CC: [email protected] CC: [email protected] BCC: [email protected] CC: [email protected] TO: Corey Minyard <[email protected]>
tree: https://github.com/cminyard/linux-ipmi for-next head: af82f0f557885a3c021e756230b48de5c4c76347 commit: e622399b18f8efe2e7dd89017b81fa202e44ddf8 [2/12] ipmi: Limit the number of message a user may have outstanding :::::: branch date: 3 days ago :::::: commit date: 3 weeks ago config: arm-randconfig-c002-20220418 (https://download.01.org/0day-ci/archive/20220419/[email protected]/config) compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 429cbac0390654f90bba18a41799464adf31a5ec) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install arm cross compiling tool for clang build # apt-get install binutils-arm-linux-gnueabi # https://github.com/cminyard/linux-ipmi/commit/e622399b18f8efe2e7dd89017b81fa202e44ddf8 git remote add cminyard-ipmi https://github.com/cminyard/linux-ipmi git fetch --no-tags cminyard-ipmi for-next git checkout e622399b18f8efe2e7dd89017b81fa202e44ddf8 # save the config file to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm clang-analyzer If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <[email protected]> clang-analyzer warnings: (new ones prefixed by >>) ^~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:733:2: warning: Attempt to free released memory [clang-analyzer-unix.Malloc] kfree(intf); ^ drivers/char/ipmi/ipmi_msghandler.c:3514:6: note: Assuming field 'in_shutdown' is false if (!intf->in_shutdown) ^~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3514:2: note: Taking true branch if (!intf->in_shutdown) ^ drivers/char/ipmi/ipmi_msghandler.c:3515:3: note: Calling 'bmc_get_device_id' bmc_get_device_id(intf, NULL, NULL, NULL, NULL); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2741:9: note: Calling '__bmc_get_device_id' return __bmc_get_device_id(intf, bmc, id, guid_set, guid, -1); 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2610:18: note: 'intf' is not equal to NULL bool intf_set = intf != NULL; ^~~~ drivers/char/ipmi/ipmi_msghandler.c:2612:7: note: 'intf' is non-null if (!intf) { ^~~~ drivers/char/ipmi/ipmi_msghandler.c:2612:2: note: Taking false branch if (!intf) { ^ drivers/char/ipmi/ipmi_msghandler.c:2639:6: note: Assuming field 'in_bmc_register' is true if (intf->in_bmc_register || ^~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2639:28: note: Left side of '||' is true if (intf->in_bmc_register || ^ drivers/char/ipmi/ipmi_msghandler.c:2641:3: note: Control jumps to line 2719 goto out_noprocessing; ^ drivers/char/ipmi/ipmi_msghandler.c:2719:7: note: 'rv' is 0 if (!rv) { ^~ drivers/char/ipmi/ipmi_msghandler.c:2719:2: note: Taking true branch if (!rv) { ^ drivers/char/ipmi/ipmi_msghandler.c:2720:7: note: 'id' is null if (id) ^~ drivers/char/ipmi/ipmi_msghandler.c:2720:3: note: Taking false branch if (id) ^ drivers/char/ipmi/ipmi_msghandler.c:2723:7: note: 'guid_set' is null if (guid_set) ^~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2723:3: note: Taking false branch if (guid_set) ^ drivers/char/ipmi/ipmi_msghandler.c:2726:7: note: 'guid' is null if (guid && bmc->dyn_guid_set) ^~~~ drivers/char/ipmi/ipmi_msghandler.c:2726:12: note: Left side of '&&' is false if (guid && bmc->dyn_guid_set) ^ drivers/char/ipmi/ipmi_msghandler.c:2733:2: note: Calling 'kref_put' kref_put(&intf->refcount, intf_free); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kref.h:64:6: note: Assuming the condition is true if (refcount_dec_and_test(&kref->refcount)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kref.h:64:2: note: Taking true branch if (refcount_dec_and_test(&kref->refcount)) { ^ include/linux/kref.h:65:3: note: Calling 'intf_free' release(kref); ^~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:733:2: note: Memory is released kfree(intf); ^~~~~~~~~~~ include/linux/kref.h:65:3: note: 
Returning; memory was released release(kref); ^~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2733:2: note: Returning; memory was released kref_put(&intf->refcount, intf_free); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:2741:9: note: Returning; memory was released return __bmc_get_device_id(intf, bmc, id, guid_set, guid, -1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3515:3: note: Returning; memory was released bmc_get_device_id(intf, NULL, NULL, NULL, NULL); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3517:2: note: Calling 'kref_put' kref_put(&intf->refcount, intf_free); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kref.h:64:6: note: Assuming the condition is true if (refcount_dec_and_test(&kref->refcount)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kref.h:64:2: note: Taking true branch if (refcount_dec_and_test(&kref->refcount)) { ^ include/linux/kref.h:65:3: note: Calling 'intf_free' release(kref); ^~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:733:2: note: Attempt to free released memory kfree(intf); ^~~~~~~~~~~ >> drivers/char/ipmi/ipmi_msghandler.c:945:15: warning: Use of memory after it >> is freed [clang-analyzer-unix.Malloc] atomic_dec(&msg->user->nr_msgs); ^ drivers/char/ipmi/ipmi_msghandler.c:3948:6: note: Assuming 'rcvr' is non-null if (rcvr) { ^~~~ drivers/char/ipmi/ipmi_msghandler.c:3948:2: note: Taking true branch if (rcvr) { ^ drivers/char/ipmi/ipmi_msghandler.c:3955:6: note: Assuming 'user' is not equal to NULL if (user == NULL) { ^~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3955:2: note: Taking false branch if (user == NULL) { ^ drivers/char/ipmi/ipmi_msghandler.c:3980:14: note: Calling 'ipmi_alloc_recv_msg' recv_msg = ipmi_alloc_recv_msg(); ^~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:5105:6: note: Assuming 'rv' is non-null if (rv) { ^~ drivers/char/ipmi/ipmi_msghandler.c:5105:2: note: 
Taking true branch if (rv) { ^ drivers/char/ipmi/ipmi_msghandler.c:3980:14: note: Returning from 'ipmi_alloc_recv_msg' recv_msg = ipmi_alloc_recv_msg(); ^~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3981:8: note: 'recv_msg' is non-null if (!recv_msg) { ^~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:3981:3: note: Taking false branch if (!recv_msg) { ^ drivers/char/ipmi/ipmi_msghandler.c:4012:8: note: Calling 'deliver_response' if (deliver_response(intf, recv_msg)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:929:12: note: Field 'user' is non-null if (!msg->user) { ^ drivers/char/ipmi/ipmi_msghandler.c:929:2: note: Taking false branch if (!msg->user) { ^ drivers/char/ipmi/ipmi_msghandler.c:938:13: note: Assuming 'oops_in_progress' is not equal to 0 } else if (oops_in_progress) { ^~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:938:9: note: Taking true branch } else if (oops_in_progress) { ^ drivers/char/ipmi/ipmi_msghandler.c:944:3: note: Calling 'ipmi_free_recv_msg' ipmi_free_recv_msg(msg); ^~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:5115:11: note: Field 'user' is non-null if (msg->user && !oops_in_progress) ^ drivers/char/ipmi/ipmi_msghandler.c:5115:6: note: Left side of '&&' is true if (msg->user && !oops_in_progress) ^ drivers/char/ipmi/ipmi_msghandler.c:5115:20: note: 'oops_in_progress' is not equal to 0 if (msg->user && !oops_in_progress) ^~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:5115:2: note: Taking false branch if (msg->user && !oops_in_progress) ^ drivers/char/ipmi/ipmi_msghandler.c:5117:2: note: Calling 'free_recv_msg' msg->done(msg); ^~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:5096:6: note: Assuming 'oops_in_progress' is 0 if (!oops_in_progress) ^~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:5096:2: note: Taking true branch if (!oops_in_progress) ^ drivers/char/ipmi/ipmi_msghandler.c:5097:3: note: Memory is released kfree(msg); ^~~~~~~~~~ 
drivers/char/ipmi/ipmi_msghandler.c:5117:2: note: Returning; memory was released via 1st parameter msg->done(msg); ^~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:944:3: note: Returning; memory was released via 1st parameter ipmi_free_recv_msg(msg); ^~~~~~~~~~~~~~~~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:945:15: note: Use of memory after it is freed atomic_dec(&msg->user->nr_msgs); ^~~~~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1814:3: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] memcpy(&smi_msg->data[i + 9], msg->data, msg->data_len); ^~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1814:3: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 memcpy(&smi_msg->data[i + 9], msg->data, msg->data_len); ^~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1851:3: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] memcpy(&smi_msg->data[10], msg->data, msg->data_len); ^~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1851:3: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. 
Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 memcpy(&smi_msg->data[10], msg->data, msg->data_len); ^~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1931:2: warning: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] memcpy(&recv_msg->addr, smi_addr, sizeof(*smi_addr)); ^~~~~~ drivers/char/ipmi/ipmi_msghandler.c:1931:2: note: Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11 memcpy(&recv_msg->addr, smi_addr, sizeof(*smi_addr)); vim +945 drivers/char/ipmi/ipmi_msghandler.c ^1da177e4c3f41 Linus Torvalds 2005-04-16 924 ac93bd0c9e163f Corey Minyard 2018-04-05 925 static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg) ^1da177e4c3f41 Linus Torvalds 2005-04-16 926 { ac93bd0c9e163f Corey Minyard 2018-04-05 927 int rv = 0; 56a55ec64806fb Corey Minyard 2005-09-06 928 ac93bd0c9e163f Corey Minyard 2018-04-05 929 if (!msg->user) { 56a55ec64806fb Corey Minyard 2005-09-06 930 /* Special handling for NULL users. */ 56a55ec64806fb Corey Minyard 2005-09-06 931 if (intf->null_user_handler) { 56a55ec64806fb Corey Minyard 2005-09-06 932 intf->null_user_handler(intf, msg); 56a55ec64806fb Corey Minyard 2005-09-06 933 } else { 56a55ec64806fb Corey Minyard 2005-09-06 934 /* No handler, so give up. 
*/ ac93bd0c9e163f Corey Minyard 2018-04-05 935 rv = -EINVAL; 56a55ec64806fb Corey Minyard 2005-09-06 936 } 56a55ec64806fb Corey Minyard 2005-09-06 937 ipmi_free_recv_msg(msg); 2033f6858970b9 Corey Minyard 2019-08-16 938 } else if (oops_in_progress) { c49c097610fe1a Hidehiro Kawai 2015-07-27 939 /* c49c097610fe1a Hidehiro Kawai 2015-07-27 940 * If we are running in the panic context, calling the c49c097610fe1a Hidehiro Kawai 2015-07-27 941 * receive handler doesn't much meaning and has a deadlock c49c097610fe1a Hidehiro Kawai 2015-07-27 942 * risk. At this moment, simply skip it in that case. c49c097610fe1a Hidehiro Kawai 2015-07-27 943 */ 2033f6858970b9 Corey Minyard 2019-08-16 944 ipmi_free_recv_msg(msg); e622399b18f8ef Corey Minyard 2022-03-28 @945 atomic_dec(&msg->user->nr_msgs); 2033f6858970b9 Corey Minyard 2019-08-16 946 } else { e86ee2d44b4405 Corey Minyard 2018-04-05 947 int index; e86ee2d44b4405 Corey Minyard 2018-04-05 948 struct ipmi_user *user = acquire_ipmi_user(msg->user, &index); c49c097610fe1a Hidehiro Kawai 2015-07-27 949 e86ee2d44b4405 Corey Minyard 2018-04-05 950 if (user) { e622399b18f8ef Corey Minyard 2022-03-28 951 atomic_dec(&user->nr_msgs); 393d2cc354d150 Corey Minyard 2005-11-07 952 user->handler->ipmi_recv_hndl(msg, user->handler_data); 479d6b39b9e0d2 Fred Klassen 2019-01-19 953 release_ipmi_user(user, index); e86ee2d44b4405 Corey Minyard 2018-04-05 954 } else { e86ee2d44b4405 Corey Minyard 2018-04-05 955 /* User went away, give up. 
*/ e86ee2d44b4405 Corey Minyard 2018-04-05 956 ipmi_free_recv_msg(msg); e86ee2d44b4405 Corey Minyard 2018-04-05 957 rv = -EINVAL; e86ee2d44b4405 Corey Minyard 2018-04-05 958 } 56a55ec64806fb Corey Minyard 2005-09-06 959 } ac93bd0c9e163f Corey Minyard 2018-04-05 960 ac93bd0c9e163f Corey Minyard 2018-04-05 961 return rv; ^1da177e4c3f41 Linus Torvalds 2005-04-16 962 } ^1da177e4c3f41 Linus Torvalds 2005-04-16 963 -- 0-DAY CI Kernel Test Service https://01.org/lkp _______________________________________________ kbuild mailing list -- [email protected] To unsubscribe send an email to [email protected]
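Review bot: In the `oops_in_progress` branch of deliver_response (listing lines 944-945), the decrement added by this commit reads `msg->user` after `ipmi_free_recv_msg(msg)` has already passed the message to `msg->done`, so `msg` is touched after ownership was given up. The analyzer's trace only reaches `kfree(msg)` if `oops_in_progress` changes value between lines 938 and 5096, but the ordering is unsafe regardless: `done` is a function pointer, and any handler that releases the message makes line 945 a read of freed memory. Swapping the two statements fixes it, `atomic_dec(&msg->user->nr_msgs);` followed by `ipmi_free_recv_msg(msg);`, which matches the else branch, where the counter is dropped at line 951 before the message is handed on. The "User went away" path at line 956 frees the message without touching `nr_msgs`; a short comment there stating whether that is intentional would help the next reader.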
