From mboxrd@z Thu Jan 1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============6458273136182610094=="
MIME-Version: 1.0
From: kernel test robot
Subject: [peterz-queue:x86/wip.ibt 2/15] net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-analyzer-unix.Malloc]
Date: Sun, 16 Jan 2022 19:54:09 +0800
Message-ID: <202201161902.L3byQ6EP-lkp@intel.com>
List-Id:
To: kbuild@lists.01.org

--===============6458273136182610094==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

CC: llvm@lists.linux.dev
CC: kbuild-all@lists.01.org
CC: linux-kernel@vger.kernel.org
TO: Peter Zijlstra

tree: https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git x86/wip.ibt
head: 7b31f08c5f3fb5f3cfd75deb24787569f35315d5
commit: f348a305ec94fcc9a5ac3aefb53dbf2269f26e18 [2/15] x86: Annotate _THIS_IP_
:::::: branch date: 2 days ago
:::::: commit date: 2 days ago
config: i386-randconfig-c001 (https://download.01.org/0day-ci/archive/20220116/202201161902.L3byQ6EP-lkp@intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 650fc40b6d8d9a5869b4fca525d5f237b0ee2803)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git/commit/?id=f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
        git remote add peterz-queue https://git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git
        git fetch --no-tags peterz-queue x86/wip.ibt
        git checkout f348a305ec94fcc9a5ac3aefb53dbf2269f26e18
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=i386 clang-analyzer

