From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: Re: slab-out-of-bounds in iov_iter_revert()
Date: Thu, 17 Sep 2020 21:46:09 +0800	[thread overview]
Message-ID: <202009172159.DRkM3jYo%lkp@intel.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 10041 bytes --]

CC: kbuild-all(a)lists.01.org
In-Reply-To: <20200917020440.GQ3421308@ZenIV.linux.org.uk>
References: <20200917020440.GQ3421308@ZenIV.linux.org.uk>
TO: Al Viro <viro@zeniv.linux.org.uk>
TO: Qian Cai <cai@redhat.com>
CC: torvalds(a)linux-foundation.org
CC: vgoyal(a)redhat.com
CC: miklos(a)szeredi.hu
CC: linux-fsdevel(a)vger.kernel.org
CC: linux-kernel(a)vger.kernel.org

Hi Al,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on fuse/for-next]
[also build test WARNING on linux/master linus/master v5.9-rc5 next-20200917]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Al-Viro/Re-slab-out-of-bounds-in-iov_iter_revert/20200917-100520
base:   https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git for-next
:::::: branch date: 12 hours ago
:::::: commit date: 12 hours ago
config: x86_64-randconfig-m001-20200917 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add the following tags as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
fs/fuse/file.c:3205 fuse_direct_IO() error: uninitialized symbol 'shortened'.

# https://github.com/0day-ci/linux/commit/cf78ce1d71bfd0c3c06adfd5bba1664c61e36bbd
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Al-Viro/Re-slab-out-of-bounds-in-iov_iter_revert/20200917-100520
git checkout cf78ce1d71bfd0c3c06adfd5bba1664c61e36bbd
vim +/shortened +3205 fs/fuse/file.c

e5c5f05dca0cf90 Maxim Patlasov        2013-05-30  3110  
4273b793ec68753 Anand Avati           2012-02-17  3111  static ssize_t
c8b8e32d700fe94 Christoph Hellwig     2016-04-07  3112  fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
4273b793ec68753 Anand Avati           2012-02-17  3113  {
9d5722b7777e64d Christoph Hellwig     2015-02-02  3114  	DECLARE_COMPLETION_ONSTACK(wait);
4273b793ec68753 Anand Avati           2012-02-17  3115  	ssize_t ret = 0;
60b9df7a54804a9 Miklos Szeredi        2013-05-01  3116  	struct file *file = iocb->ki_filp;
60b9df7a54804a9 Miklos Szeredi        2013-05-01  3117  	struct fuse_file *ff = file->private_data;
e5c5f05dca0cf90 Maxim Patlasov        2013-05-30  3118  	bool async_dio = ff->fc->async_dio;
4273b793ec68753 Anand Avati           2012-02-17  3119  	loff_t pos = 0;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3120  	struct inode *inode;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3121  	loff_t i_size;
cf78ce1d71bfd0c Al Viro               2020-09-17  3122  	size_t count = iov_iter_count(iter), shortened;
c8b8e32d700fe94 Christoph Hellwig     2016-04-07  3123  	loff_t offset = iocb->ki_pos;
36cf66ed9f871fc Maxim Patlasov        2012-12-14  3124  	struct fuse_io_priv *io;
4273b793ec68753 Anand Avati           2012-02-17  3125  
4273b793ec68753 Anand Avati           2012-02-17  3126  	pos = offset;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3127  	inode = file->f_mapping->host;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3128  	i_size = i_size_read(inode);
4273b793ec68753 Anand Avati           2012-02-17  3129  
6f67376318abea5 Omar Sandoval         2015-03-16  3130  	if ((iov_iter_rw(iter) == READ) && (offset > i_size))
9fe55eea7e4b444 Steven Whitehouse     2014-01-24  3131  		return 0;
9fe55eea7e4b444 Steven Whitehouse     2014-01-24  3132  
439ee5f0c5080d4 Maxim Patlasov        2012-12-14  3133  	/* optimization for short read */
6f67376318abea5 Omar Sandoval         2015-03-16  3134  	if (async_dio && iov_iter_rw(iter) != WRITE && offset + count > i_size) {
439ee5f0c5080d4 Maxim Patlasov        2012-12-14  3135  		if (offset >= i_size)
439ee5f0c5080d4 Maxim Patlasov        2012-12-14  3136  			return 0;
5da784cce4308ae Constantine Shulyupin 2018-09-06  3137  		iov_iter_truncate(iter, fuse_round_up(ff->fc, i_size - offset));
cf78ce1d71bfd0c Al Viro               2020-09-17  3138  		shortened = count - iov_iter_count(iter);
cf78ce1d71bfd0c Al Viro               2020-09-17  3139  		count -= shortened;
439ee5f0c5080d4 Maxim Patlasov        2012-12-14  3140  	}
439ee5f0c5080d4 Maxim Patlasov        2012-12-14  3141  
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3142  	io = kmalloc(sizeof(struct fuse_io_priv), GFP_KERNEL);
36cf66ed9f871fc Maxim Patlasov        2012-12-14  3143  	if (!io)
36cf66ed9f871fc Maxim Patlasov        2012-12-14  3144  		return -ENOMEM;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3145  	spin_lock_init(&io->lock);
744742d692e37ad Seth Forshee          2016-03-11  3146  	kref_init(&io->refcnt);
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3147  	io->reqs = 1;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3148  	io->bytes = -1;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3149  	io->size = 0;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3150  	io->offset = offset;
6f67376318abea5 Omar Sandoval         2015-03-16  3151  	io->write = (iov_iter_rw(iter) == WRITE);
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3152  	io->err = 0;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3153  	/*
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3154  	 * By default, we want to optimize all I/Os with async request
60b9df7a54804a9 Miklos Szeredi        2013-05-01  3155  	 * submission to the client filesystem if supported.
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3156  	 */
e5c5f05dca0cf90 Maxim Patlasov        2013-05-30  3157  	io->async = async_dio;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3158  	io->iocb = iocb;
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3159  	io->blocking = is_sync_kiocb(iocb);
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3160  
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3161  	/*
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3162  	 * We cannot asynchronously extend the size of a file.
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3163  	 * In such case the aio will behave exactly like sync io.
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3164  	 */
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3165  	if ((offset + count > i_size) && iov_iter_rw(iter) == WRITE)
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3166  		io->blocking = true;
4273b793ec68753 Anand Avati           2012-02-17  3167  
7879c4e58b7c884 Ashish Sangwan        2016-04-07  3168  	if (io->async && io->blocking) {
744742d692e37ad Seth Forshee          2016-03-11  3169  		/*
744742d692e37ad Seth Forshee          2016-03-11  3170  		 * Additional reference to keep io around after
744742d692e37ad Seth Forshee          2016-03-11  3171  		 * calling fuse_aio_complete()
744742d692e37ad Seth Forshee          2016-03-11  3172  		 */
744742d692e37ad Seth Forshee          2016-03-11  3173  		kref_get(&io->refcnt);
9d5722b7777e64d Christoph Hellwig     2015-02-02  3174  		io->done = &wait;
744742d692e37ad Seth Forshee          2016-03-11  3175  	}
9d5722b7777e64d Christoph Hellwig     2015-02-02  3176  
6f67376318abea5 Omar Sandoval         2015-03-16  3177  	if (iov_iter_rw(iter) == WRITE) {
812408fb51ef580 Al Viro               2015-03-30  3178  		ret = fuse_direct_io(io, iter, &pos, FUSE_DIO_WRITE);
812408fb51ef580 Al Viro               2015-03-30  3179  		fuse_invalidate_attr(inode);
812408fb51ef580 Al Viro               2015-03-30  3180  	} else {
d22a943f44c79c9 Al Viro               2014-03-16  3181  		ret = __fuse_direct_read(io, iter, &pos);
812408fb51ef580 Al Viro               2015-03-30  3182  	}
36cf66ed9f871fc Maxim Patlasov        2012-12-14  3183  
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3184  	if (io->async) {
ebacb8127359955 Lukas Czerner         2018-11-09  3185  		bool blocking = io->blocking;
ebacb8127359955 Lukas Czerner         2018-11-09  3186  
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3187  		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3188  
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3189  		/* we have a non-extending, async request, so return */
ebacb8127359955 Lukas Czerner         2018-11-09  3190  		if (!blocking)
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3191  			return -EIOCBQUEUED;
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3192  
9d5722b7777e64d Christoph Hellwig     2015-02-02  3193  		wait_for_completion(&wait);
9d5722b7777e64d Christoph Hellwig     2015-02-02  3194  		ret = fuse_get_res_by_io(io);
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3195  	}
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3196  
744742d692e37ad Seth Forshee          2016-03-11  3197  	kref_put(&io->refcnt, fuse_io_release);
9d5722b7777e64d Christoph Hellwig     2015-02-02  3198  
6f67376318abea5 Omar Sandoval         2015-03-16  3199  	if (iov_iter_rw(iter) == WRITE) {
efb9fa9e911b23c Maxim Patlasov        2012-12-18  3200  		if (ret > 0)
bcba24ccdc82f74 Maxim Patlasov        2012-12-14  3201  			fuse_write_update_size(inode, pos);
efb9fa9e911b23c Maxim Patlasov        2012-12-18  3202  		else if (ret < 0 && offset + count > i_size)
efb9fa9e911b23c Maxim Patlasov        2012-12-18  3203  			fuse_do_truncate(file);
efb9fa9e911b23c Maxim Patlasov        2012-12-18  3204  	}
cf78ce1d71bfd0c Al Viro               2020-09-17 @3205  	if (shortened)
cf78ce1d71bfd0c Al Viro               2020-09-17  3206  		iov_iter_reexpand(iter, shortened);
4273b793ec68753 Anand Avati           2012-02-17  3207  
4273b793ec68753 Anand Avati           2012-02-17  3208  	return ret;
4273b793ec68753 Anand Avati           2012-02-17  3209  }
4273b793ec68753 Anand Avati           2012-02-17  3210  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 30052 bytes --]
