11506 smatch resync


   6 delete from caller_info where function = '(struct file_operations)->read' and file != 'fs/read_write.c';
   7 delete from caller_info where function = '(struct file_operations)->write' and file != 'fs/read_write.c';
   8 delete from caller_info where function = '(struct file_operations)->read' and caller != '__vfs_read';
   9 delete from caller_info where function = '(struct file_operations)->write' and caller != '__vfs_write';
  10 delete from function_ptr where function = '(struct file_operations)->read';
  11 delete from function_ptr where function = '(struct file_operations)->write';
  12 delete from caller_info where function = '__vfs_write' and caller != 'vfs_write';
  13 delete from caller_info where function = '__vfs_read' and caller != 'vfs_read';
  14 delete from caller_info where function = '(struct file_operations)->write' and caller = 'do_loop_readv_writev';
  15 delete from caller_info where function = 'do_splice_from' and caller = 'direct_splice_actor';
  16 
  17 /* delete these function pointers which cause false positives */
  18 delete from caller_info where function = '(struct file_operations)->open' and type != 0;
  19 delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
  20 delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
  21 delete from caller_info where function = '(struct irq_router)->get' and type != 0;
  22 delete from caller_info where function = '(struct irq_router)->set' and type != 0;
  23 delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
  24 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
  25 
  26 /* type 1003 is USER_DATA */
  27 delete from caller_info where caller = 'hid_input_report' and type = 1003;
  28 delete from caller_info where caller = 'nes_process_iwarp_aeqe' and type = 1003;
  29 delete from caller_info where caller = 'oz_process_ep0_urb' and type = 1003;
  30 delete from caller_info where function = 'dev_hard_start_xmit' and key = '\$' and type = 1003;
  31 delete from caller_info where function like '%->ndo_start_xmit' and key = '\$' and type = 1003;
  32 delete from caller_info where caller = 'packet_rcv_fanout' and function = '(struct packet_type)->func' and parameter = 1 and type = 1003;
  33 delete from caller_info where caller = 'hptiop_probe' and type = 1003;
  34 delete from caller_info where caller = 'p9_fd_poll' and function = '(struct file_operations)->poll' and type = 1003;
  35 delete from caller_info where caller = 'proc_reg_poll' and function = 'proc_reg_poll ptr poll' and type = 1003;
  36 delete from caller_info where function = 'blkdev_ioctl' and type = 1003 and parameter = 0 and key = '\$';
  37 /* 9017 is USER_DATA3_SET */
  38 delete from return_states where function='vscnprintf' and type = 9017;
  39 delete from return_states where function='scnprintf' and type = 9017;
  40 delete from return_states where function='vsnprintf' and type = 9017;
  41 delete from return_states where function='snprintf' and type = 9017;
  42 delete from return_states where function='sprintf' and type = 9017;
  43 delete from return_states where function='vscnprintf' and type = 8017;
  44 delete from return_states where function='scnprintf' and type = 8017;
  45 delete from return_states where function='vsnprintf' and type = 8017;
  46 delete from return_states where function='snprintf' and type = 8017;
  47 delete from return_states where function='sprintf' and type = 8017;
  48 /* There is something setting skb->sk->sk_mark and friends to user_data and */
  49 /* because of recursion it gets passed to everything and is impossible to debug */
  50 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
  51 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;




  52 /* comparison doesn't deal with chunks, I guess.  */
  53 delete from return_states where function='get_tty_driver' and type = 8017;
  54 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
  55 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
  56 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
  57 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
  58 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
  59 
  60 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 0, '\$', '1');
  61 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 1, '\$', '1');
  62 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 2, '\$', '1');
  63 
  64 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
  65 
  66 /*
  67  * rw_verify_area is a very central function for the kernel.  The 1000000000
  68  * isn't accurate but I've picked it so that we can add "pos + count" without
  69  * wrapping on 32 bits.
  70  */
  71 delete from return_states where function = 'rw_verify_area';
  72 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0,   -1,      '', '');
  73 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104,  2, '*\$', '0-1000000000');
  74 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3,  '\$', '0-1000000000');
  75 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)',     0, 0,   -1,      '', '');
  76 
  77 delete from return_states where function = 'is_kernel_rodata';
  78 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0,   -1,  '', '');
  79 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 103,  0,  '\$', '100000000-177777777');
  80 insert into return_states values ('faked', 'is_kernel_rodata', 0, 2, '0', 0, 0,   -1,  '', '');
  81 
  82 /*
  83  * I am a bad person for doing this to __kmalloc() which is a very deep function
  84  * and can easily be removed instead of to kmalloc().  But kmalloc() is an
  85  * inline function so it ends up being recorded thousands of times in the
  86  * database.  Doing this is easier.
  87  *
  88  */
  89 delete from return_states where function = '__kmalloc';
  90 insert into return_states values ('faked', '__kmalloc', 0, 1, '16', 0,    0,  -1, '', '');
  91 insert into return_states values ('faked', '__kmalloc', 0, 1, '16', 0, 103,   0, '\$', '0');
  92 insert into return_states values ('faked', '__kmalloc', 0, 2, '0,500000000-577777777', 0,    0, -1, '', '');
  93 insert into return_states values ('faked', '__kmalloc', 0, 2, '0,500000000-577777777', 0, 103,  0, '\$', '1-4000000');
  94 insert into return_states values ('faked', '__kmalloc', 0, 2, '0,500000000-577777777', 0, 1037,  -1, '', 400);
  95 insert into return_states values ('faked', '__kmalloc', 0, 3, '0', 0,    0,  -1, '', '');
  96 insert into return_states values ('faked', '__kmalloc', 0, 3, '0', 0,    103,  0, '\$', '4000000-long_max');
  97 
  98 /*
  99  * Other kmalloc hacking.
 100  */
 101 update return_states set return = '0,500000000-577777777' where function = 'kmalloc_slab' and return = 's64min-s64max';
 102 update return_states set return = '0,500000000-577777777' where function = 'slab_alloc_node' and return = 's64min-s64max';
 103 update return_states set return = '0,500000000-577777777' where function = 'kmalloc_large' and return != '0';
 104 update return_states set return = '0,500000000-577777777' where function = 'kmalloc_order_trace' and return != '0';
 105 
 106 delete from return_states where function = 'vmalloc';
 107 insert into return_states values ('faked', 'vmalloc', 0, 1, '0,600000000-677777777', 0,    0, -1, '', '');
 108 insert into return_states values ('faked', 'vmalloc', 0, 1, '0,600000000-677777777', 0, 103,  0, '\$', '1-128000000');
 109 insert into return_states values ('faked', 'vmalloc', 0, 2, '0', 0,    0,  -1, '', '');
 110 
 111 delete from return_states where function = 'ksize';
 112 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0,    0, -1, '', '');
 113 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 103,  0, '\$', '16');
 114 insert into return_states values ('faked', 'ksize', 0, 2, '1-4000000', 0,    0,  -1, '', '');
 115 
 116 /* store a bunch of capped functions */
 117 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_to_user';
 118 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_to_user';
 119 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_to_user';
 120 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_from_user';
 121 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_from_user';
 122 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_from_user';
 123 
 124 update return_states set return = '0-8' where function = '__arch_hweight8';
 125 update return_states set return = '0-16' where function = '__arch_hweight16';
 126 update return_states set return = '0-32' where function = '__arch_hweight32';
 127 update return_states set return = '0-64' where function = '__arch_hweight64';
 128 
 129 /*
 130  * Preserve the value across byte swapping.  By the time we use it for math it
 131  * will be byte swapped back to CPU endian.
 132  */
 133 update return_states set return = '0-u64max[==\$0]' where function = '__fswab64';
 134 update return_states set return = '0-u32max[==\$0]' where function = '__fswab32';
 135 update return_states set return = '0-u16max[==\$0]' where function = '__fswab16';
 136 update return_states set return = '0-u64max[==\$0]' where function = '__builtin_bswap64';
 137 update return_states set return = '0-u32max[==\$0]' where function = '__builtin_bswap32';
 138 update return_states set return = '0-u16max[==\$0]' where function = '__builtin_bswap16';
 139 
 140 delete from return_states where function = 'bitmap_allocate_region' and return = '1';
 141 /* Just delete a lot of returns that everyone ignores */
 142 delete from return_states where file = 'drivers/pci/access.c' and (return >= 129 and return <= 137);
 143 
 144 update return_states set return = '(-4095)-s32max[<=\$1]' where function = 'get_user_pages' and return = 's32min-s32max';
 145 update return_states set return = '(-4095)-s64max[<=\$1]' where function = 'get_user_pages' and return = 's64min-s64max';
 146 
 147 /* Smatch can't parse wait_for_completion() */
 148 update return_states set return = '(-108),(-22),0' where function = '__spi_sync' and return = '(-115),(-108),(-22)';
 149 
 150 delete from caller_info where caller = '__kernel_write';
 151 
 152 /* We sometimes use pre-allocated 4097 byte buffers for performance critical code but pretend it is always PAGE_SIZE */
 153 update caller_info set value = 4096 where caller='kernfs_file_direct_read' and function='(struct kernfs_ops)->read' and type = 1002 and parameter = 1;
 154 /* let's pretend firewire doesn't exist */
 155 delete from caller_info where caller='init_fw_attribute_group' and function='(struct device_attribute)->show';
 156 /* and let's fake the next dev_attr_show() call entirely */
 157 delete from caller_info where caller='sysfs_kf_seq_show' and function='(struct sysfs_ops)->show';
 158 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 0, '\$', '4096-2117777777777777777');
 159 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1002, 2, '\$', '4096');
 160 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 2, '\$', '4096-2117777777777777777');
 161 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 0,   -1, ''  , '');
 162 /* config fs confuses smatch a little */
 163 update caller_info set value = 4096 where caller='fill_read_buffer' and function='(struct configfs_item_operations)->show_attribute' and type = 1002 and parameter = 2;
 164 
 165 /* smatch sees the memset() but not the subsequent changes */
 166 update return_states set value = "" where function = 'gfs2_ea_find' and return = '0' and type = 101 and parameter = 3;
 167 
 168 delete from type_value where type = '(struct fd)->file';
 169 delete from type_value where type = '(struct fd)->flags';
 170 
 171 /* This is sometimes an enum or a u64 */
 172 delete from type_value where type = '(struct mc_cmd_header)->status';
 173 
 174 /* this is handled in check_kernel.c */
 175 delete from return_states where function = "__write_once_size";
 176 
 177 update return_states set value = "s32min-s32max[\$1]" where function = 'atomic_set' and parameter = 0 and type = 1025;
 178 
 179 /* handled in the check itself */
 180 delete from return_states where function = 'atomic_inc_return' and (type = 8023 or type = 8024);
 181 delete from return_states where function = 'atomic_add_return' and (type = 8023 or type = 8024);
 182 delete from return_states where function = 'atomic_sub_return' and (type = 8023 or type = 8024);
 183 delete from return_states where function = 'atomic_sub_and_test' and (type = 8023 or type = 8024);
 184 delete from return_states where function = 'atomic_dec_and_test' and (type = 8023 or type = 8024);
 185 delete from return_states where function = 'atomic_dec' and (type = 8023 or type = 8024);
 186 delete from return_states where function = 'atomic_inc' and (type = 8023 or type = 8024);
 187 delete from return_states where function = 'atomic_sub' and (type = 8023 or type = 8024);
 188 delete from return_states where function = 'refcount_add_not_zero' and (type = 8023 or type = 8024);
 189 delete from return_states where function = 'refcount_inc_not_zero' and (type = 8023 or type = 8024);
 190 delete from return_states where function = 'refcount_sub_and_test' and (type = 8023 or type = 8024);
 191 
 192 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
 193 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
 194 
 195 /* delete some function pointers which are sometimes byte units */
 196 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
 197 
 198 /* this if from READ_ONCE().  We can't know anything about the data.  */
 199 delete from type_info where key = '(union anonymous)->__val';
 200 






 201 EOF
 202 
 203 # fixme: this is totally broken
 204 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 $db_file)
 205 for id in $call_id ; do
 206     echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 1003, 1, '*\$', '');" | sqlite3 $db_file
 207 done
 208 
 209 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
 210     echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
 211 done
 212 
 213 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
 214         | sqlite3 $db_file | sed -e 's/|/ /' | while read file function ; do
 215 
 216     drv=$(echo $file | perl -ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
 217     if [ $drv = "" ] ; then
 218         continue
 219     fi
 220 
 221     echo "update caller_info
 222           set function = '$drv (struct rtl_hal_ops)->set_hw_reg'
 223           where function = '(struct rtl_hal_ops)->set_hw_reg' and file like 'drivers/net/wireless/rtlwifi/$drv/%';" \
 224          | sqlite3 $db_file
 225 
 226     echo "insert into function_ptr values ('$file', '$function', '$drv (struct rtl_hal_ops)->set_hw_reg', 1);" \
 227          | sqlite3 $db_file
 228 done
 229 
















   6 delete from caller_info where function = '(struct file_operations)->read' and file != 'fs/read_write.c';
   7 delete from caller_info where function = '(struct file_operations)->write' and file != 'fs/read_write.c';
   8 delete from caller_info where function = '(struct file_operations)->read' and caller != '__vfs_read';
   9 delete from caller_info where function = '(struct file_operations)->write' and caller != '__vfs_write';
  10 delete from function_ptr where function = '(struct file_operations)->read';
  11 delete from function_ptr where function = '(struct file_operations)->write';
  12 delete from caller_info where function = '__vfs_write' and caller != 'vfs_write';
  13 delete from caller_info where function = '__vfs_read' and caller != 'vfs_read';
  14 delete from caller_info where function = '(struct file_operations)->write' and caller = 'do_loop_readv_writev';
  15 delete from caller_info where function = 'do_splice_from' and caller = 'direct_splice_actor';
  16 
  17 /* delete these function pointers which cause false positives */
  18 delete from caller_info where function = '(struct file_operations)->open' and type != 0;
  19 delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
  20 delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
  21 delete from caller_info where function = '(struct irq_router)->get' and type != 0;
  22 delete from caller_info where function = '(struct irq_router)->set' and type != 0;
  23 delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
  24 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
  25 
  26 /* 8017 is USER_DATA and  9017 is USER_DATA_SET */
  27 delete from caller_info where function = 'dev_hard_start_xmit' and type = 8017;










  28 delete from return_states where function='vscnprintf' and type = 9017;
  29 delete from return_states where function='scnprintf' and type = 9017;
  30 delete from return_states where function='vsnprintf' and type = 9017;
  31 delete from return_states where function='snprintf' and type = 9017;
  32 delete from return_states where function='sprintf' and type = 9017;
  33 delete from return_states where function='vscnprintf' and type = 8017;
  34 delete from return_states where function='scnprintf' and type = 8017;
  35 delete from return_states where function='vsnprintf' and type = 8017;
  36 delete from return_states where function='snprintf' and type = 8017;
  37 delete from return_states where function='sprintf' and type = 8017;
  38 /* There is something setting skb->sk->sk_mark and friends to user_data and */
  39 /* because of recursion it gets passed to everything and is impossible to debug */
  40 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
  41 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;
  42 delete from caller_info where function = '(struct packet_type)->func' and type = 8017;
  43 delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;
  44 delete from caller_info where caller = 'NF_HOOK_COND' and type = 8017;
  45 delete from caller_info where caller = 'NF_HOOK' and type = 8017;
  46 /* comparison doesn't deal with chunks, I guess.  */
  47 delete from return_states where function='get_tty_driver' and type = 8017;
  48 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
  49 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
  50 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
  51 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
  52 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
  53 
  54 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 0, '\$', '1');
  55 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 1, '\$', '1');
  56 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 2, '\$', '1');
  57 
  58 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
  59 
  60 /*
  61  * rw_verify_area is a very central function for the kernel.  The 1000000000
  62  * isn't accurate but I've picked it so that we can add "pos + count" without
  63  * wrapping on 32 bits.
  64  */
  65 delete from return_states where function = 'rw_verify_area';
  66 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0,   -1,      '', '');
  67 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104,  2, '*\$', '0-1000000000');
  68 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3,  '\$', '0-1000000000');
  69 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)',     0, 0,   -1,      '', '');
  70 
  71 delete from return_states where function = 'is_kernel_rodata';
  72 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0,   -1,  '', '');
  73 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 103,  0,  '\$', '4096-ptr_max');
  74 insert into return_states values ('faked', 'is_kernel_rodata', 0, 2, '0', 0, 0,   -1,  '', '');
  75 
  76 /*
















  77  * Other kmalloc hacking.
  78  */





  79 delete from return_states where function = 'vmalloc';
  80 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0,    0, -1, '', '');
  81 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0, 103,  0, '\$', '1-128000000');
  82 insert into return_states values ('faked', 'vmalloc', 0, 2, '0', 0,    0,  -1, '', '');
  83 
  84 delete from return_states where function = 'ksize';
  85 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0,    0, -1, '', '');
  86 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 103,  0, '\$', '16');
  87 insert into return_states values ('faked', 'ksize', 0, 2, '1-4000000', 0,    0,  -1, '', '');
  88 
  89 /* store a bunch of capped functions */
  90 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_to_user';
  91 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_to_user';
  92 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_to_user';
  93 update return_states set return = '0-u32max[<=\$2]' where function = 'copy_from_user';
  94 update return_states set return = '0-u32max[<=\$2]' where function = '_copy_from_user';
  95 update return_states set return = '0-u32max[<=\$2]' where function = '__copy_from_user';
  96 
  97 update return_states set return = '0-8' where function = '__arch_hweight8';
  98 update return_states set return = '0-16' where function = '__arch_hweight16';
  99 update return_states set return = '0-32' where function = '__arch_hweight32';
 100 update return_states set return = '0-64' where function = '__arch_hweight64';
 101 
 102 /*
 103  * Preserve the value across byte swapping.  By the time we use it for math it
 104  * will be byte swapped back to CPU endian.
 105  */
 106 update return_states set return = '0-u64max[==\$0]' where function = '__fswab64';
 107 update return_states set return = '0-u32max[==\$0]' where function = '__fswab32';
 108 update return_states set return = '0-u16max[==\$0]' where function = '__fswab16';
 109 update return_states set return = '0-u64max[==\$0]' where function = '__builtin_bswap64';
 110 update return_states set return = '0-u32max[==\$0]' where function = '__builtin_bswap32';
 111 update return_states set return = '0-u16max[==\$0]' where function = '__builtin_bswap16';
 112 
 113 delete from return_states where function = 'bitmap_allocate_region' and return = '1';
 114 /* Just delete a lot of returns that everyone ignores */
 115 delete from return_states where file = 'drivers/pci/access.c' and (return >= 129 and return <= 137);
 116 



 117 /* Smatch can't parse wait_for_completion() */
 118 update return_states set return = '(-108),(-22),0' where function = '__spi_sync' and return = '(-115),(-108),(-22)';
 119 
 120 delete from caller_info where caller = '__kernel_write';
 121 
 122 /* We sometimes use pre-allocated 4097 byte buffers for performance critical code but pretend it is always PAGE_SIZE */
 123 update caller_info set value = 4096 where caller='kernfs_file_direct_read' and function='(struct kernfs_ops)->read' and type = 1002 and parameter = 1;
 124 /* let's pretend firewire doesn't exist */
 125 delete from caller_info where caller='init_fw_attribute_group' and function='(struct device_attribute)->show';
 126 /* and let's fake the next dev_attr_show() call entirely */
 127 delete from caller_info where caller='sysfs_kf_seq_show' and function='(struct sysfs_ops)->show';
 128 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 0, '\$', '4096-ptr_max');
 129 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1002, 2, '\$', '4096');
 130 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 2, '\$', '4096-ptr_max');
 131 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 0,   -1, ''  , '');
 132 /* config fs confuses smatch a little */
 133 update caller_info set value = 4096 where caller='fill_read_buffer' and function='(struct configfs_item_operations)->show_attribute' and type = 1002 and parameter = 2;
 134 
 135 /* smatch sees the memset() but not the subsequent changes */
 136 update return_states set value = "" where function = 'gfs2_ea_find' and return = '0' and type = 101 and parameter = 3;
 137 
 138 delete from type_value where type = '(struct fd)->file';
 139 delete from type_value where type = '(struct fd)->flags';
 140 
 141 /* This is sometimes an enum or a u64 */
 142 delete from type_value where type = '(struct mc_cmd_header)->status';
 143 
 144 /* this is handled in check_kernel.c */
 145 delete from return_states where function = "__write_once_size";
 146 
 147 update return_states set value = "s32min-s32max[\$1]" where function = 'atomic_set' and parameter = 0 and type = 1025;
 148 
 149 /* handled in the check itself */
 150 delete from return_states where function = 'atomic_inc_return' and (type = 8023 or type = 8024);
 151 delete from return_states where function = 'atomic_add_return' and (type = 8023 or type = 8024);
 152 delete from return_states where function = 'atomic_sub_return' and (type = 8023 or type = 8024);
 153 delete from return_states where function = 'atomic_sub_and_test' and (type = 8023 or type = 8024);
 154 delete from return_states where function = 'atomic_dec_and_test' and (type = 8023 or type = 8024);
 155 delete from return_states where function = 'atomic_dec' and (type = 8023 or type = 8024);
 156 delete from return_states where function = 'atomic_inc' and (type = 8023 or type = 8024);
 157 delete from return_states where function = 'atomic_sub' and (type = 8023 or type = 8024);
 158 delete from return_states where function = 'refcount_add_not_zero' and (type = 8023 or type = 8024);
 159 delete from return_states where function = 'refcount_inc_not_zero' and (type = 8023 or type = 8024);
 160 delete from return_states where function = 'refcount_sub_and_test' and (type = 8023 or type = 8024);
 161 
 162 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
 163 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
 164 
 165 /* delete some function pointers which are sometimes byte units */
 166 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
 167 
 168 /* this if from READ_ONCE().  We can't know anything about the data.  */
 169 delete from type_info where key = '(union anonymous)->__val';
 170 
 171 /* This is RIO_BAD_SIZE */
 172 delete from return_states where file = 'drivers/rapidio/rio-access.c' and return = '129';
 173 
 174 /* Smatch sucks at loops */
 175 delete from return_states where function = 'ata_dev_next' and type = 103;
 176 
 177 EOF
 178 
 179 # fixme: this is totally broken
 180 call_id=$(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3 $db_file)
 181 for id in $call_id ; do
 182     echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 8017, 1, '*\$', '');" | sqlite3 $db_file
 183 done
 184 
 185 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
 186     echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
 187 done
 188 
 189 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
 190         | sqlite3 $db_file | sed -e 's/|/ /' | while read file function ; do
 191 
 192     drv=$(echo $file | perl -ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
 193     if [ $drv = "" ] ; then
 194         continue
 195     fi
 196 
 197     echo "update caller_info
 198           set function = '$drv (struct rtl_hal_ops)->set_hw_reg'
 199           where function = '(struct rtl_hal_ops)->set_hw_reg' and file like 'drivers/net/wireless/rtlwifi/$drv/%';" \
 200          | sqlite3 $db_file
 201 
 202     echo "insert into function_ptr values ('$file', '$function', '$drv (struct rtl_hal_ops)->set_hw_reg', 1);" \
 203          | sqlite3 $db_file
 204 done
 205 
 206 
 207 for func in __kmalloc __kmalloc_track_caller ; do
 208 
 209     cat << EOF | sqlite3 $db_file
 210 delete from return_states where function = '$func';
 211 insert into return_states values ('faked', '$func', 0, 1, '16', 0,    0,  -1, '', '');
 212 insert into return_states values ('faked', '$func', 0, 1, '16', 0, 103,   0, '\$', '0');
 213 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0,    0, -1, '', '');
 214 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 103,  0, '\$', '1-4000000');
 215 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 1037,  -1, '', 400);
 216 insert into return_states values ('faked', '$func', 0, 3, '0', 0,    0,  -1, '', '');
 217 insert into return_states values ('faked', '$func', 0, 3, '0', 0,    103,  0, '\$', '1-long_max');
 218 EOF
 219 done
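Review bot: The four deletes added at new lines 42–45 drop every type 8017 row (USER_DATA, per the comment at new line 26) for `(struct packet_type)->func`, `(struct bio)->bi_end_io` and all calls made from `NF_HOOK` / `NF_HOOK_COND`, keyed on function or caller alone. The neighbouring rules at new lines 48–51 narrow the match by caller, `parameter` or `key`, so these are much wider. They sit on packet-receive and netfilter paths, so any check that relies on user-data tracking will presumably go quiet for everything reached through them, and nothing records that this is intentional. If the reason is the `sk_mark` recursion described at new lines 38–39, say so next to the new lines, e.g. `/* same sk_mark recursion as above: drop USER_DATA wholesale for these dispatch points */`. Where the noisy argument is known, narrow the delete with `and parameter = N` or `and key = '...'` as new line 51 does.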