24 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
25
26 /* 8017 is USER_DATA and 9017 is USER_DATA_SET */
27 delete from caller_info where function = 'dev_hard_start_xmit' and type = 8017;
28 delete from return_states where function='vscnprintf' and type = 9017;
29 delete from return_states where function='scnprintf' and type = 9017;
30 delete from return_states where function='vsnprintf' and type = 9017;
31 delete from return_states where function='snprintf' and type = 9017;
32 delete from return_states where function='sprintf' and type = 9017;
33 delete from return_states where function='vscnprintf' and type = 8017;
34 delete from return_states where function='scnprintf' and type = 8017;
35 delete from return_states where function='vsnprintf' and type = 8017;
36 delete from return_states where function='snprintf' and type = 8017;
37 delete from return_states where function='sprintf' and type = 8017;
38 /* There is something setting skb->sk->sk_mark and friends to user_data and */
39 /* because of recursion it gets passed to everything and is impossible to debug */
40 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
41 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;
42 delete from caller_info where function = '(struct packet_type)->func' and type = 8017;
43 delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;
44 delete from caller_info where caller = 'NF_HOOK_COND' and type = 8017;
45 delete from caller_info where caller = 'NF_HOOK' and type = 8017;
46 /* comparison doesn't deal with chunks, I guess. */
47 delete from return_states where function='get_tty_driver' and type = 8017;
48 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
49 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
50 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
51 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
52 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
53
54 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 0, '\$', '1');
55 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 1, '\$', '1');
56 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 2, '\$', '1');
57
58 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
59
60 /*
61 * rw_verify_area is a very central function for the kernel. The 1000000000
62 * isn't accurate but I've picked it so that we can add "pos + count" without
63 * wrapping on 32 bits.
64 */
65 delete from return_states where function = 'rw_verify_area';
66 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0, -1, '', '');
67 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104, 2, '*\$', '0-1000000000');
68 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3, '\$', '0-1000000000');
69 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');
70
71 delete from return_states where function = 'is_kernel_rodata';
72 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0, -1, '', '');
157 delete from return_states where function = 'atomic_sub' and (type = 8023 or type = 8024);
158 delete from return_states where function = 'refcount_add_not_zero' and (type = 8023 or type = 8024);
159 delete from return_states where function = 'refcount_inc_not_zero' and (type = 8023 or type = 8024);
160 delete from return_states where function = 'refcount_sub_and_test' and (type = 8023 or type = 8024);
161
162 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
163 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
164
165 /* delete some function pointers which are sometimes byte units */
166 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
167
168 /* this if from READ_ONCE(). We can't know anything about the data. */
169 delete from type_info where key = '(union anonymous)->__val';
170
171 /* This is RIO_BAD_SIZE */
172 delete from return_states where file = 'drivers/rapidio/rio-access.c' and return = '129';
173
174 /* Smatch sucks at loops */
175 delete from return_states where function = 'ata_dev_next' and type = 103;
176
177 EOF
178
179 # fixme: this is totally broken
180 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 $db_file)
181 for id in $call_id ; do
182 echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 8017, 1, '*\$', '');" | sqlite3 $db_file
183 done
184
185 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
186 echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
187 done
188
189 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
190 | sqlite3 $db_file | sed -e 's/|/ /' | while read file function ; do
191
192 drv=$(echo $file | perl -ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
193 if [ $drv = "" ] ; then
194 continue
195 fi
196
|
24 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
25
26 /* 8017 is USER_DATA and 9017 is USER_DATA_SET */
27 delete from caller_info where function = 'dev_hard_start_xmit' and type = 8017;
28 delete from return_states where function='vscnprintf' and type = 9017;
29 delete from return_states where function='scnprintf' and type = 9017;
30 delete from return_states where function='vsnprintf' and type = 9017;
31 delete from return_states where function='snprintf' and type = 9017;
32 delete from return_states where function='sprintf' and type = 9017;
33 delete from return_states where function='vscnprintf' and type = 8017;
34 delete from return_states where function='scnprintf' and type = 8017;
35 delete from return_states where function='vsnprintf' and type = 8017;
36 delete from return_states where function='snprintf' and type = 8017;
37 delete from return_states where function='sprintf' and type = 8017;
38 /* There is something setting skb->sk->sk_mark and friends to user_data and */
39 /* because of recursion it gets passed to everything and is impossible to debug */
40 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
41 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;
42 delete from caller_info where function = '(struct packet_type)->func' and type = 8017;
43 delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;
44 delete from caller_info where type = 8017 and key = '*\$->bi_private';
45 delete from caller_info where type = 8017 and key = '\$->bi_private';
46 delete from caller_info where caller = 'NF_HOOK_COND' and type = 8017;
47 delete from caller_info where caller = 'NF_HOOK' and type = 8017;
48 /* comparison doesn't deal with chunks, I guess. */
49 delete from return_states where function='get_tty_driver' and type = 8017;
50 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
51 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
52 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
53 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
54 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
55 delete from caller_info where function = 'iomap_apply' and type = 8017 and key = '*\$';
56
57 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 0, '\$', '1');
58 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 1, '\$', '1');
59 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 2, '\$', '1');
60
61 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
62
63 /*
64 * rw_verify_area is a very central function for the kernel. The 1000000000
65 * isn't accurate but I've picked it so that we can add "pos + count" without
66 * wrapping on 32 bits.
67 */
68 delete from return_states where function = 'rw_verify_area';
69 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0, -1, '', '');
70 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104, 2, '*\$', '0-1000000000');
71 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3, '\$', '0-1000000000');
72 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');
73
74 delete from return_states where function = 'is_kernel_rodata';
75 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0, -1, '', '');
160 delete from return_states where function = 'atomic_sub' and (type = 8023 or type = 8024);
161 delete from return_states where function = 'refcount_add_not_zero' and (type = 8023 or type = 8024);
162 delete from return_states where function = 'refcount_inc_not_zero' and (type = 8023 or type = 8024);
163 delete from return_states where function = 'refcount_sub_and_test' and (type = 8023 or type = 8024);
164
165 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
166 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
167
168 /* delete some function pointers which are sometimes byte units */
169 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
170
171 /* this if from READ_ONCE(). We can't know anything about the data. */
172 delete from type_info where key = '(union anonymous)->__val';
173
174 /* This is RIO_BAD_SIZE */
175 delete from return_states where file = 'drivers/rapidio/rio-access.c' and return = '129';
176
177 /* Smatch sucks at loops */
178 delete from return_states where function = 'ata_dev_next' and type = 103;
179
180 /* The problem is that parsing big function pointers is hard. */
181 delete from return_states where function = 'vfs_get_tree' and type = 1024;
182
183 EOF
184
185 # fixme: this is totally broken
186 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 $db_file)
187 for id in $call_id ; do
188 echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 8017, 1, '*\$', '');" | sqlite3 $db_file
189 done
190
191 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
192 echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
193 done
194
195 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
196 | sqlite3 $db_file | sed -e 's/|/ /' | while read file function ; do
197
198 drv=$(echo $file | perl -ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
199 if [ $drv = "" ] ; then
200 continue
201 fi
202
|
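Review bot: The two added `bi_private` deletes (new lines 44-45) match only on `type = 8017` and `key`, with no `function` or `caller` condition, so they remove USER_DATA records for every callee in caller_info whose argument has a `bi_private` member. The `(struct bio)->bi_end_io` delete just above already covers the completion callback, so these presumably target other functions. Because type 8017 rows are how user-controlled values are tracked into callees (per the comment at line 26), a table-wide delete can hide real findings as well as noise. If only a few callees produced the false positives, add `and function = '<callee>'` per callee; otherwise record the reasoning in a comment such as `/* bi_private is an opaque pointer set by the bio submitter; treating it as user data floods every completion path */`, if that is indeed the reason. The added `iomap_apply` delete (new line 55) has no explanatory comment either, unlike most neighbouring entries, and would benefit from one line saying which warning it silences.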