Re: [Cocci] award for Coccinelle paper

[Vaishali Thakkar]

On Tue, Apr 24, 2018 at 4:42 PM, Julia Lawall  wrote:
> The 2008 Eurosys paper:
>
> Documenting and automating collateral evolutions in Linux device drivers.
>
> received the Eurosys "Test of Time" award.  Many thanks to everyone on
> this list who has helped to make this possible.

Wow, that's amazing. Congratulations to all who worked on this brilliant
tool. Thanks for your work.

> thanks,
> julia
> ___
> Cocci mailing list
> Cocci@systeme.lip6.fr
> https://systeme.lip6.fr/mailman/listinfo/cocci
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v2] Coccinelle: api: Add offset_in_page.cocci

[Vaishali Thakkar]

Use of offset_in_page is preferable instead of open coding.
This patch adds coccinelle script for suggesting the use of
macro offset_in_page.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v1:
- Add parenthesis around rule for patch mode to avoid
  extra parenthesis in end result
---
 scripts/coccinelle/api/offset_in_page.cocci | 77 +
 1 file changed, 77 insertions(+)
 create mode 100644 scripts/coccinelle/api/offset_in_page.cocci

diff --git a/scripts/coccinelle/api/offset_in_page.cocci 
b/scripts/coccinelle/api/offset_in_page.cocci
new file mode 100644
index 000..4034864
--- /dev/null
+++ b/scripts/coccinelle/api/offset_in_page.cocci
@@ -0,0 +1,77 @@
+/// Use offset_in_page instead of duplicating its implementation
+///
+// Confidence: High
+// Copyright: (C) 2017 Vaishali Thakkar, Oracle. GPLv2.
+// Options: --no-includes --include-headers
+// Keywords: offset_in_page
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+@r_patch depends on patch@
+expression e;
+identifier i;
+@@
+- unsigned long i = (unsigned long)e & ~PAGE_MASK;
+...
+- i
++ offset_in_page(e)
+
+@r1_patch depends on patch@
+expression e1;
+@@
+
+(
+- ((unsigned long)e1 & ~PAGE_MASK)
++ offset_in_page(e1)
+|
+- ((unsigned long)e1 % PAGE_SIZE)
++ offset_in_page(e1)
+)
+
+@r_context depends on !patch@
+expression e;
+identifier i;
+position p;
+@@
+
+* unsigned long i = (unsigned long)e@p & ~PAGE_MASK;
+...
+* i
+
+@r1_context depends on !patch@
+expression e1;
+position p1;
+@@
+
+(
+* (unsigned long)e1@p1 & ~PAGE_MASK
+|
+* (unsigned long)e1@p1 % PAGE_SIZE
+)
+
+@script:python depends on org@
+p << r_context.p;
+@@
+
+coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on org@
+p << r1_context.p1;
+@@
+
+coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on report@
+p << r_context.p;
+@@
+
+coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on report@
+p << r1_context.p1;
+@@
+
+coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page")
-- 
2.7.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH] Coccinelle: api: Add offset_in_page.cocci

[Vaishali Thakkar]

Use of offset_in_page is preferable instead of open coding.
This patch adds coccinelle script for suggesting the use of
macro offset_in_page.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/api/offset_in_page.cocci | 77 +
 1 file changed, 77 insertions(+)
 create mode 100644 scripts/coccinelle/api/offset_in_page.cocci

diff --git a/scripts/coccinelle/api/offset_in_page.cocci 
b/scripts/coccinelle/api/offset_in_page.cocci
new file mode 100644
index 000..d083109
--- /dev/null
+++ b/scripts/coccinelle/api/offset_in_page.cocci
@@ -0,0 +1,77 @@
+/// Use offset_in_page instead of duplicating its implementation
+///
+// Confidence: High
+// Copyright: (C) 2017 Vaishali Thakkar, Oracle. GPLv2.
+// Options: --no-includes --include-headers
+// Keywords: offset_in_page
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+@r_patch depends on patch@
+expression e;
+identifier i;
+@@
+- unsigned long i = (unsigned long)e & ~PAGE_MASK;
+...
+- i
++ offset_in_page(e)
+
+@r1_patch depends on patch@
+expression e1;
+@@
+
+(
+- (unsigned long)e1 & ~PAGE_MASK
++ offset_in_page(e1)
+|
+- (unsigned long)e1 % PAGE_SIZE
++ offset_in_page(e1)
+)
+
+@r_context depends on !patch@
+expression e;
+identifier i;
+position p;
+@@
+
+* unsigned long i = (unsigned long)e@p & ~PAGE_MASK;
+...
+* i
+
+@r1_context depends on !patch@
+expression e1;
+position p1;
+@@
+
+(
+* (unsigned long)e1@p1 & ~PAGE_MASK
+|
+* (unsigned long)e1@p1 % PAGE_SIZE
+)
+
+@script:python depends on org@
+p << r_context.p;
+@@
+
+coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on org@
+p << r1_context.p1;
+@@
+
+coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on report@
+p << r_context.p;
+@@
+
+coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page")
+
+@script:python depends on report@
+p << r1_context.p1;
+@@
+
+coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page")
-- 
2.7.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] position confusion?

[Vaishali Thakkar]

On Saturday 28 January 2017 01:48 PM, Johannes Berg wrote:

On Sat, 2017-01-28 at 12:10 +0530, Vaishali Thakkar wrote:

On Saturday 28 January 2017 04:40 AM, Johannes Berg wrote:

This is nonsense, but I don't see why it shouldn't parse:


Hi,


@a@
type T;
identifier x;
position p;
@@
T x@p = { };

@b@
type T;
identifier x;
position p;


This should be "position p != a.p;".


That has no effect on the point I was trying to make. I told you the
spatch was nonsense ... :)


@@
T x@p = { };

@@
position p != a.p;
position q != b.p;


And here no need to put constraint for q.


There was no need to put a constraint anyway, again, the whole patch
made no sense. But assume I wanted to have p and q in different
positions, or whatever. Note that I didn't even *use* @p in the rule,
so you're making wrong assumptions.


Got your point now. Just tried to solve the parsing error in the 
previous mail. :)



position p != {a.p, b.p};


Nevertheless, that's something I learned.

johannes



___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] position confusion?

[Vaishali Thakkar]

On Saturday 28 January 2017 04:40 AM, Johannes Berg wrote:

This is nonsense, but I don't see why it shouldn't parse:


Hi,


@a@
type T;
identifier x;
position p;
@@
T x@p = { };

@b@
type T;
identifier x;
position p;


This should be "position p != a.p;".


@@
T x@p = { };

@@
position p != a.p;
position q != b.p;


And here no need to put constraint for q.

position p != {a.p, b.p};
position q;


type T;
identifier x;
@@
*T x@q = {};

->
148 149
Fatal error: exception Failure("meta: parse error: \n = File \"/tmp/test.spatch\", 
line 17, column 16,  charpos = 148\naround = 'p', whole content = position q != b.p;\n")


if I replace 'p' by 'q' in @b@, it works fine?

johannes
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci



___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user

[Vaishali Thakkar]

On Wednesday 11 January 2017 07:40 AM, Pengfei Wang wrote:



在 2017年1月11日，上午1:46，Vaishali Thakkar <vaishali.thak...@oracle.com
<mailto:vaishali.thak...@oracle.com>> 写道：

On Tuesday 10 January 2017 02:32 PM, Pengfei Wang wrote:



在 2017年1月10日，下午4:40，Vaishali Thakkar <vaishali.thak...@oracle.com
<mailto:vaishali.thak...@oracle.com>> 写道：

On Tuesday 10 January 2017 01:51 PM, Pengfei Wang wrote:



在 2017年1月10日，上午1:05，Vaishali Thakkar <vaishali.thak...@oracle.com
<mailto:vaishali.thak...@oracle.com>> 写道：

On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote:

I totally dropped the ball on this.  Many thanks to Vaishali for
resurrecting it.

Some changes are suggested below.

On Tue, 26 Apr 2016, Kees Cook wrote:


This is usually a sign of a resized request. This adds a check for
potential races or confusions. The check isn't 100% accurate, so it
needs some manual review.

Signed-off-by: Kees Cook <keesc...@chromium.org
<mailto:keesc...@chromium.org>>
---
scripts/coccinelle/tests/reusercopy.cocci | 36
+++
1 file changed, 36 insertions(+)
create mode 100644 scripts/coccinelle/tests/reusercopy.cocci

diff --git a/scripts/coccinelle/tests/reusercopy.cocci
b/scripts/coccinelle/tests/reusercopy.cocci
new file mode 100644
index ..53645de8ae95
--- /dev/null
+++ b/scripts/coccinelle/tests/reusercopy.cocci
@@ -0,0 +1,36 @@
+/// Recopying from the same user buffer frequently indicates a pattern of
+/// Reading a size header, allocating, and then re-reading an entire
+/// structure. If the structure's size is not re-validated, this can lead
+/// to structure or data size confusions.
+///
+// Confidence: Moderate
+// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: -no_includes -include_headers


The options could be: --no-include --include-headers

Actually, Coccinelle supports both, but it only officially supports the
-- versions.


+
+virtual report
+virtual org


Add, the following for the *s:

virtual context

Then add the following rule:

@ok@
position p;
expression src,dest;
@@

copy_from_user@p(, src, sizeof(dest))


+
+@cfu_twice@
+position p;


Change this to:

position p != ok.p;


+identifier src;
+expression dest1, dest2, size1, size2, offset;
+@@
+
+*copy_from_user(dest1, src, size1)
+ ... when != src = offset
+ when != src += offset


Here, may be we should add few more lines from Pengfei's
script to avoid th potential FPs.


Add the following lines:

  when != if (size2 > e1 || ...) { ... return ...; }
  when != if (size2 > e1 || ...) { ... size2 = e2 ... }

These changes drop cases where the last argument to copy_from_usr is the
size of the first argument, which seems safe enough, and where there is a
test on the size value that can either update it or abort the function.
These changes only eliminate false positives, as far as I could tell.

If it would be more convenient, I could just send the complete revised
patch, or whatever seems convenient.


I was also thinking that probably we should also add other user space
memory API functions. May be get_user and strncpy_from_user. Although I'm
not sure how common it is to find such patterns for both of these functions.


I strongly recommend you adding get_user() API , which is used pervasively
within the kernel just like copy_from user().


Sure. I have changed regetuser-wang.cocci from Kees's RFC patches to
include everything in the pattern matching rule. I'll send that as well.


In many situations, there is a combination use, get_user() copies first then
followed by a copy_from_user() copy. According to our investigation, this
typical
situation works by get_user() firstly copying a field of a specific struct
to check,
then copy_from_user() copies in the whole struct to use. Of course, the struct
field is fetch twice.


Do you mean that there is a problem when we have get_user() followed by
copy_from_user()? Basically something like
this:

get_user(..., src.arg) //where src.arg = field of a structure
...
copy_from_user(..., src, ...) //where src is a whole structure

If that is the case then we would need to have one more new script
or rule for such kind of combinational patterns. Disjunction can
probably give FPs.


Yes, I’ve seen these cases when examining the source code. Actually, copying
a field
first and then copying the whole struct is very common in the kernel
especially the driver.
For example, when a struct (or a message as we call it) is variable length,
the first copy is
used to check its size field, and allocate a kernel buffer based on it, then
the second copy is
to copy the whole message also based on the size. There are also situations
of the
variable type messages.

The reason that they use get_user() instead of copy_from_user() for the first
copy is because
get_user() is defined as a macro, which works faster than a function call
that copy_from_user() does
wh

Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches

[Vaishali Thakkar]

On Wednesday 11 January 2017 05:34 AM, Kees Cook wrote:

On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawall  wrote:

OK, I have the impression that what you are looking for is the following,
that currently does not seem to work well. Still maybe it gives an idea.

The basic pattern is the following sequence:

1. copy_from_user
2. test on a field of the copied value
3. another copy_from_user
4. a use of the same field as tested in step 2 from the structure obtained
by the second copy_from_user or a function call with the structure as an
argument


This looks pretty good!


In the case where the second copy_from_user stores the result in a
pointer, then a return with no reference of the tested field is also a
concern, unless, the pointer was already kfreed.


I think sequence "2" above missing just looking at a direct value,
like if instead of a field it was a u32. Also, should binop include
"=="?

And we need to add back in get_user() too... hmmm


May be having a separate script for get_user would be a good idea. 
get_user needs few more tests than copy_from_user. Also, for the both 
cases we can later add multi-function handling rules. And for the 
get_user, may be combinational usage rule as well.



-Kees



___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user

[Vaishali Thakkar]

On Tuesday 10 January 2017 02:32 PM, Pengfei Wang wrote:



在 2017年1月10日，下午4:40，Vaishali Thakkar <vaishali.thak...@oracle.com> 写道：

On Tuesday 10 January 2017 01:51 PM, Pengfei Wang wrote:



在 2017年1月10日，上午1:05，Vaishali Thakkar <vaishali.thak...@oracle.com> 写道：

On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote:

I totally dropped the ball on this.  Many thanks to Vaishali for
resurrecting it.

Some changes are suggested below.

On Tue, 26 Apr 2016, Kees Cook wrote:


This is usually a sign of a resized request. This adds a check for
potential races or confusions. The check isn't 100% accurate, so it
needs some manual review.

Signed-off-by: Kees Cook <keesc...@chromium.org>
---
scripts/coccinelle/tests/reusercopy.cocci | 36 +++
1 file changed, 36 insertions(+)
create mode 100644 scripts/coccinelle/tests/reusercopy.cocci

diff --git a/scripts/coccinelle/tests/reusercopy.cocci 
b/scripts/coccinelle/tests/reusercopy.cocci
new file mode 100644
index ..53645de8ae95
--- /dev/null
+++ b/scripts/coccinelle/tests/reusercopy.cocci
@@ -0,0 +1,36 @@
+/// Recopying from the same user buffer frequently indicates a pattern of
+/// Reading a size header, allocating, and then re-reading an entire
+/// structure. If the structure's size is not re-validated, this can lead
+/// to structure or data size confusions.
+///
+// Confidence: Moderate
+// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: -no_includes -include_headers


The options could be: --no-include --include-headers

Actually, Coccinelle supports both, but it only officially supports the
-- versions.


+
+virtual report
+virtual org


Add, the following for the *s:

virtual context

Then add the following rule:

@ok@
position p;
expression src,dest;
@@

copy_from_user@p(, src, sizeof(dest))


+
+@cfu_twice@
+position p;


Change this to:

position p != ok.p;


+identifier src;
+expression dest1, dest2, size1, size2, offset;
+@@
+
+*copy_from_user(dest1, src, size1)
+ ... when != src = offset
+ when != src += offset


Here, may be we should add few more lines from Pengfei's
script to avoid th potential FPs.


Add the following lines:

   when != if (size2 > e1 || ...) { ... return ...; }
   when != if (size2 > e1 || ...) { ... size2 = e2 ... }

These changes drop cases where the last argument to copy_from_usr is the
size of the first argument, which seems safe enough, and where there is a
test on the size value that can either update it or abort the function.
These changes only eliminate false positives, as far as I could tell.

If it would be more convenient, I could just send the complete revised
patch, or whatever seems convenient.


I was also thinking that probably we should also add other user space memory 
API functions. May be get_user and strncpy_from_user. Although I'm not sure how 
common it is to find such patterns for both of these functions.


