Re: NFS: nfs_find_open_context() may only select open files

From: Trond Myklebust
Date: Tue Jun 29 2021 - 13:10:34 EST


On Tue, 2021-06-29 at 18:05 +0100, Colin Ian King wrote:
> Hi,
>
> Static analysis on linux-next with Coverity has found a potential
> null
> pointer dereference in the following commit:
>
> commit 92735943dc6cf52aeaf2ce9aee397dee55e3ef05
> Author: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> Date:   Tue May 11 23:41:10 2021 -0400
>
>     NFS: nfs_find_open_context() may only select open files
>
> The analysis is as follows:
>
> 1113 struct nfs_open_context *nfs_find_open_context(struct inode
> *inode,
> const struct cred *cred, fmode_t mode)
> 1114 {
> 1115        struct nfs_inode *nfsi = NFS_I(inode);
>
>     1. assign_zero: Assigning: ctx = NULL.
>
> 1116        struct nfs_open_context *pos, *ctx = NULL;
> 1117
> 1118        rcu_read_lock();
>
>     2. Condition 1 /* !0 */, taking true branch.
>     3. Condition !rcu_read_lock_any_held(), taking true branch.
>     4. Condition debug_lockdep_rcu_enabled(), taking true branch.
>     5. Condition !__warned, taking true branch.
>     6. Condition 0 /* !((((sizeof (nfsi->open_files.next) == sizeof
> (char) || sizeof (nfsi->open_files.next) == sizeof (short)) || sizeof
> (nfsi->open_files.next) == sizeof (int)) || sizeof
> (nfsi->open_files.next) == sizeof (long)) || sizeof
> (nfsi->open_files.next) == sizeof (long long)) */, taking false
> branch.
>     7. Condition 0 /* !!(!__builtin_types_compatible_p() &&
> !__builtin_types_compatible_p()) */, taking false branch.
>     8. Condition &pos->list != &nfsi->open_files, taking true branch.
>     13. Condition 0 /* !((((sizeof (pos->list.next) == sizeof (char)
> ||
> sizeof (pos->list.next) == sizeof (short)) || sizeof (pos->list.next)
> ==
> sizeof (int)) || sizeof (pos->list.next) == sizeof (long)) || sizeof
> (pos->list.next) == sizeof (long long)) */, taking false branch.
>     14. Condition 0 /* !!(!__builtin_types_compatible_p() &&
> !__builtin_types_compatible_p()) */, taking false branch.
>     15. Condition &pos->list != &nfsi->open_files, taking true
> branch.
>     20. Condition 0 /* !((((sizeof (pos->list.next) == sizeof (char)
> ||
> sizeof (pos->list.next) == sizeof (short)) || sizeof (pos->list.next)
> ==
> sizeof (int)) || sizeof (pos->list.next) == sizeof (long)) || sizeof
> (pos->list.next) == sizeof (long long)) */, taking false branch.
>     21. Condition 0 /* !!(!__builtin_types_compatible_p() &&
> !__builtin_types_compatible_p()) */, taking false branch.
>     22. Condition &pos->list != &nfsi->open_files, taking true
> branch.
> 1119        list_for_each_entry_rcu(pos, &nfsi->open_files, list) {
>     9. Condition cred != NULL, taking true branch.
>     10. Condition cred_fscmp(pos->cred, cred) != 0, taking false
> branch.
>     16. Condition cred != NULL, taking true branch.
>     17. Condition cred_fscmp(pos->cred, cred) != 0, taking false
> branch.
>     23. Condition cred != NULL, taking true branch.
>     24. Condition cred_fscmp(pos->cred, cred) != 0, taking false
> branch.
>
> 1120                if (cred != NULL && cred_fscmp(pos->cred, cred)
> != 0)
> 1121                        continue;
>
>     11. Condition (pos->mode & (3U /* (fmode_t)1 | (fmode_t)2 */)) !=
> mode, taking true branch.
>     18. Condition (pos->mode & (3U /* (fmode_t)1 | (fmode_t)2 */)) !=
> mode, taking true branch.
>     25. Condition (pos->mode & (3U /* (fmode_t)1 | (fmode_t)2 */)) !=
> mode, taking false branch.
> 1122                if ((pos->mode & (FMODE_READ|FMODE_WRITE)) !=
> mode)
>     12. Continuing loop.
>     19. Continuing loop.
> 1123                        continue;
>
>     Explicit null dereferenced (FORWARD_NULL)
>     26. var_deref_model: Passing null pointer &ctx->flags to
> test_bit,
> which dereferences it.
>
> 1124                if (!test_bit(NFS_CONTEXT_FILE_OPEN, &ctx-
> >flags))

That should be &pos->flags....

> 1125                        continue;
> 1126                ctx = get_nfs_open_context(pos);
> 1127                if (ctx)
> 1128                        break;
> 1129        }
> 1130        rcu_read_unlock();
> 1131        return ctx;
> 1132 }
>
> Coverity is indicating that the test_bit call on &ctx->flags can
> cause a
> null pointer dereference when ctx is NULL.  I'm not entirely
> convinced
> if this is a false positive, so I though I had better report this
> issue.
>
> Colin
>

Thanks for reporting this! This would be a brown paper bag moment.

--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx