* [peterz-queue:x86/wip.ibt 2/15] net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
@ 2022-01-16 11:54 kernel test robot
0 siblings, 0 replies; only message in thread
From: kernel test robot @ 2022-01-16 11:54 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 15922 bytes --]
CC: llvm(a)lists.linux.dev
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Peter Zijlstra <peterz@infradead.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/wip.ibt
head: 7b31f08c5f3fb5f3cfd75deb24787569f35315d5
commit: f348a305ec94fcc9a5ac3aefb53dbf2269f26e18 [2/15] x86: Annotate _THIS_IP_
:::::: branch date: 2 days ago
:::::: commit date: 2 days ago
config: i386-randconfig-c001 (https://download.01.org/0day-ci/archive/20220116/202201161902.L3byQ6EP-lkp(a)intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 650fc40b6d8d9a5869b4fca525d5f237b0ee2803)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git/commit/?id=f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
git remote add peterz-queue https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git
git fetch --no-tags peterz-queue x86/wip.ibt
git checkout f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
# save the config file to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=i386 clang-analyzer
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
clang-analyzer warnings: (new ones prefixed by >>)
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:374:7: note: expanded from macro '__printk_index_emit'
if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
^
include/linux/hid.h:1011:3: note: Taking true branch
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:374:3: note: expanded from macro '__printk_index_emit'
if (__builtin_constant_p(_fmt) && __builtin_constant_p(_level)) { \
^
include/linux/compiler.h:56:23: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/hid.h:1011:3: note: '?' condition is true
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:383:12: note: expanded from macro '__printk_index_emit'
.fmt = __builtin_constant_p(_fmt) ? (_fmt) : NULL, \
^
include/linux/hid.h:1011:3: note: '?' condition is true
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:387:14: note: expanded from macro '__printk_index_emit'
.level = __builtin_constant_p(_level) ? (_level) : NULL, \
^
include/linux/hid.h:1011:3: note: Loop condition is false. Exiting loop
pr_warn_ratelimited("%s: Invalid code %d type %d\n",
^
include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^
include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^
include/linux/printk.h:450:26: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^
include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wrap'
__printk_index_emit(_fmt, NULL, NULL); \
^
include/linux/printk.h:373:2: note: expanded from macro '__printk_index_emit'
do { \
^
include/linux/hid.h:1012:9: note: Access to field 'name' results in a dereference of a null pointer (loaded from variable 'input')
input->name, c, type);
^
include/linux/printk.h:660:49: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
^~~~~~~~~~~
include/linux/printk.h:644:17: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
^~~~~~~~~~~
include/linux/printk.h:450:60: note: expanded from macro 'printk'
#define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
^~~~~~~~~~~
include/linux/printk.h:422:19: note: expanded from macro 'printk_index_wrap'
_p_func(_fmt, ##__VA_ARGS__); \
^~~~~~~~~~~
1 warning generated.
Suppressed 1 warnings (1 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
2 warnings generated.
>> net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
kfree(msg);
^
net/core/skmsg.c:960:2: note: Control jumps to 'case __SK_PASS:' at line 961
switch (verdict) {
^
net/core/skmsg.c:964:7: note: Assuming the condition is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:47: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~
include/linux/compiler.h:58:52: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
net/core/skmsg.c:964:38: note: Left side of '||' is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
net/core/skmsg.c:964:3: note: '?' condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
net/core/skmsg.c:964:7: note: Assuming the condition is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:47: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:964:38: note: Left side of '||' is true
if (sock_flag(sk_other, SOCK_DEAD) ||
^
net/core/skmsg.c:964:3: note: Assuming the condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:44: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
~~~~~~~~~~~~~~~~~^~~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:964:3: note: '?' condition is false
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_value'
(cond) ? \
^
net/core/skmsg.c:964:3: note: Taking false branch
if (sock_flag(sk_other, SOCK_DEAD) ||
^
include/linux/compiler.h:56:23: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
net/core/skmsg.c:978:3: note: '?' condition is false
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^
net/core/skmsg.c:978:3: note: Assuming the condition is true
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:44: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
~~~~~~~~~~~~~~~~~^~~~~
include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_value'
(cond) ? \
^~~~
net/core/skmsg.c:978:3: note: '?' condition is true
if (skb_queue_empty(&psock->ingress_skb)) {
^
include/linux/compiler.h:56:28: note: expanded from macro 'if'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^
include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
vim +590 net/core/skmsg.c
6fa9201a898983 John Fastabend 2020-11-16 572
6fa9201a898983 John Fastabend 2020-11-16 573 /* Puts an skb on the ingress queue of the socket already assigned to the
6fa9201a898983 John Fastabend 2020-11-16 574 * skb. In this case we do not need to check memory limits or skb_set_owner_r
6fa9201a898983 John Fastabend 2020-11-16 575 * because the skb is already accounted for here.
6fa9201a898983 John Fastabend 2020-11-16 576 */
7303524e04af49 Liu Jian 2021-10-29 577 static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
7303524e04af49 Liu Jian 2021-10-29 578 u32 off, u32 len)
6fa9201a898983 John Fastabend 2020-11-16 579 {
6fa9201a898983 John Fastabend 2020-11-16 580 struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
6fa9201a898983 John Fastabend 2020-11-16 581 struct sock *sk = psock->sk;
7e6b27a69167f9 John Fastabend 2021-07-12 582 int err;
6fa9201a898983 John Fastabend 2020-11-16 583
6fa9201a898983 John Fastabend 2020-11-16 584 if (unlikely(!msg))
6fa9201a898983 John Fastabend 2020-11-16 585 return -EAGAIN;
6fa9201a898983 John Fastabend 2020-11-16 586 sk_msg_init(msg);
144748eb0c4450 John Fastabend 2021-04-01 587 skb_set_owner_r(skb, sk);
7303524e04af49 Liu Jian 2021-10-29 588 err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
7e6b27a69167f9 John Fastabend 2021-07-12 589 if (err < 0)
7e6b27a69167f9 John Fastabend 2021-07-12 @590 kfree(msg);
7e6b27a69167f9 John Fastabend 2021-07-12 591 return err;
6fa9201a898983 John Fastabend 2020-11-16 592 }
6fa9201a898983 John Fastabend 2020-11-16 593
:::::: The code@line 590 was first introduced by commit
:::::: 7e6b27a69167f97c56b5437871d29e9722c3e470 bpf, sockmap: Fix potential memory leak on unlikely error case
:::::: TO: John Fastabend <john.fastabend@gmail.com>
:::::: CC: Daniel Borkmann <daniel@iogearbox.net>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-01-16 11:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-01-16 11:54 [peterz-queue:x86/wip.ibt 2/15] net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc] kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.