Message-ID: <20210402050944.GA176778@shao2-debian>
Date:   Fri, 2 Apr 2021 13:09:44 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Lv Yunlong <lyl2019@...l.ustc.edu.cn>, philipp.reisner@...bit.com,
        lars.ellenberg@...bit.com, axboe@...nel.dk
Cc:     kbuild-all@...ts.01.org, drbd-dev@...ts.linbit.com,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        Lv Yunlong <lyl2019@...l.ustc.edu.cn>
Subject: Re: [PATCH] drbd: Fix a use after free in get_initial_state

Hi Lv,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on block/for-next]
[also build test WARNING on linux/master linus/master v5.12-rc5 next-20210401]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Lv-Yunlong/drbd-Fix-a-use-after-free-in-get_initial_state/20210402-015401
base:   https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-next
config: x86_64-randconfig-s021-20210401 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.3-279-g6d5d9b42-dirty
        # https://github.com/0day-ci/linux/commit/af3f55d6c8730c5c1ce31fda165712091584adb0
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Lv-Yunlong/drbd-Fix-a-use-after-free-in-get_initial_state/20210402-015401
        git checkout af3f55d6c8730c5c1ce31fda165712091584adb0
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=x86_64 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


sparse warnings: (new ones prefixed by >>)
>> drivers/block/drbd/drbd_nl.c:4957:1: sparse: sparse: unused label 'out'
   drivers/block/drbd/drbd_nl.c: note: in included file:
   include/linux/genl_magic_func.h:212:12: sparse: sparse: symbol 'drbd_genl_cmd_to_str' was not declared. Should it be static?
   drivers/block/drbd/drbd_nl.c:454:33: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:454:33: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:454:33: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:691:38: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:691:38: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:691:38: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:793:40: sparse: sparse: mixing different enum types:
   drivers/block/drbd/drbd_nl.c:793:40: sparse:    int enum drbd_state_rv
   drivers/block/drbd/drbd_nl.c:793:40: sparse:    unsigned int enum drbd_ret_code
   drivers/block/drbd/drbd_nl.c:795:40: sparse: sparse: mixing different enum types:
   drivers/block/drbd/drbd_nl.c:795:40: sparse:    int enum drbd_state_rv
   drivers/block/drbd/drbd_nl.c:795:40: sparse:    unsigned int enum drbd_ret_code
   drivers/block/drbd/drbd_nl.c:980:18: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:980:18: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:980:18: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1287:41: sparse: sparse: cast to restricted __be32
   drivers/block/drbd/drbd_nl.c:1347:22: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:1347:22: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:1347:22: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:1639:17: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:1639:17: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:1639:17: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:1649:17: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:1649:17: sparse:    struct fifo_buffer [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:1649:17: sparse:    struct fifo_buffer *
   drivers/block/drbd/drbd_nl.c:1872:14: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:1872:14: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:1872:14: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:2130:39: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2130:39: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2130:39: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:2138:13: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2138:13: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2138:13: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:2320:50: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2320:50: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2320:50: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:2343:45: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2343:45: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2343:45: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:2488:9: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2488:9: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2488:9: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:2651:9: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2651:9: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2651:9: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:2803:27: sparse: sparse: mixing different enum types:
   drivers/block/drbd/drbd_nl.c:2883:18: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2883:18: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2883:18: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:2923:17: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:2923:17: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:2923:17: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:3461:33: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:3461:33: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:3461:33: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:3586:28: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:3586:28: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:3586:28: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:3799:29: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:3799:29: sparse:    struct disk_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:3799:29: sparse:    struct disk_conf *
   drivers/block/drbd/drbd_nl.c:3805:22: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:3805:22: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:3805:22: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:3995:38: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_nl.c:3995:38: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_nl.c:3995:38: sparse:    struct net_conf *
   drivers/block/drbd/drbd_nl.c:450:9: sparse: sparse: context imbalance in 'highest_fencing_policy' - different lock contexts for basic block
   drivers/block/drbd/drbd_nl.c:2185:9: sparse: sparse: context imbalance in 'drbd_adm_attach' - different lock contexts for basic block
   drivers/block/drbd/drbd_nl.c: note: in included file:
   drivers/block/drbd/drbd_int.h:2141:14: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:2141:14: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:2141:14: sparse:    struct net_conf *
   drivers/block/drbd/drbd_int.h:780:24: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf *
   drivers/block/drbd/drbd_int.h:780:24: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf *
   drivers/block/drbd/drbd_int.h:780:24: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf *
   drivers/block/drbd/drbd_int.h:780:24: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf *
   drivers/block/drbd/drbd_int.h:780:24: sparse: sparse: incompatible types in comparison expression (different address spaces):
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf [noderef] __rcu *
   drivers/block/drbd/drbd_int.h:780:24: sparse:    struct net_conf *

vim +/out +4957 drivers/block/drbd/drbd_nl.c

a29728463b254c Andreas Gruenbacher 2014-07-31  4902  
a29728463b254c Andreas Gruenbacher 2014-07-31  4903  static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
a29728463b254c Andreas Gruenbacher 2014-07-31  4904  {
a29728463b254c Andreas Gruenbacher 2014-07-31  4905  	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
a29728463b254c Andreas Gruenbacher 2014-07-31  4906  	unsigned int seq = cb->args[2];
a29728463b254c Andreas Gruenbacher 2014-07-31  4907  	unsigned int n;
af3f55d6c8730c Lv Yunlong          2021-04-01  4908  	unsigned int skb_len = skb->len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4909  	enum drbd_notification_type flags = 0;
a29728463b254c Andreas Gruenbacher 2014-07-31  4910  
a29728463b254c Andreas Gruenbacher 2014-07-31  4911  	/* There is no need for taking notification_mutex here: it doesn't
a29728463b254c Andreas Gruenbacher 2014-07-31  4912  	   matter if the initial state events mix with later state chage
a29728463b254c Andreas Gruenbacher 2014-07-31  4913  	   events; we can always tell the events apart by the NOTIFY_EXISTS
a29728463b254c Andreas Gruenbacher 2014-07-31  4914  	   flag. */
a29728463b254c Andreas Gruenbacher 2014-07-31  4915  
a29728463b254c Andreas Gruenbacher 2014-07-31  4916  	cb->args[5]--;
a29728463b254c Andreas Gruenbacher 2014-07-31  4917  	if (cb->args[5] == 1) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4918  		notify_initial_state_done(skb, seq);
af3f55d6c8730c Lv Yunlong          2021-04-01  4919  		return skb_len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4920  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4921  	n = cb->args[4]++;
a29728463b254c Andreas Gruenbacher 2014-07-31  4922  	if (cb->args[4] < cb->args[3])
a29728463b254c Andreas Gruenbacher 2014-07-31  4923  		flags |= NOTIFY_CONTINUES;
a29728463b254c Andreas Gruenbacher 2014-07-31  4924  	if (n < 1) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4925  		notify_resource_state_change(skb, seq, state_change->resource,
a29728463b254c Andreas Gruenbacher 2014-07-31  4926  					     NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4927  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4928  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4929  	n--;
a29728463b254c Andreas Gruenbacher 2014-07-31  4930  	if (n < state_change->n_connections) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4931  		notify_connection_state_change(skb, seq, &state_change->connections[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4932  					       NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4933  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4934  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4935  	n -= state_change->n_connections;
a29728463b254c Andreas Gruenbacher 2014-07-31  4936  	if (n < state_change->n_devices) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4937  		notify_device_state_change(skb, seq, &state_change->devices[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4938  					   NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4939  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4940  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4941  	n -= state_change->n_devices;
a29728463b254c Andreas Gruenbacher 2014-07-31  4942  	if (n < state_change->n_devices * state_change->n_connections) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4943  		notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4944  						NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4945  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4946  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4947  
a29728463b254c Andreas Gruenbacher 2014-07-31  4948  next:
a29728463b254c Andreas Gruenbacher 2014-07-31  4949  	if (cb->args[4] == cb->args[3]) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4950  		struct drbd_state_change *next_state_change =
a29728463b254c Andreas Gruenbacher 2014-07-31  4951  			list_entry(state_change->list.next,
a29728463b254c Andreas Gruenbacher 2014-07-31  4952  				   struct drbd_state_change, list);
a29728463b254c Andreas Gruenbacher 2014-07-31  4953  		cb->args[0] = (long)next_state_change;
a29728463b254c Andreas Gruenbacher 2014-07-31  4954  		cb->args[3] = notifications_for_state_change(next_state_change);
a29728463b254c Andreas Gruenbacher 2014-07-31  4955  		cb->args[4] = 0;
a29728463b254c Andreas Gruenbacher 2014-07-31  4956  	}
a29728463b254c Andreas Gruenbacher 2014-07-31 @4957  out:
a29728463b254c Andreas Gruenbacher 2014-07-31  4958  	return skb->len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4959  }
a29728463b254c Andreas Gruenbacher 2014-07-31  4960  
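
Review bot: the label `out:` at line 4957 has no remaining `goto out` in the function, which is the new sparse warning; the early exit at line 4919 now returns `skb_len` directly, so the label should be dropped in the same patch. Separately, line 4958 still returns `skb->len` while the early path returns the copy saved at line 4908. If the saved copy is needed because `skb` must not be read after the notify call at 4918, the commit message should say why the read at 4958, which follows the other notify_* calls that take the same `skb`, is safe, or that return should use `skb_len` as well.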

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
