On 5/27/19 8:10 AM, Dan Carpenter wrote:
> On Mon, May 27, 2019 at 07:36:22AM -0600, Jens Axboe wrote:
>> On 5/27/19 4:08 AM, Dan Carpenter wrote:
>>> Hello Jens Axboe,
>>>
>>> The patch f3fafe4103bd: "io_uring: add support for sqe links" from
>>> May 10, 2019, leads to the following static checker warning:
>>>
>>> fs/io_uring.c:623 io_req_link_next()
>>> error: potential NULL dereference 'nxt'.
>>>
>>> fs/io_uring.c
>>> 614 static void io_req_link_next(struct io_kiocb *req)
>>> 615 {
>>> 616 struct io_kiocb *nxt;
>>> 617
>>> 618 nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb, list);
> ^^^^^^^^^^^^^^^
> If this list is empty then "nxt" is NULL.
Right...
>>> 619 list_del(&nxt->list);
>>> ^^^^^^^^^
>>> The warning is a false positive but this is a NULL dereference.
>>>
>>> 620 if (!list_empty(&req->link_list)) {
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> We're checking for list_empty() here.
After deleting an entry from it.
>>> 621 INIT_LIST_HEAD(&nxt->link_list);
>>> ^^^^^
>>> False positive.
>>
>> Both of them are false positives. I can work around them though, as it
>> probably makes it a bit cleaner, too.
>>
>>>
>>> 622 list_splice(&req->link_list, &nxt->link_list);
>>> 623 nxt->flags |= REQ_F_LINK;
>>> 624 }
>>> 625
>>> 626 INIT_WORK(&nxt->work, io_sq_wq_submit_work);
>>> ^^^^^^^^^^
>>> 627 queue_work(req->ctx->sqo_wq, &nxt->work);
>>> ^^^^^^^^^^
>>> Other bugs.
>>
>> Not sure what that means?
>
> All these dereferences outside the if not empty check are a problem.
But this is the same thing If 'nxt' can ever be NULL, it's a problem.
If it cannot, then it's a false positive.
I'll just add a check. It should not happen, but it probably can if
the chain is messed up.
--
Jens Axboe
