[patch V3 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script

Fri Oct 17 21:51:31 AEDT 2025

On Fri, 17 Oct 2025, Thomas Gleixner wrote:

> A common mistake in user access code is that the wrong access mode is
> selected for starting the user access section. As most architectures map
> Read and Write modes to ReadWrite this goes often unnoticed for quite some
> time.
>
> Aside of that the scoped user access mechanism requires that the same
> pointer is used for the actual accessor macros that was handed in to start
> the scope because the pointer can be modified by the scope begin mechanism
> if the architecture supports masking.
>
> Add a basic (and incomplete) coccinelle script to check for the common
> issues. The error output is:
>
> kernel/futex/futex.h:303:2-17: ERROR: Invalid pointer for unsafe_put_user(p) in scoped_masked_user_write_access(to)
> kernel/futex/futex.h:292:2-17: ERROR: Invalid access mode unsafe_get_user() in scoped_masked_user_write_access()
>
> Not-Yet-Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
> Cc: Julia Lawall <Julia.Lawall at inria.fr>
> Cc: Nicolas Palix <nicolas.palix at imag.fr>
> ---
>  scripts/coccinelle/misc/scoped_uaccess.cocci |  108 +++++++++++++++++++++++++++
>  1 file changed, 108 insertions(+)
>
> --- /dev/null
> +++ b/scripts/coccinelle/misc/scoped_uaccess.cocci
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/// Validate scoped_masked_user*access() scopes
> +///
> +// Confidence: Zero
> +// Options: --no-includes --include-headers
> +
> +virtual context
> +virtual report
> +virtual org
> +
> + at initialize:python@
> +@@
> +
> +scopemap = {
> +  'scoped_masked_user_read_access_size'  : 'scoped_masked_user_read_access',
> +  'scoped_masked_user_write_access_size' : 'scoped_masked_user_write_access',
> +  'scoped_masked_user_rw_access_size'    : 'scoped_masked_user_rw_access',
> +}
> +
> +# Most common accessors. Incomplete list
> +noaccessmap = {
> +  'scoped_masked_user_read_access'       : ('unsafe_put_user', 'unsafe_copy_to_user'),
> +  'scoped_masked_user_write_access'      : ('unsafe_get_user', 'unsafe_copy_from_user'),
> +}
> +
> +# Most common accessors. Incomplete list
> +ptrmap = {
> +  'unsafe_put_user'			 : 1,
> +  'unsafe_get_user'			 : 1,
> +  'unsafe_copy_to_user'		 	 : 0,
> +  'unsafe_copy_from_user'		 : 0,
> +}
> +
> +print_mode = None
> +
> +def pr_err(pos, msg):
> +   if print_mode == 'R':
> +      coccilib.report.print_report(pos[0], msg)
> +   elif print_mode == 'O':
> +      cocci.print_main(msg, pos)
> +
> + at r0 depends on report || org@
> +iterator name scoped_masked_user_read_access,
> +	      scoped_masked_user_read_access_size,
> +	      scoped_masked_user_write_access,
> +	      scoped_masked_user_write_access_size,
> +	      scoped_masked_user_rw_access,
> +	      scoped_masked_user_rw_access_size;
> +iterator scope;
> +statement S;
> +@@
> +
> +(
> +(
> +scoped_masked_user_read_access(...) S
> +|
> +scoped_masked_user_read_access_size(...) S
> +|
> +scoped_masked_user_write_access(...) S
> +|
> +scoped_masked_user_write_access_size(...) S
> +|
> +scoped_masked_user_rw_access(...) S
> +|
> +scoped_masked_user_rw_access_size(...) S
> +)
> +&
> +scope(...) S
> +)
> +
> + at script:python depends on r0 && report@
> +@@
> +print_mode = 'R'
> +
> + at script:python depends on r0 && org@
> +@@
> +print_mode = 'O'
> +
> + at r1@
> +expression sp, a0, a1;
> +iterator r0.scope;
> +identifier ac;
> +position p;
> +@@
> +
> +  scope(sp,...) {
> +    <+...
> +    ac at p(a0, a1, ...);
> +    ...+>
> +  }

This will be more efficient and equally useful with <... ...>
Using + requires that there is at least one match, which has a cost.

julia

> +
> + at script:python@
> +pos << r1.p;
> +scope << r0.scope;
> +ac << r1.ac;
> +sp << r1.sp;
> +a0 << r1.a0;
> +a1 << r1.a1;
> +@@
> +
> +scope = scopemap.get(scope, scope)
> +if ac in noaccessmap.get(scope, []):
> +   pr_err(pos, 'ERROR: Invalid access mode %s() in %s()' %(ac, scope))
> +
> +if ac in ptrmap:
> +   ap = (a0, a1)[ptrmap[ac]]
> +   if sp != ap.lstrip('&').split('->')[0].strip():
> +      pr_err(pos, 'ERROR: Invalid pointer for %s(%s) in %s(%s)' %(ac, ap, scope, sp))
>
>