Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4920656pxj; Wed, 9 Jun 2021 05:17:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGiwKclbyFW3VCqtzekGquGWMbYcLF+vVrRgj+dMGEYX4ZyB5eEe1Ks7JkXf7+wIJVeofn X-Received: by 2002:a17:907:1689:: with SMTP id hc9mr1860160ejc.552.1623241019836; Wed, 09 Jun 2021 05:16:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623241019; cv=none; d=google.com; s=arc-20160816; b=tbGfGtSpk115IyKDHKDF3oIU5yzmiTgCCkcaEGMTPGJKpkLyzGvQVAJvwF00RxETxn 3rb7Hxs/D8RUX2IFM1c+4dN11l3bjUV171tJjrJ8jePz+QpjuGTvFSAOu2P770304deX vNyx7aTq8VnHTxH1tIV6CgZZdj5hiFvTwU3qf39DmiqvrR4FKfvIQuQME7skssxWWr9U ACmwj0jEWJYAxyfhsE3BHHNKxRl4OiU/Ni6ZwsoxA6X5Ic3AW6WWQLFCjq2mkqsjb+5d iERmO8ZOrneUmjFrMzLaKWcKYPntGihpKDh7bhg0Bu69MJ3LFpDwwPlBfOj2/5aoLdll cdwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:message-id:references:in-reply-to :subject:cc:to:from:date:content-transfer-encoding:mime-version :sender:dkim-signature; bh=hOY4IY8I46gA8MMjH6W8hGdwOQJifP1exL50IuuC0xA=; b=YZK0siP0zKY2jC9ubceWkVcu6sej3hLvsm5XI45xSuGhsSwwIH1bhcNQe8sZSHnoLr wCsb9k2XrviwqMD+K68Q1itUnrJHiClXJVD3lDzA2Z2fnNKQfxG063FdcYq5OlwKjP77 IJouN4YibE+4RNkKBb2sQfn5MWXftEKAcs36LsoDMOiE7eV91Q3p0KVHzOm+AKxvtGbE RfAql2FAlyRe3wKw5ipdQHcoGdZY60iDyNICTJLM+h4LnlvtfhvBvFxwG4Vp+o1fF2r/ 9iQXR7kgRl5BYJ7qqWjUOcgtVV8Y+ktym27XKtzS2wH/1Ay/IldMtk9+RQucNmvRchiI Hzjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=qEpKcrvx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e17si2044458ejr.626.2021.06.09.05.16.35; Wed, 09 Jun 2021 05:16:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=qEpKcrvx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233998AbhFIBNH (ORCPT + 99 others); Tue, 8 Jun 2021 21:13:07 -0400 Received: from m43-7.mailgun.net ([69.72.43.7]:52030 "EHLO m43-7.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230303AbhFIBNH (ORCPT ); Tue, 8 Jun 2021 21:13:07 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1623201074; h=Message-ID: References: In-Reply-To: Subject: Cc: To: From: Date: Content-Transfer-Encoding: Content-Type: MIME-Version: Sender; bh=hOY4IY8I46gA8MMjH6W8hGdwOQJifP1exL50IuuC0xA=; b=qEpKcrvxBEB2dN9925WULspN09L4zp7tXEsaJDH2S76gzyHJTSvO7Zq2JCQz/8ZzXYR6nYFD 11MFsusCFxYNAd3HXpahJnZ9g66oFw1lFwTOckOE9M3m0GifDHWMyNTglaKa2RTdwbjTpM8e tA+GFa5XcGF0gInKoi80P89OYlQ= X-Mailgun-Sending-Ip: 69.72.43.7 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n05.prod.us-west-2.postgun.com with SMTP id 60c0150fe570c0561986610b (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Wed, 09 Jun 2021 01:10:39 GMT Sender: cang=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 7AF14C43460; Wed, 9 Jun 2021 01:10:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: cang) by smtp.codeaurora.org (Postfix) with ESMTPSA id 8831CC433F1; Wed, 9 Jun 2021 01:10:38 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Wed, 09 Jun 2021 09:10:38 +0800 From: Can Guo To: Colin Ian King Cc: Alim Akhtar , Avri Altman , "James E.J. Bottomley" , "Martin K. Petersen" , Matthias Brugger , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: scsi: ufs: Optimize host lock on transfer requests send/compl paths (uninitialized pointer error) In-Reply-To: References: Message-ID: X-Sender: cang@codeaurora.org