Date:   Sun, 16 May 2021 18:27:30 +0200 (CEST)
From:   Julia Lawall <julia.lawall@...ia.fr>
To:     Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
cc:     Julia Lawall <Julia.Lawall@...ia.fr>,
        Krzysztof Kozlowski <krzysztof.kozlowski@...onical.com>,
        kernel-janitors@...r.kernel.org,
        Gilles Muller <Gilles.Muller@...ia.fr>,
        Nicolas Palix <nicolas.palix@...g.fr>,
        Michal Marek <michal.lkml@...kovi.net>, cocci@...teme.lip6.fr,
        linux-kernel@...r.kernel.org,
        "Rafael J . Wysocki" <rafael@...nel.org>,
        Johan Hovold <johan@...nel.org>,
        Zhang Qilong <zhangqilong3@...wei.com>,
        Jakub Kicinski <kuba@...nel.org>,
        "Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
        Dan Carpenter <dan.carpenter@...cle.com>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>,
        Jonathan Cameron <jic23@...nel.org>
Subject: Re: [PATCH v5] coccinelle: api: semantic patch to use
 pm_runtime_resume_and_get



On Wed, 5 May 2021, Mauro Carvalho Chehab wrote:

> Hi Julia,
>
> Em Thu, 29 Apr 2021 19:43:43 +0200
> Julia Lawall <Julia.Lawall@...ia.fr> escreveu:
>
> > pm_runtime_get_sync keeps a reference count on failure, which can lead
> > to leaks.  pm_runtime_resume_and_get drops the reference count in the
> > failure case.  This rule very conservatively follows the definition of
> > pm_runtime_resume_and_get to address the cases where the reference
> > count is unlikely to be needed in the failure case.  Specifically, the
> > change is only done when pm_runtime_get_sync is followed immediately
> > by an if and when the branch of the if is immediately a call to
> > pm_runtime_put_noidle (like in the definition of
> > pm_runtime_resume_and_get) or something that is likely a print
> > statement followed by a pm_runtime_put_noidle call.  The patch
> > case appears somewhat more complicated, because it also deals with the
> > cases where {}s need to be removed.
> >
> > pm_runtime_resume_and_get was introduced in
> > commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to
> > deal with usage counter")
> >
> > Signed-off-by: Julia Lawall <Julia.Lawall@...ia.fr>
> > Acked-by: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
>
> First of all, thanks for doing that! It sounds a lot better to have
> a script doing the check than newbies trying to address it manually,
> as there are several aspects to be considered on such replacement.
>
> >
> > ---
> > v5: print a message with the new function name, as suggested by Markus Elfring
> > v4: s/pm_runtime_resume_and_get/pm_runtime_put_noidle/ as noted by Johan Hovold
> > v3: add the people who signed off on commit dd8088d5a896, expand the log message
> > v2: better keyword
> >
> >  scripts/coccinelle/api/pm_runtime_resume_and_get.cocci |  153 +++++++++++++++++
> >  1 file changed, 153 insertions(+)
> >
> > diff --git a/scripts/coccinelle/api/pm_runtime_resume_and_get.cocci b/scripts/coccinelle/api/pm_runtime_resume_and_get.cocci
> > new file mode 100644
> > index 000000000000..3387cb606f9b
> > --- /dev/null
> > +++ b/scripts/coccinelle/api/pm_runtime_resume_and_get.cocci
> > @@ -0,0 +1,153 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +///
> > +/// Use pm_runtime_resume_and_get.
> > +/// pm_runtime_get_sync keeps a reference count on failure,
> > +/// which can lead to leaks.  pm_runtime_resume_and_get
> > +/// drops the reference count in the failure case.
> > +/// This rule addresses the cases where the reference count
> > +/// is unlikely to be needed in the failure case.
> > +///
> > +// Confidence: High
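Review bot: `// Confidence: High` in the header looks too strong for a rule that does not yet look at how the result of pm_runtime_get_sync is used after the `< 0` test. The `///` description only talks about the reference count on failure; it should also say that pm_runtime_get_sync can return 1 on success while pm_runtime_resume_and_get always returns 0, and the confidence should stay lower until sites that test the value further are excluded.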
>
> Long story short, I got a corner case where the script is doing
> the wrong thing.
>
> ---
>
> A detailed explanation follows:
>
> As you know, I'm doing some manual work to address issues related
> to pm_runtime_get() on media.
>
> There, I found a corner case: There is a functional difference
> between:
>
> 	ret = pm_runtime_get_sync(&client->dev);
>         if (ret < 0) {
>                 pm_runtime_put_noidle(&client->dev);
> 		return ret;
> 	}
>
> and:
> 	ret = pm_runtime_resume_and_get(&client->dev);
>         if (ret < 0)
> 		return ret;
>
> On success, pm_runtime_get_sync() can return either 0 or 1.
> When 1 is returned, it means that the driver was already resumed.
>
> pm_runtime_resume_and_get(), on the other hand, doesn't have the same
> behavior. On success, it always returns zero.
>
> IMO, this is actually a good thing, as it helps to address a common
> mistake:
>
> 	ret = pm_runtime_get_sync(&client->dev);
> 	/*
> 	 * or, even worse:
> 	 * ret = some_function_that_calls_pm_runtime_get_sync();
> 	 */
>
>         if (ret) {
>                 pm_runtime_put_noidle(&client->dev);
> 		return ret;
> 	}
>
> FYI, Dan pointed out one media driver to me these days with the above
> issue, the imx334 driver, which I'm fixing in my patch series.
>
> -
>
> Anyway, after revisiting my patches, I found several cases that were
> doing things like:
>
> 	int ret;
>
> 	ret = pm_runtime_get_sync(dev);
> 	pm_runtime_put_noidle(dev);		/* Or without it, on drivers with unbalanced get/put */
>
> 	return ret > 0 ? 0 : ret;
>
> Which can be replaced by just:
>
> 	return pm_runtime_resume_and_get(&ctx->gsc_dev->pdev->dev);
>
> Yet, I found a single corner case on media where a driver is actually
> using the positive return: the ccs-core camera sensor driver.
>
> There, the driver checks the past state of RPM. If the
> device was indeed suspended, the driver restores the hardware
> controls (on V4L2, a control is something like brightness,
> contrast, etc) to the last used value set.
>
> This is the right thing to be done there, as setting values
> to such hardware can be a slow operation, as it is done via I2C.
>
> So, this particular driver checks if the RPM returned 0 or 1,
> in order to check the previous RPM state before get.
>
> In this particular case, replacing:
> 	pm_runtime_get_sync()
> with
> 	pm_runtime_resume_and_get()
>
> Will make part of the code unreachable.
>
> While it won't break this specific driver, it could have
> caused trouble if the logic there were different.
>
> In any case, I tested the coccinelle script, and it produces
> this change:
>
>  static int ccs_pm_get_init(struct ccs_sensor *sensor)
>  {
>         struct i2c_client *client = v4l2_get_subdevdata(&sensor->src->sd);
>         int rval;
>
> -       rval = pm_runtime_get_sync(&client->dev);
> -       if (rval < 0) {
> -               pm_runtime_put_noidle(&client->dev);
> +       rval = pm_runtime_resume_and_get(&client->dev);
> +       if (rval < 0)
>
>                 return rval;
> -       } else if (!rval) {
> +       else if (!rval) {
>                 rval = v4l2_ctrl_handler_setup(&sensor->pixel_array->
>                                                ctrl_handler);
>                 if (rval)
>                         return rval;
>
>                 return v4l2_ctrl_handler_setup(&sensor->src->ctrl_handler);
>         }
>
>         return 0;
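Review bot: The `else if (!rval)` branch kept after the converted call still depends on telling a 0 return from a positive one, and pm_runtime_resume_and_get reports every success as 0, so both v4l2_ctrl_handler_setup() calls now run on every invocation and the trailing `return 0;` can no longer be reached. This site should keep pm_runtime_get_sync with pm_runtime_put_noidle on the error path, and the semantic patch should skip any call whose result is tested for anything other than `< 0`.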
>
> which will make v4l2_ctrl_handler_setup() always be called,
> even if the device was already resumed.

Thanks for the feedback.  It looks like what you are saying is that the
script should ensure that the return value of pm_runtime_get_sync is not
used for anything else.  That can be added to the script.

julia
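
The return-value difference discussed in this thread, as an added user-space C model that is not part of the original messages and is not kernel code. `model_dev`, `model_get_sync`, `model_resume_and_get` and `model_pm_get_init` are made-up names that only imitate the behaviour described above: the reference is kept on failure, and success is 0 or 1 for one call but always 0 for the other.

```c
#include <stdio.h>

/* User-space model, made-up names (no kernel API): usage counter, already-
 * resumed flag, errno a resume fails with (0 = none), control re-applies. */
struct model_dev { int usage, active, resume_err, setups; };

/* Like pm_runtime_get_sync(): ref kept on failure; 0 = resumed, 1 = was active. */
static int model_get_sync(struct model_dev *d)
{
	d->usage++;
	if (d->active)
		return 1;
	if (d->resume_err)
		return d->resume_err;
	d->active = 1;
	return 0;
}

/* Like pm_runtime_resume_and_get(): put on failure, 0 on any success. */
static int model_resume_and_get(struct model_dev *d)
{
	int ret = model_get_sync(d);
	if (ret < 0)
		d->usage--; /* the pm_runtime_put_noidle() step */
	return ret < 0 ? ret : 0;
}

/* Caller shaped like ccs_pm_get_init(); converted != 0 models the rewrite. */
static int model_pm_get_init(struct model_dev *d, int converted)
{
	int rval = converted ? model_resume_and_get(d) : model_get_sync(d);
	if (rval < 0) {
		if (!converted)
			d->usage--; /* explicit pm_runtime_put_noidle() */
		return rval;
	}
	if (!rval)
		d->setups++; /* stands in for v4l2_ctrl_handler_setup() */
	return 0;
}

int main(void)
{
	struct model_dev a = { .active = 1 }, b = { .active = 1 };
	model_pm_get_init(&a, 0);
	model_pm_get_init(&b, 1);
	printf("setups on active device: before=%d after=%d\n", a.setups, b.setups);
	return 0;
}
```

On an already-active device the unconverted caller skips the control setup, while the converted one repeats it on every call.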
