lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202512181203.IOv6IChH-lkp@intel.com>
Date: Thu, 18 Dec 2025 10:17:52 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev, Alice Ryhl <aliceryhl@...gle.com>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Wedson Almeida Filho <wedsonaf@...il.com>,
	Matt Gilbride <mattgilbride@...gle.com>
Subject: drivers/android/binder/rust_binderfs.c:134
 binderfs_binder_device_create() error: Calling ida_alloc_max() with a 'max'
 argument which is a power of 2. -1 missing?

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   ea1013c1539270e372fc99854bc6e4d94eaeff66
commit: eafedbc7c050c44744fbdf80bdf3315e860b7513 rust_binder: add Rust Binder driver
config: loongarch-randconfig-r071-20251218 (https://download.01.org/0day-ci/archive/20251218/202512181203.IOv6IChH-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202512181203.IOv6IChH-lkp@intel.com/

smatch warnings:
drivers/android/binder/rust_binderfs.c:134 binderfs_binder_device_create() error: Calling ida_alloc_max() with a 'max' argument which is a power of 2. -1 missing?
drivers/android/binder/rust_binderfs.c:418 binderfs_binder_ctl_create() error: Calling ida_alloc_max() with a 'max' argument which is a power of 2. -1 missing?

vim +/max +134 drivers/android/binder/rust_binderfs.c

eafedbc7c050c4 Alice Ryhl 2025-09-19  130  
eafedbc7c050c4 Alice Ryhl 2025-09-19  131  	/* Reserve new minor number for the new device. */
eafedbc7c050c4 Alice Ryhl 2025-09-19  132  	mutex_lock(&binderfs_minors_mutex);
eafedbc7c050c4 Alice Ryhl 2025-09-19  133  	if (++info->device_count <= info->mount_opts.max)
eafedbc7c050c4 Alice Ryhl 2025-09-19 @134  		minor = ida_alloc_max(&binderfs_minors,
eafedbc7c050c4 Alice Ryhl 2025-09-19  135  				      use_reserve ? BINDERFS_MAX_MINOR :
eafedbc7c050c4 Alice Ryhl 2025-09-19  136  						    BINDERFS_MAX_MINOR_CAPPED,

ida_alloc_max() takes the maximum valid id not the count.  These should
be BINDERFS_MAX_MINOR - 1, BINDERFS_MAX_MINOR_CAPPED - 1.

