Message ID | 20210921203335.GB16529@kili (mailing list archive) |
---|---|
State | New, archived |
Series | smbfs_client: fix a sign extension bug |
merged into cifs-2.6.git for-next On Tue, Sep 21, 2021 at 4:13 PM Dan Carpenter <dan.carpenter@oracle.com> wrote: > > The problem is the mismatched types between "ctx->total_len" which is > an unsigned int, "rc" which is an int, and "ctx->rc" which is a > ssize_t. The code does: > > ctx->rc = (rc == 0) ? ctx->total_len : rc; > > We want "ctx->rc" to store the negative "rc" error code. But what > happens is that "rc" is type promoted to a high unsigned int and > 'ctx->rc" will store the high positive value instead of a negative > value. > > The fix is to change "rc" from an int to a ssize_t. > > Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > fs/smbfs_client/file.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/smbfs_client/file.c b/fs/smbfs_client/file.c > index 4d10c9343890..7db9ddb3381f 100644 > --- a/fs/smbfs_client/file.c > +++ b/fs/smbfs_client/file.c > @@ -3111,7 +3111,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx) > struct cifs_tcon *tcon; > struct cifs_sb_info *cifs_sb; > struct dentry *dentry = ctx->cfile->dentry; > - int rc; > + ssize_t rc; > > tcon = tlink_tcon(ctx->cfile->tlink); > cifs_sb = CIFS_SB(dentry->d_sb); > -- > 2.20.1 >
diff --git a/fs/smbfs_client/file.c b/fs/smbfs_client/file.c index 4d10c9343890..7db9ddb3381f 100644 --- a/fs/smbfs_client/file.c +++ b/fs/smbfs_client/file.c @@ -3111,7 +3111,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx) struct cifs_tcon *tcon; struct cifs_sb_info *cifs_sb; struct dentry *dentry = ctx->cfile->dentry; - int rc; + ssize_t rc; tcon = tlink_tcon(ctx->cfile->tlink); cifs_sb = CIFS_SB(dentry->d_sb);
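Review bot: the new declaration "ssize_t rc;" fixes the assignment only through conversion rank, and nothing at the declaration records that. The expression quoted in the commit message, "ctx->rc = (rc == 0) ? ctx->total_len : rc;", keeps the sign of the error code only while rc is wider than the unsigned int ctx->total_len, so a later cleanup that turns rc back into an int would reintroduce the bug. Suggest a one-line comment on the declaration, or an explicit (ssize_t) cast on ctx->total_len in that ternary so the result type no longer depends on how rc is declared.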
The problem is the mismatched types between "ctx->total_len" which is
an unsigned int, "rc" which is an int, and "ctx->rc" which is a
ssize_t. The code does:

	ctx->rc = (rc == 0) ? ctx->total_len : rc;

We want "ctx->rc" to store the negative "rc" error code. But what
happens is that "rc" is type promoted to a high unsigned int and
"ctx->rc" will store the high positive value instead of a negative
value.

The fix is to change "rc" from an int to a ssize_t.

Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 fs/smbfs_client/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
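The conversion described in the commit message, reproduced in user space as an added example (not part of the patch or the kernel source). `struct demo_aio_ctx`, the two `store_result_*` functions and the sample error value are constructed stand-ins, and the printed values assume an LP64 target where ssize_t is 64 bits.

```c
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Stand-in for the two fields of struct cifs_aio_ctx named in the commit
 * message; the real structure has more members (simplified assumption). */
struct demo_aio_ctx {
    unsigned int total_len;
    ssize_t rc;
};

/* Before the fix: rc is int. The ?: operands are unsigned int and int, so
 * the usual arithmetic conversions give the expression type unsigned int.
 * A negative rc becomes a large unsigned value, which is then widened to
 * ssize_t without sign extension. */
ssize_t store_result_int(struct demo_aio_ctx *ctx, int rc)
{
    ctx->rc = (rc == 0) ? ctx->total_len : rc;
    return ctx->rc;
}

/* After the fix: rc is ssize_t. On LP64 ssize_t outranks unsigned int, so
 * total_len is converted to ssize_t and the sign of rc is preserved. */
ssize_t store_result_ssize(struct demo_aio_ctx *ctx, ssize_t rc)
{
    ctx->rc = (rc == 0) ? ctx->total_len : rc;
    return ctx->rc;
}

int main(void)
{
    struct demo_aio_ctx ctx = { .total_len = 4096, .rc = 0 };
    int err = -5;   /* constructed sample: negative errno-style code */

    /* A caller testing "ctx->rc < 0" misses the error in the first case. */
    printf("int rc:     ctx->rc = %zd\n", store_result_int(&ctx, err));
    printf("ssize_t rc: ctx->rc = %zd\n", store_result_ssize(&ctx, err));
    printf("success:    ctx->rc = %zd\n", store_result_ssize(&ctx, 0));
    return 0;
}
```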