The of_find_device_by_node() takes a reference to the underlying device
structure, we should release that reference.
The implementation of this semantic code search is:
In a function, for a local variable returned by calling
of_find_device_by_node(),
a, if it is released by a function such as
put_device()/of_dev_put()/platform_device_put() after the last use,
it is considered that there is no reference leak;
b, if it is passed back to the caller via
dev_get_drvdata()/platform_get_drvdata()/get_device(), etc., the
reference will be released in other functions, and the current function
also considers that there is no reference leak;
c, for the rest of the situation, the current function should release the
reference by calling put_device, this code search will report the
corresponding error message.
By using this semantic code search, we have found some object reference leaks,
such as:
commit 11907e9d35 ("ASoC: fsl-asoc-card: fix object reference leaks in
fsl_asoc_card_probe")
commit a12085d139 ("mtd: rawnand: atmel: fix possible object reference leak")
commit 11493f2685 ("mtd: rawnand: jz4780: fix possible object reference leak")
There are still dozens of reference leaks in the current kernel code.
Further, for the case of b, the object returned to other functions may also
have a reference leak, we will continue to develop other cocci scripts to
further check the reference leak.
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Reviewed-by: Julia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Some files use both a non-devm allocation and a devm_allocation. Don't
complain about a free when the same function contains a non-devm
allocation.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Remove the unncessary part of the warning reported, in the report
mode, so that a single warning produced does not exceed more than line
and hence improve readability of the warnings produced in the subsequent
reports to a file.
Signed-off-by: Himanshu Jha <himanshujha199640@gmail.com>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
krealloc() must not be used against devm_*() allocated
memory regions:
- if a bigger memory is to be allocated, krealloc() and
__krealloc() could return a different pointer than the
one given to them, creating a memory region which is not
managed, thus it will not be automatically released on
device removal.
- if a bigger memory is to be allocated, krealloc() could
kfree() the managed memory region which is passed to it.
The old pointer is left registered as a resource for the
device. On device removal, this dangling pointer will be
used and an unrelated memory region could be released.
- if the requested size is equal to 0, krealloc() can also
just behave like kfree(). Here too, the old pointer is
kept associated with the device. On device removal, this
invalid pointer will be used and an unrelated memory
region could be released.
For all these reasons, krealloc() must not be used on a
pointer returned by devm_*() functions.
Cc: Tejun Heo <tj@kernel.org>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Since commit 3ef0e5ba46 ('slab: introduce kzfree()'),
kfree() is no more the only function to be considered:
kzfree() should be recognized too.
In particular, kzfree() must not be called on memory
allocated through devm_*() functions.
Cc: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Extend ifnullfree to the various destroy functions that were recently
extended to tolerate NULL arguments.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Adjust tests to compare against NULL, to match cases that explicitly make
that comparison.
Remove removal and re-addition of freeing functions.
Add position variable on usb_free_urb in the non-patch case.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
All coccinelle scripts have a copyright in the header.
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Suggested-by: Julia Lawall <Julia.Lawall@lip6.fr>
Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Warns or generates patch for NULL check before the following functions:
kfree
usb_free_urb
debugfs_remove
debugfs_remove_recursive
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Gilles Muller <Gilles.Muller@lip6.fr>
Cc: Joe Perches <joe@perches.com>
Cc: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
spatch has changed its option scheme.
E.g., --no_show_diff is now --no-show-diff
This patch updates:
- scripts/coccicheck
- Semantic patches under scripts/coccinelle/
Signed-off-by: Nicolas Palix <nicolas.palix@imag.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Created coccinelle script for reporting missing pci_free_consistent() calls.
Signed-off-by: Petr Strnad <strnape1@fel.cvut.cz>
Signed-off-by: Nicolas Palix <nicolas.palix@imag.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
The argument to kfree should not be the address of a structure field.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
This patch ensures that all semantic patches in the scripts/coccinelle
directory provide the report option. Report messages that include line
numbers now have the line number preceded by "line" for easier subsequent
processing.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
devm_ functions allocate memory that is to remain allocated until the
device is detached. This patch checks for freeing of such memory using
standard memory freeing functions.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Use new comment format to separate proposed commit message
and information about generated false positives
Signed-off-by: Nicolas Palix <npalix.work@gmail.com>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Find a use after free. Values of variables may imply that some
execution paths are not possible, resulting in false positives.
Another source of false positives are macros such as
SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument
Signed-off-by: Nicolas Palix <npalix@diku.dk>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Michal Marek <mmarek@suse.cz>