2022-02-08 16:21:28

by Jens Axboe

Subject: Re: [PATCH io_uring-5.17] io_uring: Fix build error potential reading uninitialized value

On 2/7/22 4:43 AM, Ammar Faizi wrote:
> From: Alviro Iskandar Setiawan <[email protected]>
>
> In io_recv() if import_single_range() fails, the @flags variable is
> uninitialized, then it will goto out_free.
>
> After the goto, the compiler doesn't know that (ret < min_ret) is
> always true, so it thinks the "if ((flags & MSG_WAITALL) ..." path
> could be taken.
>
> The complaint comes from gcc-9 (Debian 9.3.0-22) 9.3.0:
> ```
> fs/io_uring.c:5238 io_recvfrom() error: uninitialized symbol 'flags'
> ```
> Fix this by bypassing the @ret and @flags check when
> import_single_range() fails.

The compiler should be able to deduce this, and I guess newer compilers
do which is why we haven't seen this warning before. I'm fine with doing
this as a cleanup, but I think the commit title should be modified a
bit. It sounds like there might be an issue reading uninitialized data,
which isn't actually true.

--
Jens Axboe



2022-02-09 08:34:40

by Ammar Faizi

Subject: [PATCH io_uring-5.17 v2] io_uring: Clean up a false-positive warning from GCC 9.3.0

From: Alviro Iskandar Setiawan <[email protected]>

In io_recv(), if import_single_range() fails, the @flags variable is
uninitialized, then it will goto out_free.

After the goto, the compiler doesn't know that (ret < min_ret) is
always true, so it thinks the "if ((flags & MSG_WAITALL) ..." path
could be taken.

The complaint comes from gcc-9 (Debian 9.3.0-22) 9.3.0:
```
fs/io_uring.c:5238 io_recvfrom() error: uninitialized symbol 'flags'
```
Fix this by bypassing the @ret and @flags check when
import_single_range() fails.

Reasons:
1. import_single_range() only returns -EFAULT when it fails.
2. At that point, @flags is uninitialized and shouldn't be read.

Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Reported-by: "Chen, Rong A" <[email protected]>
Link: https://lore.gnuweeb.org/timl/[email protected]/
Cc: Pavel Begunkov <[email protected]>
Suggested-by: Ammar Faizi <[email protected]>
Fixes: 7297ce3d59449de49d3c9e1f64ae25488750a1fc ("io_uring: improve send/recv error handling")
Signed-off-by: Alviro Iskandar Setiawan <[email protected]>
Signed-off-by: Ammar Faizi <[email protected]>
---

v2:
- Update the subject line

fs/io_uring.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 2e04f718319d..3445c4da0153 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5228,7 +5228,6 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
min_ret = iov_iter_count(&msg.msg_iter);

ret = sock_recvmsg(sock, &msg, flags);
-out_free:
if (ret < min_ret) {
if (ret == -EAGAIN && force_nonblock)
return -EAGAIN;
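Review bot: with `out_free:` dropped from in front of `if (ret < min_ret)`, the import_single_range() failure path no longer passes through the `ret == -EAGAIN && force_nonblock` early return or the `-ERESTARTSYS` rewrite. That is only safe because the goto site hands in `-EFAULT` and nothing else, which the commit message asserts but nothing in this hunk shows; a one-line comment at the goto in io_recv() stating that `-EFAULT` is the sole value that can arrive here would keep the next reader from having to re-derive it.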
@@ -5236,9 +5235,9 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
ret = -EINTR;
req_set_fail(req);
} else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
+out_free:
req_set_fail(req);
}
-
__io_req_complete(req, issue_flags, ret, io_put_kbuf(req));
return 0;
}
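Review bot: the label now sits inside the body of the `else if`, so the goto enters a compound statement past both the `ret < min_ret` and the `(flags & MSG_WAITALL)` conditions. That is legal C (labels have function scope) and it keeps `req_set_fail(req)` on the -EFAULT path exactly as before, since that path previously took the `ret < min_ret` branch and ended in the same `req_set_fail(req)` call; but a label inside an else-if body is an unusual shape, and a later edit that adds a declaration or a second statement to that block could silently change what the jump skips. A short comment on the `out_free:` line saying that only the import_single_range() failure lands here would help. The removed blank line before `__io_req_complete()` is an unrelated whitespace change that could be left out to keep the diff to the functional change.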

base-commit: f6133fbd373811066c8441737e65f384c8f31974
--
2.32.0
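As an added example, not code from the patch, the thread, or the kernel: the tail of io_recv() modelled in plain C with both label placements in one body, so the two can be run side by side. The pre-patch placement jumps to a label before the `ret < min_ret` check (the shape that made gcc 9.3.0 complain about `flags`); the v2 placement jumps into the else-if body. The constant values, the `recv_case`/`recv_outcome` structs, `io_recv_model`, `layouts_agree` and `check_all_cases` are assumptions made for the model, and the six cases are constructed to cover every branch.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel constants; values are illustrative. */
#define EFAULT      14
#define EAGAIN      11
#define ERESTARTSYS 512
#define EINTR       4
#define MSG_WAITALL 0x100
#define MSG_TRUNC   0x20
#define MSG_CTRUNC  0x08

/* Hypothetical model of the inputs that steer one io_recv() call. */
struct recv_case {
	int import_fails;   /* import_single_range() fails with -EFAULT */
	int force_nonblock; /* nonblocking issue: -EAGAIN is returned early */
	int sr_flags;       /* sr->msg_flags from the SQE */
	int buf_len;        /* iov_iter_count(&msg.msg_iter) */
	int recv_ret;       /* what sock_recvmsg() returns */
	int recv_msg_flags; /* msg.msg_flags after sock_recvmsg() */
};

struct recv_outcome {
	int ret;       /* value passed to __io_req_complete(), or the early -EAGAIN */
	int completed; /* 1 if __io_req_complete() was reached */
	int failed;    /* 1 if req_set_fail() was called */
};

/* Tail of io_recv() with both label placements: @patched selects whether
 * the -EFAULT path jumps to the pre-patch label (before the ret < min_ret
 * check) or to the v2 label (inside the else-if body). */
static struct recv_outcome io_recv_model(const struct recv_case *c, int patched)
{
	struct recv_outcome o = {0, 0, 0};
	int min_ret = 0, msg_flags = 0, flags, ret;

	if (c->import_fails) {
		ret = -EFAULT;		/* the only error import_single_range() returns */
		if (patched)
			goto out_free_v2;
		goto out_free_v1;	/* @flags is still unassigned here */
	}
	flags = c->sr_flags;
	if (flags & MSG_WAITALL)
		min_ret = c->buf_len;
	ret = c->recv_ret;
	msg_flags = c->recv_msg_flags;
out_free_v1:
	if (ret < min_ret) {		/* always true for ret == -EFAULT, min_ret >= 0 */
		if (ret == -EAGAIN && c->force_nonblock) {
			o.ret = -EAGAIN;
			return o;	/* early return, request not completed */
		}
		if (ret == -ERESTARTSYS)
			ret = -EINTR;
		o.failed = 1;
	} else if ((flags & MSG_WAITALL) && (msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
out_free_v2:			/* v2 placement: lands past both conditions */
		o.failed = 1;
	}
	o.ret = ret;
	o.completed = 1;
	return o;
}

/* 1 if both label placements give the same outcome for this case. */
static int layouts_agree(const struct recv_case *c)
{
	struct recv_outcome a = io_recv_model(c, 0), b = io_recv_model(c, 1);
	return a.ret == b.ret && a.completed == b.completed && a.failed == b.failed;
}

/* Constructed cases covering every branch; returns how many of the 6 agree. */
static int check_all_cases(void)
{
	static const struct recv_case cases[] = {
		{1, 0, 0, 0, 0, 0},                        /* import_single_range() fails */
		{0, 0, 0, 0, 100, 0},                      /* ordinary full read */
		{0, 0, MSG_WAITALL, 100, 50, 0},           /* short read under MSG_WAITALL */
		{0, 0, MSG_WAITALL, 100, 100, MSG_TRUNC},  /* full read but truncated */
		{0, 1, 0, 0, -EAGAIN, 0},                  /* nonblocking, would block */
		{0, 0, 0, 0, -ERESTARTSYS, 0},             /* interrupted by a signal */
	};
	int n = (int)(sizeof(cases) / sizeof(cases[0])), agree = 0, i;

	for (i = 0; i < n; i++)
		agree += layouts_agree(&cases[i]);
	return agree;
}

int main(void)
{
	printf("label placements agree on %d of 6 cases\n", check_all_cases());
	return 0;
}
```

Building this with `gcc -O2 -Wall` is the setting in which a gcc that cannot prove the v1 path never evaluates the else-if may report `flags` as maybe-uninitialized, the same false positive the thread is about; running it shows every case, the -EFAULT one included, ending with the same `ret`, completion and `req_set_fail` state under both placements, which is what makes the patch a cleanup rather than a behaviour change.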


2022-02-09 09:25:33

by Jens Axboe

Subject: Re: [PATCH io_uring-5.17 v2] io_uring: Clean up a false-positive warning from GCC 9.3.0

On Mon, 7 Feb 2022 21:05:33 +0700, Ammar Faizi wrote:
> From: Alviro Iskandar Setiawan <[email protected]>
>
> In io_recv(), if import_single_range() fails, the @flags variable is
> uninitialized, then it will goto out_free.
>
> After the goto, the compiler doesn't know that (ret < min_ret) is
> always true, so it thinks the "if ((flags & MSG_WAITALL) ..." path
> could be taken.
>
> [...]

Applied, thanks!

[1/1] io_uring: Clean up a false-positive warning from GCC 9.3.0
commit: 0d7c1153d9291197c1dc473cfaade77acb874b4b

Best regards,
--
Jens Axboe