1 /*
   2  * Copyright (C) 2015 Rasmus Villemoes.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17 
  18 #include <assert.h>
  19 #include <ctype.h>
  20 #include <string.h>
  21 #include "smatch.h"
  22 #include "smatch_slist.h"
  23 
  24 #define spam(args...) do {                      \
  25         if (option_spammy)                      \
  26                 sm_msg(args);                   \
  27         } while (0)
  28 
  29 static int my_id;
  30 
  31 /*
  32  * Much of this is taken directly from the kernel (mostly vsprintf.c),
  33  * with a few modifications here and there.
  34  */
  35 
  36 #define KERN_SOH_ASCII  '\001'
  37 
  38 typedef unsigned char u8;
  39 typedef signed short s16;
  40 
  41 #define SIGN    1               /* unsigned/signed, must be 1 */
  42 #define LEFT    2               /* left justified */
  43 #define PLUS    4               /* show plus */
  44 #define SPACE   8               /* space if plus */
  45 #define ZEROPAD 16              /* pad with zero, must be 16 == '0' - ' ' */
  46 #define SMALL   32              /* use lowercase in hex (must be 32 == 0x20) */
  47 #define SPECIAL 64              /* prefix hex with "0x", octal with "0" */
  48 
  49 enum format_type {
  50         FORMAT_TYPE_NONE, /* Just a string part */
  51         FORMAT_TYPE_WIDTH,
  52         FORMAT_TYPE_PRECISION,
  53         FORMAT_TYPE_CHAR,
  54         FORMAT_TYPE_STR,
  55         FORMAT_TYPE_PTR,
  56         FORMAT_TYPE_PERCENT_CHAR,
  57         FORMAT_TYPE_INVALID,
  58         FORMAT_TYPE_LONG_LONG,
  59         FORMAT_TYPE_ULONG,
  60         FORMAT_TYPE_LONG,
  61         FORMAT_TYPE_UBYTE,
  62         FORMAT_TYPE_BYTE,
  63         FORMAT_TYPE_USHORT,
  64         FORMAT_TYPE_SHORT,
  65         FORMAT_TYPE_UINT,
  66         FORMAT_TYPE_INT,
  67         FORMAT_TYPE_SIZE_T,
  68         FORMAT_TYPE_PTRDIFF,
  69         FORMAT_TYPE_NRCHARS, /* Reintroduced for this checker */
  70         FORMAT_TYPE_FLOAT, /* for various floating point formatters */
  71 };
  72 
  73 struct printf_spec {
  74         unsigned int    type:8;         /* format_type enum */
  75         signed int      field_width:24; /* width of output field */
  76         unsigned int    flags:8;        /* flags to number() */
  77         unsigned int    base:8;         /* number base, 8, 10 or 16 only */
  78         signed int      precision:16;   /* # of digits/chars */
  79 } __packed;
  80 #define FIELD_WIDTH_MAX ((1 << 23) - 1)
  81 #define PRECISION_MAX ((1 << 15) - 1)
  82 extern char __check_printf_spec[1-2*(sizeof(struct printf_spec) != 8)];
  83 
  84 static int
  85 skip_atoi(const char **s)
  86 {
  87         int i = 0;
  88 
  89         while (isdigit(**s))
  90                 i = i*10 + *((*s)++) - '0';
  91 
  92         return i;
  93 }
  94 
  95 static int
  96 format_decode(const char *fmt, struct printf_spec *spec)
  97 {
  98         const char *start = fmt;
  99         char qualifier;
 100 
 101         /* we finished early by reading the field width */
 102         if (spec->type == FORMAT_TYPE_WIDTH) {
 103                 if (spec->field_width < 0) {
 104                         spec->field_width = -spec->field_width;
 105                         spec->flags |= LEFT;
 106                 }
 107                 spec->type = FORMAT_TYPE_NONE;
 108                 goto precision;
 109         }
 110 
 111         /* we finished early by reading the precision */
 112         if (spec->type == FORMAT_TYPE_PRECISION) {
 113                 if (spec->precision < 0)
 114                         spec->precision = 0;
 115 
 116                 spec->type = FORMAT_TYPE_NONE;
 117                 goto qualifier;
 118         }
 119 
 120         /* By default */
 121         spec->type = FORMAT_TYPE_NONE;
 122 
 123         for (; *fmt ; ++fmt) {
 124                 if (*fmt == '%')
 125                         break;
 126         }
 127 
 128         /* Return the current non-format string */
 129         if (fmt != start || !*fmt)
 130                 return fmt - start;
 131 
 132         /* Process flags */
 133         spec->flags = 0;
 134 
 135         while (1) { /* this also skips first '%' */
 136                 bool found = true;
 137 
 138                 ++fmt;
 139 
 140                 switch (*fmt) {
 141                 case '-': spec->flags |= LEFT;    break;
 142                 case '+': spec->flags |= PLUS;    break;
 143                 case ' ': spec->flags |= SPACE;   break;
 144                 case '#': spec->flags |= SPECIAL; break;
 145                 case '0': spec->flags |= ZEROPAD; break;
 146                 default:  found = false;
 147                 }
 148 
 149                 if (!found)
 150                         break;
 151         }
 152 
 153         /* get field width */
 154         spec->field_width = -1;
 155 
 156         if (isdigit(*fmt))
 157                 spec->field_width = skip_atoi(&fmt);
 158         else if (*fmt == '*') {
 159                 /* it's the next argument */
 160                 spec->type = FORMAT_TYPE_WIDTH;
 161                 return ++fmt - start;
 162         }
 163 
 164 precision:
 165         /* get the precision */
 166         spec->precision = -1;
 167         if (*fmt == '.') {
 168                 ++fmt;
 169                 if (isdigit(*fmt)) {
 170                         spec->precision = skip_atoi(&fmt);
 171                         if (spec->precision < 0)
 172                                 spec->precision = 0;
 173                 } else if (*fmt == '*') {
 174                         /* it's the next argument */
 175                         spec->type = FORMAT_TYPE_PRECISION;
 176                         return ++fmt - start;
 177                 }
 178         }
 179 
 180 qualifier:
 181         /* get the conversion qualifier */
 182         qualifier = 0;
 183         if (*fmt == 'h' || _tolower(*fmt) == 'l' ||
 184             _tolower(*fmt) == 'z' || *fmt == 't') {
 185                 qualifier = *fmt++;
 186                 if (qualifier == *fmt) {
 187                         if (qualifier == 'l') {
 188                                 qualifier = 'L';
 189                                 ++fmt;
 190                         } else if (qualifier == 'h') {
 191                                 qualifier = 'H';
 192                                 ++fmt;
 193                         } else {
 194                                 sm_warning("invalid repeated qualifier '%c'", *fmt);
 195                         }
 196                 }
 197         }
 198 
 199         /* default base */
 200         spec->base = 10;
 201         switch (*fmt) {
 202         case 'c':
 203                 if (qualifier)
 204                         sm_warning("qualifier '%c' ignored for %%c specifier", qualifier);
 205 
 206                 spec->type = FORMAT_TYPE_CHAR;
 207                 return ++fmt - start;
 208 
 209         case 's':
 210                 if (qualifier)
 211                         sm_warning("qualifier '%c' ignored for %%s specifier", qualifier);
 212 
 213                 spec->type = FORMAT_TYPE_STR;
 214                 return ++fmt - start;
 215 
 216         case 'p':
 217                 spec->type = FORMAT_TYPE_PTR;
 218                 return ++fmt - start;
 219 
 220         case '%':
 221                 spec->type = FORMAT_TYPE_PERCENT_CHAR;
 222                 return ++fmt - start;
 223 
 224         /* integer number formats - set up the flags and "break" */
 225         case 'o':
 226                 spec->base = 8;
 227                 break;
 228 
 229         case 'x':
 230                 spec->flags |= SMALL;
 231 
 232         case 'X':
 233                 spec->base = 16;
 234                 break;
 235 
 236         case 'd':
 237         case 'i':
 238                 spec->flags |= SIGN;
 239         case 'u':
 240                 break;
 241 
 242         case 'n':
 243                 spec->type = FORMAT_TYPE_NRCHARS;
 244                 return ++fmt - start;
 245 
 246         case 'a': case 'A':
 247         case 'e': case 'E':
 248         case 'f': case 'F':
 249         case 'g': case 'G':
 250                 spec->type = FORMAT_TYPE_FLOAT;
 251                 return ++fmt - start;
 252 
 253         default:
 254                 spec->type = FORMAT_TYPE_INVALID;
 255                 /* Unlike the kernel code, we 'consume' the invalid
 256                  * character so that it can get included in the
 257                  * report. After that, we bail out. */
 258                 return ++fmt - start;
 259         }
 260 
 261         if (qualifier == 'L')
 262                 spec->type = FORMAT_TYPE_LONG_LONG;
 263         else if (qualifier == 'l') {
 264                 if (spec->flags & SIGN)
 265                         spec->type = FORMAT_TYPE_LONG;
 266                 else
 267                         spec->type = FORMAT_TYPE_ULONG;
 268         } else if (_tolower(qualifier) == 'z') {
 269                 spec->type = FORMAT_TYPE_SIZE_T;
 270         } else if (qualifier == 't') {
 271                 spec->type = FORMAT_TYPE_PTRDIFF;
 272         } else if (qualifier == 'H') {
 273                 if (spec->flags & SIGN)
 274                         spec->type = FORMAT_TYPE_BYTE;
 275                 else
 276                         spec->type = FORMAT_TYPE_UBYTE;
 277         } else if (qualifier == 'h') {
 278                 if (spec->flags & SIGN)
 279                         spec->type = FORMAT_TYPE_SHORT;
 280                 else
 281                         spec->type = FORMAT_TYPE_USHORT;
 282         } else {
 283                 if (spec->flags & SIGN)
 284                         spec->type = FORMAT_TYPE_INT;
 285                 else
 286                         spec->type = FORMAT_TYPE_UINT;
 287         }
 288 
 289         return ++fmt - start;
 290 }
 291 
 292 static int is_struct_tag(struct symbol *type, const char *tag)
 293 {
 294         return type->type == SYM_STRUCT && type->ident && !strcmp(type->ident->name, tag);
 295 }
 296 
 297 static int has_struct_tag(struct symbol *type, const char *tag)
 298 {
 299         struct symbol *tmp;
 300 
 301         if (type->type == SYM_STRUCT)
 302                 return is_struct_tag(type, tag);
 303         if (type->type == SYM_UNION) {
 304                 FOR_EACH_PTR(type->symbol_list, tmp) {
 305                         tmp = get_real_base_type(tmp);
 306                         if (tmp && is_struct_tag(tmp, tag))
 307                                 return 1;
 308                 } END_FOR_EACH_PTR(tmp);
 309         }
 310         return 0;
 311 }
 312 
 313 static int is_char_type(struct symbol *type)
 314 {
 315         return type == &uchar_ctype || type == &char_ctype || type == &schar_ctype;
 316 }
 317 
 318 /*
 319  * I have absolutely no idea if this is how one is supposed to get the
 320  * symbol representing a typedef, but it seems to work.
