io-uring.vger.kernel.org archive mirror
From: Colin Ian King <colin.king@canonical.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: Pavel Begunkov <asml.silence@gmail.com>,
	io-uring@vger.kernel.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: potential null pointer dereference (or maybe invalid null check) in io_uring io_poll_remove_double()
Date: Fri, 9 Jul 2021 12:55:16 +0100	[thread overview]
Message-ID: <fe70c532-e2a7-3722-58a1-0fa4e5c5ff2c@canonical.com> (raw)

Hi Jens,

I was triaging some outstanding Coverity static analysis warnings and
found a potential issue in the following commit:

commit 807abcb0883439af5ead73f3308310453b97b624
Author: Jens Axboe <axboe@kernel.dk>
Date:   Fri Jul 17 17:09:27 2020 -0600

    io_uring: ensure double poll additions work with both request types

The analysis from Coverity is as follows:

4962 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4963                               int sync, void *key)
4964 {
4965        struct io_kiocb *req = wait->private;
4966        struct io_poll_iocb *poll = io_poll_get_single(req);
4967        __poll_t mask = key_to_poll(key);
4968
4969        /* for instances that support it check for an event match first: */

    deref_ptr: Directly dereferencing pointer poll.

4970        if (mask && !(mask & poll->events))
4971                return 0;
4972        if (!(poll->events & EPOLLONESHOT))
4973                return poll->wait.func(&poll->wait, mode, sync, key);
4974
4975        list_del_init(&wait->entry);
4976

  Dereference before null check (REVERSE_INULL)
  check_after_deref: Null-checking poll suggests that it may be null,
but it has already been dereferenced on all paths leading to the check.

4977        if (poll && poll->head) {
4978                bool done;

pointer poll is being dereferenced on line 4970, however, on line 4977
it is being null checked. Either the null check is redundant (because it
can never be null) or it needs to be performed before the poll->events
read on line 4970.

Colin
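A constructed C model of the two orderings discussed in the report, added here as an illustration; it is not kernel code, not the thread's patch, and says nothing about how the kernel ultimately resolved the warning. The model_* structs, the RET_* values, forward_to_primary() and run() are all assumptions standing in for the io_uring types and helpers named above.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for the kernel types in the report; not io_uring code. */
#define EPOLLIN      0x00000001u
#define EPOLLONESHOT 0x40000000u
enum { RET_IGNORED = 0, RET_FORWARDED = 1, RET_REMOVED = 2, RET_NULL_POLL = -1 };
/* wait: the wake callback plus a flag modelling wait->entry being on a list;
 * poll: the events waited for, a non-NULL head while armed, and its own wait. */
struct model_wait { int (*func)(struct model_wait *, unsigned int); bool linked; };
struct model_poll { unsigned int events; void *head; struct model_wait wait; };

/* Ordering of reported lines 4970-4977: poll->events is read before poll is
 * null-checked, so a NULL poll faults on the very first `if`. */
int double_wake_as_reported(struct model_poll *poll, struct model_wait *wait, unsigned int mask)
{
    if (mask && !(mask & poll->events))
        return RET_IGNORED;
    if (!(poll->events & EPOLLONESHOT))
        return poll->wait.func(&poll->wait, mask);
    wait->linked = false;        /* list_del_init(&wait->entry) */
    if (poll && poll->head)      /* the check Coverity flags as too late */
        return RET_REMOVED;
    return RET_IGNORED;
}

/* The reordering the report suggests: test poll before its first use. */
int double_wake_checked(struct model_poll *poll, struct model_wait *wait, unsigned int mask)
{
    if (!poll)
        return RET_NULL_POLL;
    if (mask && !(mask & poll->events))
        return RET_IGNORED;
    if (!(poll->events & EPOLLONESHOT))
        return poll->wait.func(&poll->wait, mask);
    wait->linked = false;
    if (poll->head)              /* the inner null check is now redundant */
        return RET_REMOVED;
    return RET_IGNORED;
}

static int forward_to_primary(struct model_wait *w, unsigned int mask)
{ (void)w; (void)mask; return RET_FORWARDED; }  /* stand-in primary wake func */
static int armed_head;           /* any non-NULL address models an armed poll */
/* Drive either variant with constructed state; null_poll models
 * io_poll_get_single() returning NULL (only the checked variant survives it). */
int run(bool checked, bool null_poll, unsigned int events, bool armed, unsigned int mask)
{
    struct model_poll p = { events, armed ? &armed_head : NULL, { forward_to_primary, true } };
    struct model_wait w = { forward_to_primary, true };
    struct model_poll *arg = null_poll ? NULL : &p;
    return checked ? double_wake_checked(arg, &w, mask) : double_wake_as_reported(arg, &w, mask);
}
```

For every non-NULL poll the two variants return the same result, so hoisting the check only changes behaviour on the path the analyzer is worried about.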


Thread overview: 2+ messages
2021-07-09 11:55 Colin Ian King [this message]
2021-07-09 14:19 ` potential null pointer dereference (or maybe invalid null check) in io_uring io_poll_remove_double() Jens Axboe