CC: [email protected]
BCC: [email protected]
TO: Ammar Faizi <[email protected]>

tree:   https://github.com/ammarfaizi2/linux-block google/android/kernel/common/android13-5.15
head:   754bb029c85fb4b18d198216540f75e635dde8d4
commit: 67cc8ce9a649a8407c8e815d03b88761c4ddfe67 [5484/5636] FROMLIST: mm: rcu safe vma freeing
:::::: branch date: 4 weeks ago
:::::: commit date: 6 weeks ago
config: x86_64-randconfig-c007 (https://download.01.org/0day-ci/archive/20220502/[email protected]/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 400775649969b9baf3bc2a510266e7912bb16ae9)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/ammarfaizi2/linux-block/commit/67cc8ce9a649a8407c8e815d03b88761c4ddfe67
        git remote add ammarfaizi2-block https://github.com/ammarfaizi2/linux-block
        git fetch --no-tags ammarfaizi2-block google/android/kernel/common/android13-5.15
        git checkout 67cc8ce9a649a8407c8e815d03b88761c4ddfe67
        # save the config file
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>


clang-analyzer warnings: (new ones prefixed by >>)
   Suppressed 2 warnings (2 in non-user code).
   Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
   1 warning generated.
   lib/list_sort.c:243:28: warning: Access to field 'prev' results in a dereference of a null pointer (loaded from variable 'pending') [clang-analyzer-core.NullDereference]
                   struct list_head *next = pending->prev;
                                            ^~~~~~~
   lib/list_sort.c:187:40: note: 'pending' initialized to a null pointer value
           struct list_head *list = head->next, *pending = NULL;
                                                 ^~~~~~~
   lib/list_sort.c:190:6: note: Assuming 'list' is not equal to field 'prev'
           if (list == head->prev) /* Zero or one elements */
               ^~~~~~~~~~~~~~~~~~
   lib/list_sort.c:190:2: note: Taking false branch
           if (list == head->prev) /* Zero or one elements */
           ^
   lib/list_sort.c:219:3: note: Loop condition is false. Execution continues on line 222
                   for (bits = count; bits & 1; bits >>= 1)
                   ^
   lib/list_sort.c:222:3: note: Taking false branch
                   if (likely(bits)) {
                   ^
   lib/list_sort.c:232:3: note: Null pointer value stored to field 'prev'
                   list->prev = pending;
                   ^~~~~~~~~~~~~~~~~~~~
   lib/list_sort.c:214:2: note: Loop condition is false.  Exiting loop
           do {
           ^
   lib/list_sort.c:241:2: note: Null pointer value stored to 'pending'
           pending = pending->prev;
           ^~~~~~~~~~~~~~~~~~~~~~~
   lib/list_sort.c:242:2: note: Loop condition is true.  Entering loop body
           for (;;) {
           ^
   lib/list_sort.c:243:28: note: Access to field 'prev' results in a dereference of a null pointer (loaded from variable 'pending')
                   struct list_head *next = pending->prev;
                                            ^~~~~~~
   4 warnings generated.
   lib/rhashtable.c:792:21: warning: Value stored to 'p' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
           struct rhash_head *p = iter->p;
                              ^   ~~~~~~~
   lib/rhashtable.c:792:21: note: Value stored to 'p' during its initialization is never read
           struct rhash_head *p = iter->p;
                              ^   ~~~~~~~
   7 warnings generated.
