lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 5 Jul 2019 08:17:03 +0200 (CEST)
From:   Julia Lawall <julia.lawall@...6.fr>
To:     wen.yang99@....com.cn
cc:     Markus.Elfring@....de, linux-kernel@...r.kernel.org,
        wang.yi59@....com.cn, Gilles Muller <Gilles.Muller@...6.fr>,
        nicolas.palix@...g.fr, michal.lkml@...kovi.net,
        yamada.masahiro@...ionext.com, cocci@...teme.lip6.fr
Subject: Re: [PATCH v2] coccinelle: semantic code search
 formissingof_node_put



On Fri, 5 Jul 2019, wen.yang99@....com.cn wrote:

> > > > > > +x = @p1\(of_find_all_nodes\|
> > > > >
> > > > > I would find this SmPL disjunction easier to read without the usage
> > > > > of extra backslashes.
> > > > >
> > > > > +x =
> > > > > +(of_…
> > > > > +|of_…
> > > > > +)@p1(...);
> > > >
> > > > Did you actually test this?  I doubt that a position metavariable can be
> > > > put on a ) of a disjunction.
> > > >
> > > > > > +|
> > > > > > +return x;
> > > > > > +|
> > > > > > +return of_fwnode_handle(x);
> > > > >
> > > > > Can a nested SmPL disjunction be helpful at such places?
> > > > >
> > > > > +|return
> > > > > +(x
> > > > > +|of_fwnode_handle(x)
> > > > > +);
> > > >
> > > > The original code is much more readable.  The internal representation will
> > > > be the same.
> > > >
> > > > > > +    when != v4l2_async_notifier_add_fwnode_subdev(<...x...>)
> > > > >
> > > > > Would the specification variant “<+... x ...+>” be relevant
> > > > > for the parameter selection?
> > > >
> > > > I'm indeed quite surprised that <...x...> would be accepted by the parser..
> > >
> > > Hi julia,
> > >
> > > Thank you for your comments.
> > > We tested and found that both <...x...> and <+... x ...+> variants work fine.
> > > We use <... x ...> instead of <+... x ...+> here to eliminate the following false positives:
> > >
> > > ./drivers/media/platform/qcom/camss/camss.c:504:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 479, but without a corresponding object release within this function.
> > >
> > > 465 static int camss_of_parse_ports(struct camss *camss)
> > > 466 {
> > > ...
> > > 479 remote = of_graph_get_remote_port_parent(node);
> > > ...
> > > 486 asd = v4l2_async_notifier_add_fwnode_subdev(
> > > 487 &camss->notifier, of_fwnode_handle(remote), ---> v4l2_async_notifier_add_fwnode_subdev will pass remote to camss->notifier.
> > > 488 sizeof(*csd));
> > > ...
> > > 504 return num_subdevs;
> >
> > I suspect that what is happening is that there is a runtime error, but
> > that error is caught somewhere and you don't see it.
>
> Thanks.
> You are right, there is indeed a runtime error.
> Since make coccicheck adds the "-very-quiet" parameter by default, we didn't find it.
>
> $ spatch --sp-file   of_node_put.cocci   -D report drivers/media/platform/am437x/am437x-vpfe.c
> init_defs_builtins: /usr/local/bin/../lib/coccinelle/standard.h
> HANDLING: drivers/media/platform/am437x/am437x-vpfe.c
> exn while in timeout_function
> only handling multi and no when code in a nest expr
>
> >  Could you send me again the entire semantic patch so I can check on this?
> >
>
> Thanks.
> The entire SmPL is as follows:
>
> $ cat of_node_put.cocci
> // SPDX-License-Identifier: GPL-2.0
> /// Find missing of_node_put
> ///
> // Confidence: Moderate
> // Copyright: (C) 2018-2019 Wen Yang, ZTE.
> // Comments:
> // Options: --no-includes --include-headers
>
> virtual report
> virtual org
>
> @initialize:python@
> @@
>
> seen = set()
>
> def add_if_not_present (p1, p2):
>     if (p1, p2) not in seen:
>         seen.add((p1, p2))
>         return True
>     return False

Did you need this?  Normally a script rule is run only once for each set
of bindings for the inherited variables.  I guess that multiple p1s could
lead to the same p2, and you only want to report on one of them?

