From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: [peterz-queue:x86/wip.ibt 2/15] net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
Date: Sun, 16 Jan 2022 19:54:09 +0800 [thread overview]
Message-ID: <202201161902.L3byQ6EP-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 15922 bytes --]
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Peter Zijlstra <peterz@infradead.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/wip.ibt
head: 7b31f08c5f3fb5f3cfd75deb24787569f35315d5
commit: f348a305ec94fcc9a5ac3aefb53dbf2269f26e18 [2/15] x86: Annotate _THIS_IP_
:::::: branch date: 2 days ago
:::::: commit date: 2 days ago
config: i386-randconfig-c001 (https://download.01.org/0day-ci/archive/20220116/202201161902.L3byQ6EP-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 650fc40b6d8d9a5869b4fca525d5f237b0ee2803)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git/commit/?id=f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
git remote add peterz-queue https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git
git fetch --no-tags peterz-queue x86/wip.ibt
git checkout f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=i386 clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:374:7: note: expanded from macro '__printk_index_emit'
if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
^
include/linux/hid.h:1011:3: note: Taking true branch
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:374:3: note: expanded from macro '__printk_index_emit'
if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
^
include/linux/compiler.h:56:23: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/hid.h:1011:3: note: '?' condition is true
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:383:12: note: expanded from macro '__printk_index_emit'
.fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
^
include/linux/hid.h:1011:3: note: '?' condition is true
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:387:14: note: expanded from macro '__printk_index_emit'
.level = __builtin_constant_p(_level) ? (_level) : NULL, \
^
include/linux/hid.h:1011:3: note: Loop condition is false. Exiting loop
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:373:2: note: expanded from macro '__printk_index_emit'
do { \
^
include/linux/hid.h:1012:9: note: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input')
input->name, c, type);
^
include/linux/printk.h:660:49: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^~~~~~~~~~~
include/linux/printk.h:644:17: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^~~~~~~~~~~
include/linux/printk.h:450:60: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^~~~~~~~~~~
include/linux/printk.h:422:19: note: expanded from macro 'printk_index_wrap'
_p_func(_fmt, ##__VA_ARGS__); \
^~~~~~~~~~~
1 warning generated.
Suppressed 1 warnings (1 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
>> net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(msg);
^
net/core/skmsg.c:960:2: note: Control jumps to 'case __SK_PASS:' at line 961
switch (verdict) {
^
net/core/skmsg.c:964:7: note: Assuming the condition is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:47: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~
include/linux/compiler.h:58:52: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
net/core/skmsg.c:964:38: note: Left side of '||' is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
net/core/skmsg.c:964:3: note: '?' condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
net/core/skmsg.c:964:7: note: Assuming the condition is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:47: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:964:38: note: Left side of '||' is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
net/core/skmsg.c:964:3: note: Assuming the condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:44: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
~~~~~~~~~~~~~~~~~^~~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:964:3: note: '?' condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value'
(cond) ? \
^
net/core/skmsg.c:964:3: note: Taking false branch
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:23: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
net/core/skmsg.c:978:3: note: '?' condition is false
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
net/core/skmsg.c:978:3: note: Assuming the condition is true
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:44: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
~~~~~~~~~~~~~~~~~^~~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:978:3: note: '?' condition is true
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
vim +590 net/core/skmsg.c
6fa9201a898983 John Fastabend 2020-11-16 572
6fa9201a898983 John Fastabend 2020-11-16 573 /* Puts an skb on the ingress queue of the socket already assigned to the
6fa9201a898983 John Fastabend 2020-11-16 574 * skb. In this case we do not need to check memory limits or skb_set_owner_r
6fa9201a898983 John Fastabend 2020-11-16 575 * because the skb is already accounted for here.
6fa9201a898983 John Fastabend 2020-11-16 576 */
7303524e04af49 Liu Jian 2021-10-29 577 static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
7303524e04af49 Liu Jian 2021-10-29 578 u32 off, u32 len)
6fa9201a898983 John Fastabend 2020-11-16 579 {
6fa9201a898983 John Fastabend 2020-11-16 580 struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
6fa9201a898983 John Fastabend 2020-11-16 581 struct sock *sk = psock->sk;
7e6b27a69167f9 John Fastabend 2021-07-12 582 int err;
6fa9201a898983 John Fastabend 2020-11-16 583
6fa9201a898983 John Fastabend 2020-11-16 584 if (unlikely(!msg))
6fa9201a898983 John Fastabend 2020-11-16 585 return -EAGAIN;
6fa9201a898983 John Fastabend 2020-11-16 586 sk_msg_init(msg);
144748eb0c4450 John Fastabend 2021-04-01 587 skb_set_owner_r(skb, sk);
7303524e04af49 Liu Jian 2021-10-29 588 err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
7e6b27a69167f9 John Fastabend 2021-07-12 589 if (err < 0)
7e6b27a69167f9 John Fastabend 2021-07-12 @590 kfree(msg);
7e6b27a69167f9 John Fastabend 2021-07-12 591 return err;
6fa9201a898983 John Fastabend 2020-11-16 592 }
6fa9201a898983 John Fastabend 2020-11-16 593
:::::: The code@line 590 was first introduced by commit
:::::: 7e6b27a69167f97c56b5437871d29e9722c3e470 bpf, sockmap: Fix potential memory leak on unlikely error case
:::::: TO: John Fastabend <john.fastabend@gmail.com>
:::::: CC: Daniel Borkmann <daniel@iogearbox.net>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
reply other threads:[~2022-01-16 11:54 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202201161902.L3byQ6EP-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.