// SPDX-License-Identifier: GPL-2.0-only
/// Find a use after free.
//# Values of variables may imply that some
//# execution paths are not possible, resulting in false positives.
//# Another source of false positives are macros such as
//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
///
// Confidence: Moderate
// Copyright: (C) 2010-2012 Nicolas Palix.
// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6.
// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6.
// URL: https://coccinelle.gitlabpages.inria.fr/website
// Comments:
// Options: --no-includes --include-headers

// Reviewer notes on scope:
// - Only calls to kfree() and kfree_sensitive() are treated as frees; memory
//   released through any other function is not matched by these rules.
// - Rule r is declared `exists`, so a hit means that a reference to the freed
//   expression follows the free on at least one control-flow path. Each hit
//   is a candidate for manual review, not a confirmed use-after-free; see the
//   false-positive notes and the Moderate confidence above.
// - Two output modes are declared here; each script rule at the end of the
//   file depends on one of them.
virtual org
virtual report

// free: record every call kfree(E) / kfree_sensitive(E). E is the freed
// expression and p1 the position of the call; later rules inherit both.
@free@
expression E;
position p1;
@@

(
 kfree@p1(E)
|
 kfree_sensitive@p1(E)
)

// print: record positions p where the freed expression E appears in one of
// these forms: as an argument (written under a cast to T in the pattern) that
// follows a string-constant argument in a call, as an operand of == or !=,
// under !, or as the left operand of ||. Rule r refuses these positions
// (p2 != print.p). NOTE(review): presumably because such code only looks at
// the pointer value and does not dereference it - confirm.
@print expression@
constant char [] c;
expression free.E,E2;
type T;
position p;
identifier f;
@@

(
 f(...,c,...,(T)E@p,...)
|
 E@p == E2
|
 E@p != E2
|
 E2 == E@p
|
 E2 != E@p
|
 !E@p
|
 E@p || ...
)

// sz: record positions p where E occurs anywhere inside the operand of
// sizeof. Rule r refuses these positions as well (p2 != sz.p).
@sz@
expression free.E;
position p;
@@

sizeof(<+...E@p...+>)

// loop: record frees (position ok) located in the body of a `while (1)` loop
// when, on every path (`when forall`) from the free to the end of the body,
// there is no `break` and no `goto`. Rule r skips frees recorded here
// (free.p1 != loop.ok). NOTE(review): presumably because a later reference is
// then only reached through the next iteration - confirm.
@loop exists@
expression E;
identifier l;
position ok;
@@

while (1) { ...
(
 kfree@ok(E)
|
 kfree_sensitive@ok(E)
)
  ... when != break;
      when != goto l;
      when forall
}

// r: the reporting rule. Starting from a free recorded by `free` (and not by
// `loop`), follow control flow to the first code matching one of the
// alternatives below. subE ranges over E and its subexpressions
// (subE<=free.E). The alternatives are ordered and only the last one binds
// p2: if an iterator over subE, list_remove_head(), an assignment to subE,
// ++/--, &subE, BUG()/BUG_ON() or one of the return_* macros is matched
// first, p2 stays unbound on that path and the script rules below, which
// need r.p2, print nothing for it.
@r exists@
expression free.E, subE<=free.E, E2;
expression E1;
iterator iter;
statement S;
position free.p1!=loop.ok,p2!={print.p,sz.p};
@@

(
 kfree@p1(E,...)
|
 kfree_sensitive@p1(E,...)
)
...
(
 iter(...,subE,...) S // no use
|
 list_remove_head(E1,subE,...)
|
 subE = E2
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 BUG(...)
|
 BUG_ON(...)
|
 return_VALUE(...)
|
 return_ACPI_STATUS(...)
|
 E@p2 // bad use
)

// org mode: print the free position as the main entry ("kfree") and the
// reference that follows it as the secondary entry ("ref").
@script:python depends on org@
p1 << free.p1;
p2 << r.p2;
@@

cocci.print_main("kfree",p1)
cocci.print_secs("ref",p2)

// report mode: one message per hit, attached to the reference (p2) and
// giving the line of the free that precedes it (p1).
@script:python depends on report@
p1 << free.p1;
p2 << r.p2;
@@

msg = "ERROR: reference preceded by free on line %s" % (p1[0].line)
coccilib.report.print_report(p2[0],msg)