 321  */
 322 struct typedef_lookup {
 323         const char *name;
 324         struct symbol *sym;
 325         int failed;
 326 };
 327 
 328 static struct symbol *_typedef_lookup(const char *name)
 329 {
 330         struct ident *id;
 331         struct symbol *node;
 332 
 333         id = built_in_ident(name);
 334         if (!id)
 335                 return NULL;
 336         node = lookup_symbol(id, NS_TYPEDEF);
 337         if (!node || node->type != SYM_NODE)
 338                 return NULL;
 339         return get_real_base_type(node);
 340 }
 341 
 342 static void typedef_lookup(struct typedef_lookup *tl)
 343 {
 344         if (tl->sym || tl->failed)
 345                 return;
 346         tl->sym = _typedef_lookup(tl->name);
 347         if (!tl->sym) {
 348                 sm_perror(" could not find typedef '%s'", tl->name);
 349                 tl->failed = 1;
 350         }
 351 }
 352 
 353 
 354 static void ip4(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 355 {
 356         enum { ENDIAN_BIG, ENDIAN_LITTLE, ENDIAN_HOST } endian = ENDIAN_BIG;
 357 
 358         assert(fmt[0] == 'i' || fmt[0] == 'I');
 359         assert(fmt[1] == '4');
 360 
 361         if (isalnum(fmt[2])) {
 362                 switch (fmt[2]) {
 363                 case 'h':
 364                         endian = ENDIAN_HOST;
 365                         break;
 366                 case 'l':
 367                         endian = ENDIAN_LITTLE;
 368                         break;
 369                 case 'n':
 370                 case 'b':
 371                         endian = ENDIAN_BIG;
 372                         break;
 373                 default:
 374                         sm_warning("'%%p%c4' can only be followed by one of [hnbl], not '%c'", fmt[0], fmt[2]);
 375                 }
 376                 if (isalnum(fmt[3]))
 377                         sm_warning("'%%p%c4' can only be followed by precisely one of [hnbl]", fmt[0]);
 378         }
 379 
 380 
 381         if (type->ctype.modifiers & MOD_NODEREF)
 382                 sm_error("passing __user pointer to '%%p%c4'", fmt[0]);
 383 
 384         /*
 385          * If we have a pointer to char/u8/s8, we expect the caller to
 386          * handle endianness; I don't think there's anything we can
 387          * do. I'd like to check that if we're passed a pointer to a
 388          * __bitwise u32 (most likely a __be32), we should have endian
 389          * == ENDIAN_BIG. But I can't figure out how to get that
 390          * information (it also seems to require ensuring certain
 391          * macros are defined). But struct in_addr certainly consists
 392          * of only a single __be32, so in that case we can do a check.
 393          */
 394         if (is_char_type(basetype))
 395                 return;
 396 
 397         if (is_struct_tag(basetype, "in_addr") && endian != ENDIAN_BIG)
 398                 sm_warning("passing struct in_addr* to '%%p%c4%c', is the endianness ok?", fmt[0], fmt[2]);
 399 
 400         /* ... */
 401 }
 402 
 403 static void ip6(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 404 {
 405         assert(fmt[0] == 'i' || fmt[0] == 'I');
 406         assert(fmt[1] == '6');
 407 
 408         if (isalnum(fmt[2])) {
 409                 if (fmt[2] != 'c')
 410                         sm_warning("'%%p%c6' can only be followed by c", fmt[0]);
 411                 else if (fmt[0] == 'i')
 412                         sm_warning("'%%pi6' does not allow flag c");
 413                 if (isalnum(fmt[3]))
 414                         sm_warning("'%%p%c6%c' cannot be followed by other alphanumerics", fmt[0], fmt[2]);
 415         }
 416 
 417         if (type->ctype.modifiers & MOD_NODEREF)
 418                 sm_error("passing __user pointer to '%%p%c6'", fmt[0]);
 419 }
 420 
 421 static void ipS(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 422 {
 423         const char *f;
 424 
 425         assert(tolower(fmt[0]) == 'i');
 426         assert(fmt[1] == 'S');
 427 
 428         for (f = fmt+2; isalnum(*f); ++f) {
 429                 /* It's probably too anal checking for duplicate flags. */
 430                 if (!strchr("pfschnbl", *f))
 431                         sm_warning("'%%p%cS' cannot be followed by '%c'", fmt[0], *f);
 432         }
 433 
 434         /*
 435          * XXX: Should we also allow passing a pointer to a union, one
 436          * member of which is a struct sockaddr? It may be slightly
 437          * cleaner actually passing &u.raw instead of just &u, though
 438          * the generated code is of course exactly the same. For now,
 439          * we do accept struct sockaddr_in and struct sockaddr_in6,
 440          * since those are easy to handle and rather harmless.
