Re: [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers()

From: Dan Carpenter

Date: Sat May 30 2026 - 13:53:21 EST


Hi Pavitra,

kernel test robot noticed the following build warnings:

url: https://github.com/intel-lab-lkp/linux/commits/Pavitra-Jha/ceph-fix-bare-ceph_decode_8-OOB-in-decode_lockers/20260528-212749
base: https://github.com/ceph/ceph-client.git testing
patch link: https://lore.kernel.org/r/20260528132521.843004-1-jhapavitra98%40gmail.com
patch subject: [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers()
config: um-randconfig-r073-20260530 (https://download.01.org/0day-ci/archive/20260531/202605310022.LGyGb8eD-lkp@xxxxxxxxx/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
smatch: v0.5.0-9185-gbcc58b9c

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <error27@xxxxxxxxx>
| Closes: https://lore.kernel.org/r/202605310022.LGyGb8eD-lkp@xxxxxxxxx/

smatch warnings:
net/ceph/cls_lock_client.c:313 decode_lockers() warn: missing error code 'ret'

vim +/ret +313 net/ceph/cls_lock_client.c

d4ed4a53056288 Douglas Fuller 2015-06-29 288 static int decode_lockers(void **p, void *end, u8 *type, char **tag,
d4ed4a53056288 Douglas Fuller 2015-06-29 289 struct ceph_locker **lockers, u32 *num_lockers)
d4ed4a53056288 Douglas Fuller 2015-06-29 290 {
d4ed4a53056288 Douglas Fuller 2015-06-29 291 u8 struct_v;
d4ed4a53056288 Douglas Fuller 2015-06-29 292 u32 struct_len;
d4ed4a53056288 Douglas Fuller 2015-06-29 293 char *s;
d4ed4a53056288 Douglas Fuller 2015-06-29 294 int i;
d4ed4a53056288 Douglas Fuller 2015-06-29 295 int ret;
d4ed4a53056288 Douglas Fuller 2015-06-29 296
d4ed4a53056288 Douglas Fuller 2015-06-29 297 ret = ceph_start_decoding(p, end, 1, "cls_lock_get_info_reply",
d4ed4a53056288 Douglas Fuller 2015-06-29 298 &struct_v, &struct_len);
d4ed4a53056288 Douglas Fuller 2015-06-29 299 if (ret)
d4ed4a53056288 Douglas Fuller 2015-06-29 300 return ret;
d4ed4a53056288 Douglas Fuller 2015-06-29 301
d4ed4a53056288 Douglas Fuller 2015-06-29 302 *num_lockers = ceph_decode_32(p);
69050f8d6d075d Kees Cook 2026-02-20 303 *lockers = kzalloc_objs(**lockers, *num_lockers, GFP_NOIO);
d4ed4a53056288 Douglas Fuller 2015-06-29 304 if (!*lockers)
d4ed4a53056288 Douglas Fuller 2015-06-29 305 return -ENOMEM;
d4ed4a53056288 Douglas Fuller 2015-06-29 306
d4ed4a53056288 Douglas Fuller 2015-06-29 307 for (i = 0; i < *num_lockers; i++) {
d4ed4a53056288 Douglas Fuller 2015-06-29 308 ret = decode_locker(p, end, *lockers + i);
d4ed4a53056288 Douglas Fuller 2015-06-29 309 if (ret)
d4ed4a53056288 Douglas Fuller 2015-06-29 310 goto err_free_lockers;
d4ed4a53056288 Douglas Fuller 2015-06-29 311 }
d4ed4a53056288 Douglas Fuller 2015-06-29 312
cff58e4599d8e1 Pavitra Jha 2026-05-28 @313 ceph_decode_8_safe(p, end, *type, err_free_lockers);

This macro has a goto err_free_lockers but the error code isn't set.

d4ed4a53056288 Douglas Fuller 2015-06-29 314 s = ceph_extract_encoded_string(p, end, NULL, GFP_NOIO);
d4ed4a53056288 Douglas Fuller 2015-06-29 315 if (IS_ERR(s)) {
d4ed4a53056288 Douglas Fuller 2015-06-29 316 ret = PTR_ERR(s);
d4ed4a53056288 Douglas Fuller 2015-06-29 317 goto err_free_lockers;
d4ed4a53056288 Douglas Fuller 2015-06-29 318 }
d4ed4a53056288 Douglas Fuller 2015-06-29 319
d4ed4a53056288 Douglas Fuller 2015-06-29 320 *tag = s;
d4ed4a53056288 Douglas Fuller 2015-06-29 321 return 0;
d4ed4a53056288 Douglas Fuller 2015-06-29 322
d4ed4a53056288 Douglas Fuller 2015-06-29 323 err_free_lockers:
d4ed4a53056288 Douglas Fuller 2015-06-29 324 ceph_free_lockers(*lockers, *num_lockers);
d4ed4a53056288 Douglas Fuller 2015-06-29 325 return ret;
d4ed4a53056288 Douglas Fuller 2015-06-29 326 }

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
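The warning is about the last line of the posted function: after the decode_locker() loop has succeeded, ret is 0, so when ceph_decode_8_safe() jumps to err_free_lockers on a short buffer the function frees *lockers and then returns 0. The caller sees success with *lockers pointing at freed memory and *type never written. The example below is added here and is not kernel code: it reproduces that control flow with cut-down stand-ins for the ceph decode helpers (same shape as the kernel macros, which goto a label without touching ret), and compares the posted code with a version that sets ret = -EINVAL before the macro. struct locker, the reply layout, the sample bytes and the last_freed/last_ret bookkeeping are all assumptions made for the demo.

```c
/*
 * Model of the error path flagged above.  Added example, not kernel code: the
 * ceph_decode_* helpers are cut-down stand-ins for include/linux/ceph/decode.h
 * (same shape: the *_safe macros 'goto' a label on short input and never set
 * 'ret'); struct locker, the reply layout and the sample bytes are constructed.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

static inline int ceph_has_room(void **p, void *end, size_t n)
{
	return (char *)end >= (char *)*p && n <= (size_t)((char *)end - (char *)*p);
}
static inline uint8_t ceph_decode_8(void **p)
{
	uint8_t v = *(uint8_t *)*p;
	*p = (uint8_t *)*p + 1;
	return v;
}
static inline uint32_t ceph_decode_32(void **p)		/* little-endian on the wire */
{
	const uint8_t *b = *p;
	*p = (uint8_t *)b + 4;
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}
#define ceph_decode_need(p, end, n, bad) \
	do { if (!ceph_has_room(p, end, n)) goto bad; } while (0)
#define ceph_decode_8_safe(p, end, v, bad) \
	do { ceph_decode_need(p, end, 1, bad); v = ceph_decode_8(p); } while (0)
#define ceph_decode_32_safe(p, end, v, bad) \
	do { ceph_decode_need(p, end, 4, bad); v = ceph_decode_32(p); } while (0)

struct locker { uint8_t id; };		/* stand-in for struct ceph_locker */
static struct locker *last_freed;	/* demo bookkeeping: what the error path freed */

/* Constructed reply layout: u32 count, count x u8 locker ids, u8 type. */
static int decode_locker(void **p, void *end, struct locker *l)
{
	ceph_decode_8_safe(p, end, l->id, bad);
	return 0;
bad:
	return -EINVAL;
}

/*
 * Control flow of the posted decode_lockers().  With fixed == 0, 'ret' is 0
 * after the loop, so a missing 'type' byte jumps to err_free_lockers and
 * returns 0 although *lockers was just freed.  With fixed == 1 the label
 * has a real error code before the macro can jump to it.
 */
static int decode_lockers(void **p, void *end, uint8_t *type,
			  struct locker **lockers, uint32_t *num, int fixed)
{
	uint32_t i;
	int ret = 0;			/* as left by a successful ceph_start_decoding() */

	ceph_decode_32_safe(p, end, *num, e_inval);
	*lockers = calloc(*num, sizeof(**lockers));
	if (!*lockers)
		return -ENOMEM;
	for (i = 0; i < *num; i++) {
		ret = decode_locker(p, end, *lockers + i);
		if (ret)
			goto err_free_lockers;
	}
	if (fixed)
		ret = -EINVAL;		/* the one-line fix */
	ceph_decode_8_safe(p, end, *type, err_free_lockers);
	return 0;
e_inval:
	return -EINVAL;
err_free_lockers:
	last_freed = *lockers;		/* stands in for ceph_free_lockers() */
	free(*lockers);
	return ret;
}

/* What a caller that trusts ret == 0 and then uses *lockers would see. */
enum outcome { CALLER_OK, CALLER_ERROR, CALLER_DANGLING };
static int last_ret;			/* decoder's return value from the last call_decoder() */

static enum outcome call_decoder(const uint8_t *reply, size_t len, int fixed)
{
	void *p = (void *)reply, *end = (void *)(reply + len);
	struct locker *lockers = NULL;
	uint32_t num = 0;
	uint8_t type = 0;

	last_freed = NULL;
	last_ret = decode_lockers(&p, end, &type, &lockers, &num, fixed);
	if (last_ret < 0)
		return CALLER_ERROR;
	if (lockers == last_freed)	/* "success", but the array is already gone */
		return CALLER_DANGLING;
	free(lockers);
	return CALLER_OK;
}

static const uint8_t good_reply[]      = { 2, 0, 0, 0, 0x11, 0x22, 7 };	/* constructed */
static const uint8_t truncated_reply[] = { 2, 0, 0, 0, 0x11, 0x22 };	/* type byte missing */
```

Driving call_decoder() with truncated_reply and fixed == 0 returns CALLER_DANGLING with last_ret == 0, which is the situation smatch is pointing at; with fixed == 1 it returns CALLER_ERROR with last_ret == -EINVAL, and good_reply succeeds either way. Whether ret is assigned before the macro, as here, or the macro is pointed at a separate label that sets ret and falls into err_free_lockers, the requirement is the same: the value returned from the label must not depend on what the loop happened to leave in ret.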