[PATCH 0/7] remove invalid reference to list iterator variable

[PATCH 0/7] remove invalid reference to list iterator variable

[Julia Lawall]

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.

The complete semantic match that finds this problem is:
(http://coccinelle.lip6.fr/)

@@
identifier c,member;
expression E,x;
iterator name list_for_each_entry;
iterator name list_for_each_entry_reverse;
iterator name list_for_each_entry_continue;
iterator name list_for_each_entry_continue_reverse;
iterator name list_for_each_entry_from;
iterator name list_for_each_entry_safe;
iterator name list_for_each_entry_safe_continue;
iterator name list_for_each_entry_safe_from;
iterator name list_for_each_entry_safe_reverse;
iterator name hlist_for_each_entry;
iterator name hlist_for_each_entry_continue;
iterator name hlist_for_each_entry_from;
iterator name hlist_for_each_entry_safe;
statement S;
@@

(
list_for_each_entry(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_reverse(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_continue(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_continue_reverse(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_from(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_safe(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_safe_continue(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_safe_from(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
|
list_for_each_entry_safe_reverse(c,...,member) { ... when != break;
                                 when forall
                                 when strict
}
)
...
(
list_for_each_entry(c,...) S
|
list_for_each_entry_reverse(c,...) S
|
list_for_each_entry_continue(c,...) S
|
list_for_each_entry_continue_reverse(c,...) S
|
list_for_each_entry_from(c,...) S
|
list_for_each_entry_safe(c,...) S
|
list_for_each_entry_safe(x,c,...) S
|
list_for_each_entry_safe_continue(c,...) S
|
list_for_each_entry_safe_continue(x,c,...) S
|
list_for_each_entry_safe_from(c,...) S
|
list_for_each_entry_safe_from(x,c,...) S
|
list_for_each_entry_safe_reverse(c,...) S
|
list_for_each_entry_safe_reverse(x,c,...) S
|
hlist_for_each_entry(c,...) S
|
hlist_for_each_entry_continue(c,...) S
|
hlist_for_each_entry_from(c,...) S
|
hlist_for_each_entry_safe(c,...) S
|
list_remove_head(x,c,...)
|
sizeof(<+...c...+>)
|
&c->member
|
c = E
|
*c
)

[PATCH 1/7] drivers/isdn/mISDN/stack.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  The dereferences are just deleted from the
debugging statement.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 drivers/isdn/mISDN/stack.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/isdn/mISDN/stack.c b/drivers/isdn/mISDN/stack.c
index 1a0ae44..5f21f62 100644
--- a/drivers/isdn/mISDN/stack.c
+++ b/drivers/isdn/mISDN/stack.c
@@ -135,8 +135,8 @@ send_layer2(struct mISDNstack *st, struct sk_buff *skb)
 			skb = NULL;
 		else if (*debug & DEBUG_SEND_ERR)
 			printk(KERN_DEBUG
-			       "%s ch%d mgr prim(%x) addr(%x) err %d\n",
-			       __func__, ch->nr, hh->prim, ch->addr, ret);
+			       "%s mgr prim(%x) err %d\n",
+			       __func__, hh->prim, ret);
 	}
 out:
 	mutex_unlock(&st->lmutex);

[PATCH 2/7] net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  This seems to be a copy-paste bug from a previous
debugging message, and so the meaningless value is just deleted.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 net/rxrpc/ar-peer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/rxrpc/ar-peer.c b/net/rxrpc/ar-peer.c
index 2754f09..bebaa43 100644
--- a/net/rxrpc/ar-peer.c
+++ b/net/rxrpc/ar-peer.c
@@ -229,7 +229,7 @@ found_UDP_peer:
 	return peer;
 
 new_UDP_peer:
-	_net("Rx UDP DGRAM from NEW peer %d", peer->debug_id);
+	_net("Rx UDP DGRAM from NEW peer");
 	read_unlock_bh(&rxrpc_peer_lock);
 	_leave(" = -EBUSY [new]");
 	return ERR_PTR(-EBUSY);

