| blob | 7442712db6cdd8380d97da059c299f19d3ef662b |
1 #!/bin/bash
11 /* we only care about the main ->read/write() functions. */
12 delete from caller_info where function = '(struct file_operations)->read' and caller != 'vfs_read';
13 delete from caller_info where function = '(struct file_operations)->write' and caller != 'vfs_write';
14 delete from function_ptr where function = '(struct file_operations)->read';
15 delete from function_ptr where function = '(struct file_operations)->write';
16 delete from caller_info where function = '(struct file_operations)->write' and caller = 'do_loop_readv_writev';
17 delete from caller_info where caller = '__kernel_write';
18 delete from caller_info where function = 'do_splice_from' and caller = 'direct_splice_actor';
19 delete from caller_info where function = 'vfs_write' and type = 8017 and parameter = 0;
20 delete from caller_info where function = 'vfs_read' and type = 8017 and parameter = 0;
22 /* delete these function pointers which cause false positives */
23 delete from caller_info where function = '(struct file_operations)->open' and type != 0;
24 delete from caller_info where function = '(struct notifier_block)->notifier_call' and type != 0;
25 delete from caller_info where function = '(struct mISDNchannel)->send' and type != 0;
26 delete from caller_info where function = '(struct irq_router)->get' and type != 0;
27 delete from caller_info where function = '(struct irq_router)->set' and type != 0;
28 delete from caller_info where function = '(struct net_device_ops)->ndo_change_mtu' and caller = 'i40e_dbg_netdev_ops_write';
29 delete from caller_info where function = '(struct timer_list)->function' and type != 0;
30 delete from caller_info where function = '(struct work_struct)->func' and type != 0;
32 /* 8017 is USER_DATA and 9017 is USER_DATA_SET */
33 delete from caller_info where function = 'dev_hard_start_xmit' and type = 8017;
34 delete from return_states where function='vscnprintf' and type = 9017;
35 delete from return_states where function='scnprintf' and type = 9017;
36 delete from return_states where function='vsnprintf' and type = 9017;
37 delete from return_states where function='snprintf' and type = 9017;
38 delete from return_states where function='sprintf' and type = 9017;
39 delete from return_states where function='vscnprintf' and type = 8017;
40 delete from return_states where function='scnprintf' and type = 8017;
41 delete from return_states where function='vsnprintf' and type = 8017;
42 delete from return_states where function='snprintf' and type = 8017;
43 delete from return_states where function='sprintf' and type = 8017;
44 delete from return_states where function='poly1305_update' and type = 8017 and key = '\$->buflen';
45 /* There is something setting skb->sk->sk_mark and friends to user_data and */
46 /* because of recursion it gets passed to everything and is impossible to debug */
47 delete from caller_info where function = '__dev_queue_xmit' and type = 8017;
48 delete from caller_info where function = '__netdev_start_xmit' and type = 8017;
49 delete from caller_info where function = '(struct net_device_ops)->ndo_start_xmit' and type = 8017;
50 delete from caller_info where function = '(struct net_device_ops)->ndo_start_xmit' and type = 9018;
51 delete from caller_info where function = '(struct ieee80211_ops)->tx' and type = 8017;
52 delete from caller_info where function = '(struct ieee80211_ops)->tx' and type = 9018;
53 delete from caller_info where function = '(struct inet6_protocol)->handler' and type = 8017;
54 delete from caller_info where function = '(struct inet6_protocol)->handler' and type = 9018;
55 delete from caller_info where function = '__udp6_lib_rcv' and (type = 8017 or type = 9018);
56 delete from caller_info where function = 'udpv6_rcv' and (type = 8017 or type = 9018);
57 delete from caller_info where function = '(struct packet_type)->func' and type = 8017;
58 delete from caller_info where function = '(struct bio)->bi_end_io' and type = 8017;
59 delete from caller_info where function = '(struct mISDNchannel)->recv' and type = 8017;
60 delete from caller_info where type = 8017 and key = '*\$->bi_private';
61 delete from caller_info where type = 8017 and key = '\$->bi_private';
62 delete from caller_info where caller = 'NF_HOOK_COND' and type = 8017;
63 delete from caller_info where caller = 'NF_HOOK' and type = 8017;
64 delete from caller_info where caller = 'bus_for_each_drv' and type = 8017;
65 /* comparison doesn't deal with chunks, I guess. */
66 delete from return_states where function='get_tty_driver' and type = 8017;
67 delete from caller_info where caller = 'snd_ctl_elem_write' and function = '(struct snd_kcontrol)->put' and type = 8017;
68 delete from caller_info where caller = 'snd_ctl_elem_read' and function = '(struct snd_kcontrol)->get' and type = 8017;
69 delete from caller_info where function = 'nf_tables_newexpr' and type = 8017 and key = '\$->family';
70 delete from caller_info where caller = 'fb_set_var' and function = '(struct fb_ops)->fb_set_par' and type = 8017 and parameter = 0;
71 delete from caller_info where caller = 'f_audio_complete' and function = '(struct usb_audio_control)->set' and type = 8017;
72 delete from return_states where function = 'tty_lookup_driver' and parameter = 2 and type = 8017;
73 delete from caller_info where function = 'iomap_apply' and type = 8017 and key = '*\$';
74 delete from caller_info where function = '(struct inet6_protocol)->handler' and type = 9018;
75 delete from caller_info where function = 'do_dentry_open param 2' and type = 8017;
76 delete from caller_info where function = 'do_dentry_open param 2' and type = 9018;
77 delete from caller_info where function = 'param_array param 7' and type = 9018;
78 # this is just too complicated for Smatch. See how snd_ctl_find_id() is called.
79 delete from caller_info where function = 'snd_ctl_notify_one' and type = 8017;
80 #temporary. Just to fix recursion
81 delete from caller_info where caller = 'ecryptfs_mkdir' and type = 8017;
83 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 0, '\$', '1');
84 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 1, '\$', '1');
85 insert into caller_info values ('userspace', '', 'compat_sys_ioctl', 0, 0, 8017, 2, '\$', '1');
87 delete from caller_info where function = '(struct timer_list)->function' and parameter = 0;
89 /*
90 * rw_verify_area is a very central function for the kernel. The 1000000000
91 * isn't accurate but I've picked it so that we can add "pos + count" without
92 * wrapping on 32 bits.
93 */
94 delete from return_states where function = 'rw_verify_area';
95 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 0, -1, '', '');
96 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 104, 2, '*\$', '0-1000000000');
97 insert into return_states values ('faked', 'rw_verify_area', 0, 1, '0-1000000000[<=\$3]', 0, 103, 3, '\$', '0-1000000000');
98 insert into return_states values ('faked', 'rw_verify_area', 0, 2, '(-4095)-(-1)', 0, 0, -1, '', '');
100 delete from return_states where function = 'is_kernel_rodata';
101 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 0, -1, '', '');
102 insert into return_states values ('faked', 'is_kernel_rodata', 0, 1, '1', 0, 103, 0, '\$', '4096-ptr_max');
103 insert into return_states values ('faked', 'is_kernel_rodata', 0, 2, '0', 0, 0, -1, '', '');
105 /*
106 * Other kmalloc hacking.
107 */
108 delete from return_states where function = 'vmalloc';
109 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0, 0, -1, '', '');
110 insert into return_states values ('faked', 'vmalloc', 0, 1, '4096-ptr_max', 0, 103, 0, '\$', '1-128000000');
111 insert into return_states values ('faked', 'vmalloc', 0, 2, '0', 0, 0, -1, '', '');
113 delete from return_states where function = 'ksize';
114 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 0, -1, '', '');
115 insert into return_states values ('faked', 'ksize', 0, 1, '0', 0, 103, 0, '\$', '16');
116 insert into return_states values ('faked', 'ksize', 0, 2, '1-4000000', 0, 0, -1, '', '');
118 update return_states set return = '0-8' where function = '__arch_hweight8';
119 update return_states set return = '0-16' where function = '__arch_hweight16';
120 update return_states set return = '0-32' where function = '__arch_hweight32';
121 update return_states set return = '0-64' where function = '__arch_hweight64';
123 /*
124 * Preserve the value across byte swapping. By the time we use it for math it
125 * will be byte swapped back to CPU endian.
126 */
134 delete from return_states where function = 'bitmap_allocate_region' and return = '1';
135 /* Just delete a lot of returns that everyone ignores */
136 delete from return_states where file = ${DRIVERS_PCI_ACCESS} and (return >= 129 and return <= 137);
137 delete from return_states where function = 'pci_bus_read_config_byte' and return != '0';
138 delete from return_states where function = 'pci_bus_read_config_word' and return != '0';
139 delete from return_states where function = 'pci_bus_read_config_dword' and return != '0';
141 /* Smatch can't parse wait_for_completion() */
142 update return_states set return = '(-108),(-22),0' where function = '__spi_sync' and return = '(-115),(-108),(-22)';
144 /* We sometimes use pre-allocated 4097 byte buffers for performance critical code but pretend it is always PAGE_SIZE */
145 update caller_info set value = 4096 where caller='kernfs_file_direct_read' and function='(struct kernfs_ops)->read' and type = 1002 and parameter = 1;
146 /* let's pretend firewire doesn't exist */
147 delete from caller_info where caller='init_fw_attribute_group' and function='(struct device_attribute)->show';
148 /* and let's fake the next dev_attr_show() call entirely */
149 delete from caller_info where caller='sysfs_kf_seq_show' and function='(struct sysfs_ops)->show';
150 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 0, '\$', '4096-ptr_max');
151 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1002, 2, '\$', '4096');
152 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 1001, 2, '\$', '4096-ptr_max');
153 insert into caller_info values ('fake', 'sysfs_kf_seq_show', '(struct sysfs_ops)->show', 0, 0, 0, -1, '' , '');
154 /* config fs confuses smatch a little */
155 update caller_info set value = 4096 where caller='fill_read_buffer' and function='(struct configfs_item_operations)->show_attribute' and type = 1002 and parameter = 2;
157 /* smatch sees the memset() but not the subsequent changes */
158 update return_states set value = "" where function = 'gfs2_ea_find' and return = '0' and type = 101 and parameter = 3;
160 delete from type_value where type = '(struct fd)->file';
161 delete from type_value where type = '(struct fd)->flags';
163 /* This is sometimes an enum or a u64 */
164 delete from type_value where type = '(struct mc_cmd_header)->status';
166 /* this is handled in check_kernel.c */
167 delete from return_states where function = "__write_once_size";
169 update return_states set value = "s32min-s32max[\$1]" where function = 'atomic_set' and parameter = 0 and type = 1025;
171 /* other atomic stuff */
172 delete from return_states where function = 'sg_common_write' and type = 8023;
173 delete from return_states where function = 'schedule' and type = 8024;
174 delete from return_states where function = '__mutex_lock_common' and type = 8024;
175 delete from return_states where function = 'mutex_unlock' and type = 8024;
176 delete from return_states where function = 'printk' and type = 8024;
177 delete from return_states where function = 'vsnprintf' and type = 8024;
