Date:   Thu, 3 Mar 2022 13:56:02 +0300
From:   Dan Carpenter <>
To:     Rasmus Villemoes <>,
        Julia Lawall <>
Cc:     Linus Torvalds <>,
        David Laight <>,
        James Bottomley <>,
        linux-wireless <>,
        KVM list <>,
        "Gustavo A. R. Silva" <>,
        dri-devel <>,
        Cristiano Giuffrida <>,
        "Bos, H.J." <>,
        linux-arch <>,
        CIFS <>,
        linux-scsi <>,
        linux-rdma <>,
        amd-gfx list <>,
        Jason Gunthorpe <>,
        Linux Media Mailing List <>,
        Kees Cook <>,
        Arnd Bergman <>,
        Linux PM <>,
        intel-gfx <>,
        Brian Johannesmeyer <>,
        Nathan Chancellor <>,
        dma <>,
        Christophe JAILLET <>,
        Jakob Koschel <>,
        linux-tegra <>,
        Thomas Gleixner <>,
        Andy Shevchenko <>,
        Linux ARM <>,
        linux-block <>,
        Netdev <>,
        Linux Kernel Mailing List <>,
        Linux F2FS Dev Mailing List <>,
        Linux Crypto Mailing List <>,
        linux-fsdevel <>,
        Andrew Morton <>,
        linuxppc-dev <>,
        Christian König <>,
        Mike Rapoport <>
Subject: Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr

On Wed, Mar 02, 2022 at 10:29:31AM +0100, Rasmus Villemoes wrote:
> This won't help the current issue (because it doesn't exist and might
> never), but just in case some compiler people are listening, I'd like to
> have some sort of way to tell the compiler "treat this variable as
> uninitialized from here on". So one could do
> #define kfree(p) do { __kfree(p); __magic_uninit(p); } while (0)

I think this is a good idea.

Smatch can already find all the iterator used outside the loop bugs that
Jakob did with a manageably small number of false positives.  The
problems are that:
1) It would be better to find it in the compile stage instead of later.
2) I hadn't published that check.  Will do shortly.
3) A couple weeks back I noticed that the list_for_each_entry() check
   was no longer working.  Fixed now.
4) Smatch was only looking at cases which dereferenced the iterator and
   not checks for NULL.  I will test the fix for that tonight.
5) Smatch is broken on PowerPC.

Coccinelle also has checks for iterator used outside the loop.
Coccinelle had these checks before Smatch did.  I copied Julia's idea.

If your annotation was added to GCC it would solve all those problems.

But it's kind of awkward that we can't annotate kfree() directly
instead of creating the kfree() macro.  And there are lots of other
functions which free things, so you'd have to create a ton of macros:

#define gr_free_dma_desc(a, b) do { __gr_free_dma_desc(a, b); __magic_uninit(b); } while (0)

And then there are functions which free a struct member:

void free_bar(struct foo *p) { kfree(p->bar); }

Or functions which free a container_of().

Smatch is more evolved than designed, but what I do these days is use $0,
$1, $2 to represent the parameters.  So you can say a function frees
$0->bar.  For container_of() it is "(168<~$0)->bar", which means 168
bytes from $0.  Returns are parameter -1, so I guess it would be $(-1),
but as I said Smatch evolved, so right now places that talk about
returned values use a different format.

What you could do is just make a parseable table next to the function
definition with all the information.  Then you would use a Perl script
to automatically generate a Coccinelle check to warn about use after

diff --git a/mm/slab.c b/mm/slab.c
index ddf5737c63d9..c9dffa5c40a2 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3771,6 +3771,9 @@ EXPORT_SYMBOL(kmem_cache_free_bulk);
  * Don't free memory not originally allocated by kmalloc()
  * or you will run into trouble.
+ *
+ * CHECKER information
+ * frees: $0
 void kfree(const void *objp)
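Review bot: The hunk as shown is incomplete: the header `@@ -3771,6 +3771,9 @@` promises six old and nine new lines, but only three context lines and three `+` lines are visible, and the ` */` that should close the comment before `void kfree(const void *objp)` does not appear, so a reader cannot tell whether the `CHECKER information` block actually sits inside the kernel-doc comment. If this sketch becomes a real patch, the block also needs a documented grammar (what `$0`, `$1`, `$(-1)` and the `(168<~$0)->bar` container_of() form denote, as described in the text above) so that the generating script and human readers agree on it.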

dan carpenter
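The bug class the Subject line's patch series removes, as an added example that is not part of the email or the kernel sources; the `list_head`, `container_of` and `list_for_each_entry` definitions are a constructed miniature of `<linux/list.h>`, and the three-item list is constructed for the test:

```c
/* Added example (not from the email or the kernel): a minimal intrusive
 * list modelled on <linux/list.h>, constructed here, showing why a
 * list_for_each_entry() iterator must not be used after the loop. */
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define list_for_each_entry(pos, head, member)                           \
    for (pos = container_of((head)->next, __typeof__(*pos), member);     \
         &pos->member != (head);                                         \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

struct item { int id; struct list_head node; };

/* Buggy pattern the patch series removes: 'it' is consulted after the
 * loop. On no match the loop ends with &it->node == head, so 'it' is the
 * list head reinterpreted as a struct item and it->id would read memory
 * that is not an item. Returns 1 when that happened, by pointer
 * comparison only, so nothing invalid is dereferenced here. */
static int iterator_aliases_head_after_miss(struct list_head *head, int id)
{
    struct item *it;
    list_for_each_entry(it, head, node)
        if (it->id == id)
            break;
    return &it->node == head;
}

/* Fixed pattern: a separate result pointer assigned only on a match; the
 * iterator is never read once the loop is done. */
static struct item *find_fixed(struct list_head *head, int id)
{
    struct item *it, *found = NULL;
    list_for_each_entry(it, head, node)
        if (it->id == id) { found = it; break; }
    return found;
}

/* Constructed three-item list, linked statically: head -> 10 -> 20 -> 30. */
static struct list_head demo_head;
static struct item demo_items[3] = {
    { 10, { &demo_items[1].node, &demo_head } },
    { 20, { &demo_items[2].node, &demo_items[0].node } },
    { 30, { &demo_head, &demo_items[1].node } },
};
static struct list_head demo_head = { &demo_items[0].node, &demo_items[2].node };
```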