[bug report] nvmet: implement basic In-Band Authentication

Mon Jul 18 06:14:30 PDT 2022

Hello Hannes Reinecke,

The patch b281bec75946: "nvmet: implement basic In-Band
Authentication" from Jun 27, 2022, leads to the following Smatch
static checker warning:

    drivers/nvme/target/fabrics-cmd-auth.c:251 nvmet_execute_auth_send()
    warn: impossible condition '(status < 0) => (0-u16max < 0)'

    drivers/nvme/target/fabrics-cmd-auth.c:488 nvmet_execute_auth_receive()
    warn: impossible condition '(status < 0) => (0-u16max < 0)'

drivers/nvme/target/fabrics-cmd-auth.c
    187 void nvmet_execute_auth_send(struct nvmet_req *req)
    188 {
    189         struct nvmet_ctrl *ctrl = req->sq->ctrl;
    190         struct nvmf_auth_dhchap_success2_data *data;
    191         void *d;
    192         u32 tl;
    193         u16 status = 0;
    194 
    195         if (req->cmd->auth_send.secp != NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER) {
    196                 status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
    197                 req->error_loc =
    198                         offsetof(struct nvmf_auth_send_command, secp);
    199                 goto done;
    200         }
    201         if (req->cmd->auth_send.spsp0 != 0x01) {
    202                 status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
    203                 req->error_loc =
    204                         offsetof(struct nvmf_auth_send_command, spsp0);
    205                 goto done;
    206         }
    207         if (req->cmd->auth_send.spsp1 != 0x01) {
    208                 status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
    209                 req->error_loc =
    210                         offsetof(struct nvmf_auth_send_command, spsp1);
    211                 goto done;
    212         }
    213         tl = le32_to_cpu(req->cmd->auth_send.tl);
    214         if (!tl) {
    215                 status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
    216                 req->error_loc =
    217                         offsetof(struct nvmf_auth_send_command, tl);
    218                 goto done;
    219         }
    220         if (!nvmet_check_transfer_len(req, tl)) {
    221                 pr_debug("%s: transfer length mismatch (%u)\n", __func__, tl);
    222                 return;
    223         }
    224 
    225         d = kmalloc(tl, GFP_KERNEL);
    226         if (!d) {
    227                 status = NVME_SC_INTERNAL;
    228                 goto done;
    229         }
    230 
    231         status = nvmet_copy_from_sgl(req, 0, d, tl);
    232         if (status) {
    233                 kfree(d);
    234                 goto done;
    235         }
    236 
    237         data = d;
    238         pr_debug("%s: ctrl %d qid %d type %d id %d step %x\n", __func__,
    239                  ctrl->cntlid, req->sq->qid, data->auth_type, data->auth_id,
    240                  req->sq->dhchap_step);
    241         if (data->auth_type != NVME_AUTH_COMMON_MESSAGES &&
    242             data->auth_type != NVME_AUTH_DHCHAP_MESSAGES)
    243                 goto done_failure1;
    244         if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
    245                 if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
    246                         /* Restart negotiation */
    247                         pr_debug("%s: ctrl %d qid %d reset negotiation\n", __func__,
    248                                  ctrl->cntlid, req->sq->qid);
    249                         if (!req->sq->qid) {
    250                                 status = nvmet_setup_auth(ctrl);
--> 251                                 if (status < 0) {

"status" is a u16 so it can't be negative.

    252                                         pr_err("ctrl %d qid 0 failed to setup"
    253                                                "re-authentication",
    254                                                ctrl->cntlid);
    255                                         goto done_failure1;

regards,
dan carpenter