[cifs:for-next 15/15] fs/cifs/transport.c:1247 SendReceive() warn: variable dereferenced before check 'ses' (see line 1245)

Dan Carpenter dan.carpenter at oracle.com
Fri Sep 6 08:13:04 UTC 2019


tree:   git://git.samba.org/sfrench/cifs-2.6.git for-next
head:   2808c6639104c5aea1fccdf692deab0ccf00914f
commit: 2808c6639104c5aea1fccdf692deab0ccf00914f [15/15] cifs: add new debugging macro cifs_server_dbg

If you fix the issue, kindly add the following tags
Reported-by: kbuild test robot <lkp at intel.com>
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>

New smatch warnings:
fs/cifs/transport.c:1247 SendReceive() warn: variable dereferenced before check 'ses' (see line 1245)
fs/cifs/transport.c:1342 SendReceive() warn: inconsistent returns 'mutex:&ses->server->srv_mutex'.
  Locked on:   line 1249
  Unlocked on: line 1284
fs/cifs/transport.c:1342 SendReceive() warn: inconsistent returns 'mutex:&server->srv_mutex'.
  Locked on:   line 1284
  Unlocked on: line 1249
fs/cifs/smb2pdu.c:2763 SMB2_ioctl() warn: variable dereferenced before check 'ses' (see line 2762)
fs/cifs/smb2pdu.c:3067 query_info() warn: variable dereferenced before check 'ses' (see line 3061)

git remote add cifs git://git.samba.org/sfrench/cifs-2.6.git
git remote update cifs
git checkout 2808c6639104c5aea1fccdf692deab0ccf00914f
vim +/ses +1247 fs/cifs/transport.c

96daf2b09178d8 Steve French    2011-05-27  1235  SendReceive(const unsigned int xid, struct cifs_ses *ses,
^1da177e4c3f41 Linus Torvalds  2005-04-16  1236  	    struct smb_hdr *in_buf, struct smb_hdr *out_buf,
480b1cb9dad894 Ronnie Sahlberg 2019-03-08  1237  	    int *pbytes_returned, const int flags)
^1da177e4c3f41 Linus Torvalds  2005-04-16  1238  {
^1da177e4c3f41 Linus Torvalds  2005-04-16  1239  	int rc = 0;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1240  	struct mid_q_entry *midQ;
fb2036d817584d Pavel Shilovsky 2016-11-23  1241  	unsigned int len = be32_to_cpu(in_buf->smb_buf_length);
fb2036d817584d Pavel Shilovsky 2016-11-23  1242  	struct kvec iov = { .iov_base = in_buf, .iov_len = len };
fb2036d817584d Pavel Shilovsky 2016-11-23  1243  	struct smb_rqst rqst = { .rq_iov = &iov, .rq_nvec = 1 };
34f4deb7c56c6f Pavel Shilovsky 2019-01-16  1244  	struct cifs_credits credits = { .value = 1, .instance = 0 };
2808c6639104c5 Ronnie Sahlberg 2019-08-28 @1245  	struct TCP_Server_Info *server = ses->server;
                                                                                         ^^^^^^^^^^^
Dereference

^1da177e4c3f41 Linus Torvalds  2005-04-16  1246  
^1da177e4c3f41 Linus Torvalds  2005-04-16 @1247  	if (ses == NULL) {
                                                            ^^^^^^^^^^^
Check

f96637be081141 Joe Perches     2013-05-04  1248  		cifs_dbg(VFS, "Null smb session\n");
^1da177e4c3f41 Linus Torvalds  2005-04-16  1249  		return -EIO;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1250  	}
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1251  	if (server == NULL) {
f96637be081141 Joe Perches     2013-05-04  1252  		cifs_dbg(VFS, "Null tcp session\n");
^1da177e4c3f41 Linus Torvalds  2005-04-16  1253  		return -EIO;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1254  	}
^1da177e4c3f41 Linus Torvalds  2005-04-16  1255  
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1256  	if (server->tcpStatus == CifsExiting)
31ca3bc3c569f9 Steve French    2005-04-28  1257  		return -ENOENT;
31ca3bc3c569f9 Steve French    2005-04-28  1258  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1259  	/* Ensure that we do not send more than 50 overlapping requests
^1da177e4c3f41 Linus Torvalds  2005-04-16  1260  	   to the same server. We may make this configurable later or
^1da177e4c3f41 Linus Torvalds  2005-04-16  1261  	   use ses->maxReq */
^1da177e4c3f41 Linus Torvalds  2005-04-16  1262  
fb2036d817584d Pavel Shilovsky 2016-11-23  1263  	if (len > CIFSMaxBufSize + MAX_CIFS_HDR_SIZE - 4) {
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1264  		cifs_server_dbg(VFS, "Illegal length, greater than maximum frame, %d\n",
fb2036d817584d Pavel Shilovsky 2016-11-23  1265  			 len);
6d9c6d543165d1 Volker Lendecke 2008-12-08  1266  		return -EIO;
6d9c6d543165d1 Volker Lendecke 2008-12-08  1267  	}
6d9c6d543165d1 Volker Lendecke 2008-12-08  1268  
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1269  	rc = wait_for_free_request(server, flags, &credits.instance);
7ee1af765dfa31 Jeremy Allison  2006-08-02  1270  	if (rc)
7ee1af765dfa31 Jeremy Allison  2006-08-02  1271  		return rc;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1272  
^1da177e4c3f41 Linus Torvalds  2005-04-16  1273  	/* make sure that we sign in the same order that we send on this socket
^1da177e4c3f41 Linus Torvalds  2005-04-16  1274  	   and avoid races inside tcp sendmsg code that could cause corruption
^1da177e4c3f41 Linus Torvalds  2005-04-16  1275  	   of smb data */
^1da177e4c3f41 Linus Torvalds  2005-04-16  1276  
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1277  	mutex_lock(&server->srv_mutex);
^1da177e4c3f41 Linus Torvalds  2005-04-16  1278  
7ee1af765dfa31 Jeremy Allison  2006-08-02  1279  	rc = allocate_mid(ses, in_buf, &midQ);
7ee1af765dfa31 Jeremy Allison  2006-08-02  1280  	if (rc) {
72ca545b2d83ac Jeff Layton     2008-12-01  1281  		mutex_unlock(&ses->server->srv_mutex);
                                                                              ^^^^^^^^^^^^^^^^^^^^^^
This isn't a bug, but Smatch wants you to use "&server->srv_mutex"
instead of &ses->server->srv_mutex.  They are equivalent, but because the
lock at line 1277 and this unlock name the mutex by different expressions,
Smatch cannot pair them and reports the "inconsistent returns" warnings above.

7ee1af765dfa31 Jeremy Allison  2006-08-02  1282  		/* Update # of requests on wire to server */
2808c6639104c5 Ronnie Sahlberg 2019-08-28  1283  		add_credits(server, &credits, 0);
7ee1af765dfa31 Jeremy Allison  2006-08-02  1284  		return rc;
^1da177e4c3f41 Linus Torvalds  2005-04-16  1285  	}
^1da177e4c3f41 Linus Torvalds  2005-04-16  1286  

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


