From: ChenXiaoSong <chenxiaosong.chenxiaosong@linux.dev>
To: Henrique Carvalho <henrique.carvalho@suse.com>,
	Steve French <smfrench@gmail.com>,
	Youling Tang <tangyouling@kylinos.cn>,
	Namjae Jeon <linkinjeon@kernel.org>
Cc: David Howells <dhowells@redhat.com>,
	CIFS <linux-cifs@vger.kernel.org>,
	Meetakshi Setiya <meetakshisetiyaoss@gmail.com>,
	gustavoars@kernel.org
Subject: Re: generic/013 failure to Samba
Date: Fri, 26 Dec 2025 14:44:26 +0800
Message-ID: <e56024d8-6fd3-4040-b31c-44d3dea3df3c@linux.dev>
In-Reply-To: <141824e7-50ab-4072-b611-5db5fa01bb86@linux.dev>

Hi Henrique,

The following are the modifications I suggest. If you have a better
solution, please let me know.

If you agree with my modifications, could you send the v2 patch?

Give special thanks once again to Youling Tang <tangyouling@kylinos.cn> 
for his guidance on UBSAN and Clang.

If you build the kernel code with the latest version of Clang (I am using
version 21.1.7), and `CONFIG_UBSAN_BOUNDS` has been enabled, you will be
able to see this UBSAN error every time.

It seems that we need to add two Fixes tags:
Fixes: 68d2e2ca1cba ("smb: client: batch SRV_COPYCHUNK entries to cut round trips")
Fixes: cc26f593dc19 ("smb: move copychunk definitions to common/smb2pdu.h")

The key modifications are as follows:
```
smb2_copychunk_range()
{
	// remove `chunk_count`, and use only `cc_req->ChunkCount`
	...
	cc_req->ChunkCount = 0;
	while (copy_bytes_left > 0 && cc_req->ChunkCount < chunk_count) {
		cc_req->ChunkCount++;
		chunk = &cc_req->Chunks[cc_req->ChunkCount - 1];
		...
	}
	...
}
```

Thanks,
ChenXiaoSong <chenxiaosong@kylinos.cn>

On 12/26/25 12:36, ChenXiaoSong wrote:
> Hi Henrique,
> 
> I can reproduce this UBSAN error. You need to compile the kernel code 
> using the latest version of Clang.
> 
> I would like to give special thanks to Tang Youling 
> <tangyouling@kylinos.cn> for his guidance on UBSAN and Clang.
> 
> Thanks,
> ChenXiaoSong <chenxiaosong@kylinos.cn>
> 
> On 12/24/25 23:02, Henrique Carvalho wrote:
>> This UBSAN report is consistent with struct copychunk_ioctl_req::Chunks[]
>> being annotated with __counted_by_le(ChunkCount) while ChunkCount is not
>> set to the allocated capacity before we start populating the array. This is
>> the same class of issue described in [1].
>>
>> A fix would be to set ChunkCount to chunk_count (capacity) at the start
>> of each iteration before accessing Chunks[]. Proposed patch is attached.
>>
>> However, if my interpretation is correct, I would expect the first
>> population to trip as well since ChunkCount starts at 0, which does not
>> happen.
>>
>> @Gustavo do you have any insight into why the first access might not
>> trigger?
>>
>> [1] https://people.kernel.org/gustavoars/how-to-use-the-new-counted_by-attribute-in-c-and-linux
>>
> 
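
The ordering discussed in this thread, as an added example that is not part of the original messages and is not the SMB client code: a hypothetical `demo_req` whose flexible array is bounded by its `count` field, filled once with the counter raised before the slot is used and once with it raised afterwards. The `i < count` test is a stand-in for the bounds rule, not Clang's actual instrumentation, and every `demo_*` name is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical names; host-endian counter. Not the SMB client's structure. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define DEMO_COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef DEMO_COUNTED_BY
# define DEMO_COUNTED_BY(m) /* attribute unavailable: no-op */
#endif

struct demo_chunk { uint64_t src, dst; uint32_t len; };
struct demo_req {
	uint32_t count; /* the bound for chunks[] */
	struct demo_chunk chunks[] DEMO_COUNTED_BY(count);
};

static struct demo_req *demo_alloc(uint32_t cap)
{
	return calloc(1, sizeof(struct demo_req) + cap * sizeof(struct demo_chunk));
}

/* Split `bytes` into at most `cap` chunks of at most `max_len` bytes.
 * bump_first != 0: raise count, then fill chunks[count - 1].
 * bump_first == 0: fill chunks[count], then raise count.
 * Returns how many accesses had an index not below count (writes skipped). */
static unsigned demo_fill(struct demo_req *r, uint32_t cap, uint64_t bytes,
			  uint32_t max_len, int bump_first)
{
	unsigned flagged = 0;
	uint64_t off = 0;

	r->count = 0;
	while (bytes > 0 && r->count < cap) {
		uint32_t len = bytes < max_len ? (uint32_t)bytes : max_len;
		/* post-increment: i is the new last slot, count already covers it */
		uint32_t i = bump_first ? r->count++ : r->count;

		if (i < r->count)
			r->chunks[i] = (struct demo_chunk){ off, off, len };
		else
			flagged++;
		if (!bump_first)
			r->count++;
		off += len;
		bytes -= len;
	}
	return flagged;
}
```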

