RE: [PATCH] Coccinelle report script for refcounters

From: Reshetova, Elena
Date: Tue Jul 18 2017 - 08:27:22 EST


> On Tue, 18 Jul 2017, Reshetova, Elena wrote:
>
> > > On Tue, 18 Jul 2017, Elena Reshetova wrote:
> > >
> > > > The below script can be used to detect potential misusage
> > > > of atomic_t type and API for reference counting purposes.
> > > > Now that we have a dedicated refcount_t type and API with
> > > > security protection implemented, people should be using it
> > > > instead.
> > > >
> > > > Currently it still reports many occurrences since we are
> > > > nowhere near the end of our kernel-wide conversion exercise,
> > > > but hopefully after a couple of cycles more, the amount of
> > > > output would be much more limited.
> > > >
> > > > Each script result must be analysed manually before any
> > > > conversion, since refcount_t might not suit certain
> > > > purposes (for example if an object is not always destroyed
> > > > upon the refcounter reaching zero, if increments from zero are
> > > > allowed in the code, etc.)
> > > >
> > > > As we go further and get less results in output, we will
> > > > improve the pattern to detect conversion cases more precisely.
> > >
> > > The regexps are the best you can do?
> >
> > They are simple and so far they have been sufficient for the purpose since
> > they found pretty much all the cases we are aware of. I was thinking
> > of working to improve the pattern later on after we merge the bulk of
> > conversions and I have some cycles free on that front.
> >
> > What would you suggest to do instead of regexps?
>
> Is there anything about the definitions of these functions that indicates
> why they are important?

I am not sure I understand the question fully. Do you mean the functions
used in the rules, such as atomic_dec_and_test() etc.?
If yes, then for example the combination of atomic_dec_and_test(&(a)->x)
on a pointer, followed later by some kind of *free*(a) function (kfree(), kmem_cache_free(), etc.)
on that pointer is a quite common indicator that we are dealing with a reference counter since
they would normally free resources when the counter reaches zero.
Again, it is not a 100% indicator since I have seen weird schemes that for example
free a resource upon reaching -1, or free it in one case and don't free in another,
but such cases are rarer.

Does this answer your questions?

Best Regards,
Elena.

>
> julia
>
> >
> > Best Regards,
> > Elena.
> >
> > >
> > > julia
> > >
> > > >
> > > > Elena Reshetova (1):
> > > > Coccinelle: add atomic_as_refcounter script
> > > >
> > > > scripts/coccinelle/api/atomic_as_refcounter.cocci | 102
> > > ++++++++++++++++++++++
> > > > 1 file changed, 102 insertions(+)
> > > > create mode 100644 scripts/coccinelle/api/atomic_as_refcounter.cocci
> > > >
> > > > --
> > > > 2.7.4
> > > >
> > > >
> >
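The pattern Elena describes above (atomic_dec_and_test() on a struct member, followed by freeing the struct) and the increment-from-zero caveat from the commit message, as an added userspace model. This is example code written for this page, not the patch, the kernel, or anything Elena or Julia posted: the atomic_*() and refcount_*() functions are simplified stand-ins that borrow the kernel's names (real refcount_t details such as WARN output, the saturation value and memory ordering are assumed and simplified), and the wrapped and saturated counter states are constructed directly with calloc()/atomic_store() rather than produced by billions of increments.

```c
/* Added illustration, not kernel code: userspace stand-ins named after the Linux
 * atomic_*()/refcount_*() APIs; kernel details (WARN output, saturation value,
 * memory ordering) are assumed and simplified. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* ---- atomic_t used as a reference counter: no protection ---- */
typedef struct { atomic_int counter; } atomic_t;
struct obj_atomic { atomic_t refcnt; int payload; };

static void atomic_inc(atomic_t *v) { atomic_fetch_add(&v->counter, 1); }

/* True when this decrement brought the counter to zero. */
static bool atomic_dec_and_test(atomic_t *v)
{
    return atomic_fetch_sub(&v->counter, 1) == 1;
}

/* The shape the Coccinelle rule matches: dec_and_test(&(a)->x) ... free(a). */
static bool obj_atomic_put(struct obj_atomic *a)
{
    if (!atomic_dec_and_test(&a->refcnt))
        return false;
    free(a);
    return true;                            /* object destroyed */
}

/* ---- refcount_t: simplified model of the hardened API ---- */
typedef struct { atomic_int refs; } refcount_t;
struct obj_refcount { refcount_t refcnt; int payload; };
#define REFCOUNT_SATURATED (INT_MIN / 2)    /* model sentinel; stays negative */

/* Take a reference: refuses to resurrect a dead (zero) object and saturates
 * instead of wrapping when the counter is already at INT_MAX. */
static bool refcount_inc_not_zero(refcount_t *r)
{
    int old = atomic_load(&r->refs), nv;
    do {
        if (old == 0)
            return false;                   /* increment from zero: refused */
        if (old < 0)
            return true;                    /* already saturated: stays put */
        nv = (old == INT_MAX) ? REFCOUNT_SATURATED : old + 1;
    } while (!atomic_compare_exchange_weak(&r->refs, &old, nv));
    return true;
}

/* Drop a reference: a saturated or zero counter never reports "reached zero",
 * so a counter that lost track leaks the object instead of freeing it in use. */
static bool refcount_dec_and_test(refcount_t *r)
{
    int old = atomic_load(&r->refs), nv;
    do {
        if (old <= 0)
            return false;
        nv = old - 1;
    } while (!atomic_compare_exchange_weak(&r->refs, &old, nv));
    return nv == 0;
}

/* Constructed state: enough leaked increments have wrapped the 32-bit counter
 * to zero while earlier holders keep their pointers; the next legitimate
 * get/put pair frees the object under all of them. */
static bool atomic_frees_while_referenced(void)
{
    struct obj_atomic *a = calloc(1, sizeof *a);    /* counter == 0: wrapped */
    atomic_inc(&a->refcnt);                         /* 0 -> 1 */
    return obj_atomic_put(a);                       /* 1 -> 0: freed early */
}

/* The same leak against the model stalls at INT_MAX; the next increment
 * saturates and no put can ever free the object again. */
static bool refcount_frees_while_referenced(void)
{
    struct obj_refcount *a = calloc(1, sizeof *a);
    atomic_store(&a->refcnt.refs, INT_MAX);         /* constructed state */
    refcount_inc_not_zero(&a->refcnt);              /* INT_MAX -> saturated */
    bool freed = refcount_dec_and_test(&a->refcnt); /* stays false forever */
    if (!freed)
        free(a);                /* demo cleanup; the kernel would leak it */
    return freed;
}

/* The commit-message caveat: a legitimate increment from zero works on
 * atomic_t, but refcount_t refuses it, so such code cannot be converted. */
static bool inc_from_zero_succeeds(bool use_refcount)
{
    atomic_t v = { 0 };
    refcount_t r = { 0 };
    if (use_refcount)
        return refcount_inc_not_zero(&r);
    atomic_inc(&v);
    return atomic_load(&v.counter) == 1;
}
```

Build with any C11 compiler (for example cc -std=c11) and call the three predicate functions from a small main or test harness: atomic_frees_while_referenced() returns true (the object is freed while holders still have it), refcount_frees_while_referenced() returns false (the saturated counter never reaches zero), and only inc_from_zero_succeeds(false) returns true, which is exactly the scheme the commit message says must be spotted by hand before any conversion.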