 441          */
 442         if (!has_struct_tag(basetype, "sockaddr") &&
 443             !has_struct_tag(basetype, "sockaddr_in") &&
 444             !has_struct_tag(basetype, "sockaddr_in6") &&
 445             !has_struct_tag(basetype, "__kernel_sockaddr_storage"))
 446                 sm_error("'%%p%cS' expects argument of type struct sockaddr *, "
 447                         "argument %d has type '%s'", fmt[0], vaidx, type_to_str(type));
 448 }
 449 
 450 static void hex_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 451 {
 452         assert(fmt[0] == 'h');
 453         if (isalnum(fmt[1])) {
 454                 if (!strchr("CDN", fmt[1]))
 455                         sm_warning("'%%ph' cannot be followed by '%c'", fmt[1]);
 456                 if (isalnum(fmt[2]))
 457                         sm_warning("'%%ph' can be followed by at most one of [CDN], and no other alphanumerics");
 458         }
 459         if (type->ctype.modifiers & MOD_NODEREF)
 460                 sm_error("passing __user pointer to %%ph");
 461 }
 462 
 463 static void escaped_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 464 {
 465         assert(fmt[0] == 'E');
 466         while (isalnum(*++fmt)) {
 467                 if (!strchr("achnops", *fmt))
 468                         sm_warning("%%pE can only be followed by a combination of [achnops]");
 469         }
 470         if (type->ctype.modifiers & MOD_NODEREF)
 471                 sm_error("passing __user pointer to %%pE");
 472 }
 473 
 474 static void resource_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 475 {
 476         assert(tolower(fmt[0]) == 'r');
 477         if (!is_struct_tag(basetype, "resource")) {
 478                 sm_error("'%%p%c' expects argument of type struct resource *, "
 479                         "but argument %d has type '%s'", fmt[0], vaidx, type_to_str(type));
 480         }
 481         if (isalnum(fmt[1]))
 482                 sm_warning("'%%p%c' cannot be followed by '%c'", fmt[0], fmt[1]);
 483 }
 484 
 485 static void mac_address_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 486 {
 487         assert(tolower(fmt[0]) == 'm');
 488         if (isalnum(fmt[1])) {
 489                 if (!(fmt[1] == 'F' || fmt[1] == 'R'))
 490                         sm_warning("'%%p%c' cannot be followed by '%c'", fmt[0], fmt[1]);
 491                 if (fmt[0] == 'm' && fmt[1] == 'F')
 492                         sm_warning("it is pointless to pass flag F to %%pm");
 493                 if (isalnum(fmt[2]))
 494                         sm_warning("'%%p%c%c' cannot be followed by other alphanumeric", fmt[0], fmt[1]);
 495         }
 496         /* Technically, bdaddr_t is a typedef for an anonymous struct, but this still seems to work. */
 497         if (!is_char_type(basetype) && !is_struct_tag(basetype, "bdaddr_t") && basetype != &void_ctype) {
 498                 sm_warning("'%%p%c' expects argument of type u8 * or bdaddr_t *, argument %d has type '%s'",
 499                         fmt[0], vaidx, type_to_str(type));
 500         }
 501         if (type->ctype.modifiers & MOD_NODEREF)
 502                 sm_error("passing __user pointer to '%%p%c'", fmt[0]);
 503 }
 504 
 505 static void dentry_file(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 506 {
 507         const char *tag;
 508 
 509         assert(tolower(fmt[0]) == 'd');
 510         tag = fmt[0] == 'd' ? "dentry" : "file";
 511 
 512         if (isalnum(fmt[1])) {
 513                 if (!strchr("234", fmt[1]))
 514                         sm_warning("'%%p%c' can only be followed by one of [234]", fmt[0]);
 515                 if (isalnum(fmt[2]))
 516                         sm_warning("'%%p%c%c' cannot be followed by '%c'", fmt[0], fmt[1], fmt[2]);
 517         }
 518 
 519         if (!is_struct_tag(basetype, tag))
 520                 sm_error("'%%p%c' expects argument of type struct '%s*', argument %d has type '%s'",
 521                         fmt[0], tag, vaidx, type_to_str(type));
 522 }
 523 
 524 static void check_clock(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 525 {
 526         assert(fmt[0] == 'C');
 527         if (isalnum(fmt[1])) {
 528                 if (!strchr("nr", fmt[1]))
 529                         sm_warning("'%%pC' can only be followed by one of [nr]");
 530                 if (isalnum(fmt[2]))
 531                         sm_warning("'%%pC%c' cannot be followed by '%c'", fmt[1], fmt[2]);
 532         }
 533         if (!is_struct_tag(basetype, "clk"))
 534                 sm_error("'%%pC' expects argument of type 'struct clk*', argument %d has type '%s'",
 535                        vaidx, type_to_str(type));
 536 }
 537 
 538 static void va_format(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 539 {
 540         assert(fmt[0] == 'V');
 541         if (isalnum(fmt[1]))
 542                 sm_warning("%%pV cannot be followed by any alphanumerics");
 543         if (!is_struct_tag(basetype, "va_format"))
 544                 sm_error("%%pV expects argument of type struct va_format*, argument %d has type '%s'", vaidx, type_to_str(type));
 545 }
 546 
 547 static void netdev_feature(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 548 {
 549         static struct typedef_lookup netdev = { .name = "netdev_features_t" };
 550 
 551         assert(fmt[0] == 'N');
 552         if (fmt[1] != 'F') {
 553                 sm_error("%%pN must be followed by 'F'");
 554                 return;
 555         }
 556         if (isalnum(fmt[2]))
 557                 sm_warning("%%pNF cannot be followed by '%c'", fmt[2]);
 558 
 559         typedef_lookup(&netdev);
 560         if (!netdev.sym)
 561                 return;
 562         if (basetype != netdev.sym)
 563                 sm_error("%%pNF expects argument of type netdev_features_t*, argument %d has type '%s'",
 564                         vaidx, type_to_str(type));
 565 
 566 }
 567 static void address_val(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 568 {
 569         static struct typedef_lookup dma = { .name = "dma_addr_t" };
 570         static struct typedef_lookup phys = { .name = "phys_addr_t" };
 571         struct typedef_lookup *which = &phys;
 572         const char *suf = "";
 573         assert(fmt[0] == 'a');
 574 
 575         if (isalnum(fmt[1])) {
 576                 switch (fmt[1]) {
 577                 case 'd':
 578                         which = &dma;
 579                         suf = "d";
 580                         break;
 581                 case 'p':
 582                         suf = "p";
 583                         break;
 584                 default:
 585                         sm_error("'%%pa' can only be followed by one of [dp]");
 586                 }
 587                 if (isalnum(fmt[2]))
 588                         sm_error("'%%pa%c' cannot be followed by '%c'", fmt[1], fmt[2]);
 589         }
 590 
 591         typedef_lookup(which);
 592         if (!which->sym)
 593                 return;
 594         if (basetype != which->sym) {
 595                 sm_error("'%%pa%s' expects argument of type '%s*', argument %d has type '%s'",
 596                         suf, which->name, vaidx, type_to_str(type));
 597         }
 598 }
 599 
 600 static void block_device(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 601 {
 602         const char *tag = "block_device";
 603 
 604         assert(fmt[0] == 'g');
 605         if (isalnum(fmt[1])) {
 606                 sm_warning("%%pg cannot be followed by '%c'", fmt[1]);
 607         }
 608         if (!is_struct_tag(basetype, tag))
 609                 sm_error("'%%p%c' expects argument of type struct '%s*', argument %d has type '%s'",
 610                         fmt[0], tag, vaidx, type_to_str(type));
 611 }
 612 
 613 static void flag_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 614 {
 615         static struct typedef_lookup gfp = { .name = "gfp_t" };
 616 
 617         assert(fmt[0] == 'G');
 618         if (!isalnum(fmt[1])) {
 619                 sm_error("%%pG must be followed by one of [gpv]");
 620                 return;
 621         }
 622         switch (fmt[1]) {
 623         case 'p':
 624         case 'v':
 625                 if (basetype != &ulong_ctype)
 626                         sm_error("'%%pG%c' expects argument of type 'unsigned long *', argument %d has type '%s'",
 627                                 fmt[1], vaidx, type_to_str(type));
 628                 break;
 629         case 'g':
 630                 typedef_lookup(&gfp);
 631                 if (basetype != gfp.sym)
 632                         sm_error("'%%pGg' expects argument of type 'gfp_t *', argument %d has type '%s'",
 633                                 vaidx, type_to_str(type));
 634                 break;
 635         default:
 636                 sm_error("'%%pG' must be followed by one of [gpv]");
 637         }
 638 }
 639 
 640 static void device_node_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
 641 {
 642         if (fmt[1] != 'F') {
 643                 sm_error("%%pO can only be followed by 'F'");
 644                 return;
 645         }
 646         if (!is_struct_tag(basetype, "device_node"))
 647                 sm_error("'%%pOF' expects argument of type 'struct device_node*', argument %d has type '%s'",
 648                        vaidx, type_to_str(type));
 649 }
 650 
 651 static void
 652 pointer(const char *fmt, struct expression *arg, int vaidx)
 653 {
 654         struct symbol *type, *basetype;
 655 
 656         type = get_type(arg);
 657         if (!type) {
 658                 sm_warning("could not determine type of argument %d", vaidx);
 659                 return;
 660         }
 661         if (!is_ptr_type(type)) {
 662                 sm_error("%%p expects pointer argument, but argument %d has type '%s'",
 663                         vaidx, type_to_str(type));
 664                 return;
 665         }
 666         /* Just plain %p, nothing to check. */
 667         if (!isalnum(*fmt))
 668                 return;
 669 
 670         basetype = get_real_base_type(type);
 671         if (is_void_type(basetype))
 672                 return;
 673         /*
 674          * Passing a pointer-to-array is harmless, but most likely one
 675          * meant to pass pointer-to-first-element. If basetype is
 676          * array type, we issue a notice and "dereference" the types
 677          * once more.
 678          */
 679         if (basetype->type == SYM_ARRAY) {
 680                 spam("note: passing pointer-to-array; is the address-of redundant?");
 681                 type = basetype;
 682                 basetype = get_real_base_type(type);
 683         }
 684 
 685         /*
 686          * We pass both the type and the basetype to the helpers. If,
 687          * for example, the pointer is really a decayed array which is
 688          * passed to %pI4, we might want to check that it is in fact
 689          * an array of four bytes. But most are probably only
 690          * interested in whether the basetype makes sense. Also, the
 691          * pointer may carry some annotation such as __user which
 692          * might be worth checking in the handlers which actually
 693          * dereference the pointer.
 694          */
 695 
 696         switch (*fmt) {
 697         case 'b':
 698         case 'F':
 699         case 'f':
 700         case 'S':
 701         case 's':
 702         case 'B':
 703                 /* Can we do anything sensible? Check that the arg is a function pointer, for example? */
 704                 break;
 705 
 706         case 'R':
 707         case 'r':
 708                 resource_string(fmt, type, basetype, vaidx);
 709                 break;
 710         case 'M':
 711         case 'm':
 712                 mac_address_string(fmt, type, basetype, vaidx);
 713                 break;
 714         case 'I':
 715         case 'i':
 716                 switch (fmt[1]) {
 717                 case '4':
 718                         ip4(fmt, type, basetype, vaidx);
 719                         break;
 720                 case '6':
 721                         ip6(fmt, type, basetype, vaidx);
 722                         break;
 723                 case 'S':
 724                         ipS(fmt, type, basetype, vaidx);
 725                         break;
 726                 default:
 727                         sm_warning("'%%p%c' must be followed by one of [46S]", fmt[0]);
 728                         break;
 729                 }
 730                 break;
 731        /*
 732         * %pE and %ph can handle any valid pointer. We still check
 733         * whether all the subsequent alphanumerics are valid for the
 734         * particular %pX conversion.
 735         */
 736         case 'E':
 737                 escaped_string(fmt, type, basetype, vaidx);
 738                 break;
 739         case 'h':
 740                 hex_string(fmt, type, basetype, vaidx);
 741                 break;
 742         case 'U': /* TODO */
 743                 break;
 744         case 'V':
 745                 va_format(fmt, type, basetype, vaidx);
 746                 break;
 747         case 'K': /* TODO */
 748                 break;
 749         case 'N':
 750                 netdev_feature(fmt, type, basetype, vaidx);
 751                 break;
 752         case 'a':
 753                 address_val(fmt, type, basetype, vaidx);
 754                 break;
 755         case 'D':
 756         case 'd':
 757                 dentry_file(fmt, type, basetype, vaidx);
 758                 break;
 759         case 'C':
 760                 check_clock(fmt, type, basetype, vaidx);
 761                 break;
 762         case 'g':
 763                 block_device(fmt, type, basetype, vaidx);
 764                 break;
 765         case 'G':
 766                 flag_string(fmt, type, basetype, vaidx);
 767                 break;
 768         case 'O':
 769                 device_node_string(fmt, type, basetype, vaidx);
 770                 break;
 771         case 'x':
 772                 /* 'x' is for an unhashed pointer */
 773                 break;
 774         default:
 775                 sm_error("unrecognized %%p extension '%c', treated as normal %%p", *fmt);
 776         }
 777 }
 778 
 779 /*
 780  * A common error is to pass a "char" or "signed char" to %02x (or
 781  * %.2X or some other variant). This can actually be a security
 782  * problem, because a lot of code expects this to produce exactly two
 783  * characters of output. Unfortunately this also produces false
 784  * positives, since we're sometimes in arch-specific code on an arch
 785  * where char is always unsigned.
 786  */
 787 static void
 788 hexbyte(const char *fmt, int fmt_len, struct expression *arg, int vaidx, struct printf_spec spec)
 789 {
 790         struct symbol *type;
 791 
 792         /*
 793          * For now, just check the most common and obvious, which is
 794          * roughly %[.0]2[xX].
 795          */
 796         if (spec.field_width != 2 && spec.precision != 2)
 797                 return;
 798         if (spec.base != 16)
 799                 return;
 800 
 801         type = get_type(arg);
 802         if (!type) {
 803                 sm_warning("could not determine type of argument %d", vaidx);
 804                 return;
 805         }
 806         if (type == &char_ctype || type == &schar_ctype)
 807                 sm_warning("argument %d to %.*s specifier has type '%s'",
 808                        vaidx, fmt_len, fmt, type_to_str(type));
 809 }
 810 
 811 static int
 812 check_format_string(const char *fmt, const char *caller)
 813 {
 814         const char *f;
 815 
 816         for (f = fmt; *f; ++f) {
 817                 unsigned char c = *f;
 818                 switch (c) {
 819                 case KERN_SOH_ASCII:
 820                         /*
 821                          * This typically arises from bad conversion
 822                          * to pr_*, e.g. pr_warn(KERN_WARNING "something").
 823                          */
 824                         if (f != fmt)
 825                                 sm_warning("KERN_* level not at start of string");
 826                         /*
 827                          * In a very few cases, the level is actually
 828                          * computed and passed via %c, as in KERN_SOH
 829                          * "%c...". printk explicitly supports
 830                          * this.
 831                          */
 832                         if (!(('0' <= f[1] && f[1] <= '7') ||
 833                               f[1] == 'd' || /* KERN_DEFAULT */
 834                               f[1] == 'c' || /* KERN_CONT */
 835                               (f[1] == '%' && f[2] == 'c')))
 836                                 sm_warning("invalid KERN_* level: KERN_SOH_ASCII followed by '\\x%02x'", (unsigned char)f[1]);
 837                         break;
 838                 case '\t':
 839                 case '\n':
 840                 case '\r':
 841                 case 0x20 ... 0x7e:
 842                         break;
 843                 case 0x80 ... 0xff:
 844                         sm_warning("format string contains non-ascii character '\\x%02x'", c);
 845                         break;
 846                 case 0x08:
 847                         if (f == fmt)
 848                                 break;
 849                         /* fall through */
 850                 default:
 851                         sm_warning("format string contains unusual character '\\x%02x'", c);
 852                         break;
 853                 }
 854         }
 855 
 856         f = strstr(fmt, caller);
 857         if (f && strstr(f+1, caller))
 858                 sm_warning("format string contains name of enclosing function '%s' twice", caller);
 859 
 860         return f != NULL;
 861 }
 862 
 863 static int arg_is___func__(struct expression *arg)
 864 {
 865         if (arg->type != EXPR_SYMBOL)
 866                 return 0;
 867         return !strcmp(arg->symbol_name->name, "__func__") ||
 868                !strcmp(arg->symbol_name->name, "__FUNCTION__") ||
 869                !strcmp(arg->symbol_name->name, "__PRETTY_FUNCTION__");
 870 }
 871 static int arg_contains_caller(struct expression *arg, const char *caller)
 872 {
 873         if (arg->type != EXPR_STRING)
 874                 return 0;
 875         return strstr(arg->string->data, caller) != NULL;
 876 }
 877 
 878 static int is_array_of_const_char(struct symbol *sym)
 879 {
 880         struct symbol *base = sym->ctype.base_type;
 881         if (base->type != SYM_ARRAY)
 882                 return 0;
 883         if (!(base->ctype.modifiers & MOD_CONST))
 884                 return 0;
 885         if (!is_char_type(base->ctype.base_type)) {
 886                 spam("weird: format argument is array of const '%s'", type_to_str(base->ctype.base_type));
 887                 return 0;
 888         }
 889         return 1;
 890 }
 891 
 892 static int is_const_pointer_to_const_char(struct symbol *sym)
 893 {
 894         struct symbol *base = sym->ctype.base_type;
 895         if (!(sym->ctype.modifiers & MOD_CONST))
 896                 return 0;
 897         if (base->type != SYM_PTR)
 898                 return 0;
 899         if (!(base->ctype.modifiers & MOD_CONST))
 900                 return 0;
 901         if (!is_char_type(base->ctype.base_type)) {
 902                 spam("weird: format argument is pointer to const '%s'", type_to_str(base->ctype.base_type));
 903                 return 0;
 904         }
 905         return 1;
 906 }
 907 
 908 static int unknown_format(struct expression *expr)
 909 {
 910         struct state_list *slist;
 911 
 912         slist = get_strings(expr);
 913         if (!slist)
 914                 return 1;
 915         if (slist_has_state(slist, &undefined))
 916                 return 1;
 917         free_slist(&slist);
 918         return 0;
 919 }
 920 
 921 static bool has_hex_prefix(const char *orig_fmt, const char *old_fmt)
 922 {
 923         return old_fmt >= orig_fmt + 2 &&
 924                 old_fmt[-2] == '0' && _tolower(old_fmt[-1]) == 'x';
 925 }
 926 
 927 static bool is_integer_specifier(int type)
 928 {
 929         switch (type) {
 930         case FORMAT_TYPE_LONG_LONG:
 931         case FORMAT_TYPE_ULONG:
 932         case FORMAT_TYPE_LONG:
 933         case FORMAT_TYPE_UBYTE:
 934         case FORMAT_TYPE_BYTE:
 935         case FORMAT_TYPE_USHORT:
 936         case FORMAT_TYPE_SHORT:
 937         case FORMAT_TYPE_UINT:
 938         case FORMAT_TYPE_INT:
 939         case FORMAT_TYPE_SIZE_T:
 940         case FORMAT_TYPE_PTRDIFF:
 941                 return true;
 942         default:
 943                 return false;
 944         }
 945 }
 946 
 947 static int
 948 is_cast_expr(struct expression *expr)
 949 {
 950         if (!expr)
 951                 return 0;
 952 
 953         switch (expr->type) {
 954         case EXPR_CAST:
 955         case EXPR_FORCE_CAST:
 956                 /* not EXPR_IMPLIED_CAST for our purposes */
 957                 return 1;
 958         default:
 959                 return 0;
 960         }
 961 }
 962 
 963 static void
 964 check_cast_from_pointer(const char *fmt, int len, struct expression *arg, int va_idx)
 965 {
 966         /*
 967          * This can easily be fooled by passing 0+(long)ptr or doing
 968          * "long local_var = (long)ptr" and passing local_var to
 969          * %lx. Tough.
