Hi Zhu Yi,
This is a Smatch bug that has me a little puzzled.
drivers/net/wireless/iwmc3200wifi/debugfs.c +447 iwm_debugfs_init(26)
warn: 'iwm->dbg.devdir' dereferencing possible ERR_PTR()
440 iwm->dbg.devdir = debugfs_create_dir(devdir, iwm->dbg.rootdir);
441 result = PTR_ERR(iwm->dbg.devdir);
442 if (IS_ERR(iwm->dbg.devdir) && (result != -ENODEV)) {
443 IWM_ERR(iwm, "Couldn't create devdir: %d\n", result);
444 goto error;
445 }
446
447 iwm->dbg.dbgdir = debugfs_create_dir("debug", iwm->dbg.devdir);
It looks like "iwm->dbg.devdir" could be ERR_PTR(-ENODEV) on line 447 and
that would cause a problem inside debugfs_create_dir(). But at the same
time -ENODEV was deliberately singled out as OK from other possible errors
that debugfs_create_dir() can return.
I'm confused.
regards,
dan carpenter
On Fri, 2010-04-23 at 20:03 +0800, Johannes Berg wrote:
> > The bit that was problematic in this code for me is that passing
> > ERR_PTR(-ENODEV) to debugfs_create_dir() on line 447 will cause an
> oops.
> > But, as you point out, the check on line 442 is never true because
> we
> > already established that debugfs is enabled.
>
> I don't think so. See, that function will only return -ENODEV when
> debugfs is not compiled into the kernel, and in that case the argument
> to debugfs_create_dir is never used anyway.
Yes, there won't be any kernel oops anyway. But the iwm debugfs code is
a little misleading. Dan, please feel free to send a patch to clean up
this. On the error path, either NULL or ERR_PTR(-ENODEV) (no other
errno) is returned. Since all the debugfs functions are defined as no-op
if CONFIG_DEBUG_FS is not selected, maybe we only check against NULL is
enough.
Thanks,
-yi
On Fri, 2010-04-23 at 13:43 +0200, Dan Carpenter wrote:
> > > This is a Smatch bug that has me a little puzzled.
> > >
> > > drivers/net/wireless/iwmc3200wifi/debugfs.c +447 iwm_debugfs_init(26)
> > > warn: 'iwm->dbg.devdir' dereferencing possible ERR_PTR()
> > >
> > > 440 iwm->dbg.devdir = debugfs_create_dir(devdir, iwm->dbg.rootdir);
> > > 441 result = PTR_ERR(iwm->dbg.devdir);
> > > 442 if (IS_ERR(iwm->dbg.devdir) && (result != -ENODEV)) {
> > > 443 IWM_ERR(iwm, "Couldn't create devdir: %d\n", result);
> > > 444 goto error;
> > > 445 }
> > > 446
> > > 447 iwm->dbg.dbgdir = debugfs_create_dir("debug", iwm->dbg.devdir);
> > >
> > > It looks like "iwm->dbg.devdir" could be ERR_PTR(-ENODEV) on line 447 and
> > > that would cause a problem inside debugfs_create_dir(). But at the same
> > > time -ENODEV was deliberately singled out as OK from other possible errors
> > > that debugfs_create_dir() can return.
> >
> > We take -ENODEV for debugfs_create_dir if CONFIG_DEBUG_FS is not
> > enabled. We returns 0 deliberately in this case for rootdir create. I
> > agree we don't need to check it for the subdirs like we did now. But I
> > found lots of code don't even check (or don't use IS_ERR to check) the
> > return value of debugfs_create_dir. Maybe that's more problematic?
>
> Ah. Thanks for the explanation.
>
> The bit that was problematic in this code for me is that passing
> ERR_PTR(-ENODEV) to debugfs_create_dir() on line 447 will cause an oops.
> But, as you point out, the check on line 442 is never true because we
> already established that debugfs is enabled.
