From mboxrd@z Thu Jan 1 00:00:00 1970 From: ydroneaud@opteya.com (Yann Droneaud) Date: Mon, 22 Feb 2016 16:24:34 +0100 Subject: [Cocci] [PATCHv1 1/3] coccinelle: also catch kzfree() issues In-Reply-To: References: <326298cef17f5109dc7b08094901aa1c69be83d5.1455638829.git.ydroneaud@opteya.com> <1456150168-24028-1-git-send-email-ydroneaud@opteya.com> Message-ID: <1456154674.5678.17.camel@opteya.com> To: cocci@systeme.lip6.fr List-Id: cocci@systeme.lip6.fr Le lundi 22 f?vrier 2016 ? 09:20 -0500, Julia Lawall a ?crit?: > On Mon, 22 Feb 2016, Yann Droneaud wrote: > > > Since commit 3ef0e5ba4673 ('slab: introduce kzfree()'), > > kfree() is no more the only function to be considered. > > > > In particular, kzfree() must not be called on memory > > allocated through devm_*() functions. > > > > Cc: Johannes Weiner > > Signed-off-by: Yann Droneaud > > --- > > Hi Julia, > > > > As you suggested, I've use disjunctions instead of regular > > expressions (which I managed to use incorrectly: eg. > > without ^...$ they catch other functions than kfree(), > > such as kfree_skb()). > > > > I've think we should also catch krealloc(, size), where size > > is 0, but it's beyond my understanding of coccinelle if size > > is not a plain 0 constant. > > > > Perhaps you could help me for this one. > > Do you have some examples? I don't have any real world examples (hopefully) and I don't think it's going to catch issues, as it's unlikely someone would write krealloc(ptr, 0) instead of kfree(). > ? Coccinelle is not very good at tracking > values.? You can say something like: > > size = 0 > ... when != size = e > krealloc(...,size) > It works for the most simple cases I can think of. Thanks a lot ! > I don't know if that would be useful in practice though. > It will be difficult to shoehorn such construct in the dijunctions added here. Perhaps we could add a new cocci rules file that would translate such call to krealloc() to kfree(): @@ expression e; expression p; identifier size; @@ ? size = 0 ? ... when != size = e -??krealloc(p,size) +??kfree(p) @@ expression p; @@ -??krealloc(p, 0) +??kfree(p) But I'm not sure it worth it. > > Regards. > > > >? scripts/coccinelle/free/devm_free.cocci |? 2 ++ > >? scripts/coccinelle/free/kfree.cocci???? | 18 +++++++++++++++--- > >? scripts/coccinelle/free/kfreeaddr.cocci |? 6 +++++- > >? 3 files changed, 22 insertions(+), 4 deletions(-) > > > > diff --git a/scripts/coccinelle/free/devm_free.cocci > b/scripts/coccinelle/free/devm_free.cocci > > index 3d9349012bb3..83c03adec1c5 100644 > > --- a/scripts/coccinelle/free/devm_free.cocci > > +++ b/scripts/coccinelle/free/devm_free.cocci > > @@ -48,6 +48,8 @@ position p; > >? ( > >? * kfree at p(x) > >? | > > +* kzfree at p(x) > > +| > >? * free_irq at p(x) > >? | > >? * iounmap at p(x) > > diff --git a/scripts/coccinelle/free/kfree.cocci > b/scripts/coccinelle/free/kfree.cocci > > index 577b78056990..ac438da4fd7b 100644 > > --- a/scripts/coccinelle/free/kfree.cocci > > +++ b/scripts/coccinelle/free/kfree.cocci > > @@ -20,7 +20,11 @@ expression E; > >? position p1; > >? @@ > > > > -kfree at p1(E) > > +( > > +* kfree at p1(E) > > +| > > +* kzfree at p1(E) > > +) > > > >? @print expression@ > >? constant char [] c; > > @@ -60,7 +64,11 @@ position ok; > >? @@ > > > >? while (1) { ... > > -? kfree at ok(E) > > +( > > +* kfree at ok(E) > > +| > > +* kzfree at ok(E) > > +) > >??? ... when != break; > >??????? when != goto l; > >??????? when forall > > @@ -74,7 +82,11 @@ statement S; > >? position free.p1!=loop.ok,p2!={print.p,sz.p}; > >? @@ > > > > -kfree at p1(E,...) > > +( > > +* kfree at p1(E,...) > > +| > > +* kzfree at p1(E,...) > > +) > >? ... > >? ( > >?? iter(...,subE,...) S // no use > > diff --git a/scripts/coccinelle/free/kfreeaddr.cocci > b/scripts/coccinelle/free/kfreeaddr.cocci > > index ce8aacc314cb..d46063b1db8b 100644 > > --- a/scripts/coccinelle/free/kfreeaddr.cocci > > +++ b/scripts/coccinelle/free/kfreeaddr.cocci > > @@ -16,7 +16,11 @@ identifier f; > >? position p; > >? @@ > > > > +( > >? * kfree at p(&e->f) > > +| > > +* kzfree at p(&e->f) > > +) > > > >? @script:python depends on org@ > >? p << r.p; > > @@ -28,5 +32,5 @@ cocci.print_main("kfree",p) > >? p << r.p; > >? @@ > > > > -msg = "ERROR: kfree of structure field" > > +msg = "ERROR: invalid free of structure field" > >? coccilib.report.print_report(p[0],msg) > > -- > > 2.5.0 > > > > Regards. --? Yann Droneaud OPTEYA From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754131AbcBVPYt (ORCPT ); Mon, 22 Feb 2016 10:24:49 -0500 Received: from ou.quest-ce.net ([195.154.187.82]:51780 "EHLO ou.quest-ce.