* [ceph-client:testing 6/8] fs/ceph/caps.c:2272 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'
@ 2021-07-08 12:23 Dan Carpenter
From: Dan Carpenter @ 2021-07-08 12:23 UTC (permalink / raw)
  To: kbuild, Xiubo Li; +Cc: lkp, kbuild-all, ceph-devel, Jeff Layton

tree:   https://github.com/ceph/ceph-client.git testing
head:   64887ecca52b9d754c09837b7242b80463bda63c
commit: dcdb5c3121f827d6bd92a11f3ad0f0cc27e3d133 [6/8] ceph: flush the mdlog before waiting on unsafe reqs
config: s390-randconfig-m031-20210707 (attached as .config)
compiler: s390-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
fs/ceph/caps.c:2272 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'

Old smatch warnings:
fs/ceph/caps.c:2286 unsafe_request_wait() warn: potentially one past the end of array 'sessions[s->s_mds]'

vim +2272 fs/ceph/caps.c

68cd5b4b7612c2 Yan, Zheng  2015-10-27  2216  static int unsafe_request_wait(struct inode *inode)
da819c8150c5b6 Yan, Zheng  2015-05-27  2217  {
dcdb5c3121f827 Xiubo Li    2021-07-05  2218  	struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
da819c8150c5b6 Yan, Zheng  2015-05-27  2219  	struct ceph_inode_info *ci = ceph_inode(inode);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2220  	struct ceph_mds_request *req1 = NULL, *req2 = NULL;
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2221  	int ret, err = 0;
da819c8150c5b6 Yan, Zheng  2015-05-27  2222  
da819c8150c5b6 Yan, Zheng  2015-05-27  2223  	spin_lock(&ci->i_unsafe_lock);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2224  	if (S_ISDIR(inode->i_mode) && !list_empty(&ci->i_unsafe_dirops)) {
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2225  		req1 = list_last_entry(&ci->i_unsafe_dirops,
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2226  					struct ceph_mds_request,
da819c8150c5b6 Yan, Zheng  2015-05-27  2227  					r_unsafe_dir_item);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2228  		ceph_mdsc_get_request(req1);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2229  	}
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2230  	if (!list_empty(&ci->i_unsafe_iops)) {
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2231  		req2 = list_last_entry(&ci->i_unsafe_iops,
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2232  					struct ceph_mds_request,
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2233  					r_unsafe_target_item);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2234  		ceph_mdsc_get_request(req2);
68cd5b4b7612c2 Yan, Zheng  2015-10-27  2235  	}
da819c8150c5b6 Yan, Zheng  2015-05-27  2236  	spin_unlock(&ci->i_unsafe_lock);
da819c8150c5b6 Yan, Zheng  2015-05-27  2237  
dcdb5c3121f827 Xiubo Li    2021-07-05  2238  	/*
dcdb5c3121f827 Xiubo Li    2021-07-05  2239  	 * Trigger to flush the journal logs in all the relevant MDSes
dcdb5c3121f827 Xiubo Li    2021-07-05  2240  	 * manually, or in the worst case we must wait at most 5 seconds
dcdb5c3121f827 Xiubo Li    2021-07-05  2241  	 * to wait the journal logs to be flushed by the MDSes periodically.
dcdb5c3121f827 Xiubo Li    2021-07-05  2242  	 */
dcdb5c3121f827 Xiubo Li    2021-07-05  2243  	if (req1 || req2) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2244  		struct ceph_mds_session **sessions = NULL;
dcdb5c3121f827 Xiubo Li    2021-07-05  2245  		struct ceph_mds_session *s;
dcdb5c3121f827 Xiubo Li    2021-07-05  2246  		struct ceph_mds_request *req;
dcdb5c3121f827 Xiubo Li    2021-07-05  2247  		unsigned int max;
dcdb5c3121f827 Xiubo Li    2021-07-05  2248  		int i;
dcdb5c3121f827 Xiubo Li    2021-07-05  2249  
dcdb5c3121f827 Xiubo Li    2021-07-05  2250  		/*
dcdb5c3121f827 Xiubo Li    2021-07-05  2251  		 * The mdsc->max_sessions is unlikely to be changed
dcdb5c3121f827 Xiubo Li    2021-07-05  2252  		 * mostly, here we will retry it by reallocating the
dcdb5c3121f827 Xiubo Li    2021-07-05  2253  		 * sessions arrary memory to get rid of the mdsc->mutex
dcdb5c3121f827 Xiubo Li    2021-07-05  2254  		 * lock.
dcdb5c3121f827 Xiubo Li    2021-07-05  2255  		 */
dcdb5c3121f827 Xiubo Li    2021-07-05  2256  retry:
dcdb5c3121f827 Xiubo Li    2021-07-05  2257  		max = mdsc->max_sessions;
dcdb5c3121f827 Xiubo Li    2021-07-05  2258  		sessions = krealloc(sessions, max * sizeof(s), __GFP_ZERO);
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"sessions" is allocated here.  It has "max" elements.


dcdb5c3121f827 Xiubo Li    2021-07-05  2259  		if (!sessions) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2260  			err = -ENOMEM;
dcdb5c3121f827 Xiubo Li    2021-07-05  2261  			goto out;
dcdb5c3121f827 Xiubo Li    2021-07-05  2262  		}
dcdb5c3121f827 Xiubo Li    2021-07-05  2263  		spin_lock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li    2021-07-05  2264  		if (req1) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2265  			list_for_each_entry(req, &ci->i_unsafe_dirops,
dcdb5c3121f827 Xiubo Li    2021-07-05  2266  					    r_unsafe_dir_item) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2267  				s = req->r_session;
dcdb5c3121f827 Xiubo Li    2021-07-05  2268  				if (unlikely(s->s_mds > max)) {
                                                                                     ^^^^^^^^^^^^^^
This test is off by one.  It should be >= max.


dcdb5c3121f827 Xiubo Li    2021-07-05  2269  					spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li    2021-07-05  2270  					goto retry;
dcdb5c3121f827 Xiubo Li    2021-07-05  2271  				}
dcdb5c3121f827 Xiubo Li    2021-07-05 @2272  				if (!sessions[s->s_mds]) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2273  					s = ceph_get_mds_session(s);
dcdb5c3121f827 Xiubo Li    2021-07-05  2274  					sessions[s->s_mds] = s;

This corrupts memory one element beyond the end of the array.

dcdb5c3121f827 Xiubo Li    2021-07-05  2275  				}
dcdb5c3121f827 Xiubo Li    2021-07-05  2276  			}
dcdb5c3121f827 Xiubo Li    2021-07-05  2277  		}
dcdb5c3121f827 Xiubo Li    2021-07-05  2278  		if (req2) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2279  			list_for_each_entry(req, &ci->i_unsafe_iops,
dcdb5c3121f827 Xiubo Li    2021-07-05  2280  					    r_unsafe_target_item) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2281  				s = req->r_session;
dcdb5c3121f827 Xiubo Li    2021-07-05  2282  				if (unlikely(s->s_mds > max)) {
                                                                                     ^^^^^^^^^^^^^^
Same off-by-one test as at line 2268.

dcdb5c3121f827 Xiubo Li    2021-07-05  2283  					spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li    2021-07-05  2284  					goto retry;
dcdb5c3121f827 Xiubo Li    2021-07-05  2285  				}
dcdb5c3121f827 Xiubo Li    2021-07-05  2286  				if (!sessions[s->s_mds]) {
dcdb5c3121f827 Xiubo Li    2021-07-05  2287  					s = ceph_get_mds_session(s);
dcdb5c3121f827 Xiubo Li    2021-07-05  2288  					sessions[s->s_mds] = s;
dcdb5c3121f827 Xiubo Li    2021-07-05  2289  				}
dcdb5c3121f827 Xiubo Li    2021-07-05  2290  			}
dcdb5c3121f827 Xiubo Li    2021-07-05  2291  		}
dcdb5c3121f827 Xiubo Li    2021-07-05  2292  		spin_unlock(&ci->i_unsafe_lock);
dcdb5c3121f827 Xiubo Li    2021-07-05  2293  
dcdb5c3121f827 Xiubo Li    2021-07-05  2294  		/* the auth MDS */
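Review bot: The retry path around `krealloc()` at line 2258 has two problems beyond the bounds test. First, assigning the result straight back to `sessions` means a failed reallocation on a retry pass overwrites the only pointer to the old array, so that array and the session references already stored in it by `ceph_get_mds_session()` can no longer be released. Second, as far as I know `krealloc()` only preserves the old contents and does not zero a grown tail even with `__GFP_ZERO`, so after a retry the `!sessions[s->s_mds]` tests at lines 2272 and 2286 may read uninitialized slots. The flags argument is also `__GFP_ZERO` alone, with no base mask, so the allocation context should be stated explicitly (`GFP_KERNEL` or `GFP_NOFS`, whichever this path permits). The function continues past the end of the listing, so the cleanup at `out` is not visible and the leak should be confirmed against it.

```c
		unsigned int old_max = 0;	/* new local, beside max */
		struct ceph_mds_session **tmp;	/* new local */
retry:
		max = mdsc->max_sessions;
		/* GFP_KERNEL shown; use GFP_NOFS if this path must not recurse into the fs */
		tmp = krealloc(sessions, max * sizeof(s), GFP_KERNEL);
		if (!tmp) {
			err = -ENOMEM;
			/* drop the references held in sessions[0..old_max) and kfree(sessions) here */
			goto out;
		}
		sessions = tmp;
		/* krealloc() keeps the old contents only, so clear the slots added by growth */
		if (max > old_max)
			memset(sessions + old_max, 0, (max - old_max) * sizeof(s));
		old_max = max;
		/* … unchanged: i_unsafe_lock section walking i_unsafe_dirops and i_unsafe_iops … */
```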

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

