Re: [bug report] io_uring: add support for fixed wait regions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Oct 30, 2024 at 07:22:49AM -0600, Jens Axboe wrote:
> On 10/30/24 5:40 AM, Dan Carpenter wrote:
> > Hello Jens Axboe,
> > 
> > Commit 4b926ab18279 ("io_uring: add support for fixed wait regions")
> > from Oct 22, 2024 (linux-next), leads to the following Smatch static
> > checker warning:
> > 
> > 	io_uring/register.c:616 io_register_cqwait_reg()
> > 	warn: was expecting a 64 bit value instead of '~(~(((1) << 12) - 1))'
> > 
> > io_uring/register.c
> >     594 static int io_register_cqwait_reg(struct io_ring_ctx *ctx, void __user *uarg)
> >     595 {
> >     596         struct io_uring_cqwait_reg_arg arg;
> >     597         struct io_uring_reg_wait *reg;
> >     598         struct page **pages;
> >     599         unsigned long len;
> >     600         int nr_pages, poff;
> >     601         int ret;
> >     602 
> >     603         if (ctx->cq_wait_page || ctx->cq_wait_arg)
> >     604                 return -EBUSY;
> >     605         if (copy_from_user(&arg, uarg, sizeof(arg)))
> >     606                 return -EFAULT;
> >     607         if (!arg.nr_entries || arg.flags)
> >     608                 return -EINVAL;
> >     609         if (arg.struct_size != sizeof(*reg))
> >     610                 return -EINVAL;
> >     611         if (check_mul_overflow(arg.struct_size, arg.nr_entries, &len))
> >     612                 return -EOVERFLOW;
> >     613         if (len > PAGE_SIZE)
> >     614                 return -EINVAL;
> >     615         /* offset + len must fit within a page, and must be reg_wait aligned */
> > --> 616         poff = arg.user_addr & ~PAGE_MASK;
> > 
> > This is a harmless thing, but on 32 bit systems you can put whatever you want in
> > the high 32 bits of arg.user_addr and it won't affect anything.
> 
> That is certainly true, it'll get masked away. I suspect this kind of
> thing is everywhere, though? What do you suggest?

The way that I normally see these warnings is with code like
"if (u64flags & ~mask)" where only the first 3 bits of u64flags are used.  It's
not normally a real life bug.  Normally fix them the warning, but I have 174 old
warnings from before I started complaining about them.

Maybe:

        if (U32_MAX >= SIZE_MAX && arg.user_addr > SIZE_MAX)
		return -EINVAL;

This code works fine as-is, but eventually I want this code to trigger a couple
more static checker warnings.  It's so suspicious because we're truncating user
data then re-using the same untruncated variable again.

regards,
dan carpenter
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux