1// SPDX-License-Identifier: GPL-2.0-only
2/// Find uses of standard freeing functons on values allocated using devm_
3/// functions.  Values allocated using the devm_functions are freed when
4/// the device is detached, and thus the use of the standard freeing
5/// function would cause a double free.
6/// See Documentation/driver-api/driver-model/devres.rst for more information.
7///
8/// A difficulty of detecting this problem is that the standard freeing
9/// function might be called from a different function than the one
10/// containing the allocation function.  It is thus necessary to make the
11/// connection between the allocation function and the freeing function.
12/// Here this is done using the specific argument text, which is prone to
13/// false positives.  There is no rule for the request_region and
14/// request_mem_region variants because this heuristic seems to be a bit
15/// less reliable in these cases.
16///
17// Confidence: Moderate
18// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6.
19// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6.
20// URL: http://coccinelle.lip6.fr/
21// Comments:
22// Options: --no-includes --include-headers
23
24virtual org
25virtual report
26virtual context
27
28@r depends on context || org || report@
29expression x;
30@@
31
32(
33 x = devm_kmalloc(...)
34|
35 x = devm_kvasprintf(...)
36|
37 x = devm_kasprintf(...)
38|
39 x = devm_kzalloc(...)
40|
41 x = devm_kmalloc_array(...)
42|
43 x = devm_kcalloc(...)
44|
45 x = devm_kstrdup(...)
46|
47 x = devm_kmemdup(...)
48|
49 x = devm_get_free_pages(...)
50|
51 x = devm_request_irq(...)
52|
53 x = devm_ioremap(...)
54|
55 x = devm_ioremap_nocache(...)
56|
57 x = devm_ioport_map(...)
58)
59
60@safe depends on context || org || report exists@
61expression x;
62position p;
63@@
64
65(
66 x = kmalloc(...)
67|
68 x = kvasprintf(...)
69|
70 x = kasprintf(...)
71|
72 x = kzalloc(...)
73|
74 x = kmalloc_array(...)
75|
76 x = kcalloc(...)
77|
78 x = kstrdup(...)
79|
80 x = kmemdup(...)
81|
82 x = get_free_pages(...)
83|
84 x = request_irq(...)
85|
86 x = ioremap(...)
87|
88 x = ioremap_nocache(...)
89|
90 x = ioport_map(...)
91)
92...
93(
94 kfree@p(x)
95|
96 kzfree@p(x)
97|
98 __krealloc@p(x, ...)
99|
100 krealloc@p(x, ...)
101|
102 free_pages@p(x, ...)
103|
104 free_page@p(x)
105|
106 free_irq@p(x)
107|
108 iounmap@p(x)
109|
110 ioport_unmap@p(x)
111)
112
113@pb@
114expression r.x;
115position p != safe.p;
116@@
117
118(
119* kfree@p(x)
120|
121* kzfree@p(x)
122|
123* __krealloc@p(x, ...)
124|
125* krealloc@p(x, ...)
126|
127* free_pages@p(x, ...)
128|
129* free_page@p(x)
130|
131* free_irq@p(x)
132|
133* iounmap@p(x)
134|
135* ioport_unmap@p(x)
136)
137
138@script:python depends on org@
139p << pb.p;
140@@
141
142msg="WARNING: invalid free of devm_ allocated data"
143coccilib.org.print_todo(p[0], msg)
144
145@script:python depends on report@
146p << pb.p;
147@@
148
149msg="WARNING: invalid free of devm_ allocated data"
150coccilib.report.print_report(p[0], msg)
151
152