 drivers/md/dm-kcopyd.c:494:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc] kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2022-06-03 2:19 kernel test robot
2022-05-22 15:22 kernel test robot
2022-01-08 6:28 kernel test robot