* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-07-03 2:35 kernel test robot
From: kernel test robot @ 2022-07-03 2:35 UTC
To: kbuild
::::::
:::::: Manual check reason: "low confidence static check warning: block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]"
::::::
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 69cb6c6556ad89620547318439d6be8bb1629a5a
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 9 months ago
:::::: branch date: 8 hours ago
:::::: commit date: 9 months ago
config: arm-randconfig-c002-20220625 (https://download.01.org/0day-ci/archive/20220703/202207031050.E4jHtLZ9-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 42a7ddb428c999229491b0effbb1a4059149fba8)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
include/linux/list.h:838:2: note: Left side of '||' is false
WRITE_ONCE(*pprev, next);
^
include/asm-generic/rwonce.h:60:2: note: expanded from macro 'WRITE_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:21: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:290:3: note: expanded from macro '__native_word'
(sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || \
^
include/linux/list.h:838:2: note: Left side of '||' is true
WRITE_ONCE(*pprev, next);
^
include/asm-generic/rwonce.h:60:2: note: expanded from macro 'WRITE_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:21: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:291:28: note: expanded from macro '__native_word'
sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
^
include/linux/list.h:838:2: note: Taking false branch
WRITE_ONCE(*pprev, next);
^
include/asm-generic/rwonce.h:60:2: note: expanded from macro 'WRITE_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:2: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
include/linux/list.h:838:2: note: Loop condition is false. Exiting loop
WRITE_ONCE(*pprev, next);
^
include/asm-generic/rwonce.h:60:2: note: expanded from macro 'WRITE_ONCE'
compiletime_assert_rwonce_type(x); \
^
include/asm-generic/rwonce.h:36:2: note: expanded from macro 'compiletime_assert_rwonce_type'
compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:300:2: note: expanded from macro '__compiletime_assert'
do { \
^
include/linux/list.h:838:2: note: Dereference of null pointer
WRITE_ONCE(*pprev, next);
^
include/asm-generic/rwonce.h:61:2: note: expanded from macro 'WRITE_ONCE'
__WRITE_ONCE(x, val); \
^~~~~~~~~~~~~~~~~~~~
include/asm-generic/rwonce.h:55:30: note: expanded from macro '__WRITE_ONCE'
*(volatile typeof(x) *)&(x) = (val); \
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
Suppressed 7 warnings (7 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
if (!entity->my_sched_data)
^
block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
struct bfq_entity *entity = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
if (bfq_tot_busy_queues(bfqd) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:2: note: Taking false branch
if (bfq_tot_busy_queues(bfqd) == 0)
^
block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
for (; sd ; sd = entity->my_sched_data) {
^
block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~
block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
if (!entity->my_sched_data)
^~~~~~
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is true
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking true branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:300:2: note: expanded from macro '__compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3b Paolo Valente 2017-04-19 627
ea25da48086d3b Paolo Valente 2017-04-19 628 /**
ea25da48086d3b Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19 633 *
ea25da48086d3b Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19 636 *
8f9bebc33dd718 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3b Paolo Valente 2017-04-19 641 */
ea25da48086d3b Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19 644 {
ea25da48086d3b Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 652
ea25da48086d3b Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19 658 */
ea25da48086d3b Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19 662
ea25da48086d3b Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19 668
d29bd41428cfff Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 674
ea25da48086d3b Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd718 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19 679
ea25da48086d3b Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 684 }
ea25da48086d3b Paolo Valente 2017-04-19 685
ea25da48086d3b Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 690 }
ea25da48086d3b Paolo Valente 2017-04-19 691
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-06-30 22:27 kernel test robot
From: kernel test robot @ 2022-06-30 22:27 UTC
To: kbuild
::::::
:::::: Manual check reason: "low confidence static check warning: block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]"
::::::
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 1a0e93df1e107dc766fdf86ae88076efd9f376e6
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 9 months ago
:::::: branch date: 5 hours ago
:::::: commit date: 9 months ago
config: arm-randconfig-c002-20220625 (https://download.01.org/0day-ci/archive/20220701/202207010623.OxutEnVC-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 42a7ddb428c999229491b0effbb1a4059149fba8)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
fs/hfs/bnode.c:381:6: note: Assuming the condition is false
if (off != sizeof(struct hfs_bnode_desc))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:381:2: note: Taking false branch
if (off != sizeof(struct hfs_bnode_desc))
^
fs/hfs/bnode.c:383:14: note: Assuming 'i' is <= field 'num_recs'
for (i = 1; i <= node->num_recs; off = next_off, i++) {
^~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:383:2: note: Loop condition is true. Entering loop body
for (i = 1; i <= node->num_recs; off = next_off, i++) {
^
fs/hfs/bnode.c:386:7: note: Assuming 'next_off' is > 'off'
if (next_off <= off ||
^~~~~~~~~~~~~~~
fs/hfs/bnode.c:386:7: note: Left side of '||' is false
fs/hfs/bnode.c:387:7: note: Assuming 'next_off' is <= field 'node_size'
next_off > tree->node_size ||
^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:386:7: note: Left side of '||' is false
if (next_off <= off ||
^
fs/hfs/bnode.c:388:7: note: Assuming the condition is false
next_off & 1)
^~~~~~~~~~~~
fs/hfs/bnode.c:386:3: note: Taking false branch
if (next_off <= off ||
^
fs/hfs/bnode.c:391:13: note: Field 'type' is equal to HFS_NODE_INDEX
if (node->type != HFS_NODE_INDEX &&
^
fs/hfs/bnode.c:391:36: note: Left side of '&&' is false
if (node->type != HFS_NODE_INDEX &&
^
fs/hfs/bnode.c:394:14: note: Calling 'hfs_bnode_read_u8'
key_size = hfs_bnode_read_u8(node, off) + 1;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:55:2: note: 'data' declared without an initial value
u8 data;
^~~~~~~
fs/hfs/bnode.c:57:2: note: Calling 'hfs_bnode_read'
hfs_bnode_read(node, &data, off, 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:30:2: note: Loop condition is true. Entering loop body
for (bytes_read = 0; bytes_read < len; bytes_read += bytes_to_read) {
^
fs/hfs/bnode.c:31:7: note: Assuming 'pagenum' is >= field 'pages_per_bnode'
if (pagenum >= node->tree->pages_per_bnode)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:31:3: note: Taking true branch
if (pagenum >= node->tree->pages_per_bnode)
^
fs/hfs/bnode.c:32:4: note: Execution continues on line 31
break;
^
fs/hfs/bnode.c:43:1: note: Returning without writing to '*buf'
}
^
fs/hfs/bnode.c:57:2: note: Returning from 'hfs_bnode_read'
hfs_bnode_read(node, &data, off, 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:58:2: note: Undefined or garbage value returned to caller
return data;
^ ~~~~
fs/hfs/bnode.c:179:4: warning: Value stored to 'tmp' is never read [clang-analyzer-deadcode.DeadStores]
tmp = hfs_bnode_read_u8(node, key_off);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/hfs/bnode.c:179:4: note: Value stored to 'tmp' is never read
tmp = hfs_bnode_read_u8(node, key_off);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Suppressed 7 warnings (7 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
if (!entity->my_sched_data)
^
block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
struct bfq_entity *entity = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
if (bfq_tot_busy_queues(bfqd) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:2: note: Taking false branch
if (bfq_tot_busy_queues(bfqd) == 0)
^
block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
for (; sd ; sd = entity->my_sched_data) {
^
block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~
block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
if (!entity->my_sched_data)
^~~~~~
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is true
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking true branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:300:2: note: expanded from macro '__compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3b Paolo Valente 2017-04-19 627
ea25da48086d3b Paolo Valente 2017-04-19 628 /**
ea25da48086d3b Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19 633 *
ea25da48086d3b Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19 636 *
8f9bebc33dd718 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3b Paolo Valente 2017-04-19 641 */
ea25da48086d3b Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19 644 {
ea25da48086d3b Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 652
ea25da48086d3b Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19 658 */
ea25da48086d3b Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19 662
ea25da48086d3b Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19 668
d29bd41428cfff Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 674
ea25da48086d3b Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd718 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19 679
ea25da48086d3b Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 684 }
ea25da48086d3b Paolo Valente 2017-04-19 685
ea25da48086d3b Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 690 }
ea25da48086d3b Paolo Valente 2017-04-19 691
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-06-28 15:41 kernel test robot
From: kernel test robot @ 2022-06-28 15:41 UTC
To: kbuild
::::::
:::::: Manual check reason: "low confidence static check warning: block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]"
::::::
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 941e3e7912696b9fbe3586083a7c2e102cee7a87
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 8 months ago
:::::: branch date: 22 hours ago
:::::: commit date: 8 months ago
config: arm-randconfig-c002-20220625 (https://download.01.org/0day-ci/archive/20220628/202206282351.6ki5bWh5-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 42a7ddb428c999229491b0effbb1a4059149fba8)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
drivers/iio/buffer/kfifo_buf.c:35:6: note: Calling '__roundup_pow_of_two'
if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum)
^
include/linux/log2.h:180:2: note: expanded from macro 'roundup_pow_of_two'
__roundup_pow_of_two(n) \
^~~~~~~~~~~~~~~~~~~~~~~
include/linux/log2.h:57:16: note: Calling 'fls_long'
return 1UL << fls_long(n - 1);
^~~~~~~~~~~~~~~
include/linux/bitops.h:188:2: note: Taking true branch
if (sizeof(l) == 4)
^
include/linux/bitops.h:189:10: note: Calling 'fls'
return fls(l);
^~~~~~
include/asm-generic/bitops/fls.h:15:2: note: 'r' initialized to 32
int r = 32;
^~~~~
include/asm-generic/bitops/fls.h:17:6: note: Assuming 'x' is not equal to 0, which participates in a condition later
if (!x)
^~
include/asm-generic/bitops/fls.h:17:2: note: Taking false branch
if (!x)
^
include/asm-generic/bitops/fls.h:19:6: note: Assuming the condition is false
if (!(x & 0xffff0000u)) {
^~~~~~~~~~~~~~~~~~
include/asm-generic/bitops/fls.h:19:2: note: Taking false branch
if (!(x & 0xffff0000u)) {
^
include/asm-generic/bitops/fls.h:23:6: note: Assuming the condition is false
if (!(x & 0xff000000u)) {
^~~~~~~~~~~~~~~~~~
include/asm-generic/bitops/fls.h:23:2: note: Taking false branch
if (!(x & 0xff000000u)) {
^
include/asm-generic/bitops/fls.h:27:6: note: Assuming the condition is false
if (!(x & 0xf0000000u)) {
^~~~~~~~~~~~~~~~~~
include/asm-generic/bitops/fls.h:27:2: note: Taking false branch
if (!(x & 0xf0000000u)) {
^
include/asm-generic/bitops/fls.h:31:6: note: Assuming the condition is false
if (!(x & 0xc0000000u)) {
^~~~~~~~~~~~~~~~~~
include/asm-generic/bitops/fls.h:31:2: note: Taking false branch
if (!(x & 0xc0000000u)) {
^
include/asm-generic/bitops/fls.h:35:6: note: Assuming the condition is false
if (!(x & 0x80000000u)) {
^~~~~~~~~~~~~~~~~~
include/asm-generic/bitops/fls.h:35:2: note: Taking false branch
if (!(x & 0x80000000u)) {
^
include/asm-generic/bitops/fls.h:39:2: note: Returning the value 32 (loaded from 'r')
return r;
^~~~~~~~
include/linux/bitops.h:189:10: note: Returning from 'fls'
return fls(l);
^~~~~~
include/linux/bitops.h:189:3: note: Returning the value 32
return fls(l);
^~~~~~~~~~~~~
include/linux/log2.h:57:16: note: Returning from 'fls_long'
return 1UL << fls_long(n - 1);
^~~~~~~~~~~~~~~
include/linux/log2.h:57:13: note: The result of the left shift is undefined due to shifting by '32', which is greater or equal to the width of type 'unsigned long'
return 1UL << fls_long(n - 1);
^ ~~~~~~~~~~~~~~~
Suppressed 7 warnings (7 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
if (!entity->my_sched_data)
^
block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
struct bfq_entity *entity = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
if (bfq_tot_busy_queues(bfqd) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:2: note: Taking false branch
if (bfq_tot_busy_queues(bfqd) == 0)
^
block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
for (; sd ; sd = entity->my_sched_data) {
^
block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~
block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
if (!entity->my_sched_data)
^~~~~~
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is true
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking true branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:300:2: note: expanded from macro '__compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3b Paolo Valente 2017-04-19 627
ea25da48086d3b Paolo Valente 2017-04-19 628 /**
ea25da48086d3b Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19 633 *
ea25da48086d3b Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19 636 *
8f9bebc33dd718 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3b Paolo Valente 2017-04-19 641 */
ea25da48086d3b Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19 644 {
ea25da48086d3b Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 652
ea25da48086d3b Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19 658 */
ea25da48086d3b Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19 662
ea25da48086d3b Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19 668
d29bd41428cfff Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 674
ea25da48086d3b Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd718 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19 679
ea25da48086d3b Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 684 }
ea25da48086d3b Paolo Valente 2017-04-19 685
ea25da48086d3b Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 690 }
ea25da48086d3b Paolo Valente 2017-04-19 691
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-06-26 17:00 kernel test robot
From: kernel test robot @ 2022-06-26 17:00 UTC
To: kbuild
::::::
:::::: Manual check reason: "low confidence static check warning: block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]"
::::::
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 0840a7914caa14315a3191178a9f72c742477860
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 8 months ago
:::::: branch date: 24 hours ago
:::::: commit date: 8 months ago
config: arm-randconfig-c002-20220625
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 42a7ddb428c999229491b0effbb1a4059149fba8)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
drivers/watchdog/mlx_wdt.c:309:2: note: Calling 'watchdog_set_drvdata'
watchdog_set_drvdata(&wdt->wdd, wdt);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/watchdog.h:197:1: note: Returning without writing to 'data->wdt_type', which participates in a condition later
}
^
drivers/watchdog/mlx_wdt.c:309:2: note: Returning from 'watchdog_set_drvdata'
watchdog_set_drvdata(&wdt->wdd, wdt);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:310:7: note: Calling 'mlxreg_wdt_init_timeout'
rc = mlxreg_wdt_init_timeout(wdt, pdata);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:277:9: note: Calling 'mlxreg_wdt_set_timeout'
return mlxreg_wdt_set_timeout(&wdt->wdd, timeout);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:116:2: note: Control jumps to 'case MLX_WDT_TYPE1:' at line 117
switch (wdt->wdt_type) {
^
drivers/watchdog/mlx_wdt.c:119:7: note: Assuming 'rc' is 0
if (rc)
^~
drivers/watchdog/mlx_wdt.c:119:3: note: Taking false branch
if (rc)
^
drivers/watchdog/mlx_wdt.c:122:16: note: '?' condition is false
hw_timeout = order_base_2(timeout * MLXREG_WDT_CLOCK_SCALE);
^
include/linux/log2.h:219:2: note: expanded from macro 'order_base_2'
__builtin_constant_p(n) ? ( \
^
drivers/watchdog/mlx_wdt.c:122:16: note: Calling '__order_base_2'
hw_timeout = order_base_2(timeout * MLXREG_WDT_CLOCK_SCALE);
^
include/linux/log2.h:222:2: note: expanded from macro 'order_base_2'
__order_base_2(n) \
^~~~~~~~~~~~~~~~~
include/linux/log2.h:201:9: note: Assuming 'n' is > 1
return n > 1 ? ilog2(n - 1) + 1 : 0;
^~~~~
include/linux/log2.h:201:9: note: '?' condition is true
include/linux/log2.h:201:17: note: '?' condition is false
return n > 1 ? ilog2(n - 1) + 1 : 0;
^
include/linux/log2.h:158:2: note: expanded from macro 'ilog2'
__builtin_constant_p(n) ? \
^
include/linux/log2.h:201:17: note: '?' condition is true
return n > 1 ? ilog2(n - 1) + 1 : 0;
^
include/linux/log2.h:161:2: note: expanded from macro 'ilog2'
(sizeof(n) <= 4) ? \
^
include/linux/log2.h:201:2: note: Returning the value 32
return n > 1 ? ilog2(n - 1) + 1 : 0;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:122:16: note: Returning from '__order_base_2'
hw_timeout = order_base_2(timeout * MLXREG_WDT_CLOCK_SCALE);
^
include/linux/log2.h:222:2: note: expanded from macro 'order_base_2'
__order_base_2(n) \
^~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:122:3: note: The value 32 is assigned to 'hw_timeout'
hw_timeout = order_base_2(timeout * MLXREG_WDT_CLOCK_SCALE);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/watchdog/mlx_wdt.c:125:14: note: The result of the left shift is undefined due to shifting by '32', which is greater or equal to the width of type 'unsigned long'
set_time = BIT(hw_timeout) / MLXREG_WDT_CLOCK_SCALE;
^
include/vdso/bits.h:7:26: note: expanded from macro 'BIT'
#define BIT(nr) (UL(1) << (nr))
^ ~~~~
Suppressed 3 warnings (3 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
if (!entity->my_sched_data)
^
block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
struct bfq_entity *entity = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
if (bfq_tot_busy_queues(bfqd) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:2: note: Taking false branch
if (bfq_tot_busy_queues(bfqd) == 0)
^
block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
for (; sd ; sd = entity->my_sched_data) {
^
block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~
block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
if (!entity->my_sched_data)
^~~~~~
Suppressed 8 warnings (8 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
9 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is true
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking true branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:300:2: note: expanded from macro '__compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3bb Paolo Valente 2017-04-19 627
ea25da48086d3bb Paolo Valente 2017-04-19 628 /**
ea25da48086d3bb Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3bb Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3bb Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3bb Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3bb Paolo Valente 2017-04-19 633 *
ea25da48086d3bb Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3bb Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3bb Paolo Valente 2017-04-19 636 *
8f9bebc33dd7182 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd7182 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd7182 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd7182 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3bb Paolo Valente 2017-04-19 641 */
ea25da48086d3bb Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3bb Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3bb Paolo Valente 2017-04-19 644 {
ea25da48086d3bb Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3bb Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 652
ea25da48086d3bb Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3bb Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3bb Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3bb Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3bb Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3bb Paolo Valente 2017-04-19 658 */
ea25da48086d3bb Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3bb Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3bb Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3bb Paolo Valente 2017-04-19 662
ea25da48086d3bb Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3bb Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b2 Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3bb Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd7182 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3bb Paolo Valente 2017-04-19 668
d29bd41428cfff9 Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff9 Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff9 Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff9 Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff9 Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff9 Paolo Valente 2021-10-15 674
ea25da48086d3bb Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3bb Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd7182 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd7182 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3bb Paolo Valente 2017-04-19 679
