tree: https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git orangefs-untested head: d73856895759bde434f118b7468da696c53624a3 commit: 6da8338a44b43c6a2c1b6c8705282680e6a09217 [18/19] orangefs: don't leave uninitialized data in ->trailer_buf config: mn10300-allmodconfig (attached as .config) reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 6da8338a44b43c6a2c1b6c8705282680e6a09217 # save the attached .config to linux build tree make.cross ARCH=mn10300 All warnings (new ones prefixed by >>): fs/orangefs/devpvfs2-req.c: In function 'pvfs2_devreq_writev': fs/orangefs/devpvfs2-req.c:284:4: warning: format '%zu' expects argument of type 'size_t', but argument 2 has type 'unsigned int' [-Wformat=] notrailer_count); ^ fs/orangefs/devpvfs2-req.c:361:5: warning: format '%zu' expects argument of type 'size_t', but argument 3 has type 'unsigned int' [-Wformat=] gossip_err("Error: trailer size (%ld) is non-zero, no trailer elements though? (%zu)\n", (unsigned long)trailer_size, count); ^ >> fs/orangefs/devpvfs2-req.c:368:5: warning: format '%zd' expects argument of type 'signed size_t', but argument 3 has type 'size_t' [-Wformat=] gossip_err("writev error: trailer size (%ld) != iov_len (%zd)\n", (unsigned long)trailer_size, size); ^ vim +368 fs/orangefs/devpvfs2-req.c 278 ssize_t total_returned_size = 0; 279 280 /* Either there is a trailer or there isn't */ 281 if (count != notrailer_count && count != (notrailer_count + 1)) { 282 gossip_err("Error: Number of iov vectors is (%zu) and notrailer count is %d\n", 283 count, > 284 notrailer_count); 285 return -EPROTO; 286 } 287 buffer = dev_req_alloc(); 288 if (!buffer) 289 return -ENOMEM; 290 ptr = buffer; 291 292 for (i = 0; i < notrailer_count; i++) { 293 if (iov[i].iov_len > num_remaining) { 294 gossip_err 295 ("writev error: Freeing buffer and returning\n"); 296 dev_req_release(buffer); 297 return -EMSGSIZE; 298 } 299 ret = copy_from_user(ptr, iov[i].iov_base, iov[i].iov_len); 300 if (ret) { 301 gossip_err("Failed to copy data from user space\n"); 302 dev_req_release(buffer); 303 return -EIO; 304 } 305 num_remaining -= iov[i].iov_len; 306 ptr += iov[i].iov_len; 307 payload_size += iov[i].iov_len; 308 } 309 total_returned_size = payload_size; 310 311 /* these elements are currently 8 byte aligned (8 bytes for (version + 312 * magic) 8 bytes for tag). If you add another element, either 313 * make it 8 bytes big, or use get_unaligned when asigning. 314 */ 315 ptr = buffer; 316 proto_ver = *((__s32 *) ptr); 317 ptr += sizeof(__s32); 318 319 magic = *((__s32 *) ptr); 320 ptr += sizeof(__s32); 321 322 tag = *((__u64 *) ptr); 323 ptr += sizeof(__u64); 324 325 if (magic != PVFS2_DEVREQ_MAGIC) { 326 gossip_err("Error: Device magic number does not match.\n"); 327 dev_req_release(buffer); 328 return -EPROTO; 329 } 330 331 /* 332 * proto_ver = 20902 for 2.9.2 333 */ 334 335 op = pvfs2_devreq_remove_op(tag); 336 if (op) { 337 /* Increase ref count! */ 338 get_op(op); 339 /* cut off magic and tag from payload size */ 340 payload_size -= (2 * sizeof(__s32) + sizeof(__u64)); 341 if (payload_size <= sizeof(struct pvfs2_downcall_s)) 342 /* copy the passed in downcall into the op */ 343 memcpy(&op->downcall, 344 ptr, 345 sizeof(struct pvfs2_downcall_s)); 346 else 347 gossip_debug(GOSSIP_DEV_DEBUG, 348 "writev: Ignoring %d bytes\n", 349 payload_size); 350 351 /* Do not allocate needlessly if client-core forgets 352 * to reset trailer size on op errors. 353 */ 354 if (op->downcall.status == 0 && op->downcall.trailer_size > 0) { 355 __u64 trailer_size = op->downcall.trailer_size; 356 size_t size; 357 gossip_debug(GOSSIP_DEV_DEBUG, 358 "writev: trailer size %ld\n", 359 (unsigned long)size); 360 if (count != (notrailer_count + 1)) { 361 gossip_err("Error: trailer size (%ld) is non-zero, no trailer elements though? (%zu)\n", (unsigned long)trailer_size, count); 362 dev_req_release(buffer); 363 put_op(op); 364 return -EPROTO; 365 } 366 size = iov[notrailer_count].iov_len; 367 if (size > trailer_size) { > 368 gossip_err("writev error: trailer size (%ld) != iov_len (%zd)\n", (unsigned long)trailer_size, size); 369 dev_req_release(buffer); 370 put_op(op); 371 return -EMSGSIZE; --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
Attachment:
.config.gz
Description: Binary data
