* [hnaz-mm:master 420/435] net/mctp/route.c:156:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
@ 2022-01-15 14:11 kernel test robot
From: kernel test robot @ 2022-01-15 14:11 UTC (permalink / raw)
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
CC: Johannes Weiner <hannes@cmpxchg.org>
Hi Andrew,
First bad commit (maybe != root cause):
tree: https://github.com/hnaz/linux-mm master
head: b8280145cf2a894c873fdf91fb2af474c52ac6cc
commit: 467f11828258634df98bade42c10d6660b319f35 [420/435] mm-filemap-check-if-thp-has-hwpoisoned-subpage-for-pmd-page-fault-vs-folios
:::::: branch date: 3 months ago
:::::: commit date: 3 months ago
config: x86_64-randconfig-c007 (https://download.01.org/0day-ci/archive/20220115/202201152250.uZ6shWKA-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 82c8aca93488730ce8f66101e0f3538f14b551dd)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/hnaz/linux-mm/commit/467f11828258634df98bade42c10d6660b319f35
        git remote add hnaz-mm https://github.com/hnaz/linux-mm
        git fetch --no-tags hnaz-mm master
        git checkout 467f11828258634df98bade42c10d6660b319f35
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
if (id)
^~
drivers/power/supply/bq2415x_charger.c:1577:2: note: Taking true branch
if (id)
^
drivers/power/supply/bq2415x_charger.c:1587:6: note: 'np' is null
if (np || ACPI_HANDLE(bq->dev)) {
^~
drivers/power/supply/bq2415x_charger.c:1587:6: note: Left side of '||' is false
drivers/power/supply/bq2415x_charger.c:1587:12: note: Assuming the condition is false
if (np || ACPI_HANDLE(bq->dev)) {
^
include/linux/acpi.h:46:46: note: expanded from macro 'ACPI_HANDLE'
#define ACPI_HANDLE(dev) acpi_device_handle(ACPI_COMPANION(dev))
^~~~~~~~~~~~~~~~~~~
include/linux/acpi.h:43:30: note: expanded from macro 'ACPI_COMPANION'
#define ACPI_COMPANION(dev) to_acpi_device_node((dev)->fwnode)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/acpi/acpi_bus.h:417:3: note: expanded from macro 'to_acpi_device_node'
is_acpi_device_node(__to_acpi_device_node_fwnode) ? \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/power/supply/bq2415x_charger.c:1587:12: note: '?' condition is false
if (np || ACPI_HANDLE(bq->dev)) {
^
include/linux/acpi.h:46:46: note: expanded from macro 'ACPI_HANDLE'
#define ACPI_HANDLE(dev) acpi_device_handle(ACPI_COMPANION(dev))
^
include/linux/acpi.h:43:30: note: expanded from macro 'ACPI_COMPANION'
#define ACPI_COMPANION(dev) to_acpi_device_node((dev)->fwnode)
^
include/acpi/acpi_bus.h:417:3: note: expanded from macro 'to_acpi_device_node'
is_acpi_device_node(__to_acpi_device_node_fwnode) ? \
^
drivers/power/supply/bq2415x_charger.c:1587:12: note: Calling 'acpi_device_handle'
if (np || ACPI_HANDLE(bq->dev)) {
^
include/linux/acpi.h:46:27: note: expanded from macro 'ACPI_HANDLE'
#define ACPI_HANDLE(dev) acpi_device_handle(ACPI_COMPANION(dev))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/acpi.h:40:9: note: 'adev' is null
return adev ? adev->handle : NULL;
^~~~
include/linux/acpi.h:40:9: note: '?' condition is false
include/linux/acpi.h:40:2: note: Returning null pointer, which participates in a condition later
return adev ? adev->handle : NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/power/supply/bq2415x_charger.c:1587:12: note: Returning from 'acpi_device_handle'
if (np || ACPI_HANDLE(bq->dev)) {
^
include/linux/acpi.h:46:27: note: expanded from macro 'ACPI_HANDLE'
#define ACPI_HANDLE(dev) acpi_device_handle(ACPI_COMPANION(dev))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/power/supply/bq2415x_charger.c:1587:2: note: Taking false branch
if (np || ACPI_HANDLE(bq->dev)) {
^
drivers/power/supply/bq2415x_charger.c:1622:3: note: Null pointer passed as 2nd argument to memory copy function
memcpy(&bq->init_data, pdata, sizeof(bq->init_data));
^ ~~~~~
Suppressed 6 warnings (6 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
11 warnings generated.
net/mptcp/sockopt.c:595:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(msk->ca_name, name);
^~~~~~
net/mptcp/sockopt.c:595:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
strcpy(msk->ca_name, name);
^~~~~~
Suppressed 10 warnings (10 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (10 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
11 warnings generated.
net/mctp/device.c:125:11: warning: Assigned value is garbage or undefined [clang-analyzer-core.uninitialized.Assign]
mcb->idx = idx;
^ ~~~
net/mctp/device.c:95:6: note: 'idx' declared without an initial value
int idx, rc;
^~~
net/mctp/device.c:102:9: note: Assuming the condition is false
for (; mcb->h < NETDEV_HASHENTRIES; mcb->h++, mcb->idx = 0) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~
net/mctp/device.c:102:2: note: Loop condition is false. Execution continues on line 124
for (; mcb->h < NETDEV_HASHENTRIES; mcb->h++, mcb->idx = 0) {
^
net/mctp/device.c:125:11: note: Assigned value is garbage or undefined
mcb->idx = idx;
^ ~~~
Suppressed 10 warnings (10 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
12 warnings generated.