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot

clang-analyzer warnings: (new ones prefixed by >>)
include/linux/printk.h:421:3: note: expanded from macro
'printk_index_wr= ap' __printk_index_emit(_fmt, NULL, NULL); \ ^ include/linux/printk.h:374:7: note: expanded from macro '__printk_index_= emit' if (__builtin_constant_p(_fmt) && __builtin_constant_p(_= level)) { \ ^ include/linux/hid.h:1011:3: note: Taking true branch pr_warn_ratelimited("%s: Invalid code %d type %d\n", ^ include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelim= ited' printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__) ^ include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimi= ted' printk(fmt, ##__VA_ARGS__); \ ^ include/linux/printk.h:450:26: note: expanded from macro 'printk' #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ^ include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wr= ap' __printk_index_emit(_fmt, NULL, NULL); \ ^ include/linux/printk.h:374:3: note: expanded from macro '__printk_index_= emit' if (__builtin_constant_p(_fmt) && __builtin_constant_p(_= level)) { \ ^ include/linux/compiler.h:56:23: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/hid.h:1011:3: note: '?' condition is true pr_warn_ratelimited("%s: Invalid code %d type %d\n", ^ include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelim= ited' printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__) ^ include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimi= ted' printk(fmt, ##__VA_ARGS__); \ ^ include/linux/printk.h:450:26: note: expanded from macro 'printk' #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ^ include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wr= ap' __printk_index_emit(_fmt, NULL, NULL); \ ^ include/linux/printk.h:383:12: note: expanded from macro '__printk_index= _emit' .fmt =3D __builtin_constant_p(_fmt) ? (_= fmt) : NULL, \ ^ include/linux/hid.h:1011:3: note: '?' 
condition is true pr_warn_ratelimited("%s: Invalid code %d type %d\n", ^ include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelim= ited' printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__) ^ include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimi= ted' printk(fmt, ##__VA_ARGS__); \ ^ include/linux/printk.h:450:26: note: expanded from macro 'printk' #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ^ include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wr= ap' __printk_index_emit(_fmt, NULL, NULL); \ ^ include/linux/printk.h:387:14: note: expanded from macro '__printk_index= _emit' .level =3D __builtin_constant_p(_level) = ? (_level) : NULL, \ ^ include/linux/hid.h:1011:3: note: Loop condition is false. Exiting loop pr_warn_ratelimited("%s: Invalid code %d type %d\n", ^ include/linux/printk.h:660:2: note: expanded from macro 'pr_warn_ratelim= ited' printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__) ^ include/linux/printk.h:644:3: note: expanded from macro 'printk_ratelimi= ted' printk(fmt, ##__VA_ARGS__); \ ^ include/linux/printk.h:450:26: note: expanded from macro 'printk' #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ^ include/linux/printk.h:421:3: note: expanded from macro 'printk_index_wr= ap' __printk_index_emit(_fmt, NULL, NULL); \ ^ include/linux/printk.h:373:2: note: expanded from macro '__printk_index_= emit' do { \ ^ include/linux/hid.h:1012:9: note: Access to field 'name' results in a de= reference of a null pointer (loaded from variable 'input') input->name, c, type); ^ include/linux/printk.h:660:49: note: expanded from macro 'pr_warn_rateli= mited' printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__) ^~~~~~~~~~~ include/linux/printk.h:644:17: note: expanded from macro 'printk_ratelim= ited' printk(fmt, ##__VA_ARGS__); \ ^~~~~~~~~~~ include/linux/printk.h:450:60: note: expanded from macro 'printk' #define printk(fmt, ...) 
printk_index_wrap(_printk, fmt, ##__VA_ARGS__) ^~~~~~~~~~~ include/linux/printk.h:422:19: note: expanded from macro 'printk_index_w= rap' _p_func(_fmt, ##__VA_ARGS__); \ ^~~~~~~~~~~ 1 warning generated. Suppressed 1 warnings (1 in non-user code). Use -header-filter=3D.* to display errors from all non-system headers. U= se -system-headers to display errors from system headers as well. 2 warnings generated. >> net/core/skmsg.c:590:3: warning: Attempt to free released memory [clang-= analyzer-unix.Malloc] kfree(msg); ^ net/core/skmsg.c:960:2: note: Control jumps to 'case __SK_PASS:' at lin= e 961 switch (verdict) { ^ net/core/skmsg.c:964:7: note: Assuming the condition is true if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:47: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^~~~ include/linux/compiler.h:58:52: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) ^~~~ net/core/skmsg.c:964:38: note: Left side of '||' is true if (sock_flag(sk_other, SOCK_DEAD) || ^ net/core/skmsg.c:964:3: note: '?' condition is false if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) ^ net/core/skmsg.c:964:7: note: Assuming the condition is true if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:47: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^~~~ include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? 
(cond) : __tr= ace_if_value(cond)) = ^~~~ include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_val= ue' (cond) ? \ ^~~~ net/core/skmsg.c:964:38: note: Left side of '||' is true if (sock_flag(sk_other, SOCK_DEAD) || ^ net/core/skmsg.c:964:3: note: Assuming the condition is false if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:44: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) ~~~~= ~~~~~~~~~~~~~^~~~~ include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_val= ue' (cond) ? \ ^~~~ net/core/skmsg.c:964:3: note: '?' condition is false if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) ^ include/linux/compiler.h:69:2: note: expanded from macro '__trace_if_val= ue' (cond) ? \ ^ net/core/skmsg.c:964:3: note: Taking false branch if (sock_flag(sk_other, SOCK_DEAD) || ^ include/linux/compiler.h:56:23: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ net/core/skmsg.c:978:3: note: '?' condition is false if (skb_queue_empty(&psock->ingress_skb)) { ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:31: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? 
(cond) : __tr= ace_if_value(cond)) ^ net/core/skmsg.c:978:3: note: Assuming the condition is true if (skb_queue_empty(&psock->ingress_skb)) { ^ include/linux/compiler.h:56:44: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/compiler.h:58:86: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) ~~~~= ~~~~~~~~~~~~~^~~~~ include/linux/compiler.h:69:3: note: expanded from macro '__trace_if_val= ue' (cond) ? \ ^~~~ net/core/skmsg.c:978:3: note: '?' condition is true if (skb_queue_empty(&psock->ingress_skb)) { ^ include/linux/compiler.h:56:28: note: expanded from macro 'if' #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) ) ^ include/linux/compiler.h:58:69: note: expanded from macro '__trace_if_va= r' #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __tr= ace_if_value(cond)) vim +590 net/core/skmsg.c 6fa9201a898983 John Fastabend 2020-11-16 572 = 6fa9201a898983 John Fastabend 2020-11-16 573 /* Puts an skb on the ingres= s queue of the socket already assigned to the 6fa9201a898983 John Fastabend 2020-11-16 574 * skb. In this case we do n= ot need to check memory limits or skb_set_owner_r 6fa9201a898983 John Fastabend 2020-11-16 575 * because the skb is alread= y accounted for here. 
6fa9201a898983 John Fastabend 2020-11-16  576   */
7303524e04af49 Liu Jian       2021-10-29  577  static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
7303524e04af49 Liu Jian       2021-10-29  578  					u32 off, u32 len)
6fa9201a898983 John Fastabend 2020-11-16  579  {
6fa9201a898983 John Fastabend 2020-11-16  580  	struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
6fa9201a898983 John Fastabend 2020-11-16  581  	struct sock *sk = psock->sk;
7e6b27a69167f9 John Fastabend 2021-07-12  582  	int err;
6fa9201a898983 John Fastabend 2020-11-16  583
6fa9201a898983 John Fastabend 2020-11-16  584  	if (unlikely(!msg))
6fa9201a898983 John Fastabend 2020-11-16  585  		return -EAGAIN;
6fa9201a898983 John Fastabend 2020-11-16  586  	sk_msg_init(msg);
144748eb0c4450 John Fastabend 2021-04-01  587  	skb_set_owner_r(skb, sk);
7303524e04af49 Liu Jian       2021-10-29  588  	err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
7e6b27a69167f9 John Fastabend 2021-07-12  589  	if (err < 0)
7e6b27a69167f9 John Fastabend 2021-07-12 @590  		kfree(msg);
7e6b27a69167f9 John Fastabend 2021-07-12  591  	return err;
6fa9201a898983 John Fastabend 2020-11-16  592  }
6fa9201a898983 John Fastabend 2020-11-16  593

:::::: The code at line 590 was first introduced by commit
:::::: 7e6b27a69167f97c56b5437871d29e9722c3e470 bpf, sockmap: Fix potential memory leak on unlikely error case

:::::: TO: John Fastabend
:::::: CC: Daniel Borkmann

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

--===============6458273136182610094==--