12166 resync smatch to 0.6.1-rc1-il-3
--- old/usr/src/tools/smatch/src/smatch_data/db/fixup_kernel.sh
+++ new/usr/src/tools/smatch/src/smatch_data/db/fixup_kernel.sh
1 1 #!/bin/bash
2 2
3 3 db_file=$1
4 4 cat << EOF | sqlite3 $db_file
5 5 /* we only care about the main ->read/write() functions. */
6 6 delete from caller_info where function = '(struct file_operations)->read' and file != 'fs/read_write.c';
7 7 delete from caller_info where function = '(struct file_operations)->write' and file != 'fs/read_write.c';
8 8 delete from caller_info where function = '(struct file_operations)->read' and caller != '__vfs_read';
9 9 delete from caller_info where function = '(struct file_operations)->write' and caller != '__vfs_write';
10 10 delete from function_ptr where function = '(struct file_operations)->read';
11 11 delete from function_ptr where function = '(struct file_operations)->write';
12 12 delete from caller_info where function = '__vfs_write' and caller != 'vfs_write';
13 13 delete from caller_info where function = '__vfs_read' and caller != 'vfs_read';
14 14 delete from caller_info where function = '(struct file_operations)->write' and caller = 'do_loop_readv_writev';
15 15 delete from caller_info where function = 'do_splice_from' and caller = 'direct_splice_actor';
16 16
17 17 /* delete these function pointers which cause false positives */
18 18 delete from caller_info where function = '(struct file_operations)->open' and type != 0;
19 19 delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
20 20 delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
21 21 delete from caller_info where function = '(struct irq_router)->get' and type != 0;
22 22 delete from caller_info where function = '(struct irq_router)->set' and type != 0;
23 23 delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
24 24 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
25 25
26 26 /* 8017 is USER_DATA and 9017 is USER_DATA_SET */
27 27 delete from caller_info where function = 'dev_hard_start_xmit' and type = 8017;
28 28 delete from return_states where function='vscnprintf' and type = 9017;
29 29 delete from return_states where function='scnprintf' and type = 9017;
30 30 delete from return_states where function='vsnprintf' and type = 9017;
31 31 delete from return_states where function='snprintf' and type = 9017;
32 32 delete from return_states where function='sprintf' and type = 9017;
33 33 delete from return_states where function='vscnprintf' and type = 8017;
34 34 delete from return_states where function='scnprintf' and type = 8017;
35 35 delete from return_states where function='vsnprintf' and type = 8017;
36 36 delete from return_states where function='snprintf' and type = 8017;
37 37 delete from return_states where function='sprintf' and type = 8017;
38 38 /* There is something setting skb->sk->sk_mark and friends to user_data and */
39 39 /* because of recursion it gets passed to everything and is impossible to debug */
40 40 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
41 41 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;
42 42 delete from caller_info where function = '(struct packet_type)->func' and type = 8017;
43 43 delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;
44 44 delete from caller_info where type = 8017 and key = '*\$->bi_private';
45 45 delete from caller_info where type = 8017 and key = '\$->bi_private';
46 46 delete from caller_info where caller = 'NF_HOOK_COND' and type = 8017;
47 47 delete from caller_info where caller = 'NF_HOOK' and type = 8017;
48 48 /* comparison doesn't deal with chunks, I guess. */
49 49 delete from return_states where function='get_tty_driver' and type = 8017;
50 50 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
51 51 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
52 52 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
53 53 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
54 54 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
55 55 delete from caller_info where function = 'iomap_apply' and type = 8017 and key = '*\$';
56 56
57 57 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 0, '\$', '1');
58 58 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 1, '\$', '1');
59 59 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 2, '\$', '1');
60 60
61 61 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
62 62
63 63 /*
64 64 * rw_verify_area is a very central function for the kernel. The 1000000000
65 65 * isn't accurate but I've picked it so that we can add "pos + count" without
66 66 * wrapping on 32 bits.
67 67 */
68 68 delete from return_states where function = 'rw_verify_area';
69 69 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0, -1, '', '');
70 70 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104, 2, '*\$', '0-1000000000');
71 71 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3, '\$', '0-1000000000');
72 72 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');
73 73
74 74 delete from return_states where function = 'is_kernel_rodata';
75 75 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0, -1, '', '');
76 76 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 103, 0, '\$', '4096-ptr_max');
77 77 insert into return_states values ('faked', 'is_kernel_rodata', 0, 2, '0', 0, 0, -1, '', '');
78 78
79 79 /*
80 80 * Other kmalloc hacking.
