| commit | 15aded24139821bd44bf18833815a4bb82443de9 | |
| author | Rasmus Villemoes <rv@rasmusvillemoes.dk> | |
| Thu, 29 Jan 2015 16:03:35 +0000 (29 17:03 +0100) | ||
| committer | Dan Carpenter <dan.carpenter@oracle.com> | |
| Wed, 11 Feb 2015 18:51:21 +0000 (11 21:51 +0300) | ||
| tree | b5ba150ddc84784f3f4d483857824312c2a13cf9 | treesnapshot (tar.gz zip) |
| parent | 96c3a7c2459bdafdbd12f307aa5d1e7c61c9bc52 | commitdiff |
smatch: Check the kernel's %p format extensions
The kernel has a nice printf extension where %p can be followed by
certain alphanumerics, causing the pointer argument to be treated and
printed specially. Of course, for this to work the pointer must
actually point to what is expected, e.g. a struct dentry. For some
extensions, there isn't much to check (%pE and %ph can handle pretty
much any valid pointer). We also check whether all the alphanumerics
make sense (in particular, that %p itself is not followed by a
currently-unrecognized character), since a future extension may cause
existing code to behave differently.
While at it, there are certain other things we can warn about:
* Incomplete conversions to pr_*, e.g. pr_warn(KERN_WARNING
"blabla"). While many of these can be found with 'git grep',
everybody and their dog define their own wrapper macros, so it's
sometimes easier to find them after preprocessing.
* Format strings containing the name of the caller, while __func__ is
also passed (typically via a definition of pr_fmt(fmt) as "%s: "
fmt, __func__).
* Passing __user pointers to formats which actually dereference the
pointer.
Note: The list of printf functions is hard-coded (the list has been
extracted using a stupid perl script), since sparse currently ignores
the format attribute.
The kernel has a nice printf extension where %p can be followed by
certain alphanumerics, causing the pointer argument to be treated and
printed specially. Of course, for this to work the pointer must
actually point to what is expected, e.g. a struct dentry. For some
extensions, there isn't much to check (%pE and %ph can handle pretty
much any valid pointer). We also check whether all the alphanumerics
make sense (in particular, that %p itself is not followed by a
currently-unrecognized character), since a future extension may cause
existing code to behave differently.
While at it, there are certain other things we can warn about:
* Incomplete conversions to pr_*, e.g. pr_warn(KERN_WARNING
"blabla"). While many of these can be found with 'git grep',
everybody and their dog define their own wrapper macros, so it's
sometimes easier to find them after preprocessing.
* Format strings containing the name of the caller, while __func__ is
also passed (typically via a definition of pr_fmt(fmt) as "%s: "
fmt, __func__).
* Passing __user pointers to formats which actually dereference the
pointer.
Note: The list of printf functions is hard-coded (the list has been
extracted using a stupid perl script), since sparse currently ignores
the format attribute.
| check_kernel_printf.c | [new file with mode: 0644] | blob |
| check_list.h | diffblobblamehistory |