[linux-next:master 10012/11713] fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.

[kernel test robot <lkp@intel.com>]

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   4e7a74a6856f8613dab9794da4b5cfb8fd54fb8c
commit: 8061ecdca6112c8b5c0e6f0e2268fc64acacebb9 [10012/11713] io_uring: add support for registering ring file descriptors
config: i386-randconfig-m031-20220307 (https://download.01.org/0day-ci/archive/20220310/202203100127.ch6HRrXo-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

New smatch warnings:
fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.
fs/io_uring.c:10337 __do_sys_io_uring_enter() warn: potential spectre issue 'tctx->registered_rings' [r] (local cap)
fs/io_uring.c:10338 __do_sys_io_uring_enter() warn: possible spectre second half.  'f.file'
fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.
fs/io_uring.c:10337 __do_sys_io_uring_enter() warn: potential spectre issue 'tctx->registered_rings' [r] (local cap)
fs/io_uring.c:10338 __do_sys_io_uring_enter() warn: possible spectre second half.  'f.file'

Old smatch warnings:
fs/io_uring.c:5284 io_recv() error: uninitialized symbol 'flags'.
fs/io_uring.c:6140 io_timeout_cancel() warn: passing a valid pointer to 'PTR_ERR'
fs/io_uring.c:6197 io_timeout_update() warn: passing a valid pointer to 'PTR_ERR'
fs/io_uring.c:8468 io_sqe_files_register() error: we previously assumed 'ctx->file_data' could be null (see line 8440)
fs/io_uring.c:10347 __do_sys_io_uring_enter() warn: possible spectre second half.  'f.file'
fs/io_uring.c:10347 __do_sys_io_uring_enter() warn: possible spectre second half.  'f.file'

vim +/fd +10332 fs/io_uring.c

 10305	
 10306	SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
 10307			u32, min_complete, u32, flags, const void __user *, argp,
 10308			size_t, argsz)
 10309	{
 10310		struct io_ring_ctx *ctx;
 10311		int submitted = 0;
 10312		struct fd f;
 10313		long ret;
 10314	
 10315		io_run_task_work();
 10316	
 10317		if (unlikely(flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
 10318				       IORING_ENTER_SQ_WAIT | IORING_ENTER_EXT_ARG |
 10319				       IORING_ENTER_REGISTERED_RING)))
 10320			return -EINVAL;
 10321	
 10322		/*
 10323		 * Ring fd has been registered via IORING_REGISTER_RING_FDS, we
 10324		 * need only dereference our task private array to find it.
 10325		 */
 10326		if (flags & IORING_ENTER_REGISTERED_RING) {
 10327			struct io_uring_task *tctx = current->io_uring;
 10328	
 10329			if (!tctx)
 10330				return -EINVAL;
 10331			if (fd != tctx->last_reg_fd) {
 10332				if (fd < 0 || fd >= IO_RINGFD_REG_MAX || !tctx)
 10333					return -EINVAL;
 10334				tctx->last_reg_fd = array_index_nospec(fd,
 10335								IO_RINGFD_REG_MAX);
 10336			}
 10337			f.file = tctx->registered_rings[tctx->last_reg_fd];
 10338			if (unlikely(!f.file))
 10339				return -EBADF;
 10340		} else {
 10341			f = fdget(fd);
 10342			if (unlikely(!f.file))
 10343				return -EBADF;
 10344		}
 10345	
 10346		ret = -EOPNOTSUPP;
 10347		if (unlikely(f.file->f_op != &io_uring_fops))
 10348			goto out_fput;
 10349	
 10350		ret = -ENXIO;
 10351		ctx = f.file->private_data;
 10352		if (unlikely(!percpu_ref_tryget(&ctx->refs)))
 10353			goto out_fput;
 10354	
 10355		ret = -EBADFD;
 10356		if (unlikely(ctx->flags & IORING_SETUP_R_DISABLED))
 10357			goto out;
 10358	
 10359		/*
 10360		 * For SQ polling, the thread will do all submissions and completions.
 10361		 * Just return the requested submit count, and wake the thread if
 10362		 * we were asked to.
 10363		 */
 10364		ret = 0;
 10365		if (ctx->flags & IORING_SETUP_SQPOLL) {
 10366			io_cqring_overflow_flush(ctx);
 10367	
 10368			if (unlikely(ctx->sq_data->thread == NULL)) {
 10369				ret = -EOWNERDEAD;
 10370				goto out;
 10371			}
 10372			if (flags & IORING_ENTER_SQ_WAKEUP)
 10373				wake_up(&ctx->sq_data->wait);
 10374			if (flags & IORING_ENTER_SQ_WAIT) {
 10375				ret = io_sqpoll_wait_sq(ctx);
 10376				if (ret)
 10377					goto out;
 10378			}
 10379			submitted = to_submit;
 10380		} else if (to_submit) {
 10381			ret = io_uring_add_tctx_node(ctx);
 10382			if (unlikely(ret))
 10383				goto out;
 10384			mutex_lock(&ctx->uring_lock);
 10385			submitted = io_submit_sqes(ctx, to_submit);
 10386			mutex_unlock(&ctx->uring_lock);
 10387	
 10388			if (submitted != to_submit)
 10389				goto out;
 10390		}
 10391		if (flags & IORING_ENTER_GETEVENTS) {
 10392			const sigset_t __user *sig;
 10393			struct __kernel_timespec __user *ts;
 10394	
 10395			ret = io_get_ext_arg(flags, argp, &argsz, &ts, &sig);
 10396			if (unlikely(ret))
 10397				goto out;
 10398	
 10399			min_complete = min(min_complete, ctx->cq_entries);
 10400	
 10401			/*
 10402			 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
 10403			 * space applications don't need to do io completion events
 10404			 * polling again, they can rely on io_sq_thread to do polling
 10405			 * work, which can reduce cpu usage and uring_lock contention.
 10406			 */
 10407			if (ctx->flags & IORING_SETUP_IOPOLL &&
 10408			    !(ctx->flags & IORING_SETUP_SQPOLL)) {
 10409				ret = io_iopoll_check(ctx, min_complete);
 10410			} else {
 10411				ret = io_cqring_wait(ctx, min_complete, sig, argsz, ts);
 10412			}
 10413		}
 10414	
 10415	out:
 10416		percpu_ref_put(&ctx->refs);
 10417	out_fput:
 10418		if (!(flags & IORING_ENTER_REGISTERED_RING))
 10419			fdput(f);
 10420		return submitted ? submitted : ret;
 10421	}
 10422	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org