eafedbc7c050c4 Alice Ryhl 2025-09-19  137  				      GFP_KERNEL);
eafedbc7c050c4 Alice Ryhl 2025-09-19  138  	else
eafedbc7c050c4 Alice Ryhl 2025-09-19  139  		minor = -ENOSPC;
eafedbc7c050c4 Alice Ryhl 2025-09-19  140  	if (minor < 0) {
eafedbc7c050c4 Alice Ryhl 2025-09-19  141  		--info->device_count;
eafedbc7c050c4 Alice Ryhl 2025-09-19  142  		mutex_unlock(&binderfs_minors_mutex);
eafedbc7c050c4 Alice Ryhl 2025-09-19  143  		return minor;
eafedbc7c050c4 Alice Ryhl 2025-09-19  144  	}
eafedbc7c050c4 Alice Ryhl 2025-09-19  145  	mutex_unlock(&binderfs_minors_mutex);
eafedbc7c050c4 Alice Ryhl 2025-09-19  146  
eafedbc7c050c4 Alice Ryhl 2025-09-19  147  	ret = -ENOMEM;
eafedbc7c050c4 Alice Ryhl 2025-09-19  148  	device = kzalloc(sizeof(*device), GFP_KERNEL);
eafedbc7c050c4 Alice Ryhl 2025-09-19  149  	if (!device)
eafedbc7c050c4 Alice Ryhl 2025-09-19  150  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  151  
eafedbc7c050c4 Alice Ryhl 2025-09-19  152  	req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
eafedbc7c050c4 Alice Ryhl 2025-09-19  153  
eafedbc7c050c4 Alice Ryhl 2025-09-19  154  	ctx = rust_binder_new_context(req->name);
eafedbc7c050c4 Alice Ryhl 2025-09-19  155  	if (!ctx)
eafedbc7c050c4 Alice Ryhl 2025-09-19  156  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  157  
eafedbc7c050c4 Alice Ryhl 2025-09-19  158  	inode = new_inode(sb);
eafedbc7c050c4 Alice Ryhl 2025-09-19  159  	if (!inode)
eafedbc7c050c4 Alice Ryhl 2025-09-19  160  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  161  
eafedbc7c050c4 Alice Ryhl 2025-09-19  162  	inode->i_ino = minor + INODE_OFFSET;
eafedbc7c050c4 Alice Ryhl 2025-09-19  163  	simple_inode_init_ts(inode);
eafedbc7c050c4 Alice Ryhl 2025-09-19  164  	init_special_inode(inode, S_IFCHR | 0600,
eafedbc7c050c4 Alice Ryhl 2025-09-19  165  			   MKDEV(MAJOR(binderfs_dev), minor));
eafedbc7c050c4 Alice Ryhl 2025-09-19  166  	inode->i_fop = &rust_binder_fops;
eafedbc7c050c4 Alice Ryhl 2025-09-19  167  	inode->i_uid = info->root_uid;
eafedbc7c050c4 Alice Ryhl 2025-09-19  168  	inode->i_gid = info->root_gid;
eafedbc7c050c4 Alice Ryhl 2025-09-19  169  
eafedbc7c050c4 Alice Ryhl 2025-09-19  170  	req->major = MAJOR(binderfs_dev);
eafedbc7c050c4 Alice Ryhl 2025-09-19  171  	req->minor = minor;
eafedbc7c050c4 Alice Ryhl 2025-09-19  172  	device->ctx = ctx;
eafedbc7c050c4 Alice Ryhl 2025-09-19  173  	device->minor = minor;
eafedbc7c050c4 Alice Ryhl 2025-09-19  174  
eafedbc7c050c4 Alice Ryhl 2025-09-19  175  	if (userp && copy_to_user(userp, req, sizeof(*req))) {
eafedbc7c050c4 Alice Ryhl 2025-09-19  176  		ret = -EFAULT;
eafedbc7c050c4 Alice Ryhl 2025-09-19  177  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  178  	}
eafedbc7c050c4 Alice Ryhl 2025-09-19  179  
eafedbc7c050c4 Alice Ryhl 2025-09-19  180  	root = sb->s_root;
eafedbc7c050c4 Alice Ryhl 2025-09-19  181  	inode_lock(d_inode(root));
eafedbc7c050c4 Alice Ryhl 2025-09-19  182  
eafedbc7c050c4 Alice Ryhl 2025-09-19  183  	/* look it up */
eafedbc7c050c4 Alice Ryhl 2025-09-19  184  	dentry = lookup_noperm(&QSTR(req->name), root);
eafedbc7c050c4 Alice Ryhl 2025-09-19  185  	if (IS_ERR(dentry)) {
eafedbc7c050c4 Alice Ryhl 2025-09-19  186  		inode_unlock(d_inode(root));
eafedbc7c050c4 Alice Ryhl 2025-09-19  187  		ret = PTR_ERR(dentry);
eafedbc7c050c4 Alice Ryhl 2025-09-19  188  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  189  	}
eafedbc7c050c4 Alice Ryhl 2025-09-19  190  
eafedbc7c050c4 Alice Ryhl 2025-09-19  191  	if (d_really_is_positive(dentry)) {
eafedbc7c050c4 Alice Ryhl 2025-09-19  192  		/* already exists */
eafedbc7c050c4 Alice Ryhl 2025-09-19  193  		dput(dentry);
eafedbc7c050c4 Alice Ryhl 2025-09-19  194  		inode_unlock(d_inode(root));
eafedbc7c050c4 Alice Ryhl 2025-09-19  195  		ret = -EEXIST;
eafedbc7c050c4 Alice Ryhl 2025-09-19  196  		goto err;
eafedbc7c050c4 Alice Ryhl 2025-09-19  197  	}
eafedbc7c050c4 Alice Ryhl 2025-09-19  198  
eafedbc7c050c4 Alice Ryhl 2025-09-19  199  	inode->i_private = device;
eafedbc7c050c4 Alice Ryhl 2025-09-19  200  	d_instantiate(dentry, inode);
eafedbc7c050c4 Alice Ryhl 2025-09-19  201  	fsnotify_create(root->d_inode, dentry);
eafedbc7c050c4 Alice Ryhl 2025-09-19  202  	inode_unlock(d_inode(root));
eafedbc7c050c4 Alice Ryhl 2025-09-19  203  
eafedbc7c050c4 Alice Ryhl 2025-09-19  204  	return 0;
eafedbc7c050c4 Alice Ryhl 2025-09-19  205  
eafedbc7c050c4 Alice Ryhl 2025-09-19  206  err:
eafedbc7c050c4 Alice Ryhl 2025-09-19  207  	kfree(device);
eafedbc7c050c4 Alice Ryhl 2025-09-19  208  	rust_binder_remove_context(ctx);
eafedbc7c050c4 Alice Ryhl 2025-09-19  209  	mutex_lock(&binderfs_minors_mutex);
eafedbc7c050c4 Alice Ryhl 2025-09-19  210  	--info->device_count;
eafedbc7c050c4 Alice Ryhl 2025-09-19  211  	ida_free(&binderfs_minors, minor);
eafedbc7c050c4 Alice Ryhl 2025-09-19  212  	mutex_unlock(&binderfs_minors_mutex);
eafedbc7c050c4 Alice Ryhl 2025-09-19  213  	iput(inode);
eafedbc7c050c4 Alice Ryhl 2025-09-19  214  
eafedbc7c050c4 Alice Ryhl 2025-09-19  215  	return ret;
eafedbc7c050c4 Alice Ryhl 2025-09-19  216  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