* [cxl-cxl:pending 39/40] drivers/cxl/core/bus.c:501 devm_cxl_add_decoder() warn: variable dereferenced before check 'cxld' (see line 497)
@ 2021-08-25 7:12 Dan Carpenter
2021-08-26 12:50 ` Dan Carpenter
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2021-08-25 7:12 UTC
To: kbuild, Dan Williams
Cc: lkp, kbuild-all, Alison Schofield, Vishal Verma, Ira Weiny,
Ben Widawsky, Dan Williams, linux-kernel
tree: https://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl.git pending
head: 036a16a39e2fab9bf7279201d04cf7e90993521f
commit: b7ca54b625514464bac2db59b754e95c49b66fb5 [39/40] cxl/core: Split decoder setup into alloc + add
config: x86_64-randconfig-m001-20210824 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/cxl/core/bus.c:501 devm_cxl_add_decoder() warn: variable dereferenced before check 'cxld' (see line 497)
drivers/cxl/core/bus.c:541 devm_cxl_add_decoder() error: uninitialized symbol 'dev'.
vim +/cxld +501 drivers/cxl/core/bus.c
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 494 int devm_cxl_add_decoder(struct device *host, struct cxl_decoder *cxld,
574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 495 int *target_map)
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 496 {
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @497 struct cxl_port *port = to_cxl_port(cxld->dev.parent);
^^^^^^^^^^^^^^^^
Dereference
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 498 struct device *dev;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 499 int rc = 0, i;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 500
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @501 if (!cxld)
^^^^^
Checked too late.
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 502 return -EINVAL;
574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 503
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 504 if (IS_ERR(cxld))
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 505 return PTR_ERR(cxld);
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 506
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 507 if (cxld->interleave_ways < 1) {
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 508 rc = -EINVAL;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 509 goto err;
"dev" not initialized at this point.
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 510 }
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 511
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 512 device_lock(&port->dev);
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 513 if (list_empty(&port->dports))
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 514 rc = -EINVAL;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 515
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 516 for (i = 0; rc == 0 && target_map && i < cxld->nr_targets; i++) {
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 517 struct cxl_dport *dport = find_dport(port, target_map[i]);
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 518
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 519 if (!dport) {
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 520 rc = -ENXIO;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 521 break;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 522 }
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 523 dev_dbg(host, "%s: target: %d\n", dev_name(dport->dport), i);
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 524 cxld->target[i] = dport;
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 525 }
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 526 device_unlock(&port->dev);
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 527 if (rc)
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 528 goto err;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 529
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 530 dev = &cxld->dev;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 531 rc = dev_set_name(dev, "decoder%d.%d", port->id, cxld->id);
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 532 if (rc)
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 533 goto err;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 534
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 535 rc = device_add(dev);
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 536 if (rc)
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 537 goto err;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 538
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 539 return devm_add_action_or_reset(host, unregister_cxl_dev, dev);
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 540 err:
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 @541 put_device(dev);
Should be:
put_device(&cxld->dev);
But it feels like a layering violation to drop a reference that was
acquired by the caller.
b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 542 return rc;
40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 543 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
* Re: [cxl-cxl:pending 39/40] drivers/cxl/core/bus.c:501 devm_cxl_add_decoder() warn: variable dereferenced before check 'cxld' (see line 497)
From: Dan Carpenter @ 2021-08-26 12:50 UTC
To: kbuild, Dan Williams
Cc: lkp, kbuild-all, Alison Schofield, Vishal Verma, Ira Weiny,
Ben Widawsky, linux-kernel
On Wed, Aug 25, 2021 at 10:12:32AM +0300, Dan Carpenter wrote:
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 494 int devm_cxl_add_decoder(struct device *host, struct cxl_decoder *cxld,
> 574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 495 int *target_map)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 496 {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @497 struct cxl_port *port = to_cxl_port(cxld->dev.parent);
> ^^^^^^^^^^^^^^^^
> Dereference
>
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 498 struct device *dev;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 499 int rc = 0, i;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 500
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @501 if (!cxld)
> ^^^^^
> Checked too late.
>
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 502 return -EINVAL;
> 574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 503
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 504 if (IS_ERR(cxld))
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 505 return PTR_ERR(cxld);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 506
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 507 if (cxld->interleave_ways < 1) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 508 rc = -EINVAL;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 509 goto err;
>
> "dev" not initialized at this point.
>
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 510 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 511
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 512 device_lock(&port->dev);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 513 if (list_empty(&port->dports))
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 514 rc = -EINVAL;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 515
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 516 for (i = 0; rc == 0 && target_map && i < cxld->nr_targets; i++) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 517 struct cxl_dport *dport = find_dport(port, target_map[i]);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 518
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 519 if (!dport) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 520 rc = -ENXIO;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 521 break;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 522 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 523 dev_dbg(host, "%s: target: %d\n", dev_name(dport->dport), i);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 524 cxld->target[i] = dport;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 525 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 526 device_unlock(&port->dev);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 527 if (rc)
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 528 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 529
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 530 dev = &cxld->dev;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 531 rc = dev_set_name(dev, "decoder%d.%d", port->id, cxld->id);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 532 if (rc)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 533 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 534
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 535 rc = device_add(dev);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 536 if (rc)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 537 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 538
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 539 return devm_add_action_or_reset(host, unregister_cxl_dev, dev);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 540 err:
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 @541 put_device(dev);
>
> Should be:
>
> put_device(&cxld->dev);
>
> But it feels like a layering violation to drop a reference that was
> acquired by the caller.
This code hit linux-next yesterday so I reviewed it in context. The
put_device() should just be removed. It leads to a use after free.
regards,
dan carpenter
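
The findings in this thread, as an added userspace model (not part of the original messages and not the kernel's code): it contrasts the flagged shape of the function with a shape that checks the pointer before use and leaves the reference to its owner. The `model_*` types and functions are hypothetical stand-ins, and the caller dropping its own reference on failure is an assumption.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace stand-ins for struct device and struct cxl_decoder (hypothetical names). */
struct model_dev { int refs, released, bad_puts; struct model_dev *parent; };
struct model_decoder { struct model_dev dev; int interleave_ways; };

/* Like put_device(): the last put releases; a put after release stands for the use after free. */
static void model_put(struct model_dev *d)
{
    if (d->released) { d->bad_puts++; return; }
    if (--d->refs == 0) d->released = 1;
}

/* Flagged shape: dereference before the check, and a put of the caller's reference on error. */
static int add_decoder_flagged(struct model_decoder *cxld)
{
    struct model_dev *port = cxld->dev.parent; /* line 497 pattern; never called with NULL here */
    if (!cxld)                                 /* line 501 pattern: too late to help */
        return -EINVAL;
    (void)port;
    if (cxld->interleave_ways < 1) {
        model_put(&cxld->dev);                 /* line 541 pattern, with the pointer initialized */
        return -EINVAL;
    }
    return 0;
}

/* Corrected shape: check first, then derive; the error path leaves the reference alone. */
static int add_decoder_fixed(struct model_decoder *cxld)
{
    struct model_dev *port;
    if (!cxld)
        return -EINVAL;
    port = cxld->dev.parent;
    if (cxld->interleave_ways < 1)
        return -EINVAL;
    return port ? 0 : -ENXIO;
}

/* Assumed caller: holds one reference from allocation and drops it itself when add fails. */
static int caller_bad_puts(int (*add)(struct model_decoder *))
{
    struct model_dev port = { 1, 0, 0, NULL };
    struct model_decoder d = { { 1, 0, 0, &port }, 0 }; /* interleave_ways = 0 forces the error path */
    if (add(&d) < 0)
        model_put(&d.dev);
    return d.dev.bad_puts; /* puts that landed on an already released object */
}
```

`caller_bad_puts()` counts puts on an already released object: one for the flagged shape, none for the corrected one.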