 970          */
 971         if (!is_cast_expr(arg))
 972                 return;
 973         while (is_cast_expr(arg))
 974                 arg = arg->cast_expression;
 975         if (is_ptr_type(get_final_type(arg)))
 976                 sm_warning("argument %d to %.*s specifier is cast from pointer",
 977                         va_idx, len, fmt);
 978 }
 979 
 980 static void
 981 do_check_printf_call(const char *caller, const char *name, struct expression *callexpr, struct expression *fmtexpr, int vaidx)
 982 {
 983         struct printf_spec spec = {0};
 984         const char *fmt, *orig_fmt;
 985         int caller_in_fmt;
 986 
 987         fmtexpr = strip_parens(fmtexpr);
 988         if (fmtexpr->type == EXPR_CONDITIONAL) {
 989                 do_check_printf_call(caller, name, callexpr, fmtexpr->cond_true ? : fmtexpr->conditional, vaidx);
 990                 do_check_printf_call(caller, name, callexpr, fmtexpr->cond_false, vaidx);
 991                 return;
 992         }
 993         if (fmtexpr->type == EXPR_SYMBOL) {
 994                 /*
 995                  * If the symbol has an initializer, we can handle
 996                  *
 997                  *   const char foo[] = "abc";         and
 998                  *   const char * const foo = "abc";
 999                  *
1000                  * We simply replace fmtexpr with the initializer
1001                  * expression. If foo is not one of the above, or if
1002                  * the initializer expression is somehow not a string
1003                  * literal, fmtexpr->type != EXPR_STRING will trigger
1004                  * below and we'll spam+return.
1005                  */
1006                 struct symbol *sym = fmtexpr->symbol;
1007                 if (sym && sym->initializer &&
1008                     (is_array_of_const_char(sym) ||
1009                      is_const_pointer_to_const_char(sym))) {
1010                         fmtexpr = strip_parens(sym->initializer);
1011                 }
1012         }
1013 
1014         if (fmtexpr->type != EXPR_STRING) {
1015                 if (!unknown_format(fmtexpr))
1016                         return;
1017                 /*
1018                  * Since we're now handling both ?: and static const
1019                  * char[] arguments, we don't get as much noise. It's
1020                  * still spammy, though.
1021                  */
1022                 spam("warn: call of '%s' with non-constant format argument", name);
1023                 return;
1024         }
1025 
1026         orig_fmt = fmt = fmtexpr->string->data;
1027         caller_in_fmt = check_format_string(fmt, caller);
1028 
1029         while (*fmt) {
1030                 const char *old_fmt = fmt;
1031                 int read = format_decode(fmt, &spec);
1032                 struct expression *arg;
1033 
1034                 fmt += read;
1035                 if (spec.type == FORMAT_TYPE_NONE ||
1036                     spec.type == FORMAT_TYPE_PERCENT_CHAR)
1037                         continue;
1038 
1039                 /*
1040                  * vaidx is currently the correct 0-based index for
1041                  * get_argument_from_call_expr. We post-increment it
1042                  * here so that it is the correct 1-based index for
1043                  * all the handlers below. This of course requires
1044                  * that we handle all FORMAT_TYPE_* things not taking
1045                  * an argument above.
1046                  */
1047                 arg = get_argument_from_call_expr(callexpr->args, vaidx++);
1048 
1049                 if (spec.flags & SPECIAL && has_hex_prefix(orig_fmt, old_fmt))
1050                         sm_warning("'%.2s' prefix is redundant when # flag is used", old_fmt-2);
1051                 if (is_integer_specifier(spec.type)) {
1052                         if (spec.base != 16 && has_hex_prefix(orig_fmt, old_fmt))
1053                                 sm_warning("'%.2s' prefix is confusing together with '%.*s' specifier",
1054                                        old_fmt-2, (int)(fmt-old_fmt), old_fmt);
1055 
1056                         check_cast_from_pointer(old_fmt, read, arg, vaidx);
1057                 }
1058 
1059                 switch (spec.type) {
1060                 /* case FORMAT_TYPE_NONE: */
1061                 /* case FORMAT_TYPE_PERCENT_CHAR: */
1062                 /*      break; */
1063 
1064                 case FORMAT_TYPE_INVALID:
1065                         sm_error("format specifier '%.*s' invalid", read, old_fmt);
1066                         return;
1067 
1068                 case FORMAT_TYPE_FLOAT:
1069                         sm_error("no floats in the kernel; invalid format specifier '%.*s'", read, old_fmt);
1070                         return;
1071 
1072                 case FORMAT_TYPE_NRCHARS:
1073                         sm_error("%%n not supported in kernel");
1074                         return;
1075 
1076                 case FORMAT_TYPE_WIDTH:
1077                 case FORMAT_TYPE_PRECISION:
1078                         /* check int argument */
1079                         break;
1080 
1081                 case FORMAT_TYPE_STR:
1082                         /*
1083                          * If the format string already contains the
1084                          * function name, it probably doesn't make
1085                          * sense to pass __func__ as well (or rather
1086                          * vice versa: If pr_fmt(fmt) has been defined
1087                          * to '"%s: " fmt, __func__', it doesn't make
1088                          * sense to use a format string containing the
1089                          * function name).
1090                          *
1091                          * This produces a lot of hits. They are not
1092                          * false positives, but it is easier to handle
1093                          * the things which don't occur that often
1094                          * first, so we use spam().
1095                          */
1096                         if (caller_in_fmt) {
1097                                 if (arg_is___func__(arg))
1098                                         spam("warn: passing __func__ while the format string already contains the name of the function '%s'",
1099                                              caller);
1100                                 else if (arg_contains_caller(arg, caller))
1101                                         sm_warning("passing string constant '%s' containing '%s' which is already part of the format string",
1102                                                arg->string->data, caller);
1103                         }
1104                         break;
1105 
1106                 case FORMAT_TYPE_PTR:
1107                         /* This is the most important part: Checking %p extensions. */
1108                         pointer(fmt, arg, vaidx);
1109                         while (isalnum(*fmt))
1110                                 fmt++;
1111                         break;
1112 
1113                 case FORMAT_TYPE_CHAR:
1114 
1115                 case FORMAT_TYPE_UBYTE:
1116                 case FORMAT_TYPE_BYTE:
1117                 case FORMAT_TYPE_USHORT:
1118                 case FORMAT_TYPE_SHORT:
1119                 case FORMAT_TYPE_INT:
1120                         /* argument should have integer type of width <= sizeof(int) */
1121                         break;
1122 
1123                 case FORMAT_TYPE_UINT:
1124                         hexbyte(old_fmt, fmt-old_fmt, arg, vaidx, spec);
1125                 case FORMAT_TYPE_LONG:
1126                 case FORMAT_TYPE_ULONG:
1127                 case FORMAT_TYPE_LONG_LONG:
1128                 case FORMAT_TYPE_PTRDIFF:
1129                 case FORMAT_TYPE_SIZE_T:
1130                         break;
1131                 }
1132 
1133 
1134         }
1135 
1136         if (get_argument_from_call_expr(callexpr->args, vaidx))
1137                 sm_warning("excess argument passed to '%s'", name);
1138 
1139 
1140 }
1141 
1142 static void
1143 check_printf_call(const char *name, struct expression *callexpr, void *_info)
1144 {
1145         /*
1146          * Note: attribute(printf) uses 1-based indexing, but
1147          * get_argument_from_call_expr() uses 0-based indexing.
1148          */
1149         int info = PTR_INT(_info);
1150         int fmtidx = (info & 0xff) - 1;
1151         int vaidx = ((info >> 8) & 0xff) - 1;
1152         struct expression *fmtexpr;
1153         const char *caller = get_function();
1154 
1155         if (!caller)
1156                 return;
1157 
1158         /*
1159          * Calling a v*printf function with a literal format arg is
1160          * extremely rare, so we don't bother doing the only checking
1161          * we could do, namely checking that the format string is
1162          * valid.
1163          */
1164         if (vaidx < 0)
1165                 return;
1166 
1167         /*
1168          * For the things we use the name of the calling function for,
1169          * it is more appropriate to skip a potential SyS_ prefix; the
1170          * same goes for leading underscores.