81 81 */
82 82 delete from return_states where function = 'vmalloc';
83 83 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0, 0, -1, '', '');
84 84 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0, 103, 0, '\$', '1-128000000');
85 85 insert into return_states values ('faked', 'vmalloc', 0, 2, '0', 0, 0, -1, '', '');
86 86
87 87 delete from return_states where function = 'ksize';
88 88 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 0, -1, '', '');
89 89 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 103, 0, '\$', '16');
90 90 insert into return_states values ('faked', 'ksize', 0, 2, '1-4000000', 0, 0, -1, '', '');
91 91
92 92 /* store a bunch of capped functions */
93 93 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_to_user';
94 94 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_to_user';
95 95 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_to_user';
96 96 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_from_user';
97 97 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_from_user';
98 98 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_from_user';
99 99
100 100 update return_states set return = '0-8' where function = '__arch_hweight8';
101 101 update return_states set return = '0-16' where function = '__arch_hweight16';
102 102 update return_states set return = '0-32' where function = '__arch_hweight32';
103 103 update return_states set return = '0-64' where function = '__arch_hweight64';
104 104
105 105 /*
106 106 * Preserve the value across byte swapping. By the time we use it for math it
107 107 * will be byte swapped back to CPU endian.
108 108 */
109 109 update return_states set return = '0-u64max[==\$0]' where function = '__fswab64';
110 110 update return_states set return = '0-u32max[==\$0]' where function = '__fswab32';
111 111 update return_states set return = '0-u16max[==\$0]' where function = '__fswab16';
112 112 update return_states set return = '0-u64max[==\$0]' where function = '__builtin_bswap64';
113 113 update return_states set return = '0-u32max[==\$0]' where function = '__builtin_bswap32';
114 114 update return_states set return = '0-u16max[==\$0]' where function = '__builtin_bswap16';
115 115
116 116 delete from return_states where function = 'bitmap_allocate_region' and return = '1';
117 117 /* Just delete a lot of returns that everyone ignores */
118 118 delete from return_states where file = 'drivers/pci/access.c' and (return >= 129 and return <= 137);
119 119
120 120 /* Smatch can't parse wait_for_completion() */
121 121 update return_states set return = '(-108),(-22),0' where function = '__spi_sync' and return = '(-115),(-108),(-22)';
122 122
123 123 delete from caller_info where caller = '__kernel_write';
124 124
125 125 /* We sometimes use pre-allocated 4097 byte buffers for performance critical code but pretend it is always PAGE_SIZE */
126 126 update caller_info set value = 4096 where caller='kernfs_file_direct_read' and function='(struct kernfs_ops)->read' and type = 1002 and parameter = 1;
127 127 /* let's pretend firewire doesn't exist */
128 128 delete from caller_info where caller='init_fw_attribute_group' and function='(struct device_attribute)->show';
129 129 /* and let's fake the next dev_attr_show() call entirely */
130 130 delete from caller_info where caller='sysfs_kf_seq_show' and function='(struct sysfs_ops)->show';
131 131 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 0, '\$', '4096-ptr_max');
132 132 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1002, 2, '\$', '4096');
133 133 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 2, '\$', '4096-ptr_max');
134 134 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 0, -1, '' , '');
135 135 /* config fs confuses smatch a little */
136 136 update caller_info set value = 4096 where caller='fill_read_buffer' and function='(struct configfs_item_operations)->show_attribute' and type = 1002 and parameter = 2;
137 137
138 138 /* smatch sees the memset() but not the subsequent changes */
139 139 update return_states set value = "" where function = 'gfs2_ea_find' and return = '0' and type = 101 and parameter = 3;
140 140
141 141 delete from type_value where type = '(struct fd)->file';
142 142 delete from type_value where type = '(struct fd)->flags';
143 143
144 144 /* This is sometimes an enum or a u64 */
145 145 delete from type_value where type = '(struct mc_cmd_header)->status';
146 146
147 147 /* this is handled in check_kernel.c */
148 148 delete from return_states where function = "__write_once_size";
149 149