ea25da48086d3bb Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf52 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3bb Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3bb Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3bb Paolo Valente 2017-04-19 684 }
ea25da48086d3bb Paolo Valente 2017-04-19 685
ea25da48086d3bb Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3bb Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2e Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911a Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3bb Paolo Valente 2017-04-19 690 }
ea25da48086d3bb Paolo Valente 2017-04-19 691
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-04-10 9:50 kernel test robot
From: kernel test robot @ 2022-04-10 9:50 UTC
To: kbuild
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 1862a69c917417142190bc18c8ce16680598664b
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 6 months ago
:::::: branch date: 5 hours ago
:::::: commit date: 6 months ago
config: riscv-randconfig-c006-20220405 (https://download.01.org/0day-ci/archive/20220410/202204101719.ar1C744Z-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project c4a1b07d0979e7ff20d7d541af666d822d66b566)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
drivers/nvme/target/zns.c:478:6: note: Assuming field 'select_all' is not equal to 0
if (req->cmd->zms.select_all) {
^~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvme/target/zns.c:478:2: note: Taking true branch
if (req->cmd->zms.select_all) {
^
drivers/nvme/target/zns.c:479:12: note: Calling 'nvmet_bdev_execute_zmgmt_send_all'
status = nvmet_bdev_execute_zmgmt_send_all(req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvme/target/zns.c:440:2: note: Control jumps to 'case REQ_OP_ZONE_FINISH:' at line 450
switch (zsa_req_op(req->cmd->zms.zsa)) {
^
drivers/nvme/target/zns.c:451:10: note: Calling 'nvmet_bdev_zone_mgmt_emulate_all'
return nvmet_bdev_zone_mgmt_emulate_all(req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvme/target/zns.c:397:6: note: Assuming field 'zbitmap' is non-null
if (!d.zbitmap) {
^~~~~~~~~~
drivers/nvme/target/zns.c:397:2: note: Taking false branch
if (!d.zbitmap) {
^
drivers/nvme/target/zns.c:404:6: note: Assuming 'ret' is equal to 'nr_zones'
if (ret != nr_zones) {
^~~~~~~~~~~~~~~
drivers/nvme/target/zns.c:404:2: note: Taking false branch
if (ret != nr_zones) {
^
drivers/nvme/target/zns.c:413:9: note: Assuming the condition is true
while (sector < get_capacity(bdev->bd_disk)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/nvme/target/zns.c:413:2: note: Loop condition is true. Entering loop body
while (sector < get_capacity(bdev->bd_disk)) {
^
drivers/nvme/target/zns.c:414:16: note: Calling 'blk_queue_zone_no'
if (test_bit(blk_queue_zone_no(q, sector), d.zbitmap)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/blkdev.h:700:2: note: Taking false branch
if (!blk_queue_is_zoned(q))
^
include/linux/blkdev.h:702:19: note: '?' condition is false
return sector >> ilog2(q->limits.chunk_sectors);
^
include/linux/log2.h:158:2: note: expanded from macro 'ilog2'
__builtin_constant_p(n) ? \
^
include/linux/blkdev.h:702:19: note: '?' condition is true
return sector >> ilog2(q->limits.chunk_sectors);
^
include/linux/log2.h:161:2: note: expanded from macro 'ilog2'
(sizeof(n) <= 4) ? \
^
include/linux/blkdev.h:702:19: note: Calling '__ilog2_u32'
return sector >> ilog2(q->limits.chunk_sectors);
^
include/linux/log2.h:162:2: note: expanded from macro 'ilog2'
__ilog2_u32(n) : \
^~~~~~~~~~~~~~
include/linux/log2.h:24:2: note: Returning the value -1
return fls(n) - 1;
^~~~~~~~~~~~~~~~~
include/linux/blkdev.h:702:19: note: Returning from '__ilog2_u32'
return sector >> ilog2(q->limits.chunk_sectors);
^
include/linux/log2.h:162:2: note: expanded from macro 'ilog2'
__ilog2_u32(n) : \
^~~~~~~~~~~~~~
include/linux/blkdev.h:702:16: note: The result of the right shift is undefined because the right operand is negative
return sector >> ilog2(q->limits.chunk_sectors);
^
Suppressed 11 warnings (4 in non-user code, 7 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
11 warnings generated.
block/bfq-wf2q.c:263:7: warning: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity') [clang-analyzer-core.NullDereference]
if (!entity->my_sched_data)
^
block/bfq-wf2q.c:1508:2: note: 'entity' initialized to a null pointer value
struct bfq_entity *entity = NULL;
^~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:6: note: Assuming the condition is false
if (bfq_tot_busy_queues(bfqd) == 0)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:1512:2: note: Taking false branch
if (bfq_tot_busy_queues(bfqd) == 0)
^
block/bfq-wf2q.c:1521:2: note: Loop condition is false. Execution continues on line 1582
for (; sd ; sd = entity->my_sched_data) {
^
block/bfq-wf2q.c:1582:28: note: Passing null pointer value via 1st parameter 'entity'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~
block/bfq-wf2q.c:1582:9: note: Calling 'bfq_entity_to_bfqq'
bfqq = bfq_entity_to_bfqq(entity);
^~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-wf2q.c:263:7: note: Access to field 'my_sched_data' results in a dereference of a null pointer (loaded from variable 'entity')
if (!entity->my_sched_data)
^~~~~~
Suppressed 10 warnings (3 in non-user code, 7 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
11 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is false
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking false branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:665:11: note: Assuming field 'on_st_or_in_serv' is false
else if (entity->on_st_or_in_serv)
^~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:665:7: note: Taking false branch
