├── Documentation
│   ├── Setup.md
│   ├── Setup.md.license
│   ├── Usage.md
│   └── Usage.md.license
├── LICENSES
│   ├── CC-BY-SA-4.0.txt
│   └── GPL-2.0.txt
├── README.md
├── README.md.license
├── docker
│   ├── kernel-clang
│   │   └── Dockerfile
│   ├── kernel-coccinelle
│   │   └── Dockerfile
│   └── kernel-gcc
│       └── Dockerfile
├── infer
│   ├── Documentation
│   │   └── Setup.md
│   ├── Reports
│   │   ├── images
│   │   │   └── blk_rq_unmap_user.ver1.png
│   │   ├── report-on-memory-leak-0002.md
│   │   ├── report-on-memory-leak-0003.md
│   │   ├── report-on-resource-leak-0001.md
│   │   ├── report-on-use-after-free-0004.md
│   │   ├── report-on-use-after-free-0005.md
│   │   └── report-on-use-after-free-0006.md
│   ├── models
│   │   └── kapis.c
│   ├── results
│   │   ├── v1
│   │   │   └── bugs.txt
│   │   └── v2
│   │       └── bugs_with_kmalloc_kfree.txt
│   └── scripts
│       └── README.md
└── scripts
    ├── build-docker.sh
    └── compile-kernel.sh

/Documentation/Setup.md:
--------------------------------------------------------------------------------
# Setting up the work environment

This document describes how to set up your system to use the `compile-kernel.sh`
script.

We assume that you have cloned this git repository and are now in its
top-level directory; the following steps are relative to it.

Build the needed docker containers with the `build-docker.sh` script:

```
./scripts/build-docker.sh
```

Set the directory where you place your kernel git repositories:

```
export KERNEL_SRC_BASE=
```

For example, here is the setup to place the git repositories in a subdirectory
structure that matches the URLs of their origin:

```
mkdir -p ~/repositories/kernel.org/pub/scm/linux/kernel/git
export KERNEL_SRC_BASE=~/repositories/kernel.org/pub/scm/linux/kernel/git
```

Add this environment variable to your `.bash_profile` to make it persistent:

```
echo "export KERNEL_SRC_BASE=$KERNEL_SRC_BASE" >> ~/.bash_profile
```

Clone the git repositories, torvalds, stable and next, from git.kernel.org
into the `KERNEL_SRC_BASE` directory (the base URL carries no trailing slash,
so the per-repository paths below join without a doubled `/`):

```
pushd "$KERNEL_SRC_BASE"
export KERNEL_GIT_BASE_URL=https://git.kernel.org/pub/scm/linux/kernel/git
git clone $KERNEL_GIT_BASE_URL/torvalds/linux.git torvalds/linux
git clone $KERNEL_GIT_BASE_URL/stable/linux-stable.git stable/linux-stable
git clone $KERNEL_GIT_BASE_URL/next/linux-next.git next/linux-next
popd
```

Now everything is set up and you can use `./scripts/compile-kernel.sh`.
For more information on how to use `./scripts/compile-kernel.sh`, see
[Usage.md](Usage.md).
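The steps above, collected into one idempotent script. This is an added example and not part of the repository's own `scripts/` directory; the script name `kernel-setup.sh`, the function names and the `setup` argument are assumptions, while the base URL, the three trees and the `$KERNEL_SRC_BASE/<tree>/<repo>` layout come from this document. Beyond the steps as written, it fails early when `KERNEL_SRC_BASE` is unset and, before reusing an existing checkout, verifies that its `origin` is the expected git.kernel.org URL rather than silently building whatever happens to sit under that path.

```shell
#!/bin/sh
# Example setup script (an added illustration, not part of this repository's
# scripts/ directory). It assumes the layout from Setup.md: each tree lives at
# $KERNEL_SRC_BASE/<tree>/<repo>, mirroring its path under git.kernel.org.
set -eu

KERNEL_GIT_BASE_URL="https://git.kernel.org/pub/scm/linux/kernel/git"

# Map a short tree name to its path under KERNEL_GIT_BASE_URL (without .git).
kernel_repo_rel() {
    case "$1" in
        torvalds) echo "torvalds/linux" ;;
        stable)   echo "stable/linux-stable" ;;
        next)     echo "next/linux-next" ;;
        *)        echo "unknown kernel tree: $1" >&2; return 1 ;;
    esac
}

# Expected clone URL for a tree.
kernel_repo_url() {
    rel="$(kernel_repo_rel "$1")" || return 1
    echo "${KERNEL_GIT_BASE_URL}/${rel}.git"
}

# Local checkout directory for a tree; fails early if KERNEL_SRC_BASE is unset.
kernel_repo_path() {
    rel="$(kernel_repo_rel "$1")" || return 1
    echo "${KERNEL_SRC_BASE:?set KERNEL_SRC_BASE to your kernel repository base directory}/${rel}"
}

# Clone a tree if it is absent. If a checkout already exists, reuse it only when
# its origin is the expected git.kernel.org URL; a directory pointing elsewhere
# (stale clone, wrong remote, something planted under the same name) is an error.
ensure_kernel_repo() {
    tree="$1"
    dir="$(kernel_repo_path "$tree")"
    url="$(kernel_repo_url "$tree")"
    if [ -d "$dir/.git" ]; then
        current="$(git -C "$dir" remote get-url origin)"
        if [ "$current" != "$url" ]; then
            echo "$dir: origin is '$current', expected '$url'" >&2
            return 1
        fi
        echo "$dir: already cloned from $url"
        return 0
    fi
    mkdir -p "$(dirname "$dir")"
    git clone "$url" "$dir"
}

# Full setup from Setup.md: build the containers, then clone the three trees.
setup_all() {
    ./scripts/build-docker.sh
    mkdir -p "$KERNEL_SRC_BASE"
    for tree in torvalds stable next; do
        ensure_kernel_repo "$tree"
    done
}

# Run as `sh kernel-setup.sh setup` from the top-level directory of this
# repository; with no argument the file only defines the functions above, so
# it can also be sourced to reuse the path and URL helpers.
if [ "${1:-}" = "setup" ]; then
    setup_all
fi
```

Re-running the script is safe: trees that are already present with the right origin are reported and skipped, and a directory whose `origin` differs stops the run instead of being built from.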

--------------------------------------------------------------------------------
/Documentation/Setup.md.license:
--------------------------------------------------------------------------------
//
// Copyright (C) 2018 Lukas Bulwahn, BMW Car IT GmbH
//
// SPDX-License-Identifier: CC-BY-SA-4.0
//
--------------------------------------------------------------------------------
/Documentation/Usage.md:
--------------------------------------------------------------------------------
# Usage

## Using `compile-kernel.sh`

The `compile-kernel.sh` script is a shortcut to compile different branches of
the kernel with a given standard kernel configuration and compiler.

The script takes at least three positional arguments, in this order: the
kernel repository to build (e.g. `torvalds`, as cloned in [Setup.md](Setup.md)),
the kernel configuration, and the compiler. A fourth argument is optional.

For example, to build the current mainline kernel with the default kernel
configuration and the clang compiler, run:

```
./scripts/compile-kernel.sh torvalds defconfig clang
```

For further help, run `./scripts/compile-kernel.sh --help`.
21 | -------------------------------------------------------------------------------- /Documentation/Usage.md.license: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2018 Lukas Bulwahn, BMW Car IT GmbH 3 | // 4 | // SPDX-License-Identifier: CC-BY-SA-4.0 5 | // 6 | -------------------------------------------------------------------------------- /LICENSES/CC-BY-SA-4.0.txt: -------------------------------------------------------------------------------- 1 | Valid-License-Identifier: CC-BY-SA-4.0 2 | License-Text: 3 | Creative Commons Attribution-ShareAlike 4.0 International Public License 4 | 5 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 6 | 7 | Section 1 – Definitions. 8 | Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 
9 | Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 10 | BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License. 11 | Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 12 | Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 13 | Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 14 | License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. 15 | Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 16 | Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 17 | Licensor means the individual(s) or entity(ies) granting rights under this Public License. 
18 | Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 19 | Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 20 | You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 21 | 22 | Section 2 – Scope. 23 | License grant. 24 | Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 25 | reproduce and Share the Licensed Material, in whole or in part; and 26 | produce, reproduce, and Share Adapted Material. 27 | Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 28 | Term. The term of this Public License is specified in Section 6(a). 29 | Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. 
The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 30 | Downstream recipients. 31 | Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 32 | Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. 33 | No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 34 | No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 35 | Other rights. 36 | 37 | Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 
38 | Patent and trademark rights are not licensed under this Public License. 39 | To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties. 40 | 41 | Section 3 – License Conditions. 42 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 43 | 44 | Attribution. 45 | 46 | If You Share the Licensed Material (including in modified form), You must: 47 | 48 | retain the following if it is supplied by the Licensor with the Licensed Material: 49 | identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 50 | a copyright notice; 51 | a notice that refers to this Public License; 52 | a notice that refers to the disclaimer of warranties; 53 | a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 54 | indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 55 | indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 56 | You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 57 | If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 58 | ShareAlike. 
59 | In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. 60 | 61 | The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. 62 | You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. 63 | You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. 64 | 65 | Section 4 – Sui Generis Database Rights. 66 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 67 | 68 | for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; 69 | if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and 70 | You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 71 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 72 | 73 | Section 5 – Disclaimer of Warranties and Limitation of Liability. 
74 | Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. 75 | To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. 76 | The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 77 | 78 | Section 6 – Term and Termination. 79 | This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 80 | Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 81 | 82 | automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 83 | upon express reinstatement by the Licensor. 
84 | For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 85 | For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 86 | Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 87 | 88 | Section 7 – Other Terms and Conditions. 89 | The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 90 | Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 91 | 92 | Section 8 – Interpretation. 93 | For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 94 | To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 95 | No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 96 | Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 97 | Creative Commons is not a party to its public licenses. 
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. 98 | 99 | Creative Commons may be contacted at creativecommons.org. 100 | -------------------------------------------------------------------------------- /LICENSES/GPL-2.0.txt: -------------------------------------------------------------------------------- 1 | Valid-License-Identifier: GPL-2.0 2 | License-Text: 3 | 4 | GNU GENERAL PUBLIC LICENSE 5 | Version 2, June 1991 6 | 7 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 8 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 9 | Everyone is permitted to copy and distribute verbatim copies 10 | of this license document, but changing it is not allowed. 11 | 12 | Preamble 13 | 14 | The licenses for most software are designed to take away your 15 | freedom to share and change it. By contrast, the GNU General Public 16 | License is intended to guarantee your freedom to share and change free 17 | software--to make sure the software is free for all its users. This 18 | General Public License applies to most of the Free Software 19 | Foundation's software and to any other program whose authors commit to 20 | using it. 
(Some other Free Software Foundation software is covered by 21 | the GNU Lesser General Public License instead.) You can apply it to 22 | your programs, too. 23 | 24 | When we speak of free software, we are referring to freedom, not 25 | price. Our General Public Licenses are designed to make sure that you 26 | have the freedom to distribute copies of free software (and charge for 27 | this service if you wish), that you receive source code or can get it 28 | if you want it, that you can change the software or use pieces of it 29 | in new free programs; and that you know you can do these things. 30 | 31 | To protect your rights, we need to make restrictions that forbid 32 | anyone to deny you these rights or to ask you to surrender the rights. 33 | These restrictions translate to certain responsibilities for you if you 34 | distribute copies of the software, or if you modify it. 35 | 36 | For example, if you distribute copies of such a program, whether 37 | gratis or for a fee, you must give the recipients all the rights that 38 | you have. You must make sure that they, too, receive or can get the 39 | source code. And you must show them these terms so they know their 40 | rights. 41 | 42 | We protect your rights with two steps: (1) copyright the software, and 43 | (2) offer you this license which gives you legal permission to copy, 44 | distribute and/or modify the software. 45 | 46 | Also, for each author's protection and ours, we want to make certain 47 | that everyone understands that there is no warranty for this free 48 | software. If the software is modified by someone else and passed on, we 49 | want its recipients to know that what they have is not the original, so 50 | that any problems introduced by others will not reflect on the original 51 | authors' reputations. 52 | 53 | Finally, any free program is threatened constantly by software 54 | patents. 
We wish to avoid the danger that redistributors of a free 55 | program will individually obtain patent licenses, in effect making the 56 | program proprietary. To prevent this, we have made it clear that any 57 | patent must be licensed for everyone's free use or not licensed at all. 58 | 59 | The precise terms and conditions for copying, distribution and 60 | modification follow. 61 | 62 | GNU GENERAL PUBLIC LICENSE 63 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 64 | 65 | 0. This License applies to any program or other work which contains 66 | a notice placed by the copyright holder saying it may be distributed 67 | under the terms of this General Public License. The "Program", below, 68 | refers to any such program or work, and a "work based on the Program" 69 | means either the Program or any derivative work under copyright law: 70 | that is to say, a work containing the Program or a portion of it, 71 | either verbatim or with modifications and/or translated into another 72 | language. (Hereinafter, translation is included without limitation in 73 | the term "modification".) Each licensee is addressed as "you". 74 | 75 | Activities other than copying, distribution and modification are not 76 | covered by this License; they are outside its scope. The act of 77 | running the Program is not restricted, and the output from the Program 78 | is covered only if its contents constitute a work based on the 79 | Program (independent of having been made by running the Program). 80 | Whether that is true depends on what the Program does. 81 | 82 | 1. 
You may copy and distribute verbatim copies of the Program's 83 | source code as you receive it, in any medium, provided that you 84 | conspicuously and appropriately publish on each copy an appropriate 85 | copyright notice and disclaimer of warranty; keep intact all the 86 | notices that refer to this License and to the absence of any warranty; 87 | and give any other recipients of the Program a copy of this License 88 | along with the Program. 89 | 90 | You may charge a fee for the physical act of transferring a copy, and 91 | you may at your option offer warranty protection in exchange for a fee. 92 | 93 | 2. You may modify your copy or copies of the Program or any portion 94 | of it, thus forming a work based on the Program, and copy and 95 | distribute such modifications or work under the terms of Section 1 96 | above, provided that you also meet all of these conditions: 97 | 98 | a) You must cause the modified files to carry prominent notices 99 | stating that you changed the files and the date of any change. 100 | 101 | b) You must cause any work that you distribute or publish, that in 102 | whole or in part contains or is derived from the Program or any 103 | part thereof, to be licensed as a whole at no charge to all third 104 | parties under the terms of this License. 105 | 106 | c) If the modified program normally reads commands interactively 107 | when run, you must cause it, when started running for such 108 | interactive use in the most ordinary way, to print or display an 109 | announcement including an appropriate copyright notice and a 110 | notice that there is no warranty (or else, saying that you provide 111 | a warranty) and that users may redistribute the program under 112 | these conditions, and telling the user how to view a copy of this 113 | License. (Exception: if the Program itself is interactive but 114 | does not normally print such an announcement, your work based on 115 | the Program is not required to print an announcement.) 
116 | 117 | These requirements apply to the modified work as a whole. If 118 | identifiable sections of that work are not derived from the Program, 119 | and can be reasonably considered independent and separate works in 120 | themselves, then this License, and its terms, do not apply to those 121 | sections when you distribute them as separate works. But when you 122 | distribute the same sections as part of a whole which is a work based 123 | on the Program, the distribution of the whole must be on the terms of 124 | this License, whose permissions for other licensees extend to the 125 | entire whole, and thus to each and every part regardless of who wrote it. 126 | 127 | Thus, it is not the intent of this section to claim rights or contest 128 | your rights to work written entirely by you; rather, the intent is to 129 | exercise the right to control the distribution of derivative or 130 | collective works based on the Program. 131 | 132 | In addition, mere aggregation of another work not based on the Program 133 | with the Program (or with a work based on the Program) on a volume of 134 | a storage or distribution medium does not bring the other work under 135 | the scope of this License. 136 | 137 | 3. 
You may copy and distribute the Program (or a work based on it, 138 | under Section 2) in object code or executable form under the terms of 139 | Sections 1 and 2 above provided that you also do one of the following: 140 | 141 | a) Accompany it with the complete corresponding machine-readable 142 | source code, which must be distributed under the terms of Sections 143 | 1 and 2 above on a medium customarily used for software interchange; or, 144 | 145 | b) Accompany it with a written offer, valid for at least three 146 | years, to give any third party, for a charge no more than your 147 | cost of physically performing source distribution, a complete 148 | machine-readable copy of the corresponding source code, to be 149 | distributed under the terms of Sections 1 and 2 above on a medium 150 | customarily used for software interchange; or, 151 | 152 | c) Accompany it with the information you received as to the offer 153 | to distribute corresponding source code. (This alternative is 154 | allowed only for noncommercial distribution and only if you 155 | received the program in object code or executable form with such 156 | an offer, in accord with Subsection b above.) 157 | 158 | The source code for a work means the preferred form of the work for 159 | making modifications to it. For an executable work, complete source 160 | code means all the source code for all modules it contains, plus any 161 | associated interface definition files, plus the scripts used to 162 | control compilation and installation of the executable. However, as a 163 | special exception, the source code distributed need not include 164 | anything that is normally distributed (in either source or binary 165 | form) with the major components (compiler, kernel, and so on) of the 166 | operating system on which the executable runs, unless that component 167 | itself accompanies the executable. 
168 | 169 | If distribution of executable or object code is made by offering 170 | access to copy from a designated place, then offering equivalent 171 | access to copy the source code from the same place counts as 172 | distribution of the source code, even though third parties are not 173 | compelled to copy the source along with the object code. 174 | 175 | 4. You may not copy, modify, sublicense, or distribute the Program 176 | except as expressly provided under this License. Any attempt 177 | otherwise to copy, modify, sublicense or distribute the Program is 178 | void, and will automatically terminate your rights under this License. 179 | However, parties who have received copies, or rights, from you under 180 | this License will not have their licenses terminated so long as such 181 | parties remain in full compliance. 182 | 183 | 5. You are not required to accept this License, since you have not 184 | signed it. However, nothing else grants you permission to modify or 185 | distribute the Program or its derivative works. These actions are 186 | prohibited by law if you do not accept this License. Therefore, by 187 | modifying or distributing the Program (or any work based on the 188 | Program), you indicate your acceptance of this License to do so, and 189 | all its terms and conditions for copying, distributing or modifying 190 | the Program or works based on it. 191 | 192 | 6. Each time you redistribute the Program (or any work based on the 193 | Program), the recipient automatically receives a license from the 194 | original licensor to copy, distribute or modify the Program subject to 195 | these terms and conditions. You may not impose any further 196 | restrictions on the recipients' exercise of the rights granted herein. 197 | You are not responsible for enforcing compliance by third parties to 198 | this License. 199 | 200 | 7. 
If, as a consequence of a court judgment or allegation of patent 201 | infringement or for any other reason (not limited to patent issues), 202 | conditions are imposed on you (whether by court order, agreement or 203 | otherwise) that contradict the conditions of this License, they do not 204 | excuse you from the conditions of this License. If you cannot 205 | distribute so as to satisfy simultaneously your obligations under this 206 | License and any other pertinent obligations, then as a consequence you 207 | may not distribute the Program at all. For example, if a patent 208 | license would not permit royalty-free redistribution of the Program by 209 | all those who receive copies directly or indirectly through you, then 210 | the only way you could satisfy both it and this License would be to 211 | refrain entirely from distribution of the Program. 212 | 213 | If any portion of this section is held invalid or unenforceable under 214 | any particular circumstance, the balance of the section is intended to 215 | apply and the section as a whole is intended to apply in other 216 | circumstances. 217 | 218 | It is not the purpose of this section to induce you to infringe any 219 | patents or other property right claims or to contest validity of any 220 | such claims; this section has the sole purpose of protecting the 221 | integrity of the free software distribution system, which is 222 | implemented by public license practices. Many people have made 223 | generous contributions to the wide range of software distributed 224 | through that system in reliance on consistent application of that 225 | system; it is up to the author/donor to decide if he or she is willing 226 | to distribute software through any other system and a licensee cannot 227 | impose that choice. 228 | 229 | This section is intended to make thoroughly clear what is believed to 230 | be a consequence of the rest of this License. 231 | 232 | 8. 
If the distribution and/or use of the Program is restricted in 233 | certain countries either by patents or by copyrighted interfaces, the 234 | original copyright holder who places the Program under this License 235 | may add an explicit geographical distribution limitation excluding 236 | those countries, so that distribution is permitted only in or among 237 | countries not thus excluded. In such case, this License incorporates 238 | the limitation as if written in the body of this License. 239 | 240 | 9. The Free Software Foundation may publish revised and/or new versions 241 | of the General Public License from time to time. Such new versions will 242 | be similar in spirit to the present version, but may differ in detail to 243 | address new problems or concerns. 244 | 245 | Each version is given a distinguishing version number. If the Program 246 | specifies a version number of this License which applies to it and "any 247 | later version", you have the option of following the terms and conditions 248 | either of that version or of any later version published by the Free 249 | Software Foundation. If the Program does not specify a version number of 250 | this License, you may choose any version ever published by the Free Software 251 | Foundation. 252 | 253 | 10. If you wish to incorporate parts of the Program into other free 254 | programs whose distribution conditions are different, write to the author 255 | to ask for permission. For software which is copyrighted by the Free 256 | Software Foundation, write to the Free Software Foundation; we sometimes 257 | make exceptions for this. Our decision will be guided by the two goals 258 | of preserving the free status of all derivatives of our free software and 259 | of promoting the sharing and reuse of software generally. 260 | 261 | NO WARRANTY 262 | 263 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 264 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 265 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 266 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 267 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 268 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 269 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 270 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 271 | REPAIR OR CORRECTION. 272 | 273 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 274 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 275 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 276 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 277 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 278 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 279 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 280 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 281 | POSSIBILITY OF SUCH DAMAGES. 282 | 283 | END OF TERMS AND CONDITIONS 284 | 285 | How to Apply These Terms to Your New Programs 286 | 287 | If you develop a new program, and you want it to be of the greatest 288 | possible use to the public, the best way to achieve this is to make it 289 | free software which everyone can redistribute and change under these terms. 290 | 291 | To do so, attach the following notices to the program. It is safest 292 | to attach them to the start of each source file to most effectively 293 | convey the exclusion of warranty; and each file should have at least 294 | the "copyright" line and a pointer to where the full notice is found. 
295 | 296 | 297 | Copyright (C) 298 | 299 | This program is free software; you can redistribute it and/or modify 300 | it under the terms of the GNU General Public License as published by 301 | the Free Software Foundation; either version 2 of the License, or 302 | (at your option) any later version. 303 | 304 | This program is distributed in the hope that it will be useful, 305 | but WITHOUT ANY WARRANTY; without even the implied warranty of 306 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 307 | GNU General Public License for more details. 308 | 309 | You should have received a copy of the GNU General Public License along 310 | with this program; if not, write to the Free Software Foundation, Inc., 311 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 312 | 313 | Also add information on how to contact you by electronic and paper mail. 314 | 315 | If the program is interactive, make it output a short notice like this 316 | when it starts in an interactive mode: 317 | 318 | Gnomovision version 69, Copyright (C) year name of author 319 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 320 | This is free software, and you are welcome to redistribute it 321 | under certain conditions; type `show c' for details. 322 | 323 | The hypothetical commands `show w' and `show c' should show the appropriate 324 | parts of the General Public License. Of course, the commands you use may 325 | be called something other than `show w' and `show c'; they could even be 326 | mouse-clicks or menu items--whatever suits your program. 327 | 328 | You should also get your employer (if you work as a programmer) or your 329 | school, if any, to sign a "copyright disclaimer" for the program, if 330 | necessary. Here is a sample; alter the names: 331 | 332 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 333 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 

, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Linux Kernel Analysis

[![reuse compliant](https://img.shields.io/badge/reuse-compliant-green.svg)](https://git.fsfe.org/fsfe/reuse-web)
[![standard-readme compliant](https://img.shields.io/badge/readme%20style-standard-brightgreen.svg?style=flat-square)](https://github.com/RichardLitt/standard-readme)

> Collection of scripts to analyse the Linux kernel

## Install

See [Documentation/Setup.md](Documentation/Setup.md).

## Usage

See [Documentation/Usage.md](Documentation/Usage.md).

## Maintainers

[@Lukas Bulwahn](https://github.com/bulwahn).

## Contribute

Feel free to contribute whatever you think is useful. Just submit a pull
request to this repository.

To know what we are currently working on, have a look at our GitHub issue tracker.

## License

Documentation is licensed under [CC-BY-SA-4.0 License](LICENSES/CC-BY-SA-4.0.txt).
Code is licensed under [GPL-2.0 License](LICENSES/GPL-2.0.txt).
--------------------------------------------------------------------------------
/README.md.license:
--------------------------------------------------------------------------------
//
// Copyright (C) 2018 Lukas Bulwahn, BMW Car IT GmbH
//
// SPDX-License-Identifier: CC-BY-SA-4.0
//
--------------------------------------------------------------------------------
/docker/kernel-clang/Dockerfile:
--------------------------------------------------------------------------------
# Copyright (C) Lukas Bulwahn, BMW Car IT GmbH
# SPDX-License-Identifier: GPL-2.0
FROM debian:buster

LABEL maintainer="Lukas Bulwahn "

# Install tools needed for kernel build and clang compiler
RUN apt-get update && apt-get install --no-install-recommends -y \
    bc \
    bison \
    bsdmainutils \
    clang-7 \
    flex \
    libelf-dev \
    libssl-dev \
    make \
    git \
    build-essential \
    autoconf \
    automake \
    libxml2-dev \
    libgtk-3-dev \
    llvm-dev \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 10
RUN git clone https://git.kernel.org/pub/scm/devel/sparse/sparse.git /sparse
WORKDIR /sparse
RUN make && make install PREFIX=/usr
WORKDIR /
--------------------------------------------------------------------------------
/docker/kernel-coccinelle/Dockerfile:
--------------------------------------------------------------------------------
# Copyright (C) Lukas Bulwahn, BMW Car IT GmbH
# SPDX-License-Identifier: GPL-2.0
FROM debian:buster

LABEL maintainer="Lukas Bulwahn "

# Install tools needed for kernel build and gcc compiler
RUN apt-get update && apt-get install --no-install-recommends -y \
    bc \
    bison \
    bsdmainutils \
    gcc \
    make \
    git \
    build-essential \
    autoconf \
    automake \
    pkg-config \
    ocaml \
    ocaml-findlib \
    python3 \
    libpython3-dev \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 10
RUN git clone https://github.com/coccinelle/coccinelle.git /coccinelle
WORKDIR /coccinelle
RUN ./autogen && ./configure && make && make install
WORKDIR /
--------------------------------------------------------------------------------
/docker/kernel-gcc/Dockerfile:
--------------------------------------------------------------------------------
# Copyright (C) Lukas Bulwahn, BMW Car IT GmbH
# SPDX-License-Identifier: GPL-2.0
FROM debian:buster

LABEL maintainer="Lukas Bulwahn "

# Install tools needed for kernel build and gcc compiler
RUN apt-get update && apt-get install --no-install-recommends -y \
    bc \
    bison \
    bsdmainutils \
    gcc \
    flex \
    libelf-dev \
    libssl-dev \
    make \
    openssl \
    git \
    build-essential \
    autoconf \
    automake \
    libxml2-dev \
    libgtk-3-dev \
    llvm-dev \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 10
RUN git clone https://git.kernel.org/pub/scm/devel/sparse/sparse.git /sparse
WORKDIR /sparse
RUN make && make install PREFIX=/usr
WORKDIR /
--------------------------------------------------------------------------------
/infer/Documentation/Setup.md:
--------------------------------------------------------------------------------
1. Download the release of Infer packaged with pre-built binaries
   for clang and facebook-clang-plugins for Linux and MacOS.

https://github.com/facebook/infer/releases/tag/v0.13.1

2. Install the dependencies for Linux or MacOS

https://github.com/facebook/infer/blob/master/INSTALL.md#pre-compiled-versions

3.
Install from the source

```
tar xf infer-.tar.xz
cd infer-/
./build-infer.sh
make install
```

> I met some dependency problems in opam during building infer. In my case, it's about the camlzip.1.07 and sqlite3.4.3.2. Use the following commands to solve the problems.

```
opam depext sqlite3.4.3.2
opam depext camlzip.1.07
```

4. After running `make install`, you can use Infer from your terminal; the most frequently used commands look like:

```
infer run -- make
infer run -- clang -c example.c
```

According to the Infer documentation, `infer run` combines two independent commands, `infer capture` and `infer analyze`, so you can also run those two commands separately.

5. Add models in `infer/models/c/src/`, e.g. in `infer/models/c/src/kapis.c`, by adding:

```c
#include "infer_builtins.h"
#include <stdlib.h>

/* Model of kmalloc(): a zero-size request yields NULL, otherwise allocate
 * like malloc(); the allocation-failure path is pruned so Infer does not
 * follow it. */
void* kmalloc(size_t size, unsigned flags) {
  if (size == 0)
    return NULL;
  void* res = malloc(size);
  INFER_EXCLUDE_CONDITION(!res);
  return res;
}

/* Model of kfree(): release the memory like free(). */
void kfree(void* ptr) { free(ptr); }
```

To install the new model into your Infer lib, recompile and reinstall Infer:

```
$ make clean
$ make
# make uninstall
# make install
```

6. To run Infer on Linux kernel code, several directories need to be skipped. In the root directory of the Linux kernel tree, add a new file named `.inferconfig`. For stable v4.15, skip these directories: "arch/x86", "arch", "mm", "drivers/acpi", "fs", "kernel/bpf", "net/mac80211".
In my case, the file looks like:

```
{
  "skip-analysis-in-path": [
    "home/evan/Repository/linux/stable/linux-stable/arch/x86",
    "home/evan/Repository/linux/stable/linux-stable/arch",
    "home/evan/Repository/linux/stable/linux-stable/mm",
    "home/evan/Repository/linux/stable/linux-stable/drivers/acpi",
    "home/evan/Repository/linux/stable/linux-stable/fs",
    "home/evan/Repository/linux/stable/linux-stable/kernel/bpf",
    "home/evan/Repository/linux/stable/linux-stable/net/mac80211"
  ]
}
```

Running `infer run -- make -jn` (with `n` the number of parallel make jobs) starts the analysis.
--------------------------------------------------------------------------------
/infer/Reports/images/blk_rq_unmap_user.ver1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bulwahn/linux-kernel-analysis/dd68de66139c3fde0be3ae02597c77907cba086d/infer/Reports/images/blk_rq_unmap_user.ver1.png
--------------------------------------------------------------------------------
/infer/Reports/report-on-memory-leak-0002.md:
--------------------------------------------------------------------------------
## Summary
There are 2 MEMORY_LEAK errors reported by both the raw and the version 1.1 Infer analysis; they are described below.

## Error Location
```c
// In file tools/lib/subcmd/sigchain.c
21 static int sigchain_push(int sig, sigchain_fun f)
22 {
23   struct sigchain_signal *s = signals + sig;
24   check_signum(sig);
25

tools/lib/subcmd/sigchain.c:30: error: MEMORY_LEAK
  memory dynamically allocated by call to `xrealloc()` at line 26, column 2 is not reachable after line 30, column 2.

26   ALLOC_GROW(s->old, s->n + 1, s->alloc);
27   s->old[s->n] = signal(sig, f);
28 > if (s->old[s->n] == SIG_ERR)
29     return -1;

tools/lib/subcmd/sigchain.c:29: error: MEMORY_LEAK
  memory dynamically allocated to `return` by call to `xrealloc()` at line 26, column 2 is not reachable after line 29, column 3.

30   s->n++;
31   return 0;
32 }
```


## Analysis
Within this function, the variable `signals` is a global static array of `struct sigchain_signal`:

`static struct sigchain_signal signals[SIGCHAIN_MAX_SIGNALS];`

The pointer `s` points to one slot of `signals`, and the macro `ALLOC_GROW`, which calls `xrealloc`, resizes the `s->old` array of that slot:
```c
#define ALLOC_GROW(x, nr, alloc) \
  do { \
    if ((nr) > alloc) { \
      if (alloc_nr(alloc) < (nr)) \
        alloc = (nr); \
      else \
        alloc = alloc_nr(alloc); \
      x = xrealloc((x), alloc * sizeof(*(x))); \
    } \
  } while(0)
```

Then it assigns the result of `signal(sig, f)` to `s->old[s->n]` and decides whether to return or continue. To sum up, the function manipulates the global `signals` array through the pointer `s`; the reallocated buffer stays reachable through that global, so there is no memory leak.

## Conclusion
User space tool, False Positive
--------------------------------------------------------------------------------
/infer/Reports/report-on-memory-leak-0003.md:
--------------------------------------------------------------------------------
## Summary
This MEMORY_LEAK error is only reported by the version 1.1 Infer analysis.

## Error Location
```c
// In file scripts/basic/fixdep.c
269 static void do_config_file(const char *filename)
270 {
271   struct stat st;
272   int fd;
273   char *map;
274
275   fd = open(filename, O_RDONLY);
276   if (fd < 0) {
277     fprintf(stderr, "fixdep: error opening config file: ");
278     perror(filename);
279     exit(2);
280   }
281   if (fstat(fd, &st) < 0) {
282     fprintf(stderr, "fixdep: error fstat'ing config file: ");
283     perror(filename);
284     exit(2);
285   }
286   if (st.st_size == 0) {
287     close(fd);
288     return;
289   }

scripts/basic/fixdep.c:297: error: MEMORY_LEAK
  memory dynamically allocated by call to `malloc()` at line 290, column 8 is not reachable after line 297, column 3.

290   map = malloc(st.st_size + 1);
291   if (!map) {
292     perror("fixdep: malloc");
293     close(fd);
294     return;
295   }
296   if (read(fd, map, st.st_size) != st.st_size) {
297 >   perror("fixdep: read");
298     close(fd);
299     return;
300   }
301   map[st.st_size] = '\0';
302   close(fd);
303
304   parse_config_file(map);
305
306   free(map);
307 }
```


## Analysis
The function opens the config file and tries to read its content into
memory allocated by `malloc`. If the allocation fails, or the number of bytes
returned by `read` does not equal the file size, it prints an error message
and gives up.

`296   if (read(fd, map, st.st_size) != st.st_size) {`

In line 297, it returns without freeing `map`; that is why Infer raises
the warning. It is not serious: adding the one extra line

`free(map);`

at line 298 fixes the leak and silences this report.

## Conclusion
User space tool, Low Severity
--------------------------------------------------------------------------------
/infer/Reports/report-on-resource-leak-0001.md:
--------------------------------------------------------------------------------
## Summary
There are 7 RESOURCE_LEAK errors in one file within one function.
They are detected by both the raw and the version 1.1 Infer analysis.

## Error Location
```c
// In file tools/objtool/orc_dump.c.
74 int orc_dump(const char *_objname)
75 {
// ....

94   fd = open(objname, O_RDONLY);
95   if (fd == -1) {
96     perror("open");
97     return -1;
98   }
99
100  elf = elf_begin(fd, ELF_C_READ_MMAP, NULL);
101  if (!elf) {

tools/objtool/orc_dump.c:102: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 102, column 3.

102 >  WARN_ELF("elf_begin");
103    return -1;
104  }
105

tools/objtool/orc_dump.c:107: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 107, column 3.

106  if (elf_getshdrnum(elf, &nr_sections)) {
107 >  WARN_ELF("elf_getshdrnum");
108    return -1;
109  }
110

tools/objtool/orc_dump.c:112: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 112, column 3.

111  if (elf_getshdrstrndx(elf, &shstrtab_idx)) {
112 >  WARN_ELF("elf_getshdrstrndx");
113    return -1;
114  }
115

tools/objtool/orc_dump.c:119: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 119, column 4.

116  for (i = 0; i < nr_sections; i++) {
117    scn = elf_getscn(elf, i);
118    if (!scn) {
119 >    WARN_ELF("elf_getscn");
120      return -1;
121    }
122

tools/objtool/orc_dump.c:124: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 124, column 4.

123    if (!gelf_getshdr(scn, &sh)) {
124 >    WARN_ELF("gelf_getshdr");
125      return -1;
126    }
127

tools/objtool/orc_dump.c:130: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 130, column 4.

128    name = elf_strptr(elf, shstrtab_idx, sh.sh_name);
129    if (!name) {
130 >    WARN_ELF("elf_strptr");
131      return -1;
132    }
133

tools/objtool/orc_dump.c:136: error: RESOURCE_LEAK
  resource acquired by call to `open()` at line 94, column 7 is not released after line 136, column 4.

134    data = elf_getdata(scn, NULL);
135    if (!data) {
136 >    WARN_ELF("elf_getdata");
137      return -1;
138    }
139

```


## Analysis

It returns without closing `fd`, so I think it is a kind of resource leak,
but it is a user-space tool that is invoked by `cmd_orc()` as a terminal program and returns -1 on failure.
The leak is soon resolved by the OS reclaiming the resource.

## Conclusion
User space tool, Low Severity
--------------------------------------------------------------------------------
/infer/Reports/report-on-use-after-free-0004.md:
--------------------------------------------------------------------------------
## Summary
This USE_AFTER_FREE error is only reported by the version 1.1 Infer analysis.

## Error Location
```c
// In file kernel/kthread.c
197 static int kthread(void *_create)
198 {
199   /* Copy data: it's on kthread's stack */
200   struct kthread_create_info *create = _create;
201   int (*threadfn)(void *data) = create->threadfn;
202   void *data = create->data;
203   struct completion *done;
204   struct kthread *self;
205   int ret;
206
207   self = kzalloc(sizeof(*self), GFP_KERNEL);
208   set_kthread_struct(self);
209

kernel/kthread.c:218: error: USE_AFTER_FREE
  pointer `create` last assigned on line 200 was freed by call to `kfree()` at line 213,
  column 3 and is dereferenced or freed at line 218, column 3.

210   /* If user was SIGKILLed, I release the structure. */
211   done = xchg(&create->done, NULL);
212   if (!done) {
213 >   kfree(create);
214     do_exit(-EINTR);
215   }
216
217   if (!self) {
218     create->result = ERR_PTR(-ENOMEM);
219     complete(done);
220     do_exit(-ENOMEM);
221   }
222
223   self->data = data;
224   init_completion(&self->exited);
225   init_completion(&self->parked);
226   current->vfork_done = &self->exited;
227

```


## Analysis
In line 211, if the variable `done` is NULL, the function frees `create` and exits through `do_exit()`, which never returns. Otherwise, execution continues to line 217 to test `!self`, where `create` is still valid. So there is no USE_AFTER_FREE error; Infer reports one only because it does not know that `do_exit()` never returns.
To solve this false alert, we can simply model `do_exit()` as `exit()`.

## Conclusion
Kernel code, False Positive. Should add a new model for `do_exit()`.

## Reference
https://lwn.net/Articles/65178/

https://stackoverflow.com/questions/10177641/proper-way-of-handling-threads-in-kernel
--------------------------------------------------------------------------------
/infer/Reports/report-on-use-after-free-0005.md:
--------------------------------------------------------------------------------
## Summary
This USE_AFTER_FREE error is only reported by the version 1.1 Infer analysis.

## Error Location
```c
// In file drivers/iommu/dmar.c
776 int __init dmar_dev_scope_init(void)
777 {
778   struct pci_dev *dev = NULL;
779   struct dmar_pci_notify_info *info;
780
781   if (dmar_dev_scope_status != 1)
782     return dmar_dev_scope_status;
783
784   if (list_empty(&dmar_drhd_units)) {
785     dmar_dev_scope_status = -ENODEV;
786   } else {
787     dmar_dev_scope_status = 0;
788
789     dmar_acpi_dev_scope_init();
790
791     for_each_pci_dev(dev) {
792       if (dev->is_virtfn)
793         continue;
794

drivers/iommu/dmar.c:801: error: USE_AFTER_FREE
  pointer `info` last assigned on line 795 was freed by call to `dmar_free_pci_notify_info()` at line 801, column 5 and is dereferenced
  or freed at line 801, column 5.

795       info = dmar_alloc_pci_notify_info(dev,
796                                         BUS_NOTIFY_ADD_DEVICE);
797       if (!info) {
798         return dmar_dev_scope_status;
799       } else {
800         dmar_pci_bus_add_dev(info);
801 >       dmar_free_pci_notify_info(info);
802       }
803     }
804   }
805
806   return dmar_dev_scope_status;
807 }
```


## Analysis
In this function, the variable `info` is assigned the return value of `dmar_alloc_pci_notify_info()`, which is then checked for NULL.

The error message is also self-contradictory: it says `info` was freed by the call to `dmar_free_pci_notify_info()` at line 801, column 5 and that it is dereferenced or freed at the same line 801, column 5.

```c
static inline void dmar_free_pci_notify_info(struct dmar_pci_notify_info *info)
{
  if ((void *)info != dmar_pci_notify_info_buf)
    kfree(info);
}
```

## Conclusion
Kernel code, False Positive.
--------------------------------------------------------------------------------
/infer/Reports/report-on-use-after-free-0006.md:
--------------------------------------------------------------------------------
## Summary
This USE_AFTER_FREE error is only reported by the version 1.1 Infer analysis.

## Error Location
```c
// In file block/blk-map.c
179 int blk_rq_unmap_user(struct bio *bio)
180 {
181   struct bio *mapped_bio;
182   int ret = 0, ret2;
183
184   while (bio) {
185     mapped_bio = bio;
186     if (unlikely(bio_flagged(bio, BIO_BOUNCED)))
187       mapped_bio = bio->bi_private;
188

block/blk-map.c:194: error: USE_AFTER_FREE
  pointer `bio` was freed by call to `__blk_rq_unmap_user()` at line 189,
  column 10 and is dereferenced or freed at line 194, column 9.

189     ret2 = __blk_rq_unmap_user(mapped_bio);
190     if (ret2 && !ret)
191       ret = ret2;
192
193     mapped_bio = bio;
194 >   bio = bio->bi_next;
195     bio_put(mapped_bio);
196   }
197
198   return ret;
199 }
```


## Analysis
This one is in a complex situation: the function `__blk_rq_unmap_user()` calls
`bio_put`, which calls `bio_free` to release the bio structure.

But each `bio_put` tests the bio reference counter `bio->__bi_cnt` to make sure nobody else still uses the bio before releasing it. According to the invocation path, there are two to three `bio_put` invocations.

```c
/**
 * bio_put - release a reference to a bio
 * @bio:   bio to release reference to
 *
 * Description:
 *   Put a reference to a &struct bio, either one you have gotten with
 *   bio_alloc, bio_get or bio_clone_*. The last put of a bio will free it.
 **/
void bio_put(struct bio *bio)
{
  if (!bio_flagged(bio, BIO_REFFED))
    bio_free(bio);
  else {
    BIO_BUG_ON(!atomic_read(&bio->__bi_cnt));

    /*
     * last put frees it
     */
    if (atomic_dec_and_test(&bio->__bi_cnt))
      bio_free(bio);
  }
}
```

The corresponding function `bio_get` atomically increments the bio
reference counter.

```c
/*
 * get a reference to a bio, so it won't disappear. the intended use is
 * something like:
 *
 *  bio_get(bio);
 *  submit_bio(rw, bio);
 *  if (bio->bi_flags ...)
 *    do_something
 *  bio_put(bio);
 *
 * without the bio_get(), it could potentially complete I/O before submit_bio
 * returns. and then bio would be freed memory when if (bio->bi_flags ...)
 * runs
 */
static inline void bio_get(struct bio *bio)
{
  bio->bi_flags |= (1 << BIO_REFFED);
  smp_mb__before_atomic();
  atomic_inc(&bio->__bi_cnt);
}
```

When a `bio` is created, the reference counter `bio->__bi_cnt` is initialized to `1`. As depicted in the diagram, `bio_unmap_user` calls `bio_put` 3 times, and `bio_uncopy_user` calls it 2 times.

The corresponding `bio_map_user` makes 2 extra `bio_get` calls, and `bio_copy_user` makes 1 extra call.

Taking the initial value into account, the gets and puts match each other, so `__blk_rq_unmap_user()` only drops a reference and does not free the bio that line 194 still dereferences.

![](images/blk_rq_unmap_user.ver1.png)

## Conclusion
Kernel code, False Positive.


--------------------------------------------------------------------------------
/infer/models/kapis.c:
--------------------------------------------------------------------------------
#include "infer_builtins.h"

#include <stdlib.h>

/* Model of kmalloc(): a zero-size request yields NULL, otherwise allocate
 * like malloc(); the allocation-failure path is pruned so Infer does not
 * follow it. */
void* kmalloc(size_t size, unsigned flags) {
  if (size == 0)
    return NULL;
  void* res = malloc(size);
  INFER_EXCLUDE_CONDITION(!res);
  return res;
}

/* Model of kfree(): release the memory like free(). */
void kfree(void* ptr) { free(ptr); }
--------------------------------------------------------------------------------
/infer/scripts/README.md:
--------------------------------------------------------------------------------
Basic scripts to run certain tasks
--------------------------------------------------------------------------------
/scripts/build-docker.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (C) Lukas Bulwahn, BMW Car IT GmbH
# SPDX-License-Identifier: GPL-2.0
#
# Builds the Docker images that we need to compile the kernel source
#

SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

echo 'Building the Docker image "kernel-gcc"'
cd "$SCRIPT_DIR/../docker/kernel-gcc"
docker build -t kernel-gcc .

echo 'Building the Docker image "kernel-clang"'
cd "$SCRIPT_DIR/../docker/kernel-clang"
docker build -t kernel-clang .

echo 'Building the Docker image "kernel-coccinelle"'
cd "$SCRIPT_DIR/../docker/kernel-coccinelle"
docker build -t kernel-coccinelle .
--------------------------------------------------------------------------------
/scripts/compile-kernel.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (C) Lukas Bulwahn, BMW Car IT GmbH
# SPDX-License-Identifier: GPL-2.0
#
# Compiles different branches of the kernel in a Docker container
# with a given standard kernel configuration and compiler
#

# Provide minimal help

usage() {
  echo "Usage:"
  echo "  ./compile-kernel.sh "
  echo
  echo "   = torvalds | stable | next"
  echo "   = allnoconfig | allmodconfig | allyesconfig | defconfig | randconfig"
  echo "   = gcc | clang | coccinelle"
  echo "   = sparse (optional)"
}

# Provide help if requested

if [[ "$1" == "-h" || "$1" == "--help" ]]; then
  usage
  exit 0
fi

# Check if KERNEL_SRC_BASE is set and directory exists

if [ -z "$KERNEL_SRC_BASE" ]; then
  echo "Error: KERNEL_SRC_BASE is not set"
  echo "Set the env variable KERNEL_SRC_BASE (see also: Documentation/Setup.md)"
  exit 1
fi

if [ ! -d "$KERNEL_SRC_BASE" ]; then
  echo "Error: KERNEL_SRC_BASE does not point to an existing directory"
  echo "Check the env variable KERNEL_SRC_BASE"
  exit 1
fi

# Check if script is called with three arguments

if [ "$#" -lt 3 ]; then
  echo "Error: Wrong number of arguments"
  echo "Script must be called with at least three arguments"
  usage
  exit 1
fi

# Check first argument and set KERNEL_SRC_DIR

case "$1" in
  torvalds)
    KERNEL_SRC_DIR_EXTENSION=torvalds/linux
    ;;
  stable)
    KERNEL_SRC_DIR_EXTENSION=stable/linux-stable
    ;;
  next)
    KERNEL_SRC_DIR_EXTENSION=next/linux-next
    ;;
  *)
    echo "Error: Invalid repository: $1"
    echo 'The repository must be either "torvalds", "stable" or "next"'
    exit 1
    ;;
esac
KERNEL_SRC_DIR=$KERNEL_SRC_BASE/$KERNEL_SRC_DIR_EXTENSION

# Check second argument and set KERNEL_CONFIG

case "$2" in
  allnoconfig | allmodconfig | allyesconfig | defconfig | randconfig)
    KERNEL_CONFIG=$2
    ;;
  *)
    echo "Error: Invalid kernel config: $2"
    echo 'The kernel config must be either "allnoconfig", "allmodconfig", "allyesconfig", "defconfig" or "randconfig"'
    exit 1
    ;;
esac

# Check third argument and set COMPILER

case "$3" in
  gcc | clang | coccinelle )
    COMPILER=$3
    ;;
  *)
    echo "Error: Invalid compiler: $3"
    echo 'The compiler must be either "gcc" or "clang", "coccinelle"'
    exit 1
    ;;
esac

case "$4" in
  sparse )
    CHECKER='C=2 CHECK="sparse"'
    ;;
esac

# Start docker container and run build command

USER_ID=$(id -u)
GROUP_ID=$(id -g)
USER_NAME=$(whoami)
GROUP_NAME=$(id -g -n $USER_NAME)

case "$COMPILER" in
  gcc)
    docker run \
      --rm \
      -v "$KERNEL_SRC_DIR:/linux/" \
      kernel-gcc \
      /bin/sh -c "cd linux && \
        groupadd --gid $GROUP_ID $GROUP_NAME && \
        adduser --quiet --uid $USER_ID --gid $GROUP_ID --disabled-password --no-create-home --gecos '' $USER_NAME && \
        su -p $USER_NAME -c 'make clean && make $KERNEL_CONFIG && make -j$(nproc) $CHECKER'"
    ;;
  clang)
    docker run \
      --rm \
      -v "$KERNEL_SRC_DIR:/linux/" \
      kernel-clang \
      /bin/sh -c "cd linux && \
        groupadd --gid $GROUP_ID $GROUP_NAME && \
        adduser --quiet --uid $USER_ID --gid $GROUP_ID --disabled-password --no-create-home --gecos '' $USER_NAME && \
        su -p $USER_NAME -c 'make CC=clang-7 clean && make HOSTCC=clang-7 CC=clang-7 $KERNEL_CONFIG && \
        make -j$(nproc) HOSTCC=clang-7 CC=clang-7 $CHECKER'"
    ;;
  coccinelle)
    docker run \
      --rm \
      -v "$KERNEL_SRC_DIR:/linux/" \
      kernel-coccinelle \
      /bin/sh -c "cd linux && \
        groupadd --gid $GROUP_ID $GROUP_NAME && \
        adduser --quiet --uid $USER_ID --gid $GROUP_ID --disabled-password --no-create-home --gecos '' $USER_NAME && \
        su -p $USER_NAME -c 'make clean && rm -f all.err && \
        make coccicheck MODE=report DEBUG_FILE=all.err V=1'"
    ;;
esac
--------------------------------------------------------------------------------