Re: [PATCH v2] cifs: Fix copy_to_iter return value check
From: Tom Talpey
Date: Mon Oct 06 2025 - 20:25:39 EST
On 10/5/2025 10:19 AM, Fushuai Wang wrote:
The return value of copy_to_iter() function will never be negative,
it is the number of bytes copied, or zero if nothing was copied.
Update the check to treat !length as an error, and return -1 in
that case.
Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
Signed-off-by: Fushuai Wang <wangfushuai@xxxxxxxxx>
---
fs/smb/client/smb2ops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 058050f744c0..577ac2e11e77 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -4764,8 +4764,8 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
/* read response payload is in buf */
WARN_ONCE(buffer, "read data can be either in buf or in buffer");
length = copy_to_iter(buf + data_offset, data_len, &rdata->subreq.io_iter);
- if (length < 0)
- return length;
+ if (!length)
+ return -1;
rdata->got_bytes = data_len;
I think this has exposed several issues, and one's still there.
1) copy_to_iter() returns a size_t, which is the fundamental reason
this can never be negative. The code is assigning the size_t to
an integer ("length"), which is why static checkers never found it.
You should correct this.
2) If the "length" is positive, it's completely ignored and the
previously-computed "data_len" is substituted. This pre-existing
mistake could easily cause a too-large read data count to be
returned, incorrectly.
3) I detest using integers as booleans. Please spell out a test
against zero. But I guess I wouldn't nak for that alone.
Tom.
} else {
/* read response payload cannot be in both buf and pages */