Re: [kvm:queue 71/177] arch/x86/kvm/vmx/nested.c:5246:3: error: variable 'roots_to_free' is used uninitialized whenever 'if' condition is false

Nick Desaulniers <ndesaulniers@xxxxxxxxxx> · Mon, 18 May 2020 12:16:00 -0700

On Sat, May 16, 2020 at 8:39 AM kbuild test robot <lkp@xxxxxxxxx> wrote:
>
> tree:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git queue
> head:   cb953129bfe5c0f2da835a0469930873fb7e71df
> commit: ce8fe7b77bd8ee405295e349c82d0ef8c9788200 [71/177] KVM: nVMX: Free only the affected contexts when emulating INVEPT
> config: x86_64-randconfig-a012-20200515 (attached as .config)
> compiler: clang version 11.0.0 (https://github.com/llvm/llvm-project 13d44b2a0c7ef404b13b16644765977cd5310fe2)
> reproduce:
>         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>         chmod +x ~/bin/make.cross
>         # install x86_64 cross compiling tool for clang build
>         # apt-get install binutils-x86-64-linux-gnu
>         git checkout ce8fe7b77bd8ee405295e349c82d0ef8c9788200
>         # save the attached .config to linux build tree
>         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kbuild test robot <lkp@xxxxxxxxx>
>
> Note: the kvm/queue HEAD cb953129bfe5c0f2da835a0469930873fb7e71df builds fine.
>       It only hurts bisectibility.
>
> All errors (new ones prefixed by >>, old ones prefixed by <<):
>
> >> arch/x86/kvm/vmx/nested.c:5246:3: error: variable 'roots_to_free' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
> BUG_ON(1);
> ^~~~~~~~~
> include/asm-generic/bug.h:62:32: note: expanded from macro 'BUG_ON'
> #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
> ^~~~~~~~~~~~~~~~~~~~~~~~
> include/linux/compiler.h:56:28: note: expanded from macro 'if'
> #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> include/linux/compiler.h:58:30: note: expanded from macro '__trace_if_var'
> #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
> ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> arch/x86/kvm/vmx/nested.c:5250:6: note: uninitialized use occurs here
> if (roots_to_free)
> ^~~~~~~~~~~~~
> include/linux/compiler.h:56:47: note: expanded from macro 'if'
> #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
> ^~~~
> include/linux/compiler.h:58:52: note: expanded from macro '__trace_if_var'
> #define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
> ^~~~
> arch/x86/kvm/vmx/nested.c:5246:3: note: remove the 'if' if its condition is always true
> BUG_ON(1);
> ^
> include/asm-generic/bug.h:62:32: note: expanded from macro 'BUG_ON'
> #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while (0)
> ^
> include/linux/compiler.h:56:23: note: expanded from macro 'if'
> #define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
> ^
> arch/x86/kvm/vmx/nested.c:5179:35: note: initialize the variable 'roots_to_free' to silence this warning
> unsigned long type, roots_to_free;
> ^
> = 0
> 1 error generated.
>
> vim +5246 arch/x86/kvm/vmx/nested.c
>
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5173
> 55d2375e58a61b Sean Christopherson 2018-12-03  5174  /* Emulate the INVEPT instruction */
> 55d2375e58a61b Sean Christopherson 2018-12-03  5175  static int handle_invept(struct kvm_vcpu *vcpu)
> 55d2375e58a61b Sean Christopherson 2018-12-03  5176  {
> 55d2375e58a61b Sean Christopherson 2018-12-03  5177     struct vcpu_vmx *vmx = to_vmx(vcpu);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5178     u32 vmx_instruction_info, types;
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5179     unsigned long type, roots_to_free;

^ definition of roots_to_free

> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5180     struct kvm_mmu *mmu;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5181     gva_t gva;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5182     struct x86_exception e;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5183     struct {
> 55d2375e58a61b Sean Christopherson 2018-12-03  5184             u64 eptp, gpa;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5185     } operand;
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5186     int i;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5187
> 55d2375e58a61b Sean Christopherson 2018-12-03  5188     if (!(vmx->nested.msrs.secondary_ctls_high &
> 55d2375e58a61b Sean Christopherson 2018-12-03  5189           SECONDARY_EXEC_ENABLE_EPT) ||
> 55d2375e58a61b Sean Christopherson 2018-12-03  5190         !(vmx->nested.msrs.ept_caps & VMX_EPT_INVEPT_BIT)) {
> 55d2375e58a61b Sean Christopherson 2018-12-03  5191             kvm_queue_exception(vcpu, UD_VECTOR);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5192             return 1;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5193     }
> 55d2375e58a61b Sean Christopherson 2018-12-03  5194
> 55d2375e58a61b Sean Christopherson 2018-12-03  5195     if (!nested_vmx_check_permission(vcpu))
> 55d2375e58a61b Sean Christopherson 2018-12-03  5196             return 1;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5197
> 55d2375e58a61b Sean Christopherson 2018-12-03  5198     vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5199     type = kvm_register_readl(vcpu, (vmx_instruction_info >> 28) & 0xf);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5200
> 55d2375e58a61b Sean Christopherson 2018-12-03  5201     types = (vmx->nested.msrs.ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5202
> 55d2375e58a61b Sean Christopherson 2018-12-03  5203     if (type >= 32 || !(types & (1 << type)))
> 55d2375e58a61b Sean Christopherson 2018-12-03  5204             return nested_vmx_failValid(vcpu,
> 55d2375e58a61b Sean Christopherson 2018-12-03  5205                             VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5206
> 55d2375e58a61b Sean Christopherson 2018-12-03  5207     /* According to the Intel VMX instruction reference, the memory
> 55d2375e58a61b Sean Christopherson 2018-12-03  5208      * operand is read even if it isn't needed (e.g., for type==global)
> 55d2375e58a61b Sean Christopherson 2018-12-03  5209      */
> 55d2375e58a61b Sean Christopherson 2018-12-03  5210     if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
> fdb28619a8f033 Eugene Korenevsky   2019-06-06  5211                     vmx_instruction_info, false, sizeof(operand), &gva))
> 55d2375e58a61b Sean Christopherson 2018-12-03  5212             return 1;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5213     if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) {
> ee1fa209f5e5ca Junaid Shahid       2020-03-20  5214             kvm_inject_emulated_page_fault(vcpu, &e);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5215             return 1;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5216     }
> 55d2375e58a61b Sean Christopherson 2018-12-03  5217
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5218     /*
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5219      * Nested EPT roots are always held through guest_mmu,
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5220      * not root_mmu.
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5221      */
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5222     mmu = &vcpu->arch.guest_mmu;
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5223
> 55d2375e58a61b Sean Christopherson 2018-12-03  5224     switch (type) {
> b119019847fbca Jim Mattson         2019-06-13  5225     case VMX_EPT_EXTENT_CONTEXT:
> eed0030e4caa94 Sean Christopherson 2020-03-20  5226             if (!nested_vmx_check_eptp(vcpu, operand.eptp))
> eed0030e4caa94 Sean Christopherson 2020-03-20  5227                     return nested_vmx_failValid(vcpu,
> eed0030e4caa94 Sean Christopherson 2020-03-20  5228                             VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
> f8aa7e3958bc43 Sean Christopherson 2020-03-20  5229
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5230             roots_to_free = 0;

^ assignment

> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5231             if (nested_ept_root_matches(mmu->root_hpa, mmu->root_cr3,
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5232                                         operand.eptp))
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5233                     roots_to_free |= KVM_MMU_ROOT_CURRENT;
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5234
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5235             for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5236                     if (nested_ept_root_matches(mmu->prev_roots[i].hpa,
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5237                                                 mmu->prev_roots[i].cr3,
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5238                                                 operand.eptp))
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5239                             roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5240             }
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5241             break;
> eed0030e4caa94 Sean Christopherson 2020-03-20  5242     case VMX_EPT_EXTENT_GLOBAL:
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5243             roots_to_free = KVM_MMU_ROOTS_ALL;

^ assignment

> 55d2375e58a61b Sean Christopherson 2018-12-03  5244             break;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5245     default:
> 55d2375e58a61b Sean Christopherson 2018-12-03 @5246             BUG_ON(1);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5247             break;
> 55d2375e58a61b Sean Christopherson 2018-12-03  5248     }
> 55d2375e58a61b Sean Christopherson 2018-12-03  5249
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5250     if (roots_to_free)

^ use

While the BUG_ON in the default case should prevent the problematic
use, Clang can't understand the semantics of BUG_ON.  roots_to_free
should just be initialized to zero.

> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5251             kvm_mmu_free_roots(vcpu, mmu, roots_to_free);
> ce8fe7b77bd8ee Sean Christopherson 2020-03-20  5252
> 55d2375e58a61b Sean Christopherson 2018-12-03  5253     return nested_vmx_succeed(vcpu);
> 55d2375e58a61b Sean Christopherson 2018-12-03  5254  }
> 55d2375e58a61b Sean Christopherson 2018-12-03  5255
>
> :::::: The code at line 5246 was first introduced by commit
> :::::: 55d2375e58a61be072431dd3d3c8a320f4a4a01b KVM: nVMX: Move nested code to dedicated files
>
> :::::: TO: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> :::::: CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
>
> --
> You received this message because you are subscribed to the Google Groups "Clang Built Linux" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@xxxxxxxxxxxxxxxx.
> To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/202005162313.CDreQC6s%25lkp%40intel.com.

-- 
Thanks,
~Nick Desaulniers