* [smfrench-smb3:pr/192 3/3] fs/smb/client/smb2inode.c:124:18: warning: comparison of distinct pointer types ('struct smb2_file_full_ea_info *' and 'u8 *' (aka 'unsigned char *'))
@ 2026-05-03 12:54 kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2026-05-03 12:54 UTC (permalink / raw)
To: Steve French; +Cc: oe-kbuild-all
tree: https://github.com/smfrench/smb3-kernel.git pr/192
head: bedb46d0f4ef3fe98e9da42665bd1d8ec3d013cb
commit: bedb46d0f4ef3fe98e9da42665bd1d8ec3d013cb [3/3] smb/client: fix out-of-bounds read in smb2_compound_op()
config: sparc64-allmodconfig (https://download.01.org/0day-ci/archive/20260503/202605032002.nU7uHLDo-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project 5bac06718f502014fade905512f1d26d578a18f3)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605032002.nU7uHLDo-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605032002.nU7uHLDo-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> fs/smb/client/smb2inode.c:124:18: warning: comparison of distinct pointer types ('struct smb2_file_full_ea_info *' and 'u8 *' (aka 'unsigned char *')) [-Wcompare-distinct-pointer-types]
124 | if (ea + outlen > end)
| ~~~~~~~~~~~ ^ ~~~
1 warning generated.
vim +124 fs/smb/client/smb2inode.c
105
106 static int check_wsl_eas(struct kvec *rsp_iov)
107 {
108 struct smb2_file_full_ea_info *ea;
109 struct smb2_query_info_rsp *rsp = rsp_iov->iov_base;
110 unsigned long addr;
111 u32 outlen, next;
112 u16 vlen;
113 u8 nlen;
114 u8 *end;
115
116 outlen = le32_to_cpu(rsp->OutputBufferLength);
117 if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE ||
118 outlen > SMB2_WSL_MAX_QUERY_EA_RESP_SIZE)
119 return -EINVAL;
120
121 ea = (void *)((u8 *)rsp_iov->iov_base +
122 le16_to_cpu(rsp->OutputBufferOffset));
123 end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
> 124 if (ea + outlen > end)
125 return -EINVAL;
126
127 for (;;) {
128 if ((u8 *)ea > end - sizeof(*ea))
129 return -EINVAL;
130
131 nlen = ea->ea_name_length;
132 vlen = le16_to_cpu(ea->ea_value_length);
133 if (nlen != SMB2_WSL_XATTR_NAME_LEN ||
134 (u8 *)ea->ea_data + nlen + 1 + vlen > end)
135 return -EINVAL;
136
137 switch (vlen) {
138 case 4:
139 if (strncmp(ea->ea_data, SMB2_WSL_XATTR_UID, nlen) &&
140 strncmp(ea->ea_data, SMB2_WSL_XATTR_GID, nlen) &&
141 strncmp(ea->ea_data, SMB2_WSL_XATTR_MODE, nlen))
142 return -EINVAL;
143 break;
144 case 8:
145 if (strncmp(ea->ea_data, SMB2_WSL_XATTR_DEV, nlen))
146 return -EINVAL;
147 break;
148 case 0:
149 if (!strncmp(ea->ea_data, SMB2_WSL_XATTR_UID, nlen) ||
150 !strncmp(ea->ea_data, SMB2_WSL_XATTR_GID, nlen) ||
151 !strncmp(ea->ea_data, SMB2_WSL_XATTR_MODE, nlen) ||
152 !strncmp(ea->ea_data, SMB2_WSL_XATTR_DEV, nlen))
153 break;
154 fallthrough;
155 default:
156 return -EINVAL;
157 }
158
159 next = le32_to_cpu(ea->next_entry_offset);
160 if (!next)
161 break;
162 if (!IS_ALIGNED(next, 4) ||
163 check_add_overflow((unsigned long)ea, next, &addr))
164 return -EINVAL;
165 ea = (void *)addr;
166 }
167 return 0;
168 }
169
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 2+ messages in thread* [smfrench-smb3:pr/192 3/3] fs/smb/client/smb2inode.c:124:18: warning: comparison of distinct pointer types ('struct smb2_file_full_ea_info *' and 'u8 *' (aka 'unsigned char *'))
@ 2026-05-02 22:18 kernel test robot
0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2026-05-02 22:18 UTC (permalink / raw)
To: Steve French; +Cc: oe-kbuild-all
tree: https://github.com/smfrench/smb3-kernel.git pr/192
head: bedb46d0f4ef3fe98e9da42665bd1d8ec3d013cb
commit: bedb46d0f4ef3fe98e9da42665bd1d8ec3d013cb [3/3] smb/client: fix out-of-bounds read in smb2_compound_op()
config: x86_64-kexec (https://download.01.org/0day-ci/archive/20260503/202605030009.Et3z8iAD-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605030009.Et3z8iAD-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605030009.Et3z8iAD-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> fs/smb/client/smb2inode.c:124:18: warning: comparison of distinct pointer types ('struct smb2_file_full_ea_info *' and 'u8 *' (aka 'unsigned char *')) [-Wcompare-distinct-pointer-types]
124 | if (ea + outlen > end)
| ~~~~~~~~~~~ ^ ~~~
1 warning generated.
vim +124 fs/smb/client/smb2inode.c
105
106 static int check_wsl_eas(struct kvec *rsp_iov)
107 {
108 struct smb2_file_full_ea_info *ea;
109 struct smb2_query_info_rsp *rsp = rsp_iov->iov_base;
110 unsigned long addr;
111 u32 outlen, next;
112 u16 vlen;
113 u8 nlen;
114 u8 *end;
115
116 outlen = le32_to_cpu(rsp->OutputBufferLength);
117 if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE ||
118 outlen > SMB2_WSL_MAX_QUERY_EA_RESP_SIZE)
119 return -EINVAL;
120
121 ea = (void *)((u8 *)rsp_iov->iov_base +
122 le16_to_cpu(rsp->OutputBufferOffset));
123 end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len;
> 124 if (ea + outlen > end)
125 return -EINVAL;
126
127 for (;;) {
128 if ((u8 *)ea > end - sizeof(*ea))
129 return -EINVAL;
130
131 nlen = ea->ea_name_length;
132 vlen = le16_to_cpu(ea->ea_value_length);
133 if (nlen != SMB2_WSL_XATTR_NAME_LEN ||
134 (u8 *)ea->ea_data + nlen + 1 + vlen > end)
135 return -EINVAL;
136
137 switch (vlen) {
138 case 4:
139 if (strncmp(ea->ea_data, SMB2_WSL_XATTR_UID, nlen) &&
140 strncmp(ea->ea_data, SMB2_WSL_XATTR_GID, nlen) &&
141 strncmp(ea->ea_data, SMB2_WSL_XATTR_MODE, nlen))
142 return -EINVAL;
143 break;
144 case 8:
145 if (strncmp(ea->ea_data, SMB2_WSL_XATTR_DEV, nlen))
146 return -EINVAL;
147 break;
148 case 0:
149 if (!strncmp(ea->ea_data, SMB2_WSL_XATTR_UID, nlen) ||
150 !strncmp(ea->ea_data, SMB2_WSL_XATTR_GID, nlen) ||
151 !strncmp(ea->ea_data, SMB2_WSL_XATTR_MODE, nlen) ||
152 !strncmp(ea->ea_data, SMB2_WSL_XATTR_DEV, nlen))
153 break;
154 fallthrough;
155 default:
156 return -EINVAL;
157 }
158
159 next = le32_to_cpu(ea->next_entry_offset);
160 if (!next)
161 break;
162 if (!IS_ALIGNED(next, 4) ||
163 check_add_overflow((unsigned long)ea, next, &addr))
164 return -EINVAL;
165 ea = (void *)addr;
166 }
167 return 0;
168 }
169
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-03 12:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-03 12:54 [smfrench-smb3:pr/192 3/3] fs/smb/client/smb2inode.c:124:18: warning: comparison of distinct pointer types ('struct smb2_file_full_ea_info *' and 'u8 *' (aka 'unsigned char *')) kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2026-05-02 22:18 kernel test robot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.