From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: io_uring/rw.c:382:17: warning: use of uninitialized value '<unknown>' [CWE-457]
Date: Mon, 08 Aug 2022 16:33:42 +0800
Message-ID: <202208081640.uCDfbp65-lkp@intel.com>

:::::: 
:::::: Manual check reason: "low confidence bisect report"
:::::: Manual check reason: "low confidence static check warning: io_uring/rw.c:382:17: warning: use of uninitialized value '<unknown>' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]"
:::::: 

BCC: lkp(a)intel.com
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Jens Axboe <axboe@kernel.dk>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   4e23eeebb2e57f5a28b36221aa776b5a1122dde5
commit: f3b44f92e59a804cf375479bda0bccbf4b6e6ef6 io_uring: move read/write related opcodes to its own file
date:   2 weeks ago
:::::: branch date: 8 hours ago
:::::: commit date: 2 weeks ago
config: arm-randconfig-c002-20220804 (https://download.01.org/0day-ci/archive/20220808/202208081640.uCDfbp65-lkp(a)intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f3b44f92e59a804cf375479bda0bccbf4b6e6ef6
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout f3b44f92e59a804cf375479bda0bccbf4b6e6ef6
        # save the config file
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross ARCH=arm KBUILD_USERCFLAGS='-fanalyzer -Wno-error' 

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>

gcc-analyzer warnings: (new ones prefixed by >>)
       |
     'io_do_iopoll': event 5
       |
       |cc1:
       | (5): ...to here
       |
     'io_do_iopoll': event 6
       |
       | 1076 |         wq_list_for_each_resume(pos, prev) {
       |      |                                 ^~~
       |      |                                 |
       |      |                                 (6) following 'true' branch (when 'pos' is non-NULL)...
   io_uring/io-wq.h:36:16: note: in definition of macro 'wq_list_for_each_resume'
       |   36 |         for (; pos; prv = pos, pos = (pos)->next)
       |      |                ^~~
       |
     'io_do_iopoll': events 7-12
       |
       |io_uring/rw.c:1077:17:
       | 1077 |                 struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list);
       |      |                 ^~~~~~
       |      |                 |
       |      |                 (7) ...to here
       |......
       | 1080 |                 if (!smp_load_acquire(&req->iopoll_completed))
       |      |                    ~
       |      |                    |
       |      |                    (8) following 'false' branch...
       | 1081 |                         break;
       | 1082 |                 nr_events++;
       |      |                 ~~~~~~~~~
       |      |                 |
       |      |                 (9) ...to here
       | 1083 |                 if (unlikely(req->flags & REQ_F_CQE_SKIP))
       |      |                    ~
       |      |                    |
       |      |                    (10) following 'false' branch...
       |......
       | 1086 |                 req->cqe.flags = io_put_kbuf(req, 0);
       |      |                 ~~~              ~~~~~~~~~~~~~~~~~~~
       |      |                 |                |
       |      |                 (11) ...to here  (12) calling 'io_put_kbuf' from 'io_do_iopoll'
       |
       +--> 'io_put_kbuf': events 13-18
              |
              |io_uring/kbuf.h:105:28:
              |  105 | static inline unsigned int io_put_kbuf(struct io_kiocb *req,
              |      |                            ^~~~~~~~~~~
              |      |                            |
              |      |                            (13) entry to 'io_put_kbuf'
              |......
              |  110 |         if (!(req->flags & (REQ_F_BUFFER_SELECTED|REQ_F_BUFFER_RING)))
              |      |            ~                
              |      |            |
              |      |            (14) following 'false' branch...
              |......
              |  125 |         if (req->flags & REQ_F_BUFFER_RING) {
              |      |         ~~ ~                
              |      |         |  |
              |      |         |  (16) following 'true' branch...
              |      |         (15) ...to here
              |  126 |                 /* no buffers to recycle for this case */
              |  127 |                 cflags = __io_put_kbuf(req, NULL);
              |      |                 ~~~~~~   ~~~~~~~~~~~~~~~~~~~~~~~~
              |      |                 |        |
              |      |                 |        (18) calling '__io_put_kbuf' from 'io_put_kbuf'
              |      |                 (17) ...to here
              |
              +--> '__io_put_kbuf': events 19-22
                     |
                     |   82 | static unsigned int __io_put_kbuf(struct io_kiocb *req, struct list_head *list)
                     |      |                     ^~~~~~~~~~~~~
                     |      |                     |
                     |      |                     (19) entry to '__io_put_kbuf'
                     |   83 | {
                     |   84 |         if (req->flags & REQ_F_BUFFER_RING) {
                     |      |            ~         
                     |      |            |
                     |      |            (20) following 'false' branch...
                     |......
                     |   89 |                 list_add(&req->kbuf->list, list);
                     |      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     |      |                 |
                     |      |                 (21) ...to here
                     |      |                 (22) calling 'list_add' from '__io_put_kbuf'
                     |
                     +--> 'list_add': events 23-24
                            |
                            |include/linux/list.h:86:20:
                            |   86 | static inline void list_add(struct list_head *new, struct list_head *head)
                            |      |                    ^~~~~~~~
                            |      |                    |
                            |      |                    (23) entry to 'list_add'
                            |   87 | {
                            |   88 |         __list_add(new, head, head->next);
                            |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                            |      |         |
                            |      |         (24) dereference of NULL 'head'
                            |
   io_uring/rw.c: In function '__io_iov_buffer_select':
>> io_uring/rw.c:382:17: warning: use of uninitialized value '<unknown>' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
     382 |         ssize_t len;
         |                 ^~~
     'io_write': events 1-4
       |
       |  916 | int io_write(struct io_kiocb *req, unsigned int issue_flags)
       |      |     ^~~~~~~~
       |      |     |
       |      |     (1) entry to 'io_write'
       |......
       |  926 |         if (!req_has_async_data(req)) {
       |      |            ~
       |      |            |
       |      |            (2) following 'true' branch...
       |  927 |                 ret = io_import_iovec(WRITE, req, &iovec, s, issue_flags);
       |      |                 ~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       |      |                 |     |
       |      |                 |     (4) calling 'io_import_iovec' from 'io_write'
       |      |                 (3) ...to here
       |
       +--> 'io_import_iovec': events 5-6
              |
              |  473 | static inline int io_import_iovec(int rw, struct io_kiocb *req,
              |      |                   ^~~~~~~~~~~~~~~
              |      |                   |
              |      |                   (5) entry to 'io_import_iovec'
              |......
              |  477 |         *iovec = __io_import_iovec(rw, req, s, issue_flags);
              |      |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              |      |                  |
              |      |                  (6) calling '__io_import_iovec' from 'io_import_iovec'
              |
              +--> '__io_import_iovec': events 7-14
                     |
                     |  420 | static struct iovec *__io_import_iovec(int ddir, struct io_kiocb *req,
                     |      |                      ^~~~~~~~~~~~~~~~~
                     |      |                      |
                     |      |                      (7) entry to '__io_import_iovec'
                     |......
                     |  432 |         if (opcode == IORING_OP_READ_FIXED || opcode == IORING_OP_WRITE_FIXED) {
                     |      |            ~          
                     |      |            |
                     |      |            (8) following 'false' branch...
                     |......
                     |  439 |         buf = u64_to_user_ptr(rw->addr);
                     |      |         ~~~           
                     |      |         |
                     |      |         (9) ...to here
                     |......
                     |  442 |         if (opcode == IORING_OP_READ || opcode == IORING_OP_WRITE) {
                     |      |            ~          
                     |      |            |
                     |      |            (10) following 'false' branch...
                     |......
                     |  457 |         iovec = s->fast_iov;
                     |      |         ~~~~~         
                     |      |         |
                     |      |         (11) ...to here
                     |  458 |         if (req->flags & REQ_F_BUFFER_SELECT) {
                     |      |            ~          
                     |      |            |
                     |      |            (12) following 'true' branch...
                     |  459 |                 ret = io_iov_buffer_select(req, iovec, issue_flags);
                     |      |                 ~~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                     |      |                 |     |
                     |      |                 |     (14) calling 'io_iov_buffer_select' from '__io_import_iovec'
                     |      |                 (13) ...to here
                     |
                     +--> 'io_iov_buffer_select': events 15-20
                            |
                            |  399 | static ssize_t io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
                            |      |                ^~~~~~~~~~~~~~~~~~~~
                            |      |                |
                            |      |                (15) entry to 'io_iov_buffer_select'
                            |......
                            |  404 |         if (req->flags & (REQ_F_BUFFER_SELECTED|REQ_F_BUFFER_RING)) {
                            |      |            ~    
                            |      |            |
                            |      |            (16) following 'false' branch...
                            |......
                            |  409 |         if (rw->len != 1)
                            |      |         ~~ ~    
                            |      |         |  |
                            |      |         |  (18) following 'false' branch...
                            |      |         (17) ...to here
                            |......
                            |  417 |         return __io_iov_buffer_select(req, iov, issue_flags);
                            |      |         ~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                            |      |         |      |
                            |      |         |      (20) calling '__io_iov_buffer_select' from 'io_iov_buffer_select'
                            |      |         (19) ...to here
                            |
                            +--> '__io_iov_buffer_select': events 21-22
                                   |
                                   |  376 | static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
                                   |      |                ^~~~~~~~~~~~~~~~~~~~~~
                                   |      |                |
                                   |      |                (21) entry to '__io_iov_buffer_select'
                                   |......
                                   |  382 |         ssize_t len;
                                   |      |                 ~~~

vim +382 io_uring/rw.c

f3b44f92e59a80 Jens Axboe 2022-06-13  375  
f3b44f92e59a80 Jens Axboe 2022-06-13  376  static ssize_t __io_iov_buffer_select(struct io_kiocb *req, struct iovec *iov,
f3b44f92e59a80 Jens Axboe 2022-06-13  377  				      unsigned int issue_flags)
f3b44f92e59a80 Jens Axboe 2022-06-13  378  {
f3b44f92e59a80 Jens Axboe 2022-06-13  379  	struct io_rw *rw = io_kiocb_to_cmd(req);
f3b44f92e59a80 Jens Axboe 2022-06-13  380  	struct iovec __user *uiov = u64_to_user_ptr(rw->addr);
f3b44f92e59a80 Jens Axboe 2022-06-13  381  	void __user *buf;
f3b44f92e59a80 Jens Axboe 2022-06-13 @382  	ssize_t len;
f3b44f92e59a80 Jens Axboe 2022-06-13  383  
f3b44f92e59a80 Jens Axboe 2022-06-13  384  	if (copy_from_user(iov, uiov, sizeof(*uiov)))
f3b44f92e59a80 Jens Axboe 2022-06-13  385  		return -EFAULT;
f3b44f92e59a80 Jens Axboe 2022-06-13  386  
f3b44f92e59a80 Jens Axboe 2022-06-13  387  	len = iov[0].iov_len;
f3b44f92e59a80 Jens Axboe 2022-06-13  388  	if (len < 0)
f3b44f92e59a80 Jens Axboe 2022-06-13  389  		return -EINVAL;
f3b44f92e59a80 Jens Axboe 2022-06-13  390  	buf = io_buffer_select(req, &len, issue_flags);
f3b44f92e59a80 Jens Axboe 2022-06-13  391  	if (!buf)
f3b44f92e59a80 Jens Axboe 2022-06-13  392  		return -ENOBUFS;
f3b44f92e59a80 Jens Axboe 2022-06-13  393  	rw->addr = (unsigned long) buf;
f3b44f92e59a80 Jens Axboe 2022-06-13  394  	iov[0].iov_base = buf;
f3b44f92e59a80 Jens Axboe 2022-06-13  395  	rw->len = iov[0].iov_len = len;
f3b44f92e59a80 Jens Axboe 2022-06-13  396  	return 0;
f3b44f92e59a80 Jens Axboe 2022-06-13  397  }
f3b44f92e59a80 Jens Axboe 2022-06-13  398  

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
