From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: fs/cifs/cifssmb.c:1386:17: warning: dereference of NULL 'tcon' [CWE-476]
Date: Thu, 16 Jun 2022 04:15:57 +0800
Message-ID: <202206160424.O3ChW9zW-lkp@intel.com>


:::::: 
:::::: Manual check reason: "low confidence bisect report"
:::::: Manual check reason: "low confidence static check first_new_problem: fs/cifs/cifssmb.c:1386:17: warning: dereference of NULL 'tcon' [CWE-476] [-Wanalyzer-null-dereference]"
:::::: 

CC: kbuild-all(a)lists.01.org
BCC: lkp(a)intel.com
CC: linux-kernel(a)vger.kernel.org
TO: Tanner Love <tannerlove@google.com>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   979086f5e0066b4eff66e1eee123da228489985c
commit: a358f40600b3b39ae3906b6118625b99c0aa7a34 once: implement DO_ONCE_LITE for non-fast-path "do once" functionality
date:   12 months ago
:::::: branch date: 4 hours ago
:::::: commit date: 12 months ago
config: i386-randconfig-c001-20220613 (https://download.01.org/0day-ci/archive/20220616/202206160424.O3ChW9zW-lkp(a)intel.com/config)
compiler: gcc-11 (Debian 11.3.0-3) 11.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a358f40600b3b39ae3906b6118625b99c0aa7a34
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout a358f40600b3b39ae3906b6118625b99c0aa7a34
        # save the config file
         ARCH=i386 KBUILD_USERCFLAGS='-fanalyzer -Wno-error' 

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>


gcc-analyzer warnings: (new ones prefixed by >>)
   fs/cifs/cifssmb.c: In function 'CIFS_open':
>> fs/cifs/cifssmb.c:1386:17: warning: dereference of NULL 'tcon' [CWE-476] [-Wanalyzer-null-dereference]
    1386 |         if (tcon->ses->capabilities & CAP_UNIX)
         |             ~~~~^~~~~
     'CIFSSMBSetPathInfo': events 1-2
       |
       | 5838 | CIFSSMBSetPathInfo(const unsigned int xid, struct cifs_tcon *tcon,
       |      | ^~~~~~~~~~~~~~~~~~
       |      | |
       |      | (1) entry to 'CIFSSMBSetPathInfo'
       |......
       | 5855 |         rc = smb_init(SMB_COM_TRANSACTION2, 15, tcon, (void **) &pSMB,
       |      |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       |      |              |
       |      |              (2) calling 'smb_init' from 'CIFSSMBSetPathInfo'
       | 5856 |                       (void **) &pSMBr);
       |      |                       ~~~~~~~~~~~~~~~~~
       |
       +--> 'smb_init': events 3-6
              |
              |  353 | smb_init(int smb_command, int wct, struct cifs_tcon *tcon,
              |      | ^~~~~~~~
              |      | |
              |      | (3) entry to 'smb_init'
              |......
              |  359 |         if (rc)
              |      |            ~
              |      |            |
              |      |            (4) following 'false' branch (when 'rc == 0')...
              |......
              |  362 |         return __smb_init(smb_command, wct, tcon, request_buf, response_buf);
              |      |         ~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              |      |         |      |
              |      |         |      (6) calling '__smb_init' from 'smb_init'
              |      |         (5) ...to here
              |
              +--> '__smb_init': events 7-12
                     |
                     |  327 | __smb_init(int smb_command, int wct, struct cifs_tcon *tcon,
                     |      | ^~~~~~~~~~
                     |      | |
                     |      | (7) entry to '__smb_init'
                     |......
                     |  331 |         if (*request_buf == NULL) {
                     |      |            ~
                     |      |            |
                     |      |            (8) following 'false' branch...
                     |......
                     |  339 |         if (response_buf)
                     |      |         ~~ ~
                     |      |         |  |
                     |      |         |  (10) following 'true' branch (when 'response_buf' is non-NULL)...
                     |      |         (9) ...to here
                     |  340 |                 *response_buf = *request_buf;
                     |      |                 ~
                     |      |                 |
                     |      |                 (11) ...to here
                     |......
                     |  345 |         if (tcon != NULL)
                     |      |            ~
                     |      |            |
                     |      |            (12) following 'false' branch (when 'tcon' is NULL)...
                     |
                   '__smb_init': event 13
                     |
                     |cc1:
                     | (13): ...to here
                     |
              <------+
              |
            'smb_init': event 14
              |
              |  362 |         return __smb_init(smb_command, wct, tcon, request_buf, response_buf);
              |      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              |      |                |
              |      |                (14) returning to 'smb_init' from '__smb_init'
              |
       <------+
       |
     'CIFSSMBSetPathInfo': events 15-17
       |
       | 5855 |         rc = smb_init(SMB_COM_TRANSACTION2, 15, tcon, (void **) &pSMB,
       |      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       |      |              |
       |      |              (15) returning to 'CIFSSMBSetPathInfo' from 'smb_init'
       | 5856 |                       (void **) &pSMBr);
       |      |                       ~~~~~~~~~~~~~~~~~
       | 5857 |         if (rc)
       |      |            ~  
       |      |            |
       |      |            (16) following 'false' branch (when 'rc == 0')...
       |......
       | 5860 |         if (pSMB->hdr.Flags2 & SMBFLG2_UNICODE) {
       |      |         ~~    
       |      |         |
       |      |         (17) ...to here
       |
     'CIFSSMBSetPathInfo': events 18-19
       |
       |include/linux/fortify-string.h:189:12:
       |  189 |         if (p_size < size || q_size < size)
       |      |            ^

