Re: Time for a code audit?

[Dan Carpenter]

On Mon, May 02, 2016 at 04:38:27PM +, Sell, Timothy C wrote:
> After we get these changes in, is there a specific process we need to
> follow in order to have visornic inspected by the netdev folks
> (assume net...@vger.kernel.org) and visorhba inspected by the scsi folks
> (assume linux-s...@vger.kernel.org)?
> 
> I also assume we would need to do the same thing for visorinput
> (linux-in...@vger.kernel.org).

Yeah.  Just send it to those lists.

regards,
dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

RE: Time for a code audit?

[Sell, Timothy C]

> -Original Message-
> From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> Sent: Monday, May 02, 2016 8:55 AM
> To: Kershner, David A
> Cc: gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org;
> Sell, Timothy C; *S-Par-Maintainer; Binder, David Anthony
> Subject: Re: Time for a code audit?
> 
> Reviewing drivers/staging/unisys/visornic/visornic_main.c
> 
>212  static int
>213  visor_copy_fragsinfo_from_skb(struct sk_buff *skb, unsigned int
> firstfraglen,
>214unsigned int frags_max,
>215struct phys_info frags[])
>216  {
>217  unsigned int count = 0, ii, size, offset = 0, numfrags;
> ^^
> 
> The second "i" character indicates that it is an integer.  Which is ugly
> and, of course, misleading.
> 
>296  static ssize_t enable_ints_write(struct file *file,
>297   const char __user *buffer,
>298   size_t count, loff_t *ppos)
>299  {
>300  /*
>301   * Don't want to break ABI here by having a debugfs
>302   * file that no longer exists or is writable, so
>303   * lets just make this a vestigual function
>304   */
>305  return count;
>306  }
> 
> We don't care about ABI so much as we do about applications or scripts.
> This was added by Neil Horman because the original code was useless and
> dangerous.  It was the right patch for him, because he doesn't know
> about the userspace so he can't say if anything will break.  But
> presumably you guys know.  Does anything break if we remove this debugfs
> file?
> 
> Also if so then shame shame shame.  User space is not supposed to depend
> on debugfs being writable.  Just delete this...
> 
>   1019   */
>   1020  static void
>   1021  visornic_set_multi(struct net_device *netdev)
>   1022  {
>   1023  struct uiscmdrsp *cmdrsp;
>   1024  struct visornic_devdata *devdata = netdev_priv(netdev);
>   1025
>   1026  /* any filtering changes */
>   1027  if (devdata->old_flags != netdev->flags) {
>   1028  if ((netdev->flags & IFF_PROMISC) !=
>   1029  (devdata->old_flags & IFF_PROMISC)) {
> 
> Reverse these if statements and pull the code in two indent levels.
> 
>   1154  /**
>   1155   *  visornic_rx - Handle receive packets coming back from IO Part
>   1156   *  @cmdrsp: Receive packet returned from IO Part
>   1157   *
>   1158   *  Got a receive packet back from the IO Part, handle it and send
>   1159   *  it up the stack.
>   1160   *  Returns void
> 
> Actually it returns either zero or one but in a convoluted way.  Update
> it to use literals and update the comment.
> 
>   1361  /**
>   1362   *  devdata_initialize  - Initialize devdata structure
>   1363   *  @devdata: visornic_devdata structure to initialize
>   1364   *  #dev: visorbus_deviced it belongs to
>   1365   *
>   1366   *  Setup initial values for the visornic based on channel and 
> default
>   1367   *  values.
>   1368   *  Returns a pointer to the devdata if successful, else NULL
>   1369   */
>   1370  static struct visornic_devdata *
>   1371  devdata_initialize(struct visornic_devdata *devdata, struct
> visor_device *dev)
>   1372  {
>   1373  if (!devdata)
>   1374  return NULL;
> 
> This check doesn't make sense and the error handling is kind of odd.
> Just remove it, remove the error handling and update the comment.
> 
>   1817  err = visorbus_read_channel(dev, channel_offset,
>   1818  &devdata->num_rcv_bufs, 4);
>   1819  if (err) {
>   1820  dev_err(&dev->device,
>   1821  "%s failed to get #rcv bufs from chan (%d)\n",
>   1822  __func__, err);
>   1823  goto cleanup_netdev;
>   1824  }
>   1825
>   1826  devdata->rcvbuf = kcalloc(devdata->num_rcv_bufs,
>   1827sizeof(struct sk_buff *), 
> GFP_KERNEL);
>   1828  if (!devdata->rcvbuf) {
>   1829  err = -ENOMEM;
>   1830  goto cleanup_rcvbuf;
> 
> We never allocated rcvbuf.  It should still be goto cleanup_netdev;  The
> other gotos after this in this function are slightly off as well.  But
> thanks for the nice label names because it makes reviewing this much
> ea

Re: Time for a code audit?

[Dan Carpenter]

Reviewing drivers/staging/unisys/visorinput/visorinput.c

   465  case KEY_NUMLOCK:
   466  led = LED_NUML;
   467  break;
   468  default:
   469  led = -1;

Just make this a direct return.

   470  break;
   471  }
   472  if (led >= 0) {


Then you can remove this if condition.

   473  int old_state = (test_bit(led, visorinput_dev->led));

Remove extra parens.

   474  
   475  if (old_state != desired_state) {
   476  input_report_key(visorinput_dev, keycode, 1);
   477  input_sync(visorinput_dev);
   478  input_report_key(visorinput_dev, keycode, 0);
   479  input_sync(visorinput_dev);
   480  __change_bit(led, visorinput_dev->led);
   481  }
   482  }
   483  }

regards,
dan carpenter
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Dan Carpenter]

Reviewing drivers/staging/unisys/visornic/visornic_main.c

   212  static int
   213  visor_copy_fragsinfo_from_skb(struct sk_buff *skb, unsigned int 
firstfraglen,
   214unsigned int frags_max,
   215struct phys_info frags[])
   216  {
   217  unsigned int count = 0, ii, size, offset = 0, numfrags;
^^

The second "i" character indicates that it is an integer.  Which is ugly
and, of course, misleading.

   296  static ssize_t enable_ints_write(struct file *file,
   297   const char __user *buffer,
   298   size_t count, loff_t *ppos)
   299  {
   300  /*
   301   * Don't want to break ABI here by having a debugfs
   302   * file that no longer exists or is writable, so
   303   * lets just make this a vestigual function
   304   */
   305  return count;
   306  }

We don't care about ABI so much as we do about applications or scripts.
This was added by Neil Horman because the original code was useless and
dangerous.  It was the right patch for him, because he doesn't know
about the userspace so he can't say if anything will break.  But
presumably you guys know.  Does anything break if we remove this debugfs
file?

Also if so then shame shame shame.  User space is not supposed to depend
on debugfs being writable.  Just delete this...

  1019   */
  1020  static void
  1021  visornic_set_multi(struct net_device *netdev)
  1022  {
  1023  struct uiscmdrsp *cmdrsp;
  1024  struct visornic_devdata *devdata = netdev_priv(netdev);
  1025  
  1026  /* any filtering changes */
  1027  if (devdata->old_flags != netdev->flags) {
  1028  if ((netdev->flags & IFF_PROMISC) !=
  1029  (devdata->old_flags & IFF_PROMISC)) {

Reverse these if statements and pull the code in two indent levels.

  1154  /**
  1155   *  visornic_rx - Handle receive packets coming back from IO Part
  1156   *  @cmdrsp: Receive packet returned from IO Part
  1157   *
  1158   *  Got a receive packet back from the IO Part, handle it and send
  1159   *  it up the stack.
  1160   *  Returns void

Actually it returns either zero or one but in a convoluted way.  Update
it to use literals and update the comment.

  1361  /**
  1362   *  devdata_initialize  - Initialize devdata structure
  1363   *  @devdata: visornic_devdata structure to initialize
  1364   *  #dev: visorbus_deviced it belongs to
  1365   *
  1366   *  Setup initial values for the visornic based on channel and 
default
  1367   *  values.
  1368   *  Returns a pointer to the devdata if successful, else NULL
  1369   */
  1370  static struct visornic_devdata *
  1371  devdata_initialize(struct visornic_devdata *devdata, struct 
visor_device *dev)
  1372  {
  1373  if (!devdata)
  1374  return NULL;

This check doesn't make sense and the error handling is kind of odd.
Just remove it, remove the error handling and update the comment.

  1817  err = visorbus_read_channel(dev, channel_offset,
  1818  &devdata->num_rcv_bufs, 4);
  1819  if (err) {
  1820  dev_err(&dev->device,
  1821  "%s failed to get #rcv bufs from chan (%d)\n",
  1822  __func__, err);
  1823  goto cleanup_netdev;
  1824  }
  1825  
  1826  devdata->rcvbuf = kcalloc(devdata->num_rcv_bufs,
  1827sizeof(struct sk_buff *), GFP_KERNEL);
  1828  if (!devdata->rcvbuf) {
  1829  err = -ENOMEM;
  1830  goto cleanup_rcvbuf;

We never allocated rcvbuf.  It should still be goto cleanup_netdev;  The
other gotos after this in this function are slightly off as well.  But
thanks for the nice label names because it makes reviewing this much
easier.  :)

  1831  }

In visornic_init():
  2126  err = visorbus_register_visor_driver(&visornic_driver);
  2127  if (!err)
  2128  return 0;

Flip this around.

if (err)
goto cleanup_debugfs;

return 0;


These things should be reviewed by people on netdev and the scsi thing
should get a review by the scsi people.

regards,
dan carpenter
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Dan Carpenter]

Reviewing drivers/staging/unisys/visorhba/visorhba_main.c

visor_thread_start()
I'm nervous about the error handling here.  Is setting ->id to zero
really sufficient to prevent dereferencing ->task?

Still a lot of return -1;
grep "return -1;" drivers/staging/unisys/ -R

del_scsipending_ent()
flip the if condition around so it's error handling instead of success
handling.  Remove the "sent = NULL" initializer.

drivers/staging/unisys/visorhba/visorhba_main.c
   301  /* specify the event that has to be triggered when this */
   302  /* cmd is complete */
   303  cmdrsp->scsitaskmgmt.notify_handle = (u64)¬ifyevent;
   304  cmdrsp->scsitaskmgmt.notifyresult_handle = (u64)¬ifyresult;

This casting an int pointer to u64 pointer seems bad.

I must be blind.  How does queue_disk_add_remove() work?  Where do we
initialize dar_work_queue?

process_disk_notify()
switch success handling to error handling.

visorhba_probe().
We really can only probe one device right?  Because VISORHBA_OPEN_MAX is
1.  So what happens if we try to probe two?  I don't immediately see how
that is handled.

visorhba_init()
return a literal zero on success.

Looks pretty good generally to mee.

regards,
dan carpenter
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

RE: Time for a code audit?

[Kershner, David A]

> -Original Message-
> From: Romer, Benjamin M
> Sent: Tuesday, February 16, 2016 10:03 AM
> To: Dan Carpenter 
> Cc: gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org;
> Sell, Timothy C ; *S-Par-Maintainer
> 
> Subject: Re: Time for a code audit?
> 
...
> 
> Hi Dan,
> 
> Thank you for this list! We'll get started on fixing these issues
> immediately. I've run Smatch using the make options
> 
> O=../builds/testbuild CC=gcc-4.9 CHECK="smatch -p=kernel" C=1
> 
> but when I use it this way, I don't get that line where it complains
> about the variable's size. What settings do you use?
> 
> If I can generate a list of problems that way across the whole driver
> set, we can just resolve them all without having to bother you or Greg
> until we have patches for them.
> 
> Thanks a ton for the review. :)
> 
> -- Ben

Greg, 

With the patch "[PATCH] staging: unisys: visorbus: initialize variables",
I believe all the issues brought up by both you and Dan are addressed by
the patches you accepted. Also during the time we did some additional
cleanup.

