From: kernel test robot <lkp@intel.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>
Subject: [linux-next:master 10012/11713] fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.
Date: Thu, 10 Mar 2022 01:31:54 +0800 [thread overview]
Message-ID: <202203100127.ch6HRrXo-lkp@intel.com> (raw)
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: 4e7a74a6856f8613dab9794da4b5cfb8fd54fb8c
commit: 8061ecdca6112c8b5c0e6f0e2268fc64acacebb9 [10012/11713] io_uring: add support for registering ring file descriptors
config: i386-randconfig-m031-20220307 (https://download.01.org/0day-ci/archive/20220310/202203100127.ch6HRrXo-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
New smatch warnings:
fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.
fs/io_uring.c:10337 __do_sys_io_uring_enter() warn: potential spectre issue 'tctx->registered_rings' [r] (local cap)
fs/io_uring.c:10338 __do_sys_io_uring_enter() warn: possible spectre second half. 'f.file'
fs/io_uring.c:10332 __do_sys_io_uring_enter() warn: unsigned 'fd' is never less than zero.
fs/io_uring.c:10337 __do_sys_io_uring_enter() warn: potential spectre issue 'tctx->registered_rings' [r] (local cap)
fs/io_uring.c:10338 __do_sys_io_uring_enter() warn: possible spectre second half. 'f.file'
Old smatch warnings:
fs/io_uring.c:5284 io_recv() error: uninitialized symbol 'flags'.
fs/io_uring.c:6140 io_timeout_cancel() warn: passing a valid pointer to 'PTR_ERR'
fs/io_uring.c:6197 io_timeout_update() warn: passing a valid pointer to 'PTR_ERR'
fs/io_uring.c:8468 io_sqe_files_register() error: we previously assumed 'ctx->file_data' could be null (see line 8440)
fs/io_uring.c:10347 __do_sys_io_uring_enter() warn: possible spectre second half. 'f.file'
fs/io_uring.c:10347 __do_sys_io_uring_enter() warn: possible spectre second half. 'f.file'
vim +/fd +10332 fs/io_uring.c
10305
/*
 * io_uring_enter() syscall entry point, as quoted in this report. The number
 * leading each line is that line's number in fs/io_uring.c.
 *
 * Resolves `fd` to a ring file, either through the task-private
 * registered_rings array (IORING_ENTER_REGISTERED_RING) or through fdget(),
 * checks that the file is an io_uring file, then submits SQEs and/or waits
 * for completions depending on `flags`.
 *
 * Returns `submitted` when it is non-zero, otherwise `ret` (0 or a negative
 * errno value).
 */
10306 SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
10307 u32, min_complete, u32, flags, const void __user *, argp,
10308 size_t, argsz)
10309 {
10310 struct io_ring_ctx *ctx;
10311 int submitted = 0;
10312 struct fd f;
10313 long ret;
10314
10315 io_run_task_work();
10316
/* Reject any flag bit outside the set this entry point understands. */
10317 if (unlikely(flags & ~(IORING_ENTER_GETEVENTS | IORING_ENTER_SQ_WAKEUP |
10318 IORING_ENTER_SQ_WAIT | IORING_ENTER_EXT_ARG |
10319 IORING_ENTER_REGISTERED_RING)))
10320 return -EINVAL;
10321
10322 /*
10323 * Ring fd has been registered via IORING_REGISTER_RING_FDS, we
10324 * need only dereference our task private array to find it.
10325 */
10326 if (flags & IORING_ENTER_REGISTERED_RING) {
10327 struct io_uring_task *tctx = current->io_uring;
10328
/* A NULL tctx is rejected here, before any member of it is read. */
10329 if (!tctx)
10330 return -EINVAL;
10331 if (fd != tctx->last_reg_fd) {
/*
 * smatch, line 10332: `fd` is declared `unsigned int` in the syscall
 * signature, so `fd < 0` can never be true, and `!tctx` was already
 * rejected at line 10329. Only `fd >= IO_RINGFD_REG_MAX` does any work
 * in this condition.
 */
10332 if (fd < 0 || fd >= IO_RINGFD_REG_MAX || !tctx)
10333 return -EINVAL;
10334 tctx->last_reg_fd = array_index_nospec(fd,
10335 IO_RINGFD_REG_MAX);
10336 }
/*
 * smatch, lines 10337/10338: the value clamped by array_index_nospec() is
 * written to tctx->last_reg_fd, and the array is then indexed by re-reading
 * that member rather than by a clamped local. When fd equals last_reg_fd
 * the range check above is skipped and the index comes from the member
 * alone.
 * NOTE(review): whether last_reg_fd can ever hold an out-of-range value
 * depends on code outside this listing (its initial value and any other
 * writer); confirm. Clamping fd into a local with array_index_nospec()
 * directly before the lookup would make the bound visible at the use site.
 */
10337 f.file = tctx->registered_rings[tctx->last_reg_fd];
10338 if (unlikely(!f.file))
10339 return -EBADF;
10340 } else {
/* Ordinary descriptor: fdget() here is paired with fdput() at out_fput. */
10341 f = fdget(fd);
10342 if (unlikely(!f.file))
10343 return -EBADF;
10344 }
10345
/* Both lookup paths must yield a file whose f_op is io_uring_fops. */
10346 ret = -EOPNOTSUPP;
10347 if (unlikely(f.file->f_op != &io_uring_fops))
10348 goto out_fput;
10349
/* Take a reference on the ring context; released at the `out` label. */
10350 ret = -ENXIO;
10351 ctx = f.file->private_data;
10352 if (unlikely(!percpu_ref_tryget(&ctx->refs)))
10353 goto out_fput;
10354
/* A ring still flagged IORING_SETUP_R_DISABLED is refused with -EBADFD. */
10355 ret = -EBADFD;
10356 if (unlikely(ctx->flags & IORING_SETUP_R_DISABLED))
10357 goto out;
10358
10359 /*
10360 * For SQ polling, the thread will do all submissions and completions.
10361 * Just return the requested submit count, and wake the thread if
10362 * we were asked to.
10363 */
10364 ret = 0;
10365 if (ctx->flags & IORING_SETUP_SQPOLL) {
10366 io_cqring_overflow_flush(ctx);
10367
/* No SQ thread attached to sq_data: fail with -EOWNERDEAD. */
10368 if (unlikely(ctx->sq_data->thread == NULL)) {
10369 ret = -EOWNERDEAD;
10370 goto out;
10371 }
10372 if (flags & IORING_ENTER_SQ_WAKEUP)
10373 wake_up(&ctx->sq_data->wait);
10374 if (flags & IORING_ENTER_SQ_WAIT) {
10375 ret = io_sqpoll_wait_sq(ctx);
10376 if (ret)
10377 goto out;
10378 }
/*
 * to_submit is u32 while submitted is int.
 * NOTE(review): confirm how values above INT_MAX are meant to be
 * reported through the return value.
 */
10379 submitted = to_submit;
10380 } else if (to_submit) {
10381 ret = io_uring_add_tctx_node(ctx);
10382 if (unlikely(ret))
10383 goto out;
/* Submission runs with ctx->uring_lock held. */
10384 mutex_lock(&ctx->uring_lock);
10385 submitted = io_submit_sqes(ctx, to_submit);
10386 mutex_unlock(&ctx->uring_lock);
10387
/* A short submission skips the wait below and is returned as-is. */
10388 if (submitted != to_submit)
10389 goto out;
10390 }
10391 if (flags & IORING_ENTER_GETEVENTS) {
10392 const sigset_t __user *sig;
10393 struct __kernel_timespec __user *ts;
10394
10395 ret = io_get_ext_arg(flags, argp, &argsz, &ts, &sig);
10396 if (unlikely(ret))
10397 goto out;
10398
/* Never wait for more completions than the CQ ring has entries. */
10399 min_complete = min(min_complete, ctx->cq_entries);
10400
10401 /*
10402 * When SETUP_IOPOLL and SETUP_SQPOLL are both enabled, user
10403 * space applications don't need to do io completion events
10404 * polling again, they can rely on io_sq_thread to do polling
10405 * work, which can reduce cpu usage and uring_lock contention.
10406 */
10407 if (ctx->flags & IORING_SETUP_IOPOLL &&
10408 !(ctx->flags & IORING_SETUP_SQPOLL)) {
10409 ret = io_iopoll_check(ctx, min_complete);
10410 } else {
10411 ret = io_cqring_wait(ctx, min_complete, sig, argsz, ts);
10412 }
10413 }
10414
10415 out:
10416 percpu_ref_put(&ctx->refs);
10417 out_fput:
/*
 * The registered-ring path never called fdget(), so fdput() is only done
 * for the ordinary descriptor path.
 */
10418 if (!(flags & IORING_ENTER_REGISTERED_RING))
10419 fdput(f);
10420 return submitted ? submitted : ret;
10421 }
10422
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org