include/linux/overflow.h includes helper macros intended for calculating
sizes of allocations. These macros prevent accidental overflow by
saturating at SIZE_MAX.
In general when calculating such sizes use of the macros is preferred. Add
a semantic patch which can detect code patterns which can be replaced by
struct_size.
Note that I set the confidence to medium because this patch doesn't make an
attempt to ensure that the relevant array is actually a flexible array. The
struct_size macro does specifically require a flexible array. In many cases
the detected code could be refactored to a flexible array, but this is not
always possible (such as if there are multiple over-allocations).
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://lore.kernel.org/r/20230227202428.3657443-1-jacob.e.keller@intel.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Add rules for finding places where str_plural() can be used. This
currently finds:
54 files changed, 62 insertions(+), 61 deletions(-)
Co-developed-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com>
Link: https://lore.kernel.org/all/fc1b25a8-6381-47c2-831c-ab6b8201a82b@intel.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
Commit ff82e84e80 ("coccinelle: device_attr_show: simplify patch case")
simplifies the patch case, as a result, STR is no longer needed.
This also helps to fix below coccicheck warning:
> warning: rp: metavariable STR not used in the - or context code
CC: Julia Lawall <Julia.Lawall@inria.fr>
CC: Nicolas Palix <nicolas.palix@imag.fr>
CC: cocci@inria.fr
Fixes: ff82e84e80 ("coccinelle: device_attr_show: simplify patch case")
Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Replacing the final expression argument by ... allows the format
string to have multiple arguments.
It also has the advantage of allowing the change to be recognized as
a change in a single statement, thus avoiding adding unneeded braces.
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
A common practice is to grep for "WARNING" or "ERROR" text in the report
output from a Coccinelle semantic patch script. So, include the text
"WARNING: " in the report output generated by the semantic patch for
desired filtering of the output. Also improves the readability of the
output. Here is an example of the old and new outputs reported:
xyz_file.c:131:39-40: atomic_add_unless
xyz_file.c:131:39-40: WARNING: atomic_add_unless
xyz_file.c:196:6-25: atomic_dec_and_test variation before object free at line 208.
xyz_file.c:196:6-25: WARNING: atomic_dec_and_test variation before object free at line 208.
Signed-off-by: Deepak R Varma <drv@mailo.com>
Acked-by: Julia Lawall <Julia.Lawall@inria.fr>
Since commit b37a466837 ("netdevice: add the case if dev is NULL"),
NULL check before dev_{put, hold} functions is not needed.
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
The test of an expression's address does not necessarily represent the
whole condition, it may only be a part of it. Also, an expression's
address is likely to be non-zero in every test expression, not only in
if statements.
This change aims at detecting an address test in more complex conditions
and not only in if statements.
Signed-off-by: Jérémy Lefaure <jeremy.lefaure@netatmo.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
This semantic patch does not take into account the fact that of_node_put
can be safely applied to NULL. Thus it gives only false positives.
Drop it.
Reported-by: Qing Wang <wangqing@vivo.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
The BUG_ON script was never safe, in that it was not able to check
whether the condition was side-effecting. At this point, BUG_ON
should be well known, so it has probably outlived its usefuless.
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Suggested-by: Matthew Wilcox <willy@infradead.org>
Update MAINTAINERS information (mailing list, web page, etc).
Add a semantic patch from Wen Yang to check for do_div calls that may
cause truncation, motivated by
commit b0ab99e773 ("sched: Fix possible divide by zero in avg_atom() calculation")
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEnGZC8gbRfLXdcpA0F+92B3f5RZ0FAmGOQVMACgkQF+92B3f5
RZ37Hw//R4CEHgb+E5hUUFhejNZTdX93pgoc1nMO8lmE1OwGf1ZMrsdBDrRZe270
LYKKXgH3H/J/Mc3MstPRDPjIeN6K/DRB1LrYksSEtTJnLwdcd4MoLX5ozwQdWfDQ
7pJkmdEAhrfGUh7Z2qopINa8XzaE6vAk3alo81GLUL2rOFDaJrtqoSKGZIZ/SPHZ
p9bnyqfU2Jv/PHCJrnIhAx4af6kae9WY4dSnVd16cB+e5h8u3x/2xEPobNF5+awd
hUNH+zu3QRP362Mb2rDa8P5Z15bAxLhAv4SwY8BJ8LYYvTtCGv4Vbu661egPahit
Jgj9mDUoEDMHVBqDMqH4LEc+aCmhKIl4k3p4rODQvW8L+hEP/2Q++FsKuJOK8CfF
a24NaMed1j6ORW00n1XW6c1AEbPAlfsNYfEGTin6LYtP/AA1FL04jW3FeF/WlPuv
X1P9U6X0Y/qCzLeCk5IqcoBD9Zf4iYOxEGGXuFEiXm7S41jK7N+TiwXhlEMUKsqF
0V/xfiXnwzrsCQQLaF5tX4CU9gXDxuZw1b5QfUVDptD42KTfdmss9xGxYVCrRKZy
R6rLgMcdgTHgRaYzGb3qlIQ0chyjBo8HGCbW1EDYWJwQoR92AkTlFcrWuqxsD2lM
GDafd6jqDQxdl441siJlZrjxY2EDiXfuWfdJ+fl60yVF6lo1YW0=
=vMjw
-----END PGP SIGNATURE-----
Merge tag 'coccinelle-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlawall/linux
Pull coccinelle updates from Julia Lawall:
- Update MAINTAINERS information (mailing list, web page, etc).
- Add a semantic patch from Wen Yang to check for do_div calls that may
cause truncation, motivated by commit b0ab99e773 ("sched: Fix
possible divide by zero in avg_atom() calculation")
* tag 'coccinelle-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlawall/linux:
coccinelle: update Coccinelle entry
coccinelle: semantic patch to check for inappropriate do_div() calls
do_div() does a 64-by-32 division.
When the divisor is unsigned long, u64, or s64,
do_div() truncates it to 32 bits, this means it
can test non-zero and be truncated to zero for division.
This semantic patch is inspired by Mateusz Guzik's patch:
commit b0ab99e773 ("sched: Fix possible divide by zero in avg_atom() calculation")
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
Cc: Gilles Muller <Gilles.Muller@lip6.fr>
Cc: Nicolas Palix <nicolas.palix@imag.fr>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Matthias Maennich <maennich@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: cocci@systeme.lip6.fr
Cc: linux-kernel@vger.kernel.org
Currently use_after_iter.cocci generates false positives for code of the
following form:
~~~
list_for_each_entry(d, &ddata->irq_list, node) {
if (irq == d->irq)
break;
}
if (list_entry_is_head(d, &ddata->irq_list, node))
return IRQ_NONE;
~~~
[This specific example comes from drivers/power/supply/cpcap-battery.c]
Most list macros use list_entry_is_head() as loop exit condition meaning it
is not unsafe to reuse pos (a.k.a. d) in the code above.
Let's avoid reporting these cases.
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Commit 453431a549 ("mm, treewide: rename kzfree() to
kfree_sensitive()") renamed kzfree() to kfree_sensitive(),
it should be applied to coccinelle.
Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Acked-by: Denis Efremov <efremov@linux.com>
Using kobj_to_dev() instead of container_of() is not universally
accepted among maintainers as an improvement. The warning leads to
repeated patch submissions that won't be accepted. Remove the script.
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Denis Efremov <efremov@linux.com>
Cc: Julia Lawall <Julia.Lawall@inria.fr>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Acked-by: Jens Axboe <axboe@kernel.dk>
Acked-by: Denis Efremov <efremov@linux.com>
There is a standard idiom for "if 'ret' holds an error, return it":
return ret < 0 ? ret : 0;
Developers prefer to keep the things as they are because stylistic
change to "return min(ret, 0);" breaks readability.
Let's suppress automatic generation for this type of patches.
Signed-off-by: Denis Efremov <efremov@linux.com>
The IRQF_ONESHOT should be present for threaded IRQ using default
primary handler. However intetrupt of many child devices, e.g. children
of MFD, is nested thus the IRQF_ONESHOT is not needed. The coccinelle
message about error misleads submitters and reviewers about the severity
of the issue, so make it a warning and mention possible false positive.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Remove the documentation link from the warning message because commit
3942ea7a10 ("deprecated.rst: Remove now removed uninitialized_var")
removed the section from documentation. Update the rule documentation
accordingly.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
Skip patches generation for structs with a single field.
Changing a zero-length array to a flexible array member in a struct
with no named members breaks the compilation. However, reporting
such cases is still valuable, e.g. commit 637464c59e
("ACPI: NFIT: Fix flexible_array.cocci warnings").
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
of_dev_get() and of_dev_put are just wrappers for get_device()/put_device()
on a platform_device. There's also already platform_device_{get,put}()
wrappers for this purpose. Let's update the few users and remove
of_dev_{get,put}().
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Frank Rowand <frowand.list@gmail.com>
Cc: Patrice Chotard <patrice.chotard@st.com>
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Julia Lawall <Julia.Lawall@inria.fr>
Cc: Gilles Muller <Gilles.Muller@inria.fr>
Cc: Nicolas Palix <nicolas.palix@imag.fr>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: netdev@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-usb@vger.kernel.org
Cc: cocci@systeme.lip6.fr
Signed-off-by: Rob Herring <robh@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20210211232745.1498137-2-robh@kernel.org
The ptr_ret script script addresses a number of situations where we end up
testing an error pointer, and if it's an error returning it, or return 0
otherwise to transform it into a PTR_ERR_OR_ZERO call.
So it will convert a block like this:
if (IS_ERR(err))
return PTR_ERR(err);
return 0;
into
return PTR_ERR_OR_ZERO(err);
While this is technically correct, it has a number of drawbacks. First, it
merges the error and success path, which will make it harder for a reviewer
or reader to grasp.
It's also more difficult to extend if we were to add some code between the
error check and the function return, making the author essentially revert
that patch before adding new lines, while it would have been a trivial
addition otherwise for the rewiever.
Therefore, since that script is only about cosmetic in the first place,
let's remove it since it's not worth it.
Acked-by: Jani Nikula <jani.nikula@intel.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Acked-by: Julia Lawall <julia.lawall@inria.fr>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
0/1 for booleans is perfectly valid C.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Check that alloc and free types of functions match each other.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
While iterating over child nodes with the for_each functions, if
control is transferred from the middle of the loop, as in the case
of a break or return or goto, there is no decrement in the
reference counter thus ultimately resulting in a memory leak.
Add this script to detect potential memory leaks caused by
the absence of of_node_put() before break, goto, or, return
statements which transfer control outside the loop.
Signed-off-by: Sumera Priyadarsini <sylphrenadin@gmail.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
Print memset() call position in addition to the kfree() position to
ease issues identification.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
One-element and zero-length arrays are deprecated [1]. Kernel
code should always use "flexible array members" instead, except
for existing uapi definitions.
The script warns about one-element and zero-length arrays in structs.
[1] commit 68e4cd17e2 ("docs: deprecated.rst: Add zero-length and
one-element arrays")
Cc: Kees Cook <keescook@chromium.org>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <julia.lawall@inria.fr>
Check for !A || A && B condition. It's equivalent to !A || B.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
uninitialized_var() macro was removed from the sources [1] and
other warning-silencing tricks were deprecated [2]. The purpose of this
cocci script is to prevent new occurrences of uninitialized_var()
open-coded variants.
[1] commit 63a0895d96 ("compiler: Remove uninitialized_var() macro")
[2] commit 4b19bec97c ("docs: deprecated.rst: Add uninitialized_var()")
Cc: Kees Cook <keescook@chromium.org>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Extend the list of free functions with kvfree(), kvfree_sensitive(),
vfree().
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Commit dfd32cad14 ("dma-mapping: remove dma_zalloc_coherent()")
removed the definition of dma_zalloc_coherent() and also removed the
corresponding patch rule for replacing instances of dma_alloc_coherent +
memset in zalloc-simple.cocci (though left the report rule).
Add a new patch rule to remove unnecessary calls to memset after
allocating with dma_alloc_coherent. While we're at it, fix a couple of
typos.
Fixes: dfd32cad14 ("dma-mapping: remove dma_zalloc_coherent()")
Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
As said by Linus:
A symmetric naming is only helpful if it implies symmetries in use.
Otherwise it's actively misleading.
In "kzalloc()", the z is meaningful and an important part of what the
caller wants.
In "kzfree()", the z is actively detrimental, because maybe in the
future we really _might_ want to use that "memfill(0xdeadbeef)" or
something. The "zero" part of the interface isn't even _relevant_.
The main reason that kzfree() exists is to clear sensitive information
that should not be leaked to other future users of the same memory
objects.
Rename kzfree() to kfree_sensitive() to follow the example of the recently
added kvfree_sensitive() and make the intention of the API more explicit.
In addition, memzero_explicit() is used to clear the memory to make sure
that it won't get optimized away by the compiler.
The renaming is done by using the command sequence:
git grep -w --name-only kzfree |\
xargs sed -i 's/kzfree/kfree_sensitive/'
followed by some editing of the kfree_sensitive() kerneldoc and adding
a kzfree backward compatibility macro in slab.h.
[akpm@linux-foundation.org: fs/crypto/inline_crypt.c needs linux/slab.h]
[akpm@linux-foundation.org: fix fs/crypto/inline_crypt.c some more]
Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: David Howells <dhowells@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Joe Perches <joe@perches.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
Link: http://lkml.kernel.org/r/20200616154311.12314-3-longman@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Add vmemdup_user() transformations to the memdup_user.cocci rule.
Commit 50fd2f298b ("new primitive: vmemdup_user()") introduced
vmemdup_user(). The function uses kvmalloc with GPF_USER flag.
Signed-off-by: Denis Efremov <efremov@linux.com>
Match GFP_USER and optional __GFP_NOWARN allocations with
memdup_user.cocci rule.
Commit 6c2c97a24f ("memdup_user(): switch to GFP_USER") switched
memdup_user() from GFP_KERNEL to GFP_USER. In almost all cases it
is still a good idea to recommend memdup_user() for GFP_KERNEL
allocations. The motivation behind altering memdup_user() to GFP_USER:
https://lkml.org/lkml/2018/1/6/333
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Check for memset()/memzero_explicit() followed by kfree()/vfree()/kvfree().
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Detect an opencoded expression that is used before or after
array_size()/array3_size()/struct_size() to compute the same size.
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>