17f904d7eSThomas Gleixner// SPDX-License-Identifier: GPL-2.0-only 2fb3f8af4SJulia Lawall/// Find uses of standard freeing functons on values allocated using devm_ 3fb3f8af4SJulia Lawall/// functions. Values allocated using the devm_functions are freed when 4fb3f8af4SJulia Lawall/// the device is detached, and thus the use of the standard freeing 5fb3f8af4SJulia Lawall/// function would cause a double free. 6fe34c89dSMauro Carvalho Chehab/// See Documentation/driver-api/driver-model/devres.rst for more information. 7fb3f8af4SJulia Lawall/// 8fb3f8af4SJulia Lawall/// A difficulty of detecting this problem is that the standard freeing 9fb3f8af4SJulia Lawall/// function might be called from a different function than the one 10fb3f8af4SJulia Lawall/// containing the allocation function. It is thus necessary to make the 11fb3f8af4SJulia Lawall/// connection between the allocation function and the freeing function. 12fb3f8af4SJulia Lawall/// Here this is done using the specific argument text, which is prone to 13fb3f8af4SJulia Lawall/// false positives. There is no rule for the request_region and 14fb3f8af4SJulia Lawall/// request_mem_region variants because this heuristic seems to be a bit 15fb3f8af4SJulia Lawall/// less reliable in these cases. 16fb3f8af4SJulia Lawall/// 17fb3f8af4SJulia Lawall// Confidence: Moderate 187f904d7eSThomas Gleixner// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6. 197f904d7eSThomas Gleixner// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6. 20*f01701ceSJulia Lawall// URL: https://coccinelle.gitlabpages.inria.fr/website 21fb3f8af4SJulia Lawall// Comments: 2293f14468SNicolas Palix// Options: --no-includes --include-headers 23fb3f8af4SJulia Lawall 24fb3f8af4SJulia Lawallvirtual org 25fb3f8af4SJulia Lawallvirtual report 26fb3f8af4SJulia Lawallvirtual context 27fb3f8af4SJulia Lawall 28fb3f8af4SJulia Lawall@r depends on context || org || report@ 29fb3f8af4SJulia Lawallexpression x; 30fb3f8af4SJulia Lawall@@ 31fb3f8af4SJulia Lawall 32fb3f8af4SJulia Lawall( 33a720c064SYann Droneaud x = devm_kmalloc(...) 34a720c064SYann Droneaud| 35a720c064SYann Droneaud x = devm_kvasprintf(...) 36a720c064SYann Droneaud| 37a720c064SYann Droneaud x = devm_kasprintf(...) 38a720c064SYann Droneaud| 39fb3f8af4SJulia Lawall x = devm_kzalloc(...) 40fb3f8af4SJulia Lawall| 41a720c064SYann Droneaud x = devm_kmalloc_array(...) 42a720c064SYann Droneaud| 43a720c064SYann Droneaud x = devm_kcalloc(...) 44a720c064SYann Droneaud| 45a720c064SYann Droneaud x = devm_kstrdup(...) 46a720c064SYann Droneaud| 47a720c064SYann Droneaud x = devm_kmemdup(...) 48a720c064SYann Droneaud| 49a720c064SYann Droneaud x = devm_get_free_pages(...) 50a720c064SYann Droneaud| 51fb3f8af4SJulia Lawall x = devm_request_irq(...) 52fb3f8af4SJulia Lawall| 53fb3f8af4SJulia Lawall x = devm_ioremap(...) 54fb3f8af4SJulia Lawall| 55fb3f8af4SJulia Lawall x = devm_ioport_map(...) 56fb3f8af4SJulia Lawall) 57fb3f8af4SJulia Lawall 58e856f3a7SJulia Lawall@safe depends on context || org || report exists@ 59e856f3a7SJulia Lawallexpression x; 60e856f3a7SJulia Lawallposition p; 61e856f3a7SJulia Lawall@@ 62e856f3a7SJulia Lawall 63e856f3a7SJulia Lawall( 64e856f3a7SJulia Lawall x = kmalloc(...) 65e856f3a7SJulia Lawall| 66e856f3a7SJulia Lawall x = kvasprintf(...) 67e856f3a7SJulia Lawall| 68e856f3a7SJulia Lawall x = kasprintf(...) 69e856f3a7SJulia Lawall| 70e856f3a7SJulia Lawall x = kzalloc(...) 71e856f3a7SJulia Lawall| 72e856f3a7SJulia Lawall x = kmalloc_array(...) 73e856f3a7SJulia Lawall| 74e856f3a7SJulia Lawall x = kcalloc(...) 75e856f3a7SJulia Lawall| 76e856f3a7SJulia Lawall x = kstrdup(...) 77e856f3a7SJulia Lawall| 78e856f3a7SJulia Lawall x = kmemdup(...) 79e856f3a7SJulia Lawall| 80e856f3a7SJulia Lawall x = get_free_pages(...) 81e856f3a7SJulia Lawall| 82e856f3a7SJulia Lawall x = request_irq(...) 83e856f3a7SJulia Lawall| 84e856f3a7SJulia Lawall x = ioremap(...) 85e856f3a7SJulia Lawall| 86e856f3a7SJulia Lawall x = ioport_map(...) 87e856f3a7SJulia Lawall) 88e856f3a7SJulia Lawall... 89e856f3a7SJulia Lawall( 90e856f3a7SJulia Lawall kfree@p(x) 91e856f3a7SJulia Lawall| 92453431a5SWaiman Long kfree_sensitive@p(x) 93e856f3a7SJulia Lawall| 94e856f3a7SJulia Lawall krealloc@p(x, ...) 95e856f3a7SJulia Lawall| 96e856f3a7SJulia Lawall free_pages@p(x, ...) 97e856f3a7SJulia Lawall| 98e856f3a7SJulia Lawall free_page@p(x) 99e856f3a7SJulia Lawall| 100e856f3a7SJulia Lawall free_irq@p(x) 101e856f3a7SJulia Lawall| 102e856f3a7SJulia Lawall iounmap@p(x) 103e856f3a7SJulia Lawall| 104e856f3a7SJulia Lawall ioport_unmap@p(x) 105e856f3a7SJulia Lawall) 106e856f3a7SJulia Lawall 107fb3f8af4SJulia Lawall@pb@ 108fb3f8af4SJulia Lawallexpression r.x; 109e856f3a7SJulia Lawallposition p != safe.p; 110fb3f8af4SJulia Lawall@@ 111fb3f8af4SJulia Lawall 112fb3f8af4SJulia Lawall( 113fb3f8af4SJulia Lawall* kfree@p(x) 114fb3f8af4SJulia Lawall| 115453431a5SWaiman Long* kfree_sensitive@p(x) 1166dd9379eSYann Droneaud| 117b7b2ee41SYann Droneaud* krealloc@p(x, ...) 118b7b2ee41SYann Droneaud| 119a720c064SYann Droneaud* free_pages@p(x, ...) 120a720c064SYann Droneaud| 121a720c064SYann Droneaud* free_page@p(x) 122a720c064SYann Droneaud| 123fb3f8af4SJulia Lawall* free_irq@p(x) 124fb3f8af4SJulia Lawall| 125fb3f8af4SJulia Lawall* iounmap@p(x) 126fb3f8af4SJulia Lawall| 127fb3f8af4SJulia Lawall* ioport_unmap@p(x) 128fb3f8af4SJulia Lawall) 129fb3f8af4SJulia Lawall 130fb3f8af4SJulia Lawall@script:python depends on org@ 131fb3f8af4SJulia Lawallp << pb.p; 132fb3f8af4SJulia Lawall@@ 133fb3f8af4SJulia Lawall 134fb3f8af4SJulia Lawallmsg="WARNING: invalid free of devm_ allocated data" 135fb3f8af4SJulia Lawallcoccilib.org.print_todo(p[0], msg) 136fb3f8af4SJulia Lawall 137fb3f8af4SJulia Lawall@script:python depends on report@ 138fb3f8af4SJulia Lawallp << pb.p; 139fb3f8af4SJulia Lawall@@ 140fb3f8af4SJulia Lawall 141fb3f8af4SJulia Lawallmsg="WARNING: invalid free of devm_ allocated data" 142fb3f8af4SJulia Lawallcoccilib.report.print_report(p[0], msg) 143fb3f8af4SJulia Lawall 144