Re: arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
From: Tiwei Bie
Date: Sat Apr 11 2026 - 06:26:01 EST
On Sat, 11 Apr 2026 09:13:54 +0100, Anton Ivanov wrote:
> On 11/04/2026 08:57, Dan Carpenter wrote:
> > [ Obviously, the commit just did COMPILE_TEST or something. Anyway... -dan ]
> >
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > head: 7c6c4ed80b874f721bc7c2c937e098c56e37d2f0
> > commit: b555cb66583e99158cfef8e91c025252cefae55b um: vector: Eliminate the dependency on uml_net
> > config: um-randconfig-r072-20260411 (https://download.01.org/0day-ci/archive/20260411/202604110937.MLUL70Lx-lkp@xxxxxxxxx/config)
> > compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project ae825cb8cea7f3ac8e5e4096f22713845cf5e501)
> > smatch: v0.5.0-9004-gb810ac53
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add the following tags
> > | Fixes: b555cb66583e ("um: vector: Eliminate the dependency on uml_net")
> > | Reported-by: kernel test robot <lkp@xxxxxxxxx>
> > | Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> > | Closes: https://lore.kernel.org/r/202604110937.MLUL70Lx-lkp@xxxxxxxxx/
> >
> > smatch warnings:
> > arch/um/drivers/vector_kern.c:471 destroy_queue() warn: variable dereferenced before check 'qi' (see line 468)
> >
> > vim +/qi +471 arch/um/drivers/vector_kern.c
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 464 static void destroy_queue(struct vector_queue *qi)
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 465 {
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 466 int i;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 467 struct iovec *iov;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 @468 struct vector_private *vp = netdev_priv(qi->dev);
> > ^^^^^^^
> > Dereference
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 469 struct mmsghdr *mmsg_vector;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 470
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 @471 if (qi == NULL)
> > ^^^^^^^^^^
> > Checked too late.
> >
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 472 return;
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 473 /* deallocate any skbuffs - we rely on any unused to be
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 474 * set to NULL.
> > 49da7e64f33e80 Anton Ivanov 2017-11-20 475 */
> >
> It has been used for quite a while, so surprising that it was not caught
> earlier.
>
> And no, it was not just a "compile test".
+1, I use it often. It was not just a compile test.
All callers of destroy_queue() already perform a NULL check, so qi will
never actually be NULL (I guess that's why it wasn't caught earlier):
https://github.com/torvalds/linux/blob/e774d5f1bc27a85f858bce7688509e866f8e8a4e/arch/um/drivers/vector_kern.c#L583
https://github.com/torvalds/linux/blob/e774d5f1bc27a85f858bce7688509e866f8e8a4e/arch/um/drivers/vector_kern.c#L1147-L1150
Regards,
Tiwei
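The ordering smatch is reporting, modelled in user space as an added example (not the driver's code; the struct layouts, the queues_destroyed counter and the freed-count return value are assumptions made so the flagged and the corrected orderings can be compared side by side):

```c
#include <stdlib.h>

/* Constructed user-space stand-ins for the kernel types; field names are assumptions. */
struct vector_private { int queues_destroyed; };
struct net_device { struct vector_private priv; };
struct vector_queue { struct net_device *dev; int max_depth; void **skbuff_vector; };

static struct vector_private *netdev_priv(struct net_device *dev) { return &dev->priv; }

/* The ordering smatch flagged: qi->dev is read on the first line, so a NULL qi
 * faults there and the check below it can never protect anything. */
void destroy_queue_before(struct vector_queue *qi)
{
	struct vector_private *vp = netdev_priv(qi->dev);
	if (qi == NULL)
		return;
	vp->queues_destroyed++;
}

/* Fixed ordering: validate qi first and derive vp only afterwards.
 * Returns the number of freed entries so the behaviour can be checked. */
int destroy_queue_fixed(struct vector_queue *qi)
{
	struct vector_private *vp;
	int i, freed = 0;
	if (qi == NULL)
		return 0;
	vp = netdev_priv(qi->dev);
	for (i = 0; i < qi->max_depth; i++) {
		if (qi->skbuff_vector[i] != NULL) {
			free(qi->skbuff_vector[i]);
			qi->skbuff_vector[i] = NULL;	/* unused slots stay NULL, as the driver relies on */
			freed++;
		}
	}
	vp->queues_destroyed++;
	return freed;
}

/* Constructed input: 4 slots, the first 2 holding buffers. Returns the freed
 * count, or -1 if the per-device bookkeeping did not run exactly once. */
int demo_destroy(void)
{
	struct net_device dev = { { 0 } };
	void *bufs[4] = { malloc(64), malloc(64), NULL, NULL };
	struct vector_queue q = { &dev, 4, bufs };
	int freed = destroy_queue_fixed(&q);
	return dev.priv.queues_destroyed == 1 ? freed : -1;
}
```

A compiler is also entitled to treat the unconditional dereference as proof that qi is non-NULL and drop the later check entirely, so the late test is not even a partial safeguard; only the reordered version actually guards the NULL case.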