lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ad24597e-c7b2-abf5-d5b3-adcf8fdc02c9@intel.com>
Date:   Mon, 26 Jul 2021 11:40:24 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Ronnie Sahlberg <lsahlber@...hat.com>
Cc:     kbuild-all@...ts.01.org, LKML <linux-kernel@...r.kernel.org>,
        Steve French <stfrench@...rosoft.com>
Subject: fs/cifs/smb2ops.c:3646:2: warning: Undefined or garbage value
 returned to caller [clang-analyzer-core.uninitialized.UndefReturn]


tree: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   d8079fac168168b25677dc16c00ffaf9fb7df723
commit: 2485bd7557a7edb4520b4072af464f0a08c8efe0 cifs: only write 64kb 
at a time when fallocating a small region of a file
date:   3 days ago
:::::: branch date: 6 hours ago
:::::: commit date: 3 days ago
config: x86_64-randconfig-c001-20210725 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 
3f2c1e99e44d028d5e9dd685f3c568f2661f2f68)
reproduce (this is a W=1 build):
         wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross 
-O ~/bin/make.cross
         chmod +x ~/bin/make.cross
         # install x86_64 cross compiling tool for clang build
         # apt-get install binutils-x86-64-linux-gnu
         # 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2485bd7557a7edb4520b4072af464f0a08c8efe0
         git remote add linus 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
         git fetch --no-tags linus master
         git checkout 2485bd7557a7edb4520b4072af464f0a08c8efe0
         # save the attached .config to linux build tree
         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross 
clang-analyzer ARCH=x86_64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


