[See below for a comment]
On Mon, 3 Aug 2020, Denis Efremov wrote: > Check that alloc and free types of functions match each other. > > Signed-off-by: Denis Efremov <efre...@linux.com> > --- > Changes in v2: > - Lines are limited to 80 characters where possible > - Confidence changed from High to Medium because of > fs/btrfs/send.c:1119 false-positive > - __vmalloc_area_node() explicitly excluded from analysis > instead of !(file in "mm/vmalloc.c") condition > Changes in v3: > - prints style in org && report modes changed for python2 > Changes in v4: > - missing msg argument to print_todo fixed > Changes in v5: > - fix position p in kfree rule > - move @kok and @v positions in choice rule after the arguments > - remove kvmalloc suggestions > Changes in v6: > - more asterisks added in context mode > - second @kok added to the choice rule > Changes in v7: > - file renamed to kfree_mismatch.cocci > - python function relevant() removed > - additional rule for filtering free positions added > - btrfs false-positive fixed > - confidence level changed to high > - kvfree_switch rule added > - names for position variables changed to @a (alloc) and @f (free) > > scripts/coccinelle/api/kfree_mismatch.cocci | 229 ++++++++++++++++++++ > 1 file changed, 229 insertions(+) > create mode 100644 scripts/coccinelle/api/kfree_mismatch.cocci > > diff --git a/scripts/coccinelle/api/kfree_mismatch.cocci > b/scripts/coccinelle/api/kfree_mismatch.cocci > new file mode 100644 > index 000000000000..9e9ef9fd7a25 > --- /dev/null > +++ b/scripts/coccinelle/api/kfree_mismatch.cocci > @@ -0,0 +1,229 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/// > +/// Check that kvmalloc'ed memory is freed by kfree functions, > +/// vmalloc'ed by vfree functions and kvmalloc'ed by kvfree > +/// functions. > +/// > +// Confidence: High > +// Copyright: (C) 2020 Denis Efremov ISPRAS > +// Options: --no-includes --include-headers > +// > + > +virtual patch > +virtual report > +virtual org > +virtual context > + > +@alloc@ > +expression E, E1; > +position kok, vok; > +@@ > + > +( > + if (...) { > + ... > + E = \(kmalloc\|kzalloc\|krealloc\|kcalloc\| > + kmalloc_node\|kzalloc_node\|kmalloc_array\| > + kmalloc_array_node\|kcalloc_node\)(...)@kok > + ... > + } else { > + ... > + E = \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\| > + vzalloc_node\|vmalloc_exec\|vmalloc_32\| > + vmalloc_32_user\|__vmalloc\|__vmalloc_node_range\| > + __vmalloc_node\)(...)@vok > + ... > + } > +| > + E = \(kmalloc\|kzalloc\|krealloc\|kcalloc\|kmalloc_node\|kzalloc_node\| > + kmalloc_array\|kmalloc_array_node\|kcalloc_node\)(...)@kok > + ... when != E = E1 > + when any > + if (E == NULL) { > + ... > + E = \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\| > + vzalloc_node\|vmalloc_exec\|vmalloc_32\| > + vmalloc_32_user\|__vmalloc\|__vmalloc_node_range\| > + __vmalloc_node\)(...)@vok > + ... > + } > +) > + > +@free@ > +expression E; > +position fok; > +@@ > + > + E = \(kvmalloc\|kvzalloc\|kvcalloc\|kvzalloc_node\|kvmalloc_node\| > + kvmalloc_array\)(...) > + ... > + kvfree(E)@fok > + > +@vfree depends on !patch@ > +expression E; > +position a != alloc.kok; > +position f != free.fok; > +@@ > + > +* E = \(kmalloc\|kzalloc\|krealloc\|kcalloc\|kmalloc_node\| > +* kzalloc_node\|kmalloc_array\|kmalloc_array_node\| > +* kcalloc_node\)(...)@a > + ... when != if (...) { ... E = > \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\|vzalloc_node\|vmalloc_exec\|vmalloc_32\|vmalloc_32_user\|__vmalloc\|__vmalloc_node_range\|__vmalloc_node\)(...); > ... } > + when != is_vmalloc_addr(E) > + when any > +* \(vfree\|vfree_atomic\|kvfree\)(E)@f > + > +@depends on patch exists@ > +expression E; > +position a != alloc.kok; > +position f != free.fok; > +@@ > + > + E = \(kmalloc\|kzalloc\|krealloc\|kcalloc\|kmalloc_node\| > + kzalloc_node\|kmalloc_array\|kmalloc_array_node\| > + kcalloc_node\)(...)@a > + ... when != if (...) { ... E = > \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\|vzalloc_node\|vmalloc_exec\|vmalloc_32\|vmalloc_32_user\|__vmalloc\|__vmalloc_node_range\|__vmalloc_node\)(...); > ... } > + when != is_vmalloc_addr(E) > + when any > +- \(vfree\|vfree_atomic\|kvfree\)(E)@f > ++ kfree(E) > + > +@kfree depends on !patch@ > +expression E; > +position a != alloc.vok; > +position f != free.fok; > +@@ > + > +* E = \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\|vzalloc_node\| > +* vmalloc_exec\|vmalloc_32\|vmalloc_32_user\|__vmalloc\| > +* __vmalloc_node_range\|__vmalloc_node\)(...)@a > + ... when != is_vmalloc_addr(E) > + when any > +* \(kfree\|kzfree\|kvfree\)(E)@f > + > +@depends on patch exists@ > +expression E; > +position a != alloc.vok; > +position f != free.fok; > +@@ > + > + E = \(vmalloc\|vzalloc\|vmalloc_user\|vmalloc_node\|vzalloc_node\| > + vmalloc_exec\|vmalloc_32\|vmalloc_32_user\|__vmalloc\| > + __vmalloc_node_range\|__vmalloc_node\)(...)@a > + ... when != is_vmalloc_addr(E) > + when any > +- \(kfree\|kvfree\)(E)@f > ++ vfree(E) > + > +@kvfree depends on !patch@ > +expression E; > +position a, f; > +@@ > + > +* E = \(kvmalloc\|kvzalloc\|kvcalloc\|kvzalloc_node\|kvmalloc_node\| > +* kvmalloc_array\)(...)@a > + ... when != is_vmalloc_addr(E) > + when any > +* \(kfree\|kzfree\|vfree\|vfree_atomic\)(E)@f > + > +@depends on patch exists@ > +expression E; > +@@ > + > + E = \(kvmalloc\|kvzalloc\|kvcalloc\|kvzalloc_node\|kvmalloc_node\| > + kvmalloc_array\)(...) > + ... when != is_vmalloc_addr(E) > + when any > +- \(kfree\|vfree\)(E) > ++ kvfree(E) > + > +@kvfree_switch depends on !patch@ > +expression alloc.E; > +position f != free.fok; > +@@ > + > + ... when != is_vmalloc_addr(E) > + when any > +* \(kfree\|kzfree\|vfree\|vfree_atomic\)(E)@f > + > +@depends on patch exists@ > +expression alloc.E; > +position f != free.fok; > +@@ > + > + ... when != is_vmalloc_addr(E) > + when any > +( > +- \(kfree\|vfree\)(E)@f > ++ kvfree(E) > +| > +- kzfree(E)@f > ++ kvfree_sensitive(E) > +) The above two rules refer to free.fok, but it is not clear why, because free.fok only occurs on a kvfree call. Is there a mistake, or is it just an unnecessary copy-pasted constraint? julia > + > +@script: python depends on report@ > +a << vfree.a; > +f << vfree.f; > +@@ > + > +msg = "WARNING: kmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.report.print_report(f[0], msg) > + > +@script: python depends on org@ > +a << vfree.a; > +f << vfree.f; > +@@ > + > +msg = "WARNING: kmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.org.print_todo(f[0], msg) > + > +@script: python depends on report@ > +a << kfree.a; > +f << kfree.f; > +@@ > + > +msg = "WARNING: vmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.report.print_report(f[0], msg) > + > +@script: python depends on org@ > +a << kfree.a; > +f << kfree.f; > +@@ > + > +msg = "WARNING: vmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.org.print_todo(f[0], msg) > + > +@script: python depends on report@ > +a << kvfree.a; > +f << kvfree.f; > +@@ > + > +msg = "WARNING: kvmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.report.print_report(f[0], msg) > + > +@script: python depends on org@ > +a << kvfree.a; > +f << kvfree.f; > +@@ > + > +msg = "WARNING: kvmalloc is used to allocate this memory at line %s" % > (a[0].line) > +coccilib.org.print_todo(f[0], msg) > + > +@script: python depends on report@ > +ka << alloc.kok; > +va << alloc.vok; > +f << kvfree_switch.f; > +@@ > + > +msg = "WARNING: kmalloc (line %s) && vmalloc (line %s) are used to allocate > this memory" % (ka[0].line, va[0].line) > +coccilib.report.print_report(f[0], msg) > + > +@script: python depends on org@ > +ka << alloc.kok; > +va << alloc.vok; > +f << kvfree_switch.f; > +@@ > + > +msg = "WARNING: kmalloc (line %s) && vmalloc (line %s) are used to allocate > this memory" % (ka[0].line, va[0].line) > +coccilib.org.print_todo(f[0], msg) > + > -- > 2.26.2 > >