I strongly recommend you adding get_user() API , which is used pervasively
within the kernel just like copy_from user().


Sure. I have changed regetuser-wang.cocci from Kees's RFC patches to
include everything in the pattern matching rule. I'll send that as well.


In many situations, there is a combination use, get_user() copies first then
followed by a copy_from_user() copy. According to our investigation, this 
typical
situation works by get_user() firstly copying a field of a specific struct to 
check,
then copy_from_user() copies in the whole struct to use. Of course, the struct
field is fetch twice.


Do you mean that there is a problem when we have get_user() followed by 
copy_from_user()? Basically something like
this:

get_user(..., src.arg) //where src.arg = field of a structure
...
copy_from_user(..., src, ...) //where src is a whole structure

If that is the case then we would need to have one more new script
or rule for such kind of combinational patterns. Disjunction can
probably give FPs.


Yes, I’ve seen these cases when examining the source code. Actually, copying a 
field
first and then copying the whole struct is very common in the kernel especially 
the driver.
For example, when a struct (or a message as we call it) is variable length, the 
first copy is
used to check its size field, and allocate a kernel buffer based on it, then 
the second copy is
to copy the whole message also based on the size. There are also situations of 
the
variable type messages.

The reason that they use get_user() instead of copy_from_user() for the first 
copy is because
get_user() is defined as a macro, which works faster than a function call that 
copy_from_user() does
when copy simple data type such as char and int.


I see. If possible, can you point me to a code or actual bug
[reported by you or others] which has this kind of pattern
particularly?

I wrote a separate rule for the kind of pattern you have
described but I am not sure if this kind of code is s

Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches

[Vaishali Thakkar]

On Tue, Jan 10, 2017 at 1:31 PM, Julia Lawall  wrote:
>
>
> On Tue, 10 Jan 2017, Pengfei Wang wrote:
>
>>
>> > 在 2017年1月10日，下午2:06，Julia Lawall  写道：
>> >
>> >
>> >
>> > On Mon, 9 Jan 2017, Kees Cook wrote:
>> >
>> >> Okay, this adds a few tests, for people to examine.
>> >>
>> >> reusercopy-cook.cocci:
>> >> My original test, with recent updates from Julia.
>> >>
>> >> reusercopy-wang.cocci:
>> >> This is Pengfei's test, but with heavily modified reporting to fit in the
>> >> kernel coccicheck target, and with all the getuser checks removed so that
>> >> Julia's size test could be added (this lets us compare the results between
>> >> this and my original test).
>> >
>> > Thanks for the update.
>> >
>> > I'm not enthusiastic about all the python filtering.  It would be better
>> > to try to put it into the pattern matching rules.
>>
>> I agree with that. I used the python filtering because I could not filter 
>> out the false
>> positives with the rules since I was a beginner to Coccinelle. I encourage 
>> you to use
>> the pattern matching rules if possible.
>> >
>> > I'm not sure what is the point of func in the various rules.  Is there a
>> > need to ensure that the pattern appears only once in a function definition?
>>
>> It is unnecessary to use the “func” as long as it won’t cause an error when 
>> running the script.
>> I used it because we found that this pattern usually takes place within a 
>> function. The pattern
>> is not necessarily to appear only once, and our approach should be able to 
>> match multiple
>> occurrences of this pattern within one function.
>>
>> However, our approach currently cannot match an inter-function pattern, 
>> within which the two
>> copy operations reside in two functions respectively. The first function 
>> copies the user data first,
>> and it calls the second function, then within the second function, the user 
>> data is copied again
>> and used. This situation actually exists(CVE-2016-6516), and could cause bad 
>> consequences.

Thanks for the inputs on this issue. Indeed finding things under one
function are
obvious cases. /kernel/kexec_core.c was removed from the output because of
that approach. This can be easily done in the reusercopy-cook.cocci as well.

Also, reusercopy-wang.cocci  finds few more cases. I have done few changes in
reusercopy-cook.cocci to cover them in pattern matching rule only so
that we don't
need the whole python rule from reusercopy-wang.cocci. Was supposed to send it
but now that you have mentioned the issue with the inter function
pattern, let me try
to see if we can do that with Coccinelle. As far as it is within a
single file, I think
coccinelle would be able to do that. I'll send my proposed changes
after testing the
inter function pattern.

>> I also suggest adding more copy function APIs, such as strncpy_from_user(). 
>> I didn’t do so for
>> two reasons.
>> 1. My script already looks redundant and I’m trying to use a better 
>> structure.
>> 2. The other copy functions are not so prevalent as the four I used.
>> But adding more copy functions could make it more accurate.

I'll check about strncpy_from_user once we will have a coccinelle
script in a good shape
for both of these cases.

Thanks!

>> Please feel free to contact me if you have any questions about my script.
>
> Thanks for the feedback!  Indeed Coccinelle is not well adapted to
> interprocedural analysis, but it could be added to a limited extent, eg
> one level of function call if it seems useful, once the rest is in good
> shape.
>
> julia
>
>
>>
>> Regards
>> Pengfei
>>
>> >
>> > I'll look at this in more detail this evening, and try to remove more false
>> > positives.  If you know of some specifically, please let me know what they 
>> > are.
>> >
>> > thanks,
>> > julia
>> >
>> >
>> >>
>> >> regetuser-wang.cocci:
>> >> This is Pengfei's get_user() tests only (to compare against hits from just
>> >> the copy_from_user() tests).
>> >>
>> >> Comparing reusercopy-cook.cocci with reusercopy-wang.cocci:
>> >> -./arch/ia64/kernel/perfmon.c:4833
>> >> +./arch/powerpc/kernel/signal_32.c:742
>> >> +./arch/powerpc/kernel/signal_32.c:850
>> >> ./arch/powerpc/platforms/powernv/opal-prd.c:248
>> >> ./drivers/acpi/custom_method.c:54
>> >> -./drivers/firmware/efi/test/efi_test.c:617
>> >> -./drivers/hid/hid-picolcd_debugfs.c:283
>> >> +./drivers/gpu/drm/radeon/radeon_cs.c:635
>> >> ./drivers/hwtracing/stm/core.c:580
>> >> ./drivers/isdn/i4l/isdn_ppp.c:875
>> >> ./drivers/md/dm-ioctl.c:1741
>> >> -./drivers/misc/mic/vop/vop_vringh.c:775
>> >> +./drivers/md/md.c:7030
>> >> +./drivers/misc/lkdtm_usercopy.c:106
>> >> +./drivers/misc/lkdtm_usercopy.c:160
>> >> +./drivers/misc/lkdtm_usercopy.c:232
>> >> ./drivers/misc/mic/vop/vop_vringh.c:944
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2159
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2257
>> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2302
>> >> 

Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user

[Vaishali Thakkar]

On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote:

I totally dropped the ball on this.  Many thanks to Vaishali for
resurrecting it.

Some changes are suggested below.

On Tue, 26 Apr 2016, Kees Cook wrote:


This is usually a sign of a resized request. This adds a check for
potential races or confusions. The check isn't 100% accurate, so it
needs some manual review.

Signed-off-by: Kees Cook 
---
 scripts/coccinelle/tests/reusercopy.cocci | 36 +++
 1 file changed, 36 insertions(+)
 create mode 100644 scripts/coccinelle/tests/reusercopy.cocci

diff --git a/scripts/coccinelle/tests/reusercopy.cocci 
b/scripts/coccinelle/tests/reusercopy.cocci
new file mode 100644
index ..53645de8ae95
--- /dev/null
+++ b/scripts/coccinelle/tests/reusercopy.cocci
@@ -0,0 +1,36 @@
+/// Recopying from the same user buffer frequently indicates a pattern of
+/// Reading a size header, allocating, and then re-reading an entire
+/// structure. If the structure's size is not re-validated, this can lead
+/// to structure or data size confusions.
+///
+// Confidence: Moderate
+// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: -no_includes -include_headers


The options could be: --no-include --include-headers

Actually, Coccinelle supports both, but it only officially supports the
-- versions.


