From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: fs/nfs/nfs42xdr.c:1356 decode_listxattrs() warn: potential spectre issue 'buf' [w]
Date: Tue, 31 Mar 2026 17:54:50 +0800 [thread overview]
Message-ID: <202603311719.JXnMsjYm-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Anna Schumaker <anna.schumaker@oracle.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: d0c3bcd5b8976159d835a897254048e078f447e6
commit: 7537db24806fdc3d3ec4fef53babdc22c9219e75 NFS: Merge CONFIG_NFS_V4_1 with CONFIG_NFS_V4
date: 9 weeks ago
:::::: branch date: 13 hours ago
:::::: commit date: 9 weeks ago
config: x86_64-randconfig-161-20260330 (https://download.01.org/0day-ci/archive/20260331/202603311719.JXnMsjYm-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603311719.JXnMsjYm-lkp@intel.com/
New smatch warnings:
fs/nfs/nfs42xdr.c:1356 decode_listxattrs() warn: potential spectre issue 'buf' [w]
Old smatch warnings:
fs/nfs/nfs4xdr.c:1197 encode_attrs() error: we previously assumed 'umask' could be null (see line 1106)
vim +/buf +1356 fs/nfs/nfs42xdr.c
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1278
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1279 static int decode_listxattrs(struct xdr_stream *xdr,
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1280 struct nfs42_listxattrsres *res)
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1281 {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1282 int status;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1283 __be32 *p;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1284 u32 count, len, ulen;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1285 size_t left, copied;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1286 char *buf;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1287
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1288 status = decode_op_hdr(xdr, OP_LISTXATTRS);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1289 if (status) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1290 /*
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1291 * Special case: for LISTXATTRS, NFS4ERR_TOOSMALL
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1292 * should be translated to ERANGE.
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1293 */
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1294 if (status == -ETOOSMALL)
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1295 status = -ERANGE;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1296 /*
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1297 * Special case: for LISTXATTRS, NFS4ERR_NOXATTR
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1298 * should be translated to success with zero-length reply.
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1299 */
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1300 if (status == -ENODATA) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1301 res->eof = true;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1302 status = 0;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1303 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1304 goto out;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1305 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1306
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1307 p = xdr_inline_decode(xdr, 8);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1308 if (unlikely(!p))
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1309 return -EIO;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1310
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1311 xdr_decode_hyper(p, &res->cookie);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1312
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1313 p = xdr_inline_decode(xdr, 4);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1314 if (unlikely(!p))
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1315 return -EIO;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1316
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1317 left = res->xattr_len;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1318 buf = res->xattr_buf;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1319
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1320 count = be32_to_cpup(p);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1321 copied = 0;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1322
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1323 /*
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1324 * We have asked for enough room to encode the maximum number
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1325 * of possible attribute names, so everything should fit.
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1326 *
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1327 * But, don't rely on that assumption. Just decode entries
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1328 * until they don't fit anymore, just in case the server did
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1329 * something odd.
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1330 */
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1331 while (count--) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1332 p = xdr_inline_decode(xdr, 4);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1333 if (unlikely(!p))
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1334 return -EIO;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1335
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1336 len = be32_to_cpup(p);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1337 if (len > (XATTR_NAME_MAX - XATTR_USER_PREFIX_LEN)) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1338 status = -ERANGE;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1339 goto out;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1340 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1341
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1342 p = xdr_inline_decode(xdr, len);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1343 if (unlikely(!p))
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1344 return -EIO;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1345
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1346 ulen = len + XATTR_USER_PREFIX_LEN + 1;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1347 if (buf) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1348 if (ulen > left) {
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1349 status = -ERANGE;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1350 goto out;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1351 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1352
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1353 memcpy(buf, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1354 memcpy(buf + XATTR_USER_PREFIX_LEN, p, len);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1355
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 @1356 buf[ulen - 1] = 0;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1357 buf += ulen;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1358 left -= ulen;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1359 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1360 copied += ulen;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1361 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1362
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1363 p = xdr_inline_decode(xdr, 4);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1364 if (unlikely(!p))
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1365 return -EIO;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1366
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1367 res->eof = be32_to_cpup(p);
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1368 res->copied = copied;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1369
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1370 out:
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1371 if (status == -ERANGE && res->xattr_len == XATTR_LIST_MAX)
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1372 status = -E2BIG;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1373
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1374 return status;
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1375 }
04b4c9fb07bfb1 Anna Schumaker 2023-05-04 1376
:::::: The code at line 1356 was first introduced by commit
:::::: 04b4c9fb07bfb196378fd449f6125dfeadb9acc5 NFSv4.2: Clean up: move decode_*xattr() functions
:::::: TO: Anna Schumaker <Anna.Schumaker@Netapp.com>
:::::: CC: Trond Myklebust <trond.myklebust@hammerspace.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
reply other threads:[~2026-03-31 9:55 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202603311719.JXnMsjYm-lkp@intel.com \
--to=lkp@intel.com \
--cc=error27@gmail.com \
--cc=oe-kbuild@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox