tree: https://github.com/ceph/ceph-client.git testing
head: 3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d
commit: 3fef7c3fd10c5f078e0f6ec8c683f2d1e14eb05d [77/77] ceph: fix potential use-after-free bug when trimming caps
config: i386-randconfig-m021-20230417 (https://download.01.org/0day-ci/archive/20230418/202304180424.Dok2kyeU-lkp@xxxxxxxxx/config)
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <error27@xxxxxxxxx>
| Link: https://lore.kernel.org/r/202304180424.Dok2kyeU-lkp@xxxxxxxxx/

New smatch warnings:
fs/ceph/mds_client.c:1957 wake_up_session_cb() error: potentially dereferencing uninitialized 'cap'.

Old smatch warnings:
fs/ceph/mds_client.c:219 parse_reply_info_in() warn: missing unwind goto?

vim +/cap +1957 fs/ceph/mds_client.c

3fef7c3fd10c5f Xiubo Li    2023-04-14  1945  static int wake_up_session_cb(struct inode *inode, struct rb_node *ci_node, void *arg)
2f2dc053404feb Sage Weil   2009-10-06  1946  {
0dc2570fab222a Sage Weil   2009-11-20  1947          struct ceph_inode_info *ci = ceph_inode(inode);
d2f8bb27c87945 Yan, Zheng  2018-12-10  1948          unsigned long ev = (unsigned long)arg;
3fef7c3fd10c5f Xiubo Li    2023-04-14  1949          struct ceph_cap *cap;
0dc2570fab222a Sage Weil   2009-11-20  1950
d2f8bb27c87945 Yan, Zheng  2018-12-10  1951          if (ev == RECONNECT) {
be655596b3de58 Sage Weil   2011-11-30  1952                  spin_lock(&ci->i_ceph_lock);
0dc2570fab222a Sage Weil   2009-11-20  1953                  ci->i_wanted_max_size = 0;
0dc2570fab222a Sage Weil   2009-11-20  1954                  ci->i_requested_max_size = 0;
be655596b3de58 Sage Weil   2011-11-30  1955                  spin_unlock(&ci->i_ceph_lock);
d2f8bb27c87945 Yan, Zheng  2018-12-10  1956          } else if (ev == RENEWCAPS) {
52d60f8e18b855 Jeff Layton 2021-06-04 @1957                  if (cap->cap_gen < atomic_read(&cap->session->s_cap_gen)) {
                                                                 ^^^^^^^^^^^^               ^^^^^^^^^^^^^
d2f8bb27c87945 Yan, Zheng  2018-12-10  1958                          /* mds did not re-issue stale cap */
d2f8bb27c87945 Yan, Zheng  2018-12-10  1959                          spin_lock(&ci->i_ceph_lock);
3fef7c3fd10c5f Xiubo Li    2023-04-14  1960                          cap = rb_entry(ci_node, struct ceph_cap, ci_node);
                                                                     ^^^^^^^^^^^^^^
Initialized too late: 'cap' is only assigned here, after line 1957 has already dereferenced it.

3fef7c3fd10c5f Xiubo Li    2023-04-14  1961                          if (cap)
d2f8bb27c87945 Yan, Zheng  2018-12-10  1962                                  cap->issued = cap->implemented = CEPH_CAP_PIN;
d2f8bb27c87945 Yan, Zheng  2018-12-10  1963                          spin_unlock(&ci->i_ceph_lock);
d2f8bb27c87945 Yan, Zheng  2018-12-10  1964                  }
d2f8bb27c87945 Yan, Zheng  2018-12-10  1965          } else if (ev == FORCE_RO) {
0dc2570fab222a Sage Weil   2009-11-20  1966          }
e536030934aebf Yan, Zheng  2016-05-19  1967          wake_up_all(&ci->i_cap_wq);
2f2dc053404feb Sage Weil   2009-10-06  1968          return 0;
2f2dc053404feb Sage Weil   2009-10-06  1969  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests