Hello Bernd Schubert,

Commit e24b7a3b70ae ("fuse: make args->in_args[0] to be always the
header") from Jan 20, 2025 (linux-next), leads to the following Smatch
static checker warning:

        fs/fuse/dir.c:596 get_create_ext()
        error: buffer overflow 'args->in_args' 3 <= 3

fs/fuse/dax.c
    921 static int fuse_symlink(struct mnt_idmap *idmap, struct inode *dir,
    922                         struct dentry *entry, const char *link)
    923 {
    924         struct fuse_mount *fm = get_fuse_mount(dir);
    925         unsigned len = strlen(link) + 1;
    926         FUSE_ARGS(args);
    927
    928         args.opcode = FUSE_SYMLINK;
    929         args.in_numargs = 3;

The opcode is FUSE_SYMLINK and args.in_numargs is 3, which according to
the warning above is already the full size of in_args.

    930         fuse_set_zero_arg0(&args);
    931         args.in_args[1].size = entry->d_name.len + 1;
    932         args.in_args[1].value = entry->d_name.name;
    933         args.in_args[2].size = len;
    934         args.in_args[2].value = link;
    935         return create_new_entry(idmap, fm, &args, dir, entry, S_IFLNK);
                                                   ^^^^^
    936 }

fs/fuse/dir.c
    782 static int create_new_entry(struct mnt_idmap *idmap, struct fuse_mount *fm,
    783                             struct fuse_args *args, struct inode *dir,
    784                             struct dentry *entry, umode_t mode)
    785 {
    786         struct fuse_entry_out outarg;
    787         struct inode *inode;
    788         struct dentry *d;
    789         int err;
    790         struct fuse_forget_link *forget;
    791
    792         if (fuse_is_bad(dir))
    793                 return -EIO;
    794
    795         forget = fuse_alloc_forget();
    796         if (!forget)
    797                 return -ENOMEM;
    798
    799         memset(&outarg, 0, sizeof(outarg));
    800         args->nodeid = get_node_id(dir);
    801         args->out_numargs = 1;
    802         args->out_args[0].size = sizeof(outarg);
    803         args->out_args[0].value = &outarg;
    804
    805         if (args->opcode != FUSE_LINK) {

FUSE_LINK is 13 and FUSE_SYMLINK is 6, so this branch is taken for symlinks.

    806                 err = get_create_ext(idmap, args, dir, entry, mode);
                                                    ^^^^
    807                 if (err)
    808                         goto out_put_forget_req;
    809         }

fs/fuse/dir.c
    578 static int get_create_ext(struct mnt_idmap *idmap,
    579                           struct fuse_args *args,
    580                           struct inode *dir, struct dentry *dentry,
    581                           umode_t mode)
    582 {
    583         struct fuse_conn *fc = get_fuse_conn_super(dentry->d_sb);
    584         struct fuse_in_arg ext = { .size = 0, .value = NULL };
    585         int err = 0;
    586
    587         if (fc->init_security)
    588                 err = get_security_context(dentry, mode, &ext);
    589         if (!err && fc->create_supp_group)
    590                 err = get_create_supp_group(idmap, dir, &ext);
    591
    592         if (!err && ext.size) {
                            ^^^^^^^^
I don't know what ext.size is.  Maybe it's zero for symlinks?  In that
case just ignore this static checker warning.

    593                 WARN_ON(args->in_numargs >= ARRAY_SIZE(args->in_args));
    594                 args->is_ext = true;
    595                 args->ext_idx = args->in_numargs++;
--> 596                 args->in_args[args->ext_idx] = ext;
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
With args->in_numargs already at 3, ext_idx is 3, which results in an
out-of-bounds warning here.  The WARN_ON() on line 593 flags this
condition but does not skip the store.

    597         } else {
    598                 kfree(ext.value);
    599         }
    600
    601         return err;
    602 }

regards,
dan carpenter