>> fs/proc/task_mmu.c:964:28: warning: Dereference of null pointer [clang-analyzer-core.NullDereference]
           show_vma_header_prefix(m, priv->mm->mmap->vm_start,
                                     ^~~~~~~~~~~~~~~~~~~~~~~~
   fs/proc/task_mmu.c:878:6: note: Assuming field 'task' is non-null
           if (!priv->task)
               ^~~~~~~~~~~
   fs/proc/task_mmu.c:878:2: note: Taking false branch
           if (!priv->task)
           ^
   fs/proc/task_mmu.c:882:6: note: Assuming 'mm' is non-null
           if (!mm || !mmget_not_zero(mm)) {
               ^~~
   fs/proc/task_mmu.c:882:6: note: Left side of '||' is false
   fs/proc/task_mmu.c:882:2: note: Taking false branch
           if (!mm || !mmget_not_zero(mm)) {
           ^
   fs/proc/task_mmu.c:889:8: note: Calling 'mmap_read_lock_killable'
           ret = mmap_read_lock_killable(mm);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:179:2: note: Calling '__mmap_lock_trace_start_locking'
           __mmap_lock_trace_start_locking(mm, false);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:36:2: note: Taking false branch
           if (tracepoint_enabled(mmap_lock_start_locking))
           ^
   include/linux/mmap_lock.h:38:1: note: Returning without writing to 'mm->.mmap', which participates in a condition later
   }
   ^
   include/linux/mmap_lock.h:38:1: note: Returning without writing to 'mm->.mmap'
   include/linux/mmap_lock.h:179:2: note: Returning from '__mmap_lock_trace_start_locking'
           __mmap_lock_trace_start_locking(mm, false);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:180:10: note: Value assigned to field 'mmap', which participates in a condition later
           error = down_read_killable(&mm->mmap_lock);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:180:10: note: Value assigned to field 'mmap'
           error = down_read_killable(&mm->mmap_lock);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:181:48: note: Assuming 'error' is 0, which participates in a condition later
           __mmap_lock_trace_acquire_returned(mm, false, !error);
                                                         ^~~~~~
   include/linux/mmap_lock.h:181:2: note: Calling '__mmap_lock_trace_acquire_returned'
           __mmap_lock_trace_acquire_returned(mm, false, !error);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:43:2: note: Taking false branch
           if (tracepoint_enabled(mmap_lock_acquire_returned))
           ^
   include/linux/mmap_lock.h:45:1: note: Returning without writing to 'mm->.mmap', which participates in a condition later
   }
   ^
   include/linux/mmap_lock.h:45:1: note: Returning without writing to 'mm->.mmap'
   include/linux/mmap_lock.h:181:2: note: Returning from '__mmap_lock_trace_acquire_returned'
           __mmap_lock_trace_acquire_returned(mm, false, !error);
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/mmap_lock.h:182:2: note: Returning zero (loaded from 'error'), which participates in a condition later
           return error;
           ^~~~~~~~~~~~
   fs/proc/task_mmu.c:889:8: note: Returning from 'mmap_read_lock_killable'
           ret = mmap_read_lock_killable(mm);
                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/proc/task_mmu.c:890:6: note: 'ret' is 0
           if (ret)
               ^~~
   fs/proc/task_mmu.c:890:2: note: Taking false branch
           if (ret)
           ^
   fs/proc/task_mmu.c:895:29: note: Assuming pointer value is null
           for (vma = priv->mm->mmap; vma;) {
                                      ^~~
   fs/proc/task_mmu.c:895:2: note: Loop condition is false. Execution continues on line 964
           for (vma = priv->mm->mmap; vma;) {
           ^
   fs/proc/task_mmu.c:964:28: note: Dereference of null pointer
           show_vma_header_prefix(m, priv->mm->mmap->vm_start,
                                     ^~~~~~~~~~~~~~~~~~~~~~~~
--
           ^     ~~~~~~~~~~~~
   drivers/target/target_core_pr.c:227:2: note: Value stored to 'tpg' is never read
           tpg = sess->se_tpg;
           ^     ~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1022:26: warning: Value stored to 'se_tpg' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
           struct se_portal_group *se_tpg = nacl->se_tpg;
                                   ^~~~~~   ~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1022:26: note: Value stored to 'se_tpg' during its initialization is never read
           struct se_portal_group *se_tpg = nacl->se_tpg;
                                   ^~~~~~   ~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1279:39: warning: Value stored to 'tfo' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
           const struct target_core_fabric_ops *tfo =
                                                ^~~
   drivers/target/target_core_pr.c:1279:39: note: Value stored to 'tfo' during its initialization is never read
           const struct target_core_fabric_ops *tfo =
                                                ^~~
   drivers/target/target_core_pr.c:1796:3: warning: Value stored to 'dest_se_deve' is never read [clang-analyzer-deadcode.DeadStores]
                   dest_se_deve = tidh->dest_se_deve;
                   ^              ~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1796:3: note: Value stored to 'dest_se_deve' is never read
                   dest_se_deve = tidh->dest_se_deve;
                   ^              ~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1954:3: warning: Value stored to 'len' is never read [clang-analyzer-deadcode.DeadStores]
                   len += sprintf(buf+len, "No Registrations or Reservations");
                   ^      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:1954:3: note: Value stored to 'len' is never read
                   len += sprintf(buf+len, "No Registrations or Reservations");
                   ^      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:2450:39: warning: Value stored to 'tfo' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
           const struct target_core_fabric_ops *tfo = se_nacl->se_tpg->se_tpg_tfo;
                                                ^~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:2450:39: note: Value stored to 'tfo' during its initialization is never read
           const struct target_core_fabric_ops *tfo = se_nacl->se_tpg->se_tpg_tfo;
                                                ^~~   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:2760:39: warning: Value stored to 'tfo' during its initialization is never read [clang-analyzer-deadcode.DeadStores]
           const struct target_core_fabric_ops *tfo = nacl->se_tpg->se_tpg_tfo;
                                                ^~~   ~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:2760:39: note: Value stored to 'tfo' during its initialization is never read
           const struct target_core_fabric_ops *tfo = nacl->se_tpg->se_tpg_tfo;
                                                ^~~   ~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:3163:2: warning: Value stored to 'tf_ops' is never read [clang-analyzer-deadcode.DeadStores]
           tf_ops = se_tpg->se_tpg_tfo;
           ^        ~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:3163:2: note: Value stored to 'tf_ops' is never read
           tf_ops = se_tpg->se_tpg_tfo;
           ^        ~~~~~~~~~~~~~~~~~~
   drivers/target/target_core_pr.c:3924:3: warning: Value stored to 'add_desc_len' is never read [clang-analyzer-deadcode.DeadStores]
                   add_desc_len = 0;
                   ^              ~
   drivers/target/target_core_pr.c:3924:3: note: Value stored to 'add_desc_len' is never read
                   add_desc_len = 0;
                   ^              ~
   3 warnings generated.
   drivers/acpi/acpica/dbutils.c:298:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(buffer, "0");
                   ^~~~~~
   drivers/acpi/acpica/dbutils.c:298:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
                   strcpy(buffer, "0");
                   ^~~~~~
   7 warnings generated.
   drivers/acpi/button.c:511:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_POWER);
                   ^~~~~~
   drivers/acpi/button.c:511:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_POWER);
                   ^~~~~~
   drivers/acpi/button.c:517:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_SLEEP);
                   ^~~~~~
   drivers/acpi/button.c:517:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_SLEEP);
                   ^~~~~~
   drivers/acpi/button.c:522:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_LID);
                   ^~~~~~
   drivers/acpi/button.c:522:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
                   strcpy(name, ACPI_BUTTON_DEVICE_NAME_LID);
                   ^~~~~~
   4 warnings generated.
>> arch/x86/mm/pat/memtype.c:1098:24: warning: Dereference of null pointer [clang-analyzer-core.NullDereference]
                   if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
                                        ^~~~~~~~~~~~~
   arch/x86/mm/pat/memtype.c:1092:6: note: Assuming 'vma' is null
           if (vma && !(vma->vm_flags & VM_PAT))
               ^~~
   arch/x86/mm/pat/memtype.c:1092:10: note: Left side of '&&' is false
           if (vma && !(vma->vm_flags & VM_PAT))
                   ^
   arch/x86/mm/pat/memtype.c:1097:6: note: Assuming 'paddr' is 0
           if (!paddr && !size) {
               ^~~~~~
   arch/x86/mm/pat/memtype.c:1097:6: note: Left side of '&&' is true
   arch/x86/mm/pat/memtype.c:1097:16: note: Assuming 'size' is 0
           if (!paddr && !size) {
                         ^~~~~
   arch/x86/mm/pat/memtype.c:1097:2: note: Taking true branch
           if (!paddr && !size) {
           ^
   arch/x86/mm/pat/memtype.c:1098:24: note: Dereference of null pointer
                   if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
                                        ^~~~~~~~~~~~~
   3 warnings generated.
   drivers/acpi/acpica/dbcmds.c:1115:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                   strcpy(acpi_db_trace_method_name, method_arg);
                   ^~~~~~
   drivers/acpi/acpica/dbcmds.c:1115:3: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
                   strcpy(acpi_db_trace_method_name, method_arg);
                   ^~~~~~
   8 warnings generated.
   include/linux/list.h:135:13: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc]
           __list_del(entry->prev, entry->next);
                      ^
   sound/core/control.c:121:2: note: Loop condition is false.  Exiting loop
           write_lock_irqsave(&card->ctl_files_rwlock, flags);
           ^
   include/linux/rwlock.h:81:2: note: expanded from macro 'write_lock_irqsave'
           do {                                            \
           ^
   sound/core/control.c:123:2: note: Loop condition is false.  Exiting loop
           write_unlock_irqrestore(&card->ctl_files_rwlock, flags);
           ^
   include/linux/rwlock.h:118:2: note: expanded from macro 'write_unlock_irqrestore'
           do {                                            \
           ^
   sound/core/control.c:125:2: note: Left side of '&&' is false
           list_for_each_entry(control, &card->controls, list)
           ^
   include/linux/list.h:628:13: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
                      ^
   include/linux/list.h:522:2: note: expanded from macro 'list_first_entry'
           list_entry((ptr)->next, type, member)
           ^
   include/linux/list.h:511:2: note: expanded from macro 'list_entry'
           container_of(ptr, type, member)
           ^
   include/linux/kernel.h:495:61: note: expanded from macro 'container_of'
           BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) &&   \
                                                                      ^
   sound/core/control.c:125:2: note: Taking false branch
           list_for_each_entry(control, &card->controls, list)
           ^
   include/linux/list.h:628:13: note: expanded from macro 'list_for_each_entry'
           for (pos = list_first_entry(head, typeof(*pos), member);        \
                      ^
   include/linux/list.h:522:2: note: expanded from macro 'list_first_entry'

vim +964 fs/proc/task_mmu.c

258f669e7e88c1 Vlastimil Babka       2018-08-21  867  
258f669e7e88c1 Vlastimil Babka       2018-08-21  868  static int show_smaps_rollup(struct seq_file *m, void *v)
258f669e7e88c1 Vlastimil Babka       2018-08-21  869  {
258f669e7e88c1 Vlastimil Babka       2018-08-21  870    struct proc_maps_private *priv = m->private;
258f669e7e88c1 Vlastimil Babka       2018-08-21  871    struct mem_size_stats mss;
258f669e7e88c1 Vlastimil Babka       2018-08-21  872    struct mm_struct *mm;
258f669e7e88c1 Vlastimil Babka       2018-08-21  873    struct vm_area_struct *vma;
258f669e7e88c1 Vlastimil Babka       2018-08-21  874    unsigned long last_vma_end = 0;
258f669e7e88c1 Vlastimil Babka       2018-08-21  875    int ret = 0;
258f669e7e88c1 Vlastimil Babka       2018-08-21  876  
258f669e7e88c1 Vlastimil Babka       2018-08-21  877    priv->task = get_proc_task(priv->inode);
258f669e7e88c1 Vlastimil Babka       2018-08-21  878    if (!priv->task)
258f669e7e88c1 Vlastimil Babka       2018-08-21  879            return -ESRCH;
258f669e7e88c1 Vlastimil Babka       2018-08-21  880  
258f669e7e88c1 Vlastimil Babka       2018-08-21  881    mm = priv->mm;
258f669e7e88c1 Vlastimil Babka       2018-08-21  882    if (!mm || !mmget_not_zero(mm)) {
258f669e7e88c1 Vlastimil Babka       2018-08-21  883            ret = -ESRCH;
258f669e7e88c1 Vlastimil Babka       2018-08-21  884            goto out_put_task;
258f669e7e88c1 Vlastimil Babka       2018-08-21  885    }
258f669e7e88c1 Vlastimil Babka       2018-08-21  886  
258f669e7e88c1 Vlastimil Babka       2018-08-21  887    memset(&mss, 0, sizeof(mss));
258f669e7e88c1 Vlastimil Babka       2018-08-21  888  
d8ed45c5dcd455 Michel Lespinasse     2020-06-08  889    ret = mmap_read_lock_killable(mm);
a26a9781554857 Konstantin Khlebnikov 2019-07-11  890    if (ret)
a26a9781554857 Konstantin Khlebnikov 2019-07-11  891            goto out_put_mm;
a26a9781554857 Konstantin Khlebnikov 2019-07-11  892  
258f669e7e88c1 Vlastimil Babka       2018-08-21  893    hold_task_mempolicy(priv);
258f669e7e88c1 Vlastimil Babka       2018-08-21  894  
ff9f47f6f00cfe Chinwen Chang         2020-10-13  895    for (vma = priv->mm->mmap; vma;) {
03b4b1149308b0 Chinwen Chang         2020-10-13  896            smap_gather_stats(vma, &mss, 0);
258f669e7e88c1 Vlastimil Babka       2018-08-21  897            last_vma_end = vma->vm_end;
ff9f47f6f00cfe Chinwen Chang         2020-10-13  898  
ff9f47f6f00cfe Chinwen Chang         2020-10-13  899            /*
