public inbox for kernel-tls-handshake@lists.linux.dev
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Christian Brauner <brauner@kernel.org>
Cc: kernel-tls-handshake@lists.linux.dev
Subject: [bug report] net/handshake: convert handshake_nl_accept_doit() to FD_PREPARE()
Date: Wed, 26 Nov 2025 11:31:32 +0300	[thread overview]
Message-ID: <aSa65GzoGY-E6OYt@stanley.mountain> (raw)

Hello Christian Brauner,

Commit 214ab7edf554 ("net/handshake: convert
handshake_nl_accept_doit() to FD_PREPARE()") from Nov 23, 2025
(linux-next), leads to the following Smatch static checker warning:

	net/handshake/netlink.c:128 handshake_nl_accept_doit()
	error: we previously assumed 'req' could be null (see line 109)

net/handshake/netlink.c
    90 int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
    91 {
    92         struct net *net = sock_net(skb->sk);
    93         struct handshake_net *hn = handshake_pernet(net);
    94         struct handshake_req *req = NULL;
    95         struct socket *sock;
    96         int class, err;
    97 
    98         err = -EOPNOTSUPP;
    99         if (!hn)
    100                 goto out_status;
    101 
    102         err = -EINVAL;
    103         if (GENL_REQ_ATTR_CHECK(info, HANDSHAKE_A_ACCEPT_HANDLER_CLASS))
    104                 goto out_status;
    105         class = nla_get_u32(info->attrs[HANDSHAKE_A_ACCEPT_HANDLER_CLASS]);
    106 
    107         err = -EAGAIN;
    108         req = handshake_req_next(hn, class);
    109         if (req) {

If handshake_req_next() returns NULL

    110                 sock = req->hr_sk->sk_socket;
    111 
    112                 FD_PREPARE(fdf, O_CLOEXEC, sock->file);
    113                 if (fdf.err) {
    114                         err = fdf.err;
    115                         goto out_complete;
    116                 }
    117 
    118                 get_file(sock->file); /* FD_PREPARE() consumes a reference. */
    119                 err = req->hr_proto->hp_accept(req, info, fd_prepare_fd(fdf));
    120                 if (err)
    121                         goto out_complete; /* Automatic cleanup handles fput */
    122 
    123                 trace_handshake_cmd_accept(net, req, req->hr_sk, fd_prepare_fd(fdf));
    124                 return fd_publish(fdf);
    125         }
    126 
    127 out_complete:
--> 128         handshake_complete(req, -EIO, NULL);
                                   ^^^
then this will crash.

    129 out_status:
    130         trace_handshake_cmd_accept_err(net, req, NULL, err);
    131         return err;
    132 }

regards,
dan carpenter

             reply	other threads:[~2025-11-26  8:31 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-26  8:31 Dan Carpenter [this message]
2025-11-26 13:53 ` [bug report] net/handshake: convert handshake_nl_accept_doit() to FD_PREPARE() Chuck Lever
2025-11-26 15:36 ` Chuck Lever

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aSa65GzoGY-E6OYt@stanley.mountain \
    --to=dan.carpenter@linaro.org \
    --cc=brauner@kernel.org \
    --cc=kernel-tls-handshake@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox