Re: [PATCH v2 31/34] drivers/tty: Enable capability analysis for core files

From: Jiri Slaby
Date: Wed Mar 05 2025 - 04:15:22 EST

Next message: tip-bot2 for Charles Han: "[tip: x86/cleanups] x86/delay: Fix inconsistent whitespace"
Previous message: Chao Yu: "[PATCH v2 3/3] f2fs: introduce FAULT_INCONSISTENT_FOOTER"
In reply to: Marco Elver: "[PATCH v2 31/34] drivers/tty: Enable capability analysis for core files"
Next in thread: Marco Elver: "Re: [PATCH v2 31/34] drivers/tty: Enable capability analysis for core files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04. 03. 25, 10:21, Marco Elver wrote:

Enable capability analysis for drivers/tty/*.

This demonstrates a larger conversion to use Clang's capability
analysis. The benefit is additional static checking of locking rules,
along with better documentation.

Signed-off-by: Marco Elver <elver@xxxxxxxxxx>
Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Jiri Slaby <jirislaby@xxxxxxxxxx>

...

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -52,10 +52,8 @@
*/
void tty_buffer_lock_exclusive(struct tty_port *port)
{
- struct tty_bufhead *buf = &port->buf;
-
- atomic_inc(&buf->priority);
- mutex_lock(&buf->lock);
+ atomic_inc(&port->buf.priority);
+ mutex_lock(&port->buf.lock);

Here and:

@@ -73,7 +71,7 @@ void tty_buffer_unlock_exclusive(struct tty_port *port)
bool restart = buf->head->commit != buf->head->read;
atomic_dec(&buf->priority);
- mutex_unlock(&buf->lock);
+ mutex_unlock(&port->buf.lock);

here, this appears excessive. You are changing code to adapt to one kind of static analysis. Adding function annotations is mostly fine, but changing code is too much. We don't do that. Fix the analyzer instead.

--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -167,6 +167,7 @@ static void release_tty(struct tty_struct *tty, int idx);
* Locking: none. Must be called after tty is definitely unused
*/
static void free_tty_struct(struct tty_struct *tty)
+ __capability_unsafe(/* destructor */)
{
tty_ldisc_deinit(tty);
put_device(tty->dev);
@@ -965,7 +966,7 @@ static ssize_t iterate_tty_write(struct tty_ldisc *ld, struct tty_struct *tty,
ssize_t ret, written = 0;
ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
- if (ret < 0)
+ if (ret)

This change is not documented.

@@ -1154,7 +1155,7 @@ int tty_send_xchar(struct tty_struct *tty, u8 ch)
return 0;
}
- if (tty_write_lock(tty, false) < 0)
+ if (tty_write_lock(tty, false))

And this one. And more times later.

--- a/drivers/tty/tty_ldisc.c
+++ b/drivers/tty/tty_ldisc.c

...

+/*
+ * Note: Capability analysis does not like asymmetric interfaces (above types
+ * for ref and deref are tty_struct and tty_ldisc respectively -- which are
+ * dependent, but the compiler cannot figure that out); in this case, work
+ * around that with this helper which takes an unused @tty argument but tells
+ * the analysis which lock is released.
+ */
+static inline void __tty_ldisc_deref(struct tty_struct *tty, struct tty_ldisc *ld)
+ __releases_shared(&tty->ldisc_sem)
+ __capability_unsafe(/* matches released with tty_ldisc_ref() */)
+{
+ tty_ldisc_deref(ld);
+}

You want to invert the __ prefix for these two. tty_ldisc_deref() should be kept as the one to be called by everybody.

thanks,
--
js
suse labs

Next message: tip-bot2 for Charles Han: "[tip: x86/cleanups] x86/delay: Fix inconsistent whitespace"
Previous message: Chao Yu: "[PATCH v2 3/3] f2fs: introduce FAULT_INCONSISTENT_FOOTER"
In reply to: Marco Elver: "[PATCH v2 31/34] drivers/tty: Enable capability analysis for core files"
Next in thread: Marco Elver: "Re: [PATCH v2 31/34] drivers/tty: Enable capability analysis for core files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]