locking: remove release_sock()

[smatch.git] / check_dev_queue_xmit.c

/*
 * Copyright (C) 2010 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

/*
 * According to an email on lkml you are not allowed to reuse the skb
 * passed to dev_queue_xmit()
 *
 */

#include "smatch.h"
#include "smatch_slist.h"

static int my_id;

STATE(do_not_use);

static int valid_use(void)
{
        struct expression *tmp;
        int i = 0;
        int dot_ops = 0;

        FOR_EACH_PTR_REVERSE(big_expression_stack, tmp) {
                if (!i++)
                        continue;
                if (tmp->type == EXPR_PREOP && tmp->op == '(')
                        continue;
                if (tmp->op == '.' && !dot_ops++)
                        continue;
//              if (tmp->type == EXPR_POSTOP)
//                      return 1;
                if (tmp->type == EXPR_CALL && sym_name_is("kfree_skb", tmp->fn))
                        return 1;
                return 0;
        } END_FOR_EACH_PTR_REVERSE(tmp);
        return 0;
}

/* match symbol is expensive.  only turn it on after we match the xmit function */
static int match_symbol_active;
static void match_symbol(struct expression *expr)
{
        struct sm_state *sm;
        char *name;

        sm = get_sm_state_expr(my_id, expr);
        if (!sm || !slist_has_state(sm->possible, &do_not_use))
                return;
        if (valid_use())
                return;
        name = expr_to_var(expr);
        sm_error("'%s' was already used up by dev_queue_xmit()", name);
        free_string(name);
}

static void match_kfree_skb(const char *fn, struct expression *expr, void *param)
{
        struct expression *arg;

        arg = get_argument_from_call_expr(expr->args, 0);
        if (!arg)
                return;
        set_state_expr(my_id, arg, &undefined);
}

static void match_xmit(const char *fn, struct expression *expr, void *param)
{
        struct expression *arg;

        arg = get_argument_from_call_expr(expr->args, PTR_INT(param));
        if (!arg)
                return;
        set_state_expr(my_id, arg, &do_not_use);
        if (!match_symbol_active++) {
                add_hook(&match_symbol, SYM_HOOK);
                add_function_hook("kfree_skb", &match_kfree_skb, NULL);
        }
}

static void register_funcs_from_file(void)
{
        struct token *token;
        const char *func;
        int arg;

        token = get_tokens_file("kernel.dev_queue_xmit");
        if (!token)
                return;
        if (token_type(token) != TOKEN_STREAMBEGIN)
                return;
        token = token->next;
        while (token_type(token) != TOKEN_STREAMEND) {
                if (token_type(token) != TOKEN_IDENT)
                        return;
                func = show_ident(token->ident);
                token = token->next;
                if (token_type(token) != TOKEN_NUMBER)
                        return;
                arg = atoi(token->number);
                add_function_hook(func, &match_xmit, INT_PTR(arg));
                token = token->next;
        }
        clear_token_alloc();
}

void check_dev_queue_xmit(int id)
{
        if (option_project != PROJ_KERNEL)
                return;
        my_id = id;
        add_modification_hook(my_id, &set_undefined);
        register_funcs_from_file();
}