What is the next step to get visorbus out of the staging directory? What
do we do with the include files?

Also, I'm working on removing the MODULE_ALIAS lines from visorinput,
visornic, and visorhba. I believe this requires me to make changes in
include/kernel/mod_devicemodules.h and scripts/mod/*. Should I
send those fixes to the respective maintainers now or when we move
the other drivers from staging?

Thanks,
David Kershner


___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

RE: Time for a code audit?

[Kershner, David A]

> -Original Message-
> From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> Sent: Tuesday, February 23, 2016 3:26 PM
> To: Kershner, David A 
> Cc: Romer, Benjamin M ;
> gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org; Sell,
> Timothy C ; *S-Par-Maintainer
> 
> Subject: Re: Time for a code audit?
> 
> On Tue, Feb 23, 2016 at 05:45:55PM +, Kershner, David A wrote:
> >
> >
> > > -Original Message-
> > > From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> > > Sent: Friday, February 12, 2016 5:02 PM
> > > To: Romer, Benjamin M 
> > > Cc: gre...@linuxfoundation.org; driverdev-
> de...@linuxdriverproject.org;
> > > Sell, Timothy C ; *S-Par-Maintainer
> > > 
> > > Subject: Re: Time for a code audit?
> > >
> > > I looked at the Smatch warnings, plus some bonus stuff I'm still working
> > > on.
> > >
> > > drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries()
> > > warn: inconsistent indenting
> > > drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries()
> > > warn: inconsistent indenting
> > > drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries()
> > > warn: XXX should 'inp_pfn + i' be a 64 bit type?
> > >
> > > This is because the left side is u64 but we wrap at u32.
> > >
> >
> > Dan, thanks for the find. Though I'm curious what options are you using
> when you run smatch to produce the "warn: XXX should 'inp_pfn +I' be a 64
> bit type" message? When I run smatch locally I don't see that message but I
> see the other two and it is definitely a problem in the codebase that I'm
> looking at.
> >
> 
> These are things I'm still working on and haven't published yet.  It
> feels like it should be a warning though.  I'm not certain the heuristic
> to use here.  Sometimes people declare things as u64 when they don't
> care.  Also Smatch tries to be clever about if the integer overflow is
> actually possible but sometimes it still gets false positives.
> 
> regards,
> dan carpenter

Is it possible for me to get a copy of your patches so I can verify that my fix 
doesn't break anything else?

David 
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Dan Carpenter]

On Tue, Feb 23, 2016 at 05:45:55PM +, Kershner, David A wrote:
> 
> 
> > -Original Message-
> > From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> > Sent: Friday, February 12, 2016 5:02 PM
> > To: Romer, Benjamin M 
> > Cc: gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org;
> > Sell, Timothy C ; *S-Par-Maintainer
> > 
> > Subject: Re: Time for a code audit?
> > 
> > I looked at the Smatch warnings, plus some bonus stuff I'm still working
> > on.
> > 
> > drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries()
> > warn: inconsistent indenting
> > drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries()
> > warn: inconsistent indenting
> > drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries()
> > warn: XXX should 'inp_pfn + i' be a 64 bit type?
> > 
> > This is because the left side is u64 but we wrap at u32.
> > 
> 
> Dan, thanks for the find. Though I'm curious what options are you using when 
> you run smatch to produce the "warn: XXX should 'inp_pfn +I' be a 64 bit 
> type" message? When I run smatch locally I don't see that message but I see 
> the other two and it is definitely a problem in the codebase that I'm looking 
> at. 
> 

These are things I'm still working on and haven't published yet.  It
feels like it should be a warning though.  I'm not certain the heuristic
to use here.  Sometimes people declare things as u64 when they don't
care.  Also Smatch tries to be clever about if the integer overflow is
actually possible but sometimes it still gets false positives.

regards,
dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

RE: Time for a code audit?

[Kershner, David A]

> -Original Message-
> From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> Sent: Friday, February 12, 2016 5:02 PM
> To: Romer, Benjamin M 
> Cc: gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org;
> Sell, Timothy C ; *S-Par-Maintainer
> 
> Subject: Re: Time for a code audit?
> 
> I looked at the Smatch warnings, plus some bonus stuff I'm still working
> on.
> 
> drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries()
> warn: XXX should 'inp_pfn + i' be a 64 bit type?
> 
> This is because the left side is u64 but we wrap at u32.
> 

Dan, thanks for the find. Though I'm curious what options are you using when 
you run smatch to produce the "warn: XXX should 'inp_pfn +I' be a 64 bit type" 
message? When I run smatch locally I don't see that message but I see the other 
two and it is definitely a problem in the codebase that I'm looking at. 

David 

> drivers/staging/unisys/visorbus/visorbus_main.c:787
> visordriver_probe_device() warn: 'sem:&dev->visordriver_callback_lock' is
> sometimes locked here and sometimes unlocked.
> drivers/staging/unisys/visorbus/visorchipset.c:542 toolaction_show() warn:
> XXX passing uninitialized 'tool_action'
> drivers/staging/unisys/visorbus/visorchipset.c:609 error_show() warn: XXX
> passing uninitialized 'error'
> drivers/staging/unisys/visorbus/visorchipset.c:639 textid_show() warn: XXX
> passing uninitialized 'text_id'
> drivers/staging/unisys/visorbus/visorchipset.c:669 remaining_steps_show()
> warn: XXX passing uninitialized 'remaining_steps'
> 
> These with XXX are if channel->nbytes is too small.
> 
> drivers/staging/unisys/visorbus/visorchipset.c:2217 visorchipset_ioctl() warn:
> user controlled 'adjustment' cast to postive rl = 's64min-s64max'
> 
> This is because we read a s64 and pass it to a function as u64.
> 
> Do an:  grep "rc = -1" drivers/staging/unisys/ -R
> 
> Also "if (rc != 0)" is a double negative.  != zero is good style when
> you are talking about the number zero or for strcmp() functions.
> 
> Ho ho ho.
> int maxdevnodes = ARRAY_SIZE(dev->devnodes) / sizeof(dev-
> >devnodes[0]);
> 
> You guys know that when I read
> drivers/staging/unisys/visorbus/visorbus_main.c there is still a lot
> that makes me itch.  All the unnecessary initialization to -1 and the
> goto aways.
> 
> char s[99];  Why 99?  Why s?  I'm not a fan of a lot of the naming.
> What is s?  What is x?
> 
> Blank lines after declaration sections.
> 
>781  fix_vbus_dev_info(dev);
>782  up(&dev->visordriver_callback_lock);
>783  rc = 0;
>784  away:
>785  if (rc != 0)
>786  put_device(&dev->device);
>787  return rc;
>788  }
> 
> This is like in my kitchen because when I'm making spaghetti I throw
> some against the wall to see if it is done and eventual the whole wall
> has tiny spots of pasta stuck to it.
> 
> I'm half way through the first file and this code is *almost* so close
> to being ready, but could you just go through it once more and do a
> final tidy up.
> 
> regards,
> dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Ben Romer]

On Sat, 2016-02-13 at 01:01 +0300, Dan Carpenter wrote:
> I looked at the Smatch warnings, plus some bonus stuff I'm still
> working
> on.
> 
> drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries()
> warn: XXX should 'inp_pfn + i' be a 64 bit type?
> 

Hi Dan,

Thank you for this list! We'll get started on fixing these issues
immediately. I've run Smatch using the make options 

O=../builds/testbuild CC=gcc-4.9 CHECK="smatch -p=kernel" C=1

but when I use it this way, I don't get that line where it complains
about the variable's size. What settings do you use?

If I can generate a list of problems that way across the whole driver
set, we can just resolve them all without having to bother you or Greg
until we have patches for them.

Thanks a ton for the review. :) 

-- Ben
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Dan Carpenter]

On Mon, Feb 15, 2016 at 05:35:01PM +, Sell, Timothy C wrote:
> Re spaghetti:
> 
> I certainly agree that most uses of 'goto' are evil.
> But I've found that when 'goto' is used to provide a single common
> exit-point for a function (e.g., "goto away"), it can lead to code
> that is much more readable and much less fragile than the alternative
> of sprinkling 'return's at various points within the function,
> especially when different clean-up actions are needed prior to each
> of those 'return's.
> 
> For me, knowing that there is exactly one place where a function can
> return (i.e., at the end), and exactly one place where we perform
> resource clean-ups (i.e., at the 'away' label) makes it easier to write
> correct code, and I think easier to understand.  'away' essentially
> fills a destructor-like role.
> 
> I don't consider such a use of 'goto' as 'spaghetti code'.
> 
> I agree that in trivial functions, this strategy would be overkill,
> and I suspect this may indeed be what is at the core of your
> argument against it.

I've written a lot about error handling.

https://plus.google.com/106378716002406849458/posts/dnanfhQ4mHQ

Do everything labels are the most error prone way of doing error
handling.  I discovered this because I look at a lot of error handling
code but it makes sense because doing everything is more complicated
than doing one thing.

I have also looked at does one err style error handling prevent future
bugs.  For example, when people introduce a new return -ENOMEM; without
dropping the lock, does it matter if there is an out: label at the
bottom of the function and basically it does not.  The people who don't
care about locks don't care about common exit paths either.

This style also causes future bugs when we change from a NULL on error
kmalloc(), copy_from_user() to an error pointer function like
kmemdup_user().  If you use canonical unwinding then you don't have that
problem because you don't free things which have not been allocated.

One err style causes bugs in the present and it causes bugs in the
future.  And empirically, historically it doesn't prevented people
from adding new returns in the middle of functions.

> >781  fix_vbus_dev_info(dev);
> >782  up(&dev->visordriver_callback_lock);
> >783  rc = 0;
> >784  away:
> >785  if (rc != 0)
> >786  put_device(&dev->device);
> >787  return rc;
> >788  }

What makes this spaghetti code is that we twist the error paths and the
success paths together.  I put it in my email because it was ugly, but
looking at it now I see it's also buggy.  It's hard to argue this
prevents future bugs when it is buggy right now as-is.

Of course, that's a sample size of one.  Let's look at the rest of
the file.

visorbus_match(), it's impossible to tell if the error codes are
intentional which is typical for do-nothing gotos.  The comment is not
totally helpful.

   343  away:
   344  if (rc < 0) {
   345  kfree(myattr);
   346  myattr = NULL;
   347  dev->devnodes[slot].attr = NULL;
   348  }
   349  return rc;
   350  }

Memory corruption.  Gar, Smatch should have caught this.

create_visor_device() has incomplete error handling.

  1460  rc = 0;
  1461  away:
  1462  if (rc < 0) {
  1463  if (notify_func)
  1464  (*notify_func)(dev, rc);
  1465  }
  1466  }

Hm...  This one is tricky.  rc is -1.  notify_func is either
visorchipset_device_pause_response() or device_resume_response().  I'm
a bit confused about ->pending_msg_hdr and how that is protected from
races.  We do "msg->hdr.completion_status = (u32)(-response);" where
response is -1.  It's hard to tell what's going on here.  I think
normally we pass positive error codes to response like
CONTROLVM_RESP_ERROR_DEVICE_UDEV_TIMEOUT (1400)?

That's the end of the file.  So most of the time if the away label does
something more complicated than printing a message and and returning
it's probably buggy.

regards,
dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

RE: Time for a code audit?

[Sell, Timothy C]

Re spaghetti:

I certainly agree that most uses of 'goto' are evil.
But I've found that when 'goto' is used to provide a single common
exit-point for a function (e.g., "goto away"), it can lead to code
that is much more readable and much less fragile than the alternative
of sprinkling 'return's at various points within the function,
especially when different clean-up actions are needed prior to each
of those 'return's.

