On Mon, May 27, 2019 at 07:36:22AM -0600, Jens Axboe wrote:
> On 5/27/19 4:08 AM, Dan Carpenter wrote:
> > Hello Jens Axboe,
> >
> > The patch f3fafe4103bd: "io_uring: add support for sqe links" from
> > May 10, 2019, leads to the following static checker warning:
> >
> > fs/io_uring.c:623 io_req_link_next()
> > error: potential NULL dereference 'nxt'.
> >
> > fs/io_uring.c
> > 614 static void io_req_link_next(struct io_kiocb *req)
> > 615 {
> > 616 struct io_kiocb *nxt;
> > 617
> > 618 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb, list);
^^^^^^^^^^^^^^^
If this list is empty then "nxt" is NULL.
> > 619 list_del(&nxt->list);
> > ^^^^^^^^^
> > The warning is a false positive but this is a NULL dereference.
> >
> > 620 if (!list_empty(&req->link_list)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We're checking for list_empty() here.
> > 621 INIT_LIST_HEAD(&nxt->link_list);
> > ^^^^^
> > False positive.
>
> Both of them are false positives. I can work around them though, as it
> probably makes it a bit cleaner, too.
>
> >
> > 622 list_splice(&req->link_list, &nxt->link_list);
> > 623 nxt->flags |= REQ_F_LINK;
> > 624 }
> > 625
> > 626 INIT_WORK(&nxt->work, io_sq_wq_submit_work);
> > ^^^^^^^^^^
> > 627 queue_work(req->ctx->sqo_wq, &nxt->work);
> > ^^^^^^^^^^
> > Other bugs.
>
> Not sure what that means?
All these dereferences outside the if not empty check are a problem.
regards,
dan carpenter
