1// SPDX-License-Identifier: GPL-2.0-only 2/// Find uses of standard freeing functons on values allocated using devm_ 3/// functions. Values allocated using the devm_functions are freed when 4/// the device is detached, and thus the use of the standard freeing 5/// function would cause a double free. 6/// See Documentation/driver-api/driver-model/devres.rst for more information. 7/// 8/// A difficulty of detecting this problem is that the standard freeing 9/// function might be called from a different function than the one 10/// containing the allocation function. It is thus necessary to make the 11/// connection between the allocation function and the freeing function. 12/// Here this is done using the specific argument text, which is prone to 13/// false positives. There is no rule for the request_region and 14/// request_mem_region variants because this heuristic seems to be a bit 15/// less reliable in these cases. 16/// 17// Confidence: Moderate 18// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6. 19// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6. 20// URL: https://coccinelle.gitlabpages.inria.fr/website 21// Comments: 22// Options: --no-includes --include-headers 23 24virtual org 25virtual report 26virtual context 27 28@r depends on context || org || report@ 29expression x; 30@@ 31 32( 33 x = devm_kmalloc(...) 34| 35 x = devm_kvasprintf(...) 36| 37 x = devm_kasprintf(...) 38| 39 x = devm_kzalloc(...) 40| 41 x = devm_kmalloc_array(...) 42| 43 x = devm_kcalloc(...) 44| 45 x = devm_kstrdup(...) 46| 47 x = devm_kmemdup(...) 48| 49 x = devm_get_free_pages(...) 50| 51 x = devm_request_irq(...) 52| 53 x = devm_ioremap(...) 54| 55 x = devm_ioport_map(...) 56) 57 58@safe depends on context || org || report exists@ 59expression x; 60position p; 61@@ 62 63( 64 x = kmalloc(...) 65| 66 x = kvasprintf(...) 67| 68 x = kasprintf(...) 69| 70 x = kzalloc(...) 71| 72 x = kmalloc_array(...) 73| 74 x = kcalloc(...) 75| 76 x = kstrdup(...) 77| 78 x = kmemdup(...) 79| 80 x = get_free_pages(...) 81| 82 x = request_irq(...) 83| 84 x = ioremap(...) 85| 86 x = ioport_map(...) 87) 88... 89( 90 kfree@p(x) 91| 92 kfree_sensitive@p(x) 93| 94 krealloc@p(x, ...) 95| 96 free_pages@p(x, ...) 97| 98 free_page@p(x) 99| 100 free_irq@p(x) 101| 102 iounmap@p(x) 103| 104 ioport_unmap@p(x) 105) 106 107@pb@ 108expression r.x; 109position p != safe.p; 110@@ 111 112( 113* kfree@p(x) 114| 115* kfree_sensitive@p(x) 116| 117* krealloc@p(x, ...) 118| 119* free_pages@p(x, ...) 120| 121* free_page@p(x) 122| 123* free_irq@p(x) 124| 125* iounmap@p(x) 126| 127* ioport_unmap@p(x) 128) 129 130@script:python depends on org@ 131p << pb.p; 132@@ 133 134msg="WARNING: invalid free of devm_ allocated data" 135coccilib.org.print_todo(p[0], msg) 136 137@script:python depends on report@ 138p << pb.p; 139@@ 140 141msg="WARNING: invalid free of devm_ allocated data" 142coccilib.report.print_report(p[0], msg) 143 144