* [sashal-stable:pending-5.17 458/787] net/bluetooth/eir.h:28:2: warning: Null pointer passed as 2nd argument to memory copy function [clang-analyzer-unix.cstring.NullArg]
@ 2022-04-03 17:32 kernel test robot
0 siblings, 0 replies; only message in thread
From: kernel test robot @ 2022-04-03 17:32 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 17474 bytes --]
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
TO: Sasha Levin <sashal@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git pending-5.17
head: 910f479048304416d2f70a98fb84a9466e56c169
commit: 823b529c121fd985e726a49e4cafccb5eebe37e5 [458/787] Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected()
:::::: branch date: 2 days ago
:::::: commit date: 2 days ago
config: arm-randconfig-c002-20220403 (https://download.01.org/0day-ci/archive/20220404/202204040107.SaTX5mXT-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project c4a1b07d0979e7ff20d7d541af666d822d66b566)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git/commit/?id=823b529c121fd985e726a49e4cafccb5eebe37e5
git remote add sashal-stable https://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git
git fetch --no-tags sashal-stable pending-5.17
git checkout 823b529c121fd985e726a49e4cafccb5eebe37e5
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4740:6: note: Left side of '&&' is true
if (LCNREV_IS(pi->pubpi.phy_rev, 2))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:189:3: note: expanded from macro 'LCNREV_IS'
(LCNCONF_HAS(val) && (LCNCONF_IS(val) || ((var) == (val))))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:154:26: note: expanded from macro 'LCNCONF_HAS'
#define LCNCONF_HAS(val) CONF_HAS(LCNCONF, val)
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:133:31: note: expanded from macro 'CONF_HAS'
#define CONF_HAS(config, val) ((config) & (1 << (val)))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4740:6: note: Left side of '||' is false
if (LCNREV_IS(pi->pubpi.phy_rev, 2))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:189:24: note: expanded from macro 'LCNREV_IS'
(LCNCONF_HAS(val) && (LCNCONF_IS(val) || ((var) == (val))))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:156:26: note: expanded from macro 'LCNCONF_IS'
#define LCNCONF_IS(val) CONF_IS(LCNCONF, val)
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:138:30: note: expanded from macro 'CONF_IS'
#define CONF_IS(config, val) ((config) == (1 << (val)))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4740:6: note: Assuming field 'phy_rev' is not equal to 2
if (LCNREV_IS(pi->pubpi.phy_rev, 2))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/types.h:189:44: note: expanded from macro 'LCNREV_IS'
(LCNCONF_HAS(val) && (LCNCONF_IS(val) || ((var) == (val))))
^~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4740:2: note: Taking false branch
if (LCNREV_IS(pi->pubpi.phy_rev, 2))
^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4742:2: note: Calling 'wlc_lcnphy_bu_tweaks'
wlc_lcnphy_bu_tweaks(pi);
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4373:41: note: The result of the left shift is undefined because the left operand is negative
mod_phy_reg(pi, 0x4df, (0xff << 8), -9 << 8);
~~ ^
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4434:3: warning: Value stored to 'rcal_value' is never read [clang-analyzer-deadcode.DeadStores]
rcal_value = rcal_value & 0x1f;
^ ~~~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4434:3: note: Value stored to 'rcal_value' is never read
rcal_value = rcal_value & 0x1f;
^ ~~~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4629:27: warning: Value stored to 'pi_lcn' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
struct brcms_phy_lcnphy *pi_lcn = pi->u.pi_lcnphy;
^~~~~~ ~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:4629:27: note: Value stored to 'pi_lcn' during its initialization is never read
struct brcms_phy_lcnphy *pi_lcn = pi->u.pi_lcnphy;
^~~~~~ ~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5103:11: warning: The result of the left shift is undefined due to shifting by '4294967295', which is greater or equal to the width of type 'int' [clang-analyzer-core.UndefinedBinaryOperatorResult]
val1 = 1 << msb1;
^ ~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5101:2: note: The value 4294967295 is assigned to 'msb1'
msb1 = ffs(power) - 1;
^~~~~~~~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5103:11: note: The result of the left shift is undefined due to shifting by '4294967295', which is greater or equal to the width of type 'int'
val1 = 1 << msb1;
^ ~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5104:11: warning: The result of the left shift is undefined due to shifting by '32', which is greater or equal to the width of type 'int' [clang-analyzer-core.UndefinedBinaryOperatorResult]
val2 = 1 << msb2;
^ ~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5102:2: note: The value 32 is assigned to 'msb2'
msb2 = msb1 + 1;
^~~~~~~~~~~~~~~
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:5104:11: note: The result of the left shift is undefined due to shifting by '32', which is greater or equal to the width of type 'int'
val2 = 1 << msb2;
^ ~~~~
Suppressed 9 warnings (9 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
8 warnings generated.
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
net/bluetooth/hci_core.c:890:2: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(di.name, hdev->name);
^~~~~~
net/bluetooth/hci_core.c:890:2: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
strcpy(di.name, hdev->name);
^~~~~~
Suppressed 9 warnings (9 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
Suppressed 9 warnings (9 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
Suppressed 9 warnings (9 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
14 warnings generated.
