1// SPDX-License-Identifier: GPL-2.0-only
2/// Find uses of standard freeing functons on values allocated using devm_
3/// functions.  Values allocated using the devm_functions are freed when
4/// the device is detached, and thus the use of the standard freeing
5/// function would cause a double free.
6/// See Documentation/driver-api/driver-model/devres.rst for more information.
7///
8/// A difficulty of detecting this problem is that the standard freeing
9/// function might be called from a different function than the one
10/// containing the allocation function.  It is thus necessary to make the
11/// connection between the allocation function and the freeing function.
12/// Here this is done using the specific argument text, which is prone to
13/// false positives.  There is no rule for the request_region and
14/// request_mem_region variants because this heuristic seems to be a bit
15/// less reliable in these cases.
16///
17// Confidence: Moderate
18// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6.
19// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6.
20// URL: http://coccinelle.lip6.fr/
21// Comments:
22// Options: --no-includes --include-headers
23
24virtual org
25virtual report
26virtual context
27
28@r depends on context || org || report@
29expression x;
30@@
31
32(
33 x = devm_kmalloc(...)
34|
35 x = devm_kvasprintf(...)
36|
37 x = devm_kasprintf(...)
38|
39 x = devm_kzalloc(...)
40|
41 x = devm_kmalloc_array(...)
42|
43 x = devm_kcalloc(...)
44|
45 x = devm_kstrdup(...)
46|
47 x = devm_kmemdup(...)
48|
49 x = devm_get_free_pages(...)
50|
51 x = devm_request_irq(...)
52|
53 x = devm_ioremap(...)
54|
55 x = devm_ioport_map(...)
56)
57
58@safe depends on context || org || report exists@
59expression x;
60position p;
61@@
62
63(
64 x = kmalloc(...)
65|
66 x = kvasprintf(...)
67|
68 x = kasprintf(...)
69|
70 x = kzalloc(...)
71|
72 x = kmalloc_array(...)
73|
74 x = kcalloc(...)
75|
76 x = kstrdup(...)
77|
78 x = kmemdup(...)
79|
80 x = get_free_pages(...)
81|
82 x = request_irq(...)
83|
84 x = ioremap(...)
85|
86 x = ioport_map(...)
87)
88...
89(
90 kfree@p(x)
91|
92 kfree_sensitive@p(x)
93|
94 krealloc@p(x, ...)
95|
96 free_pages@p(x, ...)
97|
98 free_page@p(x)
99|
100 free_irq@p(x)
101|
102 iounmap@p(x)
103|
104 ioport_unmap@p(x)
105)
106
107@pb@
108expression r.x;
109position p != safe.p;
110@@
111
112(
113* kfree@p(x)
114|
115* kfree_sensitive@p(x)
116|
117* krealloc@p(x, ...)
118|
119* free_pages@p(x, ...)
120|
121* free_page@p(x)
122|
123* free_irq@p(x)
124|
125* iounmap@p(x)
126|
127* ioport_unmap@p(x)
128)
129
130@script:python depends on org@
131p << pb.p;
132@@
133
134msg="WARNING: invalid free of devm_ allocated data"
135coccilib.org.print_todo(p[0], msg)
136
137@script:python depends on report@
138p << pb.p;
139@@
140
141msg="WARNING: invalid free of devm_ allocated data"
142coccilib.report.print_report(p[0], msg)
143
144