On 4/17/23 23:49, kernel test robot wrote:
tree: https://github.com/ceph/ceph-client.git testing
head: 3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d
commit: 3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d [77/77] ceph: fix potential use-after-free bug when trimming caps
config: x86_64-randconfig-a011-20230417 (https://download.01.org/0day-ci/archive/20230417/202304172343.2ToBO5ag-lkp@xxxxxxxxx/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/ceph/ceph-client/commit/3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d
git remote add ceph-client https://github.com/ceph/ceph-client.git
git fetch --no-tags ceph-client testing
git checkout 3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=x86_64 olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash fs/ceph/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Link: https://lore.kernel.org/oe-kbuild-all/202304172343.2ToBO5ag-lkp@xxxxxxxxx/
All warnings (new ones prefixed by >>):
fs/ceph/mds_client.c:1866:6: warning: variable 'iputs' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
if (cap) {
^~~
fs/ceph/mds_client.c:1877:9: note: uninitialized use occurs here
while (iputs--)
^~~~~
fs/ceph/mds_client.c:1866:2: note: remove the 'if' if its condition is always true
if (cap) {
^~~~~~~~~
fs/ceph/mds_client.c:1862:11: note: initialize the variable 'iputs' to silence this warning
int iputs;
^
= 0
fs/ceph/mds_client.c:1957:7: warning: variable 'cap' is uninitialized when used here [-Wuninitialized]
if (cap->cap_gen < atomic_read(&cap->session->s_cap_gen)) {
^~~
fs/ceph/mds_client.c:1949:22: note: initialize the variable 'cap' to silence this warning
struct ceph_cap *cap;
^
= NULL
2 warnings generated.
vim +1866 fs/ceph/mds_client.c
Thanks for reporting this.
As Luis mentioned in another thread, I will fix this in the testing branch.
- Xiubo
1855
1856 static int remove_session_caps_cb(struct inode *inode, struct rb_node *ci_node,
1857 void *arg)
1858 {
1859 struct ceph_inode_info *ci = ceph_inode(inode);
1860 bool invalidate = false;
1861 struct ceph_cap *cap;
1862 int iputs;
1863
1864 spin_lock(&ci->i_ceph_lock);
1865 cap = rb_entry(ci_node, struct ceph_cap, ci_node);
1866 if (cap) {
1867 dout(" removing cap %p, ci is %p, inode is %p\n",
1868 cap, ci, &ci->netfs.inode);
1869
1870 iputs = ceph_purge_inode_cap(inode, cap, &invalidate);
1871 }
1872 spin_unlock(&ci->i_ceph_lock);
1873
1874 wake_up_all(&ci->i_cap_wq);
1875 if (invalidate)
1876 ceph_queue_invalidate(inode);
1877 while (iputs--)
1878 iput(inode);
1879 return 0;
1880 }
1881
1882 /*
1883 * caller must hold session s_mutex
1884 */
1885 static void remove_session_caps(struct ceph_mds_session *session)
1886 {
1887 struct ceph_fs_client *fsc = session->s_mdsc->fsc;
1888 struct super_block *sb = fsc->sb;
1889 LIST_HEAD(dispose);
1890
1891 dout("remove_session_caps on %p\n", session);
1892 ceph_iterate_session_caps(session, remove_session_caps_cb, fsc);
1893
1894 wake_up_all(&fsc->mdsc->cap_flushing_wq);
1895
1896 spin_lock(&session->s_cap_lock);
1897 if (session->s_nr_caps > 0) {
1898 struct inode *inode;
1899 struct ceph_cap *cap, *prev = NULL;
1900 struct ceph_vino vino;
1901 /*
1902 * iterate_session_caps() skips inodes that are being
1903 * deleted, we need to wait until deletions are complete.
1904 * __wait_on_freeing_inode() is designed for the job,
1905 * but it is not exported, so use lookup inode function
1906 * to access it.
1907 */
1908 while (!list_empty(&session->s_caps)) {
1909 cap = list_entry(session->s_caps.next,
1910 struct ceph_cap, session_caps);
1911 if (cap == prev)
1912 break;
1913 prev = cap;
1914 vino = cap->ci->i_vino;
1915 spin_unlock(&session->s_cap_lock);
1916
1917 inode = ceph_find_inode(sb, vino);
1918 iput(inode);
1919
1920 spin_lock(&session->s_cap_lock);
1921 }
1922 }
1923
1924 // drop cap expires and unlock s_cap_lock
1925 detach_cap_releases(session, &dispose);
1926
1927 BUG_ON(session->s_nr_caps > 0);
1928 BUG_ON(!list_empty(&session->s_cap_flushing));
1929 spin_unlock(&session->s_cap_lock);
1930 dispose_cap_releases(session->s_mdsc, &dispose);
1931 }
1932
1933 enum {
1934 RECONNECT,
1935 RENEWCAPS,
1936 FORCE_RO,
1937 };
1938
1939 /*
1940 * wake up any threads waiting on this session's caps. if the cap is
1941 * old (didn't get renewed on the client reconnect), remove it now.
1942 *
1943 * caller must hold s_mutex.
1944 */
1945 static int wake_up_session_cb(struct inode *inode, struct rb_node *ci_node, void *arg)
1946 {
1947 struct ceph_inode_info *ci = ceph_inode(inode);
1948 unsigned long ev = (unsigned long)arg;
1949 struct ceph_cap *cap;
1950
1951 if (ev == RECONNECT) {
1952 spin_lock(&ci->i_ceph_lock);
1953 ci->i_wanted_max_size = 0;
1954 ci->i_requested_max_size = 0;
1955 spin_unlock(&ci->i_ceph_lock);
1956 } else if (ev == RENEWCAPS) {
1957 if (cap->cap_gen < atomic_read(&cap->session->s_cap_gen)) {
1958 /* mds did not re-issue stale cap */
1959 spin_lock(&ci->i_ceph_lock);
1960 cap = rb_entry(ci_node, struct ceph_cap, ci_node);
1961 if (cap)
1962 cap->issued = cap->implemented = CEPH_CAP_PIN;
1963 spin_unlock(&ci->i_ceph_lock);
1964 }
1965 } else if (ev == FORCE_RO) {
1966 }
1967 wake_up_all(&ci->i_cap_wq);
1968 return 0;
1969 }
1970
