[bug report] NFSD introduce async copy feature


 



Hello Olga Kornievskaia,

The patch e0639dc5805a: "NFSD introduce async copy feature" from Jul
20, 2018, leads to the following static checker warning:

	fs/nfsd/nfs4proc.c:1544 nfsd4_copy()
	error: '__memcpy()' '&copy->cp_res.cb_stateid' too small (16 vs 24)

fs/nfsd/nfs4proc.c
  1508  static __be32
  1509  nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
  1510                  union nfsd4_op_u *u)
  1511  {
  1512          struct nfsd4_copy *copy = &u->copy;
  1513          __be32 status;
  1514          struct nfsd4_copy *async_copy = NULL;
  1515  
  1516          if (!copy->cp_intra) { /* Inter server SSC */
  1517                  if (!inter_copy_offload_enable || copy->cp_synchronous) {
  1518                          status = nfserr_notsupp;
  1519                          goto out;
  1520                  }
  1521                  status = nfsd4_setup_inter_ssc(rqstp, cstate, copy,
  1522                                  &copy->ss_mnt);
  1523                  if (status)
  1524                          return nfserr_offload_denied;
  1525          } else {
  1526                  status = nfsd4_setup_intra_ssc(rqstp, cstate, copy);
  1527                  if (status)
  1528                          return status;
  1529          }
  1530  
  1531          copy->cp_clp = cstate->clp;
  1532          memcpy(&copy->fh, &cstate->current_fh.fh_handle,
  1533                  sizeof(struct knfsd_fh));
  1534          if (!copy->cp_synchronous) {
  1535                  struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
  1536  
  1537                  status = nfserrno(-ENOMEM);
  1538                  async_copy = kzalloc(sizeof(struct nfsd4_copy), GFP_KERNEL);
  1539                  if (!async_copy)
  1540                          goto out_err;
  1541                  if (!nfs4_init_copy_state(nn, copy))
  1542                          goto out_err;
  1543                  refcount_set(&async_copy->refcount, 1);
  1544                  memcpy(&copy->cp_res.cb_stateid, &copy->cp_stateid,
  1545                          sizeof(copy->cp_stateid));

It took me a while to spot the cb_ vs cp_...  :P

The copy->cp_stateid looks like this: fs/nfsd/state.h
    59  typedef struct {
    60          stateid_t               stid;     /* the stateid proper; this is all that cp_res.cb_stateid has room for */
    61  #define NFS4_COPY_STID 1
    62  #define NFS4_COPYNOTIFY_STID 2
    63          unsigned char           sc_type;  /* presumably one of the NFS4_*_STID values above -- confirm */
    64          refcount_t              sc_count; /* in-kernel bookkeeping; copying it together with stid is what overruns cb_stateid */
    65  } copy_stateid_t;

The .cb_stateid is a plain stateid_t (16 bytes) without the sc_type or the
refcount, so the memcpy at line 1544 writes sizeof(copy_stateid_t) (24 bytes)
into it and runs 8 bytes past the end of cb_stateid into whatever follows it
in cp_res.  Because nfsd4_copy is the server-side handler for a client-issued
COPY, this is an out-of-bounds write on a remotely reachable path, even if the
overrun happens to land inside the same struct.  I suspect we should only be
copying the stateid, sized by the destination rather than the source:
memcpy(&copy->cp_res.cb_stateid, &copy->cp_stateid.stid,
       sizeof(copy->cp_res.cb_stateid));

  1546                  dup_copy_fields(copy, async_copy);
  1547                  async_copy->copy_task = kthread_create(nfsd4_do_async_copy,
  1548                                  async_copy, "%s", "copy thread");
  1549                  if (IS_ERR(async_copy->copy_task))
  1550                          goto out_err;
  1551                  spin_lock(&async_copy->cp_clp->async_lock);
  1552                  list_add(&async_copy->copies,

regards,
dan carpenter



