2006-08-12 21:33:17

by Jesper Juhl

[permalink] [raw]
Subject: [PATCH] XFS: possibly uninitialized variable use in fs/xfs/xfs_da_btree.c::xfs_da_node_lookup_int()

Ok, I'll honestly admit that I'm in over my head here. But, coverity found
a potential use of an uninitialized variable in
fs/xfs/xfs_da_btree.c::xfs_da_node_lookup_int() and I think it might be
correct (coverity bug #900).

The problem spot is this bit of code :

...
if (blk->magic == XFS_DIR2_LEAFN_MAGIC) {
retval = xfs_dir2_leafn_lookup_int(blk->bp, args,
&blk->index, state);
}
else if (blk->magic == XFS_ATTR_LEAF_MAGIC) {
retval = xfs_attr_leaf_lookup_int(blk->bp, args);
blk->index = args->index;
args->blkno = blk->blkno;
}
if (((retval == ENOENT) || (retval == ENOATTR)) &&

^^^--- 'retval' possibly used uninitialized here...

(blk->hashval == args->hashval)) {
...

Nothing initializes 'retval' before this bit of code, so if 'blk->magic' is
neither == XFS_DIR2_LEAFN_MAGIC or XFS_ATTR_LEAF_MAGIC then it'll be in an
uninitialized state when we get to the "if (((retval == ENOENT) ..." bit.

Now we get to the part where I'm in over my head.

Since there is code above that check 'blk->magic' against
being == XFS_DA_NODE_MAGIC and I don't see how we would be skipping the
code quoted above in that case, it looks to me like this could happen and
lead to the uninitialized use of retval.
It also seems to me, from reading fs/xfs/xfs_da_btree.h, that 'blk->magic'
might in some cases be == XFS_DIR2_LEAF1_MAGIC in which case we'd also end
up using retval uninitialized.

Now, what to do about it. Well, if I'm reading the function correctly the
safest thing would be to assume a 'retval' of ENOENT if the above
"if/else if" didn't trigger, so below is a patch that initializes 'retval'
to that value so that if we do hit this corner case we'll just act as if
we couldn't find what we were looking for in the Btree.

I suspect I may be completely wrong, and if that's the case I'd sure like
an explanation of where I went wrong along with the NACK for the patch.
In case my understanding is in fact correct and the patch below makes sense,
then kindly apply :-)



Signed-off-by: Jesper Juhl <[email protected]>
---

fs/xfs/xfs_da_btree.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)

--- linux-2.6.18-rc4-orig/fs/xfs/xfs_da_btree.c 2006-08-11 00:11:13.000000000 +0200
+++ linux-2.6.18-rc4/fs/xfs/xfs_da_btree.c 2006-08-12 23:18:23.000000000 +0200
@@ -1053,7 +1053,8 @@ xfs_da_node_lookup_int(xfs_da_state_t *s
xfs_da_intnode_t *node;
xfs_da_node_entry_t *btree;
xfs_dablk_t blkno;
- int probe, span, max, error, retval;
+ int probe, span, max, error;
+ int retval = ENOENT;
xfs_dahash_t hashval;
xfs_da_args_t *args;




2006-08-14 01:55:18

by Nathan Scott

[permalink] [raw]
Subject: Re: [PATCH] XFS: possibly uninitialized variable use in fs/xfs/xfs_da_btree.c::xfs_da_node_lookup_int()

On Sat, Aug 12, 2006 at 11:34:21PM +0200, Jesper Juhl wrote:
> Ok, I'll honestly admit that I'm in over my head here. But, coverity found
> a potential use of an uninitialized variable in
> fs/xfs/xfs_da_btree.c::xfs_da_node_lookup_int() and I think it might be
> correct (coverity bug #900).

It looks like a false positive to me.

> Nothing initializes 'retval' before this bit of code, so if 'blk->magic' is
> neither == XFS_DIR2_LEAFN_MAGIC or XFS_ATTR_LEAF_MAGIC then it'll be in an
> uninitialized state when we get to the "if (((retval == ENOENT) ..." bit.

blk->magic is guaranteed to be one of those two things by the first
loop.

> Since there is code above that check 'blk->magic' against
> being == XFS_DA_NODE_MAGIC and I don't see how we would be skipping the

Reading closely through the 1st loop we can see that there's no way
to get to the second loop without having one of the LEAF variants in
the magic#. The NODE variant indicates its an internal btree node,
and we move down the btree toward the leaves, at which point we jump
out into the second loop.

> I suspect I may be completely wrong, and if that's the case I'd sure like
> an explanation of where I went wrong along with the NACK for the patch.
> In case my understanding is in fact correct and the patch below makes sense,
> then kindly apply :-)

Its not correct. What I think we should do is add a third branch into
that second loop which just ASSERTs (to trip up a debug build) and set
retval to EFSCORRUPTED (to shut these tools up).

cheers.

--
Nathan