1171          */
1172         if (!strncmp(caller, "SyS_", 4))
1173                 caller += 4;
1174         while (*caller == '_')
1175                 ++caller;
1176 
1177         /* Lack of format argument is a bug. */
1178         fmtexpr = get_argument_from_call_expr(callexpr->args, fmtidx);
1179         if (!fmtexpr) {
1180                 sm_error("call of '%s' with no format argument", name);
1181                 return;
1182         }
1183 
1184         do_check_printf_call(caller, name, callexpr, fmtexpr, vaidx);
1185 }
1186 
1187 
1188 void check_kernel_printf(int id)
1189 {
1190         if (option_project != PROJ_KERNEL)
1191                 return;
1192 
1193         my_id = id;
1194 
1195 #define printf_hook(func, fmt, first_to_check)  \
1196         add_function_hook(#func, check_printf_call, INT_PTR(fmt + (first_to_check << 8)))
1197 
1198         /* Extracted using stupid perl script. */
1199 
1200 #if 0
1201         printf_hook(srm_printk, 1, 2);                    /* arch/alpha/include/asm/console.h */
1202         printf_hook(die_if_kernel, 1, 2);                 /* arch/frv/include/asm/bug.h */
1203         printf_hook(ia64_mca_printk, 1, 2);               /* arch/ia64/include/asm/mca.h */
1204         printf_hook(nfprint, 1, 2);                       /* arch/m68k/include/asm/natfeat.h */
1205         printf_hook(gdbstub_printk, 1, 2);                /* arch/mn10300/include/asm/gdb-stub.h */
1206         printf_hook(DBG, 1, 2);                           /* arch/powerpc/boot/ps3.c */
1207         printf_hook(printf, 1, 2);                        /* arch/powerpc/boot/stdio.h */
1208         printf_hook(udbg_printf, 1, 2);                   /* arch/powerpc/include/asm/udbg.h */
1209         printf_hook(__debug_sprintf_event, 3, 4);         /* arch/s390/include/asm/debug.h */
1210         printf_hook(__debug_sprintf_exception, 3, 4);     /* arch/s390/include/asm/debug.h */
1211         printf_hook(prom_printf, 1, 2);                   /* arch/sparc/include/asm/oplib_32.h */
1212 
1213         printf_hook(fail, 1, 2);                          /* arch/x86/vdso/vdso2c.c */
1214 #endif
1215 
1216         printf_hook(_ldm_printk, 3, 4);                   /* block/partitions/ldm.c */
1217         printf_hook(rbd_warn, 2, 3);                      /* drivers/block/rbd.c */
1218         printf_hook(fw_err, 2, 3);                        /* drivers/firewire/core.h */
1219         printf_hook(fw_notice, 2, 3);                     /* drivers/firewire/core.h */
1220         printf_hook(i915_error_printf, 2, 3);             /* drivers/gpu/drm/i915/i915_drv.h */
1221         printf_hook(i915_handle_error, 3, 4);             /* drivers/gpu/drm/i915/i915_drv.h */
1222         printf_hook(nv_printk_, 3, 4);                    /* drivers/gpu/drm/nouveau/core/include/core/printk.h */
1223         printf_hook(host1x_debug_output, 2, 3);           /* drivers/gpu/host1x/debug.h */
1224         printf_hook(callc_debug, 2, 3);                   /* drivers/isdn/hisax/callc.c */
1225         printf_hook(link_debug, 3, 4);                    /* drivers/isdn/hisax/callc.c */
1226         printf_hook(HiSax_putstatus, 3, 4);               /* drivers/isdn/hisax/hisax.h */
1227         printf_hook(VHiSax_putstatus, 3, 0);              /* drivers/isdn/hisax/hisax.h */
1228         printf_hook(debugl1, 2, 3);                       /* drivers/isdn/hisax/isdnl1.h */
1229         printf_hook(l3m_debug, 2, 3);                     /* drivers/isdn/hisax/isdnl3.c */
1230         printf_hook(dout_debug, 2, 3);                    /* drivers/isdn/hisax/st5481_d.c */
1231         printf_hook(l1m_debug, 2, 3);                     /* drivers/isdn/hisax/st5481_d.c */
1232         printf_hook(bch_cache_set_error, 2, 3);           /* drivers/md/bcache/bcache.h */
1233         printf_hook(_tda_printk, 4, 5);                   /* drivers/media/tuners/tda18271-priv.h */
1234         printf_hook(i40evf_debug_d, 3, 4);                /* drivers/net/ethernet/intel/i40evf/i40e_osdep.h */
1235         printf_hook(en_print, 3, 4);                      /* drivers/net/ethernet/mellanox/mlx4/mlx4_en.h */
1236         printf_hook(_ath_dbg, 3, 4);                      /* drivers/net/wireless/ath/ath.h */
1237         printf_hook(ath_printk, 3, 4);                    /* drivers/net/wireless/ath/ath.h */
1238         printf_hook(ath10k_dbg, 3, 4);                    /* drivers/net/wireless/ath/ath10k/debug.h */
1239         printf_hook(ath10k_err, 2, 3);                    /* drivers/net/wireless/ath/ath10k/debug.h */
1240         printf_hook(ath10k_info, 2, 3);                   /* drivers/net/wireless/ath/ath10k/debug.h */
1241         printf_hook(ath10k_warn, 2, 3);                   /* drivers/net/wireless/ath/ath10k/debug.h */
1242         printf_hook(_ath5k_printk, 3, 4);                 /* drivers/net/wireless/ath/ath5k/ath5k.h */
1243         printf_hook(ATH5K_DBG, 3, 4);                     /* drivers/net/wireless/ath/ath5k/debug.h */
1244         printf_hook(ATH5K_DBG_UNLIMIT, 3, 4);             /* drivers/net/wireless/ath/ath5k/debug.h */
1245         printf_hook(ath6kl_printk, 2, 3);                 /* drivers/net/wireless/ath/ath6kl/common.h */
1246         printf_hook(ath6kl_err, 1, 2);                    /* drivers/net/wireless/ath/ath6kl/debug.h */
1247         printf_hook(ath6kl_info, 1, 2);                   /* drivers/net/wireless/ath/ath6kl/debug.h */
1248         printf_hook(ath6kl_warn, 1, 2);                   /* drivers/net/wireless/ath/ath6kl/debug.h */
1249         printf_hook(wil_dbg_trace, 2, 3);                 /* drivers/net/wireless/ath/wil6210/wil6210.h */
1250         printf_hook(wil_err, 2, 3);                       /* drivers/net/wireless/ath/wil6210/wil6210.h */
1251         printf_hook(wil_err_ratelimited, 2, 3);           /* drivers/net/wireless/ath/wil6210/wil6210.h */
1252         printf_hook(wil_info, 2, 3);                      /* drivers/net/wireless/ath/wil6210/wil6210.h */
1253         printf_hook(b43dbg, 2, 3);                        /* drivers/net/wireless/b43/b43.h */
1254         printf_hook(b43err, 2, 3);                        /* drivers/net/wireless/b43/b43.h */
1255         printf_hook(b43info, 2, 3);                       /* drivers/net/wireless/b43/b43.h */
1256         printf_hook(b43warn, 2, 3);                       /* drivers/net/wireless/b43/b43.h */
1257         printf_hook(b43legacydbg, 2, 3);                  /* drivers/net/wireless/b43legacy/b43legacy.h */
1258         printf_hook(b43legacyerr, 2, 3);                  /* drivers/net/wireless/b43legacy/b43legacy.h */
1259         printf_hook(b43legacyinfo, 2, 3);                 /* drivers/net/wireless/b43legacy/b43legacy.h */
1260         printf_hook(b43legacywarn, 2, 3);                 /* drivers/net/wireless/b43legacy/b43legacy.h */
1261         printf_hook(__brcmf_dbg, 3, 4);                   /* drivers/net/wireless/brcm80211/brcmfmac/debug.h */
1262         printf_hook(__brcmf_err, 2, 3);                   /* drivers/net/wireless/brcm80211/brcmfmac/debug.h */
1263         printf_hook(__brcms_crit, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1264         printf_hook(__brcms_dbg, 4, 5);                   /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1265         printf_hook(__brcms_err, 2, 3);                   /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1266         printf_hook(__brcms_info, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1267         printf_hook(__brcms_warn, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1268         printf_hook(brcmu_dbg_hex_dump, 3, 4);            /* drivers/net/wireless/brcm80211/include/brcmu_utils.h */
1269         printf_hook(__iwl_crit, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1270         printf_hook(__iwl_dbg, 5, 6);                     /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1271         printf_hook(__iwl_err, 4, 5);                     /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1272         printf_hook(__iwl_info, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1273         printf_hook(__iwl_warn, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1274         printf_hook(rsi_dbg, 2, 3);                       /* drivers/net/wireless/rsi/rsi_main.h */
1275         printf_hook(RTPRINT, 4, 5);                       /* drivers/net/wireless/rtlwifi/debug.h */
1276         printf_hook(RT_ASSERT, 2, 3);                     /* drivers/net/wireless/rtlwifi/debug.h */
1277         printf_hook(RT_TRACE, 4, 5);                      /* drivers/net/wireless/rtlwifi/debug.h */
1278         printf_hook(__of_node_dup, 2, 3);                 /* drivers/of/of_private.h */
1279         printf_hook(BNX2FC_HBA_DBG, 2, 3);                /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1280         printf_hook(BNX2FC_IO_DBG, 2, 3);                 /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1281         printf_hook(BNX2FC_TGT_DBG, 2, 3);                /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1282         printf_hook(ql_dbg, 4, 5);                        /* drivers/scsi/qla2xxx/qla_dbg.h */
1283         printf_hook(ql_dbg_pci, 4, 5);                    /* drivers/scsi/qla2xxx/qla_dbg.h */
1284         printf_hook(ql_log, 4, 5);                        /* drivers/scsi/qla2xxx/qla_dbg.h */
1285         printf_hook(ql_log_pci, 4, 5);                    /* drivers/scsi/qla2xxx/qla_dbg.h */
1286         printf_hook(libcfs_debug_msg, 2, 3);              /* drivers/staging/lustre/include/linux/libcfs/libcfs_debug.h */
1287         printf_hook(libcfs_debug_vmsg2, 4, 5);            /* drivers/staging/lustre/include/linux/libcfs/libcfs_debug.h */
1288         printf_hook(_ldlm_lock_debug, 3, 4);              /* drivers/staging/lustre/lustre/include/lustre_dlm.h */
1289         printf_hook(_debug_req, 3, 4);                    /* drivers/staging/lustre/lustre/include/lustre_net.h */
1290         printf_hook(iscsi_change_param_sprintf, 2, 3);    /* drivers/target/iscsi/iscsi_target_login.c */
1291         printf_hook(dbg, 1, 2);                           /* drivers/tty/serial/samsung.c */
1292         printf_hook(_usb_stor_dbg, 2, 3);                 /* drivers/usb/storage/debug.h */
1293         printf_hook(usb_stor_dbg, 2, 3);                  /* drivers/usb/storage/debug.h */
1294         printf_hook(vringh_bad, 1, 2);                    /* drivers/vhost/vringh.c */
1295         printf_hook(__adfs_error, 3, 4);                  /* fs/adfs/adfs.h */
1296         printf_hook(affs_error, 3, 4);                    /* fs/affs/affs.h */
1297         printf_hook(affs_warning, 3, 4);                  /* fs/affs/affs.h */
1298         printf_hook(befs_debug, 2, 3);                    /* fs/befs/befs.h */
1299         printf_hook(befs_error, 2, 3);                    /* fs/befs/befs.h */
1300         printf_hook(befs_warning, 2, 3);                  /* fs/befs/befs.h */
1301         printf_hook(__btrfs_panic, 5, 6);                 /* fs/btrfs/ctree.h */
1302         printf_hook(__btrfs_std_error, 5, 6);             /* fs/btrfs/ctree.h */
1303         printf_hook(btrfs_printk, 2, 3);                  /* fs/btrfs/ctree.h */
1304         printf_hook(cifs_vfs_err, 1, 2);                  /* fs/cifs/cifs_debug.h */
1305         printf_hook(__ecryptfs_printk, 1, 2);             /* fs/ecryptfs/ecryptfs_kernel.h */
1306         printf_hook(ext2_error, 3, 4);                    /* fs/ext2/ext2.h */
1307         printf_hook(ext2_msg, 3, 4);                      /* fs/ext2/ext2.h */
1308         printf_hook(ext3_abort, 3, 4);                    /* fs/ext3/ext3.h */
1309         printf_hook(ext3_error, 3, 4);                    /* fs/ext3/ext3.h */
1310         printf_hook(ext3_msg, 3, 4);                      /* fs/ext3/ext3.h */
1311         printf_hook(ext3_warning, 3, 4);                  /* fs/ext3/ext3.h */
1312         printf_hook(__ext4_abort, 4, 5);                  /* fs/ext4/ext4.h */
1313         printf_hook(__ext4_error, 4, 5);                  /* fs/ext4/ext4.h */
1314         printf_hook(__ext4_error_file, 5, 6);             /* fs/ext4/ext4.h */
1315         printf_hook(__ext4_error_inode, 5, 6);            /* fs/ext4/ext4.h */
1316         printf_hook(__ext4_grp_locked_error, 7, 8);       /* fs/ext4/ext4.h */
1317         printf_hook(__ext4_msg, 3, 4);                    /* fs/ext4/ext4.h */
1318         printf_hook(__ext4_warning, 4, 5);                /* fs/ext4/ext4.h */
1319         printf_hook(f2fs_msg, 3, 4);                      /* fs/f2fs/f2fs.h */
1320         printf_hook(__fat_fs_error, 3, 4);                /* fs/fat/fat.h */
1321         printf_hook(fat_msg, 3, 4);                       /* fs/fat/fat.h */
1322         printf_hook(gfs2_print_dbg, 2, 3);                /* fs/gfs2/glock.h */
1323         printf_hook(gfs2_lm_withdraw, 2, 3);              /* fs/gfs2/util.h */
1324         printf_hook(hpfs_error, 2, 3);                    /* fs/hpfs/hpfs_fn.h */
1325         printf_hook(jfs_error, 2, 3);                     /* fs/jfs/jfs_superblock.h */
1326         printf_hook(nilfs_error, 3, 4);                   /* fs/nilfs2/nilfs.h */
1327         printf_hook(nilfs_warning, 3, 4);                 /* fs/nilfs2/nilfs.h */
1328         printf_hook(__ntfs_debug, 4, 5);                  /* fs/ntfs/debug.h */
1329         printf_hook(__ntfs_error, 3, 4);                  /* fs/ntfs/debug.h */
1330         printf_hook(__ntfs_warning, 3, 4);                /* fs/ntfs/debug.h */
1331         printf_hook(__ocfs2_abort, 3, 4);                 /* fs/ocfs2/super.h */
1332         printf_hook(__ocfs2_error, 3, 4);                 /* fs/ocfs2/super.h */
1333         printf_hook(_udf_err, 3, 4);                      /* fs/udf/udfdecl.h */
1334         printf_hook(_udf_warn, 3, 4);                     /* fs/udf/udfdecl.h */
1335         printf_hook(ufs_error, 3, 4);                     /* fs/ufs/ufs.h */
1336         printf_hook(ufs_panic, 3, 4);                     /* fs/ufs/ufs.h */
1337         printf_hook(ufs_warning, 3, 4);                   /* fs/ufs/ufs.h */
1338         printf_hook(xfs_alert, 2, 3);                     /* fs/xfs/xfs_message.h */
1339         printf_hook(xfs_alert_tag, 3, 4);                 /* fs/xfs/xfs_message.h */
1340         printf_hook(xfs_crit, 2, 3);                      /* fs/xfs/xfs_message.h */
1341         printf_hook(xfs_debug, 2, 3);                     /* fs/xfs/xfs_message.h */
1342         printf_hook(xfs_emerg, 2, 3);                     /* fs/xfs/xfs_message.h */
1343         printf_hook(xfs_err, 2, 3);                       /* fs/xfs/xfs_message.h */
1344         printf_hook(xfs_info, 2, 3);                      /* fs/xfs/xfs_message.h */
1345         printf_hook(xfs_notice, 2, 3);                    /* fs/xfs/xfs_message.h */
1346         printf_hook(xfs_warn, 2, 3);                      /* fs/xfs/xfs_message.h */
1347         printf_hook(warn_slowpath_fmt, 3, 4);             /* include/asm-generic/bug.h */
1348         printf_hook(warn_slowpath_fmt_taint, 4, 5);       /* include/asm-generic/bug.h */
1349         printf_hook(drm_err, 1, 2);                       /* include/drm/drmP.h */
1350         printf_hook(drm_ut_debug_printk, 2, 3);           /* include/drm/drmP.h */
1351         printf_hook(__acpi_handle_debug, 3, 4);           /* include/linux/acpi.h */
1352         printf_hook(acpi_handle_printk, 3, 4);            /* include/linux/acpi.h */
1353         printf_hook(audit_log, 4, 5);                     /* include/linux/audit.h */
1354         printf_hook(audit_log_format, 2, 3);              /* include/linux/audit.h */
1355         printf_hook(bdi_register, 3, 4);                  /* include/linux/backing-dev.h */
1356         printf_hook(__trace_note_message, 2, 3);          /* include/linux/blktrace_api.h */
1357         printf_hook(_dev_info, 2, 3);                     /* include/linux/device.h */
1358         printf_hook(dev_alert, 2, 3);                     /* include/linux/device.h */
1359         printf_hook(dev_crit, 2, 3);                      /* include/linux/device.h */
1360         printf_hook(dev_emerg, 2, 3);                     /* include/linux/device.h */
1361         printf_hook(dev_err, 2, 3);                       /* include/linux/device.h */
1362         printf_hook(dev_notice, 2, 3);                    /* include/linux/device.h */
1363         printf_hook(dev_printk, 3, 4);                    /* include/linux/device.h */
1364         printf_hook(dev_printk_emit, 3, 4);               /* include/linux/device.h */
1365         printf_hook(dev_set_name, 2, 3);                  /* include/linux/device.h */
1366         printf_hook(dev_vprintk_emit, 3, 0);              /* include/linux/device.h */
1367         printf_hook(dev_warn, 2, 3);                      /* include/linux/device.h */
1368         printf_hook(device_create, 5, 6);                 /* include/linux/device.h */
1369         printf_hook(device_create_with_groups, 6, 7);     /* include/linux/device.h */
1370         printf_hook(devm_kasprintf, 3, 4);                /* include/linux/device.h */
1371         printf_hook(__dynamic_dev_dbg, 3, 4);             /* include/linux/dynamic_debug.h */
1372         printf_hook(__dynamic_netdev_dbg, 3, 4);          /* include/linux/dynamic_debug.h */