150 150 update return_states set value = "s32min-s32max[\$1]" where function = 'atomic_set' and parameter = 0 and type = 1025;
151 151
152 152 /* handled in the check itself */
153 153 delete from return_states where function = 'atomic_inc_return' and (type = 8023 or type = 8024);
154 154 delete from return_states where function = 'atomic_add_return' and (type = 8023 or type = 8024);
155 155 delete from return_states where function = 'atomic_sub_return' and (type = 8023 or type = 8024);
156 156 delete from return_states where function = 'atomic_sub_and_test' and (type = 8023 or type = 8024);
157 157 delete from return_states where function = 'atomic_dec_and_test' and (type = 8023 or type = 8024);
158 158 delete from return_states where function = 'atomic_dec' and (type = 8023 or type = 8024);
159 159 delete from return_states where function = 'atomic_inc' and (type = 8023 or type = 8024);
160 160 delete from return_states where function = 'atomic_sub' and (type = 8023 or type = 8024);
161 161 delete from return_states where function = 'refcount_add_not_zero' and (type = 8023 or type = 8024);
162 162 delete from return_states where function = 'refcount_inc_not_zero' and (type = 8023 or type = 8024);
163 163 delete from return_states where function = 'refcount_sub_and_test' and (type = 8023 or type = 8024);
164 164
165 165 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
166 166 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
167 167
168 168 /* delete some function pointers which are sometimes byte units */
169 169 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
170 170
171 171 /* this if from READ_ONCE(). We can't know anything about the data. */
172 172 delete from type_info where key = '(union anonymous)->__val';
173 173
174 174 /* This is RIO_BAD_SIZE */
175 175 delete from return_states where file = 'drivers/rapidio/rio-access.c' and return = '129';
176 176
177 177 /* Smatch sucks at loops */
178 178 delete from return_states where function = 'ata_dev_next' and type = 103;
179 179
180 180 /* The problem is that parsing big function pointers is hard. */
181 181 delete from return_states where function = 'vfs_get_tree' and type = 1024;
182 182
183 +/* Locking stuff goes here. */
184 +update return_states set parameter = -1, key = '\$' where function = 'ipmi_ssif_lock_cond' and type = 8020 and parameter = 1;
185 +update return_states set parameter = 1, key = '\$->tree->tree_lock' where function = 'hfs_find_init' and type = 8020 and parameter = 0;
186 +delete from return_states where function = '__oom_kill_process' and type = 8021;
187 +
183 188 EOF
184 189
185 190 # fixme: this is totally broken
186 191 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 $db_file)
187 192 for id in $call_id ; do
188 193 echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 8017, 1, '*\$', '');" | sqlite3 $db_file
189 194 done
190 195
191 196 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
192 197 echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
193 198 done
194 199
195 200 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
196 201 | sqlite3 $db_file | sed -e 's/|/ /' | while read file function ; do
197 202
198 203 drv=$(echo $file | perl -ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
199 204 if [ $drv = "" ] ; then
200 205 continue
201 206 fi
202 207
203 208 echo "update caller_info
204 209 set function = '$drv (struct rtl_hal_ops)->set_hw_reg'
205 210 where function = '(struct rtl_hal_ops)->set_hw_reg' and file like 'drivers/net/wireless/rtlwifi/$drv/%';" \
206 211 | sqlite3 $db_file
207 212
208 213 echo "insert into function_ptr values ('$file', '$function', '$drv (struct rtl_hal_ops)->set_hw_reg', 1);" \
209 214 | sqlite3 $db_file
210 215 done
211 216
212 217
213 218 for func in __kmalloc __kmalloc_track_caller ; do
214 219
215 220 cat << EOF | sqlite3 $db_file
216 221 delete from return_states where function = '$func';
217 222 insert into return_states values ('faked', '$func', 0, 1, '16', 0, 0, -1, '', '');
218 223 insert into return_states values ('faked', '$func', 0, 1, '16', 0, 103, 0, '\$', '0');
219 224 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 0, -1, '', '');
220 225 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 103, 0, '\$', '1-4000000');
221 226 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 1037, -1, '', 400);
222 227 insert into return_states values ('faked', '$func', 0, 3, '0', 0, 0, -1, '', '');
223 228 insert into return_states values ('faked', '$func', 0, 3, '0', 0, 103, 0, '\$', '1-long_max');
224 229 EOF
225 230 done