clang-analyzer warnings: (new ones prefixed by >>)
    net/lapb/lapb_iface.c:47:2: note: Memory is released
            kfree(lapb);
            ^~~~~~~~~~~
    net/lapb/lapb_iface.c:58:3: note: Returning; memory was released via 
1st parameter
                    lapb_free_cb(lapb);
                    ^~~~~~~~~~~~~~~~~~
    net/lapb/lapb_iface.c:68:3: note: Returning; memory was released via 
1st parameter
                    lapb_put(lapb);
                    ^~~~~~~~~~~~~~
    net/lapb/lapb_iface.c:200:2: note: Returning; memory was released 
via 1st parameter
            __lapb_remove_cb(lapb);
            ^~~~~~~~~~~~~~~~~~~~~~
    net/lapb/lapb_iface.c:202:2: note: Use of memory after it is freed
            lapb_put(lapb);
            ^        ~~~~
    Suppressed 9 warnings (9 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    8 warnings generated.
    drivers/media/dvb-frontends/stv090x.c:2289:23: warning: The result 
of the '/' expression is undefined 
[clang-analyzer-core.UndefinedBinaryOperatorResult]
            steps_max = (car_max / inc) + 1; /* min steps = 3 */
                                 ^
    drivers/media/dvb-frontends/stv090x.c:2405:2: note: Calling 
'stv090x_get_loop_params'
            stv090x_get_loop_params(state, &inc, &timeout_step, &steps_max);
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2251:6: note: Assuming 
'car_max' is <= 16384
            if (car_max > 0x4000)
                ^~~~~~~~~~~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2251:2: note: Taking false branch
            if (car_max > 0x4000)
            ^
    drivers/media/dvb-frontends/stv090x.c:2260:2: note: Control jumps to 
'case STV090x_SEARCH_DVBS2:'  at line 2267
            switch (state->search_mode) {
            ^
    drivers/media/dvb-frontends/stv090x.c:2270:3: note:  Execution 
continues on line 2278
                    break;
                    ^
    drivers/media/dvb-frontends/stv090x.c:2279:7: note: Assuming 'inc' 
is <= 'car_max'
            if ((inc > car_max) || (inc < 0))
                 ^~~~~~~~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2279:6: note: Left side of 
'||' is false
            if ((inc > car_max) || (inc < 0))
                ^
    drivers/media/dvb-frontends/stv090x.c:2279:26: note: Assuming 'inc' 
is >= 0
            if ((inc > car_max) || (inc < 0))
                                    ^~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2279:2: note: Taking false branch
            if ((inc > car_max) || (inc < 0))
            ^
    drivers/media/dvb-frontends/stv090x.c:2283:6: note: Assuming 'srate' 
is <= 0
            if (srate > 0)
                ^~~~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2283:2: note: Taking false branch
            if (srate > 0)
            ^
    drivers/media/dvb-frontends/stv090x.c:2286:7: note: 'timeout' is > 100
            if ((timeout > 100) || (timeout < 0))
                 ^~~~~~~
    drivers/media/dvb-frontends/stv090x.c:2286:22: note: Left side of 
'||' is true
            if ((timeout > 100) || (timeout < 0))
                                ^
    drivers/media/dvb-frontends/stv090x.c:2289:23: note: The result of 
the '/' expression is undefined
            steps_max = (car_max / inc) + 1; /* min steps = 3 */
                         ~~~~~~~~^~~~~
    drivers/media/dvb-frontends/stv090x.c:2960:2: warning: Value stored 
to 'reg' is never read [clang-analyzer-deadcode.DeadStores]
            reg = STV090x_READ_DEMOD(state, TMGOBS);
            ^
    drivers/media/dvb-frontends/stv090x.c:2960:2: note: Value stored to 
'reg' is never read
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    7 warnings generated.
    Suppressed 7 warnings (6 in non-user code, 1 with check filters).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    13 warnings generated.
>> fs/cifs/smb2ops.c:3646:2: warning: Undefined or garbage value returned to caller [clang-analyzer-core.uninitialized.UndefReturn]
            return rc;
            ^
    fs/cifs/smb2ops.c:3668:6: note: Assuming 'rc' is 0
            if (rc)
                ^~
    fs/cifs/smb2ops.c:3668:2: note: Taking false branch
            if (rc)
            ^
    fs/cifs/smb2ops.c:3673:6: note: Assuming 'out_data_len' is not equal 
to 0
            if (out_data_len == 0)
                ^~~~~~~~~~~~~~~~~
    fs/cifs/smb2ops.c:3673:2: note: Taking false branch
            if (out_data_len == 0)
            ^
    fs/cifs/smb2ops.c:3677:6: note: Assuming 'buf' is not equal to NULL
            if (buf == NULL) {
                ^~~~~~~~~~~
    fs/cifs/smb2ops.c:3677:2: note: Taking false branch
            if (buf == NULL) {
            ^
    fs/cifs/smb2ops.c:3683:2: note: Loop condition is true.  Entering 
loop body
            while (len) {
            ^
    fs/cifs/smb2ops.c:3687:7: note: 'out_data_len' is not equal to 0
                    if (out_data_len == 0) {
                        ^~~~~~~~~~~~
    fs/cifs/smb2ops.c:3687:3: note: Taking false branch
                    if (out_data_len == 0) {
                    ^
    fs/cifs/smb2ops.c:3693:7: note: Assuming the condition is false
                    if (out_data_len < sizeof(struct 
file_allocated_range_buffer)) {
 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    fs/cifs/smb2ops.c:3693:3: note: Taking false branch
                    if (out_data_len < sizeof(struct 
file_allocated_range_buffer)) {
                    ^
    fs/cifs/smb2ops.c:3698:7: note: Assuming 'off' is < field 'file_offset'
                    if (off < le64_to_cpu(tmp_data->file_offset)) {
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    fs/cifs/smb2ops.c:3698:3: note: Taking true branch
                    if (off < le64_to_cpu(tmp_data->file_offset)) {
                    ^
    fs/cifs/smb2ops.c:3705:8: note: Assuming 'len' is >= 'l'
                            if (len < l)
                                ^~~~~~~
    fs/cifs/smb2ops.c:3705:4: note: Taking false branch
                            if (len < l)
                            ^
    fs/cifs/smb2ops.c:3707:9: note: Calling 
'smb3_simple_fallocate_write_range'
                            rc = smb3_simple_fallocate_write_range(xid, 
tcon,
 