+
+virtual report
+virtual org


Add, the following for the *s:

virtual context

Then add the following rule:

@ok@
position p;
expression src,dest;
@@

copy_from_user@p(, src, sizeof(dest))


+
+@cfu_twice@
+position p;


Change this to:

position p != ok.p;


+identifier src;
+expression dest1, dest2, size1, size2, offset;
+@@
+
+*copy_from_user(dest1, src, size1)
+ ... when != src = offset
+ when != src += offset


Here, may be we should add few more lines from Pengfei's
script to avoid th potential FPs.


Add the following lines:

 when != if (size2 > e1 || ...) { ... return ...; }
 when != if (size2 > e1 || ...) { ... size2 = e2 ... }

These changes drop cases where the last argument to copy_from_usr is the
size of the first argument, which seems safe enough, and where there is a
test on the size value that can either update it or abort the function.
These changes only eliminate false positives, as far as I could tell.

If it would be more convenient, I could just send the complete revised
patch, or whatever seems convenient.


I was also thinking that probably we should also add other user space 
memory API functions. May be get_user and strncpy_from_user. Although 
I'm not sure how common it is to find such patterns for both of these 
functions.



thanks,
julia


+*copy_from_user@p(dest2, src, size2)
+
+@script:python depends on org@
+p << cfu_twice.p;
+@@
+
+cocci.print_main("potentially dangerous second copy_from_user()",p)
+
+@script:python depends on report@
+p << cfu_twice.p;
+@@
+
+coccilib.report.print_report(p[0],"potentially dangerous second 
copy_from_user()")
--
2.6.3


--
Kees Cook
Chrome OS & Brillo Security


___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci



___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v4 2/3] Coccinelle: misc: Improve the result given by context mode

[Vaishali Thakkar]

To eliminate false positives given by the context mode, add
necessary arguments for the function request_threaded_irq.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
Acked-by: Julia Lawall <julia.law...@lip6.fr>
---
Changes since v3:
- No changes in this patch
Changes since v2:
- Add missing declaration of metavariable irq
Changes since v1:
- Split patch in to the patch set
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index bd3e140..cec3672 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -79,9 +79,10 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
+expression irq;
 position p != {r1.p,r2.p};
 @@
-*request_threaded_irq@p(...)
+*request_threaded_irq@p(irq, NULL, ...)
 
 @match depends on report || org@
 expression irq;
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v4 1/3] Coccinelle: misc: Improve the matching of rules

[Vaishali Thakkar]

Currently because of the left associativity of the operators, pattern
IRQF_ONESHOT | flags does not match with the pattern when we have more
than one flag after the disjunction. This eventually results in giving
false positives by the script. This patch eliminates these FPs by
improving the rule.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v3:
- Few more changes in the script to avoid some
  possible false positives
- Moved initialization of all expressions in a single line
Changes since v2:
- No change in this patch
Changes since v1:
- Splitted patch in the patchset
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 36 +++---
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index b421150..bd3e140 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -15,16 +15,13 @@ virtual org
 virtual report
 
 @r1@
-expression dev;
-expression irq;
-expression thread_fn;
-expression flags;
+expression dev, irq, thread_fn;
 position p;
 @@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
@@ -32,21 +29,34 @@ IRQF_ONESHOT
 |
 devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
 , ...)
 )
 
-@depends on patch@
-expression dev;
-expression irq;
-expression thread_fn;
-expression flags;
+@r2@
+expression dev, irq, thread_fn, flags, e;
 position p != r1.p;
 @@
 (
+flags = IRQF_ONESHOT | ...
+|
+flags |= IRQF_ONESHOT | ...
+)
+... when != flags = e
+(
+request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+)
+
+@depends on patch@
+expression dev, irq, thread_fn, flags;
+position p != {r1.p,r2.p};
+@@
+(
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
 -0
@@ -69,13 +79,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 *request_threaded_irq@p(...)
 
 @match depends on report || org@
 expression irq;
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 request_threaded_irq@p(irq, NULL, ...)
 
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v4 0/3] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

Few changes to improve the results given by the irqf_oneshot.cocci:

- Change in the matching rules to eliminate false postives in the
  patch mode
- Change in the context mode to eliminate false postives in the
  context mode
- Support for the missing devm_request_threaded_irq in context, report
  and org mode

Changes since v3:
- Few more changes in the script to avoid some
  possible false positives
- Moved initialization of all expressions in a single line 
Changes since v2:
- Add missing initialization of metavariables
Changes since v1:
- Split patch in to the patchset

Vaishali Thakkar (3):
  Coccinelle: misc: Improve the matching of rules
  Coccinelle: misc: Improve the result given by context mode
  Coccinelle: misc: Add support for devm variant in all modes

 scripts/coccinelle/misc/irqf_oneshot.cocci | 52 +-
 1 file changed, 36 insertions(+), 16 deletions(-)

-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH v3 1/3] Coccinelle: misc: Improve the matching of rules

[Vaishali Thakkar]

On Saturday 12 November 2016 11:36 PM, Julia Lawall wrote:
> 
> 
> On Mon, 24 Oct 2016, Vaishali Thakkar wrote:
> 
>> Currently because of the left associativity of the operators, pattern
>> IRQF_ONESHOT | flags does not match with the pattern when we have more
>> than one flag after the disjunction. This eventually results in giving
>> false positives by the script. This patch eliminates these FPs by
>> improving the rule.
>>
>> Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
>> ---
>> Changes since v2:
>>  - No change in this patch
>> Changes since v1:
>>  - Splitted patch in the patchset
>> ---
>>  scripts/coccinelle/misc/irqf_oneshot.cocci | 30 
>> --
>>  1 file changed, 24 insertions(+), 6 deletions(-)
>>
>> diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
>> b/scripts/coccinelle/misc/irqf_oneshot.cocci
>> index b421150..a8537fb 100644
>> --- a/scripts/coccinelle/misc/irqf_oneshot.cocci
>> +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
>> @@ -18,13 +18,12 @@ virtual report
>>  expression dev;
>>  expression irq;
>>  expression thread_fn;
>> -expression flags;
>>  position p;
>>  @@
>>  (
>>  request_threaded_irq@p(irq, NULL, thread_fn,
>>  (
>> -flags | IRQF_ONESHOT
>> +IRQF_ONESHOT | ...
>>  |
>>  IRQF_ONESHOT
>>  )
>> @@ -32,20 +31,39 @@ IRQF_ONESHOT
>>  |
>>  devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
>>  (
>> -flags | IRQF_ONESHOT
>> +IRQF_ONESHOT | ...
>>  |
>>  IRQF_ONESHOT
>>  )
>>  , ...)
>>  )
>>
>> -@depends on patch@
>> +@r2@
>>  expression dev;
>>  expression irq;
>>  expression thread_fn;
>>  expression flags;
>> +expression ret;
>>  position p != r1.p;
>>  @@
>> +flags = IRQF_ONESHOT | ...;
>> +(
>> +ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
>> +|
>> +ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
>> +|
>> +return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
>> +|
>> +return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
>> +)
> 
> This rule needs some improvement.
> 
> flags = IRQF_ONESHOT | ...;
> 
> should be replaced by:
> 
> (
> flags = IRQF_ONESHOT | ...
> |
> flags |= IRQF_ONESHOT | ...
> )
> ... when != flags = e
> 
> where e should be a new expression metavariable.  This effects a number of
> changes.  1) Dropping the ; after the assignment allows an isomorphism to
> trigger that allows it to match a variable declaration as well, 2)
> IRQF_ONESHOT can be added after the original initialization by a |=, 3)
> there can be some instructions between the initialization of flags and the
> use.

Ok, this makes sense.

> Afterwards, the big disjunction with the irq calls is too specific.
> In particular, these calls can also occur in an if test.  The disjunction
> should be replaced by the following:
> 
> (
> request_threaded_irq@p(irq, NULL, thread_fn, flags, ...)
> |
> devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...)
> )

Ok, primary motivation with having specified pattern was to have less
running time. But as discussed, it doesn't make much difference. So,
going with the more general way sounds good. 

Thanks for the suggestions. I'll send the the revised version with these
changes.

> julia
> 
> 
>> +
>> +@depends on patch@
>> +expression dev;
>> +expression irq;
>> +expression thread_fn;
>> +expression flags;
>> +position p != {r1.p,r2.p};
>> +@@
>>  (
>>  request_threaded_irq@p(irq, NULL, thread_fn,
>>  (
>> @@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
>>  )
>>
>>  @depends on context@
>> -position p != r1.p;
>> +position p != {r1.p,r2.p};
>>  @@
>>  *request_threaded_irq@p(...)
>>
>>  @match depends on report || org@
>>  expression irq;
>> -position p != r1.p;
>> +position p != {r1.p,r2.p};
>>  @@
>>  request_threaded_irq@p(irq, NULL, ...)
>>
>> --
>> 2.1.4
>>
>>

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v3 3/3] Coccinelle: misc: Add support for devm variant in all modes

[Vaishali Thakkar]

Add missing support for the devm_request_threaded_irq in
the rules of context, report and org modes.

Misc:

To be consistent with other scripts, change confidence level
of the script to 'Moderate'.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v2:
- Add missing initialization of metavariables
Changes since v1:
- Split patch in to the patchset
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index e53372e..ca78125 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -5,7 +5,7 @@
 /// So pass the IRQF_ONESHOT flag in this case.
 ///
 //
-// Confidence: Good
+// Confidence: Moderate
 // Comments:
 // Options: --no-includes
 
@@ -87,16 +87,26 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
+expression dev;
 expression irq;
 position p != {r1.p,r2.p};
 @@
+(
 *request_threaded_irq@p(irq, NULL, ...)
+|
+*devm_request_threaded_irq@p(dev, irq, NULL, ...)
+)
 
 @match depends on report || org@
+expression dev;
 expression irq;
 position p != {r1.p,r2.p};
 @@
+(
 request_threaded_irq@p(irq, NULL, ...)
+|
+devm_request_threaded_irq@p(dev, irq, NULL, ...)
+)
 
 @script:python depends on org@
 p << match.p;
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v3 1/3] Coccinelle: misc: Improve the matching of rules

[Vaishali Thakkar]

Currently because of the left associativity of the operators, pattern
IRQF_ONESHOT | flags does not match with the pattern when we have more
than one flag after the disjunction. This eventually results in giving
false positives by the script. This patch eliminates these FPs by
improving the rule.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v2:
- No change in this patch
Changes since v1:
- Splitted patch in the patchset
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 30 --
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index b421150..a8537fb 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -18,13 +18,12 @@ virtual report
 expression dev;
 expression irq;
 expression thread_fn;
-expression flags;
 position p;
 @@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
@@ -32,20 +31,39 @@ IRQF_ONESHOT
 |
 devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
 , ...)
 )
 
-@depends on patch@
+@r2@
 expression dev;
 expression irq;
 expression thread_fn;
 expression flags;
+expression ret;
 position p != r1.p;
 @@
+flags = IRQF_ONESHOT | ...;
+(
+ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+|
+return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+)
+
+@depends on patch@
+expression dev;
+expression irq;
+expression thread_fn;
+expression flags;
+position p != {r1.p,r2.p};
+@@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
@@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 *request_threaded_irq@p(...)
 
 @match depends on report || org@
 expression irq;
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 request_threaded_irq@p(irq, NULL, ...)
 
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v3 0/3] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

Few changes to improve the results given by the irqf_oneshot.cocci:

- Change in the matching rules to eliminate false postives in the
  patch mode
- Change in the context mode to eliminate false postives in the
  context mode
- Support for the missing devm_request_threaded_irq in context, report
  and org mode

Changes since v2:
- Add missing initialization of metavariables
Changes since v1:
- Split patch in to the patchset

Vaishali Thakkar (3):
  Coccinelle: misc: Improve the matching of rules
  Coccinelle: misc: Improve the result given by context mode
  Coccinelle: misc: Add support for devm variant in all modes

 scripts/coccinelle/misc/irqf_oneshot.cocci | 45 --
 1 file changed, 37 insertions(+), 8 deletions(-)

-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v3 2/3] Coccinelle: misc: Improve the result given by context mode

[Vaishali Thakkar]

To eliminate false positives given by the context mode, add
necessary arguments for the function request_threaded_irq.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v2:
- Add missing declaration of metavariable irq
Changes since v1:
- Split patch in to the patch set
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index a8537fb..e53372e 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -87,9 +87,10 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
+expression irq;
 position p != {r1.p,r2.p};
 @@
-*request_threaded_irq@p(...)
+*request_threaded_irq@p(irq, NULL, ...)
 
 @match depends on report || org@
 expression irq;
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

On Tuesday 18 October 2016 10:31 PM, Julia Lawall wrote:
> 
> 
> On Tue, 18 Oct 2016, Vaishali Thakkar wrote:
> 
>>
>>
>> On Tuesday 18 October 2016 10:04 PM, Julia Lawall wrote:
>>> I get the following in patch mode that I don't get in context mode:
>>
>> Hi,
>>
>> Are you getting same number of devm cases in your report for the context
>> and patch mode? [except this case]
> 
> The only devm case I get in context mode is:
> 
> diff -u -p /var/linuxes/linux-next/drivers/acpi/evged.c
> /tmp/nothing/drivers/ac\
> pi/evged.c
> --- /var/linuxes/linux-next/drivers/acpi/evged.c
> +++ /tmp/nothing/drivers/acpi/evged.c
> @@ -116,8 +116,6 @@ static acpi_status acpi_ged_request_inte
> if (r.flags & IORESOURCE_IRQ_SHAREABLE)
> irqflags |= IRQF_SHARED;
> 
> -   if (devm_request_threaded_irq(dev, irq, NULL, acpi_ged_irq_handler,
> - irqflags, "ACPI:Ged", event)) {
> dev_err(dev, "failed to setup event handler for irq %u\n", 
> irq);
> return AE_ERROR;
> }
> 
> This one has the property that the first argument is an identifier.  The
> other cases seem to have a & expression.  There are around 20 of them.

Although I got the issue with the patches, I am wondering why even context mode
gave result for the identifiers even though they are not initialized? Does that
mean it automatically assumes the type of meta variables even though they are 
not
initialized? I think spatch gives warnings for such cases. But I am not sure 
about
the coccicheck.
 
> julia
> 
> 
> 
>>
>>
>>> diff -u -p a/drivers/power/supply/tps65090-charger.c
>>> b/drivers/power/supply/tps\
>>> 65090-charger.c
>>> --- a/drivers/power/supply/tps65090-charger.c
>>> +++ b/drivers/power/supply/tps65090-charger.c
>>> @@ -311,7 +311,8 @@ static int tps65090_charger_probe(struct
>>>
>>> if (irq != -ENXIO) {
>>> ret = devm_request_threaded_irq(>dev, irq, NULL,
>>> -   tps65090_charger_isr, 0, "tps65090-charger", cdata);
>>> +   tps65090_charger_isr, IRQF_ONESHOT,
>>> +   "tps65090-charger", cdata);
>>> if (ret) {
>>> dev_err(cdata->dev,
>>> "Unable to register irq %d err %d\n", irq,
>>>
>>>
>>> julia
>>>
>>
>> --
>> Vaishali
>>

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH v2 3/3] Coccinelle: misc: Add support for devm variant in all modes

[Vaishali Thakkar]

On Sunday 16 October 2016 10:37 PM, Vaishali Thakkar wrote:
> Add missing support for the devm_request_threaded_irq in
> the rules of context, report and org modes.
> 
> Misc:
> 
> To be consistent with other scripts, change confidence level
> of the script to 'Moderate'.
> 
> Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
> ---
>  scripts/coccinelle/misc/irqf_oneshot.cocci | 10 +-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
> b/scripts/coccinelle/misc/irqf_oneshot.cocci
> index 03b748d..f6c93fd 100644
> --- a/scripts/coccinelle/misc/irqf_oneshot.cocci
> +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
> @@ -5,7 +5,7 @@
>  /// So pass the IRQF_ONESHOT flag in this case.
>  ///
>  //
> -// Confidence: Good
> +// Confidence: Moderate
>  // Comments:
>  // Options: --no-includes
>  
> @@ -89,13 +89,21 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
>  @depends on context@
>  position p != {r1.p,r2.p};
>  @@
> +(
>  *request_threaded_irq@p(irq, NULL, ...)
> +|
> +*devm_request_threaded_irq@p(dev, irq, NULL, ...)
> +)
>  
>  @match depends on report || org@
>  expression irq;
>  position p != {r1.p,r2.p};
>  @@
> +(
>  request_threaded_irq@p(irq, NULL, ...)
> +|
> +devm_request_threaded_irq@p(dev, irq, NULL, ...)
> +)

Oh, my bad here. :(

Forgot the initialization of meta variables for the
arguments.

But I am wondering why coccicheck didn't fail here.
Isn't it suppose to give parsing errors? Or it doesn't
do that?

In any case, I am sorry for this. I'll send the revised
version of the patches.
 
>  @script:python depends on org@
>  p << match.p;
> 

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

On Tuesday 18 October 2016 10:04 PM, Julia Lawall wrote:
> I get the following in patch mode that I don't get in context mode:

Hi,

Are you getting same number of devm cases in your report for the context
and patch mode? [except this case]


> diff -u -p a/drivers/power/supply/tps65090-charger.c
> b/drivers/power/supply/tps\
> 65090-charger.c
> --- a/drivers/power/supply/tps65090-charger.c
> +++ b/drivers/power/supply/tps65090-charger.c
> @@ -311,7 +311,8 @@ static int tps65090_charger_probe(struct
> 
>   if (irq != -ENXIO) {
>   ret = devm_request_threaded_irq(>dev, irq, NULL,
> -   tps65090_charger_isr, 0, "tps65090-charger", cdata);
> +   tps65090_charger_isr, IRQF_ONESHOT,
> +   "tps65090-charger", cdata);
>   if (ret) {
> dev_err(cdata->dev,
>   "Unable to register irq %d err %d\n", irq,
> 
> 
> julia
> 

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v2 3/3] Coccinelle: misc: Add support for devm variant in all modes

[Vaishali Thakkar]

Add missing support for the devm_request_threaded_irq in
the rules of context, report and org modes.

Misc:

To be consistent with other scripts, change confidence level
of the script to 'Moderate'.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index 03b748d..f6c93fd 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -5,7 +5,7 @@
 /// So pass the IRQF_ONESHOT flag in this case.
 ///
 //
-// Confidence: Good
+// Confidence: Moderate
 // Comments:
 // Options: --no-includes
 
@@ -89,13 +89,21 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 @depends on context@
 position p != {r1.p,r2.p};
 @@
+(
 *request_threaded_irq@p(irq, NULL, ...)
+|
+*devm_request_threaded_irq@p(dev, irq, NULL, ...)
+)
 
 @match depends on report || org@
 expression irq;
 position p != {r1.p,r2.p};
 @@
+(
 request_threaded_irq@p(irq, NULL, ...)
+|
+devm_request_threaded_irq@p(dev, irq, NULL, ...)
+)
 
 @script:python depends on org@
 p << match.p;
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

Few changes to improve the results given by the irqf_oneshot.cocci:

- Change in the matching rules to eliminate false postives in the
  patch mode
- Change in the context mode to eliminate false postives in the
  context mode
- Support for the missing devm_request_threaded_irq in context, report
  and org mode


Vaishali Thakkar (3):
  Coccinelle: misc: Improve the matching of rules
  Coccinelle: misc: Improve the result given by context mode
  Coccinelle: misc: Add support for devm variant in all modes

 scripts/coccinelle/misc/irqf_oneshot.cocci | 42 --
 1 file changed, 34 insertions(+), 8 deletions(-)

-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v2 1/3] Coccinelle: misc: Improve the matching of rules

[Vaishali Thakkar]

Currently because of the left associativity of the operators, pattern
IRQF_ONESHOT | flags does not match with the pattern when we have more
than one flag after the disjunction. This eventually results in giving
false positives by the script. This patch eliminates these FPs by
improving the rule.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 30 --
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index b421150..b538d08 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -18,13 +18,12 @@ virtual report
 expression dev;
 expression irq;
 expression thread_fn;
-expression flags;
 position p;
 @@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
@@ -32,20 +31,39 @@ IRQF_ONESHOT
 |
 devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
 , ...)
 )
 
-@depends on patch@
+@r2@
 expression dev;
 expression irq;
 expression thread_fn;
 expression flags;
+expression ret;
 position p != r1.p;
 @@
+flags = IRQF_ONESHOT | ...;
+(
+ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+|
+return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+)
+
+@depends on patch@
+expression dev;
+expression irq;
+expression thread_fn;
+expression flags;
+position p != {r1.p,r2.p};
+@@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
@@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 *request_threaded_irq@p(...)
 
 @match depends on report || org@
 expression irq;
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
 request_threaded_irq@p(irq, NULL, ...)
 
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

On Friday 14 October 2016 02:21 PM, Lars-Peter Clausen wrote:
> On 10/13/2016 07:01 PM, Vaishali Thakkar wrote:
>>
>>
>> On Thursday 13 October 2016 09:45 PM, Julia Lawall wrote:
>>>
>>>
>>> On Thu, 13 Oct 2016, Vaishali Thakkar wrote:
>>>
>>>> Currently because of the left associativity of the operators,
>>>> pattern IRQF_ONESHOT | flags does not match with the pattern
>>>> when we have more than one flag after the disjunction. This
>>>> eventually results in giving false positives by the script.
>>>> The patch eliminates these FPs by improving the rule.
>>>>
>>>> Also, add a new rule to eliminate the false positives given by
>>>> the new line issue.
>>>>
>>>> Misc:
>>>>
>>>> 1. Add support for the context, org and report mode in the case
>>>>of devm_request_threaded_irq
>>>> 2. To be consistent with other scripts, change the confidence
>>>>level to 'Moderate'
>>>
>>> I'm getting a lot more reports for context mode than for patch mode, eg
>>> for sound/pcmcia/vx/vxpocket.c.  Is this normal?
>>
>> This seems to be because of the ... in '*request_threaded_irq@p(...)'.
>> Usually I think we should have same rules for the patch  and context mode.
>> But the original code does not do that. So, I was not sure if that was
>> intentional or not.
>> [just in case, person wants to check all cases of these functions using
>> context mode]
> 
> To be honest, I don't remember if it was intentional or not. But looking at
> it now, I'd say context mode should use the same pattern as the report mode.
> The way it is right now context mode certainly generates a fair amount of
> false positives.
> 
> As for your patch I'd say split this into multiple patches, one patch to add
> the missing devm_ variants to the context and report mode and one patch to
> improve the matching, since these are two independent changes.

Sure. I'll send the revised version with 3 patches. One more with changing 
the rule of context mode. 

> 

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH] Coccinelle: misc: Improve the script for more accurate results

[Vaishali Thakkar]

Currently because of the left associativity of the operators,
pattern IRQF_ONESHOT | flags does not match with the pattern
when we have more than one flag after the disjunction. This
eventually results in giving false positives by the script.
The patch eliminates these FPs by improving the rule.