else if (entity->on_st_or_in_serv)
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3b Paolo Valente 2017-04-19 627
ea25da48086d3b Paolo Valente 2017-04-19 628 /**
ea25da48086d3b Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19 633 *
ea25da48086d3b Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19 636 *
8f9bebc33dd718 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3b Paolo Valente 2017-04-19 641 */
ea25da48086d3b Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19 644 {
ea25da48086d3b Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 652
ea25da48086d3b Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19 658 */
ea25da48086d3b Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19 662
ea25da48086d3b Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19 668
d29bd41428cfff Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 674
ea25da48086d3b Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd718 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19 679
ea25da48086d3b Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 684 }
ea25da48086d3b Paolo Valente 2017-04-19 685
ea25da48086d3b Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 690 }
ea25da48086d3b Paolo Valente 2017-04-19 691
--
0-DAY CI Kernel Test Service
https://01.org/lkp
* block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
@ 2022-03-10 6:11 kernel test robot
0 siblings, 0 replies; 6+ messages in thread
From: kernel test robot @ 2022-03-10 6:11 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 18090 bytes --]
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Paolo Valente <paolo.valente@linaro.org>
CC: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 3bf7edc84a9eb4007dd9a0cb8878a7e1d5ec6a3b
commit: d29bd41428cfff9b582c248db14a47e2be8457a8 block, bfq: reset last_bfqq_created on group change
date: 5 months ago
:::::: branch date: 8 hours ago
:::::: commit date: 5 months ago
config: riscv-randconfig-c006-20220309 (https://download.01.org/0day-ci/archive/20220310/202203101417.mDOaT6at-lkp(a)intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 276ca87382b8f16a65bddac700202924228982f6)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d29bd41428cfff9b582c248db14a47e2be8457a8
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout d29bd41428cfff9b582c248db14a47e2be8457a8
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
^
fs/fscache/cookie.c:276:6: note: Assuming 'aux_data' is null
if (!aux_data || !aux_data_len) {
^~~~~~~~~
fs/fscache/cookie.c:276:16: note: Left side of '||' is true
if (!aux_data || !aux_data_len) {
^
fs/fscache/cookie.c:277:3: note: Null pointer value stored to 'aux_data'
aux_data = NULL;
^~~~~~~~~~~~~~~
fs/fscache/cookie.c:281:2: note: Loop condition is false. Exiting loop
fscache_stat(&fscache_n_acquires);
^
fs/fscache/internal.h:276:28: note: expanded from macro 'fscache_stat'
#define fscache_stat(stat) do {} while (0)
^
fs/fscache/cookie.c:284:6: note: Assuming 'parent' is non-null
if (!parent) {
^~~~~~~
fs/fscache/cookie.c:284:2: note: Taking false branch
if (!parent) {
^
fs/fscache/cookie.c:291:9: note: Assuming the condition is false
BUG_ON(!def->name[0]);
^
include/asm-generic/bug.h:65:45: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
^~~~~~~~~
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
fs/fscache/cookie.c:291:2: note: Taking false branch
BUG_ON(!def->name[0]);
^
include/asm-generic/bug.h:65:32: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
^
fs/fscache/cookie.c:291:2: note: Loop condition is false. Exiting loop
BUG_ON(!def->name[0]);
^
include/asm-generic/bug.h:65:27: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
^
fs/fscache/cookie.c:293:9: note: Assuming field 'type' is not equal to 0
BUG_ON(def->type == FSCACHE_COOKIE_TYPE_INDEX &&
^
include/asm-generic/bug.h:65:45: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
~~~~~~~~~^~~~~~~~~~
include/linux/compiler.h:78:42: note: expanded from macro 'unlikely'
# define unlikely(x) __builtin_expect(!!(x), 0)
^
fs/fscache/cookie.c:293:48: note: Left side of '&&' is false
BUG_ON(def->type == FSCACHE_COOKIE_TYPE_INDEX &&
^
fs/fscache/cookie.c:293:2: note: Taking false branch
BUG_ON(def->type == FSCACHE_COOKIE_TYPE_INDEX &&
^
include/asm-generic/bug.h:65:32: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
^
fs/fscache/cookie.c:293:2: note: Loop condition is false. Exiting loop
BUG_ON(def->type == FSCACHE_COOKIE_TYPE_INDEX &&
^
include/asm-generic/bug.h:65:27: note: expanded from macro 'BUG_ON'
#define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
^
fs/fscache/cookie.c:298:7: note: Passing null pointer value via 5th parameter 'aux_data'
aux_data, aux_data_len,
^~~~~~~~
fs/fscache/cookie.c:296:14: note: Calling 'fscache_alloc_cookie'
candidate = fscache_alloc_cookie(parent, def,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/fscache/cookie.c:150:6: note: Assuming 'cookie' is non-null
if (!cookie)
^~~~~~~
fs/fscache/cookie.c:150:2: note: Taking false branch
if (!cookie)
^
fs/fscache/cookie.c:156:2: note: Taking false branch
if (fscache_set_key(cookie, index_key, index_key_len) < 0)
^
fs/fscache/cookie.c:159:6: note: Assuming the condition is true
if (cookie->aux_len <= sizeof(cookie->inline_aux)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fs/fscache/cookie.c:159:2: note: Taking true branch
if (cookie->aux_len <= sizeof(cookie->inline_aux)) {
^
fs/fscache/cookie.c:160:3: note: Null pointer passed as 2nd argument to memory copy function
memcpy(cookie->inline_aux, aux_data, cookie->aux_len);
^ ~~~~~~~~
Suppressed 12 warnings (5 in non-user code, 7 with check filters).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
5 warnings generated.
