1/// Find uses of standard freeing functons on values allocated using devm_
2/// functions.  Values allocated using the devm_functions are freed when
3/// the device is detached, and thus the use of the standard freeing
4/// function would cause a double free.
5/// See Documentation/driver-model/devres.txt for more information.
6///
7/// A difficulty of detecting this problem is that the standard freeing
8/// function might be called from a different function than the one
9/// containing the allocation function.  It is thus necessary to make the
10/// connection between the allocation function and the freeing function.
11/// Here this is done using the specific argument text, which is prone to
12/// false positives.  There is no rule for the request_region and
13/// request_mem_region variants because this heuristic seems to be a bit
14/// less reliable in these cases.
15///
16// Confidence: Moderate
17// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6.  GPLv2.
18// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6.  GPLv2.
19// URL: http://coccinelle.lip6.fr/
20// Comments:
21// Options: --no-includes --include-headers
22
23virtual org
24virtual report
25virtual context
26
27@r depends on context || org || report@
28expression x;
29@@
30
31(
32 x = devm_kmalloc(...)
33|
34 x = devm_kvasprintf(...)
35|
36 x = devm_kasprintf(...)
37|
38 x = devm_kzalloc(...)
39|
40 x = devm_kmalloc_array(...)
41|
42 x = devm_kcalloc(...)
43|
44 x = devm_kstrdup(...)
45|
46 x = devm_kmemdup(...)
47|
48 x = devm_get_free_pages(...)
49|
50 x = devm_request_irq(...)
51|
52 x = devm_ioremap(...)
53|
54 x = devm_ioremap_nocache(...)
55|
56 x = devm_ioport_map(...)
57)
58
59@safe depends on context || org || report exists@
60expression x;
61position p;
62@@
63
64(
65 x = kmalloc(...)
66|
67 x = kvasprintf(...)
68|
69 x = kasprintf(...)
70|
71 x = kzalloc(...)
72|
73 x = kmalloc_array(...)
74|
75 x = kcalloc(...)
76|
77 x = kstrdup(...)
78|
79 x = kmemdup(...)
80|
81 x = get_free_pages(...)
82|
83 x = request_irq(...)
84|
85 x = ioremap(...)
86|
87 x = ioremap_nocache(...)
88|
89 x = ioport_map(...)
90)
91...
92(
93 kfree@p(x)
94|
95 kzfree@p(x)
96|
97 __krealloc@p(x, ...)
98|
99 krealloc@p(x, ...)
100|
101 free_pages@p(x, ...)
102|
103 free_page@p(x)
104|
105 free_irq@p(x)
106|
107 iounmap@p(x)
108|
109 ioport_unmap@p(x)
110)
111
112@pb@
113expression r.x;
114position p != safe.p;
115@@
116
117(
118* kfree@p(x)
119|
120* kzfree@p(x)
121|
122* __krealloc@p(x, ...)
123|
124* krealloc@p(x, ...)
125|
126* free_pages@p(x, ...)
127|
128* free_page@p(x)
129|
130* free_irq@p(x)
131|
132* iounmap@p(x)
133|
134* ioport_unmap@p(x)
135)
136
137@script:python depends on org@
138p << pb.p;
139@@
140
141msg="WARNING: invalid free of devm_ allocated data"
142coccilib.org.print_todo(p[0], msg)
143
144@script:python depends on report@
145p << pb.p;
146@@
147
148msg="WARNING: invalid free of devm_ allocated data"
149coccilib.report.print_report(p[0], msg)
150
151