179 update return_states set return = '0-32,2147483648-2147483690' where function = '_parse_integer' and return = '0';
180 update return_states set value = '0-u64max' where function = '_parse_integer' and type = 1025 and parameter = 2 and key = '*$';
181 update return_states set value = '0-s32max' where function = 'dm_split_args' and type = 1025 and parameter = 0 and key = '*$';
182 update return_states set value = '(-4095)-0' where function = 'usb_submit_urb' and return ='0' and type = 1025 and parameter = 0 and key = '\$->status';
184 /* delete some function pointers which are sometimes byte units */
185 delete from caller_info where function = '(struct i2c_algorithm)->master_xfer' and type = 1027;
187 /* this if from READ_ONCE(). We can't know anything about the data. */
188 delete from type_info where key = '(union anonymous)->__val';
190 /* This is RIO_BAD_SIZE */
193 /* Smatch sucks at loops */
194 delete from return_states where function = 'ata_dev_next' and type = 103;
196 /* The problem is that parsing big function pointers is hard. */
197 delete from return_states where function = 'vfs_get_tree' and type = 1024;
199 /* Locking stuff goes here. */
200 update return_states set parameter = -1, key = '\$' where function = 'ipmi_ssif_lock_cond' and type = 8020 and parameter = 1;
201 update return_states set parameter = 1, key = '\$->tree->tree_lock' where function = 'hfs_find_init' and type = 8020 and parameter = 0;
202 delete from return_states where function = '__oom_kill_process' and type = 8021;
204 /* These can not return NULL */
205 delete from return_states where function='ext4_append' and return = '0';
207 /* Smatch doesn't understand the allocation in genl_family_rcv_msg_attrs_parse() */
208 delete from type_size where type = '(struct genl_info)->attrs';
210 delete from return_states where function = 'fib6_tables_dump' and return = '1';
212 insert into function_ptr values ("fixup_kernel.sh", "r get_handler()", "ioctl_standard_call ptr param 4", 1);
213 insert into function_ptr values ("fixup_kernel.sh", "r get_handler()", "ioctl_standard_iw_point param 3", 1);
215 /* device_add() returns too many states so delete stuff */
216 delete from return_states where function = '__device_attach' and type = 1012;
218 delete from return_states where function = 'bus_for_each_dev' and return = '1';
219 /* This matches the wrong function pointers with the wrong data pointer. */
220 /* Delete it until it can be handled correctly. */
221 delete from caller_info where function = 'device_for_each_child' and type != 0;
223 /* The only work queue we care about is process_one_work() */
224 delete from caller_info where caller = 'cache_set_flush' and function = '(struct work_struct)->func';
225 delete from caller_info where caller = 'sctp_inq_push' and function = '(struct work_struct)->func';
227 /* dev_err() stores that dev->[class,bus,driver] is not an error pointer (useless info). */
228 delete from return_states where function = '__dev_printk' and type = 103;
230 EOF
232 for i in $(echo "select distinct return from return_states where function = 'clear_user';" | sqlite3 $db_file ) ; do
233 echo "update return_states set return = \"$i[<=\$1]\" where return = \"$i\" and function = 'clear_user';" | sqlite3 $db_file
234 done
236 echo "select distinct file, function from function_ptr where ptr='(struct rtl_hal_ops)->set_hw_reg';" \
241 continue
242 fi
246 where function = '(struct rtl_hal_ops)->set_hw_reg' and file like 'drivers/net/wireless/rtlwifi/$drv/%';" \
247 | sqlite3 $db_file
249 echo "insert into function_ptr values ('$file', '$function', '$drv (struct rtl_hal_ops)->set_hw_reg', 1);" \
250 | sqlite3 $db_file
251 done
260 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 103, 0, '\$', '1-4000000');
261 insert into return_states values ('faked', '$func', 0, 2, '4096-ptr_max', 0, 1037, -1, '', 400);
264 EOF
266 done
268 # it's easiest to pretend that invalid kobjects don't exist
269 ID=$(echo "select distinct(return_id) from return_states where function = 'kobject_init' order by return_id desc limit 1;" | sqlite3 $db_file)
270 echo "delete from return_states where function = 'kobject_init' and return_id = '$ID';" | sqlite3 $db_file