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752714AbcBVPYq (ORCPT ); Mon, 22 Feb 2016 10:24:46 -0500 Message-ID: <1456154674.5678.17.camel@opteya.com> From: Yann Droneaud To: Julia Lawall Cc: Gilles Muller , Nicolas Palix , Michal Marek , Tejun Heo , Greg Kroah-Hartman , Johannes Weiner , cocci@systeme.lip6.fr, linux-kernel@vger.kernel.org, Yann Droneaud Date: Mon, 22 Feb 2016 16:24:34 +0100 In-Reply-To: References: <326298cef17f5109dc7b08094901aa1c69be83d5.1455638829.git.ydroneaud@opteya.com> <1456150168-24028-1-git-send-email-ydroneaud@opteya.com> Organization: OPTEYA Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.4 (3.18.4-1.fc23) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 193.248.32.70 X-SA-Exim-Mail-From: ydroneaud@opteya.com Subject: Re: [PATCHv1 1/3] coccinelle: also catch kzfree() issues X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000) X-SA-Exim-Scanned: Yes (on ou.quest-ce.net) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le lundi 22 février 2016 à 09:20 -0500, Julia Lawall a écrit : > On Mon, 22 Feb 2016, Yann Droneaud wrote: > > > Since commit 3ef0e5ba4673 ('slab: introduce kzfree()'), > > kfree() is no more the only function to be considered. > > > > In particular, kzfree() must not be called on memory > > allocated through devm_*() functions. > > > > Cc: Johannes Weiner > > Signed-off-by: Yann Droneaud > > --- > > Hi Julia, > > > > As you suggested, I've use disjunctions instead of regular > > expressions (which I managed to use incorrectly: eg. > > without ^...$ they catch other functions than kfree(), > > such as kfree_skb()). > > > > I've think we should also catch krealloc(, size), where size > > is 0, but it's beyond my understanding of coccinelle if size > > is not a plain 0 constant. > > > > Perhaps you could help me for this one. > > Do you have some examples? I don't have any real world examples (hopefully) and I don't think it's going to catch issues, as it's unlikely someone would write krealloc(ptr, 0) instead of kfree(). >   Coccinelle is not very good at tracking > values.  You can say something like: > > size = 0 > ... when != size = e > krealloc(...,size) > It works for the most simple cases I can think of. Thanks a lot ! > I don't know if that would be useful in practice though. > It will be difficult to shoehorn such construct in the dijunctions added here. Perhaps we could add a new cocci rules file that would translate such call to krealloc() to kfree(): @@ expression e; expression p; identifier size; @@   size = 0   ... when != size = e -  krealloc(p,size) +  kfree(p) @@ expression p; @@ -  krealloc(p, 0) +  kfree(p) But I'm not sure it worth it. > > Regards. > > > >  scripts/coccinelle/free/devm_free.cocci |  2 ++ > >  scripts/coccinelle/free/kfree.cocci     | 18 +++++++++++++++--- > >  scripts/coccinelle/free/kfreeaddr.cocci |  6 +++++- > >  3 files changed, 22 insertions(+), 4 deletions(-) > > > > diff --git a/scripts/coccinelle/free/devm_free.cocci > b/scripts/coccinelle/free/devm_free.cocci > > index 3d9349012bb3..83c03adec1c5 100644 > > --- a/scripts/coccinelle/free/devm_free.cocci > > +++ b/scripts/coccinelle/free/devm_free.cocci > > @@ -48,6 +48,8 @@ position p; > >  ( > >  * kfree@p(x) > >  | > > +* kzfree@p(x) > > +| > >  * free_irq@p(x) > >  | > >  * iounmap@p(x) > > diff --git a/scripts/coccinelle/free/kfree.cocci > b/scripts/coccinelle/free/kfree.cocci > > index 577b78056990..ac438da4fd7b 100644 > > --- a/scripts/coccinelle/free/kfree.cocci > > +++ b/scripts/coccinelle/free/kfree.cocci > > @@ -20,7 +20,11 @@ expression E; > >  position p1; > >  @@ > > > > -kfree@p1(E) > > +( > > +* kfree@p1(E) > > +| > > +* kzfree@p1(E) > > +) > > > >  @print expression@ > >  constant char [] c; > > @@ -60,7 +64,11 @@ position ok; > >  @@ > > > >  while (1) { ... > > -  kfree@ok(E) > > +( > > +* kfree@ok(E) > > +| > > +* kzfree@ok(E) > > +) > >    ... when != break; > >        when != goto l; > >        when forall > > @@ -74,7 +82,11 @@ statement S; > >  position free.p1!=loop.ok,p2!={print.p,sz.p}; > >  @@ > > > > -kfree@p1(E,...) > > +( > > +* kfree@p1(E,...) > > +| > > +* kzfree@p1(E,...) > > +) > >  ... > >  ( > >   iter(...,subE,...) S // no use > > diff --git a/scripts/coccinelle/free/kfreeaddr.cocci > b/scripts/coccinelle/free/kfreeaddr.cocci > > index ce8aacc314cb..d46063b1db8b 100644 > > --- a/scripts/coccinelle/free/kfreeaddr.cocci > > +++ b/scripts/coccinelle/free/kfreeaddr.cocci > > @@ -16,7 +16,11 @@ identifier f; > >  position p; > >  @@ > > > > +( > >  * kfree@p(&e->f) > > +| > > +* kzfree@p(&e->f) > > +) > > > >  @script:python depends on org@ > >  p << r.p; > > @@ -28,5 +32,5 @@ cocci.print_main("kfree",p) > >  p << r.p; > >  @@ > > > > -msg = "ERROR: kfree of structure field" > > +msg = "ERROR: invalid free of structure field" > >  coccilib.report.print_report(p[0],msg) > > -- > > 2.5.0 > > > > Regards. --  Yann Droneaud OPTEYA