Also, add a new rule to eliminate the false positives given by
the new line issue.

Misc:

1. Add support for the context, org and report mode in the case
   of devm_request_threaded_irq
2. To be consistent with other scripts, change the confidence
   level to 'Moderate'

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/misc/irqf_oneshot.cocci | 41 +-
 1 file changed, 34 insertions(+), 7 deletions(-)

diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci 
b/scripts/coccinelle/misc/irqf_oneshot.cocci
index b421150..76fd0a2 100644
--- a/scripts/coccinelle/misc/irqf_oneshot.cocci
+++ b/scripts/coccinelle/misc/irqf_oneshot.cocci
@@ -5,7 +5,7 @@
 /// So pass the IRQF_ONESHOT flag in this case.
 ///
 //
-// Confidence: Good
+// Confidence: Moderate
 // Comments:
 // Options: --no-includes
 
@@ -18,13 +18,12 @@ virtual report
 expression dev;
 expression irq;
 expression thread_fn;
-expression flags;
 position p;
 @@
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
@@ -32,20 +31,40 @@ IRQF_ONESHOT
 |
 devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 (
-flags | IRQF_ONESHOT
+IRQF_ONESHOT | ...
 |
 IRQF_ONESHOT
 )
 , ...)
 )
 
-@depends on patch@
+@r2@
 expression dev;
 expression irq;
 expression thread_fn;
 expression flags;
+expression ret;
 position p != r1.p;
 @@
+flags = IRQF_ONESHOT | ...;
+(
+ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+|
+return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...);
+|
+return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...);
+)
+
+@depends on patch@
+expression dev;
+expression irq;
+expression thread_fn;
+expression flags;
+position p != {r1.p,r2.p};
+@@
+
 (
 request_threaded_irq@p(irq, NULL, thread_fn,
 (
@@ -69,15 +88,23 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn,
 )
 
 @depends on context@
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
+(
 *request_threaded_irq@p(...)
+|
+*devm_request_threaded_irq@p(...)
+)
 
 @match depends on report || org@
 expression irq;
-position p != r1.p;
+position p != {r1.p,r2.p};
 @@
+(
 request_threaded_irq@p(irq, NULL, ...)
+|
+devm_request_threaded_irq@p(dev, irq, NULL, ...)
+)
 
 @script:python depends on org@
 p << match.p;
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v3] Coccinelle: noderef: Add new rules and correct the old rule

[Vaishali Thakkar]

Add new rules to detect the cases where sizeof is used in
function calls as a argument.

Also, for the patch mode third rule should behave same as
second rule with arguments reversed. So, change that as well.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v2:
- Add rules for function calls. This will behave as
  more general rules and covers cases which were
  covered by the rule in previous versions of the patch
- Change subject and commit log accordingly.
Changes since v1:
- Declare i as an expression instead of identifier to
  cover more cases
---
 scripts/coccinelle/misc/noderef.cocci | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/noderef.cocci 
b/scripts/coccinelle/misc/noderef.cocci
index 80a831c..007f0de 100644
--- a/scripts/coccinelle/misc/noderef.cocci
+++ b/scripts/coccinelle/misc/noderef.cocci
@@ -16,6 +16,7 @@ virtual patch
 @depends on patch@
 expression *x;
 expression f;
+expression i;
 type T;
 @@
 
@@ -30,15 +31,26 @@ f(...,(T)(x),...,sizeof(
 + *x
),...)
 |
-f(...,sizeof(x),...,(T)(
+f(...,sizeof(
+- x
++ *x
+   ),...,(T)(x),...)
+|
+f(...,(T)(x),...,i*sizeof(
 - x
 + *x
),...)
+|
+f(...,i*sizeof(
+- x
++ *x
+   ),...,(T)(x),...)
 )
 
 @r depends on !patch@
 expression *x;
 expression f;
+expression i;
 position p;
 type T;
 @@
@@ -49,6 +61,10 @@ type T;
 *f(...,(T)(x),...,sizeof@p(x),...)
 |
 *f(...,sizeof@p(x),...,(T)(x),...)
+|
+*f(...,(T)(x),...,i*sizeof@p(x),...)
+|
+*f(...,i*sizeof@p(x),...,(T)(x),...)
 )
 
 @script:python depends on org@
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH v2] Coccinelle: noderef: Add a rule and correct the old rule

[Vaishali Thakkar]

Add a new rule to detect the cases where sizeof is used as a
subexpression rather than a top level argument.

Also, for the patch mode third rule should behave same as
second rule with arguments reversed. So, change that as well.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
Changes since v1:
- Declare i as an expression instead of identifier to
  cover more cases
---
 scripts/coccinelle/misc/noderef.cocci | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/noderef.cocci 
b/scripts/coccinelle/misc/noderef.cocci
index 80a831c..584dd01 100644
--- a/scripts/coccinelle/misc/noderef.cocci
+++ b/scripts/coccinelle/misc/noderef.cocci
@@ -16,6 +16,7 @@ virtual patch
 @depends on patch@
 expression *x;
 expression f;
+expression i;
 type T;
 @@
 
@@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof(
 + *x
),...)
 |
-f(...,sizeof(x),...,(T)(
+f(...,sizeof(
+- x
++ *x
+   ),...,(T)(x),...)
+|
+x = f(...,i*sizeof(
 - x
 + *x
),...)
@@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)(
 @r depends on !patch@
 expression *x;
 expression f;
+expression i;
 position p;
 type T;
 @@
@@ -49,6 +56,8 @@ type T;
 *f(...,(T)(x),...,sizeof@p(x),...)
 |
 *f(...,sizeof@p(x),...,(T)(x),...)
+|
+*x = f(...,i*sizeof@p(x),...)
 )
 
 @script:python depends on org@
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] [PATCH] Coccinelle: noderef: Add a rule and correct the old rule

[Vaishali Thakkar]

On Friday 06 May 2016 01:40 AM, Julia Lawall wrote:
> 
> 
> On Wed, 27 Apr 2016, Vaishali Thakkar wrote:
> 
>> Add a new rule to detect the cases where sizeof is used as a
>> subexpression rather than a top level argument.
>>
>> Also, for the patch mode third rule should behave same as
>> second rule with arguments reversed. So, change that as well.
>>
>> Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
>> ---
>>  scripts/coccinelle/misc/noderef.cocci | 11 ++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/scripts/coccinelle/misc/noderef.cocci 
>> b/scripts/coccinelle/misc/noderef.cocci
>> index 80a831c..9991ee9 100644
>> --- a/scripts/coccinelle/misc/noderef.cocci
>> +++ b/scripts/coccinelle/misc/noderef.cocci
>> @@ -16,6 +16,7 @@ virtual patch
>>  @depends on patch@
>>  expression *x;
>>  expression f;
>> +identifier i;
> 
> I think that i could be an expression in both cases?

Yeah, that would be fine I guess. I'll send the v2.

> julia
> 
>>  type T;
>>  @@
>>  
>> @@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof(
>>  + *x
>> ),...)
>>  |
>> -f(...,sizeof(x),...,(T)(
>> +f(...,sizeof(
>> +- x
>> ++ *x
>> +   ),...,(T)(x),...)
>> +|
>> +x = f(...,i*sizeof(
>>  - x
>>  + *x
>> ),...)
>> @@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)(
>>  @r depends on !patch@
>>  expression *x;
>>  expression f;
>> +identifier i;
>>  position p;
>>  type T;
>>  @@
>> @@ -49,6 +56,8 @@ type T;
>>  *f(...,(T)(x),...,sizeof@p(x),...)
>>  |
>>  *f(...,sizeof@p(x),...,(T)(x),...)
>> +|
>> +*x = f(...,i*sizeof@p(x),...)
>>  )
>>  
>>  @script:python depends on org@
>> -- 
>> 2.1.4
>>
>>

-- 
Vaishali
___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH] Coccinelle: noderef: Add a rule and correct the old rule

[Vaishali Thakkar]

Add a new rule to detect the cases where sizeof is used as a
subexpression rather than a top level argument.

