* potential null pointer dereference (or maybe invalid null check) in io_uring io_poll_remove_double()
@ 2021-07-09 11:55 Colin Ian King
From: Colin Ian King @ 2021-07-09 11:55 UTC (permalink / raw)
To: Jens Axboe; +Cc: Pavel Begunkov, io-uring, [email protected]
Hi Jens,
I was triaging some outstanding Coverity static analysis warnings and
found a potential issue in the following commit:
commit 807abcb0883439af5ead73f3308310453b97b624
Author: Jens Axboe <[email protected]>
Date: Fri Jul 17 17:09:27 2020 -0600
io_uring: ensure double poll additions work with both request types
The analysis from Coverity is as follows:
4962 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
4963 int sync, void *key)
4964 {
4965 struct io_kiocb *req = wait->private;
4966 struct io_poll_iocb *poll = io_poll_get_single(req);
4967 __poll_t mask = key_to_poll(key);
4968
4969 /* for instances that support it check for an event match first: */
deref_ptr: Directly dereferencing pointer poll.
4970 if (mask && !(mask & poll->events))
4971 return 0;
4972 if (!(poll->events & EPOLLONESHOT))
4973 return poll->wait.func(&poll->wait, mode, sync, key);
4974
4975 list_del_init(&wait->entry);
4976
Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking poll suggests that it may be null,
but it has already been dereferenced on all paths leading to the check.
4977 if (poll && poll->head) {
4978 bool done;
Pointer poll is dereferenced on line 4970; however, on line 4977 it is
null checked. Either the null check is redundant (because it can never
be null) or it needs to be performed before the poll->events read on
line 4970.
Colin
* Re: potential null pointer dereference (or maybe invalid null check) in io_uring io_poll_remove_double()
From: Jens Axboe @ 2021-07-09 14:19 UTC (permalink / raw)
To: Colin Ian King; +Cc: Pavel Begunkov, io-uring, [email protected]
On 7/9/21 5:55 AM, Colin Ian King wrote:
> Hi Jens,
>
> I was triaging some outstanding Coverity static analysis warnings and
> found a potential issue in the following commit:
>
> commit 807abcb0883439af5ead73f3308310453b97b624
> Author: Jens Axboe <[email protected]>
> Date: Fri Jul 17 17:09:27 2020 -0600
>
> io_uring: ensure double poll additions work with both request types
>
> The analysis from Coverity is as follows:
>
> 4962 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
> 4963 int sync, void *key)
> 4964 {
> 4965 struct io_kiocb *req = wait->private;
> 4966 struct io_poll_iocb *poll = io_poll_get_single(req);
> 4967 __poll_t mask = key_to_poll(key);
> 4968
> 4969 /* for instances that support it check for an event match first: */
>
> deref_ptr: Directly dereferencing pointer poll.
>
> 4970 if (mask && !(mask & poll->events))
> 4971 return 0;
> 4972 if (!(poll->events & EPOLLONESHOT))
> 4973 return poll->wait.func(&poll->wait, mode, sync, key);
> 4974
> 4975 list_del_init(&wait->entry);
> 4976
>
> Dereference before null check (REVERSE_INULL)
> check_after_deref: Null-checking poll suggests that it may be null,
> but it has already been dereferenced on all paths leading to the check.
>
> 4977 if (poll && poll->head) {
> 4978 bool done;
>
> Pointer poll is dereferenced on line 4970; however, on line 4977 it is
> null checked. Either the null check is redundant (because it can never
> be null) or it needs to be performed before the poll->events read on
> line 4970.
I think it's dead code, originally copied from the single poll wake
side. The 'poll' non-zero check should just go.
--
Jens Axboe
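A user-space model of the pattern Coverity flagged, added here as an example and not code from the thread or from io_uring: the struct, return codes and mask values are constructed stand-ins, and the two resolutions named in the report (drop the check, or hoist it above the first read) sit side by side so their behaviour can be compared.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel types; this is not the io_uring code. */
#define EPOLLIN      0x00000001u
#define EPOLLONESHOT 0x40000000u

/* Return codes of the model (the real function returns whatever wait.func does). */
enum { WAKE_NO_MATCH = 0, WAKE_FORWARDED = 1, WAKE_HANDLED = 2 };

struct mock_poll {
    unsigned events;
    void *head;   /* non-NULL while the entry is still armed on a wait queue */
};

/* Same control flow as the reported io_poll_double_wake(): poll->events is
 * read first, so the later "poll &&" test can never observe NULL. Outside the
 * kernel (which builds with -fno-delete-null-pointer-checks) the compiler may
 * drop that test entirely, because the earlier dereference already implied
 * the pointer is non-NULL. */
static int double_wake_reverse_inull(struct mock_poll *poll, unsigned mask, int *done)
{
    if (mask && !(mask & poll->events))
        return WAKE_NO_MATCH;
    if (!(poll->events & EPOLLONESHOT))
        return WAKE_FORWARDED;               /* stands in for poll->wait.func(...) */
    if (poll && poll->head) {                /* REVERSE_INULL: dead NULL check */
        *done = 1;
        poll->head = NULL;
    }
    return WAKE_HANDLED;
}

/* Resolution from the reply: the check on poll goes; behaviour is unchanged. */
static int double_wake_fixed(struct mock_poll *poll, unsigned mask, int *done)
{
    if (mask && !(mask & poll->events))
        return WAKE_NO_MATCH;
    if (!(poll->events & EPOLLONESHOT))
        return WAKE_FORWARDED;
    if (poll->head) {
        *done = 1;
        poll->head = NULL;
    }
    return WAKE_HANDLED;
}

/* The other option named in the report: if poll really could be NULL, the
 * check has to come before the first read, not after it. */
static int double_wake_hoisted(struct mock_poll *poll, unsigned mask, int *done)
{
    return poll ? double_wake_fixed(poll, mask, done) : WAKE_NO_MATCH;
}
```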