* arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
@ 2026-04-11 1:27 kernel test robot
2026-04-11 7:57 ` Dan Carpenter
2026-04-11 8:13 ` Anton Ivanov
0 siblings, 2 replies; 4+ messages in thread
From: kernel test robot @ 2026-04-11 1:27 UTC (permalink / raw)
To: oe-kbuild; +Cc: lkp, Dan Carpenter
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Tiwei Bie <tiwei.btw@antgroup.com>
CC: Johannes Berg <johannes.berg@intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 7c6c4ed80b874f721bc7c2c937e098c56e37d2f0
commit: b555cb66583e99158cfef8e91c025252cefae55b um: vector: Eliminate the dependency on uml_net
date: 11 months ago
:::::: branch date: 10 hours ago
:::::: commit date: 11 months ago
config: um-randconfig-r072-20260411 (https://download.01.org/0day-ci/archive/20260411/202604110937.MLUL70Lx-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project ae825cb8cea7f3ac8e5e4096f22713845cf5e501)
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Fixes: b555cb66583e ("um: vector: Eliminate the dependency on uml_net")
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202604110937.MLUL70Lx-lkp@intel.com/
smatch warnings:
arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
vim +/qi +471 arch/um/drivers/vector_kern.c
49da7e64f33e80 Anton Ivanov 2017-11-20 459
49da7e64f33e80 Anton Ivanov 2017-11-20 460 /* Queue destructor. Deliberately stateless so we can use
49da7e64f33e80 Anton Ivanov 2017-11-20 461 * it in queue cleanup if initialization fails.
49da7e64f33e80 Anton Ivanov 2017-11-20 462 */
49da7e64f33e80 Anton Ivanov 2017-11-20 463
49da7e64f33e80 Anton Ivanov 2017-11-20 464 static void destroy_queue(struct vector_queue *qi)
49da7e64f33e80 Anton Ivanov 2017-11-20 465 {
49da7e64f33e80 Anton Ivanov 2017-11-20 466 int i;
49da7e64f33e80 Anton Ivanov 2017-11-20 467 struct iovec *iov;
49da7e64f33e80 Anton Ivanov 2017-11-20 @468 struct vector_private *vp = netdev_priv(qi->dev);
49da7e64f33e80 Anton Ivanov 2017-11-20 469 struct mmsghdr *mmsg_vector;
49da7e64f33e80 Anton Ivanov 2017-11-20 470
49da7e64f33e80 Anton Ivanov 2017-11-20 @471 if (qi == NULL)
49da7e64f33e80 Anton Ivanov 2017-11-20 472 return;
49da7e64f33e80 Anton Ivanov 2017-11-20 473 /* deallocate any skbuffs - we rely on any unused to be
49da7e64f33e80 Anton Ivanov 2017-11-20 474 * set to NULL.
49da7e64f33e80 Anton Ivanov 2017-11-20 475 */
49da7e64f33e80 Anton Ivanov 2017-11-20 476 if (qi->skbuff_vector != NULL) {
49da7e64f33e80 Anton Ivanov 2017-11-20 477 for (i = 0; i < qi->max_depth; i++) {
49da7e64f33e80 Anton Ivanov 2017-11-20 478 if (*(qi->skbuff_vector + i) != NULL)
49da7e64f33e80 Anton Ivanov 2017-11-20 479 dev_kfree_skb_any(*(qi->skbuff_vector + i));
49da7e64f33e80 Anton Ivanov 2017-11-20 480 }
49da7e64f33e80 Anton Ivanov 2017-11-20 481 kfree(qi->skbuff_vector);
49da7e64f33e80 Anton Ivanov 2017-11-20 482 }
49da7e64f33e80 Anton Ivanov 2017-11-20 483 /* deallocate matching IOV structures including header buffs */
49da7e64f33e80 Anton Ivanov 2017-11-20 484 if (qi->mmsg_vector != NULL) {
49da7e64f33e80 Anton Ivanov 2017-11-20 485 mmsg_vector = qi->mmsg_vector;
49da7e64f33e80 Anton Ivanov 2017-11-20 486 for (i = 0; i < qi->max_depth; i++) {
49da7e64f33e80 Anton Ivanov 2017-11-20 487 iov = mmsg_vector->msg_hdr.msg_iov;
49da7e64f33e80 Anton Ivanov 2017-11-20 488 if (iov != NULL) {
49da7e64f33e80 Anton Ivanov 2017-11-20 489 if ((vp->header_size > 0) &&
49da7e64f33e80 Anton Ivanov 2017-11-20 490 (iov->iov_base != NULL))
49da7e64f33e80 Anton Ivanov 2017-11-20 491 kfree(iov->iov_base);
49da7e64f33e80 Anton Ivanov 2017-11-20 492 kfree(iov);
49da7e64f33e80 Anton Ivanov 2017-11-20 493 }
49da7e64f33e80 Anton Ivanov 2017-11-20 494 mmsg_vector++;
49da7e64f33e80 Anton Ivanov 2017-11-20 495 }
49da7e64f33e80 Anton Ivanov 2017-11-20 496 kfree(qi->mmsg_vector);
49da7e64f33e80 Anton Ivanov 2017-11-20 497 }
49da7e64f33e80 Anton Ivanov 2017-11-20 498 kfree(qi);
49da7e64f33e80 Anton Ivanov 2017-11-20 499 }
49da7e64f33e80 Anton Ivanov 2017-11-20 500
:::::: The code at line 471 was first introduced by commit
:::::: 49da7e64f33e80edffb1a9eeb230fa4c3f42dffb High Performance UML Vector Network Driver
:::::: TO: Anton Ivanov <anton.ivanov@cambridgegreys.com>
:::::: CC: Richard Weinberger <richard@nod.at>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
2026-04-11 1:27 arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468) kernel test robot
@ 2026-04-11 7:57 ` Dan Carpenter
2026-04-11 8:13 ` Anton Ivanov
1 sibling, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2026-04-11 7:57 UTC (permalink / raw)
To: oe-kbuild, Tiwei Bie
Cc: lkp, oe-kbuild-all, linux-kernel, Johannes Berg, Anton Ivanov
[ Obviously, the commit just did COMPILE_TEST or something. Anyway... -dan ]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 7c6c4ed80b874f721bc7c2c937e098c56e37d2f0
commit: b555cb66583e99158cfef8e91c025252cefae55b um: vector: Eliminate the dependency on uml_net
config: um-randconfig-r072-20260411 (https://download.01.org/0day-ci/archive/20260411/202604110937.MLUL70Lx-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project ae825cb8cea7f3ac8e5e4096f22713845cf5e501)
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Fixes: b555cb66583e ("um: vector: Eliminate the dependency on uml_net")
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202604110937.MLUL70Lx-lkp@intel.com/
smatch warnings:
arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
vim +/qi +471 arch/um/drivers/vector_kern.c
49da7e64f33e80 Anton Ivanov 2017-11-20 464 static void destroy_queue(struct vector_queue *qi)
49da7e64f33e80 Anton Ivanov 2017-11-20 465 {
49da7e64f33e80 Anton Ivanov 2017-11-20 466 int i;
49da7e64f33e80 Anton Ivanov 2017-11-20 467 struct iovec *iov;
49da7e64f33e80 Anton Ivanov 2017-11-20 @468 struct vector_private *vp = netdev_priv(qi->dev);
^^^^^^^
Dereference
49da7e64f33e80 Anton Ivanov 2017-11-20 469 struct mmsghdr *mmsg_vector;
49da7e64f33e80 Anton Ivanov 2017-11-20 470
49da7e64f33e80 Anton Ivanov 2017-11-20 @471 if (qi == NULL)
^^^^^^^^^^
Checked too late.
49da7e64f33e80 Anton Ivanov 2017-11-20 472 return;
49da7e64f33e80 Anton Ivanov 2017-11-20 473 /* deallocate any skbuffs - we rely on any unused to be
49da7e64f33e80 Anton Ivanov 2017-11-20 474 * set to NULL.
49da7e64f33e80 Anton Ivanov 2017-11-20 475 */
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
2026-04-11 1:27 arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468) kernel test robot
2026-04-11 7:57 ` Dan Carpenter
@ 2026-04-11 8:13 ` Anton Ivanov
2026-04-11 10:24 ` Tiwei Bie
1 sibling, 1 reply; 4+ messages in thread
From: Anton Ivanov @ 2026-04-11 8:13 UTC (permalink / raw)
To: Dan Carpenter, oe-kbuild, Tiwei Bie
Cc: lkp, oe-kbuild-all, linux-kernel, Johannes Berg
On 11/04/2026 08:57, Dan Carpenter wrote:
> [ Obviously, the commit just did COMPILE_TEST or something. Anyway... -dan ]
>
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: 7c6c4ed80b874f721bc7c2c937e098c56e37d2f0
> commit: b555cb66583e99158cfef8e91c025252cefae55b um: vector: Eliminate the dependency on uml_net
> config: um-randconfig-r072-20260411 (https://download.01.org/0day-ci/archive/20260411/202604110937.MLUL70Lx-lkp@intel.com/config)
> compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project ae825cb8cea7f3ac8e5e4096f22713845cf5e501)
> smatch: v0.5.0-9004-gb810ac53
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Fixes: b555cb66583e ("um: vector: Eliminate the dependency on uml_net")
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <error27@gmail.com>
> | Closes: https://lore.kernel.org/r/202604110937.MLUL70Lx-lkp@intel.com/
>
> smatch warnings:
> arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
>
> vim +/qi +471 arch/um/drivers/vector_kern.c
>
> 49da7e64f33e80 Anton Ivanov 2017-11-20 464 static void destroy_queue(struct vector_queue *qi)
> 49da7e64f33e80 Anton Ivanov 2017-11-20 465 {
> 49da7e64f33e80 Anton Ivanov 2017-11-20 466 int i;
> 49da7e64f33e80 Anton Ivanov 2017-11-20 467 struct iovec *iov;
> 49da7e64f33e80 Anton Ivanov 2017-11-20 @468 struct vector_private *vp = netdev_priv(qi->dev);
> ^^^^^^^
> Dereference
>
> 49da7e64f33e80 Anton Ivanov 2017-11-20 469 struct mmsghdr *mmsg_vector;
> 49da7e64f33e80 Anton Ivanov 2017-11-20 470
> 49da7e64f33e80 Anton Ivanov 2017-11-20 @471 if (qi == NULL)
> ^^^^^^^^^^
> Checked too late.
>
> 49da7e64f33e80 Anton Ivanov 2017-11-20 472 return;
> 49da7e64f33e80 Anton Ivanov 2017-11-20 473 /* deallocate any skbuffs - we rely on any unused to be
> 49da7e64f33e80 Anton Ivanov 2017-11-20 474 * set to NULL.
> 49da7e64f33e80 Anton Ivanov 2017-11-20 475 */
>
It has been used for quite a while, so surprising that it was not caught
earlier.
And no, it was not just a "compile test".
--
Anton R. Ivanov
Cambridgegreys Limited. Registered in England. Company Number 10273661
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
2026-04-11 8:13 ` Anton Ivanov
@ 2026-04-11 10:24 ` Tiwei Bie
0 siblings, 0 replies; 4+ messages in thread
From: Tiwei Bie @ 2026-04-11 10:24 UTC (permalink / raw)
To: anton.ivanov, error27
Cc: johannes.berg, linux-kernel, lkp, oe-kbuild-all, oe-kbuild,
tiwei.btw
On Sat, 11 Apr 2026 09:13:54 +0100, Anton Ivanov wrote:
> On 11/04/2026 08:57, Dan Carpenter wrote:
> > [ Obviously, the commit just did COMPILE_TEST or something. Anyway... -dan ]
> >
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > head: 7c6c4ed80b874f721bc7c2c937e098c56e37d2f0
> > commit: b555cb66583e99158cfef8e91c025252cefae55b um: vector: Eliminate the dependency on uml_net
> > config: um-randconfig-r072-20260411 (https://download.01.org/0day-ci/archive/20260411/202604110937.MLUL70Lx-lkp@intel.com/config)
> > compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project ae825cb8cea7f3ac8e5e4096f22713845cf5e501)
> > smatch: v0.5.0-9004-gb810ac53
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Fixes: b555cb66583e ("um: vector: Eliminate the dependency on uml_net")
> > | Reported-by: kernel test robot <lkp@intel.com>
> > | Reported-by: Dan Carpenter <error27@gmail.com>
> > | Closes: https://lore.kernel.org/r/202604110937.MLUL70Lx-lkp@intel.com/
> >
> > smatch warnings:
> > arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
> >
> > vim +/qi +471 arch/um/drivers/vector_kern.c
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 464 static void destroy_queue(struct vector_queue *qi)
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 465 {
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 466 int i;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 467 struct iovec *iov;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 @468 struct vector_private *vp = netdev_priv(qi->dev);
> > ^^^^^^^
> > Dereference
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 469 struct mmsghdr *mmsg_vector;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 470
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 @471 if (qi == NULL)
> > ^^^^^^^^^^
> > Checked too late.
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 472 return;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 473 /* deallocate any skbuffs - we rely on any unused to be
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 474 * set to NULL.
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 475 */
> >
> It has been used for quite a while, so surprising that it was not caught
> earlier.
>
> And no, it was not just a "compile test".
+1, I use it often. It was not just a compile test.
All callers of destroy_queue() already perform a NULL check, so qi will
never actually be NULL (I guess that's why it wasn't caught earlier):
https://github.com/torvalds/linux/blob/e774d5f1bc27a85f858bce7688509e866f8e8a4e/arch/um/drivers/vector_kern.c#L583
https://github.com/torvalds/linux/blob/e774d5f1bc27a85f858bce7688509e866f8e8a4e/arch/um/drivers/vector_kern.c#L1147-L1150
Regards,
Tiwei
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-11 10:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-11 1:27 arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468) kernel test robot
2026-04-11 7:57 ` Dan Carpenter
2026-04-11 8:13 ` Anton Ivanov
2026-04-11 10:24 ` Tiwei Bie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox