4 cat << EOF | sqlite3 $db_file
/* we only care about the main ->read/write() functions. */
/*
 * Keep (struct file_operations)->read/write caller records only where they were
 * recorded from fs/read_write.c, and drop the matching function_ptr rows so the
 * pointers are not followed anywhere else.
 */
delete from caller_info
where function in ('(struct file_operations)->read', '(struct file_operations)->write')
  and file <> 'fs/read_write.c';
delete from function_ptr
where function in ('(struct file_operations)->read', '(struct file_operations)->write');
/* __vfs_write()/__vfs_read() are only kept when reached from vfs_write()/vfs_read() */
delete from caller_info where function = '__vfs_write' and caller <> 'vfs_write';
delete from caller_info where function = '__vfs_read' and caller <> 'vfs_read';
/* delete these function pointers which cause false positives */
/* every non-zero type (i.e. everything but the plain call edge) for these pointers */
delete from caller_info
where type <> 0
  and function in (
    '(struct file_operations)->open',
    '(struct notifier_block)->notifier_call',
    '(struct mISDNchannel)->send',
    '(struct irq_router)->get',
    '(struct irq_router)->set',
    '(struct timer_list)->function'
  );
/* one specific caller of ->ndo_change_mtu is dropped regardless of type */
delete from caller_info
where caller = 'i40e_dbg_netdev_ops_write'
  and function = '(struct net_device_ops)->ndo_change_mtu';
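/* type 1003 is USER_DATA */
/*
 * Drop USER_DATA caller records that are known false positives.
 * The key column is written as '\$' because this SQL lives in an unquoted
 * shell heredoc (cat << EOF): the shell expands a bare $ before sqlite3 sees
 * the text, so the backslash is what makes the literal key a single $.
 */
delete from caller_info
where type = 1003
  and caller in ('hid_input_report', 'nes_process_iwarp_aeqe', 'oz_process_ep0_urb', 'hptiop_probe');
delete from caller_info
where type = 1003
  and key = '\$'
  and (function = 'dev_hard_start_xmit' or function like '%->ndo_start_xmit');
delete from caller_info
where type = 1003
  and caller = 'packet_rcv_fanout'
  and function = '(struct packet_type)->func'
  and parameter = 1;
delete from caller_info
where type = 1003
  and caller = 'p9_fd_poll'
  and function = '(struct file_operations)->poll';
delete from caller_info
where type = 1003
  and caller = 'proc_reg_poll'
  and function = 'proc_reg_poll ptr poll';
delete from caller_info
where type = 1003
  and function = 'blkdev_ioctl'
  and parameter = 0
  and key = '\$';
/*
 * Mark parameters 0-2 of compat_sys_ioctl() as USER_DATA. The file column is
 * set to 'userspace' so these synthetic rows are distinguishable from rows
 * recorded by the analysis. Columns are named explicitly so the row cannot be
 * silently misaligned if the caller_info schema ever gains a column.
 */
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 0, '\$', '1');
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 1, '\$', '1');
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('userspace', '', 'compat_sys_ioctl', 0, 0, 1003, 2, '\$', '1');
/* parameter 0 of a timer callback is never interesting here */
delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;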
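/*
 * rw_verify_area is a very central function for the kernel. The 1000000000
 * isn't accurate but I've picked it so that we can add "pos + count" without
 * wrapping on 32 bits.
 */
/*
 * Replace every recorded return state of rw_verify_area() with two faked ones:
 * return_id 1 is the success path (0-1000000000, capped by parameter 3, which
 * also bounds *$2 and $3), return_id 2 is the error path (-4095)-(-1).
 * '\$' and '*\$' are escaped because the enclosing shell heredoc is unquoted.
 */
delete from return_states where function = 'rw_verify_area';
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104, 2, '*\$', '0-1000000000');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3, '\$', '0-1000000000');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');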
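/*
 * Fake is_kernel_rodata(): return_id 1 returns 1 and constrains parameter 0 to
 * the 100000000-177777777 range, return_id 2 returns 0 with no constraint.
 * Explicit column lists keep the synthetic rows aligned with the schema.
 */
delete from return_states where function = 'is_kernel_rodata';
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 103, 0, '\$', '100000000-177777777');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'is_kernel_rodata', 0, 2, '0', 0, 0, -1, '', '');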
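/*
 * I am a bad person for doing this to __kmalloc() which is a very deep function
 * and can easily be removed instead of to kmalloc(). But kmalloc() is an
 * inline function so it ends up being recorded thousands of times in the
 * database. Doing this is easier.
 */
/*
 * Three faked outcomes for __kmalloc(), selected by the requested size
 * (parameter 0): return_id 1 is the 0-byte request (returns 16), return_id 2
 * is 1-4000000 bytes (NULL or a 500000000-577777777 pointer), return_id 3 is
 * an over-large request (returns 0).
 */
delete from return_states where function = '__kmalloc';
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 1, '16', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 1, '16', 0, 103, 0, '\$', '0');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 2, '0,500000000-577777777', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 2, '0,500000000-577777777', 0, 103, 0, '\$', '1-4000000');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 3, '0', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', '__kmalloc', 0, 3, '0', 0, 103, 0, '\$', '4000000-long_max');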
/*
 * Other kmalloc hacking.
 * Narrow the unconstrained (or merely non-NULL) returns of the slab helpers to
 * the same NULL-or-pointer range used for __kmalloc() above.
 */
update return_states
set return = '0,500000000-577777777'
where function in ('kmalloc_slab', 'slab_alloc_node')
  and return = 's64min-s64max';
update return_states
set return = '0,500000000-577777777'
where function in ('kmalloc_large', 'kmalloc_order_trace')
  and return <> '0';
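/*
 * Fake vmalloc(): return_id 1 is NULL or a 600000000-677777777 pointer for
 * sizes 1-128000000 (parameter 0), return_id 2 returns 0.
 */
delete from return_states where function = 'vmalloc';
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'vmalloc', 0, 1, '0,600000000-677777777', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'vmalloc', 0, 1, '0,600000000-677777777', 0, 103, 0, '\$', '1-128000000');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'vmalloc', 0, 2, '0', 0, 0, -1, '', '');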
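/*
 * Fake ksize(): return_id 1 returns 0 when parameter 0 is 16, return_id 2
 * returns 1-4000000 otherwise.
 */
delete from return_states where function = 'ksize';
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'ksize', 0, 1, '0', 0, 0, -1, '', '');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'ksize', 0, 1, '0', 0, 103, 0, '\$', '16');
insert into return_states (file, function, call_id, return_id, return, static, type, parameter, key, value)
values ('faked', 'ksize', 0, 2, '1-4000000', 0, 0, -1, '', '');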
/* store a bunch of capped functions */
/*
 * The copy_{to,from}_user() family returns the number of bytes NOT copied,
 * which can never exceed the requested length (parameter 2).
 */
update return_states
set return = '0-u32max[<=\$2]'
where function in (
    'copy_to_user',
    '_copy_to_user',
    '__copy_to_user',
    'copy_from_user',
    '_copy_from_user',
    '__copy_from_user'
  );
/* 64 CPUs aught to be enough for anyone */
update return_states set return = '1-64' where function = 'cpumask_weight';
/* popcount of an N-bit value is bounded by N */
update return_states
set return = case function
    when '__arch_hweight8' then '0-8'
    when '__arch_hweight16' then '0-16'
    when '__arch_hweight32' then '0-32'
    when '__arch_hweight64' then '0-64'
  end
where function in ('__arch_hweight8', '__arch_hweight16', '__arch_hweight32', '__arch_hweight64');
/*
 * Preserve the value across byte swapping. By the time we use it for math it
 * will be byte swapped back to CPU endian.
 */
/* the [==\$0] suffix ties the return to parameter 0; \$ is escaped for the unquoted heredoc */
update return_states
set return = case function
    when '__fswab64' then '0-u64max[==\$0]'
    when '__builtin_bswap64' then '0-u64max[==\$0]'
    when '__fswab32' then '0-u32max[==\$0]'
    when '__builtin_bswap32' then '0-u32max[==\$0]'
    when '__fswab16' then '0-u16max[==\$0]'
    when '__builtin_bswap16' then '0-u16max[==\$0]'
  end
where function in (
    '__fswab64', '__fswab32', '__fswab16',
    '__builtin_bswap64', '__builtin_bswap32', '__builtin_bswap16'
  );
/* drop the return = '1' states recorded for bitmap_allocate_region() */
delete from return_states
where function = 'bitmap_allocate_region'
  and return = '1';
/* Just delete a lot of returns that everyone ignores */
/*
 * NOTE(review): return is compared against bare integers here. If the column
 * has TEXT affinity SQLite will compare these as strings, which would also
 * match values such as '13' or '1300' - confirm the intended rows are hit.
 */
delete from return_states
where file = 'drivers/pci/access.c'
  and return >= 129
  and return <= 137;
/* get_user_pages() never returns more than the number of pages asked for (parameter 1) */
update return_states
set return = '(-4095)-s32max[<=\$1]'
where function = 'get_user_pages'
  and return = 's32min-s32max';
update return_states
set return = '(-4095)-s64max[<=\$1]'
where function = 'get_user_pages'
  and return = 's64min-s64max';
/* Smatch can't parse wait_for_completion() */
update return_states
set return = '(-108),(-22),0'
where function = '__spi_sync'
  and return = '(-115),(-108),(-22)';
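/* __kernel_write() callers are regenerated by the shell loop later in this script */
delete from caller_info where caller = '__kernel_write';
/* We sometimes use pre-allocated 4097 byte buffers for performance critical code but pretend it is always PAGE_SIZE */
update caller_info
set value = 4096
where caller = 'kernfs_file_direct_read'
  and function = '(struct kernfs_ops)->read'
  and type = 1002
  and parameter = 1;
/* let's pretend firewire doesn't exist */
delete from caller_info
where caller = 'init_fw_attribute_group'
  and function = '(struct device_attribute)->show';
/* and let's fake the next dev_attr_show() call entirely */
/*
 * The replacement rows are tagged file = 'fake' so they can be told apart from
 * recorded data; '\$' is escaped because the enclosing heredoc is unquoted.
 * Column lists are explicit so the rows cannot be silently misaligned.
 */
delete from caller_info
where caller = 'sysfs_kf_seq_show'
  and function = '(struct sysfs_ops)->show';
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 0, '\$', '4096-2117777777777777777');
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1002, 2, '\$', '4096');
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 2, '\$', '4096-2117777777777777777');
insert into caller_info (file, caller, function, call_id, static, type, parameter, key, value)
values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 0, -1, '', '');
/* config fs confuses smatch a little */
update caller_info
set value = 4096
where caller = 'fill_read_buffer'
  and function = '(struct configfs_item_operations)->show_attribute'
  and type = 1002
  and parameter = 2;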
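/* smatch sees the memset() but not the subsequent changes */
/*
 * String literals below use single quotes like the rest of this file. The
 * original used double quotes, which SQLite only accepts as a string literal
 * by falling back from an unresolved identifier; sqlite3 builds compiled with
 * SQLITE_DQS=0 reject that and fail the whole fixup with "no such column".
 */
update return_states
set value = ''
where function = 'gfs2_ea_find'
  and return = '0'
  and type = 101
  and parameter = 3;
/* struct fd members carry no useful type_value information */
delete from type_value where type in ('(struct fd)->file', '(struct fd)->flags');
/* this is handled in check_kernel.c */
delete from return_states where function = '__write_once_size';
/* atomic_set() stores its second argument (\$1) into parameter 0; \$ is escaped for the unquoted heredoc */
update return_states
set value = 's32min-s32max[\$1]'
where function = 'atomic_set'
  and parameter = 0
  and type = 1025;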
154 # fixme: this is totally broken
155 call_id
=$
(echo "select distinct call_id from caller_info where function = '__kernel_write';" | sqlite3
$db_file)
156 for id
in $call_id ; do
157 echo "insert into caller_info values ('fake', '', '__kernel_write', $id, 0, 1003, 1, '*\$', '');" | sqlite3
$db_file
160 for i
in $
(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3
$db_file ) ; do
161 echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3
$db_file
164 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
165 | sqlite3
$db_file |
sed -e 's/|/ /' |
while read file function ; do
167 drv
=$
(echo $file | perl
-ne 's/.*\/rtlwifi\/(.*?)\/sw.c/$1/; print')
168 if [ $drv = "" ] ; then
172 echo "update caller_info
173 set function = '$drv (struct rtl_hal_ops)->set_hw_reg'
174 where function = '(struct rtl_hal_ops)->set_hw_reg' and file like 'drivers/net/wireless/rtlwifi/$drv/%';" \
177 echo "insert into function_ptr values ('$file', '$function', '$drv (struct rtl_hal_ops)->set_hw_reg', 1);" \