/*
* Copyright (C) 2010 Dan Carpenter.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
*/
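/*
 * According to an email on lkml you are not allowed to reuse the skb
 * passed to dev_queue_xmit().
 *
 * This check reports a later use of an skb that was passed to one of the
 * functions listed in the kernel.dev_queue_xmit data file, unless that use
 * is as an argument of kfree_skb().
 */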
#include "smatch.h"
#include "smatch_slist.h"
/* Checker id assigned in check_dev_queue_xmit(); every state this file sets is keyed by it. */
static int my_id;
/* State given to the argument of a hooked xmit function: the caller must not touch it again. */
STATE(do_not_use);
/*
 * Modification hook registered by check_dev_queue_xmit().
 *
 * Resets the tracked state of @sm's variable to &undefined, which drops any
 * do_not_use marking. Presumably called when the variable is assigned a
 * new value, so the old (consumed) skb is no longer reachable through it.
 * @mod_expr is unused.
 */
static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
{
	const char *var = sm->name;
	struct symbol *sym = sm->sym;

	set_state(my_id, var, sym, &undefined);
}
/*
 * Decide whether the current use of a consumed skb is acceptable.
 *
 * Walks big_expression_stack from its last entry backwards. The first
 * entry is skipped (presumably the symbol expression being visited),
 * parentheses are skipped, and the first '.' operator is skipped. The
 * next enclosing expression decides the result.
 *
 * Returns 1 only when that expression is a call to kfree_skb(), else 0.
 *
 * NOTE(review): this means kfree_skb() on an skb already handed to the
 * xmit function is never reported; confirm that is intended.
 */
static int valid_use(void)
{
	struct expression *parent;
	int seen = 0;
	int derefs = 0;

	FOR_EACH_PTR_REVERSE(big_expression_stack, parent) {
		if (seen++ == 0)
			continue;
		if (parent->type == EXPR_PREOP && parent->op == '(')
			continue;
		/* Only the first '.' is looked through; a second one ends the walk. */
		if (parent->op == '.' && derefs++ == 0)
			continue;
		return parent->type == EXPR_CALL &&
		       sym_name_is("kfree_skb", parent->fn);
	} END_FOR_EACH_PTR_REVERSE(parent);

	return 0;
}
/*
 * The symbol hook is expensive, so match_xmit() registers it only the first
 * time a hooked xmit function is matched. This counter is zero until then.
 */
static int match_symbol_active;
/*
 * SYM_HOOK callback: report use of an skb after it was handed off.
 *
 * Does nothing unless do_not_use is among the possible states tracked for
 * @expr, so a hand-off on only some paths is still reported. Uses that
 * valid_use() accepts are skipped.
 *
 * The message always names dev_queue_xmit(), even when the skb was consumed
 * by a different function registered from the data file.
 *
 * NOTE(review): the result of expr_to_var() is passed to "%s" unchecked;
 * confirm it cannot be NULL here.
 */
static void match_symbol(struct expression *expr)
{
	struct sm_state *state = get_sm_state_expr(my_id, expr);
	char *var;

	if (!state)
		return;
	if (!slist_has_state(state->possible, &do_not_use))
		return;
	if (valid_use())
		return;

	var = expr_to_var(expr);
	sm_error("'%s' was already used up by dev_queue_xmit()", var);
	free_string(var);
}
/*
 * Function hook for kfree_skb(): reset the state of its first argument to
 * &undefined, so this check reports no further uses of that expression.
 * @fn and @param are unused.
 */
static void match_kfree_skb(const char *fn, struct expression *expr, void *param)
{
	struct expression *skb = get_argument_from_call_expr(expr->args, 0);

	if (skb)
		set_state_expr(my_id, skb, &undefined);
}
/*
 * Function hook for every function listed in the data file.
 *
 * @param carries the index of the argument that is handed off, encoded
 * with INT_PTR() by register_funcs_from_file(). That argument is marked
 * do_not_use. On the first match only, the symbol hook and the kfree_skb()
 * hook are installed. @fn is unused.
 */
static void match_xmit(const char *fn, struct expression *expr, void *param)
{
	struct expression *skb;

	skb = get_argument_from_call_expr(expr->args, PTR_INT(param));
	if (!skb)
		return;
	set_state_expr(my_id, skb, &do_not_use);

	/* Hooks are registered once; later matches only bump the counter. */
	if (match_symbol_active++)
		return;
	add_hook(&match_symbol, SYM_HOOK);
	add_function_hook("kfree_skb", &match_kfree_skb, NULL);
}
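/*
 * Load the list of skb-consuming functions from the "kernel.dev_queue_xmit"
 * data file and hook each of them with match_xmit().
 *
 * The token stream is expected to be a sequence of <identifier> <number>
 * pairs: a function name followed by the index of the argument that is
 * handed off. Parsing stops silently at the first token that does not fit.
 * Hooks registered before that point stay in place, but later entries are
 * not registered, so those functions go unchecked.
 *
 * The tokenizer's allocations are released on every exit once a token
 * stream was obtained. Previously the malformed-input exits returned
 * without calling clear_token_alloc().
 */
static void register_funcs_from_file(void)
{
	struct token *token;
	const char *func;
	int arg;

	token = get_tokens_file("kernel.dev_queue_xmit");
	if (!token)
		return;
	if (token_type(token) != TOKEN_STREAMBEGIN)
		goto out;
	token = token->next;
	while (token_type(token) != TOKEN_STREAMEND) {
		if (token_type(token) != TOKEN_IDENT)
			goto out;
		func = show_ident(token->ident);
		token = token->next;
		if (token_type(token) != TOKEN_NUMBER)
			goto out;
		/* NOTE(review): atoi() cannot report a malformed number; the value is used as given. */
		arg = atoi(token->number);
		add_function_hook(func, &match_xmit, INT_PTR(arg));
		token = token->next;
	}
out:
	clear_token_alloc();
}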
/*
 * Entry point of the check. Active only when the analysed project is the
 * kernel: it records @id as this checker's id, installs the modification
 * hook that clears the do_not_use marking, and registers the xmit function
 * hooks from the data file.
 */
void check_dev_queue_xmit(int id)
{
	if (option_project == PROJ_KERNEL) {
		my_id = id;
		add_modification_hook(my_id, ok_to_use);
		register_funcs_from_file();
	}
}