For me, knowing that there is exactly one place where a function can
return (i.e., at the end), and exactly one place where we perform
resource clean-ups (i.e., at the 'away' label) makes it easier to write
correct code, and I think easier to understand.  'away' essentially
fills a destructor-like role.

I don't consider such a use of 'goto' as 'spaghetti code'.

I agree that in trivial functions, this strategy would be overkill,
and I suspect this may indeed be what is at the core of your
argument against it.

> -Original Message-
> From: Dan Carpenter [mailto:dan.carpen...@oracle.com]
> Sent: Friday, February 12, 2016 5:02 PM
> To: Romer, Benjamin M
> Cc: gre...@linuxfoundation.org; driverdev-devel@linuxdriverproject.org;
> Sell, Timothy C; *S-Par-Maintainer
> Subject: Re: Time for a code audit?
> 
> I looked at the Smatch warnings, plus some bonus stuff I'm still working
> on.
> 
> drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries()
> warn: inconsistent indenting
> drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries()
> warn: XXX should 'inp_pfn + i' be a 64 bit type?
> 
> This is because the left side is u64 but we wrap at u32.
> 
> drivers/staging/unisys/visorbus/visorbus_main.c:787
> visordriver_probe_device() warn: 'sem:&dev->visordriver_callback_lock' is
> sometimes locked here and sometimes unlocked.
> drivers/staging/unisys/visorbus/visorchipset.c:542 toolaction_show() warn:
> XXX passing uninitialized 'tool_action'
> drivers/staging/unisys/visorbus/visorchipset.c:609 error_show() warn: XXX
> passing uninitialized 'error'
> drivers/staging/unisys/visorbus/visorchipset.c:639 textid_show() warn: XXX
> passing uninitialized 'text_id'
> drivers/staging/unisys/visorbus/visorchipset.c:669 remaining_steps_show()
> warn: XXX passing uninitialized 'remaining_steps'
> 
> These with XXX are if channel->nbytes is too small.
> 
> drivers/staging/unisys/visorbus/visorchipset.c:2217 visorchipset_ioctl()
> warn: user controlled 'adjustment' cast to postive rl = 's64min-s64max'
> 
> This is because we read a s64 and pass it to a function as u64.
> 
> Do an:  grep "rc = -1" drivers/staging/unisys/ -R
> 
> Also "if (rc != 0)" is a double negative.  != zero is good style when
> you are talking about the number zero or for strcmp() functions.
> 
> Ho ho ho.
> int maxdevnodes = ARRAY_SIZE(dev->devnodes) / sizeof(dev-
> >devnodes[0]);
> 
> You guys know that when I read
> drivers/staging/unisys/visorbus/visorbus_main.c there is still a lot
> that makes me itch.  All the unnecessary initialization to -1 and the
> goto aways.
> 
> char s[99];  Why 99?  Why s?  I'm not a fan of a lot of the naming.
> What is s?  What is x?
> 
> Blank lines after declaration sections.
> 
>781  fix_vbus_dev_info(dev);
>782  up(&dev->visordriver_callback_lock);
>783  rc = 0;
>784  away:
>785  if (rc != 0)
>786  put_device(&dev->device);
>787  return rc;
>788  }
> 
> This is like in my kitchen because when I'm making spaghetti I throw
> some against the wall to see if it is done and eventual the whole wall
> has tiny spots of pasta stuck to it.
> 
> I'm half way through the first file and this code is *almost* so close
> to being ready, but could you just go through it once more and do a
> final tidy up.
> 
> regards,
> dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Greg KH]

On Fri, Feb 12, 2016 at 02:01:06PM -0500, Ben Romer wrote:
> Greg,
> 
> Thank you very much for taking our patches. All of us here appreciate
> it a lot. :) 
> 
> It looks to me like our driver set is clean as far as
> checkpatch.pl is concerned - there's one error, which was said to be
> acceptable as it was, and a small number of checks that can't be
> made any prettier.
> 
> I was hoping we could get started with the code audit and work on
> getting the drivers out of the staging tree. What's the best way to
> do that? 

