From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
Date: Sun, 10 Apr 2022 17:50:31 +0800
Message-ID: <202204101719.ar1C744Z-lkp@intel.com>


CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   1862a69c917417142190bc18c8ce16680598664b
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date:   6 months ago
:::::: branch date: 5 hours ago
:::::: commit date: 6 months ago
config: riscv-randconfig-c006-20220405 (https://download.01.org/0day-ci/archive/20220410/202204101719.ar1C744Z-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project c4a1b07d0979e7ff20d7d541af666d822d66b566)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install riscv cross compiling tool for clang build
        # apt-get install binutils-riscv64-linux-gnu
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


clang-analyzer warnings: (new ones prefixed by >>)
           ^
   drivers/nvme/target/zns.c:478:6: note: Assuming field 'select_all' is not equal to 0
           if (req->cmd->zms.select_all) {
               ^~~~~~~~~~~~~~~~~~~~~~~~
   drivers/nvme/target/zns.c:478:2: note: Taking true branch
           if (req->cmd->zms.select_all) {
           ^
   drivers/nvme/target/zns.c:479:12: note: Calling 'nvmet_bdev_execute_zmgmt_send_all'
                   status = nvmet_bdev_execute_zmgmt_send_all(req);
                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/nvme/target/zns.c:440:2: note: Control jumps to 'case REQ_OP_ZONE_FINISH:'  at line 450
           switch (zsa_req_op(req->cmd->zms.zsa)) {
           ^
   drivers/nvme/target/zns.c:451:10: note: Calling 'nvmet_bdev_zone_mgmt_emulate_all'
                   return nvmet_bdev_zone_mgmt_emulate_all(req);
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/nvme/target/zns.c:397:6: note: Assuming field 'zbitmap' is non-null
           if (!d.zbitmap) {
               ^~~~~~~~~~
   drivers/nvme/target/zns.c:397:2: note: Taking false branch
           if (!d.zbitmap) {
           ^
   drivers/nvme/target/zns.c:404:6: note: Assuming 'ret' is equal to 'nr_zones'
           if (ret != nr_zones) {
               ^~~~~~~~~~~~~~~
   drivers/nvme/target/zns.c:404:2: note: Taking false branch
           if (ret != nr_zones) {
           ^
   drivers/nvme/target/zns.c:413:9: note: Assuming the condition is true
           while (sector < get_capacity(bdev->bd_disk)) {
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/nvme/target/zns.c:413:2: note: Loop condition is true.  Entering loop body
           while (sector < get_capacity(bdev->bd_disk)) {
           ^
   drivers/nvme/target/zns.c:414:16: note: Calling 'blk_queue_zone_no'
                   if (test_bit(blk_queue_zone_no(q, sector), d.zbitmap)) {
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/blkdev.h:700:2: note: Taking false branch
           if (!blk_queue_is_zoned(q))
           ^
   include/linux/blkdev.h:702:19: note: '?' condition is false
           return sector >> ilog2(q->limits.chunk_sectors);
                            ^
   include/linux/log2.h:158:2: note: expanded from macro 'ilog2'
           __builtin_constant_p(n) ?       \
           ^
   include/linux/blkdev.h:702:19: note: '?' condition is true
           return sector >> ilog2(q->limits.chunk_sectors);
                            ^
   include/linux/log2.h:161:2: note: expanded from macro 'ilog2'
           (sizeof(n) <= 4) ?              \
           ^
   include/linux/blkdev.h:702:19: note: Calling '__ilog2_u32'
           return sector >> ilog2(q->limits.chunk_sectors);
                            ^
   include/linux/log2.h:162:2: note: expanded from macro 'ilog2'
           __ilog2_u32(n) :                \
           ^~~~~~~~~~~~~~
   include/linux/log2.h:24:2: note: Returning the value -1
           return fls(n) - 1;
           ^~~~~~~~~~~~~~~~~
   include/linux/blkdev.h:702:19: note: Returning from '__ilog2_u32'
           return sector >> ilog2(q->limits.chunk_sectors);
                            ^
   include/linux/log2.h:162:2: note: expanded from macro 'ilog2'
           __ilog2_u32(n) :                \
           ^~~~~~~~~~~~~~
   include/linux/blkdev.h:702:16: note: The result of the right shift is undefined because the right operand is negative
           return sector >> ilog2(q->limits.chunk_sectors);
                         ^
   Suppressed 11 warnings (4 in non-user code, 7 with check filters).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   11 warnings generated.
   block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
           if (!entity->my_sched_data)
                ^
   block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
           struct bfq_entity *entity = NULL;
           ^~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
           if (bfq_tot_busy_queues(bfqd) == 0)
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-wf2q.c:1512:2: note: Taking false branch
           if (bfq_tot_busy_queues(bfqd) == 0)
           ^
   block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
           for (; sd ; sd = entity->my_sched_data) {
           ^
   block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
           bfqq = bfq_entity_to_bfqq(entity);
                                     ^~~~~~
   block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
           bfqq = bfq_entity_to_bfqq(entity);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
           if (!entity->my_sched_data)
                ^~~~~~
   Suppressed 10 warnings (3 in non-user code, 7 with check filters).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   11 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
               entity->parent->last_bfqq_created == bfqq)
               ^
   block/bfq-cgroup.c:892:2: note: Loop condition is false.  Exiting loop
           spin_lock_irqsave(&bfqd->lock, flags);
           ^
   include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
           raw_spin_lock_irqsave(spinlock_check(lock), flags);     \
           ^
   include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
           do {                                            \
           ^
   block/bfq-cgroup.c:892:2: note: Loop condition is false.  Exiting loop
           spin_lock_irqsave(&bfqd->lock, flags);
           ^
   include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
   #define spin_lock_irqsave(lock, flags)                          \
                                                                   ^
   block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
           if (!entity) /* root group */
               ^~~~~~~
   block/bfq-cgroup.c:894:2: note: Taking false branch
           if (!entity) /* root group */
           ^
   block/bfq-cgroup.c:901:2: note: Loop condition is true.  Entering loop body
           for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
           ^
   block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
                   bfq_reparent_active_queues(bfqd, bfqg, st, i);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:866:2: note: Loop condition is true.  Entering loop body
           while ((entity = bfq_entity_of(rb_first(active))))
           ^
   block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
                   bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
           while (child_entity->my_sched_data) { /* leaf not reached yet */
           ^
   block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
           bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
           if (bfqq == bfqd->in_service_queue)
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:659:2: note: Taking false branch
           if (bfqq == bfqd->in_service_queue)
           ^
   block/bfq-cgroup.c:663:6: note: Assuming the condition is false
           if (bfq_bfqq_busy(bfqq))
               ^~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:663:2: note: Taking false branch
           if (bfq_bfqq_busy(bfqq))
           ^
   block/bfq-cgroup.c:665:11: note: Assuming field 'on_st_or_in_serv' is false
           else if (entity->on_st_or_in_serv)
                    ^~~~~~~~~~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:665:7: note: Taking false branch
           else if (entity->on_st_or_in_serv)
                ^
   block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
           bfqg_and_blkg_put(bfqq_group(bfqq));
                             ^~~~~~~~~~~~~~~~
   block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
           return group_entity ? container_of(group_entity, struct bfq_group,
                  ^~~~~~~~~~~~
   block/bfq-cgroup.c:312:9: note: '?' condition is true
   block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
           return group_entity ? container_of(group_entity, struct bfq_group,
                                 ^
   include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
           BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
                                                                      ^
   block/bfq-cgroup.c:312:24: note: Taking false branch
           return group_entity ? container_of(group_entity, struct bfq_group,
                                 ^
   include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
           BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
           ^
   include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
   #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                       ^
   include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
           _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
           ^
   include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
           __compiletime_assert(condition, msg, prefix, suffix)
           ^
   include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
                   if (!(condition))                                       \
                   ^
   block/bfq-cgroup.c:312:24: note: Loop condition is false.  Exiting loop
           return group_entity ? container_of(group_entity, struct bfq_group,
                                 ^
   include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
           BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
           ^
   include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
   #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                       ^
   include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'

