From de462ba2c79d9347368c887ed93113e7818a7b07 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 17 Sep 2014 13:31:16 +0300
Subject: [PATCH] err_ptr_deref: passing an ERR_PTR to kfree() is a bug

Reported-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 check_err_ptr_deref.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/check_err_ptr_deref.c b/check_err_ptr_deref.c
index b65aa5eb..2b1fc469 100644
--- a/check_err_ptr_deref.c
+++ b/check_err_ptr_deref.c
@@ -85,6 +85,18 @@ static void match_dereferences(struct expression *expr)
 	check_is_err_ptr(sm);
 }
 
+static void match_kfree(const char *fn, struct expression *expr, void *_arg_nr)
+{
+	int arg_nr = PTR_INT(_arg_nr);
+	struct expression *arg;
+	struct sm_state *sm;
+
+	arg = get_argument_from_call_expr(expr->args, arg_nr);
+
+	sm = get_sm_state_expr(my_id, arg);
+	check_is_err_ptr(sm);
+}
+
 static void match_condition(struct expression *expr)
 {
 	if (expr->type == EXPR_ASSIGNMENT) {
@@ -163,5 +175,9 @@ void check_err_ptr_deref(int id)
 	add_function_hook("ERR_PTR", &match_err_ptr, NULL);
 	add_hook(&match_condition, CONDITION_HOOK);
 	add_modification_hook(my_id, &ok_to_use);
+	add_function_hook("kfree", &match_kfree, INT_PTR(0));
+	add_function_hook("brelse", &match_kfree, INT_PTR(0));
+	add_function_hook("kmem_cache_free", &match_kfree, INT_PTR(1));
+	add_function_hook("vfree", &match_kfree, INT_PTR(0));
 }
 
-- 
2.11.4.GIT