For some reason I thought the "raw kobject" usage was going to be
converted to use 'struct device' so that you can then take advantage of
userspace tools to read/write the sysfs attributes properly (i.e.
libudev).  As long as they are kobjects, userspace is "blind" to them.

I know I've brought this up before, but I keep forgetting why the code
is this way.  If it can only be done with kobjects, then we need some
huge comments in the code as to why this is so.

Also, mostcore.h has a function that returns a kobject, that seems "odd"
to me, shouldn't it be returning a object type of your bus/subsystem
instead?

thanks,

greg k-h
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Time for a code audit?

[Dan Carpenter]

I looked at the Smatch warnings, plus some bonus stuff I'm still working
on.

drivers/staging/unisys/include/iochannel.h:592 add_physinfo_entries() warn: 
inconsistent indenting
drivers/staging/unisys/include/iochannel.h:596 add_physinfo_entries() warn: 
inconsistent indenting
drivers/staging/unisys/include/iochannel.h:600 add_physinfo_entries() warn: XXX 
should 'inp_pfn + i' be a 64 bit type?

This is because the left side is u64 but we wrap at u32.

drivers/staging/unisys/visorbus/visorbus_main.c:787 visordriver_probe_device() 
warn: 'sem:&dev->visordriver_callback_lock' is sometimes locked here and 
sometimes unlocked.
drivers/staging/unisys/visorbus/visorchipset.c:542 toolaction_show() warn: XXX 
passing uninitialized 'tool_action'
drivers/staging/unisys/visorbus/visorchipset.c:609 error_show() warn: XXX 
passing uninitialized 'error'
drivers/staging/unisys/visorbus/visorchipset.c:639 textid_show() warn: XXX 
passing uninitialized 'text_id'
drivers/staging/unisys/visorbus/visorchipset.c:669 remaining_steps_show() warn: 
XXX passing uninitialized 'remaining_steps'

These with XXX are if channel->nbytes is too small.

drivers/staging/unisys/visorbus/visorchipset.c:2217 visorchipset_ioctl() warn: 
user controlled 'adjustment' cast to postive rl = 's64min-s64max'

This is because we read a s64 and pass it to a function as u64.

Do an:  grep "rc = -1" drivers/staging/unisys/ -R

Also "if (rc != 0)" is a double negative.  != zero is good style when
you are talking about the number zero or for strcmp() functions.

Ho ho ho.
int maxdevnodes = ARRAY_SIZE(dev->devnodes) / sizeof(dev->devnodes[0]);

You guys know that when I read
drivers/staging/unisys/visorbus/visorbus_main.c there is still a lot
that makes me itch.  All the unnecessary initialization to -1 and the
goto aways.

char s[99];  Why 99?  Why s?  I'm not a fan of a lot of the naming.
What is s?  What is x?

Blank lines after declaration sections.

   781  fix_vbus_dev_info(dev);
   782  up(&dev->visordriver_callback_lock);
   783  rc = 0;
   784  away:
   785  if (rc != 0)
   786  put_device(&dev->device);
   787  return rc;
   788  }

This is like in my kitchen because when I'm making spaghetti I throw
some against the wall to see if it is done and eventual the whole wall
has tiny spots of pasta stuck to it.

I'm half way through the first file and this code is *almost* so close
to being ready, but could you just go through it once more and do a
final tidy up.

regards,
dan carpenter

___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Time for a code audit?

[Ben Romer]

Greg,

Thank you very much for taking our patches. All of us here appreciate
it a lot. :) 

It looks to me like our driver set is clean as far as
checkpatch.pl is concerned - there's one error, which was said to be
acceptable as it was, and a small number of checks that can't be
made any prettier.

I was hoping we could get started with the code audit and work on
getting the drivers out of the staging tree. What's the best way to
do that? 

Again, thanks for taking the time to put our cleanups in. :)

-- Ben
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel