From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Xiubo Li <xiubli@redhat.com>
Cc: lkp@intel.com, kbuild-all@lists.01.org,
ceph-devel@vger.kernel.org, Jeff Layton <jlayton@kernel.org>
Subject: [ceph-client:testing 6/8] fs/ceph/caps.c:2272 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'
Date: Thu, 8 Jul 2021 15:23:59 +0300
Message-ID: <202107081225.Sgpea8vn-lkp@intel.com>
tree: https://github.com/ceph/ceph-client.git testing
head: 64887ecca52b9d754c09837b7242b80463bda63c
commit: dcdb5c3121f827d6bd92a11f3ad0f0cc27e3d133 [6/8] ceph: flush the mdlog before waiting on unsafe reqs
config: s390-randconfig-m031-20210707 (attached as .config)
compiler: s390-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
fs/ceph/caps.c:2272 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'
Old smatch warnings:
fs/ceph/caps.c:2286 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'
vim +2272 fs/ceph/caps.c
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2216 static int unsafe_request_wait(struct inode *inode)
da819c8150c5b6 Yan, Zheng 2015-05-27 2217 {
dcdb5c3121f827 Xiubo Li 2021-07-05 2218 struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
da819c8150c5b6 Yan, Zheng 2015-05-27 2219 struct ceph_inode_info *ci = ceph_inode(inode);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2220 struct ceph_mds_request *req1 = NULL, *req2 = NULL;
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2221 int ret, err = 0;
da819c8150c5b6 Yan, Zheng 2015-05-27 2222
da819c8150c5b6 Yan, Zheng 2015-05-27 2223 spin_lock(&ci->i_unsafe_lock);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2224 if (S_ISDIR(inode->i_mode) && !list_empty(&ci->i_unsafe_dirops)) {
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2225 req1 = list_last_entry(&ci->i_unsafe_dirops,
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2226 struct ceph_mds_request,
da819c8150c5b6 Yan, Zheng 2015-05-27 2227 r_unsafe_dir_item);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2228 ceph_mdsc_get_request(req1);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2229 }
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2230 if (!list_empty(&ci->i_unsafe_iops)) {
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2231 req2 = list_last_entry(&ci->i_unsafe_iops,
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2232 struct ceph_mds_request,
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2233 r_unsafe_target_item);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2234 ceph_mdsc_get_request(req2);
68cd5b4b7612c2 Yan, Zheng 2015-10-27 2235 }
da819c8150c5b6 Yan, Zheng 2015-05-27 2236 spin_unlock(&ci->i_unsafe_lock);
da819c8150c5b6 Yan, Zheng 2015-05-27 2237
dcdb5c3121f827 Xiubo Li 2021-07-05 2238 /*
dcdb5c3121f827 Xiubo Li 2021-07-05 2239 * Trigger to flush the journal logs in all the relevant MDSes
dcdb5c3121f827 Xiubo Li 2021-07-05 2240 * manually, or in the worst case we must wait at most 5 seconds
dcdb5c3121f827 Xiubo Li 2021-07-05 2241 * to wait the journal logs to be flushed by the MDSes periodically.
dcdb5c3121f827 Xiubo Li 2021-07-05 2242 */
dcdb5c3121f827 Xiubo Li 2021-07-05 2243 if (req1 || req2) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2244 struct ceph_mds_session **sessions = NULL;
dcdb5c3121f827 Xiubo Li 2021-07-05 2245 struct ceph_mds_session *s;
dcdb5c3121f827 Xiubo Li 2021-07-05 2246 struct ceph_mds_request *req;
dcdb5c3121f827 Xiubo Li 2021-07-05 2247 unsigned int max;
dcdb5c3121f827 Xiubo Li 2021-07-05 2248 int i;
dcdb5c3121f827 Xiubo Li 2021-07-05 2249
dcdb5c3121f827 Xiubo Li 2021-07-05 2250 /*
dcdb5c3121f827 Xiubo Li 2021-07-05 2251 * The mdsc->max_sessions is unlikely to be changed
dcdb5c3121f827 Xiubo Li 2021-07-05 2252 * mostly, here we will retry it by reallocating the
dcdb5c3121f827 Xiubo Li 2021-07-05 2253 * sessions arrary memory to get rid of the mdsc->mutex
dcdb5c3121f827 Xiubo Li 2021-07-05 2254 * lock.
dcdb5c3121f827 Xiubo Li 2021-07-05 2255 */
dcdb5c3121f827 Xiubo Li 2021-07-05 2256 retry:
dcdb5c3121f827 Xiubo Li 2021-07-05 2257 max = mdsc->max_sessions;
dcdb5c3121f827 Xiubo Li 2021-07-05 2258 sessions = krealloc(sessions, max * sizeof(s), __GFP_ZERO);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"sessions" is allocated here. It has "max" elements.
dcdb5c3121f827 Xiubo Li 2021-07-05 2259 if (!sessions) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2260 err = -ENOMEM;
dcdb5c3121f827 Xiubo Li 2021-07-05 2261 goto out;
dcdb5c3121f827 Xiubo Li 2021-07-05 2262 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2263 spin_lock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li 2021-07-05 2264 if (req1) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2265 list_for_each_entry(req, &ci->i_unsafe_dirops,
dcdb5c3121f827 Xiubo Li 2021-07-05 2266 r_unsafe_dir_item) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2267 s = req->r_session;
dcdb5c3121f827 Xiubo Li 2021-07-05 2268 if (unlikely(s->s_mds > max)) {
^^^^^^^^^^^^^^
This test is off by one. It should be >= max.
dcdb5c3121f827 Xiubo Li 2021-07-05 2269 spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li 2021-07-05 2270 goto retry;
dcdb5c3121f827 Xiubo Li 2021-07-05 2271 }
dcdb5c3121f827 Xiubo Li 2021-07-05 @2272 if (!sessions[s->s_mds]) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2273 s = ceph_get_mds_session(s);
dcdb5c3121f827 Xiubo Li 2021-07-05 2274 sessions[s->s_mds] = s;
Memory corrupting one element beyond the end of the array.
dcdb5c3121f827 Xiubo Li 2021-07-05 2275 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2276 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2277 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2278 if (req2) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2279 list_for_each_entry(req, &ci->i_unsafe_iops,
dcdb5c3121f827 Xiubo Li 2021-07-05 2280 r_unsafe_target_item) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2281 s = req->r_session;
dcdb5c3121f827 Xiubo Li 2021-07-05 2282 if (unlikely(s->s_mds > max)) {
^^^^^^^^^^^^^^
Same.
dcdb5c3121f827 Xiubo Li 2021-07-05 2283 spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li 2021-07-05 2284 goto retry;
dcdb5c3121f827 Xiubo Li 2021-07-05 2285 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2286 if (!sessions[s->s_mds]) {
dcdb5c3121f827 Xiubo Li 2021-07-05 2287 s = ceph_get_mds_session(s);
dcdb5c3121f827 Xiubo Li 2021-07-05 2288 sessions[s->s_mds] = s;
dcdb5c3121f827 Xiubo Li 2021-07-05 2289 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2290 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2291 }
dcdb5c3121f827 Xiubo Li 2021-07-05 2292 spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li 2021-07-05 2293
dcdb5c3121f827 Xiubo Li 2021-07-05 2294 /* the auth MDS */
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
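
The off-by-one flagged in the report above, as an added userspace model (not part of the original message and not kernel code). `struct session`, `collect()`, the guard slot and the sample ranks are constructed for illustration; only the two comparisons mirror the `> max` test in the listing and the `>= max` correction the report gives.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct ceph_mds_session: only the rank matters. */
struct session { unsigned int mds; };

typedef int (*fits_fn)(unsigned int mds, unsigned int max);

/* Test as written at line 2268: retries only when mds > max, so mds == max passes. */
static int fits_buggy(unsigned int mds, unsigned int max) { return !(mds > max); }

/* Corrected test: retries when mds >= max; valid indexes are 0 .. max - 1. */
static int fits_fixed(unsigned int mds, unsigned int max) { return !(mds >= max); }

/*
 * One pass of the collection loop over n request sessions. The table has max
 * logical slots plus one guard slot at index max, so a store one past the end
 * is observable without undefined behaviour. Returns 0 = stored in bounds,
 * 1 = retry requested, 2 = guard slot written (overflow), -1 = no memory.
 */
static int collect(struct session *reqs, size_t n, unsigned int max, fits_fn fits)
{
    struct session **sessions = calloc((size_t)max + 1, sizeof(*sessions));
    int rc = 0;

    if (!sessions)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct session *s = &reqs[i];
        if (!fits(s->mds, max)) {   /* the kernel loop does "goto retry" here */
            rc = 1;
            break;
        }
        if (!sessions[s->mds])
            sessions[s->mds] = s;
    }
    if (rc == 0 && sessions[max])
        rc = 2;
    free(sessions);
    return rc;
}

int main(void)
{
    struct session reqs[] = { {0}, {3}, {4} };  /* constructed ranks; max is 4 */
    printf("buggy: %d\n", collect(reqs, 3, 4, fits_buggy));
    printf("fixed: %d\n", collect(reqs, 3, 4, fits_fixed));
    return 0;
}
```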