[bug report] SUNRPC: Ensure get_rpccred() and put_rpccred() can take NULL arguments

Hello Trond Myklebust,

The patch 9a8f6b5ea275: "SUNRPC: Ensure get_rpccred() and
put_rpccred() can take NULL arguments" from May 16, 2016, leads to
the following static checker warning:

	net/sunrpc/auth_generic.c:248 generic_key_timeout()
	warn: 'tcred' can also be NULL

net/sunrpc/auth_generic.c
   225  static int
   226  generic_key_timeout(struct rpc_auth *auth, struct rpc_cred *cred)
   227  {
   228          struct auth_cred *acred = &container_of(cred, struct generic_cred,
   229                                                  gc_base)->acred;
   230          struct rpc_cred *tcred;
   231          int ret = 0;
   232  
   233  
   234          /* Fast track for non crkey_timeout (no key) underlying credentials */
   235          if (auth->au_flags & RPCAUTH_AUTH_NO_CRKEY_TIMEOUT)
   236                  return 0;
   237  
   238          /* Fast track for the normal case */
   239          if (test_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags))
   240                  return 0;
   241  
   242          /* lookup_cred either returns a valid referenced rpc_cred, or PTR_ERR */
   243          tcred = auth->au_ops->lookup_cred(auth, acred, 0);

It used to be that nul_lookup_cred() would always return valid pointers
but then we modified get_rpccred() to return NULL pointers.  If it
happened here, then it leads to a NULL pointer dereference.

   244          if (IS_ERR(tcred))
   245                  return -EACCES;
   246  
   247          /* Test for the almost error case */
   248          ret = tcred->cr_ops->crkey_timeout(tcred);
                      ^^^^^^^^^^^^^
Here.

   249          if (ret != 0) {
   250                  set_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
   251                  ret = 0;
   252          } else {
   253                  /* In case underlying cred key has been reset */
   254                  if (test_and_clear_bit(RPC_CRED_KEY_EXPIRE_SOON,
   255                                          &acred->ac_flags))
   256                          dprintk("RPC:        UID %d Credential key reset\n",
   257                                  from_kuid(&init_user_ns, tcred->cr_uid));
   258                  /* set up fasttrack for the normal case */
   259                  set_bit(RPC_CRED_NOTIFY_TIMEOUT, &acred->ac_flags);
   260          }
   261  
   262          put_rpccred(tcred);
   263          return ret;
   264  }

regards,
dan carpenter
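
The gap the report describes, modelled in userspace C as an added example (not part of the original email or the kernel source): IS_ERR() is false for NULL, so a NULL returned by the lookup passes the check at lines 244-245 and reaches the dereference at line 248. The macros restate the helpers from linux/err.h; model_cred, model_lookup and checked_key_timeout are hypothetical names, and the NULL-rejecting guard is one possible check, not necessarily the fix applied upstream.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace restatement of the kernel's error-pointer helpers (linux/err.h). */
#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p) ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define IS_ERR_OR_NULL(p) (!(p) || IS_ERR(p))

/* Hypothetical stand-in for struct rpc_cred: just the one callback. */
struct model_cred { int (*key_timeout)(struct model_cred *c); };

static int timeout_soon(struct model_cred *c) { (void)c; return 1; }
static struct model_cred good_cred = { .key_timeout = timeout_soon };

/* Constructed lookup outcomes: valid pointer, error pointer, NULL. */
enum lookup_kind { LOOKUP_OK, LOOKUP_ERR, LOOKUP_NULL };

static struct model_cred *model_lookup(enum lookup_kind k)
{
    if (k == LOOKUP_OK)
        return &good_cred;
    return k == LOOKUP_ERR ? ERR_PTR(-ENOMEM) : NULL;
}

/* 1 if the IS_ERR()-only guard (lines 244-245) lets tcred reach line 248. */
static int reaches_deref_is_err_only(struct model_cred *tcred)
{
    return !IS_ERR(tcred);
}

/* Same call path with a guard that also rejects NULL. */
static int checked_key_timeout(enum lookup_kind k)
{
    struct model_cred *tcred = model_lookup(k);

    if (IS_ERR_OR_NULL(tcred))
        return -EACCES;
    return tcred->key_timeout(tcred);
}

int main(void)
{
    for (int k = LOOKUP_OK; k <= LOOKUP_NULL; k++)
        printf("kind=%d reaches_deref=%d checked=%d\n", k,
               reaches_deref_is_err_only(model_lookup(k)),
               checked_key_timeout(k));
    return 0;
}
```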