>> net/mctp/route.c:156:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(key);
^
net/mctp/route.c:281:6: note: Assuming the condition is false
if (skb->len < sizeof(struct mctp_hdr) + 1)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/mctp/route.c:281:2: note: Taking false branch
if (skb->len < sizeof(struct mctp_hdr) + 1)
^
net/mctp/route.c:288:6: note: Assuming field 'ver' is equal to 1
if (mh->ver != 1)
^~~~~~~~~~~~
net/mctp/route.c:288:2: note: Taking false branch
if (mh->ver != 1)
^
net/mctp/route.c:299:8: note: Calling 'mctp_lookup_key'
key = mctp_lookup_key(net, skb, mh->src, &f);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/mctp/route.c:107:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&net->mctp.keys_lock, flags);
^
include/linux/spinlock.h:397:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:253:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
net/mctp/route.c:107:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&net->mctp.keys_lock, flags);
^
include/linux/spinlock.h:395:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
net/mctp/route.c:109:2: note: Assuming '____ptr' is non-null
hlist_for_each_entry(key, &net->mctp.keys, hlist) {
^
include/linux/list.h:995:13: note: expanded from macro 'hlist_for_each_entry'
for (pos = hlist_entry_safe((head)->first, typeof(*(pos)), member);\
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/list.h:985:5: note: expanded from macro 'hlist_entry_safe'
____ptr ? hlist_entry(____ptr, type, member) : NULL; \
^~~~~~~
net/mctp/route.c:109:2: note: '?' condition is true
hlist_for_each_entry(key, &net->mctp.keys, hlist) {
^
include/linux/list.h:995:13: note: expanded from macro 'hlist_for_each_entry'
for (pos = hlist_entry_safe((head)->first, typeof(*(pos)), member);\
^
include/linux/list.h:985:5: note: expanded from macro 'hlist_entry_safe'
____ptr ? hlist_entry(____ptr, type, member) : NULL; \
^
net/mctp/route.c:109:2: note: Loop condition is true. Entering loop body
hlist_for_each_entry(key, &net->mctp.keys, hlist) {
^
include/linux/list.h:995:2: note: expanded from macro 'hlist_for_each_entry'
for (pos = hlist_entry_safe((head)->first, typeof(*(pos)), member);\
^
net/mctp/route.c:110:3: note: Taking false branch
if (!mctp_key_match(key, mh->dest, peer, tag))
^
net/mctp/route.c:114:7: note: Assuming field 'valid' is true
if (key->valid) {
^~~~~~~~~~
net/mctp/route.c:114:3: note: Taking true branch
if (key->valid) {
^
net/mctp/route.c:117:4: note: Execution continues on line 122
break;
^
net/mctp/route.c:122:6: note: 'ret' is non-null
if (ret) {
^~~
net/mctp/route.c:122:2: note: Taking true branch
if (ret) {
^
net/mctp/route.c:299:8: note: Returning from 'mctp_lookup_key'
key = mctp_lookup_key(net, skb, mh->src, &f);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/mctp/route.c:301:6: note: Assuming the condition is true
if (flags & MCTP_HDR_FLAG_SOM) {
^~~~~~~~~~~~~~~~~~~~~~~~~
net/mctp/route.c:301:2: note: Taking true branch
if (flags & MCTP_HDR_FLAG_SOM) {
^
net/mctp/route.c:302:7: note: 'key' is non-null
if (key) {
^~~
net/mctp/route.c:302:3: note: Taking true branch
if (key) {
^
net/mctp/route.c:320:8: note: 'key' is non-null
if (!key && !msk && (tag & MCTP_HDR_FLAG_TO))
^~~
net/mctp/route.c:320:12: note: Left side of '&&' is false
if (!key && !msk && (tag & MCTP_HDR_FLAG_TO))
^
net/mctp/route.c:323:7: note: Assuming 'msk' is non-null
if (!msk) {
^~~~
net/mctp/route.c:323:3: note: Taking false branch
if (!msk) {
vim +156 net/mctp/route.c
4a992bbd365094 Jeremy Kerr   2021-07-29  152
2ce5eeadf5d8d9 Andrew Morton 2021-10-28  153  void mctp_key_unref(struct mctp_sk_key *key)
2ce5eeadf5d8d9 Andrew Morton 2021-10-28  154  {
2ce5eeadf5d8d9 Andrew Morton 2021-10-28  155          if (refcount_dec_and_test(&key->refs))
2ce5eeadf5d8d9 Andrew Morton 2021-10-28 @156                  kfree(key);
2ce5eeadf5d8d9 Andrew Morton 2021-10-28  157  }
2ce5eeadf5d8d9 Andrew Morton 2021-10-28  158
:::::: The code at line 156 was first introduced by commit
:::::: 2ce5eeadf5d8d942274eab25142c309ff63c80ba linux-next
:::::: TO: Andrew Morton <akpm@linux-foundation.org>
:::::: CC: Johannes Weiner <hannes@cmpxchg.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org