vim +/tcon +1386 fs/cifs/cifssmb.c

a9d02ad49013c8 Steve French    2005-08-24  1319  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1320  int
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1321  CIFS_open(const unsigned int xid, struct cifs_open_parms *oparms, int *oplock,
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1322  	  FILE_ALL_INFO *buf)
^1da177e4c3f41 Linus Torvalds  2005-04-16  1323  {
1afdea4f19a97e Colin Ian King  2019-07-23  1324  	int rc;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1325  	OPEN_REQ *req = NULL;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1326  	OPEN_RSP *rsp = NULL;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1327  	int bytes_returned;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1328  	int name_len;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1329  	__u16 count;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1330  	struct cifs_sb_info *cifs_sb = oparms->cifs_sb;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1331  	struct cifs_tcon *tcon = oparms->tcon;
2baa2682531ff0 Steve French    2014-09-27  1332  	int remap = cifs_remap(cifs_sb);
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1333  	const struct nls_table *nls = cifs_sb->local_nls;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1334  	int create_options = oparms->create_options;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1335  	int desired_access = oparms->desired_access;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1336  	int disposition = oparms->disposition;
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1337  	const char *path = oparms->path;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1338  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1339  openRetry:
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1340  	rc = smb_init(SMB_COM_NT_CREATE_ANDX, 24, tcon, (void **)&req,
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1341  		      (void **)&rsp);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1342  	if (rc)
^1da177e4c3f41 Linus Torvalds  2005-04-16  1343  		return rc;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1344  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1345  	/* no commands go after this */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1346  	req->AndXCommand = 0xFF;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1347  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1348  	if (req->hdr.Flags2 & SMBFLG2_UNICODE) {
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1349  		/* account for one byte pad to word boundary */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1350  		count = 1;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1351  		name_len = cifsConvertToUTF16((__le16 *)(req->fileName + 1),
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1352  					      path, PATH_MAX, nls, remap);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1353  		/* trailing null */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1354  		name_len++;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1355  		name_len *= 2;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1356  		req->NameLength = cpu_to_le16(name_len);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1357  	} else {
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1358  		/* BB improve check for buffer overruns BB */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1359  		/* no pad */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1360  		count = 0;
340625e618e1b3 Ronnie Sahlberg 2019-08-27  1361  		name_len = copy_path_name(req->fileName, path);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1362  		req->NameLength = cpu_to_le16(name_len);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1363  	}
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1364  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1365  	if (*oplock & REQ_OPLOCK)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1366  		req->OpenFlags = cpu_to_le32(REQ_OPLOCK);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1367  	else if (*oplock & REQ_BATCHOPLOCK)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1368  		req->OpenFlags = cpu_to_le32(REQ_BATCHOPLOCK);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1369  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1370  	req->DesiredAccess = cpu_to_le32(desired_access);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1371  	req->AllocationSize = 0;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1372  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1373  	/*
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1374  	 * Set file as system file if special file such as fifo and server
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1375  	 * expecting SFU style and no Unix extensions.
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1376  	 */
eda3c029899cbf Steve French    2005-07-21  1377  	if (create_options & CREATE_OPTION_SPECIAL)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1378  		req->FileAttributes = cpu_to_le32(ATTR_SYSTEM);
eda3c029899cbf Steve French    2005-07-21  1379  	else
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1380  		req->FileAttributes = cpu_to_le32(ATTR_NORMAL);
67750fb9e07940 Jeff Layton     2008-05-09  1381  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1382  	/*
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1383  	 * XP does not handle ATTR_POSIX_SEMANTICS but it helps speed up case
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1384  	 * sensitive checks for other servers such as Samba.
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1385  	 */
^1da177e4c3f41 Linus Torvalds  2005-04-16 @1386  	if (tcon->ses->capabilities & CAP_UNIX)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1387  		req->FileAttributes |= cpu_to_le32(ATTR_POSIX_SEMANTICS);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1388  
67750fb9e07940 Jeff Layton     2008-05-09  1389  	if (create_options & CREATE_OPTION_READONLY)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1390  		req->FileAttributes |= cpu_to_le32(ATTR_READONLY);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1391  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1392  	req->ShareAccess = cpu_to_le32(FILE_SHARE_ALL);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1393  	req->CreateDisposition = cpu_to_le32(disposition);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1394  	req->CreateOptions = cpu_to_le32(create_options & CREATE_OPTIONS_MASK);
67750fb9e07940 Jeff Layton     2008-05-09  1395  
09d1db5c613123 Steve French    2005-04-28  1396  	/* BB Expirement with various impersonation levels and verify */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1397  	req->ImpersonationLevel = cpu_to_le32(SECURITY_IMPERSONATION);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1398  	req->SecurityFlags = SECURITY_CONTEXT_TRACKING|SECURITY_EFFECTIVE_ONLY;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1399  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1400  	count += name_len;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1401  	inc_rfc1001_len(req, count);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1402  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1403  	req->ByteCount = cpu_to_le16(count);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1404  	rc = SendReceive(xid, tcon->ses, (struct smb_hdr *)req,
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1405  			 (struct smb_hdr *)rsp, &bytes_returned, 0);
44c581866e2ae4 Pavel Shilovsky 2012-05-28  1406  	cifs_stats_inc(&tcon->stats.cifs_stats.num_opens);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1407  	if (rc) {
f96637be081141 Joe Perches     2013-05-04  1408  		cifs_dbg(FYI, "Error in Open = %d\n", rc);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1409  		cifs_buf_release(req);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1410  		if (rc == -EAGAIN)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1411  			goto openRetry;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1412  		return rc;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1413  	}
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1414  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1415  	/* 1 byte no need to le_to_cpu */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1416  	*oplock = rsp->OplockLevel;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1417  	/* cifs fid stays in le */
d81b8a40e2ece0 Pavel Shilovsky 2014-01-16  1418  	oparms->fid->netfid = rsp->Fid;
86f740f2aed5ea Aurelien Aptel  2020-02-21  1419  	oparms->fid->access = desired_access;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1420  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1421  	/* Let caller know file was created so we can set the mode. */
^1da177e4c3f41 Linus Torvalds  2005-04-16  1422  	/* Do we care about the CreateAction in any other cases? */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1423  	if (cpu_to_le32(FILE_CREATE) == rsp->CreateAction)
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1424  		*oplock |= CIFS_CREATE_ACTION;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1425  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1426  	if (buf) {
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1427  		/* copy from CreationTime to Attributes */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1428  		memcpy((char *)buf, (char *)&rsp->CreationTime, 36);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1429  		/* the file_info buf is endian converted by caller */
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1430  		buf->AllocationSize = rsp->AllocationSize;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1431  		buf->EndOfFile = rsp->EndOfFile;
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1432  		buf->NumberOfLinks = cpu_to_le32(1);
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1433  		buf->DeletePending = 0;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1434  	}
a5a2b489bae8f6 Steve French    2005-08-20  1435  
9bf4fa01f9aaf2 Pavel Shilovsky 2014-01-16  1436  	cifs_buf_release(req);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1437  	return rc;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1438  }
^1da177e4c3f41 Linus Torvalds  2005-04-16  1439  

:::::: The code at line 1386 was first introduced by commit
:::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2

:::::: TO: Linus Torvalds <torvalds@ppc970.osdl.org>
:::::: CC: Linus Torvalds <torvalds@ppc970.osdl.org>

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
