From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: fs/verity/open.c:244:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
Date: Wed, 18 Aug 2021 05:15:10 +0800
Message-ID: <202108180503.cXH2pJOr-lkp@intel.com>

[-- Attachment #1: Type: text/plain, Size: 13061 bytes --]

CC: clang-built-linux(a)googlegroups.com
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Jakub Jelinek <jakub@redhat.com>
CC: "Peter Zijlstra (Intel)" <peterz@infradead.org>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   794c7931a2428a656551f2179e6a093233a6e0aa
commit: 2f78788b55baa3410b1ec91a576286abe1ad4d6a ilog2: improve ilog2 for constant arguments
date:   8 months ago
:::::: branch date: 20 hours ago
:::::: commit date: 8 months ago
config: arm-randconfig-c002-20210816 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 44d0a99a12ec7ead4d2f5ef649ba05b40f6d463d)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install arm cross compiling tool for clang build
        # apt-get install binutils-arm-linux-gnueabi
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2f78788b55baa3410b1ec91a576286abe1ad4d6a
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout 2f78788b55baa3410b1ec91a576286abe1ad4d6a
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


clang-analyzer warnings: (new ones prefixed by >>)
           ^
   drivers/pinctrl/pinctrl-single.c:1836:6: note: Assuming field 'res' is non-null
           if (!pcs->res) {
               ^~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1836:2: note: Taking false branch
           if (!pcs->res) {
           ^
   drivers/pinctrl/pinctrl-single.c:1843:6: note: Assuming field 'base' is non-null
           if (!pcs->base) {
               ^~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1843:2: note: Taking false branch
           if (!pcs->base) {
           ^
   drivers/pinctrl/pinctrl-single.c:1848:2: note: Calling 'platform_set_drvdata'
           platform_set_drvdata(pdev, pcs);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/platform_device.h:248:2: note: Calling 'dev_set_drvdata'
           dev_set_drvdata(&pdev->dev, data);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/device.h:657:1: note: Returning without writing to 'data->bits_per_mux', which participates in a condition later
   }
   ^
   include/linux/device.h:657:1: note: Returning without writing to 'data->bits_per_pin'
   include/linux/platform_device.h:248:2: note: Returning from 'dev_set_drvdata'
           dev_set_drvdata(&pdev->dev, data);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/platform_device.h:249:1: note: Returning without writing to 'data->bits_per_mux', which participates in a condition later
   }
   ^
   include/linux/platform_device.h:249:1: note: Returning without writing to 'data->bits_per_pin'
   drivers/pinctrl/pinctrl-single.c:1848:2: note: Returning from 'platform_set_drvdata'
           platform_set_drvdata(pdev, pcs);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1850:2: note: Control jumps to the 'default' case at line 1863
           switch (pcs->width) {
           ^
   drivers/pinctrl/pinctrl-single.c:1864:3: note:  Execution continues on line 1867
                   break;
                   ^
   drivers/pinctrl/pinctrl-single.c:1870:6: note: Assuming the condition is false
           if (PCS_HAS_PINCONF)
               ^
   drivers/pinctrl/pinctrl-single.c:212:27: note: expanded from macro 'PCS_HAS_PINCONF'
   #define PCS_HAS_PINCONF         (pcs->flags & PCS_FEAT_PINCONF)
                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1870:2: note: Taking false branch
           if (PCS_HAS_PINCONF)
           ^
   drivers/pinctrl/pinctrl-single.c:1874:8: note: Calling 'pcs_allocate_pin_table'
           ret = pcs_allocate_pin_table(pcs);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:710:11: note: Field 'bits_per_mux' is true
           if (pcs->bits_per_mux) {
                    ^
   drivers/pinctrl/pinctrl-single.c:710:2: note: Taking true branch
           if (pcs->bits_per_mux) {
           ^
   drivers/pinctrl/pinctrl-single.c:711:23: note: Calling 'fls'
                   pcs->bits_per_pin = fls(pcs->fmask);
                                       ^~~~~~~~~~~~~~~
   include/asm-generic/bitops/builtin-fls.h:14:9: note: Assuming 'x' is 0
           return x ? sizeof(x) * 8 - __builtin_clz(x) : 0;
                  ^
   include/asm-generic/bitops/builtin-fls.h:14:9: note: '?' condition is false
   include/asm-generic/bitops/builtin-fls.h:14:2: note: Returning zero
           return x ? sizeof(x) * 8 - __builtin_clz(x) : 0;
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:711:23: note: Returning from 'fls'
                   pcs->bits_per_pin = fls(pcs->fmask);
                                       ^~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:711:3: note: The value 0 is assigned to field 'bits_per_pin'
                   pcs->bits_per_pin = fls(pcs->fmask);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:712:41: note: Division by zero
                   nr_pins = (pcs->size * BITS_PER_BYTE) / pcs->bits_per_pin;
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1409:3: warning: Value stored to 'mask' is never read [clang-analyzer-deadcode.DeadStores]
                   mask = pcs->read(pcswi->reg);
                   ^      ~~~~~~~~~~~~~~~~~~~~~
   drivers/pinctrl/pinctrl-single.c:1409:3: note: Value stored to 'mask' is never read
                   mask = pcs->read(pcswi->reg);
