linux-cifs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [bug report] cifsd: add file operations
@ 2021-07-07 10:11 Dan Carpenter
  0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2021-07-07 10:11 UTC (permalink / raw)
  To: namjae.jeon; +Cc: linux-cifs

Hello Namjae Jeon,

The patch f44158485826: "cifsd: add file operations" from Mar 16,
2021, leads to the following static checker warning:

	fs/ksmbd/vfs_cache.c:661 ksmbd_file_table_flush()
	warn: was expecting a 64 bit value instead of '0'

fs/ksmbd/vfs_cache.c
   653  int ksmbd_file_table_flush(struct ksmbd_work *work)
   654  {
   655          struct ksmbd_file       *fp = NULL;
   656          unsigned int            id;
   657          int                     ret;
   658  
   659          read_lock(&work->sess->file_table.lock);
   660          idr_for_each_entry(work->sess->file_table.idr, fp, id) {
   661                  ret = ksmbd_vfs_fsync(work, fp->volatile_id, KSMBD_NO_FID);

TBH, I'm not sure what's triggering this warning, but ksmbd_vfs_fsync()
takes a u64 and fp->volatile_id is a u32.  The ksmbd_lookup_fd_slow()
function takes a u32 so passing a u64 value seems like it would lead to
a bug.  And smb2_flush() passes a u64 so this seems buggy.

   662                  if (ret)
   663                          break;
   664          }
   665          read_unlock(&work->sess->file_table.lock);
   666          return ret;
   667  }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [bug report] cifsd: add file operations
@ 2023-03-03 14:10 Dan Carpenter
  0 siblings, 0 replies; 2+ messages in thread
From: Dan Carpenter @ 2023-03-03 14:10 UTC (permalink / raw)
  To: namjae.jeon; +Cc: linux-cifs, cip-dev

Hello Namjae Jeon,

The patch f44158485826: "cifsd: add file operations" from Mar 16,
2021, leads to the following Smatch static checker warning:

fs/ksmbd/vfs.c:1040 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'length'
fs/ksmbd/vfs.c:1041 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'start'

fs/ksmbd/vfs.c
    1021 int ksmbd_vfs_fqar_lseek(struct ksmbd_file *fp, loff_t start, loff_t length,
    1022                          struct file_allocated_range_buffer *ranges,
    1023                          unsigned int in_count, unsigned int *out_count)
    1024 {
    1025         struct file *f = fp->filp;
    1026         struct inode *inode = file_inode(fp->filp);
    1027         loff_t maxbytes = (u64)inode->i_sb->s_maxbytes, end;
    1028         loff_t extent_start, extent_end;
    1029         int ret = 0;
    1030 
    1031         if (start > maxbytes)
                     ^^^^^^^^^^^^^^^^
loff_t is signed long long.  This comes from the user via
fsctl_query_allocated_ranges().  Both start and length can be negative.
So we can end up search through negative offsets.  Possibly
vfs_llseek() protects us.

    1032                 return -EFBIG;
    1033 
    1034         if (!in_count)
    1035                 return 0;
    1036 
    1037         /*
    1038          * Shrink request scope to what the fs can actually handle.
    1039          */
--> 1040         if (length > maxbytes || (maxbytes - length) < start)
    1041                 length = maxbytes - start;
    1042 
    1043         if (start + length > inode->i_size)
    1044                 length = inode->i_size - start;
    1045 
    1046         *out_count = 0;
    1047         end = start + length;
    1048         while (start < end && *out_count < in_count) {
    1049                 extent_start = vfs_llseek(f, start, SEEK_DATA);
    1050                 if (extent_start < 0) {
    1051                         if (extent_start != -ENXIO)
    1052                                 ret = (int)extent_start;
    1053                         break;
    1054                 }
    1055 
    1056                 if (extent_start >= end)
    1057                         break;
    1058 
    1059                 extent_end = vfs_llseek(f, extent_start, SEEK_HOLE);
    1060                 if (extent_end < 0) {
    1061                         if (extent_end != -ENXIO)
    1062                                 ret = (int)extent_end;
    1063                         break;
    1064                 } else if (extent_start >= extent_end) {
    1065                         break;
    1066                 }
    1067 
    1068                 ranges[*out_count].file_offset = cpu_to_le64(extent_start);
    1069                 ranges[(*out_count)++].length =
    1070                         cpu_to_le64(min(extent_end, end) - extent_start);
    1071 
    1072                 start = extent_end;
    1073         }
    1074 
    1075         return ret;
    1076 }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2023-03-03 14:10 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-07 10:11 [bug report] cifsd: add file operations Dan Carpenter
2023-03-03 14:10 Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).