/*
 * Copyright (C) 2009 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */
171f5207b7SJohn Levon 
181f5207b7SJohn Levon #include "smatch.h"
191f5207b7SJohn Levon #include "smatch_slist.h"
201f5207b7SJohn Levon #include "smatch_extra.h"
211f5207b7SJohn Levon 
/* State id handed to this check by the smatch core in check_err_ptr_deref(). */
static int my_id;

/*
 * Per-variable states tracked by this check:
 *   err_ptr - the pointer may hold an ERR_PTR() encoded error value
 *   checked - an IS_ERR()-style test returned false, the variable was
 *             reassigned, it was proven NULL in a condition, or a
 *             warning for it has already been issued
 */
STATE(err_ptr);
STATE(checked);

/*
 * Bounds of the value range that encodes an error inside a pointer,
 * -4095 .. -1 (the same bounds are used for the PTR_RET() hook in
 * check_err_ptr_deref()).
 */
static sval_t err_ptr_min = {
	.type = &int_ctype,
	{.value = -4095},
};

static sval_t err_ptr_max = {
	.type = &int_ctype,
	{.value = -1},
};

/* Permanent range list [err_ptr_min, err_ptr_max], built in check_err_ptr_deref(). */
struct range_list *err_ptr_rl;
381f5207b7SJohn Levon 
/*
 * Modification hook: once a tracked pointer is written to again, the
 * old ERR_PTR() state no longer applies, so the variable becomes "checked".
 *
 * @sm:       state of the variable being modified
 * @mod_expr: the modifying expression (unused)
 */
static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
{
	if (sm->state == &checked)
		return;
	set_state(my_id, sm->name, sm->sym, &checked);
}
441f5207b7SJohn Levon 
/*
 * Report a use of 'expr' that would dereference a possible ERR_PTR().
 *
 * Two conditions must both hold before complaining: this check's own
 * state list for the variable still contains err_ptr, and the absolute
 * value range of the expression still overlaps -4095..-1.  After the
 * error is printed the variable is marked checked, so the same path
 * does not produce a second report.
 */
static void check_is_err_ptr(struct expression *expr)
{
	struct sm_state *sm = get_sm_state_expr(my_id, expr);
	struct range_list *rl;

	if (!sm || !slist_has_state(sm->possible, &err_ptr))
		return;

	get_absolute_rl(expr, &rl);
	if (!possibly_true_rl(rl, SPECIAL_EQUAL, err_ptr_rl))
		return;

	sm_error("'%s' dereferencing possible ERR_PTR()", sm->name);
	set_state(my_id, sm->name, sm->sym, &checked);
}
641f5207b7SJohn Levon 
/*
 * Assignment hook for the functions listed in kernel.returns_err_ptr:
 * the left-hand side of "x = fn(...)" may now hold an ERR_PTR().
 *
 * @fn:   name of the matched function (unused)
 * @expr: the assignment expression
 * @info: hook data (unused)
 */
static void match_returns_err_ptr(const char *fn, struct expression *expr,
				void *info)
{
	struct expression *lhs = expr->left;

	set_state_expr(my_id, lhs, &err_ptr);
}
701f5207b7SJohn Levon 
/*
 * Return-implies hook for callees known to dereference one of their
 * parameters (DEREFERENCE info).  If the argument passed for that
 * parameter may still be an unchecked ERR_PTR() according to both this
 * check and smatch_extra's value range, report it and mark it checked.
 *
 * @call:   the call expression
 * @arg:    the argument expression
 * @key:    which part of the argument is dereferenced
 * @unused: unused
 *
 * 'name' is owned here and always released with free_string().
 */
static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
{
	struct sm_state *sm;
	struct smatch_state *estate;
	struct symbol *sym;
	char *name;

	name = get_variable_from_key(arg, key, &sym);
	if (name && sym) {
		sm = get_sm_state(my_id, name, sym);
		if (sm && slist_has_state(sm->possible, &err_ptr)) {
			estate = get_state(SMATCH_EXTRA, name, sym);
			if (estate &&
			    possibly_true_rl(estate_rl(estate), SPECIAL_EQUAL, err_ptr_rl)) {
				sm_error("'%s' dereferencing possible ERR_PTR()", sm->name);
				set_state(my_id, sm->name, sm->sym, &checked);
			}
		}
	}
	free_string(name);
}
991f5207b7SJohn Levon 
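/*
 * Return-implies hook for IS_ERR()/IS_ERR_OR_NULL()/PTR_RET() returning
 * zero: the pointer passed as the first argument is not an error, so it
 * becomes "checked".  "IS_ERR(p = foo())" is handled by unwrapping the
 * assignment(s) and marking the assigned-to variable.
 *
 * @fn:          name of the matched function (unused)
 * @call_expr:   the IS_ERR()-style call
 * @assign_expr: enclosing assignment, if any (unused)
 * @unused:      unused
 */
static void match_checked(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = strip_expr(get_argument_from_call_expr(call_expr->args, 0));
	/* A call without arguments yields NULL here; nothing to track then. */
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &checked);
}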
1111f5207b7SJohn Levon 
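/*
 * Return-implies hook for IS_ERR()/IS_ERR_OR_NULL() returning true and
 * PTR_RET() returning -4095..-1: the pointer passed as the first
 * argument is an error on this path.  "IS_ERR(p = foo())" is handled
 * by unwrapping the assignment(s) and marking the assigned-to variable.
 *
 * @fn:          name of the matched function (unused)
 * @call_expr:   the IS_ERR()-style call
 * @assign_expr: enclosing assignment, if any (unused)
 * @unused:      unused
 */
static void match_err(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = strip_expr(get_argument_from_call_expr(call_expr->args, 0));
	/* A call without arguments yields NULL here; nothing to track then. */
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &err_ptr);
}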
1231f5207b7SJohn Levon 
/*
 * DEREF_HOOK: only unary-operator expressions (EXPR_PREOP) are looked
 * at; the operand is checked for being a possible ERR_PTR().
 */
static void match_dereferences(struct expression *expr)
{
	if (expr->type == EXPR_PREOP)
		check_is_err_ptr(expr->unop);
}
1301f5207b7SJohn Levon 
/*
 * Function hook for the free-like functions registered in
 * check_err_ptr_deref(): handing an ERR_PTR() to kfree() and friends is
 * reported like a dereference.
 *
 * @fn:      name of the matched function (unused)
 * @expr:    the call expression
 * @_arg_nr: index (as INT_PTR) of the argument that is freed
 */
static void match_kfree(const char *fn, struct expression *expr, void *_arg_nr)
{
	struct expression *freed;

	freed = get_argument_from_call_expr(expr->args, PTR_INT(_arg_nr));
	check_is_err_ptr(freed);
}
1391f5207b7SJohn Levon 
/*
 * CONDITION_HOOK: a tracked pointer used directly as a condition is
 * zero on the false branch, and zero is never an ERR_PTR(), so the false
 * branch gets "checked" while the true branch keeps its state.  For
 * "if (p = foo())" both sides of the assignment are visited first.
 */
static void match_condition(struct expression *expr)
{
	if (expr->type == EXPR_ASSIGNMENT) {
		match_condition(expr->right);
		match_condition(expr->left);
	}
	if (get_state_expr(my_id, expr))
		set_true_false_states_expr(my_id, expr, NULL, &checked);
}
1511f5207b7SJohn Levon 
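/*
 * Read the per-project list "kernel.returns_err_ptr" (one identifier per
 * token) and hook each named function's assignments, so the assigned-to
 * variable starts out as a possible ERR_PTR().
 *
 * Tokens obtained from get_tokens_file() are released with
 * clear_token_alloc() on every exit path after the file was read,
 * including a malformed one; only a missing file returns early.
 */
static void register_err_ptr_funcs(void)
{
	struct token *token;
	const char *func;

	token = get_tokens_file("kernel.returns_err_ptr");
	if (!token)
		return;
	if (token_type(token) != TOKEN_STREAMBEGIN)
		goto out;
	for (token = token->next;
	     token_type(token) != TOKEN_STREAMEND;
	     token = token->next) {
		/* Stop at the first non-identifier; the rest of the file is not trusted. */
		if (token_type(token) != TOKEN_IDENT)
			break;
		func = show_ident(token->ident);
		add_function_assign_hook(func, &match_returns_err_ptr, NULL);
	}
out:
	clear_token_alloc();
}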
1721f5207b7SJohn Levon 
/*
 * ERR_PTR(x) with a constant argument: a known positive, non-zero value
 * is reported, since a pointer-encoded error must be a negative errno.
 * Zero and negative constants pass; non-constant arguments are left to
 * match_err_ptr().
 *
 * @fn:     name of the matched function (unused)
 * @expr:   the ERR_PTR() call
 * @unused: unused
 */
static void match_err_ptr_positive_const(const char *fn, struct expression *expr, void *unused)
{
	struct expression *arg = get_argument_from_call_expr(expr->args, 0);
	sval_t val;

	if (!get_value(arg, &val))
		return;
	if (!sval_is_positive(val) || sval_cmp_val(val, 0) == 0)
		return;
	sm_error("passing non negative %s to ERR_PTR", sval_to_str(val));
}
1851f5207b7SJohn Levon 
/*
 * ERR_PTR(x) with a range-tracked argument: fold every possible
 * smatch_extra state of x into one [lo, hi] span, then complain when the
 * span reaches below -4095 or up into positive values.  A bound that is
 * a type's own minimum/maximum is treated as unknown and skipped.
 *
 * @fn:     name of the matched function (unused)
 * @expr:   the ERR_PTR() call
 * @unused: unused
 */
static void match_err_ptr(const char *fn, struct expression *expr, void *unused)
{
	struct expression *arg = get_argument_from_call_expr(expr->args, 0);
	struct sm_state *sm = get_sm_state_expr(SMATCH_EXTRA, arg);
	struct sm_state *poss;
	sval_t cur;
	/* Start from the extremes so the first real bound always wins. */
	sval_t lo = sval_type_max(&llong_ctype);
	sval_t hi = sval_type_min(&llong_ctype);

	if (!sm)
		return;

	FOR_EACH_PTR(sm->possible, poss) {
		cur = estate_min(poss->state);
		if (!sval_is_a_min(cur) && sval_cmp(cur, lo) < 0)
			lo = cur;
		cur = estate_max(poss->state);
		if (!sval_is_a_max(cur) && sval_cmp(cur, hi) > 0)
			hi = cur;
	} END_FOR_EACH_PTR(poss);

	if (sval_is_negative(lo) && sval_cmp_val(lo, -4095) < 0)
		sm_error("%s too low for ERR_PTR", sval_to_str(lo));
	if (sval_is_positive(hi) && sval_cmp_val(hi, 0) != 0)
		sm_error("passing non negative %s to ERR_PTR", sval_to_str(hi));
}
2131f5207b7SJohn Levon 
/*
 * Check entry point: track pointers that may carry an ERR_PTR() encoded
 * error and report places where they are dereferenced or freed.
 * Kernel-only; a no-op for other projects.
 *
 * Hooks are registered in a fixed order because the smatch core invokes
 * them in registration order, which fixes the order of the reports.
 *
 * @id: the state id allocated for this check by the smatch core
 */
void check_err_ptr_deref(int id)
{
	/* IS_ERR()-style predicates: return range -> implied state of argument 0. */
	static const struct {
		const char *name;
		int ret_min;
		int ret_max;
		void (*hook)(const char *, struct expression *,
			     struct expression *, void *);
	} implies[] = {
		{ "IS_ERR",             0,  0, &match_checked },
		{ "IS_ERR",             1,  1, &match_err },
		{ "IS_ERR_OR_NULL",     0,  0, &match_checked },
		{ "IS_ERR_OR_NULL",     1,  1, &match_err },
		{ "PTR_RET",            0,  0, &match_checked },
		{ "PTR_RET",        -4095, -1, &match_err },
	};
	/* Free-like functions and the index of the pointer argument they free. */
	static const struct {
		const char *name;
		int arg_nr;
	} frees[] = {
		{ "kfree",           0 },
		{ "brelse",          0 },
		{ "kmem_cache_free", 1 },
		{ "vfree",           0 },
	};
	size_t i;

	if (option_project != PROJ_KERNEL)
		return;

	my_id = id;
	for (i = 0; i < sizeof(implies) / sizeof(implies[0]); i++)
		return_implies_state(implies[i].name, implies[i].ret_min,
				     implies[i].ret_max, implies[i].hook, NULL);
	register_err_ptr_funcs();
	add_hook(&match_dereferences, DEREF_HOOK);
	add_function_hook("ERR_PTR", &match_err_ptr_positive_const, NULL);
	add_function_hook("ERR_PTR", &match_err_ptr, NULL);
	add_hook(&match_condition, CONDITION_HOOK);
	add_modification_hook(my_id, &ok_to_use);
	for (i = 0; i < sizeof(frees) / sizeof(frees[0]); i++)
		add_function_hook(frees[i].name, &match_kfree, INT_PTR(frees[i].arg_nr));

	/* Built once; the hooks above only run later, during analysis. */
	err_ptr_rl = clone_rl_permanent(alloc_rl(err_ptr_min, err_ptr_max));

	select_return_implies_hook(DEREFERENCE, &set_param_dereferenced);
}
2411f5207b7SJohn Levon 