* [cminyard-ipmi:for-next 2/12] drivers/char/ipmi/ipmi_msghandler.c:945:15: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-04-18 20:45 kernel test robot
From: kernel test robot @ 2022-04-18 20:45 UTC
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Corey Minyard <cminyard@mvista.com>
tree: https://github.com/cminyard/linux-ipmi for-next
head: af82f0f557885a3c021e756230b48de5c4c76347
commit: e622399b18f8efe2e7dd89017b81fa202e44ddf8 [2/12] ipmi: Limit the number of message a user may have outstanding
:::::: branch date: 3 days ago
:::::: commit date: 3 weeks ago
config: arm-randconfig-c002-20220418 (https://download.01.org/0day-ci/archive/20220419/202204190449.m22dzWVB-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 429cbac0390654f90bba18a41799464adf31a5ec)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://github.com/cminyard/linux-ipmi/commit/e622399b18f8efe2e7dd89017b81fa202e44ddf8
git remote add cminyard-ipmi https://github.com/cminyard/linux-ipmi
git fetch --no-tags cminyard-ipmi for-next
git checkout e622399b18f8efe2e7dd89017b81fa202e44ddf8
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:733:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(intf);
^
drivers/char/ipmi/ipmi_msghandler.c:3514:6: note: Assuming field 'in_shutdown' is false
if (!intf->in_shutdown)
^~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3514:2: note: Taking true branch
if (!intf->in_shutdown)
^
drivers/char/ipmi/ipmi_msghandler.c:3515:3: note: Calling 'bmc_get_device_id'
bmc_get_device_id(intf, NULL, NULL, NULL, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2741:9: note: Calling '__bmc_get_device_id'
return __bmc_get_device_id(intf, bmc, id, guid_set, guid, -1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2610:18: note: 'intf' is not equal to NULL
bool intf_set = intf != NULL;
^~~~
drivers/char/ipmi/ipmi_msghandler.c:2612:7: note: 'intf' is non-null
if (!intf) {
^~~~
drivers/char/ipmi/ipmi_msghandler.c:2612:2: note: Taking false branch
if (!intf) {
^
drivers/char/ipmi/ipmi_msghandler.c:2639:6: note: Assuming field 'in_bmc_register' is true
if (intf->in_bmc_register ||
^~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2639:28: note: Left side of '||' is true
if (intf->in_bmc_register ||
^
drivers/char/ipmi/ipmi_msghandler.c:2641:3: note: Control jumps to line 2719
goto out_noprocessing;
^
drivers/char/ipmi/ipmi_msghandler.c:2719:7: note: 'rv' is 0
if (!rv) {
^~
drivers/char/ipmi/ipmi_msghandler.c:2719:2: note: Taking true branch
if (!rv) {
^
drivers/char/ipmi/ipmi_msghandler.c:2720:7: note: 'id' is null
if (id)
^~
drivers/char/ipmi/ipmi_msghandler.c:2720:3: note: Taking false branch
if (id)
^
drivers/char/ipmi/ipmi_msghandler.c:2723:7: note: 'guid_set' is null
if (guid_set)
^~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2723:3: note: Taking false branch
if (guid_set)
^
drivers/char/ipmi/ipmi_msghandler.c:2726:7: note: 'guid' is null
if (guid && bmc->dyn_guid_set)
^~~~
drivers/char/ipmi/ipmi_msghandler.c:2726:12: note: Left side of '&&' is false
if (guid && bmc->dyn_guid_set)
^
drivers/char/ipmi/ipmi_msghandler.c:2733:2: note: Calling 'kref_put'
kref_put(&intf->refcount, intf_free);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/kref.h:64:6: note: Assuming the condition is true
if (refcount_dec_and_test(&kref->refcount)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/kref.h:64:2: note: Taking true branch
if (refcount_dec_and_test(&kref->refcount)) {
^
include/linux/kref.h:65:3: note: Calling 'intf_free'
release(kref);
^~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:733:2: note: Memory is released
kfree(intf);
^~~~~~~~~~~
include/linux/kref.h:65:3: note: Returning; memory was released
release(kref);
^~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2733:2: note: Returning; memory was released
kref_put(&intf->refcount, intf_free);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:2741:9: note: Returning; memory was released