This set is going to be global to the whole kernel, or at least to all of
the files considered by a given thread, if you use -j.  To clean it up on
each file, you can make another python at the end that depends on r1 or r2
and depends on report.  This rule can clear seen.

Otherwise, it looks fine.

julia


>
> def display_report(p1, p2):
>     if add_if_not_present(p1[0].line, p2[0].line):
>        coccilib.report.print_report(p2[0],
>                                     "ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line "
>                                     + p1[0].line
>                                     + ", but without a corresponding object release within this function.")
>
> def display_org(p1, p2):
>     cocci.print_main("acquired a node pointer with refcount incremented", p1)
>     cocci.print_secs("needed of_node_put", p2)
>
> @r1 exists@
> local idexpression struct device_node *x;
> expression e, e1;
> position p1, p2;
> statement S;
> type T;
> @@
>
> x = @p1\(of_find_all_nodes\|
>          of_get_cpu_node\|
>          of_get_parent\|
>          of_get_next_parent\|
>          of_get_next_child\|
>          of_get_next_cpu_node\|
>          of_get_compatible_child\|
>          of_get_child_by_name\|
>          of_find_node_opts_by_path\|
>          of_find_node_by_name\|
>          of_find_node_by_type\|
>          of_find_compatible_node\|
>          of_find_node_with_property\|
>          of_find_matching_node_and_match\|
>          of_find_node_by_phandle\|
>          of_parse_phandle\|
>          of_find_next_cache_node\|
>          of_get_next_available_child\)(...);
> ...
> if (x == NULL || ...) S
> ... when != e = (T)x
>     when != true x == NULL
>     when != of_node_put(x)
>     when != of_get_next_parent(x)
>     when != of_find_matching_node(x, ...)
>     when != if (x) { ... return x; }
>     when != v4l2_async_notifier_add_fwnode_subdev(<...x...>)
>     when != e1 = of_fwnode_handle(x)
> (
> if (x) { ... when forall
>          of_node_put(x) ... }
> |
> return x;
> |
> return of_fwnode_handle(x);
> |
> return@p2 ...;
> )
>
> @script:python depends on report && r1@

No need to depend on r1.  That is guaranteed by the inheritance on the
metavariables below.

> p1 << r1.p1;
> p2 << r1.p2;
> @@
>
> display_report(p1, p2)
>
> @script:python depends on org && r1@
> p1 << r1.p1;
> p2 << r1.p2;
> @@
>
> display_org(p1, p2)
>
> @r2 exists@
> local idexpression struct device_node *x;
> expression e, e1;
> position p1, p2;
> identifier f;
> statement S;
> type T;
> @@
>
> (
> x = f@p1(...);
> ... when != e = (T)x
>     when != true x == NULL
>     when != of_node_put(x)
>     when != of_get_next_parent(x)
>     when != of_find_matching_node(x, ...)
>     when != if (x) { ... return x; }
>     when != v4l2_async_notifier_add_fwnode_subdev(<...x...>)
>     when != e1 = of_fwnode_handle(x)
> (
> if (x) { ... when forall
>          of_node_put(x) ... }
> |
> return x;
> |
> return of_fwnode_handle(x);
> |
> return@p2 ...;
> )
> &
> x = f(...)
> ...
> if (<+...x...+>) S
> ...
> of_node_put(x);
> )
> @script:python depends on report && r2@
> p1 << r2.p1;
> p2 << r2.p2;
> @@
>
> display_report(p1, p2)
>
> @script:python depends on org && r2@
> p1 << r2.p1;
> p2 << r2.p2;
> @@
>
> display_org(p1, p2)
>
> > I think that what you want is:
> >
> > when != v4l2_async_notifier_add_fwnode_subdev(...,<+...x...+>,...)
> >
> > ie x occurring somewhere within some argument.
>
> Thank you very much for your suggestion.
> Applying it will solve this problem, thank you.
>
> --
> Thanks and regards,
> Wen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