>> net/bluetooth/eir.h:28:2: warning: Null pointer passed as 2nd argument to memory copy function [clang-analyzer-unix.cstring.NullArg]
memcpy(&eir[eir_len], data, data_len);
^
net/bluetooth/mgmt.c:9090:6: note: Assuming field 'le_adv_data_len' is <= 0
if (conn->le_adv_data_len > 0)
^~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt.c:9090:2: note: Taking false branch
if (conn->le_adv_data_len > 0)
^
net/bluetooth/mgmt.c:9095:25: note: Assuming 'name' is null
sizeof(*ev) + (name ? eir_precalc_len(name_len) : 0) +
^~~~
net/bluetooth/mgmt.c:9095:25: note: '?' condition is false
net/bluetooth/mgmt.c:9102:6: note: Assuming field 'out' is false
if (conn->out)
^~~~~~~~~
net/bluetooth/mgmt.c:9102:2: note: Taking false branch
if (conn->out)
^
net/bluetooth/mgmt.c:9111:12: note: Field 'le_adv_data_len' is <= 0
if (conn->le_adv_data_len > 0) {
^
net/bluetooth/mgmt.c:9111:2: note: Taking false branch
if (conn->le_adv_data_len > 0) {
^
net/bluetooth/mgmt.c:9115:7: note: Assuming 'name_len' is > 0
if (name_len > 0) {
^~~~~~~~~~~~
net/bluetooth/mgmt.c:9115:3: note: Taking true branch
if (name_len > 0) {
^
net/bluetooth/mgmt.c:9117:9: note: Passing null pointer value via 4th parameter 'data'
name, name_len);
^~~~
net/bluetooth/mgmt.c:9116:14: note: Calling 'eir_append_data'
eir_len = eir_append_data(ev->eir, 0, EIR_NAME_COMPLETE,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/eir.h:28:2: note: Null pointer passed as 2nd argument to memory copy function
memcpy(&eir[eir_len], data, data_len);
^ ~~~~
net/bluetooth/mgmt.c:6653:4: warning: Value stored to 'authenticated' is never read [clang-analyzer-deadcode.DeadStores]
authenticated = 0x00;
^ ~~~~
net/bluetooth/mgmt.c:6653:4: note: Value stored to 'authenticated' is never read
authenticated = 0x00;
^ ~~~~
net/bluetooth/mgmt.c:6654:4: warning: Value stored to 'type' is never read [clang-analyzer-deadcode.DeadStores]
type = SMP_LTK_P256_DEBUG;
^ ~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt.c:6654:4: note: Value stored to 'type' is never read
type = SMP_LTK_P256_DEBUG;
^ ~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt.c:7608:2: warning: Value stored to 'err' is never read [clang-analyzer-deadcode.DeadStores]
err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt.c:7608:2: note: Value stored to 'err' is never read
err = mgmt_limited_event(MGMT_EV_LOCAL_OOB_DATA_UPDATED, hdev,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
net/bluetooth/mgmt.c:7954:14: warning: Although the value stored to 'cur_len' is used in the enclosing expression, the value is never actually read from 'cur_len' [clang-analyzer-deadcode.DeadStores]
for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
^ ~
net/bluetooth/mgmt.c:7954:14: note: Although the value stored to 'cur_len' is used in the enclosing expression, the value is never actually read from 'cur_len'
for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
^ ~
Suppressed 9 warnings (9 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
Suppressed 2 warnings (2 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
Suppressed 2 warnings (2 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
Suppressed 2 warnings (2 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
10 warnings generated.
Suppressed 10 warnings (9 in non-user code, 1 with check filters).
vim +28 net/bluetooth/eir.h
823b529c121fd9 Radoslaw Biernacki 2022-02-01 22
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 23 static inline u16 eir_append_data(u8 *eir, u16 eir_len, u8 type,
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 24 u8 *data, u8 data_len)
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 25 {
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 26 eir[eir_len++] = sizeof(type) + data_len;
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 27 eir[eir_len++] = type;
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 @28 memcpy(&eir[eir_len], data, data_len);
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 29 eir_len += data_len;
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 30
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 31 return eir_len;
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 32 }
01ce70b0a274bd Luiz Augusto von Dentz 2021-09-20 33
:::::: The code@line 28 was first introduced by commit
:::::: 01ce70b0a274bd76a5a311fb90d4d446d9bdfea1 Bluetooth: eir: Move EIR/Adv Data functions to its own file
:::::: TO: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
:::::: CC: Marcel Holtmann <marcel@holtmann.org>
--
0-DAY CI Kernel Test Service
https://01.org/lkp
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-04-03 17:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-03 17:32 [sashal-stable:pending-5.17 458/787] net/bluetooth/eir.h:28:2: warning: Null pointer passed as 2nd argument to memory copy function [clang-analyzer-unix.cstring.NullArg] kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.