Hello Ming Lei,

The patch 71f28f3136af: "ublk_drv: add io_uring based userspace block driver" from Jul 13, 2022, leads to the following Smatch static checker warning:

	drivers/block/ublk_drv.c:940 ublk_ch_uring_cmd() error: potentially dereferencing uninitialized 'io'.

drivers/block/ublk_drv.c
   863 static int ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
   864 {
   865 	struct ublksrv_io_cmd *ub_cmd = (struct ublksrv_io_cmd *)cmd->cmd;
   866 	struct ublk_device *ub = cmd->file->private_data;
   867 	struct ublk_queue *ubq;
   868 	struct ublk_io *io;
   869 	u32 cmd_op = cmd->cmd_op;
   870 	unsigned tag = ub_cmd->tag;
   871 	int ret = -EINVAL;
   872 
   873 	pr_devel("%s: received: cmd op %d queue %d tag %d result %d\n",
   874 			__func__, cmd->cmd_op, ub_cmd->q_id, tag,
   875 			ub_cmd->result);
   876 
   877 	if (!(issue_flags & IO_URING_F_SQE128))
   878 		goto out;

"io" isn't initialized until later (line 893), so this goto out will crash: the out: label first writes through the pointer (io->flags &= ~UBLK_IO_FLAG_ACTIVE on line 940) and then reads it again in the pr_devel() on line 943, so this is a write through an uninitialized stack pointer, not just a read. The same label is also reached from the q_id, queue and tag checks on lines 880-891, all of which run before "io" is assigned. None of these paths needs anything more than submitting an io_uring command on the ublk char device (no SQE128 flag, or an out-of-range q_id/tag), so presumably any process that can open the device can trigger it: at minimum that is a kernel crash, and because the pointer is whatever happened to be on the stack rather than NULL, the write is not even guaranteed to fault.

Goto out is always a red flag because the label name is too vague to say what the goto does.
   879 
   880 	if (ub_cmd->q_id >= ub->dev_info.nr_hw_queues)
   881 		goto out;
   882 
   883 	ubq = ublk_get_queue(ub, ub_cmd->q_id);
   884 	if (!ubq || ub_cmd->q_id != ubq->q_id)
   885 		goto out;
   886 
   887 	if (ubq->ubq_daemon && ubq->ubq_daemon != current)
   888 		goto out;
   889 
   890 	if (tag >= ubq->q_depth)
   891 		goto out;
   892 
   893 	io = &ubq->ios[tag];
   894 
   895 	/* there is pending io cmd, something must be wrong */
   896 	if (io->flags & UBLK_IO_FLAG_ACTIVE) {
   897 		ret = -EBUSY;
   898 		goto out;
   899 	}
   900 
   901 	switch (cmd_op) {
   902 	case UBLK_IO_FETCH_REQ:
   903 		/* UBLK_IO_FETCH_REQ is only allowed before queue is setup */
   904 		if (ublk_queue_ready(ubq)) {
   905 			ret = -EBUSY;
   906 			goto out;
   907 		}
   908 		/*
   909 		 * The io is being handled by server, so COMMIT_RQ is expected
   910 		 * instead of FETCH_REQ
   911 		 */
   912 		if (io->flags & UBLK_IO_FLAG_OWNED_BY_SRV)
   913 			goto out;
   914 		/* FETCH_RQ has to provide IO buffer */
   915 		if (!ub_cmd->addr)
   916 			goto out;
   917 		io->cmd = cmd;
   918 		io->flags |= UBLK_IO_FLAG_ACTIVE;
   919 		io->addr = ub_cmd->addr;
   920 
   921 		ublk_mark_io_ready(ub, ubq);
   922 		break;
   923 	case UBLK_IO_COMMIT_AND_FETCH_REQ:
   924 		/* FETCH_RQ has to provide IO buffer */
   925 		if (!ub_cmd->addr)
   926 			goto out;
   927 		if (!(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV))
   928 			goto out;
   929 		io->addr = ub_cmd->addr;
   930 		io->flags |= UBLK_IO_FLAG_ACTIVE;
   931 		io->cmd = cmd;
   932 		ublk_commit_completion(ub, ub_cmd);
   933 		break;
   934 	default:
   935 		goto out;
   936 	}
   937 	return -EIOCBQUEUED;
   938 
   939  out:
--> 940 	io->flags &= ~UBLK_IO_FLAG_ACTIVE;
   941 	io_uring_cmd_done(cmd, ret, 0);
   942 	pr_devel("%s: complete: cmd op %d, tag %d ret %x io_flags %x\n",
   943 			__func__, cmd_op, tag, ret, io->flags);
   944 	return -EIOCBQUEUED;
   945 }

The simplest fix is to stop touching "io" at the label at all. As far as I can see nothing in this function jumps to out: after it sets UBLK_IO_FLAG_ACTIVE (lines 918 and 930 set the flag right before break), so the clear on line 940 never undoes anything this function did. The only path that reaches out: with the flag already set is the -EBUSY path on lines 896-898, and there the clear strips ACTIVE from a command that is still pending, which looks wrong in its own right. So I would drop line 940, drop the io->flags argument from the pr_devel() on lines 942-943, and leave out: as just io_uring_cmd_done() plus the return. If the clear really is wanted for some path, give it its own label (e.g. out_clear_active:) that only the gotos after line 893 use, and have the range-check failures above line 893 jump to a label that does not dereference "io".

regards,
dan carpenter