Public Git Hosting - smatch.git/log

capped: fix handling of assignments

The problem that this change tries to address is:

if (x > foo)
return;
// x is now capped
if (x < 0)
x = 0;  // <- this assignement makes it uncapped

When we're handling this assignment the modification hook first sets it
to uncapped.  Then this assignment can set things back to capped.  The
!is_capped() condition makes no sense, because it won't be capped.

If it's a += assignment then that's uncapped.  If the right hand side is
capped then it's capped.  If we had a state and we're setting it to a
partial range then set it to capped.  (If we don't have a state then forget
about it).

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

integer_overflow_sizeof: add a check for integer overflows involving sizeof()

The problem with integer overflows is that they are often harmless so there
are a lot of false positives. By targeting math which involves sizeof()
then the hope is that this will be warn about high value overflows.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

simple_no_overflow: record if a variable has been checked for integer overflows

This doesn't record whether the connection between variables. If we see
a check like "if (a + b < a)" then we record both "a" and "b" as safe.
That makes the checking simpler.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/kernel.return_fixes: add class_write_lock_irqsave_lock_ptr()

More cleanup.h fixing.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel.unreachable.ignore: add scoped_guard()

Also add iio_device_claim_direct_scoped().

Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/smdb.py: fix param names

The get_param_names() function wasn't updated to handle hashed file
names properly.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/smdb.py: escape escapes properly

Apparently you need to do \\s instead of just \s.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

flow: reset position after calling cleanup functions

When there is a cleanup function then what happens is that Smatch
generates a fake function call. The issue is that the fake call messes
up the current position. So if you're planning to print an warning
message for that return, it instead get printed on the line where the
cleanup function was declared.

Save the current position, and reset it back to where it was after calling
the cleanup function.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

unreachable: silence some false positives with known conditions

I wrote this code some time ago. My guess is that what happens here is
we have:

if (!CONFIG_ENABLED()) {

But that's just a guess based on the comments... Anyway, I've been
running with this code for some time so it must be good.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: bail out earlier in get_tf_stacks_from_pool()

This function can end up taking way way too long.  Add a recursion
counter and bail out early if it's an issue.  This change means that
compiling drivers/block/drbd/drbd_nl.c with option now compiles in
24 seconds.  Before if you passed --info then it would die or for regular
runs it would take 5 minutes to compile.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

helper: add timeout counter in getting_address()

The min/max changes make this function too slow and the kernel is unable
to build. Add a counter and bail out early.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_user_data: add a timeout

The kernel devs have re-written the min()/max() macros so now this
search ends up taking forever and the kernel can never finish building.
At a counter and bail out early.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

preempt_info: hard code some functions

class_task_rq_lock_destructor() does that if statement thing which is
not really an if statement in real life.

affine_move_task() does some slightly tricky stuff with regards to
preemption.  It bumps the counter, then it calls task_rq_unlock() which
decrements the counter, then it decrements the counter.  This check is
deliberately written so complicated things like that have to be handled
manually.  It gets pretty complicated to track multiple decrements and
increments automatically and I've never found a way to do it correctly.
This way works, it's still a headache to manually add functions like
affine_move_task() but it's less of a headache.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

checking_for_null_instead_of_err_ptr: silence IS_ERR_OR_NULL() warnings

This check is only enabled when --spammy is turned on.  It complains when
a potential error pointer is checked against NULL.  Of course, pointers
can sometimes be either NULL or error pointers.  Which is why the
IS_ERR_OR_NULL() function exists.

I don't see this warning on my system, but it's simple enough to silence
it.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: print is_leaf() instead of ->merged in debug output

What matters if it's a leaf, not whether or not it's a merged.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

struct_assignment: use assigned expression

These days kzalloc() is some kind of macro so we need to use the
assigned expression.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

locking: use a cull hook to handle dma_resv_lock()

The thing about dma_resv_lock() is that if you pass a NULL ctx then
it can't fail.  Smatch knows that we don't take the lock on the failure
path, but not that it can't fail.  Most callers, when they pass a NULL,
then they don't check for failure and Smatch is like "Wait, are we holding
the lock or not?".

So at first I changed it to say that "We take the lock on the failure
path as well".  And that works for most things because they don't
check for failure and Smatch is no longer confused, "Yes.  We're holding
the lock.  Fine."

But the problem arises because some callers *do* check for failure and
now Smatch is like, "Wait, we forgot to drop the lock on that path."

So the real fix is to say, "If the ctx is NULL then we can't fail".  The
difficulty with this approach is that I had to create the cull hook
infrastructure first.  But that's done now.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

function_hooks: add cull hooks infrastructure

This lets us delete a return patch from the database. It's similar to
smatch_data/db/kernel.delete.return_states but more powerful because it's
done in code so you can check other variables instead of just the return.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_kref_put: fix checking kref_get() refcounting

The has_inc_state() function is supposed to check whether we called
kref_get() earlier in the function. However I renamed the reference
count checking and forgot to update this so it always returns false.

s/check_refcount_info/register_refcount_info/

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

free_strict: silence refcounted false positive

I'm trying to figure out what went wrong and why I have tons and tons
of false positives. I'm going to merge this just to get my diffstat
smaller.

I removes some false positives related to refcounted variables. However
the false positives might not be an issue in the published code.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

apply_return_fixes.sh: exit with success

The set -e change means we have to be a bit more careful about error
codes. Before if the ${PROJ}.return file didn't exist then it would
return an error but no one was checking so it didn't matter.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Merge ../was_dev-20240719 into devel

Merge pull request #11 from walshb/bw-strict-errors

shell scripts: stricter error handling

locking: fix dma_resv_lock() hack around

The lock_to_name_sym() function adds a dereference so we have to
add a '&' pre-op to cancel that out. It looks like this has been broken
since the big re-write in 2019. :/

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

locking: add a few new locks to the locking table

class_mvm_destructor() is cleanup.h stuff.  Normal.

lock_cluster_or_swap_info() is one of those slightly complicated locks
which need to be hand annotated.  It can take one of two locks depending.
But for Smatch we can just treat it a mirrored lock/unlock.  Also kind of
a normal thing.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

preempt_info: add class_write_lock_destructor()

This is more cleanup.h stuff which has to be handled by hand.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

data/kernel.ignore_uninitialized_param: add more functions

This is mostly boring stuff.  The ones that are interesting are
dma_alloc_*().  I wish I time to investigate why these function returns
aren't getting split up properly but I don't...  Just silence the
false positives and move on.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

dereference: function calls are dereferences

Add function calls as a kind of dereference of the function pointer.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

shell scripts: stricter error handling

Various shell scripts exit with return code zero even their
subprocesses fail (for example, due to missing libraries).

Use set -e to exit immediately with an error code if a subprocess
fails.

kmalloc_array_zero: Disable this until macro_to_ul() is fixed

The macro_to_ul() can basically only handle literals. The __GFP_ flags
were changed to OR stuff together so this test no longer works and
generates false positives. Disable it for now.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db: fix recursive crash in linux-next

Somehow it's parsing copy_from_user() over and over and over until it
crashes. Fix the crash for now. I think this means that forced splits
are basically useless... I'll revisit this when it becomes an issue again
I guess.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

preempt: introduce a new preempt_table to edit out caller_info() data

How this works is you give a function and a caller and that specific
function call is now not marked as calling with PREMPT_DISABLED.
Of course, if a function calls the same function twice both calls are now
marked as not-preempt. It's not perfect but it's fine grained enough.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

check_deref: use add_dereference_hook()

I overlooked converting this check to add_dereference_hook(). It
simplifies the code quite a bit and improves the handling of cross function
dereferences.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

points_to_user_data: Add nvmet_copy_from_sgl() function

The nvmet_copy_from_sgl() function gives us user data too.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

impossible_compare: silence some false positives

I think this is to silence warnings on 32 bit where it says:

if (u32_var > UINT_MAX)

I wrote this some time ago... :( I wish it were more perfect.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

modification_hooks: add get_modification_state_name_sym()

This is get_modification_state() but it takes a name/sym pair.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel: ignore more stuff

These are not life changing ignores any more.  But it's like remove 500k
entries here and 500k there.  It has started to be noticeable.

The nice one is parent->parent from an emotional stand point.  Lots of
recursion.  I didn't measure how many actual entries it was though.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel: Add support for custom build directory

Pass the 'O' environment variable to the kernel build system in order to
allow specifying a custom build directory.

Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kchecker: Fix --outfile handling

Use the actual value of the 'outfile' variable instead of its name when
testing for empty string.

Fixes: 6d859db5d033 ("*new* smatch_scripts/whitespase_only.sh")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

buf_size: don't store so many (-1)-0 entries

-1 means unknown.  0 means zero bytes.  We already filter these values
out independently but when they're together we insert them.  They are
useless.  Filter them out.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

sentinel_ctltable: Add a check for sentinel elements in ctl_table arrays

Added a new check named check_sentinel_ctltable that prints a warning
when a sentinel element is detected in a ctl_table struct array.
Sentinels marking the end of a ctl_table array where completely removed
from the linux kernel in [1]. We add this warning to avoid cases where a
sentinel gets added by mistake.

[1] https://lore.kernel.org/20240604-jag-sysctl_remset-v1-0-2df7ecdba0bd@samsung.com

Signed-off-by: Joel Granados <j.granados@samsung.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel: ignore "->bio->bi_private"

Nothing good can come from tracking ->bi_private data.

This came from looking at iomap_readpage_iter() returns states.  The
unfortunate thing is that most of this is from PARAM_USED.  It's possible
that it is all used, or that there is a bug where too much stuff is marked
as used.  Or it could be that there is recursion and that an old bug was
marking it as used but recursion means we don't get rid of it...

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

extra: fix some SQL

Oops. I am dumb. Add the missing count().

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

no_increment: complain when i and j don't have an i++

You would expect interators to be incremented. Example bugs look like:

i = 0;
for_each_foo() {
// i++ was accidentally deleted
}
count = i;

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

extra: fix and improve used_param_value_info()

I was fixing this code and I noticed that the return from the
call_is_leaf_fn() path is reversed.  I'm not sure how this worked...
Re-write it to to be more readable and fix the bugs.

Functional changes:
1) Either long variables or -> -> -> variables are considered long.  Btw,
   40 characters is very long.
2) Consider $ and *$ before the leaf check.
3) NULL/non-NULL pointers are useless if they are a long variable.  (The
   reason why they would be considered useful at all is because of error
   pointers)

Style changes:
1) Use get_row_count().  This is just way cleaner.
2) Rename the function to used_param_value_info().
3) Reverse the returns so it returns true for used and false for unused.
4) Change the type to bool.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db: don't load silly amounts of caller info

The issue here was is_inode_flag_set().  We say functions which are called
over 200 times as too common.  Don't save anything about them.  But
is_inode_flag_set() was called 166 times.

Apparently, there is no limit to the amount of caller info per call which
gets saved in the database.  This is hard to limit in a sensible ways as
well.

So is_inode_flag_set() was loading 28k entries of caller_info.  Which is
too much.  Cap it at 5000.  (This number is picked by guessing what an
appropriate number is).

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

leaf_fn: be stricter with PARAM_USED

Before the PARAM_USED was kind of mean "This is probably not used".  Smatch
would filter out variables which were zero.  (There are a lot of known
zero variables because of kzalloc()).

But it turned out we were passing ridiculous amounts of data to functions
that only did "return foo + 1; or whatever.  So lets mark "leaf" functions
where we're sure that no recursion, function pointers, or whatever is
involved as leaf functions.  For these functions we'll only pass exactly
what is needed.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

ranges: fix alloc_whole_rl() for functions

Functions are pointers. But this isn't there then what can happen is
that min is greater than max and we try again. And again until eventually
the recursion leads to a crash.

This doesn't affect anything yet, but it affects up coming commits.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

param_used: don't record stuff from __in_fake_struct_assign

Smatch is way to slow recently... There are too many PARAM_USED states
being recorded. The FREE_I() function is basically a return statement but
it was saying tons and tons of stuff was used.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

unlikely_parens: warn about other things besides comparison

This generates a warning for "if (likely(foo) & bar) {".  It only triggers
one warning which is in lib/lz4/lz4_decompress.c and it's a false positive.

   202                          } while (likely(endOnInput
   203                                  ? ip < iend - RUN_MASK
   204                                  : 1) & (s == 255));

But it's a quite high quality false positive so that's okay.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

unlikely_parens: add a check for putting the parentheses in the wrong place

The bug here would look like:

bad: if (unlikely(frob(x)) >= 0)
good: if (unlikely(frob(x) >= 0))

Reported-by: Mateusz Guzik <mjguzik@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

mixing_irq_and_irqsave: warn about mixing _irq() and _irqsave()

It seldom makes sense to mix spinlock_irq() and spinlock_irqsave().  The
one is for when we know IRQs are not disabled and the other is for when
they are.  It can't be both.

These warning are mostly not bugs, but just places which should be changed
to _irq().  Except changing to _irgsave() is potentially safer.  The point
is the either works.  It's just sloppy and wrong to mix them.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

pre-proc: use uname() syscall instead of invoking uname

Not all systems have uname at /bin/uname and using uname() directly
seems to be a better case than spawning shell.

The utsname.sysname seems to be returning different name ("Linux"
instead of "GNU/Linux") but this doesn't seem to be a problem.
"uname -o" does seem to be returning HOST_OPERATING_SYSTEM and
utsname.sysname being defined as KERNEL_NAME.

Signed-off-by: Andrey Albersteyn <aalbersh@redhat.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/fixup_kernel.sh: fix clear_user() handling

There are two changes here:
1) Switch from double quotes to single quotes.  Atin Bainada reported that
   this was still an issue.
2) Add a grep -v '\['.  Apparently current versions of smatch are able to
   determine some of these relationship automatically and this code was
   recording bogus relationships like: "1-u64max[==$1][<=$1]" when it
   should have just been "1-u64max[==$1]".

Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/fixup_kernel.sh: add kmalloc_noprof()

kmalloc() is now a macro and the function on my system is now called
kmalloc_noprof(). Add it.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/fixup_kernel.sh: use single quotes

Atin Bainada reported that these double quote lines were causing parse
errors. I expect there is a new version of bash or sqlite which is
causing the issue? Anyway, it's simple enough to fix it.

Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/fixup_kernel: delete bogus code

There are a few things to note about this line:
1) Atin Bainada reported that I used the wrong quotes (double instead of
   single) so it causes a SQL error.  It's strange the it works on my
   system.
2) The line doesn't isn't required any more because of other improvements
   so now gfs2_ea_find() seems to be parsed correctly.
3) Also the type should have been updated from 101 to 501 so it doesn't do
   anything.

Since it isn't required then delete it.

Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel.return_fixes: add mipi_dsi_device_transfer(), timer_delete() and get_device()

The interesting function here is get_device(). It returns the parameter
that was passed in but it does some complicated pointer math to get there.

The problem with mipi_dsi_device_transfer() is the typical thing where
it returns an unknown long, but actually it can't return negatives except
error codes or positives above INT_MAX.

For some reason Smatch was parsing timer_delete() as returning zero. Was
this a fundamental problem or because of the bugs in smatch_implied.c???

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: try again in get_tf_stacks_from_pool()

This reverts the code back almost to what it was a month ago or whatever...

The problem that you can have a merged state which looks the same as a
leaf state but we only wanted to deal with leaf states.  So add a check
for that.  Simple enough.

But then it only makes sense to check the ->possible list for merged
states.  Skipping that some how broke the parsing of the contains_operator()
function.

So this change basically takes it back to the old code except for the
new is_leaf() check.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

buf_size: add kmalloc_noprof()

These days kmalloc() is just a wrapper around kmalloc_noprof().

(Ideally I would re-write this check to use the information from
smatch_allocations.c but I haven't gotten around to it yet).

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

comparison: add support for COMPARE_LIMIT

I'm committing this code long after I actually made this change so I had
to look up what the logic is. The comments are kind of crap... The
difference between PARAM_COMPARE and COMPARE_LIMIT is PARAM_COMPARE only
looks at unmodified parameters where COMPARE_LIMIT looks at the values at
the end of the function as in "*offset <= length".

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

allocations: add some more allocation functions

The really important ones are that kmalloc() is now just a wrapper around
kmalloc_noprof().

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

struct_assignment: use the ->zeroed flag from allocations

The struct assignment tracks when we assign a zeroed buffer to a struct.
Basically the current code said that kcalloc() returns zero and in the
kernel if it has "zalloc" name then it's zero. This works when it works,
but now we have better data in smatch_allocations.c so we can use that
instead.

I had to add support for early allocation hooks to do this.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

function_hooks: remove some dead code

The starting values for the 'left' side of an assignment are not important
and not used. Delete.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: remove some dead code

I had intended to move this as part of the previous commit but I screwed
up. Fortunately, I think it's dead code.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: fix get_tf_stacks_from_pool()

I completely broke get_tf_stacks_from_pool(). Leaf nodes rarely ever have
have ->left or ->right so this basically finds no implications.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: fix leaf checking

Hm...  I thought I had committed this.  The interesting part of this is
in get_tf_stacks_from_pool().  What happens is that when we're parsing
return statements then we take the string "ret = 1" or "ret = 0-u64max"
and then we look at all the leaf nodes where that is true.

However, actually it wasn't checking leaf nodes, it was checking merged
nodes as well.  And when we merge 1 and 0-u64max then the merged range
is still 0-u64max.  So we end up saying there basically are no implication
on that path.  (The 0-u64max value might not be the interesting bit, it's
just a marker for the path and there might be interesting implications on
that path).

The is_merged() -> is_leaf() change in sm_in_keep_leafs() is just for
correctness and might not fix a real life bug at all.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

flow: bail out earlier on parsing giant arrays

The drivers/net/wireless/realtek/rtw89/rtw8851b_table.c file has a bunch
of arrays which are giant.  The first one is 976 elements.  When you were
doing an --info run then it took Smatch over an hour to parse that file.

And actually the information we're saving is kind of garbage.  Instead of
saying 0-s32max it ends up being some list of numbers with a ... on the
end. "0,4,7,1999, 2000, ...".

This function does a weird thing where it treats globals differently from
local variables.  I feel like I probably did that because globals are
often huge and parsing them is slow...  But really I think that ideally
we would use __split_expr().

Anyway, what I've done here is that I've said if the array is more than 256
elements then do:

my_array[unknown()] = unknown();

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

helper: cache get_member_name()

I've been calling get_member_name() more and more often so it's worth
caching the results. That means that instead of allocating a permanent
string, I need to allocate and sname string which is not freed until the
end of the function. The callers used to be responsible for freeing the
returned string but now they must leave it alone.

Some of the callers return the string again, so sometimes I just allocate
a new string in that situation.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

conditions: fix parsing expression statements with a cast

When smatch sees an expression statement like:

foo = ({frob(); frob(); frob(); 1;});

Then it tries to parse the frob(); frob(); frob(); and create a fake
"foo = 1;" assignment.  The problem arises when there is a cast in front
of the expression statement:

foo = (void *)({frob(); frob(); frob(); 1;});

I wrote the original code this way because originally strip_expr() would
have stripped away the cast and the ().  Also, although I didn't care about
it at the time, it's not right to ignore casts.

To fix it, I've created a new strip_expr_cast() function which separates
out the casts and returns them.  (There would be a string of casts like
"(void *)(unsigned long)").  Then we add the casts back as the final
step:
foo = (void *)(unsigned long)1;

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

math: add a short cut for fake calls in handle_call_rl()

I don't know if this is speed up, but that was the intention here.
Hopefully, it's not a slow down.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_printf: update to the latest kernel

It used to that only %p4cc was allowed but now it can be %p4c[bchlr].

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

get_user_overflow: "x + 0" doesn't overflow

Silence some false positives where it warns that value plus zero will
overflow.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Documentation/smatch: fix typo in submitting-patches.md

Fix a small typo in the smatch documentation about the patch submission
process.

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Documentation/smatch: convert to RST

Convert existing smatch documentation to RST, and add it to the index
accordingly.

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Documentation/smatch: fix paths in the examples

A few examples use the '~/progs/smatch/devel/smatch_scripts/' path,
which seems to be a local reference that does not reflect the real
paths in the project (one would not expect 'devel' inside 'smatch').

Use the generic '~/path/to/smatch_dir/' path, which is already used
in some examples.

Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db: insert line numbers into INTERNAL return states

This seems like good information. I added this, but I've never actually
used this. But I still feel like I might... :)

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db: fix splitting implications

How this looks like to the user, is that you end up losing some return
states.  In one particular example, Smatch said that xt_mttg_seq_next()
always dereferences  *ppos, but actually there is a if statement.  We lost
those states.

Originally ->merged states were not leaf states but then when we started
faking states that changed and now we have ->leaf and is_leaf() to mark
leaf states.  This code should be using is_leaf() too look for leaf states
instead of checking ->merged.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_user_data: add ceph_decode_n() as returning user data

After this patch: verified couple of instances where we have code like:
foo = ceph_decode_8(bar)

net/ceph/messenger_v2.c:521 decode_preamble()
user rl: 'desc->fd_tag' = '0-255'

Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

new_bugs.pl: add a -d <dir> option

By default this script stores everything in old_warnings/ but make it
configurable option.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

fixup_kernel.sh: remove some calls to (struct device_attribute)->show

The drivers which call (struct device_attribute)->show() are weird and
it's easiest to just ignore them.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/kernel.return_fixes: add some comparisons

I was trying to track more relationships so I added these functions.

There is really just a random tiny sample of the work that needs to be
done. I'm only committing it to shrink my diff with the released code.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/smdb.py: add "irq" option

This displays the call tree where a function is called in IRQ context.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/fixup_kernel.sh: fix kstrtoint() functions

Smatch takes short cuts handling loops and that ended up meaning that
kstrtoint() type functions were recorded as setting the USER_DATA to 0-15
instead of s32min-s32max or whatever the function type was.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

locking: add some hardcoded locks

Add some IGNOREs and hard code mt7530_mutex_lock/unlock() behavior.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

scoped cleanup: update because of sound/ changes

The sound/ subsystem has started using _scoped() locking pretty
extensively all of a sudden.  This patch fixes up the fallout from that.

The bits of this patch are all stuff that I have done before:
In preempt_info.c some of those destructor functions look like they might
be conditional when actually, in real life, they are not.  I guess you
could set them up to be...  But why?  And even if you did make them
conditional we would still prefer to assume they unlocked rather than do
nothing because it silences false positives.  This silences sleeping in
atomic warnings.

The db/kernel.return_fixes change is the same thing.  From reading the code
it looks like those functions can fail but they cannot.  This silences
uninitialized variable warnings.

The complicated bit is in check_locking.c.  I had previously written code
to handle class_mutex_destructor().  However it turned out that it didn't
handle all mutex destructors correctly so it led to double lock false
positives.  The original code did handle class_rwsem_write_destructor()
correctly though so that was handy.

Obviously, it took me some time to patch up all this fall out.  Everyone
would prefer if the code worked correctly the first time without
modification.  I don't really see a way to magic up a solution to make
that happen.  I continue to believe that eventually the common locks will
be handled and I won't have to keep editing stuff to fix _scoped()
breakage.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kvmalloc_NOFS: silence "does not make sense for no sleep code" false positives

The GFP flags were recently re-worked and Smatch is too stupid to figure
out the current value of the __GFP_DIRECT_RECLAIM flag.

Disable this check if the GFP_DIRECT_RECLAIM() function fails.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

helper: fix crashing bug in token_to_ul()

The token_to_ul() function is really rubbish... It basically lets you
parse a define which is a constant but has some parentheses around it.
I'm not sure exactly how parsing constants is supposed to be done.
I'm going to have to figure that out because the new GFP_ defines are
BIT() calls instead of simple constants.

But for now just stop the token_to_ul() function from crashing due to
recursion.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_xa_err: handle xa_is_err() and xa_err() a little bit better

Ideally, xa_err() would be handled like error pointers, but that is kind of
a lot of work.  For example, I massage the output of error pointers so
they are displayed as negatives.  Ugh... As I'm writing this, I realize
that probably I will need to change ptr_max to be lower to accommodate
xa_errors...  I already wish I had more bits to handle mtags on 32bit
systems...  *sigh*  The other thing which is different about pointer errors
is that they're just casts so they're easier to handle instead of the
"(err << 2) | 2" transforms that xa_err() does.

So this patch is really just a starting point for handling xa_err().  It's
not as widely used as error pointers so I don't know how much work I'm
going to have to do to make this work adequately...

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel: handle scoped_guard(spinlock_irq ...)

Add the preempt_disable bits to check_preempt_info.c and the lock_ptr bits
to kernel.return_fixes.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel.ignore_casted_params: add some more set_bit() functions

This is just more set_bit() stuff. Nothing controversial.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

implied: add the correct expression to the debug output

The debug output is confusing if we don't pass the expression to
set_implied_states().

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

db/kernel.return_fixes: add cred scoped guard annotations

There is a new scoped_guard(cred, ovl_creds(dentry->d_sb)) function which
needs to be annotated.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

mtag: fix a bug on 32 bit systems

When Smatch is creating mtags it was working on u64 values, but it
should be working on unsigned long values. Otherwise what happens is
that the caller is like, "this is an invalid pointer, let's just say we
don't know what this function can return". This leads to confusing error
pointer false positives on 32 bit systems.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_irq_context: add (struct irqaction)->handler as an ignored function

We already track the IRQ handler so this information is not useful and
it's possibly wrong for our needs. (We want to ignore threaded IRQs).

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

kernel_irq_context: mark the IRQ handler in the function

This information makes debugging sleeping in atomic warnings easier.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

points_to_user_data: Add __wbuf() as setting a user buffer

This is a samba/cifs thing. Add it as a user pointer function.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

double_checking: ignore known/constant conditions

There is no point about warning about these because they were known the
first time so it's okay that they're known the second time. It's not
useful information.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

err_ptr_deref: silence impossible checks

I think this was just a bandaid to cover over some other bugs. Those
bugs are hopefully addressed now. However, it can't really hurt to
silence these warnings.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

function_hooks: add missing return states

There seems to be some kind of mismatch here where fake_a_param_assignment()
seems to think we could fake a parameter assignment, but then we pop
the ->fake_param_assign_stack and there wasn't any assignment set.  The
truth is that I didn't really investigate why that mismatch exists.

Instead, I just said that if we don't have an assignment, then use the
returned value like we normally would.  This is a good thing to do anyway.
Although it might have been interesting to do that investigation and
possibly there are additional changes we could make as well?  Who knows.

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>