return __bmc_get_device_id(intf, bmc, id, guid_set, guid, -1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3515:3: note: Returning; memory was released
bmc_get_device_id(intf, NULL, NULL, NULL, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3517:2: note: Calling 'kref_put'
kref_put(&intf->refcount, intf_free);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/kref.h:64:6: note: Assuming the condition is true
if (refcount_dec_and_test(&kref->refcount)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/kref.h:64:2: note: Taking true branch
if (refcount_dec_and_test(&kref->refcount)) {
^
include/linux/kref.h:65:3: note: Calling 'intf_free'
release(kref);
^~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:733:2: note: Attempt to free released memory
kfree(intf);
^~~~~~~~~~~
>> drivers/char/ipmi/ipmi_msghandler.c:945:15: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
atomic_dec(&msg->user->nr_msgs);
^
drivers/char/ipmi/ipmi_msghandler.c:3948:6: note: Assuming 'rcvr' is non-null
if (rcvr) {
^~~~
drivers/char/ipmi/ipmi_msghandler.c:3948:2: note: Taking true branch
if (rcvr) {
^
drivers/char/ipmi/ipmi_msghandler.c:3955:6: note: Assuming 'user' is not equal to NULL
if (user == NULL) {
^~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3955:2: note: Taking false branch
if (user == NULL) {
^
drivers/char/ipmi/ipmi_msghandler.c:3980:14: note: Calling 'ipmi_alloc_recv_msg'
recv_msg = ipmi_alloc_recv_msg();
^~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5105:6: note: Assuming 'rv' is non-null
if (rv) {
^~
drivers/char/ipmi/ipmi_msghandler.c:5105:2: note: Taking true branch
if (rv) {
^
drivers/char/ipmi/ipmi_msghandler.c:3980:14: note: Returning from 'ipmi_alloc_recv_msg'
recv_msg = ipmi_alloc_recv_msg();
^~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3981:8: note: 'recv_msg' is non-null
if (!recv_msg) {
^~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:3981:3: note: Taking false branch
if (!recv_msg) {
^
drivers/char/ipmi/ipmi_msghandler.c:4012:8: note: Calling 'deliver_response'
if (deliver_response(intf, recv_msg))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:929:12: note: Field 'user' is non-null
if (!msg->user) {
^
drivers/char/ipmi/ipmi_msghandler.c:929:2: note: Taking false branch
if (!msg->user) {
^
drivers/char/ipmi/ipmi_msghandler.c:938:13: note: Assuming 'oops_in_progress' is not equal to 0
} else if (oops_in_progress) {
^~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:938:9: note: Taking true branch
} else if (oops_in_progress) {
^
drivers/char/ipmi/ipmi_msghandler.c:944:3: note: Calling 'ipmi_free_recv_msg'
ipmi_free_recv_msg(msg);
^~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5115:11: note: Field 'user' is non-null
if (msg->user && !oops_in_progress)
^
drivers/char/ipmi/ipmi_msghandler.c:5115:6: note: Left side of '&&' is true
if (msg->user && !oops_in_progress)
^
drivers/char/ipmi/ipmi_msghandler.c:5115:20: note: 'oops_in_progress' is not equal to 0
if (msg->user && !oops_in_progress)
^~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5115:2: note: Taking false branch
if (msg->user && !oops_in_progress)
^
drivers/char/ipmi/ipmi_msghandler.c:5117:2: note: Calling 'free_recv_msg'
msg->done(msg);
^~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5096:6: note: Assuming 'oops_in_progress' is 0
if (!oops_in_progress)
^~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5096:2: note: Taking true branch
if (!oops_in_progress)
^
drivers/char/ipmi/ipmi_msghandler.c:5097:3: note: Memory is released
kfree(msg);
^~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:5117:2: note: Returning; memory was released via 1st parameter
msg->done(msg);
^~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:944:3: note: Returning; memory was released via 1st parameter
ipmi_free_recv_msg(msg);
^~~~~~~~~~~~~~~~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:945:15: note: Use of memory after it is freed
atomic_dec(&msg->user->nr_msgs);
^~~~~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1814:3: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
memcpy(&smi_msg->data[i + 9], msg->data, msg->data_len);
^~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1814:3: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11
memcpy(&smi_msg->data[i + 9], msg->data, msg->data_len);
^~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1851:3: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
memcpy(&smi_msg->data[10], msg->data, msg->data_len);
^~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1851:3: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11
memcpy(&smi_msg->data[10], msg->data, msg->data_len);
^~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1931:2: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
memcpy(&recv_msg->addr, smi_addr, sizeof(*smi_addr));
^~~~~~
drivers/char/ipmi/ipmi_msghandler.c:1931:2: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11
memcpy(&recv_msg->addr, smi_addr, sizeof(*smi_addr));
vim +945 drivers/char/ipmi/ipmi_msghandler.c
^1da177e4c3f41 Linus Torvalds 2005-04-16 924
ac93bd0c9e163f Corey Minyard 2018-04-05 925 static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
^1da177e4c3f41 Linus Torvalds 2005-04-16 926 {
ac93bd0c9e163f Corey Minyard 2018-04-05 927 int rv = 0;
56a55ec64806fb Corey Minyard 2005-09-06 928
ac93bd0c9e163f Corey Minyard 2018-04-05 929 if (!msg->user) {
56a55ec64806fb Corey Minyard 2005-09-06 930 /* Special handling for NULL users. */
56a55ec64806fb Corey Minyard 2005-09-06 931 if (intf->null_user_handler) {
56a55ec64806fb Corey Minyard 2005-09-06 932 intf->null_user_handler(intf, msg);
56a55ec64806fb Corey Minyard 2005-09-06 933 } else {
56a55ec64806fb Corey Minyard 2005-09-06 934 /* No handler, so give up. */
ac93bd0c9e163f Corey Minyard 2018-04-05 935 rv = -EINVAL;
56a55ec64806fb Corey Minyard 2005-09-06 936 }
56a55ec64806fb Corey Minyard 2005-09-06 937 ipmi_free_recv_msg(msg);
2033f6858970b9 Corey Minyard 2019-08-16 938 } else if (oops_in_progress) {
c49c097610fe1a Hidehiro Kawai 2015-07-27 939 /*
c49c097610fe1a Hidehiro Kawai 2015-07-27 940 * If we are running in the panic context, calling the
c49c097610fe1a Hidehiro Kawai 2015-07-27 941 * receive handler doesn't much meaning and has a deadlock
c49c097610fe1a Hidehiro Kawai 2015-07-27 942 * risk. At this moment, simply skip it in that case.
c49c097610fe1a Hidehiro Kawai 2015-07-27 943 */
2033f6858970b9 Corey Minyard 2019-08-16 944 ipmi_free_recv_msg(msg);
e622399b18f8ef Corey Minyard 2022-03-28 @945 atomic_dec(&msg->user->nr_msgs);
2033f6858970b9 Corey Minyard 2019-08-16 946 } else {
e86ee2d44b4405 Corey Minyard 2018-04-05 947 int index;
e86ee2d44b4405 Corey Minyard 2018-04-05 948 struct ipmi_user *user = acquire_ipmi_user(msg->user, &index);
c49c097610fe1a Hidehiro Kawai 2015-07-27 949
e86ee2d44b4405 Corey Minyard 2018-04-05 950 if (user) {
e622399b18f8ef Corey Minyard 2022-03-28 951 atomic_dec(&user->nr_msgs);
393d2cc354d150 Corey Minyard 2005-11-07 952 user->handler->ipmi_recv_hndl(msg, user->handler_data);
479d6b39b9e0d2 Fred Klassen 2019-01-19 953 release_ipmi_user(user, index);
e86ee2d44b4405 Corey Minyard 2018-04-05 954 } else {
e86ee2d44b4405 Corey Minyard 2018-04-05 955 /* User went away, give up. */
e86ee2d44b4405 Corey Minyard 2018-04-05 956 ipmi_free_recv_msg(msg);
e86ee2d44b4405 Corey Minyard 2018-04-05 957 rv = -EINVAL;
e86ee2d44b4405 Corey Minyard 2018-04-05 958 }
56a55ec64806fb Corey Minyard 2005-09-06 959 }
ac93bd0c9e163f Corey Minyard 2018-04-05 960
ac93bd0c9e163f Corey Minyard 2018-04-05 961 return rv;
^1da177e4c3f41 Linus Torvalds 2005-04-16 962 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 963
--
0-DAY CI Kernel Test Service
https://01.org/lkp