I don't think so. See, that function will only return -ENODEV when
debugfs is not compiled into the kernel, and in that case the argument
to debugfs_create_dir is never used anyway.
johannes
On Fri, Apr 23, 2010 at 10:48:31AM +0800, Zhu Yi wrote:
> On Thu, 2010-04-22 at 17:59 +0800, Dan Carpenter wrote:
> > Hi Zhu Yi,
> >
> > This is a Smatch bug that has me a little puzzled.
> >
> > drivers/net/wireless/iwmc3200wifi/debugfs.c +447 iwm_debugfs_init(26)
> > warn: 'iwm->dbg.devdir' dereferencing possible ERR_PTR()
> >
> > 440 iwm->dbg.devdir = debugfs_create_dir(devdir, iwm->dbg.rootdir);
> > 441 result = PTR_ERR(iwm->dbg.devdir);
> > 442 if (IS_ERR(iwm->dbg.devdir) && (result != -ENODEV)) {
> > 443 IWM_ERR(iwm, "Couldn't create devdir: %d\n", result);
> > 444 goto error;
> > 445 }
> > 446
> > 447 iwm->dbg.dbgdir = debugfs_create_dir("debug", iwm->dbg.devdir);
> >
> > It looks like "iwm->dbg.devdir" could be ERR_PTR(-ENODEV) on line 447 and
> > that would cause a problem inside debugfs_create_dir(). But at the same
> > time -ENODEV was deliberately singled out as OK from other possible errors
> > that debugfs_create_dir() can return.
>
> We take -ENODEV for debugfs_create_dir if CONFIG_DEBUG_FS is not
> enabled. We returns 0 deliberately in this case for rootdir create. I
> agree we don't need to check it for the subdirs like we did now. But I
> found lots of code don't even check (or don't use IS_ERR to check) the
> return value of debugfs_create_dir. Maybe that's more problematic?
Ah. Thanks for the explanation.
The bit that was problematic in this code for me is that passing
ERR_PTR(-ENODEV) to debugfs_create_dir() on line 447 will cause an oops.
But, as you point out, the check on line 442 is never true because we
already established that debugfs is enabled.
Couldn't we just check "if (debugfs_initialized()) { " and remove all
the ERR_PTR checking?
If you would like I can send a patch to do this.
regards,
dan carpenter
On Thu, 2010-04-22 at 17:59 +0800, Dan Carpenter wrote:
> Hi Zhu Yi,
>
> This is a Smatch bug that has me a little puzzled.
>
> drivers/net/wireless/iwmc3200wifi/debugfs.c +447 iwm_debugfs_init(26)
> warn: 'iwm->dbg.devdir' dereferencing possible ERR_PTR()
>
> 440 iwm->dbg.devdir = debugfs_create_dir(devdir, iwm->dbg.rootdir);
> 441 result = PTR_ERR(iwm->dbg.devdir);
> 442 if (IS_ERR(iwm->dbg.devdir) && (result != -ENODEV)) {
> 443 IWM_ERR(iwm, "Couldn't create devdir: %d\n", result);
> 444 goto error;
> 445 }
> 446
> 447 iwm->dbg.dbgdir = debugfs_create_dir("debug", iwm->dbg.devdir);
>
> It looks like "iwm->dbg.devdir" could be ERR_PTR(-ENODEV) on line 447 and
> that would cause a problem inside debugfs_create_dir(). But at the same
> time -ENODEV was deliberately singled out as OK from other possible errors
> that debugfs_create_dir() can return.
We take -ENODEV for debugfs_create_dir if CONFIG_DEBUG_FS is not
enabled. We returns 0 deliberately in this case for rootdir create. I
agree we don't need to check it for the subdirs like we did now. But I
found lots of code don't even check (or don't use IS_ERR to check) the
return value of debugfs_create_dir. Maybe that's more problematic?
Thanks,
-yi