From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: [koverstreet-bcachefs:bcachefs-rebalance_v2 481/799] fs/bcachefs/init/chardev.c:578 bch2_ioctl_query_accounting() warn: potential user controlled sizeof overflow 'arg.accounting_u64s * 8' '0-u32max * 8'
Date: Thu, 14 May 2026 16:04:18 +0800 [thread overview]
Message-ID: <202605141559.kX6o5Q6d-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: Kent Overstreet <kent.overstreet@linux.dev>
tree: https://github.com/koverstreet/bcachefs bcachefs-rebalance_v2
head: d4b3d00447faf8d4d95db47e3902e4ca4db8fbdc
commit: 29e05f82d6bdd4efef504f6f68922db28e2e4917 [481/799] bcachefs: bit more reorg
:::::: branch date: 6 months ago
:::::: commit date: 7 months ago
config: i386-randconfig-141-20260514 (https://download.01.org/0day-ci/archive/20260514/202605141559.kX6o5Q6d-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch: v0.5.0-9185-gbcc58b9c
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202605141559.kX6o5Q6d-lkp@intel.com/
smatch warnings:
fs/bcachefs/init/chardev.c:578 bch2_ioctl_query_accounting() warn: potential user controlled sizeof overflow 'arg.accounting_u64s * 8' '0-u32max * 8'
vim +578 fs/bcachefs/init/chardev.c
1c6fdbd8f2465dd fs/bcachefs/chardev.c Kent Overstreet 2017-03-16 566
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 567 static long bch2_ioctl_query_accounting(struct bch_fs *c,
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 568 struct bch_ioctl_query_accounting __user *user_arg)
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 569 {
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 570 struct bch_ioctl_query_accounting arg;
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 571 CLASS(darray_char, accounting)();
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 572
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 573 if (!test_bit(BCH_FS_started, &c->flags))
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 574 return -EINVAL;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 575
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 576 int ret = copy_from_user_errcode(&arg, user_arg, sizeof(arg)) ?:
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 577 bch2_fs_accounting_read(c, &accounting, arg.accounting_types_mask) ?:
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 @578 (arg.accounting_u64s * sizeof(u64) < accounting.nr ? -ERANGE : 0) ?:
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 579 copy_to_user_errcode(&user_arg->accounting, accounting.data, accounting.nr);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 580 if (ret)
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 581 return ret;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 582
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 583 arg.capacity = c->capacity;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 584 arg.used = bch2_fs_usage_read_short(c).used;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 585 arg.online_reserved = percpu_u64_get(c->online_reserved);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 586 arg.accounting_u64s = accounting.nr / sizeof(u64);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 587
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 588 return copy_to_user_errcode(user_arg, &arg, sizeof(arg));
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 589 }
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 590
:::::: The code at line 578 was first introduced by commit
:::::: 8863d1e092005d5b31f7e712827a5605f8a7ba22 bcachefs: BCH_IOCTL_QUERY_ACCOUNTING
:::::: TO: Kent Overstreet <kent.overstreet@linux.dev>
:::::: CC: Kent Overstreet <kent.overstreet@linux.dev>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <error27@gmail.com>
To: oe-kbuild@lists.linux.dev, Kent Overstreet <kent.overstreet@linux.dev>
Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev
Subject: [koverstreet-bcachefs:bcachefs-rebalance_v2 481/799] fs/bcachefs/init/chardev.c:578 bch2_ioctl_query_accounting() warn: potential user controlled sizeof overflow 'arg.accounting_u64s * 8' '0-u32max * 8'
Date: Thu, 14 May 2026 11:39:21 +0300 [thread overview]
Message-ID: <202605141559.kX6o5Q6d-lkp@intel.com> (raw)
Message-ID: <20260514083921.JjhHmNnUMmzWEtELrLMfvVm05V5oIkzLSwu2FF5_byg@z> (raw)
tree: https://github.com/koverstreet/bcachefs bcachefs-rebalance_v2
head: d4b3d00447faf8d4d95db47e3902e4ca4db8fbdc
commit: 29e05f82d6bdd4efef504f6f68922db28e2e4917 [481/799] bcachefs: bit more reorg
config: i386-randconfig-141-20260514 (https://download.01.org/0day-ci/archive/20260514/202605141559.kX6o5Q6d-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch: v0.5.0-9185-gbcc58b9c
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202605141559.kX6o5Q6d-lkp@intel.com/
smatch warnings:
fs/bcachefs/init/chardev.c:578 bch2_ioctl_query_accounting() warn: potential user controlled sizeof overflow 'arg.accounting_u64s * 8' '0-u32max * 8'
vim +578 fs/bcachefs/init/chardev.c
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 567 static long bch2_ioctl_query_accounting(struct bch_fs *c,
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 568 struct bch_ioctl_query_accounting __user *user_arg)
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 569 {
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 570 struct bch_ioctl_query_accounting arg;
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 571 CLASS(darray_char, accounting)();
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 572
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 573 if (!test_bit(BCH_FS_started, &c->flags))
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 574 return -EINVAL;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 575
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 576 int ret = copy_from_user_errcode(&arg, user_arg, sizeof(arg)) ?:
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 577 bch2_fs_accounting_read(c, &accounting, arg.accounting_types_mask) ?:
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 @578 (arg.accounting_u64s * sizeof(u64) < accounting.nr ? -ERANGE : 0) ?:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can have an integer overflow on i386.
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 579 copy_to_user_errcode(&user_arg->accounting, accounting.data, accounting.nr);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 580 if (ret)
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 581 return ret;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 582
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 583 arg.capacity = c->capacity;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 584 arg.used = bch2_fs_usage_read_short(c).used;
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 585 arg.online_reserved = percpu_u64_get(c->online_reserved);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 586 arg.accounting_u64s = accounting.nr / sizeof(u64);
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 587
635c5791582a65e fs/bcachefs/chardev.c Kent Overstreet 2025-07-14 588 return copy_to_user_errcode(user_arg, &arg, sizeof(arg));
8863d1e092005d5 fs/bcachefs/chardev.c Kent Overstreet 2024-03-01 589 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next reply other threads:[~2026-05-14 8:04 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 8:04 kernel test robot [this message]
2026-05-14 8:39 ` [koverstreet-bcachefs:bcachefs-rebalance_v2 481/799] fs/bcachefs/init/chardev.c:578 bch2_ioctl_query_accounting() warn: potential user controlled sizeof overflow 'arg.accounting_u64s * 8' '0-u32max * 8' Dan Carpenter
-- strict thread matches above, loose matches on Subject: below --
2026-01-27 1:35 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202605141559.kX6o5Q6d-lkp@intel.com \
--to=lkp@intel.com \
--cc=error27@gmail.com \
--cc=oe-kbuild@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.