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    fs/cifs/smb2ops.c:3620:6: note: 'rc' declared without an initial value
            int rc, nbytes;
                ^~
    fs/cifs/smb2ops.c:3629:2: note: Loop condition is false. Execution 
continues on line 3646
            while (len) {
            ^
    fs/cifs/smb2ops.c:3646:2: note: Undefined or garbage value returned 
to caller
            return rc;
            ^      ~~
    fs/cifs/smb2ops.c:4178:3: warning: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119 
[clang-analyzer-security.insecureAPI.strcpy]
                    strcat(message, "R");
                    ^~~~~~
    fs/cifs/smb2ops.c:4178:3: note: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119
                    strcat(message, "R");
                    ^~~~~~
    fs/cifs/smb2ops.c:4182:3: warning: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119 
[clang-analyzer-security.insecureAPI.strcpy]
                    strcat(message, "H");
                    ^~~~~~
    fs/cifs/smb2ops.c:4182:3: note: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119
                    strcat(message, "H");
                    ^~~~~~
    fs/cifs/smb2ops.c:4186:3: warning: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119 
[clang-analyzer-security.insecureAPI.strcpy]
                    strcat(message, "W");
                    ^~~~~~
    fs/cifs/smb2ops.c:4186:3: note: Call to function 'strcat' is 
insecure as it does not provide bounding of the memory buffer. Replace 
unbounded copy functions with analogous functions that support length 
arguments such as 'strlcat'. CWE-119
                    strcat(message, "W");
                    ^~~~~~
    Suppressed 9 warnings (9 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    6 warnings generated.
    Suppressed 6 warnings (6 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    3 warnings generated.
    Suppressed 3 warnings (3 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    3 warnings generated.
    Suppressed 3 warnings (3 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    4 warnings generated.
    Suppressed 4 warnings (4 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.
    3 warnings generated.
    Suppressed 3 warnings (3 in non-user code).
    Use -header-filter=.* to display errors from all non-system headers. 
Use -system-headers to display errors from system headers as well.

vim +3646 fs/cifs/smb2ops.c

31742c5a331766 Steve French    2014-08-17  3612  966a3cb7c7db78 Ronnie 
Sahlberg 2021-06-03  3613  static int 
smb3_simple_fallocate_write_range(unsigned int xid,
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3614  					     struct 
cifs_tcon *tcon,
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3615  					     struct 
cifsFileInfo *cfile,
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3616  					     loff_t off, 
loff_t len,
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3617  					     char *buf)
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3618  {
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3619  	struct cifs_io_parms 
io_parms = {0};
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3620  	int rc, nbytes;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3621  	struct kvec iov[2];
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3622  966a3cb7c7db78 Ronnie 
Sahlberg 2021-06-03  3623  	io_parms.netfid = cfile->fid.netfid;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3624  	io_parms.pid = 
current->tgid;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3625  	io_parms.tcon = tcon;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3626 
io_parms.persistent_fid = cfile->fid.persistent_fid;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3627  	io_parms.volatile_fid 
= cfile->fid.volatile_fid;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3628  2485bd7557a7ed Ronnie 
Sahlberg 2021-07-22  3629  	while (len) {
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3630  		io_parms.offset = off;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3631  		io_parms.length = len;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3632  		if (io_parms.length > 
SMB2_MAX_BUFFER_SIZE)
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3633  			io_parms.length = 
SMB2_MAX_BUFFER_SIZE;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3634  		/* iov[0] is reserved 
for smb header */
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3635  		iov[1].iov_base = buf;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3636  		iov[1].iov_len = 
io_parms.length;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3637  		rc = SMB2_write(xid, 
&io_parms, &nbytes, iov, 1);
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3638  		if (rc)
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3639  			break;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3640  		if (nbytes > len)
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3641  			return -EINVAL;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3642  		buf += nbytes;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3643  		off += nbytes;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3644  		len -= nbytes;
2485bd7557a7ed Ronnie Sahlberg 2021-07-22  3645  	}
2485bd7557a7ed Ronnie Sahlberg 2021-07-22 @3646  	return rc;
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3647  }
966a3cb7c7db78 Ronnie Sahlberg 2021-06-03  3648
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org


Download attachment ".config.gz" of type "application/gzip" (29587 bytes)

View attachment "Attached Message Part" of type "text/plain" (151 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