[PATCH v2] cifs: Fix copy_to_iter return value check

[Tom Talpey]

On 10/5/2025 10:19 AM, Fushuai Wang wrote:
> The return value of copy_to_iter() function will never be negative,
> it is the number of bytes copied, or zero if nothing was copied.
> Update the check to treat !length as an error, and return -1 in
> that case.
> 
> Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
> Signed-off-by: Fushuai Wang <wangfushuai at baidu.com>
> ---
>   fs/smb/client/smb2ops.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
> index 058050f744c0..577ac2e11e77 100644
> --- a/fs/smb/client/smb2ops.c
> +++ b/fs/smb/client/smb2ops.c
> @@ -4764,8 +4764,8 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
>   		/* read response payload is in buf */
>   		WARN_ONCE(buffer, "read data can be either in buf or in buffer");
>   		length = copy_to_iter(buf + data_offset, data_len, &rdata->subreq.io_iter);
> -		if (length < 0)
> -			return length;
> +		if (!length)
> +			return -1;
>   		rdata->got_bytes = data_len;

I think this has exposed several issues, and one's still there.

1) copy_to_iter() returns a size_t, which is the fundamental reason
this can never be negative. The code is assigning the size_t to
an integer ("length"), which is why static checkers never found it.
You should correct this.

2) If the "length" is positive, it's completely ignored and the
previously-computed "data_len" is substituted. This pre-existing
mistake could easily cause a too-large read data count to be
returned, incorrectly.

3) I detest using integers as booleans. Please spell out a test
against zero. But I guess I wouldn't nak for that alone.

Tom.

>   	} else {
>   		/* read response payload cannot be in both buf and pages */