From: Al Viro <viro@zeniv.linux.org.uk>
To: Tiezhu Yang <yangtiezhu@loongson.cn>
Cc: David Howells <dhowells@redhat.com>,
linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] afs: Fix compile warning in afs_dynroot_lookup()
Date: Fri, 27 Dec 2019 00:06:34 +0000 [thread overview]
Message-ID: <20191227000634.GS4203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1576761291-30121-1-git-send-email-yangtiezhu@loongson.cn>
On Thu, Dec 19, 2019 at 09:14:51PM +0800, Tiezhu Yang wrote:
> Fix the following compile warning:
>
> CC fs/afs/dynroot.o
> fs/afs/dynroot.c: In function ‘afs_dynroot_lookup’:
> fs/afs/dynroot.c:117:6: warning: ‘len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
> ret = lookup_one_len(name, dentry->d_parent, len);
> ^
> fs/afs/dynroot.c:91:6: note: ‘len’ was declared here
> int len;
> ^
>
> Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
> ---
> fs/afs/dynroot.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
> index 7503899..303f712 100644
> --- a/fs/afs/dynroot.c
> +++ b/fs/afs/dynroot.c
> @@ -88,7 +88,7 @@ static struct dentry *afs_lookup_atcell(struct dentry *dentry)
> struct dentry *ret;
> unsigned int seq = 0;
> char *name;
> - int len;
> + int len = 0;
>
> if (!net->ws_cell)
> return ERR_PTR(-ENOENT);
NAK. This is really, really wrong - passing zero to lookup_one_len() is
always a bug. It's not any better than undefined value; if we *can*
get to lookup_one_len() call without other assignments to len, we
are fucked.
As it were, it's a false positive - we have
if (cell) {
len = cell->name_len;
memcpy(name, cell->name, len + 1);
}
upstream of
if (!cell)
goto out_n;
ret = lookup_one_len(name, dentry->d_parent, len);
so we can't reach the call of lookup_one_len() without having
hit the assignment to len.
BTW, what guarantees that cell->name won't be "@cell"? The
things would get rather interesting in that case... The same
for net->sysnames in afs_lookup_atsys() - what makes sure
we won't see "@sys" among those? David?
While we are at it,
d = d_splice_alias(inode, dentry);
if (!IS_ERR_OR_NULL(d)) {
d->d_fsdata = dentry->d_fsdata;
trace_afs_lookup(dvnode, &d->d_name,
inode ? AFS_FS_I(inode) : NULL);
} else {
trace_afs_lookup(dvnode, &dentry->d_name,
IS_ERR_OR_NULL(inode) ? NULL
: AFS_FS_I(inode));
}
is _very_ suspicious-looking - d_splice_alias() consumes
an inode reference, and if it ends up failing on non-ERR_PTR()
inode, the inode will be dropped by the time it returns.
IOW, that AFS_FS_I(inode) in the second branch can bloody
well point to already freed memory. Tracepoints: Just Say No...
next prev parent reply other threads:[~2019-12-27 0:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-19 13:14 [PATCH] afs: Fix compile warning in afs_dynroot_lookup() Tiezhu Yang
2019-12-27 0:06 ` Al Viro [this message]
2019-12-27 9:10 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191227000634.GS4203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=yangtiezhu@loongson.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.