Dan Carpenter [Mon, 16 Sep 2024 14:35:19 +0000 (16 17:35 +0300)]
capped: fix handling of assignments
The problem that this change tries to address is:
if (x > foo)
return;
// x is now capped
if (x < 0)
x = 0; // <- this assignement makes it uncapped
When we're handling this assignment the modification hook first sets it
to uncapped. Then this assignment can set things back to capped. The
!is_capped() condition makes no sense, because it won't be capped.
If it's a += assignment then that's uncapped. If the right hand side is
capped then it's capped. If we had a state and we're setting it to a
partial range then set it to capped. (If we don't have a state then forget
about it).
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 16 Sep 2024 14:25:16 +0000 (16 17:25 +0300)]
integer_overflow_sizeof: add a check for integer overflows involving sizeof()
The problem with integer overflows is that they are often harmless so there
are a lot of false positives. By targeting math which involves sizeof()
then the hope is that this will be warn about high value overflows.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 16 Sep 2024 14:15:31 +0000 (16 17:15 +0300)]
simple_no_overflow: record if a variable has been checked for integer overflows
This doesn't record whether the connection between variables. If we see
a check like "if (a + b < a)" then we record both "a" and "b" as safe.
That makes the checking simpler.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 4 Sep 2024 06:33:55 +0000 (4 09:33 +0300)]
db/kernel.return_fixes: add class_write_lock_irqsave_lock_ptr()
More cleanup.h fixing.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Aug 2024 19:27:54 +0000 (19 22:27 +0300)]
kernel.unreachable.ignore: add scoped_guard()
Also add iio_device_claim_direct_scoped().
Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Aug 2024 06:10:34 +0000 (19 09:10 +0300)]
db/smdb.py: fix param names
The get_param_names() function wasn't updated to handle hashed file
names properly.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Aug 2024 06:08:55 +0000 (19 09:08 +0300)]
db/smdb.py: escape escapes properly
Apparently you need to do \\s instead of just \s.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 15 Aug 2024 11:07:16 +0000 (15 14:07 +0300)]
flow: reset position after calling cleanup functions
When there is a cleanup function then what happens is that Smatch
generates a fake function call. The issue is that the fake call messes
up the current position. So if you're planning to print an warning
message for that return, it instead get printed on the line where the
cleanup function was declared.
Save the current position, and reset it back to where it was after calling
the cleanup function.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 7 Aug 2024 12:26:48 +0000 (7 15:26 +0300)]
unreachable: silence some false positives with known conditions
I wrote this code some time ago. My guess is that what happens here is
we have:
if (!CONFIG_ENABLED()) {
But that's just a guess based on the comments... Anyway, I've been
running with this code for some time so it must be good.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 2 Aug 2024 15:59:45 +0000 (2 10:59 -0500)]
implied: bail out earlier in get_tf_stacks_from_pool()
This function can end up taking way way too long. Add a recursion
counter and bail out early if it's an issue. This change means that
compiling drivers/block/drbd/drbd_nl.c with option now compiles in
24 seconds. Before if you passed --info then it would die or for regular
runs it would take 5 minutes to compile.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 2 Aug 2024 15:55:43 +0000 (2 10:55 -0500)]
helper: add timeout counter in getting_address()
The min/max changes make this function too slow and the kernel is unable
to build. Add a counter and bail out early.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 2 Aug 2024 04:58:11 +0000 (1 23:58 -0500)]
kernel_user_data: add a timeout
The kernel devs have re-written the min()/max() macros so now this
search ends up taking forever and the kernel can never finish building.
At a counter and bail out early.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 30 Jul 2024 16:58:56 +0000 (30 11:58 -0500)]
preempt_info: hard code some functions
class_task_rq_lock_destructor() does that if statement thing which is
not really an if statement in real life.
affine_move_task() does some slightly tricky stuff with regards to
preemption. It bumps the counter, then it calls task_rq_unlock() which
decrements the counter, then it decrements the counter. This check is
deliberately written so complicated things like that have to be handled
manually. It gets pretty complicated to track multiple decrements and
increments automatically and I've never found a way to do it correctly.
This way works, it's still a headache to manually add functions like
affine_move_task() but it's less of a headache.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Sat, 27 Jul 2024 00:51:43 +0000 (26 19:51 -0500)]
checking_for_null_instead_of_err_ptr: silence IS_ERR_OR_NULL() warnings
This check is only enabled when --spammy is turned on. It complains when
a potential error pointer is checked against NULL. Of course, pointers
can sometimes be either NULL or error pointers. Which is why the
IS_ERR_OR_NULL() function exists.