[PATCH 3/7] mm/slub.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  The patch replaces s->name by al->name, which is
referenced nearby.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 mm/slub.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/slub.c b/mm/slub.c
index cc4ed03..ef9bf01 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5395,7 +5395,7 @@ static int __init slab_sysfs_init(void)
 		err = sysfs_slab_alias(al->s, al->name);
 		if (err)
 			printk(KERN_ERR "SLUB: Unable to add boot slab alias"
-					" %s to sysfs\n", s->name);
+					" %s to sysfs\n", al->name);
 		kfree(al);
 	}
 

[PATCH 4/7] drivers/gpu/drm: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.

In the first two cases, a a break is added after the switch; the break in
the switch would jump out of the switch, but not out of the complete
iteration.

In the first case, the null test on connector is removed, because the
iterator variable of list_for_each_entry is never null.

In the third case, entry->base.crtc.fb is not a meaningful value.  What
seems to be intended is crtc->fb, which gets the information from the last
element of the list.

These problems were found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 drivers/gpu/drm/gma500/mdfld_intel_display.c |    4 +---
 drivers/gpu/drm/gma500/oaktrail_crtc.c       |    1 +
 drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c          |    2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/gma500/mdfld_intel_display.c b/drivers/gpu/drm/gma500/mdfld_intel_display.c
index 3f3cd61..fc1ced0 100644
--- a/drivers/gpu/drm/gma500/mdfld_intel_display.c
+++ b/drivers/gpu/drm/gma500/mdfld_intel_display.c
@@ -755,9 +755,6 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
 					sizeof(struct drm_display_mode));
 
 	list_for_each_entry(connector, &mode_config->connector_list, head) {
-		if (!connector)
-			continue;
-
 		encoder = connector->encoder;
 
 		if (!encoder)
@@ -779,6 +776,7 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
 			is_hdmi = true;
 			break;
 		}
+		break;
 	}
 
 	/* Disable the VGA plane that we never use */
diff --git a/drivers/gpu/drm/gma500/oaktrail_crtc.c b/drivers/gpu/drm/gma500/oaktrail_crtc.c
index f821c83..4b2172e 100644
--- a/drivers/gpu/drm/gma500/oaktrail_crtc.c
+++ b/drivers/gpu/drm/gma500/oaktrail_crtc.c
@@ -329,6 +329,7 @@ static int oaktrail_crtc_mode_set(struct drm_crtc *crtc,
 			is_mipi = true;
 			break;
 		}
+		break;
 	}
 
 	/* Disable the VGA plane that we never use */
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
index 070fb23..634611a 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
@@ -93,7 +93,7 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv)
 
 		if (crtc == NULL)
 			return 0;
-		fb = entry->base.crtc.fb;
+		fb = crtc->fb;
 
 		return vmw_kms_write_svga(dev_priv, w, h, fb->pitches[0],
 					  fb->bits_per_pixel, fb->depth);

[PATCH 5/7] drivers/iommu/tegra-smmu.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  Replace c->dev by dev, which is the value that
c->dev has been compared to.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 drivers/iommu/tegra-smmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c
index 3757bb5..d3fbf37 100644
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -780,7 +780,7 @@ static void smmu_iommu_detach_dev(struct iommu_domain *domain,
 			goto out;
 		}
 	}
-	dev_err(smmu->dev, "Couldn't find %s\n", dev_name(c->dev));
+	dev_err(smmu->dev, "Couldn't find %s\n", dev_name(dev));
 out:
 	spin_unlock(&as->client_lock);
 }

[PATCH 6/7] drivers/net/ethernet/broadcom/cnic.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  There does not seem to be a meaningful value to
provide to netdev_warn.  Replace with pr_warn, since pr_err is used
elsewhere.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
 drivers/net/ethernet/broadcom/cnic.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c
index 22ad7b6..6eaca60 100644
--- a/drivers/net/ethernet/broadcom/cnic.c
+++ b/drivers/net/ethernet/broadcom/cnic.c
@@ -542,7 +542,8 @@ int cnic_unregister_driver(int ulp_type)
 	}
 
 	if (atomic_read(&ulp_ops->ref_count) != 0)
-		netdev_warn(dev->netdev, "Failed waiting for ref count to go to zero\n");
+		pr_warn("%s: Failed waiting for ref count to go to zero\n",
+			__func__);
 	return 0;
 
 out_unlock:

[PATCH 7/7] drivers/s390/scsi/zfcp_cfdc.c: remove invalid reference to list iterator variable

[Julia Lawall]

From: Julia Lawall <Julia.Lawall@lip6.fr>

If list_for_each_entry, etc complete a traversal of the list, the iterator
variable ends up pointing to an address at an offset from the list head,
and not a meaningful structure.  Thus this value should not be used after
the end of the iterator.  Replace port->adapter->scsi_host by
adapter->scsi_host.

This problem was found using Coccinelle (http://coccinelle.lip6.fr/).

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

---
This is not tested, an I am not sure that this is the right change.
Indeed, I'm not at all sure how the original code could have worked, since
port->adapter->scsi_host should be a completely random value.

 drivers/s390/scsi/zfcp_cfdc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/s390/scsi/zfcp_cfdc.c b/drivers/s390/scsi/zfcp_cfdc.c
index fab2c25..8ed63aa 100644
--- a/drivers/s390/scsi/zfcp_cfdc.c
+++ b/drivers/s390/scsi/zfcp_cfdc.c
@@ -293,7 +293,7 @@ void zfcp_cfdc_adapter_access_changed(struct zfcp_adapter *adapter)
 	}
 	read_unlock_irqrestore(&adapter->port_list_lock, flags);
 
-	shost_for_each_device(sdev, port->adapter->scsi_host) {
+	shost_for_each_device(sdev, adapter->scsi_host) {
 		zfcp_sdev = sdev_to_zfcp(sdev);
 		status = atomic_read(&zfcp_sdev->status);
 		if ((status & ZFCP_STATUS_COMMON_ACCESS_DENIED) ||

Re: [PATCH 4/7] drivers/gpu/drm: remove invalid reference to list iterator variable

[Paul Menzel]

[-- Attachment #1: Type: text/plain, Size: 3218 bytes --]

Dear Julia,


Am Sonntag, den 08.07.2012, 13:37 +0200 schrieb Julia Lawall:
> From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.
> 
> In the first two cases, a a break is added after the switch; the break in

s,a a,a,

> the switch would jump out of the switch, but not out of the complete
> iteration.
> 
> In the first case, the null test on connector is removed, because the
> iterator variable of list_for_each_entry is never null.
> 
> In the third case, entry->base.crtc.fb is not a meaningful value.  What
> seems to be intended is crtc->fb, which gets the information from the last
> element of the list.

maybe three separate patches would have been better?

> These problems were found using Coccinelle (http://coccinelle.lip6.fr/).

I always liked your example Coccinelle code snippets. Could you add them
again to your commit messages? That would be awesome!

> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> ---
>  drivers/gpu/drm/gma500/mdfld_intel_display.c |    4 +---
>  drivers/gpu/drm/gma500/oaktrail_crtc.c       |    1 +
>  drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c          |    2 +-
>  3 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/gma500/mdfld_intel_display.c b/drivers/gpu/drm/gma500/mdfld_intel_display.c
> index 3f3cd61..fc1ced0 100644
> --- a/drivers/gpu/drm/gma500/mdfld_intel_display.c
> +++ b/drivers/gpu/drm/gma500/mdfld_intel_display.c
> @@ -755,9 +755,6 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
>  					sizeof(struct drm_display_mode));
>  
>  	list_for_each_entry(connector, &mode_config->connector_list, head) {
> -		if (!connector)
> -			continue;
> -
>  		encoder = connector->encoder;
>  
>  		if (!encoder)
> @@ -779,6 +776,7 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
>  			is_hdmi = true;
>  			break;
>  		}
> +		break;
>  	}
>  
>  	/* Disable the VGA plane that we never use */
> diff --git a/drivers/gpu/drm/gma500/oaktrail_crtc.c b/drivers/gpu/drm/gma500/oaktrail_crtc.c
> index f821c83..4b2172e 100644
> --- a/drivers/gpu/drm/gma500/oaktrail_crtc.c
> +++ b/drivers/gpu/drm/gma500/oaktrail_crtc.c
> @@ -329,6 +329,7 @@ static int oaktrail_crtc_mode_set(struct drm_crtc *crtc,
>  			is_mipi = true;
>  			break;
>  		}
> +		break;
>  	}
>  
>  	/* Disable the VGA plane that we never use */
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
> index 070fb23..634611a 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
> @@ -93,7 +93,7 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv)
>  
>  		if (crtc == NULL)
>  			return 0;
> -		fb = entry->base.crtc.fb;
> +		fb = crtc->fb;
>  
>  		return vmw_kms_write_svga(dev_priv, w, h, fb->pitches[0],
>  					  fb->bits_per_pixel, fb->depth);

Acked-by: Paul Menzel <paulepanter@users.sourceforge.net>


Thanks,

Paul

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [PATCH 4/7] drivers/gpu/drm: remove invalid reference to list iterator variable

[Julia Lawall]

On Sun, 8 Jul 2012, Paul Menzel wrote:

> Dear Julia,
>
>
> Am Sonntag, den 08.07.2012, 13:37 +0200 schrieb Julia Lawall:
>> From: Julia Lawall <Julia.Lawall@lip6.fr>
>>
>> If list_for_each_entry, etc complete a traversal of the list, the iterator
>> variable ends up pointing to an address at an offset from the list head,
>> and not a meaningful structure.  Thus this value should not be used after
>> the end of the iterator.
>>
>> In the first two cases, a a break is added after the switch; the break in
>
> s,a a,a,

Thanks.

>> the switch would jump out of the switch, but not out of the complete
>> iteration.
>>
>> In the first case, the null test on connector is removed, because the
>> iterator variable of list_for_each_entry is never null.
>>
>> In the third case, entry->base.crtc.fb is not a meaningful value.  What
>> seems to be intended is crtc->fb, which gets the information from the last
>> element of the list.
>
> maybe three separate patches would have been better?

OK, I wasn't sure what would be best.  I'll send three patches now.

>> These problems were found using Coccinelle (http://coccinelle.lip6.fr/).
>
> I always liked your example Coccinelle code snippets. Could you add them
> again to your commit messages? That would be awesome!

Sure.  I didn't include it because there was a 0/7 message that has the 
complete semantic patch.

julia

>> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
>>
>> ---
>>  drivers/gpu/drm/gma500/mdfld_intel_display.c |    4 +---
>>  drivers/gpu/drm/gma500/oaktrail_crtc.c       |    1 +
>>  drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c          |    2 +-
>>  3 files changed, 3 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/gma500/mdfld_intel_display.c b/drivers/gpu/drm/gma500/mdfld_intel_display.c
>> index 3f3cd61..fc1ced0 100644
>> --- a/drivers/gpu/drm/gma500/mdfld_intel_display.c
>> +++ b/drivers/gpu/drm/gma500/mdfld_intel_display.c
>> @@ -755,9 +755,6 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
>>  					sizeof(struct drm_display_mode));
>>
>>  	list_for_each_entry(connector, &mode_config->connector_list, head) {
>> -		if (!connector)
>> -			continue;
>> -
>>  		encoder = connector->encoder;
>>
>>  		if (!encoder)
>> @@ -779,6 +776,7 @@ static int mdfld_crtc_mode_set(struct drm_crtc *crtc,
>>  			is_hdmi = true;
>>  			break;
>>  		}
>> +		break;
>>  	}
>>
>>  	/* Disable the VGA plane that we never use */
>> diff --git a/drivers/gpu/drm/gma500/oaktrail_crtc.c b/drivers/gpu/drm/gma500/oaktrail_crtc.c
>> index f821c83..4b2172e 100644
>> --- a/drivers/gpu/drm/gma500/oaktrail_crtc.c
>> +++ b/drivers/gpu/drm/gma500/oaktrail_crtc.c
>> @@ -329,6 +329,7 @@ static int oaktrail_crtc_mode_set(struct drm_crtc *crtc,
>>  			is_mipi = true;
>>  			break;
>>  		}
>> +		break;
>>  	}
>>
>>  	/* Disable the VGA plane that we never use */
>> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
>> index 070fb23..634611a 100644
>> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
>> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
>> @@ -93,7 +93,7 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv)
>>
>>  		if (crtc == NULL)
>>  			return 0;
>> -		fb = entry->base.crtc.fb;
>> +		fb = crtc->fb;
>>
>>  		return vmw_kms_write_svga(dev_priv, w, h, fb->pitches[0],
>>  					  fb->bits_per_pixel, fb->depth);
>
> Acked-by: Paul Menzel <paulepanter@users.sourceforge.net>
>
>
> Thanks,
>
> Paul
>

Re: [PATCH 3/7] mm/slub.c: remove invalid reference to list iterator variable

[Pekka Enberg]

On Sun, 8 Jul 2012, Julia Lawall wrote:

> From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  The patch replaces s->name by al->name, which is
> referenced nearby.
> 
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> ---
>  mm/slub.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index cc4ed03..ef9bf01 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -5395,7 +5395,7 @@ static int __init slab_sysfs_init(void)
>  		err = sysfs_slab_alias(al->s, al->name);
>  		if (err)
>  			printk(KERN_ERR "SLUB: Unable to add boot slab alias"
> -					" %s to sysfs\n", s->name);
> +					" %s to sysfs\n", al->name);
>  		kfree(al);
>  	}

Applied, thanks!

Re: [PATCH 3/7] mm/slub.c: remove invalid reference to list iterator variable

[Christoph Lameter]

On Sun, 8 Jul 2012, Julia Lawall wrote:

> From: Julia Lawall <Julia.Lawall@lip6.fr>
>
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  The patch replaces s->name by al->name, which is
> referenced nearby.

Acked-by: Christoph Lameter <cl@linux.com>

Re: [PATCH 1/7] drivers/isdn/mISDN/stack.c: remove invalid reference to list iterator variable

[David Miller]

From: Julia Lawall <Julia.Lawall@lip6.fr>
Date: Sun,  8 Jul 2012 13:37:38 +0200

> From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  The dereferences are just deleted from the
> debugging statement.
> 
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

Applied.

Re: [PATCH 2/7] net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable

[David Miller]

From: Julia Lawall <Julia.Lawall@lip6.fr>
Date: Sun,  8 Jul 2012 13:37:39 +0200

> From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  This seems to be a copy-paste bug from a previous
> debugging message, and so the meaningless value is just deleted.
> 
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

Applied.

Re: [PATCH 6/7] drivers/net/ethernet/broadcom/cnic.c: remove invalid reference to list iterator variable

[David Miller]

From: Julia Lawall <Julia.Lawall@lip6.fr>
Date: Sun,  8 Jul 2012 13:37:43 +0200

> From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  There does not seem to be a meaningful value to
> provide to netdev_warn.  Replace with pr_warn, since pr_err is used
> elsewhere.
> 
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

Applied.

Re: [PATCH 5/7] drivers/iommu/tegra-smmu.c: remove invalid reference to list iterator variable

[Stephen Warren]

On 07/08/2012 05:37 AM, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@lip6.fr>

Julia,

It looks like this patch hasn't seen any replies since you didn't CC the
maintainers of this code. I've CC'd them now.

> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  Replace c->dev by dev, which is the value that
> c->dev has been compared to.
> 
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> 
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>

Acked-by: Stephen Warren <swarren@wwwdotorg.org>

Re: [PATCH 5/7] drivers/iommu/tegra-smmu.c: remove invalid reference to list iterator variable

[Hiroshi Doyu]

Hi Julia,

On Mon, 23 Jul 2012 19:59:21 +0200
Stephen Warren <swarren@wwwdotorg.org> wrote:

> On 07/08/2012 05:37 AM, Julia Lawall wrote:
> > From: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> Julia,
> 
> It looks like this patch hasn't seen any replies since you didn't CC the
> maintainers of this code. I've CC'd them now.
> 
> > If list_for_each_entry, etc complete a traversal of the list, the iterator
> > variable ends up pointing to an address at an offset from the list head,
> > and not a meaningful structure.  Thus this value should not be used after
> > the end of the iterator.  Replace c->dev by dev, which is the value that
> > c->dev has been compared to.
> > 
> > This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
> > 
> > Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
> 
> Acked-by: Stephen Warren <swarren@wwwdotorg.org>

Acked-by: Hiroshi DOYU <hdoyu@nvidia.com>
Ok to me too. Thanks.

Re: [PATCH 7/7] drivers/s390/scsi/zfcp_cfdc.c: remove invalid reference to list iterator variable

[Steffen Maier]

Hi Julia,

sorry for the long delay until I finally responded.
Thanks a lot for your report and patch.
I'll queue this and send it for v3.6rcX hopefully soon.

On 07/08/2012 01:37 PM, Julia Lawall wrote:
> From: Julia Lawall <Julia.Lawall@lip6.fr>
>
> If list_for_each_entry, etc complete a traversal of the list, the iterator
> variable ends up pointing to an address at an offset from the list head,
> and not a meaningful structure.  Thus this value should not be used after
> the end of the iterator.  Replace port->adapter->scsi_host by
> adapter->scsi_host.
>
> This problem was found using Coccinelle (http://coccinelle.lip6.fr/).
>
> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
>
> ---
> This is not tested, an I am not sure that this is the right change.
> Indeed, I'm not at all sure how the original code could have worked, since
> port->adapter->scsi_host should be a completely random value.

This is most probably a copy & paste oversight in
commit a1ca48319a9aa1c5b57ce142f538e76050bb8972
"[SCSI] zfcp: Move ACL/CFDC code to zfcp_cfdc.c"
v2.6.37
where the content of

static void zfcp_erp_port_access_changed(struct zfcp_port *port, char *id,
                                        void *ref)
{
       struct scsi_device *sdev;
       int status = atomic_read(&port->status);

       if (!(status & (ZFCP_STATUS_COMMON_ACCESS_DENIED |
                       ZFCP_STATUS_COMMON_ACCESS_BOXED))) {
               shost_for_each_device(sdev, port->adapter->scsi_host)
                                           ^^^^

was merged into
zfcp_cfdc_adapter_access_changed(struct zfcp_adapter *adapter)

Since this code is for older hardware and users not using NPIV
and this is only executed on dynamic access changes,
nobody has noticed this so far I guess.

>   drivers/s390/scsi/zfcp_cfdc.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/s390/scsi/zfcp_cfdc.c b/drivers/s390/scsi/zfcp_cfdc.c
> index fab2c25..8ed63aa 100644
> --- a/drivers/s390/scsi/zfcp_cfdc.c
> +++ b/drivers/s390/scsi/zfcp_cfdc.c
> @@ -293,7 +293,7 @@ void zfcp_cfdc_adapter_access_changed(struct zfcp_adapter *adapter)
>   	}
>   	read_unlock_irqrestore(&adapter->port_list_lock, flags);
>
> -	shost_for_each_device(sdev, port->adapter->scsi_host) {
> +	shost_for_each_device(sdev, adapter->scsi_host) {
>   		zfcp_sdev = sdev_to_zfcp(sdev);
>   		status = atomic_read(&zfcp_sdev->status);
>   		if ((status & ZFCP_STATUS_COMMON_ACCESS_DENIED) ||
>

Steffen

Linux on System z Development

IBM Deutschland Research & Development GmbH
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294