check_dev_queue_xmit.c

   1 /*
   2  * sparse/check_dev_queue_xmit.c
   3  *
   4  * Copyright (C) 2010 Dan Carpenter.
   5  *
   6  * Licensed under the Open Software License version 1.1
   7  *
   8  */
   9
  10 /*
  11  * According to an email on lkml you are not allowed to reuse the skb
  12  * passed to dev_queue_xmit()
  13  *
  14  */
  15
  16 #include "smatch.h"
  17
  18 static int my_id;
  19
  20 STATE(do_not_use);
  21
  22 static void ok_to_use(const char *name, struct symbol *sym, struct expression *expr, void *unused)
  23 {
  24         delete_state(my_id, name, sym);
  25 }
  26
  27 static int valid_use(void)
  28 {
  29         struct expression *tmp;
  30         int i = 0;
  31         int dot_ops = 0;
  32
  33         FOR_EACH_PTR_REVERSE(big_expression_stack, tmp) {
  34                 if (!i++)
  35                         continue;
  36                 if (tmp->type == EXPR_PREOP && tmp->op == '(')
  37                         continue;
  38                 if (tmp->op == '.' && !dot_ops++)
  39                         continue;
  40 //              if (tmp->type == EXPR_POSTOP)
  41 //                      return 1;
  42                 if (tmp->type == EXPR_CALL && sym_name_is("kfree_skb", tmp->fn))
  43                         return 1;
  44                 return 0;
  45         } END_FOR_EACH_PTR_REVERSE(tmp);
  46         return 0;
  47 }
  48
  49 /* match symbol is expensive.  only turn it on after we match the xmit function */
  50 static int match_symbol_active;
  51 static void match_symbol(struct expression *expr)
  52 {
  53         struct sm_state *sm;
  54         char *name;
  55
  56         sm = get_sm_state_expr(my_id, expr);
  57         if (!sm)
  58                 return;
  59         if (valid_use())
  60                 return;
  61         name = get_variable_from_expr(expr, NULL);
  62         sm_msg("error: '%s' was already used up by dev_queue_xmit()", name);
  63         free_string(name);
  64 }
  65
  66 static void match_kfree_skb(const char *fn, struct expression *expr, void *param)
  67 {
  68         struct expression *arg;
  69
  70         arg = get_argument_from_call_expr(expr->args, 0);
  71         if (!arg)
  72                 return;
  73         delete_state_expr(my_id, arg);
  74 }
  75
  76 static void match_xmit(const char *fn, struct expression *expr, void *param)
  77 {
  78         struct expression *arg;
  79
  80         arg = get_argument_from_call_expr(expr->args, (int)param);
  81         if (!arg)
  82                 return;
  83         set_state_expr(my_id, arg, &do_not_use);
  84         if (!match_symbol_active++) {
  85                 add_hook(&match_symbol, SYM_HOOK);
  86                 add_function_hook("kfree_skb", &match_kfree_skb, NULL);
  87         }
  88 }
  89
  90 static void register_funcs_from_file(void)
  91 {
  92         struct token *token;
  93         const char *func;
  94         int arg;
  95
  96         token = get_tokens_file("kernel.dev_queue_xmit");
  97         if (!token)
  98                 return;
  99         if (token_type(token) != TOKEN_STREAMBEGIN)
 100                 return;
 101         token = token->next;
 102         while (token_type(token) != TOKEN_STREAMEND) {
 103                 if (token_type(token) != TOKEN_IDENT)
 104                         return;
 105                 func = show_ident(token->ident);
 106                 token = token->next;
 107                 if (token_type(token) != TOKEN_NUMBER)
 108                         return;
 109                 arg = atoi(token->number);
 110                 add_function_hook(func, &match_xmit, INT_PTR(arg));
 111                 token = token->next;
 112         }
 113         clear_token_alloc();
 114 }
 115
 116 void check_dev_queue_xmit(int id)
 117 {
 118         if (option_project != PROJ_KERNEL || !option_spammy)
 119                 return;
 120         my_id = id;
 121         set_default_modification_hook(my_id, ok_to_use);
 122         register_funcs_from_file();
 123 }