I don't see this warning on my system, but it's simple enough to silence
it.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 24 Jul 2024 22:10:51 +0000 (24 17:10 -0500)]
implied: print is_leaf() instead of ->merged in debug output
What matters if it's a leaf, not whether or not it's a merged.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 24 Jul 2024 19:00:54 +0000 (24 14:00 -0500)]
struct_assignment: use assigned expression
These days kzalloc() is some kind of macro so we need to use the
assigned expression.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 24 Jul 2024 18:54:53 +0000 (24 13:54 -0500)]
locking: use a cull hook to handle dma_resv_lock()
The thing about dma_resv_lock() is that if you pass a NULL ctx then
it can't fail. Smatch knows that we don't take the lock on the failure
path, but not that it can't fail. Most callers, when they pass a NULL,
then they don't check for failure and Smatch is like "Wait, are we holding
the lock or not?".
So at first I changed it to say that "We take the lock on the failure
path as well". And that works for most things because they don't
check for failure and Smatch is no longer confused, "Yes. We're holding
the lock. Fine."
But the problem arises because some callers *do* check for failure and
now Smatch is like, "Wait, we forgot to drop the lock on that path."
So the real fix is to say, "If the ctx is NULL then we can't fail". The
difficulty with this approach is that I had to create the cull hook
infrastructure first. But that's done now.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 24 Jul 2024 18:47:51 +0000 (24 13:47 -0500)]
function_hooks: add cull hooks infrastructure
This lets us delete a return patch from the database. It's similar to
smatch_data/db/kernel.delete.return_states but more powerful because it's
done in code so you can check other variables instead of just the return.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 24 Jul 2024 18:38:21 +0000 (24 13:38 -0500)]
kernel_kref_put: fix checking kref_get() refcounting
The has_inc_state() function is supposed to check whether we called
kref_get() earlier in the function. However I renamed the reference
count checking and forgot to update this so it always returns false.
s/check_refcount_info/register_refcount_info/
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 23 Jul 2024 21:25:13 +0000 (23 16:25 -0500)]
free_strict: silence refcounted false positive
I'm trying to figure out what went wrong and why I have tons and tons
of false positives. I'm going to merge this just to get my diffstat
smaller.
I removes some false positives related to refcounted variables. However
the false positives might not be an issue in the published code.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Sat, 20 Jul 2024 02:24:43 +0000 (19 21:24 -0500)]
apply_return_fixes.sh: exit with success
The set -e change means we have to be a bit more careful about error
codes. Before if the ${PROJ}.return file didn't exist then it would
return an error but no one was checking so it didn't matter.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Sat, 20 Jul 2024 01:48:53 +0000 (19 20:48 -0500)]
Merge ../was_dev-
20240719 into devel
Dan Carpenter [Sat, 20 Jul 2024 01:44:20 +0000 (19 20:44 -0500)]
Merge pull request #11 from walshb/bw-strict-errors
shell scripts: stricter error handling
Dan Carpenter [Fri, 19 Jul 2024 16:47:02 +0000 (19 11:47 -0500)]
locking: fix dma_resv_lock() hack around
The lock_to_name_sym() function adds a dereference so we have to
add a '&' pre-op to cancel that out. It looks like this has been broken
since the big re-write in 2019. :/
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 19 Jul 2024 16:42:25 +0000 (19 11:42 -0500)]
locking: add a few new locks to the locking table
class_mvm_destructor() is cleanup.h stuff. Normal.
lock_cluster_or_swap_info() is one of those slightly complicated locks
which need to be hand annotated. It can take one of two locks depending.
But for Smatch we can just treat it a mirrored lock/unlock. Also kind of
a normal thing.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 18 Jul 2024 20:07:31 +0000 (18 15:07 -0500)]
preempt_info: add class_write_lock_destructor()
This is more cleanup.h stuff which has to be handled by hand.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 18 Jul 2024 20:06:12 +0000 (18 15:06 -0500)]
data/kernel.ignore_uninitialized_param: add more functions
This is mostly boring stuff. The ones that are interesting are
dma_alloc_*(). I wish I time to investigate why these function returns
aren't getting split up properly but I don't... Just silence the
false positives and move on.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 17 Jul 2024 14:43:07 +0000 (17 09:43 -0500)]
dereference: function calls are dereferences
Add function calls as a kind of dereference of the function pointer.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Ben Walsh [Sat, 13 Jul 2024 18:26:45 +0000 (13 19:26 +0100)]
shell scripts: stricter error handling
Various shell scripts exit with return code zero even their
subprocesses fail (for example, due to missing libraries).
Use set -e to exit immediately with an error code if a subprocess
fails.
Dan Carpenter [Wed, 10 Jul 2024 23:06:19 +0000 (10 18:06 -0500)]
kmalloc_array_zero: Disable this until macro_to_ul() is fixed
The macro_to_ul() can basically only handle literals. The __GFP_ flags
were changed to OR stuff together so this test no longer works and
generates false positives. Disable it for now.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 10 Jul 2024 22:11:18 +0000 (10 17:11 -0500)]
db: fix recursive crash in linux-next
Somehow it's parsing copy_from_user() over and over and over until it
crashes. Fix the crash for now. I think this means that forced splits
are basically useless... I'll revisit this when it becomes an issue again
I guess.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 2 Jul 2024 19:33:41 +0000 (2 14:33 -0500)]
preempt: introduce a new preempt_table to edit out caller_info() data
How this works is you give a function and a caller and that specific
function call is now not marked as calling with PREMPT_DISABLED.
Of course, if a function calls the same function twice both calls are now
marked as not-preempt. It's not perfect but it's fine grained enough.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Dan Carpenter [Thu, 20 Jun 2024 13:07:29 +0000 (20 16:07 +0300)]
check_deref: use add_dereference_hook()
I overlooked converting this check to add_dereference_hook(). It
simplifies the code quite a bit and improves the handling of cross function
dereferences.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 20 Jun 2024 09:17:42 +0000 (20 12:17 +0300)]
points_to_user_data: Add nvmet_copy_from_sgl() function
The nvmet_copy_from_sgl() function gives us user data too.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 20 Jun 2024 09:16:13 +0000 (20 12:16 +0300)]
impossible_compare: silence some false positives
I think this is to silence warnings on 32 bit where it says:
if (u32_var > UINT_MAX)
I wrote this some time ago... :( I wish it were more perfect.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 20 Jun 2024 08:57:54 +0000 (20 11:57 +0300)]
modification_hooks: add get_modification_state_name_sym()
This is get_modification_state() but it takes a name/sym pair.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 20 Jun 2024 08:55:48 +0000 (20 11:55 +0300)]
kernel: ignore more stuff
These are not life changing ignores any more. But it's like remove 500k
entries here and 500k there. It has started to be noticeable.
The nice one is parent->parent from an emotional stand point. Lots of
recursion. I didn't measure how many actual entries it was though.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Cristian Ciocaltea [Tue, 18 Jun 2024 20:20:17 +0000 (18 23:20 +0300)]
kernel: Add support for custom build directory
Pass the 'O' environment variable to the kernel build system in order to
allow specifying a custom build directory.
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Cristian Ciocaltea [Tue, 18 Jun 2024 20:20:16 +0000 (18 23:20 +0300)]
kchecker: Fix --outfile handling
Use the actual value of the 'outfile' variable instead of its name when
testing for empty string.
Fixes:
6d859db5d033 ("*new* smatch_scripts/whitespase_only.sh")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 18 Jun 2024 09:23:38 +0000 (18 12:23 +0300)]
buf_size: don't store so many (-1)-0 entries
-1 means unknown. 0 means zero bytes. We already filter these values
out independently but when they're together we insert them. They are
useless. Filter them out.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Joel Granados [Fri, 14 Jun 2024 12:29:41 +0000 (14 14:29 +0200)]
sentinel_ctltable: Add a check for sentinel elements in ctl_table arrays
Added a new check named check_sentinel_ctltable that prints a warning
when a sentinel element is detected in a ctl_table struct array.
Sentinels marking the end of a ctl_table array where completely removed
from the linux kernel in [1]. We add this warning to avoid cases where a
sentinel gets added by mistake.
[1] https://lore.kernel.org/
20240604-jag-sysctl_remset-v1-0-
2df7ecdba0bd@samsung.com
Signed-off-by: Joel Granados <j.granados@samsung.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 13 Jun 2024 06:53:36 +0000 (13 09:53 +0300)]
kernel: ignore "->bio->bi_private"
Nothing good can come from tracking ->bi_private data.
This came from looking at iomap_readpage_iter() returns states. The
unfortunate thing is that most of this is from PARAM_USED. It's possible
that it is all used, or that there is a bug where too much stuff is marked
as used. Or it could be that there is recursion and that an old bug was
marking it as used but recursion means we don't get rid of it...
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 12 Jun 2024 17:25:09 +0000 (12 20:25 +0300)]
extra: fix some SQL
Oops. I am dumb. Add the missing count().
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Wed, 12 Jun 2024 11:14:53 +0000 (12 14:14 +0300)]
no_increment: complain when i and j don't have an i++
You would expect interators to be incremented. Example bugs look like:
i = 0;
for_each_foo() {
// i++ was accidentally deleted
}
count = i;
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 11 Jun 2024 15:27:37 +0000 (11 18:27 +0300)]
extra: fix and improve used_param_value_info()
I was fixing this code and I noticed that the return from the
call_is_leaf_fn() path is reversed. I'm not sure how this worked...
Re-write it to to be more readable and fix the bugs.
Functional changes:
1) Either long variables or -> -> -> variables are considered long. Btw,
40 characters is very long.
2) Consider $ and *$ before the leaf check.
3) NULL/non-NULL pointers are useless if they are a long variable. (The
reason why they would be considered useful at all is because of error
pointers)
Style changes:
1) Use get_row_count(). This is just way cleaner.
2) Rename the function to used_param_value_info().
3) Reverse the returns so it returns true for used and false for unused.
4) Change the type to bool.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 11 Jun 2024 14:35:33 +0000 (11 17:35 +0300)]
db: don't load silly amounts of caller info
The issue here was is_inode_flag_set(). We say functions which are called
over 200 times as too common. Don't save anything about them. But
is_inode_flag_set() was called 166 times.
Apparently, there is no limit to the amount of caller info per call which
gets saved in the database. This is hard to limit in a sensible ways as
well.
So is_inode_flag_set() was loading 28k entries of caller_info. Which is
too much. Cap it at 5000. (This number is picked by guessing what an
appropriate number is).
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 11 Jun 2024 14:29:59 +0000 (11 17:29 +0300)]
leaf_fn: be stricter with PARAM_USED
Before the PARAM_USED was kind of mean "This is probably not used". Smatch
would filter out variables which were zero. (There are a lot of known
zero variables because of kzalloc()).
But it turned out we were passing ridiculous amounts of data to functions
that only did "return foo + 1; or whatever. So lets mark "leaf" functions
where we're sure that no recursion, function pointers, or whatever is
involved as leaf functions. For these functions we'll only pass exactly
what is needed.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Sat, 8 Jun 2024 12:54:08 +0000 (8 15:54 +0300)]
ranges: fix alloc_whole_rl() for functions
Functions are pointers. But this isn't there then what can happen is
that min is greater than max and we try again. And again until eventually
the recursion leads to a crash.
This doesn't affect anything yet, but it affects up coming commits.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 6 Jun 2024 21:07:15 +0000 (7 00:07 +0300)]
param_used: don't record stuff from __in_fake_struct_assign
Smatch is way to slow recently... There are too many PARAM_USED states
being recorded. The FREE_I() function is basically a return statement but
it was saying tons and tons of stuff was used.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 31 May 2024 10:23:13 +0000 (31 13:23 +0300)]
unlikely_parens: warn about other things besides comparison
This generates a warning for "if (likely(foo) & bar) {". It only triggers
one warning which is in lib/lz4/lz4_decompress.c and it's a false positive.
202 } while (likely(endOnInput
203 ? ip < iend - RUN_MASK
204 : 1) & (s == 255));
But it's a quite high quality false positive so that's okay.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 28 May 2024 11:09:53 +0000 (28 14:09 +0300)]
unlikely_parens: add a check for putting the parentheses in the wrong place
The bug here would look like:
bad: if (unlikely(frob(x)) >= 0)
good: if (unlikely(frob(x) >= 0))
Reported-by: Mateusz Guzik <mjguzik@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 24 May 2024 08:41:17 +0000 (24 11:41 +0300)]
mixing_irq_and_irqsave: warn about mixing _irq() and _irqsave()
It seldom makes sense to mix spinlock_irq() and spinlock_irqsave(). The
one is for when we know IRQs are not disabled and the other is for when
they are. It can't be both.
These warning are mostly not bugs, but just places which should be changed
to _irq(). Except changing to _irgsave() is potentially safer. The point
is the either works. It's just sloppy and wrong to mix them.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Andrey Albershteyn [Fri, 10 May 2024 15:12:14 +0000 (10 17:12 +0200)]
pre-proc: use uname() syscall instead of invoking uname
Not all systems have uname at /bin/uname and using uname() directly
seems to be a better case than spawning shell.
The utsname.sysname seems to be returning different name ("Linux"
instead of "GNU/Linux") but this doesn't seem to be a problem.
"uname -o" does seem to be returning HOST_OPERATING_SYSTEM and
utsname.sysname being defined as KERNEL_NAME.
Signed-off-by: Andrey Albersteyn <aalbersh@redhat.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Sat, 27 Apr 2024 10:22:37 +0000 (27 13:22 +0300)]
db/fixup_kernel.sh: fix clear_user() handling
There are two changes here:
1) Switch from double quotes to single quotes. Atin Bainada reported that
this was still an issue.
2) Add a grep -v '\['. Apparently current versions of smatch are able to
determine some of these relationship automatically and this code was
recording bogus relationships like: "1-u64max[==$1][<=$1]" when it
should have just been "1-u64max[==$1]".
Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 26 Apr 2024 20:30:38 +0000 (26 23:30 +0300)]
db/fixup_kernel.sh: add kmalloc_noprof()
kmalloc() is now a macro and the function on my system is now called
kmalloc_noprof(). Add it.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 26 Apr 2024 20:28:39 +0000 (26 23:28 +0300)]
db/fixup_kernel.sh: use single quotes
Atin Bainada reported that these double quote lines were causing parse
errors. I expect there is a new version of bash or sqlite which is
causing the issue? Anyway, it's simple enough to fix it.
Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 26 Apr 2024 20:21:05 +0000 (26 23:21 +0300)]
db/fixup_kernel: delete bogus code
There are a few things to note about this line:
1) Atin Bainada reported that I used the wrong quotes (double instead of
single) so it causes a SQL error. It's strange the it works on my
system.
2) The line doesn't isn't required any more because of other improvements
so now gfs2_ea_find() seems to be parsed correctly.
3) Also the type should have been updated from 101 to 501 so it doesn't do
anything.
Since it isn't required then delete it.
Reported-by: Atin Bainada
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 15 Apr 2024 10:43:33 +0000 (15 13:43 +0300)]
kernel.return_fixes: add mipi_dsi_device_transfer(), timer_delete() and get_device()
The interesting function here is get_device(). It returns the parameter
that was passed in but it does some complicated pointer math to get there.
The problem with mipi_dsi_device_transfer() is the typical thing where
it returns an unknown long, but actually it can't return negatives except
error codes or positives above INT_MAX.
For some reason Smatch was parsing timer_delete() as returning zero. Was
this a fundamental problem or because of the bugs in smatch_implied.c???
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 12 Apr 2024 13:52:48 +0000 (12 16:52 +0300)]
implied: try again in get_tf_stacks_from_pool()
This reverts the code back almost to what it was a month ago or whatever...
The problem that you can have a merged state which looks the same as a
leaf state but we only wanted to deal with leaf states. So add a check
for that. Simple enough.
But then it only makes sense to check the ->possible list for merged
states. Skipping that some how broke the parsing of the contains_operator()
function.
So this change basically takes it back to the old code except for the
new is_leaf() check.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:57:56 +0000 (11 12:57 +0300)]
buf_size: add kmalloc_noprof()
These days kmalloc() is just a wrapper around kmalloc_noprof().
(Ideally I would re-write this check to use the information from
smatch_allocations.c but I haven't gotten around to it yet).
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:56:06 +0000 (11 12:56 +0300)]
comparison: add support for COMPARE_LIMIT
I'm committing this code long after I actually made this change so I had
to look up what the logic is. The comments are kind of crap... The
difference between PARAM_COMPARE and COMPARE_LIMIT is PARAM_COMPARE only
looks at unmodified parameters where COMPARE_LIMIT looks at the values at
the end of the function as in "*offset <= length".
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:49:57 +0000 (11 12:49 +0300)]
allocations: add some more allocation functions
The really important ones are that kmalloc() is now just a wrapper around
kmalloc_noprof().
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:48:36 +0000 (11 12:48 +0300)]
struct_assignment: use the ->zeroed flag from allocations
The struct assignment tracks when we assign a zeroed buffer to a struct.
Basically the current code said that kcalloc() returns zero and in the
kernel if it has "zalloc" name then it's zero. This works when it works,
but now we have better data in smatch_allocations.c so we can use that
instead.
I had to add support for early allocation hooks to do this.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:42:41 +0000 (11 12:42 +0300)]
function_hooks: remove some dead code
The starting values for the 'left' side of an assignment are not important
and not used. Delete.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 11 Apr 2024 09:39:40 +0000 (11 12:39 +0300)]
implied: remove some dead code
I had intended to move this as part of the previous commit but I screwed
up. Fortunately, I think it's dead code.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 9 Apr 2024 13:09:05 +0000 (9 16:09 +0300)]
implied: fix get_tf_stacks_from_pool()
I completely broke get_tf_stacks_from_pool(). Leaf nodes rarely ever have
have ->left or ->right so this basically finds no implications.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 8 Apr 2024 15:47:37 +0000 (8 18:47 +0300)]
implied: fix leaf checking
Hm... I thought I had committed this. The interesting part of this is
in get_tf_stacks_from_pool(). What happens is that when we're parsing
return statements then we take the string "ret = 1" or "ret = 0-u64max"
and then we look at all the leaf nodes where that is true.
However, actually it wasn't checking leaf nodes, it was checking merged
nodes as well. And when we merge 1 and 0-u64max then the merged range
is still 0-u64max. So we end up saying there basically are no implication
on that path. (The 0-u64max value might not be the interesting bit, it's
just a marker for the path and there might be interesting implications on
that path).
The is_merged() -> is_leaf() change in sm_in_keep_leafs() is just for
correctness and might not fix a real life bug at all.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 8 Apr 2024 15:37:20 +0000 (8 18:37 +0300)]
flow: bail out earlier on parsing giant arrays
The drivers/net/wireless/realtek/rtw89/rtw8851b_table.c file has a bunch
of arrays which are giant. The first one is 976 elements. When you were
doing an --info run then it took Smatch over an hour to parse that file.
And actually the information we're saving is kind of garbage. Instead of
saying 0-s32max it ends up being some list of numbers with a ... on the
end. "0,4,7,1999, 2000, ...".
This function does a weird thing where it treats globals differently from
local variables. I feel like I probably did that because globals are
often huge and parsing them is slow... But really I think that ideally
we would use __split_expr().
Anyway, what I've done here is that I've said if the array is more than 256
elements then do:
my_array[unknown()] = unknown();
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 8 Apr 2024 15:28:01 +0000 (8 18:28 +0300)]
helper: cache get_member_name()
I've been calling get_member_name() more and more often so it's worth
caching the results. That means that instead of allocating a permanent
string, I need to allocate and sname string which is not freed until the
end of the function. The callers used to be responsible for freeing the
returned string but now they must leave it alone.
Some of the callers return the string again, so sometimes I just allocate
a new string in that situation.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 8 Apr 2024 15:08:38 +0000 (8 18:08 +0300)]
conditions: fix parsing expression statements with a cast
When smatch sees an expression statement like:
foo = ({frob(); frob(); frob(); 1;});
Then it tries to parse the frob(); frob(); frob(); and create a fake
"foo = 1;" assignment. The problem arises when there is a cast in front
of the expression statement:
foo = (void *)({frob(); frob(); frob(); 1;});
I wrote the original code this way because originally strip_expr() would
have stripped away the cast and the (). Also, although I didn't care about
it at the time, it's not right to ignore casts.
To fix it, I've created a new strip_expr_cast() function which separates
out the casts and returns them. (There would be a string of casts like
"(void *)(unsigned long)"). Then we add the casts back as the final
step:
foo = (void *)(unsigned long)1;
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 4 Apr 2024 15:22:01 +0000 (4 18:22 +0300)]
math: add a short cut for fake calls in handle_call_rl()
I don't know if this is speed up, but that was the intention here.
Hopefully, it's not a slow down.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 4 Apr 2024 15:19:35 +0000 (4 18:19 +0300)]
kernel_printf: update to the latest kernel
It used to that only %p4cc was allowed but now it can be %p4c[bchlr].
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 4 Apr 2024 15:14:20 +0000 (4 18:14 +0300)]
get_user_overflow: "x + 0" doesn't overflow
Silence some false positives where it warns that value plus zero will
overflow.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Javier Carrasco [Mon, 1 Apr 2024 20:45:12 +0000 (1 22:45 +0200)]
Documentation/smatch: fix typo in submitting-patches.md
Fix a small typo in the smatch documentation about the patch submission
process.
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Javier Carrasco [Mon, 1 Apr 2024 20:45:11 +0000 (1 22:45 +0200)]
Documentation/smatch: convert to RST
Convert existing smatch documentation to RST, and add it to the index
accordingly.
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Javier Carrasco [Mon, 1 Apr 2024 20:45:10 +0000 (1 22:45 +0200)]
Documentation/smatch: fix paths in the examples
A few examples use the '~/progs/smatch/devel/smatch_scripts/' path,
which seems to be a local reference that does not reflect the real
paths in the project (one would not expect 'devel' inside 'smatch').
Use the generic '~/path/to/smatch_dir/' path, which is already used
in some examples.
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 26 Mar 2024 09:35:58 +0000 (26 12:35 +0300)]
db: insert line numbers into INTERNAL return states
This seems like good information. I added this, but I've never actually
used this. But I still feel like I might... :)
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 22 Mar 2024 10:36:22 +0000 (22 13:36 +0300)]
db: fix splitting implications
How this looks like to the user, is that you end up losing some return
states. In one particular example, Smatch said that xt_mttg_seq_next()
always dereferences *ppos, but actually there is a if statement. We lost
those states.
Originally ->merged states were not leaf states but then when we started
faking states that changed and now we have ->leaf and is_leaf() to mark
leaf states. This code should be using is_leaf() too look for leaf states
instead of checking ->merged.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Harshit Mogalapalli [Wed, 20 Mar 2024 10:07:38 +0000 (20 03:07 -0700)]
kernel_user_data: add ceph_decode_n() as returning user data
After this patch: verified couple of instances where we have code like:
foo = ceph_decode_8(bar)
net/ceph/messenger_v2.c:521 decode_preamble()
user rl: 'desc->fd_tag' = '0-255'
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:40:00 +0000 (5 16:40 +0300)]
new_bugs.pl: add a -d <dir> option
By default this script stores everything in old_warnings/ but make it
configurable option.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:37:46 +0000 (5 16:37 +0300)]
fixup_kernel.sh: remove some calls to (struct device_attribute)->show
The drivers which call (struct device_attribute)->show() are weird and
it's easiest to just ignore them.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:36:12 +0000 (5 16:36 +0300)]
db/kernel.return_fixes: add some comparisons
I was trying to track more relationships so I added these functions.
There is really just a random tiny sample of the work that needs to be
done. I'm only committing it to shrink my diff with the released code.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:33:47 +0000 (5 16:33 +0300)]
db/smdb.py: add "irq" option
This displays the call tree where a function is called in IRQ context.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:26:26 +0000 (5 16:26 +0300)]
db/fixup_kernel.sh: fix kstrtoint() functions
Smatch takes short cuts handling loops and that ended up meaning that
kstrtoint() type functions were recorded as setting the USER_DATA to 0-15
instead of s32min-s32max or whatever the function type was.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:24:21 +0000 (5 16:24 +0300)]
locking: add some hardcoded locks
Add some IGNOREs and hard code mt7530_mutex_lock/unlock() behavior.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 5 Mar 2024 13:22:02 +0000 (5 16:22 +0300)]
scoped cleanup: update because of sound/ changes
The sound/ subsystem has started using _scoped() locking pretty
extensively all of a sudden. This patch fixes up the fallout from that.
The bits of this patch are all stuff that I have done before:
In preempt_info.c some of those destructor functions look like they might
be conditional when actually, in real life, they are not. I guess you
could set them up to be... But why? And even if you did make them
conditional we would still prefer to assume they unlocked rather than do
nothing because it silences false positives. This silences sleeping in
atomic warnings.
The db/kernel.return_fixes change is the same thing. From reading the code
it looks like those functions can fail but they cannot. This silences
uninitialized variable warnings.
The complicated bit is in check_locking.c. I had previously written code
to handle class_mutex_destructor(). However it turned out that it didn't
handle all mutex destructors correctly so it led to double lock false
positives. The original code did handle class_rwsem_write_destructor()
correctly though so that was handy.
Obviously, it took me some time to patch up all this fall out. Everyone
would prefer if the code worked correctly the first time without
modification. I don't really see a way to magic up a solution to make
that happen. I continue to believe that eventually the common locks will
be handled and I won't have to keep editing stuff to fix _scoped()
breakage.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 29 Feb 2024 13:57:41 +0000 (29 16:57 +0300)]
kvmalloc_NOFS: silence "does not make sense for no sleep code" false positives
The GFP flags were recently re-worked and Smatch is too stupid to figure
out the current value of the __GFP_DIRECT_RECLAIM flag.
Disable this check if the GFP_DIRECT_RECLAIM() function fails.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 29 Feb 2024 13:53:17 +0000 (29 16:53 +0300)]
helper: fix crashing bug in token_to_ul()
The token_to_ul() function is really rubbish... It basically lets you
parse a define which is a constant but has some parentheses around it.
I'm not sure exactly how parsing constants is supposed to be done.
I'm going to have to figure that out because the new GFP_ defines are
BIT() calls instead of simple constants.
But for now just stop the token_to_ul() function from crashing due to
recursion.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Tue, 27 Feb 2024 12:43:05 +0000 (27 15:43 +0300)]
kernel_xa_err: handle xa_is_err() and xa_err() a little bit better
Ideally, xa_err() would be handled like error pointers, but that is kind of
a lot of work. For example, I massage the output of error pointers so
they are displayed as negatives. Ugh... As I'm writing this, I realize
that probably I will need to change ptr_max to be lower to accommodate
xa_errors... I already wish I had more bits to handle mtags on 32bit
systems... *sigh* The other thing which is different about pointer errors
is that they're just casts so they're easier to handle instead of the
"(err << 2) | 2" transforms that xa_err() does.
So this patch is really just a starting point for handling xa_err(). It's
not as widely used as error pointers so I don't know how much work I'm
going to have to do to make this work adequately...
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 26 Feb 2024 14:25:36 +0000 (26 17:25 +0300)]
kernel: handle scoped_guard(spinlock_irq ...)
Add the preempt_disable bits to check_preempt_info.c and the lock_ptr bits
to kernel.return_fixes.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 23 Feb 2024 09:53:46 +0000 (23 12:53 +0300)]
kernel.ignore_casted_params: add some more set_bit() functions
This is just more set_bit() stuff. Nothing controversial.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Fri, 23 Feb 2024 08:57:15 +0000 (23 11:57 +0300)]
implied: add the correct expression to the debug output
The debug output is confusing if we don't pass the expression to
set_implied_states().
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Thu, 22 Feb 2024 05:55:14 +0000 (22 08:55 +0300)]
db/kernel.return_fixes: add cred scoped guard annotations
There is a new scoped_guard(cred, ovl_creds(dentry->d_sb)) function which
needs to be annotated.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 15:22:36 +0000 (19 18:22 +0300)]
mtag: fix a bug on 32 bit systems
When Smatch is creating mtags it was working on u64 values, but it
should be working on unsigned long values. Otherwise what happens is
that the caller is like, "this is an invalid pointer, let's just say we
don't know what this function can return". This leads to confusing error
pointer false positives on 32 bit systems.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:33:57 +0000 (19 12:33 +0300)]
kernel_irq_context: add (struct irqaction)->handler as an ignored function
We already track the IRQ handler so this information is not useful and
it's possibly wrong for our needs. (We want to ignore threaded IRQs).
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:32:42 +0000 (19 12:32 +0300)]
kernel_irq_context: mark the IRQ handler in the function
This information makes debugging sleeping in atomic warnings easier.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:30:28 +0000 (19 12:30 +0300)]
points_to_user_data: Add __wbuf() as setting a user buffer
This is a samba/cifs thing. Add it as a user pointer function.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:28:01 +0000 (19 12:28 +0300)]
double_checking: ignore known/constant conditions
There is no point about warning about these because they were known the
first time so it's okay that they're known the second time. It's not
useful information.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:25:57 +0000 (19 12:25 +0300)]
err_ptr_deref: silence impossible checks
I think this was just a bandaid to cover over some other bugs. Those
bugs are hopefully addressed now. However, it can't really hurt to
silence these warnings.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Dan Carpenter [Mon, 19 Feb 2024 09:23:43 +0000 (19 12:23 +0300)]
function_hooks: add missing return states
There seems to be some kind of mismatch here where fake_a_param_assignment()
seems to think we could fake a parameter assignment, but then we pop
the ->fake_param_assign_stack and there wasn't any assignment set. The
truth is that I didn't really investigate why that mismatch exists.
Instead, I just said that if we don't have an assignment, then use the
returned value like we normally would. This is a good thing to do anyway.
Although it might have been interesting to do that investigation and
possibly there are additional changes we could make as well? Who knows.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>