Message-ID: <202505080231.7OXwq4Te-lkp@intel.com>
Date: Thu, 8 May 2025 08:47:24 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev, Namjae Jeon <linkinjeon@...nel.org>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
linux-kernel@...r.kernel.org, Steve French <stfrench@...rosoft.com>
Subject: fs/smb/server/oplock.c:155 opinfo_get_list() warn: can 'opinfo' even be NULL?
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 707df3375124b51048233625a7e1c801e8c8a7fd
commit: 18b4fac5ef17f77fed9417d22210ceafd6525fc7 ksmbd: fix use-after-free in smb_break_all_levII_oplock()
config: i386-randconfig-141-20250416 (https://download.01.org/0day-ci/archive/20250508/202505080231.7OXwq4Te-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202505080231.7OXwq4Te-lkp@intel.com/
New smatch warnings:
fs/smb/server/oplock.c:155 opinfo_get_list() warn: can 'opinfo' even be NULL?
vim +/opinfo +155 fs/smb/server/oplock.c
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  145  static struct oplock_info *opinfo_get_list(struct ksmbd_inode *ci)
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  146  {
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  147  	struct oplock_info *opinfo;
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  148  
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  149  	if (list_empty(&ci->m_op_list))
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  150  		return NULL;
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  151  
18b4fac5ef17f77 fs/smb/server/oplock.c Namjae Jeon 2025-04-15  152  	down_read(&ci->m_lock);
18b4fac5ef17f77 fs/smb/server/oplock.c Namjae Jeon 2025-04-15  153  	opinfo = list_first_entry(&ci->m_op_list, struct oplock_info,
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  154  				  op_entry);
The list_first_entry() macro never returns NULL. If the list is
empty then it returns an invalid pointer. Use
list_first_entry_or_null(). We have the check for list_empty()
at the start of the function but it's outside of the lock so it's
probably not safe to assume it's still true. (I haven't looked
at the locking here outside of what the kbuild-bot includes in this
email).
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19 @155  	if (opinfo) {
c8efcc786146a95 fs/smb/server/oplock.c Namjae Jeon 2024-03-12  156  		if (opinfo->conn == NULL ||
c8efcc786146a95 fs/smb/server/oplock.c Namjae Jeon 2024-03-12  157  		    !atomic_inc_not_zero(&opinfo->refcount))
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  158  			opinfo = NULL;
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  159  		else {
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  160  			if (ksmbd_conn_releasing(opinfo->conn)) {
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  161  				atomic_dec(&opinfo->refcount);
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  162  				opinfo = NULL;
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  163  			}
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  164  		}
36322523dddb111 fs/smb/server/oplock.c Namjae Jeon 2023-05-19  165  	}
18b4fac5ef17f77 fs/smb/server/oplock.c Namjae Jeon 2025-04-15  166  	up_read(&ci->m_lock);
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  167  
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  168  	return opinfo;
e2f34481b24db2f fs/cifsd/oplock.c      Namjae Jeon 2021-03-16  169  }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
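The two points in the report above (list_first_entry() never yields NULL, and a list_empty() check taken outside the lock says nothing about the list once the lock is held) can be reproduced in userspace. The following is an added example, not code from the kernel or from ksmbd: the list macros are a hypothetical reimplementation of the kernel's list.h with the same shape, and the two structs are reduced stand-ins for ksmbd's oplock_info and ksmbd_inode with an assumed layout (op_entry placed first, a single int after the list head) chosen so that the bogus pointer computed from an empty list stays inside valid memory. The lock is left as comments and the concurrent remover is injected explicitly, so the race is deterministic.

```c
/* Added example: models the check-outside-lock / list_first_entry() pattern
 * from the report. Hypothetical list.h reimplementation and assumed struct
 * layouts; none of this is ksmbd's own code. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static inline int list_empty(const struct list_head *h) { return h->next == h; }
static inline void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static inline void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev; INIT_LIST_HEAD(e);
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* On an empty list head->next == head, so this yields container_of(head):
 * a non-NULL pointer into whatever memory surrounds the list head. */
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)
#define list_first_entry_or_null(head, type, member) \
	(list_empty(head) ? NULL : list_first_entry(head, type, member))

struct oplock_info {			/* assumed stand-in layout */
	struct list_head op_entry;	/* first, so a bogus entry aliases the head */
	int refcount;
};

struct ksmbd_inode {			/* assumed stand-in layout */
	struct list_head m_op_list;
	int neighbour;			/* whatever the inode keeps after the list */
};

/* Stands in for another thread that runs between the unlocked check and the
 * lock acquisition and removes the only oplock on the inode. */
typedef void (*race_fn)(struct ksmbd_inode *ci);
static void drop_only_oplock(struct ksmbd_inode *ci)
{
	if (!list_empty(&ci->m_op_list))
		list_del_init(ci->m_op_list.next);
}

/* Shape of the reported function. The NULL test is dead code. */
static struct oplock_info *opinfo_get_list_buggy(struct ksmbd_inode *ci, race_fn race)
{
	struct oplock_info *opinfo;

	if (list_empty(&ci->m_op_list))	/* checked without m_lock */
		return NULL;
	if (race)
		race(ci);			/* list emptied before the lock */
	/* down_read(&ci->m_lock); */
	opinfo = list_first_entry(&ci->m_op_list, struct oplock_info, op_entry);
	if (opinfo)				/* always true */
		opinfo->refcount++;		/* stand-in for the refcount bump; on a
						 * bogus entry this writes into the inode */
	/* up_read(&ci->m_lock); */
	return opinfo;
}

/* Suggested shape: decide emptiness under the lock with the _or_null variant. */
static struct oplock_info *opinfo_get_list_fixed(struct ksmbd_inode *ci, race_fn race)
{
	struct oplock_info *opinfo;

	if (race)
		race(ci);
	/* down_read(&ci->m_lock); */
	opinfo = list_first_entry_or_null(&ci->m_op_list, struct oplock_info, op_entry);
	if (opinfo)
		opinfo->refcount++;
	/* up_read(&ci->m_lock); */
	return opinfo;
}

enum lookup_result { GOT_NULL, GOT_REAL_ENTRY, GOT_BOGUS_POINTER };

/* Builds an inode holding one oplock, runs fn with or without the race
 * injected, and classifies what came back. */
static enum lookup_result run_lookup(struct oplock_info *(*fn)(struct ksmbd_inode *, race_fn),
				     int inject_race)
{
	struct ksmbd_inode ci = { .neighbour = 42 };
	struct oplock_info op = { .refcount = 1 };
	struct oplock_info *got;

	INIT_LIST_HEAD(&ci.m_op_list);
	list_add(&op.op_entry, &ci.m_op_list);
	got = fn(&ci, inject_race ? drop_only_oplock : NULL);
	if (!got)
		return GOT_NULL;
	return got == &op ? GOT_REAL_ENTRY : GOT_BOGUS_POINTER;
}

/* Where inside the inode a refcount bump on the bogus entry would land
 * (pointer arithmetic only, nothing is dereferenced). */
static size_t bogus_refcount_offset_in_inode(void)
{
	struct ksmbd_inode ci;
	struct oplock_info *bogus;

	INIT_LIST_HEAD(&ci.m_op_list);
	bogus = list_first_entry(&ci.m_op_list, struct oplock_info, op_entry);
	return (size_t)((char *)&bogus->refcount - (char *)&ci);
}

int main(void)
{
	printf("buggy, raced: %d (2 = bogus pointer)\n", run_lookup(opinfo_get_list_buggy, 1));
	printf("fixed, raced: %d (0 = NULL)\n", run_lookup(opinfo_get_list_fixed, 1));
	printf("bogus refcount lands at inode offset %zu (neighbour is at %zu)\n",
	       bogus_refcount_offset_in_inode(), offsetof(struct ksmbd_inode, neighbour));
	return 0;
}
```

Without the race both variants return the real entry, so the dead NULL check is invisible in normal testing; with the race the buggy shape hands back the address of the list head typed as an entry and then bumps a "refcount" that is really the inode field next to the list. The offset helper shows that landing spot without executing the corrupting store.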