| Message ID | 20220114064625.765511-1-deng.changcheng@zte.com.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | cifs: Replace one-element array with flexible-array member | expand |
Doesn't this change the address of the assignment in this line in the
function (smb2_ioctl_query_info)?
/* Close */
rqst[2].rq_iov = &vars->close_iov[0];
On Fri, Jan 14, 2022 at 8:44 AM <cgel.zte@gmail.com> wrote:
>
> From: Changcheng Deng <deng.changcheng@zte.com.cn>
>
> There is a regular need in the kernel to provide a way to declare having
> a dynamically sized set of trailing elements in a structure. Kernel code
> should always use "flexible array members" for these cases. The older
> style of one-element or zero-length arrays should no longer be used.
> Reference:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
>
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> Signed-off-by: Changcheng Deng <deng.changcheng@zte.com.cn>
> ---
> fs/cifs/smb2ops.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
> index af5d0830bc8a..5c104b2f308a 100644
> --- a/fs/cifs/smb2ops.c
> +++ b/fs/cifs/smb2ops.c
> @@ -1609,10 +1609,10 @@ struct iqi_vars {
> struct smb_rqst rqst[3];
> struct kvec rsp_iov[3];
> struct kvec open_iov[SMB2_CREATE_IOV_SIZE];
> - struct kvec qi_iov[1];
> + struct kvec qi_iov[];
> struct kvec io_iov[SMB2_IOCTL_IOV_SIZE];
> struct kvec si_iov[SMB2_SET_INFO_IOV_SIZE];
> - struct kvec close_iov[1];
> + struct kvec close_iov[];
> };
>
> static int
> --
> 2.25.1
>
This patch is wrong. qi_iov is not even the trailing element of the array so we cant change it to be a flexible array member. This change will likely clobber io_iov so the potential for breaking, memory leaks or ooops is quite possible. qi_iov is supposed to be exactly one element in size. Same for close_iov, while it is the last element in the structure, it is not a flexible array but an array of exactly one member. This change to close_iov would likely lead to reading/writing beyond the end of the structure. NACK On Sat, Jan 15, 2022 at 12:44 AM <cgel.zte@gmail.com> wrote: > > From: Changcheng Deng <deng.changcheng@zte.com.cn> > > There is a regular need in the kernel to provide a way to declare having > a dynamically sized set of trailing elements in a structure. Kernel code > should always use "flexible array members" for these cases. The older > style of one-element or zero-length arrays should no longer be used. > Reference: > https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays > > Reported-by: Zeal Robot <zealci@zte.com.cn> > Signed-off-by: Changcheng Deng <deng.changcheng@zte.com.cn> > --- > fs/cifs/smb2ops.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c > index af5d0830bc8a..5c104b2f308a 100644 > --- a/fs/cifs/smb2ops.c > +++ b/fs/cifs/smb2ops.c > @@ -1609,10 +1609,10 @@ struct iqi_vars { > struct smb_rqst rqst[3]; > struct kvec rsp_iov[3]; > struct kvec open_iov[SMB2_CREATE_IOV_SIZE]; > - struct kvec qi_iov[1]; > + struct kvec qi_iov[]; > struct kvec io_iov[SMB2_IOCTL_IOV_SIZE]; > struct kvec si_iov[SMB2_SET_INFO_IOV_SIZE]; > - struct kvec close_iov[1]; > + struct kvec close_iov[]; > }; > > static int > -- > 2.25.1 >
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index af5d0830bc8a..5c104b2f308a 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -1609,10 +1609,10 @@ struct iqi_vars { struct smb_rqst rqst[3]; struct kvec rsp_iov[3]; struct kvec open_iov[SMB2_CREATE_IOV_SIZE]; - struct kvec qi_iov[1]; + struct kvec qi_iov[]; struct kvec io_iov[SMB2_IOCTL_IOV_SIZE]; struct kvec si_iov[SMB2_SET_INFO_IOV_SIZE]; - struct kvec close_iov[1]; + struct kvec close_iov[]; }; static int