From: Yann Droneaud <ydroneaud@opteya.com>
To: Julia Lawall <julia.lawall@lip6.fr>
Cc: Gilles Muller <Gilles.Muller@lip6.fr>,
	Nicolas Palix <nicolas.palix@imag.fr>,
	Michal Marek <mmarek@suse.com>, Tejun Heo <tj@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Johannes Weiner <hannes@cmpxchg.org>,
	cocci@systeme.lip6.fr, linux-kernel@vger.kernel.org,
	Yann Droneaud <ydroneaud@opteya.com>
Subject: Re: [PATCHv1 1/3] coccinelle: also catch kzfree() issues
Date: Mon, 22 Feb 2016 16:24:34 +0100	[thread overview]
Message-ID: <1456154674.5678.17.camel@opteya.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1602220918530.2532@hadrien>

On Monday, 22 February 2016 at 09:20 -0500, Julia Lawall wrote:
> On Mon, 22 Feb 2016, Yann Droneaud wrote:
> 
> > Since commit 3ef0e5ba4673 ('slab: introduce kzfree()'),
> > kfree() is no longer the only function to be considered.
> >
> > In particular, kzfree() must not be called on memory
> > allocated through devm_*() functions.
> >
> > Cc: Johannes Weiner <hannes@cmpxchg.org>
> > Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
> > ---
> > Hi Julia,
> >
> > As you suggested, I've used disjunctions instead of regular
> > expressions (which I managed to use incorrectly: e.g.
> > without ^...$ they catch other functions than kfree(),
> > such as kfree_skb()).
> >
> > I think we should also catch krealloc(, size), where size
> > is 0, but it's beyond my understanding of coccinelle if size
> > is not a plain 0 constant.
> >
> > Perhaps you could help me for this one.
> 
> Do you have some examples?

I don't have any real-world examples (hopefully) and I don't think it's
going to catch issues, as it's unlikely someone would write
krealloc(ptr, 0) instead of kfree().

>   Coccinelle is not very good at tracking
> values.  You can say something like:
> 
> size = 0
> ... when != size = e
> krealloc(...,size)
> 

It works for the simplest cases I can think of. Thanks a lot!

> I don't know if that would be useful in practice though.
> 

It will be difficult to shoehorn such a construct into the disjunctions
added here.

Perhaps we could add a new cocci rules file that would translate such
calls to krealloc() into kfree():

@@
expression e;
expression p;
identifier size;
@@
  size = 0
  ... when != size = e
-  krealloc(p,size,...)
+  kfree(p)


@@
expression p;
@@
-  krealloc(p, 0, ...)
+  kfree(p)

But I'm not sure it's worth it.

> > Regards.
> >
> >  scripts/coccinelle/free/devm_free.cocci |  2 ++
> >  scripts/coccinelle/free/kfree.cocci     | 18 +++++++++++++++---
> >  scripts/coccinelle/free/kfreeaddr.cocci |  6 +++++-
> >  3 files changed, 22 insertions(+), 4 deletions(-)
> >
> > diff --git a/scripts/coccinelle/free/devm_free.cocci
> b/scripts/coccinelle/free/devm_free.cocci
> > index 3d9349012bb3..83c03adec1c5 100644
> > --- a/scripts/coccinelle/free/devm_free.cocci
> > +++ b/scripts/coccinelle/free/devm_free.cocci
> > @@ -48,6 +48,8 @@ position p;
> >  (
> >  * kfree@p(x)
> >  |
> > +* kzfree@p(x)
> > +|
> >  * free_irq@p(x)
> >  |
> >  * iounmap@p(x)
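Review bot: no functional concern with this hunk: an explicit kzfree() on a devm_*() buffer is the same defect as kfree() there, because the devres core frees that buffer again when the driver detaches, and the new arm carries its `*` like the kfree and free_irq arms around it. The commit message only says kzfree() "must not be called" on devm memory; stating that double-free consequence there would make the rule's purpose clear to whoever reads the report.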
> > diff --git a/scripts/coccinelle/free/kfree.cocci
> b/scripts/coccinelle/free/kfree.cocci
> > index 577b78056990..ac438da4fd7b 100644
> > --- a/scripts/coccinelle/free/kfree.cocci
> > +++ b/scripts/coccinelle/free/kfree.cocci
> > @@ -20,7 +20,11 @@ expression E;
> >  position p1;
> >  @@
> >
> > -kfree@p1(E)
> > +(
> > +* kfree@p1(E)
> > +|
> > +* kzfree@p1(E)
> > +)
> >
> >  @print expression@
> >  constant char [] c;
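Review bot: the replaced line `kfree@p1(E)` had no `*`, but both arms of the new disjunction do, so a rule that previously only bound `p1` and `E` for the later rules now also acts as a context-mode match on every kfree()/kzfree() call. A disjunction does not need the stars, `( kfree@p1(E) | kzfree@p1(E) )` binds the same positions, so either drop them or say in the commit message why this rule should highlight all frees.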
> > @@ -60,7 +64,11 @@ position ok;
> >  @@
> >
> >  while (1) { ...
> > -  kfree@ok(E)
> > +(
> > +* kfree@ok(E)
> > +|
> > +* kzfree@ok(E)
> > +)
> >    ... when != break;
> >        when != goto l;
> >        when forall
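Review bot: the removed `kfree@ok(E)` was indented two spaces inside the `while (1) { ...` body and the following `... when != break;` lines keep that indentation, but the new `(`, both arms and `)` are flush left; indent them to match so the loop body still reads as one block. The `*` marks appear here on a rule that previously had none, same remark as for the first hunk of this file.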
> > @@ -74,7 +82,11 @@ statement S;
> >  position free.p1!=loop.ok,p2!={print.p,sz.p};
> >  @@
> >
> > -kfree@p1(E,...)
> > +(
> > +* kfree@p1(E,...)
> > +|
> > +* kzfree@p1(E,...)
> > +)
> >  ...
> >  (
> >   iter(...,subE,...) S // no use
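Review bot: `kzfree@p1(E,...)` mirrors the existing `kfree@p1(E,...)`, which is fine: kzfree() takes a single argument and the trailing `...` simply matches nothing. What the hunk does not show are the `@script:python depends on org@` and `report` rules of this file that print `free.p1`; now that two functions feed that position, please check whether they still label the site as "kfree", as the org line visible in the kfreeaddr.cocci hunk header (`cocci.print_main("kfree",p)`) does, so a kzfree() site is not reported as a kfree().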
> > diff --git a/scripts/coccinelle/free/kfreeaddr.cocci
> b/scripts/coccinelle/free/kfreeaddr.cocci
> > index ce8aacc314cb..d46063b1db8b 100644
> > --- a/scripts/coccinelle/free/kfreeaddr.cocci
> > +++ b/scripts/coccinelle/free/kfreeaddr.cocci
> > @@ -16,7 +16,11 @@ identifier f;
> >  position p;
> >  @@
> >
> > +(
> >  * kfree@p(&e->f)
> > +|
> > +* kzfree@p(&e->f)
> > +)
> >
> >  @script:python depends on org@
> >  p << r.p;
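Review bot: the disjunction is consistent with the other files, but since rule `r` binds only the position `p`, the script rules below cannot tell which of the two functions matched, which is why the report text in the next hunk has to become the generic "invalid free". If the function name is wanted in the output, bind it instead of enumerating the calls: `identifier fn = {kfree, kzfree};` with `* fn@p(&e->f)`, then `fn << r.fn;` in the python rules.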
> > @@ -28,5 +32,5 @@ cocci.print_main("kfree",p)
> >  p << r.p;
> >  @@
> >
> > -msg = "ERROR: kfree of structure field"
> > +msg = "ERROR: invalid free of structure field"
> >  coccilib.report.print_report(p[0],msg)
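Review bot: the hunk header shows the org-mode counterpart, `cocci.print_main("kfree",p)`, left unchanged, so org output will keep labelling a kzfree(&e->f) site as "kfree" while report output now says "invalid free"; change both strings together (or print the matched function name) so the two modes agree.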
> > --
> > 2.5.0
> >
> >

Regards.

-- 
Yann Droneaud
OPTEYA
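As an added example (not code from Yann's series nor from Coccinelle's own scripts), here is how the krealloc()-with-size-0 check discussed above could be written as a stand-alone report/org script. It combines the plain-constant case with the `size = 0 ... when != size = e` idiom Julia gave, matches the real three-argument krealloc(p, size, flags) signature through a trailing `...`, and reports instead of rewriting to kfree(): krealloc(p, 0, flags) frees the buffer but returns ZERO_SIZE_PTR, so a blind replacement would turn `p = krealloc(p, 0, flags)` into `p = kfree(p)`. The file name krealloc0.cocci and the rule names are assumptions.

```cocci
// Added example, not part of the original series: report/org rules for
// krealloc() called with a size of 0.  Such a call frees the old buffer
// and returns ZERO_SIZE_PTR, so it is reported rather than rewritten.
//
// Assumed invocation: spatch --sp-file krealloc0.cocci -D report <files>

virtual report
virtual org

// Case 1: the size is a plain constant 0.  The trailing "..." stands for
// the gfp flags argument, so krealloc(p, 0, GFP_KERNEL) matches.
@const0@
expression p;
position pos;
@@

  krealloc@pos(p, 0, ...)

// Case 2: the size is a variable assigned 0 and not reassigned before the
// call (the "... when != size = e" idiom from the thread).  "exists" makes
// one control-flow path enough, so an early return between the assignment
// and the call does not hide the match.
@var0 exists@
expression p, e;
identifier size;
position pos;
@@

  size = 0
  ... when != size = e
  krealloc@pos(p, size, ...)

@script:python depends on report@
pos << const0.pos;
@@

coccilib.report.print_report(pos[0], "WARNING: krealloc() with size 0 frees the buffer; use kfree() instead")

@script:python depends on report@
pos << var0.pos;
@@

coccilib.report.print_report(pos[0], "WARNING: krealloc() with a size that is 0 here frees the buffer; use kfree() instead")

@script:python depends on org@
pos << const0.pos;
@@

cocci.print_main("krealloc with size 0", pos)

@script:python depends on org@
pos << var0.pos;
@@

cocci.print_main("krealloc with variable size known to be 0", pos)
```

Run with `-D report` to get one line per offending call, or `-D org` for the org-mode links the other free/ scripts produce. The two cases are kept as separate rules, as in the sketch above, because each needs its own position for the python rules to report from; the `exists` on `var0` is what makes the variable case usable on real driver code with error paths between the assignment and the call.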