1373         printf_hook(__dynamic_pr_debug, 2, 3);            /* include/linux/dynamic_debug.h */
1374         printf_hook(__simple_attr_check_format, 1, 2);    /* include/linux/fs.h */
1375         printf_hook(fscache_init_cache, 3, 4);            /* include/linux/fscache-cache.h */
1376         printf_hook(gameport_set_phys, 2, 3);             /* include/linux/gameport.h */
1377         printf_hook(iio_trigger_alloc, 1, 2);             /* include/linux/iio/trigger.h */
1378         printf_hook(__check_printsym_format, 1, 2);       /* include/linux/kallsyms.h */
1379         printf_hook(kdb_printf, 1, 2);                    /* include/linux/kdb.h */
1380         printf_hook(vkdb_printf, 1, 0);                   /* include/linux/kdb.h */
1381         printf_hook(____trace_printk_check_format, 1, 2);  /* include/linux/kernel.h */
1382         printf_hook(__trace_bprintk, 2, 3);               /* include/linux/kernel.h */
1383         printf_hook(__trace_printk, 2, 3);                /* include/linux/kernel.h */
1384         printf_hook(kasprintf, 2, 3);                     /* include/linux/kernel.h */
1385         printf_hook(panic, 1, 2);                         /* include/linux/kernel.h */
1386         printf_hook(scnprintf, 3, 4);                     /* include/linux/kernel.h */
1387         printf_hook(snprintf, 3, 4);                      /* include/linux/kernel.h */
1388         printf_hook(sprintf, 2, 3);                       /* include/linux/kernel.h */
1389         printf_hook(trace_printk, 1, 2);                  /* include/linux/kernel.h */
1390         printf_hook(vscnprintf, 3, 0);                    /* include/linux/kernel.h */
1391         printf_hook(vsnprintf, 3, 0);                     /* include/linux/kernel.h */
1392         printf_hook(vsprintf, 2, 0);                      /* include/linux/kernel.h */
1393         printf_hook(vmcoreinfo_append_str, 1, 2);         /* include/linux/kexec.h */
1394         printf_hook(__request_module, 2, 3);              /* include/linux/kmod.h */
1395         printf_hook(add_uevent_var, 2, 3);                /* include/linux/kobject.h */
1396         printf_hook(kobject_add, 3, 4);                   /* include/linux/kobject.h */
1397         printf_hook(kobject_init_and_add, 4, 5);          /* include/linux/kobject.h */
1398         printf_hook(kobject_set_name, 2, 3);              /* include/linux/kobject.h */
1399         printf_hook(kthread_create_on_node, 4, 5);        /* include/linux/kthread.h */
1400         printf_hook(__ata_ehi_push_desc, 2, 3);           /* include/linux/libata.h */
1401         printf_hook(ata_dev_printk, 3, 4);                /* include/linux/libata.h */
1402         printf_hook(ata_ehi_push_desc, 2, 3);             /* include/linux/libata.h */
1403         printf_hook(ata_link_printk, 3, 4);               /* include/linux/libata.h */
1404         printf_hook(ata_port_desc, 2, 3);                 /* include/linux/libata.h */
1405         printf_hook(ata_port_printk, 3, 4);               /* include/linux/libata.h */
1406         printf_hook(warn_alloc_failed, 3, 4);             /* include/linux/mm.h */
1407         printf_hook(mmiotrace_printk, 1, 2);              /* include/linux/mmiotrace.h */
1408         printf_hook(netdev_alert, 2, 3);                  /* include/linux/netdevice.h */
1409         printf_hook(netdev_crit, 2, 3);                   /* include/linux/netdevice.h */
1410         printf_hook(netdev_emerg, 2, 3);                  /* include/linux/netdevice.h */
1411         printf_hook(netdev_err, 2, 3);                    /* include/linux/netdevice.h */
1412         printf_hook(netdev_info, 2, 3);                   /* include/linux/netdevice.h */
1413         printf_hook(netdev_notice, 2, 3);                 /* include/linux/netdevice.h */
1414         printf_hook(netdev_printk, 3, 4);                 /* include/linux/netdevice.h */
1415         printf_hook(netdev_warn, 2, 3);                   /* include/linux/netdevice.h */
1416         printf_hook(early_printk, 1, 2);                  /* include/linux/printk.h */
1417         printf_hook(no_printk, 1, 2);                     /* include/linux/printk.h */
1418         printf_hook(printk, 1, 2);                        /* include/linux/printk.h */
1419         printf_hook(printk_deferred, 1, 2);               /* include/linux/printk.h */
1420         printf_hook(printk_emit, 5, 6);                   /* include/linux/printk.h */
1421         printf_hook(vprintk, 1, 0);                       /* include/linux/printk.h */
1422         printf_hook(vprintk_emit, 5, 0);                  /* include/linux/printk.h */
1423         printf_hook(__quota_error, 3, 4);                 /* include/linux/quotaops.h */
1424         printf_hook(seq_buf_printf, 2, 3);                /* include/linux/seq_buf.h */
1425         printf_hook(seq_buf_vprintf, 2, 0);               /* include/linux/seq_buf.h */
1426         printf_hook(seq_printf, 2, 3);                    /* include/linux/seq_file.h */
1427         printf_hook(seq_vprintf, 2, 0);                   /* include/linux/seq_file.h */
1428         printf_hook(bprintf, 3, 4);                       /* include/linux/string.h */
1429         printf_hook(trace_seq_printf, 2, 3);              /* include/linux/trace_seq.h */
1430         printf_hook(trace_seq_vprintf, 2, 0);             /* include/linux/trace_seq.h */
1431         printf_hook(__alloc_workqueue_key, 1, 6);         /* include/linux/workqueue.h */
1432         printf_hook(set_worker_desc, 1, 2);               /* include/linux/workqueue.h */
1433         printf_hook(_p9_debug, 3, 4);                     /* include/net/9p/9p.h */
1434         printf_hook(bt_err, 1, 2);                        /* include/net/bluetooth/bluetooth.h */
1435         printf_hook(bt_info, 1, 2);                       /* include/net/bluetooth/bluetooth.h */
1436         printf_hook(nf_ct_helper_log, 3, 4);              /* include/net/netfilter/nf_conntrack_helper.h */
1437         printf_hook(nf_log_buf_add, 2, 3);                /* include/net/netfilter/nf_log.h */
1438         printf_hook(nf_log_packet, 8, 9);                 /* include/net/netfilter/nf_log.h */
1439         printf_hook(SOCK_DEBUG, 2, 3);                    /* include/net/sock.h */
1440         printf_hook(__snd_printk, 4, 5);                  /* include/sound/core.h */
1441         printf_hook(_snd_printd, 2, 3);                   /* include/sound/core.h */
1442         printf_hook(snd_printd, 1, 2);                    /* include/sound/core.h */
1443         printf_hook(snd_printdd, 1, 2);                   /* include/sound/core.h */
1444         printf_hook(snd_iprintf, 2, 3);                   /* include/sound/info.h */
1445         printf_hook(snd_seq_create_kernel_client, 3, 4);  /* include/sound/seq_kernel.h */
1446         printf_hook(xen_raw_printk, 1, 2);                /* include/xen/hvc-console.h */
1447         printf_hook(xenbus_dev_error, 3, 4);              /* include/xen/xenbus.h */
1448         printf_hook(xenbus_dev_fatal, 3, 4);              /* include/xen/xenbus.h */
1449         printf_hook(xenbus_printf, 4, 5);                 /* include/xen/xenbus.h */
1450         printf_hook(xenbus_watch_pathfmt, 4, 5);          /* include/xen/xenbus.h */
1451         printf_hook(batadv_fdebug_log, 2, 3);             /* net/batman-adv/debugfs.c */
1452         printf_hook(_batadv_dbg, 4, 5);                   /* net/batman-adv/main.h */
1453         printf_hook(batadv_debug_log, 2, 3);              /* net/batman-adv/main.h */
1454         printf_hook(__sdata_dbg, 2, 3);                   /* net/mac80211/debug.h */
1455         printf_hook(__sdata_err, 1, 2);                   /* net/mac80211/debug.h */
1456         printf_hook(__sdata_info, 1, 2);                  /* net/mac80211/debug.h */
1457         printf_hook(__wiphy_dbg, 3, 4);                   /* net/mac80211/debug.h */
1458         printf_hook(mac80211_format_buffer, 4, 5);        /* net/mac80211/debugfs.h */
1459         printf_hook(__rds_conn_error, 2, 3);              /* net/rds/rds.h */
1460         printf_hook(rdsdebug, 1, 2);                      /* net/rds/rds.h */
1461         printf_hook(printl, 1, 2);                        /* net/sctp/probe.c */
1462         printf_hook(svc_printk, 2, 3);                    /* net/sunrpc/svc.c */
1463         printf_hook(tomoyo_io_printf, 2, 3);              /* security/tomoyo/common.c */
1464         printf_hook(tomoyo_supervisor, 2, 3);             /* security/tomoyo/common.h */
1465         printf_hook(tomoyo_write_log, 2, 3);              /* security/tomoyo/common.h */
1466         printf_hook(cmp_error, 2, 3);                     /* sound/firewire/cmp.c */
1467 }