CC: [email protected]
CC: [email protected]
CC: [email protected]
TO: Duoming Zhou <[email protected]>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   90c9e950c0def5c354b4a6154a2ddda3e5f214ac
commit: d01ffb9eee4af165d83b08dd73ebdf9fe94a519b ax25: add refcount in ax25_dev to avoid UAF bugs
date:   9 days ago
:::::: branch date: 27 hours ago
:::::: commit date: 9 days ago
config: x86_64-randconfig-c007 (https://download.01.org/0day-ci/archive/20220207/[email protected]/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 6daaf5a44925592c764c59219b0024ee06317028)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout d01ffb9eee4af165d83b08dd73ebdf9fe94a519b
        # save the config file to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer

If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <[email protected]>


clang-analyzer warnings: (new ones prefixed by >>)
   fs/reiserfs/fix_node.c:2655:3: note: Taking false branch
                   if (ret != CARRY_ON)
                   ^
   fs/reiserfs/fix_node.c:2663:7: note: 'ret' is equal to CARRY_ON
                   if (ret != CARRY_ON)
                       ^~~
   fs/reiserfs/fix_node.c:2663:3: note: Taking false branch
                   if (ret != CARRY_ON)
                   ^
   fs/reiserfs/fix_node.c:2670:8: note: Field 'pe_buffer' is non-null
                   if (!PATH_H_PBUFFER(tb->tb_path, h)) {
                        ^
   fs/reiserfs/reiserfs.h:2169:4: note: expanded from macro 'PATH_H_PBUFFER'
                           PATH_OFFSET_PBUFFER(path, path->path_length - (h))
                           ^
   fs/reiserfs/reiserfs.h:2148:86: note: expanded from macro 
'PATH_OFFSET_PBUFFER'
   #define PATH_OFFSET_PBUFFER(path, n_offset)   (PATH_OFFSET_PELEMENT(path, 
n_offset)->pe_buffer)
                                                                                
        ^
   fs/reiserfs/fix_node.c:2670:3: note: Taking false branch
                   if (!PATH_H_PBUFFER(tb->tb_path, h)) {
                   ^
   fs/reiserfs/fix_node.c:2677:14: note: Assuming field 'pe_buffer' is null
                   } else if (!PATH_H_PBUFFER(tb->tb_path, h + 1)) {
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/reiserfs/fix_node.c:2677:10: note: Taking true branch
                   } else if (!PATH_H_PBUFFER(tb->tb_path, h + 1)) {
                          ^
   fs/reiserfs/fix_node.c:2684:8: note: Assuming the condition is true
                           if (tb->blknum[h] > 1) {
                               ^~~~~~~~~~~~~~~~~
   fs/reiserfs/fix_node.c:2684:4: note: Taking true branch
                           if (tb->blknum[h] > 1) {
                           ^
   fs/reiserfs/fix_node.c:2686:5: note: Taking false branch
                                   RFALSE(h == MAX_HEIGHT - 1,
                                   ^
   fs/reiserfs/reiserfs.h:918:39: note: expanded from macro 'RFALSE'
   #define RFALSE(cond, format, args...) __RASSERT(!(cond), "!(" #cond ")", 
format, ##args)
                                         ^
   fs/reiserfs/reiserfs.h:909:2: note: expanded from macro '__RASSERT'
           if (!(cond))                                                    \
           ^
   fs/reiserfs/fix_node.c:2686:5: note: Loop condition is false.  Exiting loop
                                   RFALSE(h == MAX_HEIGHT - 1,
                                   ^
   fs/reiserfs/reiserfs.h:918:39: note: expanded from macro 'RFALSE'
   #define RFALSE(cond, format, args...) __RASSERT(!(cond), "!(" #cond ")", 
format, ##args)
                                         ^
   fs/reiserfs/reiserfs.h:907:51: note: expanded from macro '__RASSERT'
   #define __RASSERT(cond, scond, format, args...)                 \
                                                                   ^
   fs/reiserfs/fix_node.c:2630:14: note: 'h' is < MAX_HEIGHT
           for (h = 0; h < MAX_HEIGHT && tb->insert_size[h]; h++) {
                       ^
   fs/reiserfs/fix_node.c:2630:14: note: Left side of '&&' is true
   fs/reiserfs/fix_node.c:2630:2: note: Loop condition is true.  Entering loop 
body
           for (h = 0; h < MAX_HEIGHT && tb->insert_size[h]; h++) {
           ^
   fs/reiserfs/fix_node.c:2631:9: note: Calling 'get_direct_parent'
                   ret = get_direct_parent(tb, h);
                         ^~~~~~~~~~~~~~~~~~~~~~~~
   fs/reiserfs/fix_node.c:2098:6: note: Assuming 'path_offset' is > 
FIRST_PATH_ELEMENT_OFFSET
           if (path_offset <= FIRST_PATH_ELEMENT_OFFSET) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/reiserfs/fix_node.c:2098:2: note: Taking false branch
           if (path_offset <= FIRST_PATH_ELEMENT_OFFSET) {
           ^
   fs/reiserfs/fix_node.c:2115:6: note: Assuming the condition is false
           if (!B_IS_IN_TREE
               ^~~~~~~~~~~~~
   fs/reiserfs/fix_node.c:2115:2: note: Taking false branch
           if (!B_IS_IN_TREE
           ^
   fs/reiserfs/fix_node.c:2119:6: note: Assuming the condition is false
           if ((position =
               ^~~~~~~~~~~
   fs/reiserfs/fix_node.c:2119:2: note: Taking false branch
           if ((position =
           ^
   fs/reiserfs/fix_node.c:2126:6: note: Access to field 'b_blocknr' results in 
a dereference of a null pointer (loaded from field 'pe_buffer')
               PATH_OFFSET_PBUFFER(path, path_offset)->b_blocknr)
               ^
   fs/reiserfs/reiserfs.h:2148:47: note: expanded from macro 
'PATH_OFFSET_PBUFFER'
   #define PATH_OFFSET_PBUFFER(path, n_offset)   (PATH_OFFSET_PELEMENT(path, 
n_offset)->pe_buffer)
                                                 ^                              
        ~~~~~~~~~
   Suppressed 3 warnings (3 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use 
-system-headers to display errors from system headers as well.
   8 warnings generated.
   Suppressed 8 warnings (8 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use 
-system-headers to display errors from system headers as well.
   8 warnings generated.
   Suppressed 8 warnings (8 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use 
-system-headers to display errors from system headers as well.
   8 warnings generated.
   Suppressed 8 warnings (8 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use 
-system-headers to display errors from system headers as well.
   8 warnings generated.
   Suppressed 8 warnings (8 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use 
-system-headers to display errors from system headers as well.
   10 warnings generated.
>> net/ax25/ax25_dev.c:122:3: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
                   ax25_dev_put(ax25_dev);
                   ^            ~~~~~~~~
   net/ax25/ax25_dev.c:98:6: note: Assuming the condition is false
           if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL)
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:98:2: note: Taking false branch
           if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL)
           ^
   net/ax25/ax25_dev.c:112:26: note: Assuming 's' is not equal to NULL
           for (s = ax25_dev_list; s != NULL; s = s->next)
                                   ^~~~~~~~~
   net/ax25/ax25_dev.c:112:2: note: Loop condition is true.  Entering loop body
           for (s = ax25_dev_list; s != NULL; s = s->next)
           ^
   net/ax25/ax25_dev.c:113:7: note: Assuming 'dev' is not equal to field 
'forward'
                   if (s->forward == dev)
                       ^~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:113:3: note: Taking false branch
                   if (s->forward == dev)
                   ^
   net/ax25/ax25_dev.c:112:26: note: Assuming 's' is equal to NULL
           for (s = ax25_dev_list; s != NULL; s = s->next)
                                   ^~~~~~~~~
   net/ax25/ax25_dev.c:112:2: note: Loop condition is false. Execution 
continues on line 116
           for (s = ax25_dev_list; s != NULL; s = s->next)
           ^
   net/ax25/ax25_dev.c:116:6: note: Assuming the condition is true
           if ((s = ax25_dev_list) == ax25_dev) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:116:2: note: Taking true branch
           if ((s = ax25_dev_list) == ax25_dev) {
           ^
   net/ax25/ax25_dev.c:118:3: note: Calling 'ax25_dev_put'
                   ax25_dev_put(ax25_dev);
                   ^~~~~~~~~~~~~~~~~~~~~~
   include/net/ax25.h:302:6: note: Assuming the condition is true
           if (refcount_dec_and_test(&ax25_dev->refcount)) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/net/ax25.h:302:2: note: Taking true branch
           if (refcount_dec_and_test(&ax25_dev->refcount)) {
           ^
   include/net/ax25.h:303:3: note: Memory is released
                   kfree(ax25_dev);
                   ^~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:118:3: note: Returning; memory was released via 1st 
parameter
                   ax25_dev_put(ax25_dev);
                   ^~~~~~~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:122:3: note: Use of memory after it is freed
                   ax25_dev_put(ax25_dev);
                   ^            ~~~~~~~~
   net/ax25/ax25_dev.c:133:4: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
                           ax25_dev_put(ax25_dev);
                           ^            ~~~~~~~~
   net/ax25/ax25_dev.c:98:6: note: Assuming the condition is false
           if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL)
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:98:2: note: Taking false branch
           if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL)
           ^
   net/ax25/ax25_dev.c:112:26: note: Assuming 's' is not equal to NULL
           for (s = ax25_dev_list; s != NULL; s = s->next)
                                   ^~~~~~~~~
   net/ax25/ax25_dev.c:112:2: note: Loop condition is true.  Entering loop body
           for (s = ax25_dev_list; s != NULL; s = s->next)
           ^
   net/ax25/ax25_dev.c:113:7: note: Assuming 'dev' is not equal to field 
'forward'
                   if (s->forward == dev)
                       ^~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:113:3: note: Taking false branch
                   if (s->forward == dev)
                   ^
   net/ax25/ax25_dev.c:112:26: note: Assuming 's' is not equal to NULL
           for (s = ax25_dev_list; s != NULL; s = s->next)
                                   ^~~~~~~~~
   net/ax25/ax25_dev.c:112:2: note: Loop condition is true.  Entering loop body
           for (s = ax25_dev_list; s != NULL; s = s->next)
           ^
   net/ax25/ax25_dev.c:113:7: note: Assuming 'dev' is not equal to field 
'forward'
                   if (s->forward == dev)
                       ^~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:113:3: note: Taking false branch
                   if (s->forward == dev)
                   ^
   net/ax25/ax25_dev.c:112:26: note: Assuming 's' is equal to NULL
           for (s = ax25_dev_list; s != NULL; s = s->next)
                                   ^~~~~~~~~
   net/ax25/ax25_dev.c:112:2: note: Loop condition is false. Execution 
continues on line 116
           for (s = ax25_dev_list; s != NULL; s = s->next)
           ^
   net/ax25/ax25_dev.c:116:6: note: Assuming the condition is false
           if ((s = ax25_dev_list) == ax25_dev) {
               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   net/ax25/ax25_dev.c:116:2: note: Taking false branch
           if ((s = ax25_dev_list) == ax25_dev) {
           ^
   net/ax25/ax25_dev.c:126:9: note: 's' is not equal to NULL
           while (s != NULL && s->next != NULL) {
                  ^
   net/ax25/ax25_dev.c:126:9: note: Left side of '&&' is true
   net/ax25/ax25_dev.c:126:25: note: Field 'next' is not equal to NULL

vim +122 net/ax25/ax25_dev.c

^1da177e4c3f41 Linus Torvalds 2005-04-16  108  
^1da177e4c3f41 Linus Torvalds 2005-04-16  109   /*
^1da177e4c3f41 Linus Torvalds 2005-04-16  110    *      Remove any packet 
forwarding that points to this device.
^1da177e4c3f41 Linus Torvalds 2005-04-16  111    */
^1da177e4c3f41 Linus Torvalds 2005-04-16  112   for (s = ax25_dev_list; s != 
NULL; s = s->next)
^1da177e4c3f41 Linus Torvalds 2005-04-16  113           if (s->forward == dev)
^1da177e4c3f41 Linus Torvalds 2005-04-16  114                   s->forward = 
NULL;
^1da177e4c3f41 Linus Torvalds 2005-04-16  115  
^1da177e4c3f41 Linus Torvalds 2005-04-16  116   if ((s = ax25_dev_list) == 
ax25_dev) {
^1da177e4c3f41 Linus Torvalds 2005-04-16  117           ax25_dev_list = s->next;
d01ffb9eee4af1 Duoming Zhou   2022-01-28  118           ax25_dev_put(ax25_dev);
^1da177e4c3f41 Linus Torvalds 2005-04-16  119           
spin_unlock_bh(&ax25_dev_lock);
c433570458e49b Cong Wang      2018-12-29  120           dev->ax25_ptr = NULL;
66ce07f7802b68 Eric Dumazet   2021-12-06  121           dev_put_track(dev, 
&ax25_dev->dev_tracker);
d01ffb9eee4af1 Duoming Zhou   2022-01-28 @122           ax25_dev_put(ax25_dev);
^1da177e4c3f41 Linus Torvalds 2005-04-16  123           return;
^1da177e4c3f41 Linus Torvalds 2005-04-16  124   }
^1da177e4c3f41 Linus Torvalds 2005-04-16  125  
^1da177e4c3f41 Linus Torvalds 2005-04-16  126   while (s != NULL && s->next != 
NULL) {
^1da177e4c3f41 Linus Torvalds 2005-04-16  127           if (s->next == 
ax25_dev) {
^1da177e4c3f41 Linus Torvalds 2005-04-16  128                   s->next = 
ax25_dev->next;
d01ffb9eee4af1 Duoming Zhou   2022-01-28  129                   
ax25_dev_put(ax25_dev);
^1da177e4c3f41 Linus Torvalds 2005-04-16  130                   
spin_unlock_bh(&ax25_dev_lock);
c433570458e49b Cong Wang      2018-12-29  131                   dev->ax25_ptr = 
NULL;
66ce07f7802b68 Eric Dumazet   2021-12-06  132                   
dev_put_track(dev, &ax25_dev->dev_tracker);
d01ffb9eee4af1 Duoming Zhou   2022-01-28  133                   
ax25_dev_put(ax25_dev);
^1da177e4c3f41 Linus Torvalds 2005-04-16  134                   return;
^1da177e4c3f41 Linus Torvalds 2005-04-16  135           }
^1da177e4c3f41 Linus Torvalds 2005-04-16  136  
^1da177e4c3f41 Linus Torvalds 2005-04-16  137           s = s->next;
^1da177e4c3f41 Linus Torvalds 2005-04-16  138   }
^1da177e4c3f41 Linus Torvalds 2005-04-16  139   spin_unlock_bh(&ax25_dev_lock);
^1da177e4c3f41 Linus Torvalds 2005-04-16  140   dev->ax25_ptr = NULL;
d01ffb9eee4af1 Duoming Zhou   2022-01-28  141   ax25_dev_put(ax25_dev);
^1da177e4c3f41 Linus Torvalds 2005-04-16  142  }
^1da177e4c3f41 Linus Torvalds 2005-04-16  143  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]