Add CodeQL check to detect cause of issue openzfs#12014

Signed-off-by: Richard Yao <[email protected]>

Author: ryao

.github/codeql-cpp.yml

@@ -2,3 +2,4 @@ name: "Custom CodeQL Analysis"
 
 queries:
   - uses: ./.github/codeql/custom-queries/cpp/deprecatedFunctionUsage.ql
+  - uses: ./.github/codeql/custom-queries/cpp/dsl_dataset_hold_rele_mismatch.ql

.github/codeql/custom-queries/cpp/dsl_dataset_hold_rele_mismatch.ql

@@ -0,0 +1,81 @@
+/**
+ * @name Detect mismatched dsl_dataset_hold/_rele pairs
+ * @description Flags instances of issue #12014 where
+ *   - a dataset held with dsl_dataset_hold_obj() ends up in dsl_dataset_rele_flags(), or
+ *   - a dataset held with dsl_dataset_hold_obj_flags() ends up in dsl_dataset_rele(). 
+ * @kind path-problem
+ * @severity error
+ * @tags correctness
+ * @id cpp/dsl_dataset_hold_rele_mismatch
+ */
+
+import cpp
+import dataflow
+
+/**
+ * Taint any `&X` passed to dsl_dataset_hold_obj(..., &X)
+ * and look for it in dsl_dataset_rele_flags(X, ...).
+ */
+class HoldObjToReleFlagsConfig extends DataFlow::Configuration {
+  HoldObjToReleFlagsConfig() { this = "HoldObjToReleFlags" }
+
+  override predicate isSource(Node n) {
+    exists(FunctionCall hold, AddressOfExpr ao, DeclRefExpr dre |
+      hold.getTarget().getName() = "dsl_dataset_hold_obj" and
+      // the 4th argument is “&X”
+      ao = hold.getArgument(3).(AddressOfExpr) and
+      // its operand is the decl-ref of X
+      dre = ao.getOperand().(DeclRefExpr) and
+      n.getNode() = dre
+    )
+  }
+
+  override predicate isSink(Node n) {
+    exists(FunctionCall rele, DeclRefExpr dre |
+      rele.getTarget().getName() = "dsl_dataset_rele_flags" and
+      // the 1st argument is X
+      dre = rele.getArgument(0).(DeclRefExpr) and
+      n.getNode() = dre
+    )
+  }
+}
+
+/**
+ * Taint any `&X` passed to dsl_dataset_hold_obj_flags(..., &X)
+ * and look for it in dsl_dataset_rele(X, ...).
+ */
+class HoldObjFlagsToReleConfig extends DataFlow::Configuration {
+  HoldObjFlagsToReleConfig() { this = "HoldObjFlagsToRele" }
+
+  override predicate isSource(Node n) {
+    exists(FunctionCall hold, AddressOfExpr ao, DeclRefExpr dre |
+      hold.getTarget().getName() = "dsl_dataset_hold_obj_flags" and
+      // the 5th argument is “&X”
+      ao = hold.getArgument(4).(AddressOfExpr) and
+      dre = ao.getOperand().(DeclRefExpr) and
+      n.getNode() = dre
+    )
+  }
+
+  override predicate isSink(Node n) {
+    exists(FunctionCall rele, DeclRefExpr dre |
+      rele.getTarget().getName() = "dsl_dataset_rele" and
+      dre = rele.getArgument(0).(DeclRefExpr) and
+      n.getNode() = dre
+    )
+  }
+}
+
+// Single select covers both mismatch kinds, so no “multiple select” error.
+from DataFlow::PathNode src, DataFlow::PathNode snk, DataFlow::Configuration cfg
+where
+  // either hold_obj → rele_flags or hold_obj_flags → rele
+  (cfg instanceof HoldObjToReleFlagsConfig or cfg instanceof HoldObjFlagsToReleConfig) and
+  cfg.hasPath(src, snk)
+select
+  snk.getNode(),
+  if(
+    cfg instanceof HoldObjToReleFlagsConfig,
+    "Pointer held by dsl_dataset_hold_obj() is flowing into dsl_dataset_rele_flags() — you should pair `hold_obj()` with `rele()`, not `rele_flags()`.",
+    "Pointer held by dsl_dataset_hold_obj_flags() is flowing into dsl_dataset_rele() — you should pair `hold_obj_flags()` with `rele_flags()`, not `rele()`."
+  )