vim +670 block/bfq-cgroup.c

ea25da48086d3b Paolo Valente 2017-04-19  627  
ea25da48086d3b Paolo Valente 2017-04-19  628  /**
ea25da48086d3b Paolo Valente 2017-04-19  629   * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19  630   * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19  631   * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19  632   * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19  633   *
ea25da48086d3b Paolo Valente 2017-04-19  634   * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19  635   * it on the new one.  Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19  636   *
8f9bebc33dd718 Paolo Valente 2017-06-05  637   * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05  638   * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05  639   * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05  640   * objects).
ea25da48086d3b Paolo Valente 2017-04-19  641   */
ea25da48086d3b Paolo Valente 2017-04-19  642  void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19  643  		   struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19  644  {
ea25da48086d3b Paolo Valente 2017-04-19  645  	struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19  646  
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  647  	/*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  648  	 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  649  	 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  650  	 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  651  	bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  652  
ea25da48086d3b Paolo Valente 2017-04-19  653  	/* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19  654  	 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19  655  	 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19  656  	 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19  657  	 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19  658  	 */
ea25da48086d3b Paolo Valente 2017-04-19  659  	if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19  660  		bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19  661  				false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19  662  
ea25da48086d3b Paolo Valente 2017-04-19  663  	if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19  664  		bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03  665  	else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19  666  		bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05  667  	bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19  668  
d29bd41428cfff Paolo Valente 2021-10-15  669  	if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670  	    entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15  671  		entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15  672  	else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15  673  		bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15  674  
ea25da48086d3b Paolo Valente 2017-04-19  675  	entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19  676  	entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05  677  	/* pin down bfqg and its associated blkg  */
8f9bebc33dd718 Paolo Valente 2017-06-05  678  	bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19  679  
ea25da48086d3b Paolo Valente 2017-04-19  680  	if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12  681  		if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19  682  			bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19  683  		bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19  684  	}
ea25da48086d3b Paolo Valente 2017-04-19  685  
ea25da48086d3b Paolo Valente 2017-04-19  686  	if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19  687  		bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21  688  	/* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03  689  	bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19  690  }
ea25da48086d3b Paolo Valente 2017-04-19  691  

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
