RE: [PATCH 0/3] ipc subsystem refcounter conversions
From: Reshetova, Elena
Date: Mon Feb 20 2017 - 07:30:41 EST
> On Mon, Feb 20, 2017 at 1:29 PM, Elena Reshetova
> <elena.reshetova@xxxxxxxxx> wrote:
> > Now when new refcount_t type and API are finally merged
> > (see include/linux/refcount.h), the following
> > patches convert various refcounters in the ipc susystem from atomic_t
> > to refcount_t. By doing this we prevent intentional or accidental
> > underflows or overflows that can led to use-after-free vulnerabilities.
> > The below patches are fully independent and can be cherry-picked separately.
> > Since we convert all kernel subsystems in the same fashion, resulting
> > in about 300 patches, we have to group them for sending at least in some
> > fashion to be manageable. Please excuse the long cc list.
> Is that done using coccinelle?
Yes and no.
The *finding* of cases that should be converted was done using coccinelle, but actual conversion was done manually for each case and not via semantic patch.
There were many false-positives and all kind of other issues, so we had to analyse each variable separately to the extend we understand the code.
> Can I see the semantic patch (sorry if I missed it earlier)?
Attached is the one we used to initially find variables.