I've added the smatch@xxxxxxxxxxxxxxx list to the CC.

On Tue, Apr 04, 2023 at 04:48:45PM +0800, Dongliang Mu wrote:
> > > > ---
> > I already sent this fix a while back.
>
> Dan,
>
> Any idea to avoid this situation: more than one person works on the same
> kernel issue at the same time?

People just have to search lore.kernel.org... I sometimes do that for
error pointer bugs and for uninitialized variables because other people
look at those as well.

In the end, I need to look at Smatch warnings every day because I'm always
changing the Smatch code so I end up patching a bunch of the bugs and
reporting the rest. There are some categories where I find it a bit
overwhelming to deal with everything like the resource leaks so I tend to
not look at those.

I'm also always writing new stuff. And it takes me overnight to rebuild my
database and test the latest kernel so I work for a bit, then test it, fix
it and then test again. It's slow. Sometimes I get sort of interesting
results but it's not quite to the point where it's useful. So I'll let the
check sit there and hope that maybe I will think of a solution. My
published tree is quite different from the released tree.

My smatch_warns.txt file is 400k lines long. 100k is stuff that I have
marked as old. 200k is "parse error: out_of_memory: sm_state_counter="
The remaining 100k is stuff that I'm working on.

I've attached the smatch_scripts/generisize.pl summary of my new warnings.
Maybe some of it will be interesting to someone or give someone ideas.

regards,
dan carpenter
216189 parse error: out_of_memory: sm_state_counter=
23195 warn: uncapped user rl to enum ''
10760 warn: assigning negative subtract to bytes: ''
6125 info: returning a literal zero is cleaner
5490 warn: '' '' implies '' is ''
5433 warn: constraint '' overflow '' <= abs_rl '' user_rl '' required = ''
4620 warn: potential integer overflow from user ''
4386 warn: plus plus leak '': is_static= is_global= has_dec= lines=''
4079 warn: risky ptr math: '' rl=''
3615 warn: crazy rl = - ulong int
3375 warn: '' other places check '' for NULL
2965 warn: untrusted user subtract: ''
2802 warn: user controlled '' cast to postive rl = ''
2174 warn: dereferencing zero sized pointer: ''
2165 warn: '' sometimes too small '' size =
1805 warn: decrementing unincremented refcount ''
1726 warn: untrusted user subtract (local): ''
1682 warn: potential integer overflow: ''
1538 warn: '' was never checked for NULL
1487 warn: potential spectre issue '' [r]
1271 warn: potential base one array underflow sm=''-''
1261 warn: potential base one array underflow sm=''
1178 warn: using error codes for math ''
1152 warn: copying '' bytes into unknown size buffer ''
1145 warn: negative user subtract: - -
1133 warn: this assumes skb->len is at least bytes (-)
1094 warn: '' from ... not released on lines: .
1088 warn: ambiguous units merge '' '' or ''
1083 warn: dead code because of '' and ''
975 warn: unlocked access '' (line ) expected lock ''
952 warn: untrusted skb->len subtract
915 warn: wrong incrementing: name='' inc= dec= sm=''inc''
857 warn: truncating user data '' ''
830 warn: potential spectre issue '' [r] (local cap)
800 warn: '' [zero= neg=] (start buckets) not decremented on lines: .
788 warn: overflowed symbol reused: ''
770 warn: potential spectre issue '' [w]
746 error: out of bounds bit '' '' to '' ''
697 warn: untrusted unsigned subtract. ''
656 warn: possible spectre second half. ''
655 warn: returning EPROBE_DEFER from non probe() function
612 warn: call of '' with non-constant format argument
591 warn: min_t truncates here '' ( vs )
589 warn: '' returns positive and negative
585 warn: truncacted user data: ''
547 error: ...() '' too small ( vs )
546 warn: potential shift to negative
531 warn: neither side of comparison is trusted ''
500 warn: possible truncation issue? vs bits.
485 warn: potential spectre issue '' [w] (local cap)
484 warn: wrong incrementing: name='' inc= dec= sm=''merged''
466 warn: crazy rl = - ulong uint
403 error: potential divide by zero bug ''.
394 warn: XXX '' both locked and unlocked.
390 warn: potential left shift more than type allows ''
386 warn: uncapped user loop: ''
384 warn: already decremented on line ''
371 warn: '' is never (-)
364 warn: was negative '' intended?
349 error: no floats in the kernel; invalid format specifier ''
343 warn: can mask fit into '' vs ''
335 warn: passing untrusted pointer ''
317 warn: double put_device() '' (see line )
297 warn: assigning negatives to bytes: '' ''
279 warn: wrong type for '' (should be '')
279 warn: kref has already been modifed (see line )
275 warn: '' could be an error pointer
256 warn: '' was set to NULL
249 warn: refcount leak '': lines=''
248 warn: '' cannot fit into ''
247 warn: comparing different units: '' ''
225 parse error: Function too hairy. Giving up. seconds
211 warn: why is the last element skipped?
208 func_time:
207 warn: check '' for negative offsets '' = . extra = ''
204 warn: AAA no lower bound on '' rl=''
197 error: potential zalloc NULL dereference: ''
196 warn: potential decrement underflow '' rl='' (iterator)
193 warn: match_shift_assignment: should '' be a bit type?
183 warn: uncapped user loop index ''
181 warn: min_t gives a negative user range '' range = ''
165 warn: crazy rl = - ullong ulong
161 warn: potential array out-of-bounds ''
150 warn: NEW missing error code ''
149 warn: Function too hairy. No more merges.
146 warn: cancel after unregister
140 warn: calling kfree() when '' is always NULL.
136 warn: reusing outside iterator: ''
134 warn: div_u() expects '' got ''
133 error: buffer underflow '' ''
124 warn: potential base one array underflow sm=''empty''
124 warn: potential user controlled iterator '' (array size vs )
122 warn: potential leaks (ret = ''): ''
120 warn: check '' for integer overflows ''
117 warn: user data truncated '' ''
116 warn: crazy rl = - ulong ushort
108 warn: uncapped user index ''
103 warn: crazy rl = - ulong long
101 warn: check that offset '' is capped properly
97 warn: uncapped user size for kmalloc() will WARN
97 warn: potential base one array underflow sm=''''
97 error: buffer overflow '' <= user_rl='' uncapped
94 warn: missing conversion: '' ''
86 warn: function puts bytes on stack
85 warn: expected subtract in snprintf limit ''
82 warn: potential NULL parameter dereference ''
79 warn: called with lock held. ''
77 warn: potential out of bound. idx=- (user controlled)
76 warn: potential decrement underflow '' rl=''
75 error: wrong number of bits for '' ( vs ) left= '' ''
71 parse error: OOM: Kb sm_state_count =
69 warn: div_u_rem() expects '' got ''
66 warn: crazy rl = - llong int
63 warn: passing bogus address: '' val =
61 warn: can '' even be NULL?
59 parse error: turning off implications after seconds
59 warn: strcpy() '' of unknown size might be too large for ''
58 warn: make sure GFP_ATOMIC set here
57 warn: using integer overflow function '' for math
56 warn: unlocked access '' expected '' (copy race)
54 warn: decrementing un-incremented counter '' s: i: m:
54 warn: OR assignment is no-op. '' is -.
53 warn: passing negative bit value '' to ''
47 warn: is larger than bits
47 warn: resource freed on success: ''
46 warn: element count is wrong '' vs ''
45 warn: use sg_next() to iterate ''
42 warn: potential out of bounds address '' user_rl=''
41 warn: potential bounds check after use ''
40 warn: possible memory leak of ''
39 warn: '' potentially NULL
36 warn: mixing irq and irqsave
34 error: undefined (user controlled) shift ''
32 warn: wrong incrementing: name='' inc= dec= sm=''dec''
32 warn: crazy rl = ulong int
31 warn: potential base one array underflow sm=''--''
30 warn: div_s() expects '' got ''
29 warn: sleeping in atomic context
29 warn: return assignment ''
27 warn: replace divide condition '' with ''
27 warn: '' puts bytes on stack
27 pedantic: propagate return from '' instead of returning ''
27 check_lock: sm = ''merged''
24 warn: can '' underflow ''
24 warn: untrusted unsigned subtract. '' user_rl=''
23 warn: crazy rl = - ulong uchar
20 warn: list_entry() does not return NULL ''
20 warn: '' isn't an ERR_PTR
19 time:
19 warn: iterator '' changed during iteration
19 warn: is array fully initialized? '' ''
18 warn: negative user subtract: -- -
17 warn: XXX pointer math issue ('' has byte in the name)
17 warn: is it ok to set '' to negative?
17 warn: negative user subtract: -
16 warn: crazy rl = - llong uint
15 warn: pass IRQF_NO_AUTOEN to request_irq() for ''
15 warn: user triggered integer overflow ''
14 error: buffer overflow '' <= subtract
14 warn: potential base one array underflow sm=''(-)-''
13 warn: mask and shift to zero: expr=''
13 warn: check '' for NULL
11 warn: mul_u_u_shr() expects '' got ''
10 warn: XXX '' [zero= neg=] not decremented on lines: .
8 warn: div_s_rem() expects '' got ''
7 warn: count down condition reversed? ''
7 warn: other places set '' to '' instead of ''
7 warn: crazy rl = ulong uint
6 warn: min_t truncates here '' ((-) vs )
5 warn: can '' overflow and turn negative?
5 warn: device not initialized ''
5 warn: mul_u_u_div() expects '' got ''
5 warn: calling '' without access_ok()
5 warn: fix integer overflow by using >=
5 warn: missing unwind goto?
5 error: buffer overflow '' <= user_rl='' uncapped subtract
5 warn: crazy rl = ulong long
4 warn: internal. problem with scope: __fake_assign_
4 warn: crazy rl = - ushort short
3 warn: crazy rl = - int uchar
3 warn: negative user subtract: --- -
3 set_extra_mod_helper: setting address '' expr='' state=''
3 parse error: unhandled comparison -
3 error: '' '' copy overflow ( vs ) rl='' fuzzy= hard_max=
3 warn: argument to %x specifier has type ''
3 type [] > ffffffff / ffffffff
3 warn: check that subtract can't underflow '(frame_status & ) - ' ' '
3 warn: crazy rl = uchar enum firmware_init_step
2 warn: crazy rl = - uchar enum firmware_init_step
2 warn: '' [zero= neg=] (start buckets) not decremented on lines: -.
2 equiv not found: ''
2 error: uninitialized symbol ''.
2 warn: offset '' incremented past end of array
2 stmt->type = . pos = :
2 rel ainfo->cur
2 warn: check that subtract can't underflow 'safe_len - ' ' '
2 start
2 error: double locked '' (orig line )
2 warn: check that subtract can't underflow 'ulen - ' ' '
2 warn: NEW integer overflows ''
2 warn: '' possible negative type promoted to high
2 warn: unlocked access '' expected lock ''
2 warn: check that subtract can't underflow 'uname_len - ' ' '
2 rel valinfo->control
2 warn: crazy rl = ushort llong
2 error: strcpy() too large for ( vs )
2 match_zero_check: known var='' rl=zero
1 set_param_dereferenced: sm=''-ptr_max''
1 warn: variable dereferenced before check '' (see line )
1 warn: use safer allocation function (eg: kmalloc_array)
1 warn: '' is not bool
1 type [] > ffffffffffffffff - ffffffffffffffff
1 rel cmd
1 warn: negative user subtract: - - (-)
1 info: return a literal instead of ''
1 print_struct_members: call = '_dev_warn(&pdev->dev "Failed to obtain MAC address defaulting to random
1 type [] > ffffffffffffffff /
1 warn: crazy rl = uint enum firmware_init_step_e
1 warn: unknown parameter (possibly NULL) '' values=''
1 warn: this assumes skb->len is at least bytes (-(-)-)
1 rel process_info->evicted_bos
1 type [] > fffffffffffffff /
1 warn: check that subtract can't underflow 'byte_cnt - ' ' '
1 rel dram_info->num_psf_gv_points
1 sm = [register_smatch_extra] wb_info->mpcc_inst = '' [merged] ((-) (-)- - (-) (-) - -)
1 type [] > ffffffffffffffff - fffffbf
1 warn: crazy rl = - int ullong
1 error: passing untrusted data '' to ''
1 warn: '' from ... not released on lines: -.
1 warn: crazy rl = - enum asrc_pair_index int
1 warn: missing error code ''
1 warn: potential integer overflow from user (local copy) ''
1 warn: potential shift truncation. ''
1 warn: using underflowed offset ''
1 warn: missing error code here? '' failed. '' = ''
1 warn: potential base one array underflow sm=''(-)--''
1 warn: user controlled negative timeout
1 error: we previously assumed '' could be null (see line )
1 rel zone->zone_start_pfn
1 error: passing non negative to ERR_PTR
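The attached summary is the output format of smatch_scripts/generisize.pl: one line per warning template, a hit count first, literal numbers already replaced by ''. Triaging a list this size usually starts with separating parser failures (the "parse error:" lines) from actual findings, which the mail does by hand. The script below is an added example written for this message, not code from Dan Carpenter or the Smatch project. It assumes only what the attachment shows: count-then-template entries, sorted by count descending, with no bare digit tokens left inside a template. The descending sort is what lets it recover entry boundaries even when a mail archive has flattened the newlines away, as happened to this copy. The sample input is seven entries copied from the attachment, concatenated onto one line.

```python
from collections import Counter

# Constructed sample: seven entries copied from the attached generisize
# summary, rendered the way the archive flattened them (newlines lost).
SAMPLE_SUMMARY = (
    "216189 parse error: out_of_memory: sm_state_counter= "
    "23195 warn: uncapped user rl to enum '' "
    "6125 info: returning a literal zero is cleaner "
    "746 error: out of bounds bit '' '' to '' '' "
    "225 parse error: Function too hairy. Giving up. seconds "
    "208 func_time: "
    "27 pedantic: propagate return from '' instead of returning ''"
)

# Smatch message prefixes seen in the summary; anything else is internal
# debug output (func_time:, rel ..., type [] ...) rather than a finding.
SEVERITIES = ("parse error", "error", "warn", "info", "pedantic")


def parse_summary(text):
    """Return [(count, template), ...] from a generisize summary.

    Assumption (matches the attachment): entries are sorted by count,
    descending, and generisize has already replaced literal numbers with
    '', so a digit-only token never occurs inside a template.  Therefore a
    digit token starts a new entry exactly when it is not larger than the
    current entry's count.  Newlines are just whitespace here, so the same
    loop handles both the original one-per-line file and a flattened copy.
    """
    entries = []
    count, words = None, []
    for tok in text.split():
        if tok.isdigit() and (count is None or int(tok) <= count):
            if count is not None:
                entries.append((count, " ".join(words)))
            count, words = int(tok), []
        elif count is None:
            raise ValueError("summary must start with a count, got %r" % tok)
        else:
            words.append(tok)
    if count is not None:
        entries.append((count, " ".join(words)))
    return entries


def severity(template):
    """Map a template to its Smatch prefix, or 'other' for debug lines."""
    for sev in SEVERITIES:
        if template.startswith(sev + ":"):
            return sev
    return "other"


def totals_by_severity(entries):
    """Sum hit counts per severity class."""
    totals = Counter()
    for count, template in entries:
        totals[severity(template)] += count
    return dict(totals)


def findings(entries):
    """Keep only templates that describe a potential bug: drop parser
    failures, style hints and internal debug output."""
    return [(c, t) for c, t in entries if severity(t) in ("error", "warn")]


def top(entries, n=5):
    """The n most frequent templates, most frequent first."""
    return sorted(entries, key=lambda e: e[0], reverse=True)[:n]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for sev, total in sorted(totals_by_severity(parsed).items(),
                             key=lambda kv: -kv[1]):
        print("%-12s %8d" % (sev, total))
    print("actionable templates:", len(findings(parsed)))
    for count, template in top(findings(parsed), 3):
        print("%8d %s" % (count, template))
```

Run against a real smatch_warns.txt summary the per-severity totals make the split Dan describes (roughly half the file being the out_of_memory parse error) visible in one line, and findings() gives the list worth reading first. The boundary heuristic breaks only if a template itself contains a bare number, which generisize's '' substitution is designed to prevent; if you feed it un-generisized output, parse line by line instead.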