User-Agent: Roundcube Webmail/1.3.9 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Colin, On 2021-06-08 23:44, Colin Ian King wrote: > Hi, > > static analysis with Coverity on linux-next has found an issue in > drivers/scsi/ufs/ufshcd.c introduced by the following commit: > > commit a45f937110fa6b0c2c06a5d3ef026963a5759050 > Author: Can Guo > Date: Mon May 24 01:36:57 2021 -0700 > > scsi: ufs: Optimize host lock on transfer requests send/compl paths > > The analysis is as follows: > > > 2948 static int ufshcd_exec_dev_cmd(struct ufs_hba *hba, > 2949 enum dev_cmd_type cmd_type, int timeout) > 2950 { > 2951 struct request_queue *q = hba->cmd_queue; > 2952 struct request *req; > > 1. var_decl: Declaring variable lrbp without initializer. > > 2953 struct ufshcd_lrb *lrbp; > 2954 int err; > 2955 int tag; > 2956 struct completion wait; > 2957 > 2958 down_read(&hba->clk_scaling_lock); > 2959 > 2960 /* > 2961 * Get free slot, sleep if slots are unavailable. > 2962 * Even though we use wait_event() which sleeps > indefinitely, > 2963 * the maximum wait time is bounded by SCSI request > timeout. > 2964 */ > 2965 req = blk_get_request(q, REQ_OP_DRV_OUT, 0); > > 2. Condition IS_ERR(req), taking false branch. > > 2966 if (IS_ERR(req)) { > 2967 err = PTR_ERR(req); > 2968 goto out_unlock; > 2969 } > 2970 tag = req->tag; > > 3. Condition !!__ret_warn_on, taking false branch. > 4. Condition !!__ret_warn_on, taking false branch. > > 2971 WARN_ON_ONCE(!ufshcd_valid_tag(hba, tag)); > 2972 /* Set the timeout such that the SCSI error handler is not > activated. */ > 2973 req->timeout = msecs_to_jiffies(2 * timeout); > 2974 blk_mq_start_request(req); > 2975 > > 5. Condition !!test_bit(tag, &hba->outstanding_reqs), taking true > branch. > > 2976 if (unlikely(test_bit(tag, &hba->outstanding_reqs))) { > 2977 err = -EBUSY; > > 6. Jumping to label out. > > 2978 goto out; > 2979 } > 2980 > 2981 init_completion(&wait); > 2982 lrbp = &hba->lrb[tag]; > 2983 WARN_ON(lrbp->cmd); > 2984 err = ufshcd_compose_dev_cmd(hba, lrbp, cmd_type, tag); > 2985 if (unlikely(err)) > 2986 goto out_put_tag; > 2987 > 2988 hba->dev_cmd.complete = &wait; > 2989 > 2990 ufshcd_add_query_upiu_trace(hba, UFS_QUERY_SEND, > lrbp->ucd_req_ptr); > 2991 /* Make sure descriptors are ready before ringing the > doorbell */ > 2992 wmb(); > 2993 > 2994 ufshcd_send_command(hba, tag); > 2995 err = ufshcd_wait_for_dev_cmd(hba, lrbp, timeout); > 2996 out: > > 7. Condition err, taking true branch. > > Uninitialized pointer read (UNINIT) > 8. uninit_use: Using uninitialized value lrbp. > > 2997 ufshcd_add_query_upiu_trace(hba, err ? UFS_QUERY_ERR : > UFS_QUERY_COMP, > 2998 (struct utp_upiu_req > *)lrbp->ucd_rsp_ptr); > 2999 > 3000 out_put_tag: > 3001 blk_put_request(req); > 3002 out_unlock: > 3003 up_read(&hba->clk_scaling_lock); > 3004 return err; > 3005 } > > Pointer lrbp is being accessed on the error exit path on line 2989 > because it is no longer being initialized early, the pointer assignment > was moved to a later point (line 2982) by the commit referenced in the > top of the email. > > Colin I will fix it by changing "goto out;" -> "goto out_put_tag;" on line #2978 in a new patch. Thanks, Can Guo.