Date: Wed, 13 Dec 2023 11:27:02 -0800
From: Charlie Jenkins
To: Dan Carpenter
Cc: oe-kbuild@lists.linux.dev, lkp@intel.com, oe-kbuild-all@lists.linux.dev, linux-kernel@vger.kernel.org, Palmer Dabbelt
Subject: Re: arch/riscv/kernel/module.c:639 process_accumulated_relocations() error: uninitialized symbol 'curr_type'.
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 13, 2023 at 04:05:06PM +0300, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: cf52eed70e555e864120cfaf280e979e2a035c66
> commit: 8fd6c5142395a106b63c8668e9f4a7106b6a0772 riscv: Add remaining module relocations
> config: riscv-randconfig-r071-20231211 (https://download.01.org/0day-ci/archive/20231213/202312130859.wnkuzVWY-lkp@intel.com/config)
> compiler: riscv64-linux-gcc (GCC) 13.2.0
> reproduce: (https://download.01.org/0day-ci/archive/20231213/202312130859.wnkuzVWY-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot
> | Reported-by: Dan Carpenter
> | Closes: https://lore.kernel.org/r/202312130859.wnkuzVWY-lkp@intel.com/
>
> New smatch warnings:
> arch/riscv/kernel/module.c:639 process_accumulated_relocations() error: uninitialized symbol 'curr_type'.
>
> Old smatch warnings:
> arch/riscv/kernel/module.c:632 process_accumulated_relocations() error: dereferencing freed memory 'rel_entry_iter'
> arch/riscv/kernel/module.c:629 process_accumulated_relocations() error: dereferencing freed memory 'rel_head_iter'
> arch/riscv/kernel/module.c:628 process_accumulated_relocations() error: dereferencing freed memory 'bucket_iter'
>
> vim +/curr_type +639 arch/riscv/kernel/module.c
>
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  602  void process_accumulated_relocations(struct module *me)
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  603  {
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  604  	/*
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  605  	 * Only ADD/SUB/SET/ULEB128 should end up here.
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  606  	 *
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  607  	 * Each bucket may have more than one relocation location. All
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  608  	 * relocations for a location are stored in a list in a bucket.
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  609  	 *
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  610  	 * Relocations are applied to a temp variable before being stored to the
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  611  	 * provided location to check for overflow. This also allows ULEB128 to
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  612  	 * properly decide how many entries are needed before storing to
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  613  	 * location. The final value is stored into location using the handler
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  614  	 * for the last relocation to an address.
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  615  	 *
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  616  	 * Three layers of indexing:
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  617  	 *	- Each of the buckets in use
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  618  	 *	- Groups of relocations in each bucket by location address
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  619  	 *	- Each relocation entry for a location address
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  620  	 */
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  621  	struct used_bucket *bucket_iter;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  622  	struct relocation_head *rel_head_iter;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  623  	struct relocation_entry *rel_entry_iter;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  624  	int curr_type;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  625  	void *location;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  626  	long buffer;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  627
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  628  	list_for_each_entry(bucket_iter, &used_buckets_list, head) {
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  629  		hlist_for_each_entry(rel_head_iter, bucket_iter->bucket, node) {
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  630  			buffer = 0;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  631  			location = rel_head_iter->location;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  632  			list_for_each_entry(rel_entry_iter,
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  633  					    rel_head_iter->rel_entry, head) {
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  634  				curr_type = rel_entry_iter->type;
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  635  				reloc_handlers[curr_type].reloc_handler(
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  636  					me, &buffer, rel_entry_iter->value);
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  637  				kfree(rel_entry_iter);
>
> This kfree() will lead to a NULL dereference on the next iteration
> through the loop. You need to use list_for_each_entry_safe().
>

This has been fixed in 6.7-rc5.

> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  638  			}
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01 @639  			reloc_handlers[curr_type].accumulate_handler(
>                                                  			               ^^^^^^^^^
> Can the list be empty? Uninitialized in that case.

That's a tricky one, the list cannot be empty. Each bucket in the
bucket_iter is guaranteed to have at least one rel_entry. I can probably
resolve this by extracting this for loop into a do-while loop.

- Charlie

>
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  640  				me, location, buffer);
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  641  			kfree(rel_head_iter);
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  642  		}
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  643  		kfree(bucket_iter);
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  644  	}
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  645
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  646  	kfree(relocation_hashtable);
> 8fd6c5142395a1 Charlie Jenkins 2023-11-01  647  }
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
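
Added example, not part of the thread and not the kernel's code: a userspace C model of the two smatch findings discussed above, freeing a node while the iterator still needs its link, and reading `curr_type` after a loop that may not have executed. The names `rel_entry`, `rel_push` and `rel_drain` and the -1 sentinel are assumptions made for illustration; the saved `next` pointer plays the role of the extra cursor that `list_for_each_entry_safe()` carries.

```c
#include <stdlib.h>

/* Userspace model (constructed): one relocation entry per node. */
struct rel_entry {
	int type;
	long value;
	struct rel_entry *next;
};

/* Push a new entry on the front of the list; returns the new head. */
struct rel_entry *rel_push(struct rel_entry *head, int type, long value)
{
	struct rel_entry *e = malloc(sizeof(*e));

	if (!e)
		return head;
	e->type = type;
	e->value = value;
	e->next = head;
	return e;
}

/*
 * Accumulate and free every entry. Returns the type of the last entry
 * processed, or -1 when the list was empty, so a caller never indexes
 * a handler table with an uninitialized type.
 */
int rel_drain(struct rel_entry *head, long *buffer)
{
	int curr_type = -1;	/* sentinel: no entry seen (assumption) */
	struct rel_entry *e = head, *next;

	*buffer = 0;
	while (e) {
		next = e->next;	/* read the link before freeing the node */
		curr_type = e->type;
		*buffer += e->value;
		free(e);	/* e is dead from here; only 'next' is used */
		e = next;
	}
	return curr_type;
}
```

A caller modelled on line 639 would test the return value for -1 before using it as an index, which makes the "list cannot be empty" invariant explicit to both readers and static analysis.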