cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

devm_free.cocci (2565B)

      1// SPDX-License-Identifier: GPL-2.0-only
      2/// Find uses of standard freeing functons on values allocated using devm_
      3/// functions.  Values allocated using the devm_functions are freed when
      4/// the device is detached, and thus the use of the standard freeing
      5/// function would cause a double free.
      6/// See Documentation/driver-api/driver-model/devres.rst for more information.
      7///
      8/// A difficulty of detecting this problem is that the standard freeing
      9/// function might be called from a different function than the one
     10/// containing the allocation function.  It is thus necessary to make the
     11/// connection between the allocation function and the freeing function.
     12/// Here this is done using the specific argument text, which is prone to
     13/// false positives.  There is no rule for the request_region and
     14/// request_mem_region variants because this heuristic seems to be a bit
     15/// less reliable in these cases.
     16///
     17// Confidence: Moderate
     18// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6.
     19// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6.
     20// URL: http://coccinelle.lip6.fr/
     21// Comments:
     22// Options: --no-includes --include-headers
     23
     24virtual org
     25virtual report
     26virtual context
     27
     28@r depends on context || org || report@
     29expression x;
     30@@
     31
     32(
     33 x = devm_kmalloc(...)
     34|
     35 x = devm_kvasprintf(...)
     36|
     37 x = devm_kasprintf(...)
     38|
     39 x = devm_kzalloc(...)
     40|
     41 x = devm_kmalloc_array(...)
     42|
     43 x = devm_kcalloc(...)
     44|
     45 x = devm_kstrdup(...)
     46|
     47 x = devm_kmemdup(...)
     48|
     49 x = devm_get_free_pages(...)
     50|
     51 x = devm_request_irq(...)
     52|
     53 x = devm_ioremap(...)
     54|
     55 x = devm_ioport_map(...)
     56)
     57
     58@safe depends on context || org || report exists@
     59expression x;
     60position p;
     61@@
     62
     63(
     64 x = kmalloc(...)
     65|
     66 x = kvasprintf(...)
     67|
     68 x = kasprintf(...)
     69|
     70 x = kzalloc(...)
     71|
     72 x = kmalloc_array(...)
     73|
     74 x = kcalloc(...)
     75|
     76 x = kstrdup(...)
     77|
     78 x = kmemdup(...)
     79|
     80 x = get_free_pages(...)
     81|
     82 x = request_irq(...)
     83|
     84 x = ioremap(...)
     85|
     86 x = ioport_map(...)
     87)
     88...
     89(
     90 kfree@p(x)
     91|
     92 kfree_sensitive@p(x)
     93|
     94 krealloc@p(x, ...)
     95|
     96 free_pages@p(x, ...)
     97|
     98 free_page@p(x)
     99|
    100 free_irq@p(x)
    101|
    102 iounmap@p(x)
    103|
    104 ioport_unmap@p(x)
    105)
    106
    107@pb@
    108expression r.x;
    109position p != safe.p;
    110@@
    111
    112(
    113* kfree@p(x)
    114|
    115* kfree_sensitive@p(x)
    116|
    117* krealloc@p(x, ...)
    118|
    119* free_pages@p(x, ...)
    120|
    121* free_page@p(x)
    122|
    123* free_irq@p(x)
    124|
    125* iounmap@p(x)
    126|
    127* ioport_unmap@p(x)
    128)
    129
    130@script:python depends on org@
    131p << pb.p;
    132@@
    133
    134msg="WARNING: invalid free of devm_ allocated data"
    135coccilib.org.print_todo(p[0], msg)
    136
    137@script:python depends on report@
    138p << pb.p;
    139@@
    140
    141msg="WARNING: invalid free of devm_ allocated data"
    142coccilib.report.print_report(p[0], msg)
    143