Dan Carpenter <dan.carpenter@xxxxxxxxxx> writes:
> In this code "ret" is type long and "src_objlen" is unsigned int. The
> problem is that on 32bit systems, when we do the comparison signed longs
> are type promoted to unsigned int. So negative error codes from
> do_splice_direct() are treated as success instead of failure.
>
> Fixes: 1b0c3b9f91f0 ("ceph: re-org copy_file_range and fix some error paths")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> 32bit is so weird and ancient. It's strange to think that unsigned int
> has more positive bits than signed long.
Yikes! Thanks for catching this, Dan. Really tricky. I guess you used
some static analysis tool (smatch?) to highlight this issue for you,
right?
Anyway, feel free to add my
Reviewed-by: Luis Henriques <lhenriques@xxxxxxx>
Cheers,
--
Luís
>
> fs/ceph/file.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index b1da02f5dbe3..b5f8038065d7 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -2969,7 +2969,7 @@ static ssize_t __ceph_copy_file_range(struct file *src_file, loff_t src_off,
> ret = do_splice_direct(src_file, &src_off, dst_file,
> &dst_off, src_objlen, flags);
> /* Abort on short copies or on error */
> - if (ret < src_objlen) {
> + if (ret < (long)src_objlen) {
> dout("Failed partial copy (%zd)\n", ret);
> goto out;
> }
> --
>
> 2.39.2
>