ff9f47f6f00cfe Chinwen Chang         2020-10-13  900             * Release mmap_lock temporarily if someone wants to
ff9f47f6f00cfe Chinwen Chang         2020-10-13  901             * access it for write request.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  902             */
ff9f47f6f00cfe Chinwen Chang         2020-10-13  903            if (mmap_lock_is_contended(mm)) {
ff9f47f6f00cfe Chinwen Chang         2020-10-13  904                    mmap_read_unlock(mm);
ff9f47f6f00cfe Chinwen Chang         2020-10-13  905                    ret = mmap_read_lock_killable(mm);
ff9f47f6f00cfe Chinwen Chang         2020-10-13  906                    if (ret) {
ff9f47f6f00cfe Chinwen Chang         2020-10-13  907                            release_task_mempolicy(priv);
ff9f47f6f00cfe Chinwen Chang         2020-10-13  908                            goto out_put_mm;
ff9f47f6f00cfe Chinwen Chang         2020-10-13  909                    }
ff9f47f6f00cfe Chinwen Chang         2020-10-13  910  
ff9f47f6f00cfe Chinwen Chang         2020-10-13  911                    /*
ff9f47f6f00cfe Chinwen Chang         2020-10-13  912                     * After dropping the lock, there are four cases to
ff9f47f6f00cfe Chinwen Chang         2020-10-13  913                     * consider. See the following example for explanation.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  914                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  915                     *   +------+------+-----------+
ff9f47f6f00cfe Chinwen Chang         2020-10-13  916                     *   | VMA1 | VMA2 | VMA3      |
ff9f47f6f00cfe Chinwen Chang         2020-10-13  917                     *   +------+------+-----------+
ff9f47f6f00cfe Chinwen Chang         2020-10-13  918                     *   |      |      |           |
ff9f47f6f00cfe Chinwen Chang         2020-10-13  919                     *  4k     8k     16k         400k
ff9f47f6f00cfe Chinwen Chang         2020-10-13  920                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  921                     * Suppose we drop the lock after reading VMA2 due to
ff9f47f6f00cfe Chinwen Chang         2020-10-13  922                     * contention, then we get:
ff9f47f6f00cfe Chinwen Chang         2020-10-13  923                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  924                     *      last_vma_end = 16k
ff9f47f6f00cfe Chinwen Chang         2020-10-13  925                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  926                     * 1) 
VMA2 is freed, but VMA3 exists:
ff9f47f6f00cfe Chinwen Chang         2020-10-13  927                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  928                     *    
find_vma(mm, 16k - 1) will return VMA3.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  929                     *    
In this case, just continue from VMA3.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  930                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  931                     * 2) 
VMA2 still exists:
ff9f47f6f00cfe Chinwen Chang         2020-10-13  932                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  933                     *    
find_vma(mm, 16k - 1) will return VMA2.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  934                     *    
Iterate the loop like the original one.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  935                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  936                     * 3) 
No more VMAs can be found:
ff9f47f6f00cfe Chinwen Chang         2020-10-13  937                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  938                     *    
find_vma(mm, 16k - 1) will return NULL.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  939                     *    
No more things to do, just break.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  940                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  941                     * 4) 
(last_vma_end - 1) is the middle of a vma (VMA'):
ff9f47f6f00cfe Chinwen Chang         2020-10-13  942                     *
ff9f47f6f00cfe Chinwen Chang         2020-10-13  943                     *    
find_vma(mm, 16k - 1) will return VMA' whose range
ff9f47f6f00cfe Chinwen Chang         2020-10-13  944                     *    
contains last_vma_end.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  945                     *    
Iterate VMA' from last_vma_end.
ff9f47f6f00cfe Chinwen Chang         2020-10-13  946                     */
ff9f47f6f00cfe Chinwen Chang         2020-10-13  947                    vma = 
find_vma(mm, last_vma_end - 1);
ff9f47f6f00cfe Chinwen Chang         2020-10-13  948                    /* Case 
3 above */
ff9f47f6f00cfe Chinwen Chang         2020-10-13  949                    if 
(!vma)
ff9f47f6f00cfe Chinwen Chang         2020-10-13  950                            
break;
ff9f47f6f00cfe Chinwen Chang         2020-10-13  951  
ff9f47f6f00cfe Chinwen Chang         2020-10-13  952                    /* Case 
1 above */
ff9f47f6f00cfe Chinwen Chang         2020-10-13  953                    if 
(vma->vm_start >= last_vma_end)
ff9f47f6f00cfe Chinwen Chang         2020-10-13  954                            
continue;
ff9f47f6f00cfe Chinwen Chang         2020-10-13  955  
ff9f47f6f00cfe Chinwen Chang         2020-10-13  956                    /* Case 
4 above */
ff9f47f6f00cfe Chinwen Chang         2020-10-13  957                    if 
(vma->vm_end > last_vma_end)
ff9f47f6f00cfe Chinwen Chang         2020-10-13  958                            
smap_gather_stats(vma, &mss, last_vma_end);
ff9f47f6f00cfe Chinwen Chang         2020-10-13  959            }
ff9f47f6f00cfe Chinwen Chang         2020-10-13  960            /* Case 2 above 
*/
ff9f47f6f00cfe Chinwen Chang         2020-10-13  961            vma = 
vma->vm_next;
258f669e7e88c1 Vlastimil Babka       2018-08-21  962    }
258f669e7e88c1 Vlastimil Babka       2018-08-21  963  
258f669e7e88c1 Vlastimil Babka       2018-08-21 @964    
show_vma_header_prefix(m, priv->mm->mmap->vm_start,
258f669e7e88c1 Vlastimil Babka       2018-08-21  965                           
last_vma_end, 0, 0, 0, 0);
258f669e7e88c1 Vlastimil Babka       2018-08-21  966    seq_pad(m, ' ');
258f669e7e88c1 Vlastimil Babka       2018-08-21  967    seq_puts(m, 
"[rollup]\n");
258f669e7e88c1 Vlastimil Babka       2018-08-21  968  
ee2ad71b0756e9 Luigi Semenzato       2019-07-11  969    __show_smap(m, &mss, 
true);
258f669e7e88c1 Vlastimil Babka       2018-08-21  970  
258f669e7e88c1 Vlastimil Babka       2018-08-21  971    
release_task_mempolicy(priv);
d8ed45c5dcd455 Michel Lespinasse     2020-06-08  972    mmap_read_unlock(mm);
258f669e7e88c1 Vlastimil Babka       2018-08-21  973  
a26a9781554857 Konstantin Khlebnikov 2019-07-11  974  out_put_mm:
a26a9781554857 Konstantin Khlebnikov 2019-07-11  975    mmput(mm);
258f669e7e88c1 Vlastimil Babka       2018-08-21  976  out_put_task:
258f669e7e88c1 Vlastimil Babka       2018-08-21  977    
put_task_struct(priv->task);
258f669e7e88c1 Vlastimil Babka       2018-08-21  978    priv->task = NULL;
258f669e7e88c1 Vlastimil Babka       2018-08-21  979  
493b0e9d945fa9 Daniel Colascione     2017-09-06  980    return ret;
e070ad49f31155 Mauricio Lin          2005-09-03  981  }
d1be35cb6f9697 Andrei Vagin          2018-04-10  982  #undef SEQ_PUT_DEC
e070ad49f31155 Mauricio Lin          2005-09-03  983  

:::::: The code at line 964 was first introduced by commit
:::::: 258f669e7e88c18edbc23fe5ce00a476b924551f mm: /proc/pid/smaps_rollup: convert to single value seq_file

:::::: TO: Vlastimil Babka <[email protected]>
:::::: CC: Linus Torvalds <[email protected]>

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp