2 * Copyright (C) 2010 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * This is kernel specific stuff for smatch_extra.
24 #include "smatch_slist.h"
25 #include "smatch_extra.h"
27 static int implied_err_cast_return(struct expression
*call
, void *unused
, struct range_list
**rl
)
29 struct expression
*arg
;
31 arg
= get_argument_from_call_expr(call
->args
, 0);
32 if (!get_implied_rl(arg
, rl
))
33 *rl
= alloc_rl(ptr_err_min
, ptr_err_max
);
35 *rl
= cast_rl(get_type(call
), *rl
);
39 static void hack_ERR_PTR(struct symbol
*sym
)
42 struct smatch_state
*estate
;
43 struct range_list
*after
;
57 if (!sym
|| !sym
->ident
)
59 if (strcmp(sym
->ident
->name
, "ERR_PTR") != 0)
62 arg
= first_ptr_list((struct ptr_list
*)sym
->ctype
.base_type
->arguments
);
63 if (!arg
|| !arg
->ident
)
66 estate
= get_state(SMATCH_EXTRA
, arg
->ident
->name
, arg
);
68 after
= alloc_rl(low_error
, minus_one
);
70 after
= rl_intersection(estate_rl(estate
), alloc_rl(low_error
, zero
));
71 if (rl_equiv(estate_rl(estate
), after
))
74 set_state(SMATCH_EXTRA
, arg
->ident
->name
, arg
, alloc_estate_rl(after
));
77 static void match_param_valid_ptr(const char *fn
, struct expression
*call_expr
,
78 struct expression
*assign_expr
, void *_param
)
80 int param
= PTR_INT(_param
);
81 struct expression
*arg
;
82 struct smatch_state
*pre_state
;
83 struct smatch_state
*end_state
;
84 struct range_list
*rl
;
86 arg
= get_argument_from_call_expr(call_expr
->args
, param
);
87 pre_state
= get_state_expr(SMATCH_EXTRA
, arg
);
88 if (estate_rl(pre_state
)) {
89 rl
= estate_rl(pre_state
);
90 rl
= remove_range(rl
, ptr_null
, ptr_null
);
91 rl
= remove_range(rl
, ptr_err_min
, ptr_err_max
);
93 rl
= alloc_rl(valid_ptr_min_sval
, valid_ptr_max_sval
);
95 end_state
= alloc_estate_rl(rl
);
96 set_extra_expr_nomod(arg
, end_state
);
99 static void match_param_err_or_null(const char *fn
, struct expression
*call_expr
,
100 struct expression
*assign_expr
, void *_param
)
102 int param
= PTR_INT(_param
);
103 struct expression
*arg
;
104 struct range_list
*pre
, *rl
;
105 struct smatch_state
*pre_state
;
106 struct smatch_state
*end_state
;
108 arg
= get_argument_from_call_expr(call_expr
->args
, param
);
109 pre_state
= get_state_expr(SMATCH_EXTRA
, arg
);
111 pre
= estate_rl(pre_state
);
113 pre
= alloc_whole_rl(&ptr_ctype
);
114 call_results_to_rl(call_expr
, &ptr_ctype
, "0,(-4095)-(-1)", &rl
);
115 rl
= rl_intersection(pre
, rl
);
116 rl
= cast_rl(get_type(arg
), rl
);
117 end_state
= alloc_estate_rl(rl
);
118 set_extra_expr_nomod(arg
, end_state
);
121 static void match_not_err(const char *fn
, struct expression
*call_expr
,
122 struct expression
*assign_expr
, void *unused
)
124 struct expression
*arg
;
125 struct smatch_state
*pre_state
;
126 struct range_list
*rl
;
128 arg
= get_argument_from_call_expr(call_expr
->args
, 0);
129 pre_state
= get_state_expr(SMATCH_EXTRA
, arg
);
131 rl
= estate_rl(pre_state
);
132 rl
= remove_range(rl
, ptr_err_min
, ptr_err_max
);
134 rl
= alloc_rl(valid_ptr_min_sval
, valid_ptr_max_sval
);
136 rl
= cast_rl(get_type(arg
), rl
);
137 /* These are implied. But implications don't work for empty states. */
140 set_extra_expr_nomod(arg
, alloc_estate_rl(rl
));
143 static void match_err(const char *fn
, struct expression
*call_expr
,
144 struct expression
*assign_expr
, void *unused
)
146 struct expression
*arg
;
147 struct smatch_state
*pre_state
;
148 struct range_list
*rl
;
150 arg
= get_argument_from_call_expr(call_expr
->args
, 0);
151 pre_state
= get_state_expr(SMATCH_EXTRA
, arg
);
152 rl
= estate_rl(pre_state
);
154 rl
= alloc_rl(ptr_err_min
, ptr_err_max
);
155 rl
= rl_intersection(rl
, alloc_rl(ptr_err_min
, ptr_err_max
));
156 rl
= cast_rl(get_type(arg
), rl
);
157 if (pre_state
&& rl
) {
159 * Ideally this would all be handled by smatch_implied.c
160 * but it doesn't work very well for impossible paths.
165 set_extra_expr_nomod(arg
, alloc_estate_rl(rl
));
168 static void match_container_of_macro(const char *fn
, struct expression
*expr
, void *unused
)
170 set_extra_expr_mod(expr
->left
, alloc_estate_range(valid_ptr_min_sval
, valid_ptr_max_sval
));
173 static void match_container_of(struct expression
*expr
)
175 struct expression
*right
= expr
->right
;
179 * The problem here is that sometimes the container_of() macro is itself
180 * inside a macro and get_macro() only returns the name of the outside
185 * This actually an expression statement assignment but smatch_flow
186 * pre-mangles it for us so we only get the last chunk:
187 * sk = (typeof(sk))((char *)__mptr - offsetof(...))
190 macro
= get_macro_name(right
->pos
);
193 if (right
->type
!= EXPR_CAST
)
195 right
= strip_expr(right
);
196 if (right
->type
!= EXPR_BINOP
|| right
->op
!= '-' ||
197 right
->left
->type
!= EXPR_CAST
)
199 right
= strip_expr(right
->left
);
200 if (right
->type
!= EXPR_SYMBOL
)
202 if (!right
->symbol
->ident
||
203 strcmp(right
->symbol
->ident
->name
, "__mptr") != 0)
205 set_extra_expr_mod(expr
->left
, alloc_estate_range(valid_ptr_min_sval
, valid_ptr_max_sval
));
208 static int match_next_bit(struct expression
*call
, void *unused
, struct range_list
**rl
)
210 struct expression
*start_arg
;
211 struct expression
*size_arg
;
213 sval_t min
, max
, tmp
;
215 size_arg
= get_argument_from_call_expr(call
->args
, 1);
216 /* btw. there isn't a start_arg for find_first_bit() */
217 start_arg
= get_argument_from_call_expr(call
->args
, 2);
219 type
= get_type(call
);
220 min
= sval_type_val(type
, 0);
221 max
= sval_type_val(type
, sizeof(long long) * 8);
223 if (get_implied_max(size_arg
, &tmp
) && tmp
.uvalue
< max
.value
)
225 if (start_arg
&& get_implied_min(start_arg
, &tmp
) && !sval_is_negative(tmp
))
227 if (sval_cmp(min
, max
) > 0)
229 min
= sval_cast(type
, min
);
230 max
= sval_cast(type
, max
);
231 *rl
= alloc_rl(min
, max
);
235 static int match_array_size(struct expression
*call
, void *unused
, struct range_list
**rl
)
237 struct expression
*size
;
238 struct expression
*count
;
239 struct expression
*mult
;
240 struct range_list
*ret
;
242 size
= get_argument_from_call_expr(call
->args
, 0);
243 count
= get_argument_from_call_expr(call
->args
, 1);
244 mult
= binop_expression(size
, '*', count
);
246 if (get_implied_rl(mult
, &ret
)) {
254 static int match_ffs(struct expression
*call
, void *unused
, struct range_list
**rl
)
256 if (get_implied_rl(call
, rl
))
261 static int match_fls(struct expression
*call
, void *unused
, struct range_list
**rl
)
263 struct expression
*arg
;
264 struct range_list
*arg_rl
;
276 arg
= get_argument_from_call_expr(call
->args
, 0);
277 if (!get_implied_rl(arg
, &arg_rl
))
279 if (rl_to_sval(arg_rl
, &sval
)) {
282 for (i
= 63; i
>= 0; i
--) {
283 if (sval
.uvalue
& 1ULL << i
)
287 *rl
= alloc_rl(sval
, sval
);
290 zero
.type
= rl_type(arg_rl
);
291 if (!rl_has_sval(arg_rl
, zero
))
293 *rl
= alloc_rl(start
, end
);
297 static void find_module_init_exit(struct symbol_list
*sym_list
)
301 struct statement
*stmt
;
307 * This is more complicated because Sparse ignores the "alias"
308 * attribute. I search backwards because module_init() is normally at
309 * the end of the file.
312 FOR_EACH_PTR_REVERSE(sym_list
, sym
) {
313 if (sym
->type
!= SYM_NODE
)
315 if (!(sym
->ctype
.modifiers
& MOD_STATIC
))
317 fn
= get_base_type(sym
);
320 if (fn
->type
!= SYM_FN
)
324 if (!fn
->inline_stmt
)
326 if (strcmp(sym
->ident
->name
, "__inittest") == 0)
328 else if (strcmp(sym
->ident
->name
, "__exittest") == 0)
335 stmt
= first_ptr_list((struct ptr_list
*)fn
->inline_stmt
->stmts
);
336 if (!stmt
|| stmt
->type
!= STMT_RETURN
)
338 name
= expr_to_var(stmt
->ret_value
);
342 sql_insert_function_ptr(name
, "(struct module)->init");
344 sql_insert_function_ptr(name
, "(struct module)->exit");
348 } END_FOR_EACH_PTR_REVERSE(sym
);
351 static void match_end_file(struct symbol_list
*sym_list
)
355 /* find the last static symbol in the file */
356 FOR_EACH_PTR_REVERSE(sym_list
, sym
) {
357 if (!(sym
->ctype
.modifiers
& MOD_STATIC
))
361 find_module_init_exit(sym
->scope
->symbols
);
363 } END_FOR_EACH_PTR_REVERSE(sym
);
366 static struct expression
*get_val_expr(struct expression
*expr
)
368 struct symbol
*sym
, *val
;
370 if (expr
->type
!= EXPR_DEREF
)
373 if (expr
->type
!= EXPR_SYMBOL
)
375 if (strcmp(expr
->symbol_name
->name
, "__u") != 0)
377 sym
= get_base_type(expr
->symbol
);
378 val
= first_ptr_list((struct ptr_list
*)sym
->symbol_list
);
379 if (!val
|| strcmp(val
->ident
->name
, "__val") != 0)
381 return member_expression(expr
, '.', val
->ident
);
384 static void match__write_once_size(const char *fn
, struct expression
*call
,
387 struct expression
*dest
, *data
, *assign
;
388 struct range_list
*rl
;
390 dest
= get_argument_from_call_expr(call
->args
, 0);
391 if (dest
->type
!= EXPR_PREOP
|| dest
->op
!= '&')
393 dest
= strip_expr(dest
->unop
);
395 data
= get_argument_from_call_expr(call
->args
, 1);
396 data
= get_val_expr(data
);
399 get_absolute_rl(data
, &rl
);
400 assign
= assign_expression(dest
, '=', data
);
403 __split_expr(assign
);
407 static void match__read_once_size(const char *fn
, struct expression
*call
,
410 struct expression
*dest
, *data
, *assign
;
411 struct symbol
*type
, *val_sym
;
415 * __read_once_size_nocheck(&(x), __u.__c, sizeof(x));
416 * into a fake assignment:
421 data
= get_argument_from_call_expr(call
->args
, 0);
422 if (data
->type
!= EXPR_PREOP
|| data
->op
!= '&')
424 data
= strip_parens(data
->unop
);
426 dest
= get_argument_from_call_expr(call
->args
, 1);
427 if (dest
->type
!= EXPR_DEREF
|| dest
->op
!= '.')
429 if (!dest
->member
|| strcmp(dest
->member
->name
, "__c") != 0)
432 type
= get_type(dest
);
435 val_sym
= first_ptr_list((struct ptr_list
*)type
->symbol_list
);
436 dest
= member_expression(dest
, '.', val_sym
->ident
);
438 assign
= assign_expression(dest
, '=', data
);
440 __split_expr(assign
);
444 static void match_closure_call(const char *name
, struct expression
*call
,
447 struct expression
*cl
, *fn
, *fake_call
;
448 struct expression_list
*args
= NULL
;
450 cl
= get_argument_from_call_expr(call
->args
, 0);
451 fn
= get_argument_from_call_expr(call
->args
, 1);
455 add_ptr_list(&args
, cl
);
456 fake_call
= call_expression(fn
, args
);
457 __split_expr(fake_call
);
460 static bool has_inc_state(const char *name
, struct symbol
*sym
)
462 static int refcount_id
;
463 struct sm_state
*sm
, *tmp
;
466 refcount_id
= id_from_name("check_refcount_info");
468 sm
= get_sm_state(refcount_id
, name
, sym
);
472 FOR_EACH_PTR(sm
->possible
, tmp
) {
473 if (strcmp(tmp
->state
->name
, "inc") == 0)
476 * &ignore counts as an inc, because that's what happens when
477 * you double increment. Not ideal.
479 if (strcmp(tmp
->state
->name
, "ignore") == 0)
481 } END_FOR_EACH_PTR(tmp
);
486 static void match_kref_put(const char *fn
, struct expression
*call_expr
,
487 struct expression
*expr
, void *_unused
)
489 struct expression
*data
, *release
, *fake_call
;
490 struct expression_list
*args
= NULL
;
495 if (call_expr
->type
!= EXPR_CALL
)
498 data
= get_argument_from_call_expr(call_expr
->args
, 0);
500 ref
= get_name_sym_from_param_key(call_expr
, 0, "$->refcount.refs.counter", &sym
);
501 if (has_inc_state(ref
, sym
))
504 release
= get_argument_from_call_expr(call_expr
->args
, 1);
506 add_ptr_list(&args
, data
);
507 fake_call
= call_expression(release
, args
);
508 add_fake_call_after_return(fake_call
);
511 static void match_kernel_param(struct symbol
*sym
)
513 struct expression
*var
;
516 /* This was designed to parse the module_param_named() macro */
520 sym
->initializer
->type
!= EXPR_INITIALIZER
)
523 type
= get_real_base_type(sym
);
524 if (!type
|| type
->type
!= SYM_STRUCT
|| !type
->ident
)
526 if (strcmp(type
->ident
->name
, "kernel_param") != 0)
529 var
= last_ptr_list((struct ptr_list
*)sym
->initializer
->expr_list
);
530 if (!var
|| var
->type
!= EXPR_INITIALIZER
)
532 var
= first_ptr_list((struct ptr_list
*)var
->expr_list
);
533 if (!var
|| var
->type
!= EXPR_PREOP
|| var
->op
!= '&')
535 var
= strip_expr(var
->unop
);
537 type
= get_type(var
);
538 update_mtag_data(var
, alloc_estate_whole(type
));
541 bool is_ignored_kernel_data(const char *name
)
545 if (option_project
!= PROJ_KERNEL
)
549 * On the file I was looking at lockdep was 25% of the DB.
551 if (strstr(name
, ".dep_map."))
553 if (strstr(name
, "->dep_map."))
555 if (strstr(name
, ".lockdep_map."))
558 if (strstr(name
, ".rwsem."))
560 if (strstr(name
, "->rwsem."))
563 if (strstr(name
, "->mutex."))
565 if (strstr(name
, "->lockdep_mutex."))
568 if (strstr(name
, ".completion.wait."))
571 if (strstr(name
, "kobj.kset-"))
573 if (strstr(name
, "power.suspend_timer."))
575 if (strstr(name
, "power.work."))
577 if (strstr(name
, ".lock.rlock."))
579 if (strstr(name
, "lockdep_mutex."))
582 if (strstr(name
, ">klist_devices."))
585 if (strstr(name
, "->m_log->"))
588 if (strstr(name
, ".wait_lock."))
590 if (strstr(name
, "regmap->lock_arg"))
592 if (strstr(name
, "kworker->task"))
594 if (strstr(name
, "->algo_data->"))
597 /* ignore mutex internals */
598 if ((p
= strstr(name
, ".rlock.")) ||
599 (p
= strstr(name
, ">rlock."))) {
601 if (strncmp(p
, "raw_lock", 8) == 0 ||
602 strcmp(p
, "owner") == 0 ||
603 strcmp(p
, "owner_cpu") == 0 ||
604 strcmp(p
, "magic") == 0 ||
605 strcmp(p
, "dep_map") == 0)
612 int get_gfp_param(struct expression
*expr
)
615 struct symbol
*arg
, *arg_type
;
618 if (expr
->type
!= EXPR_CALL
)
620 type
= get_type(expr
->fn
);
623 if (type
->type
== SYM_PTR
)
624 type
= get_real_base_type(type
);
625 if (type
->type
!= SYM_FN
)
629 FOR_EACH_PTR(type
->arguments
, arg
) {
630 arg_type
= get_base_type(arg
);
631 if (arg_type
&& arg_type
->ident
&&
632 strcmp(arg_type
->ident
->name
, "gfp_t") == 0)
635 } END_FOR_EACH_PTR(arg
);
640 static void match_function_def(struct symbol
*sym
)
644 macro
= get_macro_name(sym
->pos
);
647 if (strcmp(macro
, "TRACE_EVENT") == 0)
648 set_function_skipped();
651 static bool delete_pci_error_returns(struct expression
*expr
)
656 if (!get_value(expr
, &sval
))
658 if (sval
.value
< 0x80 || sval
.value
> 0x90)
661 macro
= get_macro_name(expr
->pos
);
665 if (strncmp(macro
, "PCIBIOS_", 8) != 0)
668 if (strcmp(macro
, "PCIBIOS_FUNC_NOT_SUPPORTED") == 0 ||
669 strcmp(macro
, "PCIBIOS_BAD_VENDOR_ID") == 0 ||
670 strcmp(macro
, "PCIBIOS_DEVICE_NOT_FOUND") == 0 ||
671 strcmp(macro
, "PCIBIOS_BAD_REGISTER_NUMBER") == 0 ||
672 strcmp(macro
, "PCIBIOS_SET_FAILED") == 0 ||
673 strcmp(macro
, "PCIBIOS_BUFFER_TOO_SMALL") == 0)
679 static bool match_with_intel_runtime(struct statement
*stmt
)
683 macro
= get_macro_name(stmt
->pos
);
686 if (strncmp(macro
, "with_intel_runtime", 18) == 0)
691 void check_kernel(int id
)
693 if (option_project
!= PROJ_KERNEL
)
696 add_implied_return_hook("ERR_PTR", &implied_err_cast_return
, NULL
);
697 add_implied_return_hook("ERR_CAST", &implied_err_cast_return
, NULL
);
698 add_implied_return_hook("PTR_ERR", &implied_err_cast_return
, NULL
);
699 add_hook(hack_ERR_PTR
, AFTER_DEF_HOOK
);
700 return_implies_state("IS_ERR_OR_NULL", 0, 0, &match_param_valid_ptr
, (void *)0);
701 return_implies_state("IS_ERR_OR_NULL", 1, 1, &match_param_err_or_null
, (void *)0);
702 return_implies_state("IS_ERR", 0, 0, &match_not_err
, NULL
);
703 return_implies_state("IS_ERR", 1, 1, &match_err
, NULL
);
704 return_implies_state("tomoyo_memory_ok", 1, 1, &match_param_valid_ptr
, (void *)0);
706 add_macro_assign_hook_extra("container_of", &match_container_of_macro
, NULL
);
707 add_hook(match_container_of
, ASSIGNMENT_HOOK
);
709 add_implied_return_hook("find_next_bit", &match_next_bit
, NULL
);
710 add_implied_return_hook("find_next_zero_bit", &match_next_bit
, NULL
);
711 add_implied_return_hook("find_first_bit", &match_next_bit
, NULL
);
712 add_implied_return_hook("find_first_zero_bit", &match_next_bit
, NULL
);
714 add_implied_return_hook("array_size", &match_array_size
, NULL
);
716 add_implied_return_hook("__ffs", &match_ffs
, NULL
);
717 add_implied_return_hook("fls", &match_fls
, NULL
);
718 add_implied_return_hook("__fls", &match_fls
, NULL
);
719 add_implied_return_hook("fls64", &match_fls
, NULL
);
721 add_function_hook("__ftrace_bad_type", &__match_nullify_path_hook
, NULL
);
722 add_function_hook("__write_once_size", &match__write_once_size
, NULL
);
724 add_function_hook("__read_once_size", &match__read_once_size
, NULL
);
725 add_function_hook("__read_once_size_nocheck", &match__read_once_size
, NULL
);
727 add_function_hook("closure_call", &match_closure_call
, NULL
);
728 return_implies_state_sval("kref_put", int_one
, int_one
, &match_kref_put
, NULL
);
730 add_once_through_hook(&match_with_intel_runtime
);
732 add_hook(&match_kernel_param
, BASE_HOOK
);
733 add_hook(&match_function_def
, FUNC_DEF_HOOK
);
736 add_hook(match_end_file
, END_FILE_HOOK
);
738 add_delete_return_hook(&delete_pci_error_returns
);