| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Mar 2019 12:54:31 +0900
From: Masahiro Yamada <yamada.masahiro@...ionext.com>
To: Wen Yang <wen.yang99@....com.cn>
Cc: Julia Lawall <Julia.Lawall@...6.fr>,
Gilles Muller <Gilles.Muller@...6.fr>,
Nicolas Palix <nicolas.palix@...g.fr>,
Michal Marek <michal.lkml@...kovi.net>, Markus.Elfring@....de,
wang.yi59@....com.cn, Wen Yang <yellowriver2010@...mail.com>,
cheng.shengyu@....com.cn, cocci@...teme.lip6.fr,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5] coccinelle: semantic code search for missing put_device()
On Sat, Feb 16, 2019 at 12:35 AM Wen Yang <wen.yang99@....com.cn> wrote:
>
> The of_find_device_by_node() takes a reference to the underlying device
> structure, we should release that reference.
> The implementation of this semantic code search is:
> In a function, for a local variable returned by calling
> of_find_device_by_node(),
> a, if it is released by a function such as
> put_device()/of_dev_put()/platform_device_put() after the last use,
> it is considered that there is no reference leak;
> b, if it is passed back to the caller via
> dev_get_drvdata()/platform_get_drvdata()/get_device(), etc., the
> reference will be released in other functions, and the current function
> also considers that there is no reference leak;
> c, for the rest of the situation, the current function should release the
> reference by calling put_device, this code search will report the
> corresponding error message.
>
> By using this semantic code search, we have found some object reference leaks,
> such as:
> commit 11907e9d3533 ("ASoC: fsl-asoc-card: fix object reference leaks in
> fsl_asoc_card_probe")
> commit a12085d13997 ("mtd: rawnand: atmel: fix possible object reference leak")
> commit 11493f26856a ("mtd: rawnand: jz4780: fix possible object reference leak")
>
> There are still dozens of reference leaks in the current kernel code.
>
> Further, for the case of b, the object returned to other functions may also
> have a reference leak, we will continue to develop other cocci scripts to
> further check the reference leak.
>
> Signed-off-by: Wen Yang <wen.yang99@....com.cn>
> Reviewed-by: Julia Lawall <Julia.Lawall@...6.fr>
> Reviewed-by: Markus Elfring <Markus.Elfring@....de>
> Cc: Julia Lawall <Julia.Lawall@...6.fr>
> Cc: Gilles Muller <Gilles.Muller@...6.fr>
> Cc: Nicolas Palix <nicolas.palix@...g.fr>
> Cc: Michal Marek <michal.lkml@...kovi.net>
> Cc: Markus Elfring <Markus.Elfring@....de>
> Cc: Masahiro Yamada <yamada.masahiro@...ionext.com>
> Cc: Wen Yang <yellowriver2010@...mail.com>
> Cc: cheng.shengyu@....com.cn
> Cc: cocci@...teme.lip6.fr
> Cc: linux-kernel@...r.kernel.org
Applied to linux-kbuild. Thanks.
> ---
> v5->v4:
> - exchange the word “patch” by “code search”
> - add a SPDX identifierfix
> - a split string literal can be unwanted.
> - Change the content of the reported information.
> v4->v3:
> - add Masahiro Yamada
> - omit a blank line
> - split the long message parameter
> - reduce the number of metavariables
> - Describe the implementation of the semantic patch,
> explain the scenarios it can detect,
> and further software development considerations.
> v3->v2:
> - reduction of a bit of redundant C code within SmPL search specifications.
> - consider the message construction without using the extra Python variable “msg”
> v2->v1:
> - put exists after search, and then drop the when exists below.
> - should not use the same e as in the when's below.
> - Make a new type metavariable and use it to put a cast on the result of
> platform_get_drvdata.
>
> scripts/coccinelle/free/put_device.cocci | 56 ++++++++++++++++++++++++++++++++
> 1 file changed, 56 insertions(+)
> create mode 100644 scripts/coccinelle/free/put_device.cocci
>
> diff --git a/scripts/coccinelle/free/put_device.cocci b/scripts/coccinelle/free/put_device.cocci
> new file mode 100644
> index 0000000..7395697
> --- /dev/null
> +++ b/scripts/coccinelle/free/put_device.cocci
> @@ -0,0 +1,56 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/// Find missing put_device for every of_find_device_by_node.
> +///
> +// Confidence: Moderate
> +// Copyright: (C) 2018-2019 Wen Yang, ZTE.
> +// Comments:
> +// Options: --no-includes --include-headers
> +
> +virtual report
> +virtual org
> +
> +@...rch exists@
> +local idexpression id;
> +expression x,e,e1;
> +position p1,p2;
> +type T,T1,T2,T3;
> +@@
> +
> +id = of_find_device_by_node@p1(x)
> +... when != e = id
> +if (id == NULL || ...) { ... return ...; }
> +... when != put_device(&id->dev)
> + when != platform_device_put(id)
> + when != of_dev_put(id)
> + when != if (id) { ... put_device(&id->dev) ... }
> + when != e1 = (T)id
> + when != e1 = &id->dev
> + when != e1 = get_device(&id->dev)
> + when != e1 = (T1)platform_get_drvdata(id)
> +(
> + return
> +( id
> +| (T2)dev_get_drvdata(&id->dev)
> +| (T3)platform_get_drvdata(id)
> +);
> +| return@p2 ...;
> +)
> +
> +@...ipt:python depends on report@
> +p1 << search.p1;
> +p2 << search.p2;
> +@@
> +
> +coccilib.report.print_report(p2[0], "ERROR: missing put_device; "
> + + "call of_find_device_by_node on line "
> + + p1[0].line
> + + ", but without a corresponding object release "
> + + "within this function.")
> +
> +@...ipt:python depends on org@
> +p1 << search.p1;
> +p2 << search.p2;
> +@@
> +
> +cocci.print_main("of_find_device_by_node", p1)
> +cocci.print_secs("needed put_device", p2)
> --
> 2.9.5
>
--
Best Regards
Masahiro Yamada
Powered by blists - more mailing lists