                   ^      ~~~~~~~~~~~~~~~~~~~~~
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   5 warnings generated.
   Suppressed 5 warnings (5 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   2 warnings generated.
   Suppressed 2 warnings (2 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   2 warnings generated.
   Suppressed 2 warnings (2 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   3 warnings generated.
>> fs/verity/open.c:244:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
           kfree(vi->tree_params.hashstate);
           ^
   fs/verity/open.c:306:6: note: Assuming the condition is false
           if (!IS_VERITY(inode))
               ^~~~~~~~~~~~~~~~~
   fs/verity/open.c:306:2: note: Taking false branch
           if (!IS_VERITY(inode))
           ^
   fs/verity/open.c:309:6: note: Assuming the condition is false
           if (filp->f_mode & FMODE_WRITE) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:309:2: note: Taking false branch
           if (filp->f_mode & FMODE_WRITE) {
           ^
   fs/verity/open.c:315:9: note: Calling 'ensure_verity_info'
           return ensure_verity_info(inode);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:255:6: note: Assuming 'vi' is null
           if (vi)
               ^~
   fs/verity/open.c:255:2: note: Taking false branch
           if (vi)
           ^
   fs/verity/open.c:259:6: note: Assuming 'res' is >= 0
           if (res < 0) {
               ^~~~~~~
   fs/verity/open.c:259:2: note: Taking false branch
           if (res < 0) {
           ^
   fs/verity/open.c:264:6: note: Assuming 'res' is <= FS_VERITY_MAX_DESCRIPTOR_SIZE
           if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:264:2: note: Taking false branch
           if (res > FS_VERITY_MAX_DESCRIPTOR_SIZE) {
           ^
   fs/verity/open.c:270:6: note: Assuming 'desc' is non-null
           if (!desc)
               ^~~~~
   fs/verity/open.c:270:2: note: Taking false branch
           if (!desc)
           ^
   fs/verity/open.c:273:6: note: Assuming 'res' is >= 0
           if (res < 0) {
               ^~~~~~~
   fs/verity/open.c:273:2: note: Taking false branch
           if (res < 0) {
           ^
   fs/verity/open.c:278:7: note: Calling 'fsverity_create_info'
           vi = fsverity_create_info(inode, desc, res);
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:155:6: note: Assuming the condition is false
           if (desc_size < sizeof(*desc)) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:155:2: note: Taking false branch
           if (desc_size < sizeof(*desc)) {
           ^
   fs/verity/open.c:161:6: note: Assuming field 'version' is equal to 1
           if (desc->version != 1) {
               ^~~~~~~~~~~~~~~~~~
   fs/verity/open.c:161:2: note: Taking false branch
           if (desc->version != 1) {
           ^
   fs/verity/open.c:167:6: note: Assuming the condition is false
           if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:167:2: note: Taking false branch
           if (memchr_inv(desc->__reserved, 0, sizeof(desc->__reserved))) {
           ^
   fs/verity/open.c:172:6: note: Assuming the condition is false
           if (desc->salt_size > sizeof(desc->salt)) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:172:2: note: Taking false branch
           if (desc->salt_size > sizeof(desc->salt)) {
           ^
   fs/verity/open.c:177:6: note: Assuming field 'data_size' is equal to field 'i_size'
           if (le64_to_cpu(desc->data_size) != inode->i_size) {
               ^
   include/linux/byteorder/generic.h:87:21: note: expanded from macro 'le64_to_cpu'
   #define le64_to_cpu __le64_to_cpu
                       ^
   include/uapi/linux/byteorder/little_endian.h:32:26: note: expanded from macro '__le64_to_cpu'
   #define __le64_to_cpu(x) ((__force __u64)(__le64)(x))
                            ^
   fs/verity/open.c:177:2: note: Taking false branch
           if (le64_to_cpu(desc->data_size) != inode->i_size) {
           ^
   fs/verity/open.c:185:6: note: Assuming 'vi' is non-null
           if (!vi)
               ^~~
   fs/verity/open.c:185:2: note: Taking false branch
           if (!vi)
           ^
   fs/verity/open.c:189:8: note: Calling 'fsverity_init_merkle_tree_params'
           err = fsverity_init_merkle_tree_params(&vi->tree_params, inode,
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/verity/open.c:43:2: note: Taking false branch
           if (IS_ERR(hash_alg))
           ^
   fs/verity/open.c:50:2: note: Taking false branch
           if (IS_ERR(params->hashstate)) {

vim +244 fs/verity/open.c

fd2d1acfcadfe2 Eric Biggers 2019-07-22  239  
fd2d1acfcadfe2 Eric Biggers 2019-07-22  240  void fsverity_free_info(struct fsverity_info *vi)
fd2d1acfcadfe2 Eric Biggers 2019-07-22  241  {
fd2d1acfcadfe2 Eric Biggers 2019-07-22  242  	if (!vi)
fd2d1acfcadfe2 Eric Biggers 2019-07-22  243  		return;
fd2d1acfcadfe2 Eric Biggers 2019-07-22 @244  	kfree(vi->tree_params.hashstate);
fd2d1acfcadfe2 Eric Biggers 2019-07-22  245  	kmem_cache_free(fsverity_info_cachep, vi);
fd2d1acfcadfe2 Eric Biggers 2019-07-22  246  }
fd2d1acfcadfe2 Eric Biggers 2019-07-22  247  

:::::: The code at line 244 was first introduced by commit
:::::: fd2d1acfcadfe2e42567afaec5e989b38061a7d2 fs-verity: add the hook for file ->open()

:::::: TO: Eric Biggers <ebiggers@google.com>
:::::: CC: Eric Biggers <ebiggers@google.com>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 27069 bytes --]
