[bug report] Merge branch 'fixes' into next

Hello Vinod Koul,

Commit 5cb664fbeba0 ("Merge branch 'fixes' into next") from Jan 5,
2022 (linux-next), leads to the following Smatch static checker
warning:

	drivers/dma/idxd/submit.c:141 llist_abort_desc()
	error: we previously assumed 'found' could be null (see line 129)

drivers/dma/idxd/submit.c
    97 static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
    98                              struct idxd_desc *desc)
    99 {
    100         struct idxd_desc *d, *t, *found = NULL;
    101         struct llist_node *head;
    102         LIST_HEAD(flist);
    103 
    104         desc->completion->status = IDXD_COMP_DESC_ABORT;
    105         /*
    106          * Grab the list lock so it will block the irq thread handler. This allows the
    107          * abort code to locate the descriptor need to be aborted.
    108          */
    109         spin_lock(&ie->list_lock);
    110         head = llist_del_all(&ie->pending_llist);
    111         if (head) {
    112                 llist_for_each_entry_safe(d, t, head, llnode) {
    113                         if (d == desc) {
    114                                 found = desc;
    115                                 continue;
    116                         }
    117 
    118                         if (d->completion->status)
    119                                 list_add_tail(&d->list, &flist);

Items added to flist here.

    120                         else
    121                                 list_add_tail(&d->list, &ie->work_list);
    122                 }
    123         }
    124 
    125         if (!found)
    126                 found = list_abort_desc(wq, ie, desc);
    127         spin_unlock(&ie->list_lock);
    128 
    129         if (found)

This code assumes found can be NULL

    130                 idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, false,
    131                                       NULL, NULL);
    132 
    133         /*
    134          * completing the descriptor will return desc to allocator and
    135          * the desc can be acquired by a different process and the
    136          * desc->list can be modified.  Delete desc from list so the
    137          * list trasversing does not get corrupted by the other process.
    138          */
    139         list_for_each_entry_safe(d, t, &flist, list) {
    140                 list_del_init(&d->list);
--> 141                 idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
                                              ^^^^^
NULL dereference if flist isn't empty but found is NULL

    142                                       NULL, NULL);
    143         }
    144 }

regards,
dan carpenter
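
The control flow flagged above, as an added userspace model (not code from the original message or from the kernel). `struct desc`, `complete_txd()` and `abort_model()` are hypothetical names; the `per_entry` variant assumes the loop was meant to complete each drained entry and is not presented as the upstream fix.

```c
#include <stddef.h>

/* Constructed userspace model of a descriptor; not the kernel's struct idxd_desc. */
struct desc {
    int status;     /* non-zero: already completed by hardware */
    int completed;  /* times the completion routine ran on this entry */
};

/* Stand-in for idxd_dma_complete_txd(): counts a NULL argument instead of
 * dereferencing it, so the faulting path can be observed safely. */
static void complete_txd(struct desc *d, int *null_calls)
{
    if (!d) {
        (*null_calls)++;
        return;
    }
    d->completed++;
}

/* Mirrors the control flow of llist_abort_desc(): drain the pending entries,
 * remember the target if it is present, then complete the drained entries.
 * per_entry == 0 reproduces line 141 as reported (passes 'found');
 * per_entry == 1 passes the loop cursor instead (assumed intent, hypothetical).
 * Returns how many times the completion routine received NULL. */
int abort_model(struct desc **pending, size_t n, struct desc *target, int per_entry)
{
    struct desc *flist[16], *found = NULL;
    size_t nf = 0, i;
    int null_calls = 0;

    for (i = 0; i < n; i++) {
        if (pending[i] == target) {
            found = target;
            continue;
        }
        if (pending[i]->status && nf < 16)
            flist[nf++] = pending[i];   /* "Items added to flist here." */
    }
    /* The list_abort_desc() fallback is modelled as not finding the target either. */
    if (found)                          /* line 129: guarded use */
        complete_txd(found, &null_calls);
    for (i = 0; i < nf; i++)            /* lines 139-143: unguarded use */
        complete_txd(per_entry ? flist[i] : found, &null_calls);
    return null_calls;
}
```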