Faults in Linux Kernel 3.x : Using Freed Memory

As part of my work, I need to annotate the reports generated using Coccinelle scripts as bugs/FPs for recent Linux kernels, recent meaning versions above 3.0 up to the current one, 3.18.

So, reading the newer reports, I have recently completed Linux_kfree.new.org.

As you can see, there were a lot of TODOs for the 3.x versions. I have written a blog post on why using freed memory is a bug.

What is kfree?

kfree() returns memory obtained from kmalloc() (or kzalloc()) to the kernel's slab allocator; once it has been called, the pointer dangles and any further access through it is a use-after-free. I have explained it all here.

What did I find?

Of the many TODOs I checked, I would say most were FPs for this case.

There were a lot of cases where a goto was done immediately after kfree, so the statement that accesses the variable after freeing never executes, but the Coccinelle script was not recognizing this.

There were many cases where an immediate return is done after kfree, so the statement where the variable is accessed after kfree is never executed.

There were some cases where a check on the just-freed variable (inside an if) is done, which avoids a buggy situation.
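To make the difference between the real bug and the three FP patterns concrete, here is an added example of my own (a constructed user-space model, not code from the post, from the Coccinelle script, or from the Linux kernel). kfree() is stood in for by tracked_free(), which remembers the pointer it released so that a later access is reported deterministically instead of being undefined behaviour, and the "use" statement refuses to dereference a pointer that has been freed. The function names, the struct record type and the fail flag are inventions for the example. The guarded pattern assumes the pointer is set to NULL right after the free; without that, a bare if (r) on a dangling pointer is still true and would not protect anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Shadow list of released pointers: the stand-in for kfree() records here. */
#define MAX_TRACKED 16
static const void *freed_ptrs[MAX_TRACKED];
static int nfreed;

struct record { int id; };          /* constructed payload type */

static void reset_tracker(void) { nfreed = 0; }

/* Stand-in for kfree(): release the memory and remember the pointer value. */
static void tracked_free(void *p)
{
    if (nfreed < MAX_TRACKED)
        freed_ptrs[nfreed++] = p;
    free(p);
}

static bool is_freed(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed_ptrs[i] == p)
            return true;
    return false;
}

/* The "use" statement: dereferences r only while it is live, else flags a UAF. */
static int use_record(struct record *r, int *uaf)
{
    if (is_freed(r)) { *uaf = 1; return -1; }
    return r->id;
}

static struct record *fresh_record(void)
{
    struct record *r = calloc(1, sizeof(*r));
    if (r) r->id = 7;
    reset_tracker();
    return r;
}

/* Real bug: the use is reached after the free on every path. Returns 1. */
static int real_bug(void)
{
    int uaf = 0;
    struct record *r = fresh_record();
    if (!r) return -1;
    tracked_free(r);            /* kfree(r); */
    use_record(r, &uaf);        /* r accessed after being freed */
    return uaf;
}

/* FP pattern 1: goto right after the free jumps over the use. Returns 0. */
static int goto_after_free(int fail)
{
    int uaf = 0;
    struct record *r = fresh_record();
    if (!r) return -1;
    if (fail) {
        tracked_free(r);        /* kfree(r); */
        goto out;               /* the use below never runs on this path */
    }
    use_record(r, &uaf);        /* textually after the free, not on its path */
    tracked_free(r);
out:
    return uaf;
}

/* FP pattern 2: return right after the free. Returns 0. */
static int return_after_free(int fail)
{
    int uaf = 0;
    struct record *r = fresh_record();
    if (!r) return -1;
    if (fail) {
        tracked_free(r);        /* kfree(r); */
        return uaf;             /* nothing below runs on this path */
    }
    use_record(r, &uaf);
    tracked_free(r);
    return uaf;
}

/* FP pattern 3: the pointer is NULLed after the free (assumption) and checked
 * inside an if before use, so the freed memory is never touched. Returns 0. */
static int guarded_use(void)
{
    int uaf = 0;
    struct record *r = fresh_record();
    if (!r) return -1;
    tracked_free(r);            /* kfree(r); */
    r = NULL;
    if (r)                      /* guard skips the use of the freed pointer */
        use_record(r, &uaf);
    return uaf;
}

int main(void)
{
    printf("real_bug=%d goto=%d return=%d guarded=%d\n", real_bug(),
           goto_after_free(1), return_after_free(1), guarded_use());
    return 0;
}
```

A flow-insensitive reading of these functions sees "kfree(r) ... r" in all four, which is exactly why the goto and return cases show up as TODOs; only the first one actually reaches the access on a path that passes through the free.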

I have also found some bugs, and I'll be sending patches to fix them for the current Linux kernel once I'm done reading the reports.

#bugs, #coccinelle-scripts, #faults, #kfree, #linux-kernel, #linux-kernels