0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /// Find uses of standard freeing functions on values allocated using devm_
0003 /// functions. Values allocated using the devm_ functions are freed when
0004 /// the device is detached, and thus the use of the standard freeing
0005 /// function would cause a double free.
0006 /// See Documentation/driver-api/driver-model/devres.rst for more information.
0007 ///
0008 /// A difficulty of detecting this problem is that the standard freeing
0009 /// function might be called from a different function than the one
0010 /// containing the allocation function. It is thus necessary to make the
0011 /// connection between the allocation function and the freeing function.
0012 /// Here this is done using the specific argument text, which is prone to
0013 /// false positives. There is no rule for the request_region and
0014 /// request_mem_region variants because this heuristic seems to be a bit
0015 /// less reliable in these cases.
0016 ///
0017 // Confidence: Moderate
0018 // Copyright: (C) 2011 Julia Lawall, INRIA/LIP6.
0019 // Copyright: (C) 2011 Gilles Muller, INRIA/LiP6.
0020 // URL: https://coccinelle.gitlabpages.inria.fr/website
0021 // Comments:
0022 // Options: --no-includes --include-headers
0023
// Output modes that can be selected when the script is run. No "patch" mode
// is declared: this script only flags suspect calls and never rewrites code.
0024 virtual org
0025 virtual report
0026 virtual context
0027
// Rule r: bind x to any expression that is assigned the result of one of the
// listed devm_ (device-managed) allocators. No position is recorded here, so
// the later rules connect an allocation to a release call only through the
// text of x; that is the source of the false positives mentioned in the
// file header.
// NOTE(review): devm_request_irq() appears to return a status code rather
// than a resource handle, so that branch probably binds x to an error
// variable - confirm before relying on IRQ coverage.
0028 @r depends on context || org || report@
0029 expression x;
0030 @@
0031
0032 (
0033 x = devm_kmalloc(...)
0034 |
0035 x = devm_kvasprintf(...)
0036 |
0037 x = devm_kasprintf(...)
0038 |
0039 x = devm_kzalloc(...)
0040 |
0041 x = devm_kmalloc_array(...)
0042 |
0043 x = devm_kcalloc(...)
0044 |
0045 x = devm_kstrdup(...)
0046 |
0047 x = devm_kmemdup(...)
0048 |
0049 x = devm_get_free_pages(...)
0050 |
0051 x = devm_request_irq(...)
0052 |
0053 x = devm_ioremap(...)
0054 |
0055 x = devm_ioport_map(...)
0056 )
0057
// Rule safe: collect the positions p of release calls that are reached from
// a plain (non-devm_) allocation into the same expression x. "exists" makes a
// single such control-flow path sufficient. Rule pb excludes these positions
// from the report, because releasing an unmanaged allocation is legitimate.
// NOTE(review): the exclusion is per call site. A release call that can be
// reached from both a plain and a devm_ allocation of x is therefore
// suppressed, which is a possible missed double free - review such functions
// by hand.
// NOTE(review): the kernel page allocator is normally spelled
// __get_free_pages(); confirm that the get_free_pages branch matches anything.
0058 @safe depends on context || org || report exists@
0059 expression x;
0060 position p;
0061 @@
0062
0063 (
0064 x = kmalloc(...)
0065 |
0066 x = kvasprintf(...)
0067 |
0068 x = kasprintf(...)
0069 |
0070 x = kzalloc(...)
0071 |
0072 x = kmalloc_array(...)
0073 |
0074 x = kcalloc(...)
0075 |
0076 x = kstrdup(...)
0077 |
0078 x = kmemdup(...)
0079 |
0080 x = get_free_pages(...)
0081 |
0082 x = request_irq(...)
0083 |
0084 x = ioremap(...)
0085 |
0086 x = ioport_map(...)
0087 )
0088 ...
0089 (
0090 kfree@p(x)
0091 |
0092 kfree_sensitive@p(x)
0093 |
0094 krealloc@p(x, ...)
0095 |
0096 free_pages@p(x, ...)
0097 |
0098 free_page@p(x)
0099 |
0100 free_irq@p(x)
0101 |
0102 iounmap@p(x)
0103 |
0104 ioport_unmap@p(x)
0105 )
0106
// Rule pb: flag every standard release call whose argument is an expression x
// that rule r saw assigned from a devm_ allocator, unless the call site was
// already matched by rule safe. The leading "*" marks the call in context
// mode; the bound position p is consumed by the org and report scripts.
// Per the file header, the devm_ resource is released again when the device
// is detached, so each hit is a candidate double free. Because x is matched
// by text only and may come from another function, confirm each hit against
// the actual allocation before changing the code.
// NOTE(review): free_irq() in the kernel takes an IRQ number and a dev_id,
// so the one-argument free_irq(x) branch likely never matches - confirm, and
// do not read an absence of IRQ hits as evidence that IRQ handling is clean.
0107 @pb@
0108 expression r.x;
0109 position p != safe.p;
0110 @@
0111
0112 (
0113 * kfree@p(x)
0114 |
0115 * kfree_sensitive@p(x)
0116 |
0117 * krealloc@p(x, ...)
0118 |
0119 * free_pages@p(x, ...)
0120 |
0121 * free_page@p(x)
0122 |
0123 * free_irq@p(x)
0124 |
0125 * iounmap@p(x)
0126 |
0127 * ioport_unmap@p(x)
0128 )
0129
// Org mode output: for each position bound by rule pb, emit a TODO entry
// located at the first element of p and carrying the warning text below.
0130 @script:python depends on org@
0131 p << pb.p;
0132 @@
0133
0134 msg="WARNING: invalid free of devm_ allocated data"
0135 coccilib.org.print_todo(p[0], msg)
0136
// Report mode output: for each position bound by rule pb, print a report line
// located at the first element of p and carrying the warning text below.
0137 @script:python depends on report@
0138 p << pb.p;
0139 @@
0140
0141 msg="WARNING: invalid free of devm_ allocated data"
0142 coccilib.report.print_report(p[0], msg)
0143