Also, for the patch mode third rule should behave same as
second rule with arguments reversed. So, change that as well.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/misc/noderef.cocci | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/coccinelle/misc/noderef.cocci 
b/scripts/coccinelle/misc/noderef.cocci
index 80a831c..9991ee9 100644
--- a/scripts/coccinelle/misc/noderef.cocci
+++ b/scripts/coccinelle/misc/noderef.cocci
@@ -16,6 +16,7 @@ virtual patch
 @depends on patch@
 expression *x;
 expression f;
+identifier i;
 type T;
 @@
 
@@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof(
 + *x
),...)
 |
-f(...,sizeof(x),...,(T)(
+f(...,sizeof(
+- x
++ *x
+   ),...,(T)(x),...)
+|
+x = f(...,i*sizeof(
 - x
 + *x
),...)
@@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)(
 @r depends on !patch@
 expression *x;
 expression f;
+identifier i;
 position p;
 type T;
 @@
@@ -49,6 +56,8 @@ type T;
 *f(...,(T)(x),...,sizeof@p(x),...)
 |
 *f(...,sizeof@p(x),...,(T)(x),...)
+|
+*x = f(...,i*sizeof@p(x),...)
 )
 
 @script:python depends on org@
-- 
2.1.4

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

Re: [Cocci] Red Hat Women in open source award

[Vaishali Thakkar]

On Wednesday 17 February 2016 06:17 PM, Derek M Jones wrote:
> Julia,
>
>> If you care to put in a vote for me/Coccinelle...
>
> I would be happy to vote for you, but do you really
> want to win this?
>
> The women on the academic side are all students and
> yours is the only name I recognise on the community list.
>

I think Community and Academic awards are different. Julia is
in competition with Valeria Aurora, Jessica Mckellar, Heidi Hills
and Carrie Anne Philbin. 

>> https://www.redhat.com/en/about/women-in-open-source
>>
>> julia
>> ___
>> Cocci mailing list
>> Cocci@systeme.lip6.fr
>> https://systeme.lip6.fr/mailman/listinfo/cocci
>>
>

-- 
Vaishali

___
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci

[Cocci] [PATCH] Coccinelle: Add api/setup_timer.cocci

[Vaishali Thakkar]

Use the timer API function setup_timer instead of structure field
assignments to initialize a timer.

Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com>
---
 scripts/coccinelle/api/setup_timer.cocci | 199 +++
 1 file changed, 199 insertions(+)
 create mode 100644 scripts/coccinelle/api/setup_timer.cocci

diff --git a/scripts/coccinelle/api/setup_timer.cocci 
b/scripts/coccinelle/api/setup_timer.cocci
new file mode 100644
index 000..8ee0ac3
--- /dev/null
+++ b/scripts/coccinelle/api/setup_timer.cocci
@@ -0,0 +1,199 @@
+/// Use setup_timer function instead of initializing timer with the function
+/// and data fields
+// Confidence: High
+// Copyright: (C) 2016 Vaishali Thakkar, Oracle. GPLv2
+// Options: --no-includes --include-headers
+// Keywords: init_timer, setup_timer
+
+virtual patch
+virtual context
+virtual org
+virtual report
+
+@match_immediate_function_data_after_init_timer
+depends on patch && !context && !org && !report@
+expression e, func, da;
+@@
+
+-init_timer ();
++setup_timer (, func, da);
+
+(
+-e.function = func;
+-e.data = da;
+|
+-e.data = da;
+-e.function = func;
+)
+
+@match_function_and_data_after_init_timer
+depends on patch && !context && !org && !report@
+expression e1, e2, e3, e4, e5, a, b;
+@@
+
+-init_timer ();
++setup_timer (, a, b);
+
+... when != a = e2
+when != b = e3
+(
+-e1.function = a;
+... when != b = e4
+-e1.data = b;
+|
+-e1.data = b;
+... when != a = e5
+-e1.function = a;
+)
+
+@r1 exists@
+identifier f;
+position p;
+@@
+
+f(...) { ... when any
+  init_timer@p(...)
+  ... when any
+}
+
+@r2 exists@
+identifier g != r1.f;
+struct timer_list t;
+expression e8;
+@@
+
+g(...) { ... when any
+  t.data = e8
+  ... when any
+}
+
+// It is dangerous to use setup_timer if data field is initialized
+// in another function.
+
+@script:python depends on r2@
+p << r1.p;
+@@
+
+cocci.include_match(False)
+
+@r3 depends on patch && !context && !org && !report@
+expression e6, e7, c;
+position r1.p;
+@@
+
+-init_timer@p ();
++setup_timer (, c, 0UL);
+... when != c = e7
+-e6.function = c;
+
+// 
+
+@match_immediate_function_data_after_init_timer_context
+depends on !patch && (context || org || report)@
+expression da, e, func;
+position j0, j1, j2;
+@@
+
+* init_timer@j0 ();
+(
+* e@j1.function = func;
+* e...@j2.data = da;
+|
+* e...@j1.data = da;
+* e@j2.function = func;
+)
+
+@match_function_and_data_after_init_timer_context
+depends on !patch &&
+!match_immediate_function_data_after_init_timer_context &&
+(context || org || report)@
+expression a, b, e1, e2, e3, e4, e5;
+position j0, j1, j2;
+@@
+
+* init_timer@j0 ();
+... when != a = e2
+when != b = e3
+(
+* e1@j1.function = a;
+... when != b = e4
+* e...@j2.data = b;
+|
+* e...@j1.data = b;
+... when != a = e5
+* e1@j2.function = a;
+)
+
+@r3_context depends on !patch &&
+!match_immediate_function_data_after_init_timer_context &&
+!match_function_and_data_after_init_timer_context &&
+(context || org || report)@
+expression c, e6, e7;
+position r1.p;
+position j0, j1;
+@@
+
+* init_timer@j0@p ();
+... when != c = e7
+* e6@j1.function = c;
+
+// 
+
+@script:python match_immediate_function_data_after_init_timer_org
+depends on org@
+j0 << match_immediate_function_data_after_init_timer_context.j0;
+j1 << match_immediate_function_data_after_init_timer_context.j1;
+j2 << match_immediate_function_data_after_init_timer_context.j2;
+@@
+
+msg = "Use setup_timer function."
+coccilib.org.print_todo(j0[0], msg)
+coccilib.org.print_link(j1[0], "")
+coccilib.org.print_link(j2[0], "")
+
+@script:python match_function_and_data_after_init_timer_org depends on org@
+j0 << match_function_and_data_after_init_timer_context.j0;
+j1 << match_function_and_data_after_init_timer_context.j1;
+j2 << match_function_and_data_after_init_timer_context.j2;
+@@
+
+msg = "Use setup_timer function."
+coccilib.org.print_todo(j0[0], msg)
+coccilib.org.print_link(j1[0], "")
+coccilib.org.print_link(j2[0], "")
+
+@script:python r3_org depends on org@
+j0 << r3_context.j0;
+j1 << r3_context.j1;
+@@
+
+msg = "Use setup_timer function."
+coccilib.org.print_todo(j0[0], msg)
+coccilib.org.print_link(j1[0], "")
+
+// 
+
+@script:python match_immediate_function_data_after_init_timer_report
+depends on report@
+j0 << match_immediate_function_data_after_init_timer_context.j0;
+j1 << match_immediate_function_data_after_init_timer_context.j1;
+@@
+
+msg = "Use setup_timer function for function on line %s." % (j1[0].l