Suppressed 5 warnings (5 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
5 warnings generated.
Suppressed 5 warnings (5 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
16 warnings generated.
>> block/bfq-cgroup.c:670:6: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
entity->parent->last_bfqq_created == bfqq)
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:393:2: note: expanded from macro 'spin_lock_irqsave'
raw_spin_lock_irqsave(spinlock_check(lock), flags); \
^
include/linux/spinlock.h:254:2: note: expanded from macro 'raw_spin_lock_irqsave'
do { \
^
block/bfq-cgroup.c:892:2: note: Loop condition is false. Exiting loop
spin_lock_irqsave(&bfqd->lock, flags);
^
include/linux/spinlock.h:391:43: note: expanded from macro 'spin_lock_irqsave'
#define spin_lock_irqsave(lock, flags) \
^
block/bfq-cgroup.c:894:6: note: Assuming 'entity' is non-null
if (!entity) /* root group */
^~~~~~~
block/bfq-cgroup.c:894:2: note: Taking false branch
if (!entity) /* root group */
^
block/bfq-cgroup.c:901:2: note: Loop condition is true. Entering loop body
for (i = 0; i < BFQ_IOPRIO_CLASSES; i++) {
^
block/bfq-cgroup.c:916:3: note: Calling 'bfq_reparent_active_queues'
bfq_reparent_active_queues(bfqd, bfqg, st, i);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:866:2: note: Loop condition is true. Entering loop body
while ((entity = bfq_entity_of(rb_first(active))))
^
block/bfq-cgroup.c:867:3: note: Calling 'bfq_reparent_leaf_entity'
bfq_reparent_leaf_entity(bfqd, entity, ioprio_class);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:836:2: note: Loop condition is false. Execution continues on line 848
while (child_entity->my_sched_data) { /* leaf not reached yet */
^
block/bfq-cgroup.c:849:2: note: Calling 'bfq_bfqq_move'
bfq_bfqq_move(bfqd, bfqq, bfqd->root_group);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:6: note: Assuming 'bfqq' is not equal to field 'in_service_queue'
if (bfqq == bfqd->in_service_queue)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:659:2: note: Taking false branch
if (bfqq == bfqd->in_service_queue)
^
block/bfq-cgroup.c:663:6: note: Assuming the condition is false
if (bfq_bfqq_busy(bfqq))
^~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:663:2: note: Taking false branch
if (bfq_bfqq_busy(bfqq))
^
block/bfq-cgroup.c:665:11: note: Assuming field 'on_st_or_in_serv' is false
else if (entity->on_st_or_in_serv)
^~~~~~~~~~~~~~~~~~~~~~~~
block/bfq-cgroup.c:665:7: note: Taking false branch
else if (entity->on_st_or_in_serv)
^
block/bfq-cgroup.c:667:20: note: Calling 'bfqq_group'
bfqg_and_blkg_put(bfqq_group(bfqq));
^~~~~~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: Assuming 'group_entity' is non-null
return group_entity ? container_of(group_entity, struct bfq_group,
^~~~~~~~~~~~
block/bfq-cgroup.c:312:9: note: '?' condition is true
block/bfq-cgroup.c:312:24: note: Left side of '&&' is false
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
block/bfq-cgroup.c:312:24: note: Taking false branch
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
_compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
^
include/linux/compiler_types.h:310:2: note: expanded from macro '_compiletime_assert'
__compiletime_assert(condition, msg, prefix, suffix)
^
include/linux/compiler_types.h:302:3: note: expanded from macro '__compiletime_assert'
if (!(condition)) \
^
block/bfq-cgroup.c:312:24: note: Loop condition is false. Exiting loop
return group_entity ? container_of(group_entity, struct bfq_group,
^
include/linux/kernel.h:495:2: note: expanded from macro 'container_of'
BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
^
include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^
include/linux/compiler_types.h:322:2: note: expanded from macro 'compiletime_assert'
vim +670 block/bfq-cgroup.c
ea25da48086d3b Paolo Valente 2017-04-19 627
ea25da48086d3b Paolo Valente 2017-04-19 628 /**
ea25da48086d3b Paolo Valente 2017-04-19 629 * bfq_bfqq_move - migrate @bfqq to @bfqg.
ea25da48086d3b Paolo Valente 2017-04-19 630 * @bfqd: queue descriptor.
ea25da48086d3b Paolo Valente 2017-04-19 631 * @bfqq: the queue to move.
ea25da48086d3b Paolo Valente 2017-04-19 632 * @bfqg: the group to move to.
ea25da48086d3b Paolo Valente 2017-04-19 633 *
ea25da48086d3b Paolo Valente 2017-04-19 634 * Move @bfqq to @bfqg, deactivating it from its old group and reactivating
ea25da48086d3b Paolo Valente 2017-04-19 635 * it on the new one. Avoid putting the entity on the old group idle tree.
ea25da48086d3b Paolo Valente 2017-04-19 636 *
8f9bebc33dd718 Paolo Valente 2017-06-05 637 * Must be called under the scheduler lock, to make sure that the blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 638 * owning @bfqg does not disappear (see comments in
8f9bebc33dd718 Paolo Valente 2017-06-05 639 * bfq_bic_update_cgroup on guaranteeing the consistency of blkg
8f9bebc33dd718 Paolo Valente 2017-06-05 640 * objects).
ea25da48086d3b Paolo Valente 2017-04-19 641 */
ea25da48086d3b Paolo Valente 2017-04-19 642 void bfq_bfqq_move(struct bfq_data *bfqd, struct bfq_queue *bfqq,
ea25da48086d3b Paolo Valente 2017-04-19 643 struct bfq_group *bfqg)
ea25da48086d3b Paolo Valente 2017-04-19 644 {
ea25da48086d3b Paolo Valente 2017-04-19 645 struct bfq_entity *entity = &bfqq->entity;
ea25da48086d3b Paolo Valente 2017-04-19 646
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 647 /*
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 648 * Get extra reference to prevent bfqq from being freed in
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 649 * next possible expire or deactivate.
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 650 */
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 651 bfqq->ref++;
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 652
ea25da48086d3b Paolo Valente 2017-04-19 653 /* If bfqq is empty, then bfq_bfqq_expire also invokes
ea25da48086d3b Paolo Valente 2017-04-19 654 * bfq_del_bfqq_busy, thereby removing bfqq and its entity
ea25da48086d3b Paolo Valente 2017-04-19 655 * from data structures related to current group. Otherwise we
ea25da48086d3b Paolo Valente 2017-04-19 656 * need to remove bfqq explicitly with bfq_deactivate_bfqq, as
ea25da48086d3b Paolo Valente 2017-04-19 657 * we do below.
ea25da48086d3b Paolo Valente 2017-04-19 658 */
ea25da48086d3b Paolo Valente 2017-04-19 659 if (bfqq == bfqd->in_service_queue)
ea25da48086d3b Paolo Valente 2017-04-19 660 bfq_bfqq_expire(bfqd, bfqd->in_service_queue,
ea25da48086d3b Paolo Valente 2017-04-19 661 false, BFQQE_PREEMPTED);
ea25da48086d3b Paolo Valente 2017-04-19 662
ea25da48086d3b Paolo Valente 2017-04-19 663 if (bfq_bfqq_busy(bfqq))
ea25da48086d3b Paolo Valente 2017-04-19 664 bfq_deactivate_bfqq(bfqd, bfqq, false, false);
33a16a9804688b Paolo Valente 2020-02-03 665 else if (entity->on_st_or_in_serv)
ea25da48086d3b Paolo Valente 2017-04-19 666 bfq_put_idle_entity(bfq_entity_service_tree(entity), entity);
8f9bebc33dd718 Paolo Valente 2017-06-05 667 bfqg_and_blkg_put(bfqq_group(bfqq));
ea25da48086d3b Paolo Valente 2017-04-19 668
d29bd41428cfff Paolo Valente 2021-10-15 669 if (entity->parent &&
d29bd41428cfff Paolo Valente 2021-10-15 @670 entity->parent->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 671 entity->parent->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 672 else if (bfqd->last_bfqq_created == bfqq)
d29bd41428cfff Paolo Valente 2021-10-15 673 bfqd->last_bfqq_created = NULL;
d29bd41428cfff Paolo Valente 2021-10-15 674
ea25da48086d3b Paolo Valente 2017-04-19 675 entity->parent = bfqg->my_entity;
ea25da48086d3b Paolo Valente 2017-04-19 676 entity->sched_data = &bfqg->sched_data;
8f9bebc33dd718 Paolo Valente 2017-06-05 677 /* pin down bfqg and its associated blkg */
8f9bebc33dd718 Paolo Valente 2017-06-05 678 bfqg_and_blkg_get(bfqg);
ea25da48086d3b Paolo Valente 2017-04-19 679
ea25da48086d3b Paolo Valente 2017-04-19 680 if (bfq_bfqq_busy(bfqq)) {
8cacc5ab3eacf5 Paolo Valente 2019-03-12 681 if (unlikely(!bfqd->nonrot_with_queueing))
ea25da48086d3b Paolo Valente 2017-04-19 682 bfq_pos_tree_add_move(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 683 bfq_activate_bfqq(bfqd, bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 684 }
ea25da48086d3b Paolo Valente 2017-04-19 685
ea25da48086d3b Paolo Valente 2017-04-19 686 if (!bfqd->in_service_queue && !bfqd->rq_in_driver)
ea25da48086d3b Paolo Valente 2017-04-19 687 bfq_schedule_dispatch(bfqd);
fd1bb3ae54a9a2 Paolo Valente 2020-03-21 688 /* release extra ref taken above, bfqq may happen to be freed now */
ecedd3d7e19911 Paolo Valente 2020-02-03 689 bfq_put_queue(bfqq);
ea25da48086d3b Paolo Valente 2017-04-19 690 }
ea25da48086d3b Paolo Valente 2017-04-19 691
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org