* [smfrench-smb3:ksmbd-for-next-next 11/15] fs/smb/server/smb2pdu.c:5790:6: warning: variable 'scratch_len' is used uninitialized whenever 'if' condition is true
From: kernel test robot @ 2026-03-25 13:13 UTC (permalink / raw)
To: Steve French; +Cc: oe-kbuild-all
tree: https://github.com/smfrench/smb3-kernel.git ksmbd-for-next-next
head: 3a3623e9d49586a0dac997718a9fb9c4cb18fff4
commit: 7657677ba79aa5bafeb8c8f173761b86e9f047b7 [11/15] ksmbd: fix OOB write in QUERY_INFO for compound requests
config: arm-randconfig-002-20260325 (https://download.01.org/0day-ci/archive/20260325/202603252147.lIPyoNlD-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 054e11d1a17e5ba88bb1a8ef32fad3346e80b186)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260325/202603252147.lIPyoNlD-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202603252147.lIPyoNlD-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> fs/smb/server/smb2pdu.c:5790:6: warning: variable 'scratch_len' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
5790 | if (max_len < 0) {
| ^~~~~~~~~~~
fs/smb/server/smb2pdu.c:5817:29: note: uninitialized use occurs here
5817 | if (ALIGN(secdesclen, 8) > scratch_len)
| ^~~~~~~~~~~
fs/smb/server/smb2pdu.c:5790:2: note: remove the 'if' if its condition is always false
5790 | if (max_len < 0) {
| ^~~~~~~~~~~~~~~~~~
5791 | rc = -EINVAL;
| ~~~~~~~~~~~~~
5792 | goto release_acl;
| ~~~~~~~~~~~~~~~~~
5793 | }
| ~
fs/smb/server/smb2pdu.c:5734:20: note: initialize the variable 'scratch_len' to silence this warning
5734 | size_t scratch_len;
| ^
| = 0
1 warning generated.
vim +5790 fs/smb/server/smb2pdu.c
5720
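/**
 * smb2_get_info_sec() - build the security-descriptor payload of a
 *			 QUERY_INFO response
 * @work:	request context; supplies the compound-request state, the
 *		connection, the share configuration and the response buffer
 * @req:	client request; AdditionalInformation, the file ids and
 *		OutputBufferLength are all client-controlled
 * @rsp:	response header; OutputBufferLength is filled in here and
 *		reset to 0 on failure
 *
 * Return: 0 on success, otherwise a negative errno: -ENOENT when the file
 * id cannot be resolved, -EINVAL when the available output length is
 * negative, -EFBIG when the descriptor size is unusable or exceeds the
 * scratch buffer, -ENOMEM on allocation failure, or whatever
 * build_sec_desc(), buffer_check_err() or ksmbd_iov_pin_rsp_read() return.
 */
static int smb2_get_info_sec(struct ksmbd_work *work,
			     struct smb2_query_info_req *req,
			     struct smb2_query_info_rsp *rsp)
{
	struct ksmbd_file *fp;
	struct mnt_idmap *idmap;
	struct smb_ntsd *pntsd = NULL, *ppntsd = NULL;
	struct smb_fattr fattr = {{0}};
	struct inode *inode;
	__u32 secdesclen = 0;
	unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
	int addition_info = le32_to_cpu(req->AdditionalInformation);
	int rc = 0, ppntsd_size = 0, max_len;
	size_t scratch_len;

	/*
	 * Any bit outside the supported set is answered with a bare
	 * descriptor header (all offsets zero) instead of touching the file.
	 */
	if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
			      PROTECTED_DACL_SECINFO |
			      UNPROTECTED_DACL_SECINFO)) {
		ksmbd_debug(SMB, "Unsupported addition info: 0x%x)\n",
			    addition_info);

		pntsd = kmalloc(ALIGN(sizeof(struct smb_ntsd), 8),
				KSMBD_DEFAULT_GFP);
		if (!pntsd)
			return -ENOMEM;

		pntsd->revision = cpu_to_le16(1);
		pntsd->type = cpu_to_le16(SELF_RELATIVE | DACL_PROTECTED);
		pntsd->osidoffset = 0;
		pntsd->gsidoffset = 0;
		pntsd->sacloffset = 0;
		pntsd->dacloffset = 0;

		secdesclen = sizeof(struct smb_ntsd);
		goto iov_pin;
	}

	/*
	 * Inside a compound request, a request without its own file id
	 * inherits the ids recorded on the work item.
	 */
	if (work->next_smb2_rcv_hdr_off) {
		if (!has_file_id(req->VolatileFileId)) {
			ksmbd_debug(SMB, "Compound request set FID = %llu\n",
				    work->compound_fid);
			id = work->compound_fid;
			pid = work->compound_pfid;
		}
	}

	if (!has_file_id(id)) {
		id = req->VolatileFileId;
		pid = req->PersistentFileId;
	}

	fp = ksmbd_lookup_fd_slow(work, id, pid);
	if (!fp)
		return -ENOENT;

	idmap = file_mnt_idmap(fp->filp);
	inode = file_inode(fp->filp);
	ksmbd_acls_fattr(&fattr, idmap, inode);

	if (test_share_config_flag(work->tcon->share_conf,
				   KSMBD_SHARE_FLAG_ACL_XATTR))
		ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, idmap,
						     fp->filp->f_path.dentry,
						     &ppntsd);

	/* Check if sd buffer size exceeds response buffer size */
	max_len = smb2_calc_max_out_buf_len(work,
			offsetof(struct smb2_query_info_rsp, Buffer),
			le32_to_cpu(req->OutputBufferLength));
	if (max_len < 0) {
		rc = -EINVAL;
		goto release_acl;
	}

	scratch_len = smb_acl_sec_desc_scratch_len(&fattr, ppntsd,
						   ppntsd_size, addition_info);
	/* 0 and SIZE_MAX are both rejected as unusable sizes. */
	if (!scratch_len || scratch_len == SIZE_MAX) {
		rc = -EFBIG;
		goto release_acl;
	}

	pntsd = kvzalloc(scratch_len, KSMBD_DEFAULT_GFP);
	if (!pntsd) {
		rc = -ENOMEM;
		goto release_acl;
	}

	rc = build_sec_desc(idmap, pntsd, ppntsd, ppntsd_size,
			    addition_info, &secdesclen, &fattr);

	/*
	 * Compare the length build_sec_desc() reported with the size of the
	 * buffer it was handed. The comparison lives here, ahead of the
	 * release_acl label, because scratch_len is only assigned on this
	 * path: the max_len < 0 exit jumps to release_acl before the
	 * assignment and must not read it. Every other early exit reaches
	 * the label with secdesclen still 0, so nothing is lost by not
	 * re-checking there.
	 *
	 * NOTE(review): this runs after build_sec_desc() has already written
	 * into pntsd, so it detects an oversized descriptor rather than
	 * preventing the write - confirm that
	 * smb_acl_sec_desc_scratch_len() is a true upper bound.
	 */
	if (ALIGN(secdesclen, 8) > scratch_len)
		rc = -EFBIG;

release_acl:
	posix_acl_release(fattr.cf_acls);
	posix_acl_release(fattr.cf_dacls);
	kfree(ppntsd);
	ksmbd_fd_put(work, fp);

	if (rc)
		goto err_out;

iov_pin:
	rsp->OutputBufferLength = cpu_to_le32(secdesclen);
	/* Validate the reply against the client's OutputBufferLength. */
	rc = buffer_check_err(le32_to_cpu(req->OutputBufferLength),
			      rsp, work->response_buf);
	if (rc)
		goto err_out;

	rc = ksmbd_iov_pin_rsp_read(work, (void *)rsp,
				    offsetof(struct smb2_query_info_rsp, Buffer),
				    pntsd, secdesclen);
err_out:
	if (rc) {
		rsp->OutputBufferLength = 0;
		/*
		 * pntsd comes from kmalloc() or kvzalloc() depending on the
		 * path taken; kvfree() is used for both. On success the
		 * buffer is not freed here - presumably the pinned response
		 * owns it; verify in ksmbd_iov_pin_rsp_read().
		 */
		kvfree(pntsd);
	}

	return rc;
}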
5840
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki