Enclosed are 54 potential errors where code gets a pointer from a
possibly-failing routine (kmalloc, etc) and dereferences it without
checking. Many follow the simple pattern of alloc-memset:
dev->priv = kmalloc(sizeof(struct awc_private),GFP_KERNEL );
memset(dev->priv,0,sizeof(struct awc_private));
If these kind of errors are useful, let me know --- there are *many*
others that I didn't inspect.
Dawson
# BUGs | File Name
6 | /drivers/se401.c
5 | /char/sis_ds.c
3 | /drivers/aironet4500_card.c
2 | /drivers/catc.c
2 | /drivers/hosts.c
2 | /net/sdla_fr.c
2 | /net/cosa.c
2 | /fs/dcache.c
2 | /drivers/cpqphp_proc.c
2 | /net/skge.c
2 | /drivers/ide-probe.c
1 | /video/sis_main.c
1 | /media/saa7110.c
1 | /drivers/ide-tape.c
1 | /fs/sysctl.c
1 | /net/sch_gred.c
1 | /drivers/pci2220i.c
1 | /fs/inode.c
1 | /drivers/btaudio.c
1 | /drivers/bonding.c
1 | /drivers/dpt_i2o.c
1 | /drivers/i2c-proc.c
1 | /drivers/pppoe.c
1 | /net/sdla_chdlc.c
1 | /fs/binsert.c
1 | /scsi/linit.c
1 | /fs/journal.c
1 | /drivers/cpqfcTScontrol.c
1 | /drivers/DAC960.c
1 | /net/airo_cs.c
1 | /char/drm_context.h
1 | /drivers/eexpress.c
1 | /char/riotable.c
1 | /net/skfddi.c
1 | /drivers/ide-scsi.c
############################################################
# 2.4.17 specific errors
#
---------------------------------------------------------
[BUG] funny --- checking the wrong index.
/u2/engler/mc/oses/linux/2.4.17/net/sched/sch_gred.c:443:gred_change: ERROR:NULL:438:443:Passing unknown ptr "(*table).tab[(*table).def]"! as arg 0 to call "memset"! set by 'kmalloc':438 [COUNTER=kmalloc:438] [fit=1] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
over-written
*/
if (table->tab[table->def] == NULL) {
table->tab[table->def]=
Start --->
kmalloc(sizeof(struct gred_sched_data), GFP_KERNEL);
if (NULL == table->tab[ctl->DP])
return -ENOMEM;
memset(table->tab[table->def], 0,
Error --->
(sizeof(struct gred_sched_data)));
}
q= table->tab[table->def];
q->DP=table->def;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/aironet4500_card.c:570:awc4500_isa_probe: ERROR:NULL:569:570:Passing unknown ptr "(*dev).priv"! as arg 0 to call "memset"! set by 'kmalloc':569 [COUNTER=kmalloc:569] [fit=1] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
if (!dev) {
release_region(isa_ioaddr, AIRONET4X00_IO_SIZE);
return (card == 0) ? -ENOMEM : 0;
}
}
Start --->
dev->priv = kmalloc(sizeof(struct awc_private),GFP_KERNEL );
Error --->
memset(dev->priv,0,sizeof(struct awc_private));
if (!dev->priv) {
printk(KERN_CRIT "aironet4x00: could not allocate device private, some unstability may follow\n");
return -1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/bonding.c:1671:bond_xmit_activebackup: ERROR:NULL:1670:1671:Passing unknown ptr "arp_target_hw_addr"! as arg 0 to call "memcpy"! set by 'kmalloc':1670 [COUNTER=kmalloc:1670] [fit=1] [fit_fn=3] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
to use a broadcast address */
if ( (arp_interval > 0) && (arp_target_hw_addr==NULL) &&
(skb->protocol == __constant_htons(ETH_P_IP) ) ) {
struct ethhdr *eth_hdr =
(struct ethhdr *) (((char *)skb->data));
Start --->
arp_target_hw_addr = kmalloc(ETH_ALEN, GFP_KERNEL);
Error --->
memcpy(arp_target_hw_addr, eth_hdr->h_dest, ETH_ALEN);
}
read_lock_irqsave(&bond->lock, flags);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/video/sis/sis_main.c:1318:sisfb_poh_new_node: ERROR:NULL:1316:1318:Using ptr "poha" illegally! set by 'kmalloc':1316 [COUNTER=kmalloc:1316] [fit=1] [fit_fn=4] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
unsigned long cOhs;
SIS_OHALLOC *poha;
SIS_OH *poh;
if (sisfb_heap.poh_freelist == NULL) {
Start --->
poha = kmalloc (OH_ALLOC_SIZE, GFP_KERNEL);
Error --->
poha->poha_next = sisfb_heap.poha_chain;
sisfb_heap.poha_chain = poha;
cOhs =
---------------------------------------------------------
[BUG] (synonums aren't working)
/u2/engler/mc/oses/linux/2.4.17/drivers/net/eexpress.c:1088:eexp_hw_probe: ERROR:NULL:1083:1088:Using ptr "lp" illegally! set by 'kmalloc':1083 [COUNTER=kmalloc:1083] [fit=1] [fit_fn=5] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
}
buswidth = !((setupval & 0x400) >> 10);
}
Start --->
dev->priv = lp = kmalloc(sizeof(struct net_local), GFP_KERNEL);
if (!dev->priv)
return -ENOMEM;
memset(dev->priv, 0, sizeof(struct net_local));
Error --->
spin_lock_init(&lp->lock);
printk("(IRQ %d, %s connector, %d-bit bus", dev->irq,
eexp_ifmap[dev->if_port], buswidth?8:16);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/media/video/saa7110.c:211:saa7110_attach: ERROR:NULL:204:211:Passing unknown ptr "decoder"! as arg 0 to call "memset"! set by 'kmalloc':204 [COUNTER=kmalloc:204] [fit=1] [fit_fn=6] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
0xFE, 0x01, 0xCF, 0x0F, 0x03, 0x01, 0x81, 0x03,
0x40, 0x75, 0x01, 0x8C, 0x03};
struct saa7110* decoder;
int rv;
Start --->
device->data = decoder = kmalloc(sizeof(struct saa7110), GFP_KERNEL);
if (device->data == 0)
return -ENOMEM;
MOD_INC_USE_COUNT;
/* clear our private data */
Error --->
memset(decoder, 0, sizeof(struct saa7110));
strcpy(device->name, "saa7110");
decoder->bus = device->bus;
decoder->addr = device->addr;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/aironet4500_card.c:396:awc4500_pnp_probe: ERROR:NULL:395:396:Passing unknown ptr "(*dev).priv"! as arg 0 to call "memset"! set by 'kmalloc':395 [COUNTER=kmalloc:395] [fit=1] [fit_fn=7] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
isapnp_deactivate(logdev->PNP_DEV_NUMBER);
isapnp_cfg_end();
return -ENOMEM;
}
}
Start --->
dev->priv = kmalloc(sizeof(struct awc_private),GFP_KERNEL );
Error --->
memset(dev->priv,0,sizeof(struct awc_private));
if (!dev->priv) {
printk(KERN_CRIT "aironet4x00: could not allocate device private, some unstability may follow\n");
return -1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/sis_ds.c:175:calloc: ERROR:NULL:174:175:Passing unknown ptr "addr"! as arg 0 to call "memset"! set by 'kmalloc':174 [COUNTER=kmalloc:174] [fit=1] [fit_fn=8] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
#define fprintf(fmt, arg...) do{}while(0)
static void *calloc(size_t nmemb, size_t size)
{
void *addr;
Start --->
addr = kmalloc(nmemb*size, GFP_KERNEL);
Error --->
memset(addr, 0, nmemb*size);
return addr;
}
#define free(n) kfree(n)
---------------------------------------------------------
[BUG] checking the wrong thing.
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/dpt_i2o.c:1507:adpt_i2o_parse_lct: ERROR:NULL:1503:1507:Passing unknown ptr "(*pDev).next_lun"! as arg 0 to call "memset"! set by 'kmalloc':1503 [COUNTER=kmalloc:1503] [fit=1] [fit_fn=9] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
memset(pDev,0,sizeof(struct adpt_device));
} else {
for( pDev = pHba->channel[bus_no].device[scsi_id];
pDev->next_lun; pDev = pDev->next_lun){
}
Start --->
pDev->next_lun = kmalloc(sizeof(struct adpt_device),GFP_KERNEL);
if(pDev == NULL) {
return -ENOMEM;
}
Error --->
memset(pDev->next_lun,0,sizeof(struct adpt_device));
pDev = pDev->next_lun;
}
pDev->tid = tid;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/qnx4/inode.c:321:qnx4_checkroot: ERROR:NULL:320:321:Passing unknown ptr "(((*sb).u).qnx4_sb).BitMap"! as arg 0 to call "memcpy"! set by 'kmalloc':320 [COUNTER=kmalloc:320] [fit=1] [fit_fn=11] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
rootdir = (struct qnx4_inode_entry *) (bh->b_data + i * QNX4_DIR_ENTRY_SIZE);
if (rootdir->di_fname != NULL) {
QNX4DEBUG(("Rootdir entry found : [%s]\n", rootdir->di_fname));
if (!strncmp(rootdir->di_fname, QNX4_BMNAME, sizeof QNX4_BMNAME)) {
found = 1;
Start --->
sb->u.qnx4_sb.BitMap = kmalloc( sizeof( struct qnx4_inode_entry ), GFP_KERNEL );
Error --->
memcpy( sb->u.qnx4_sb.BitMap, rootdir, sizeof( struct qnx4_inode_entry ) ); /* keep bitmap inode known */
break;
}
}
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/ide/ide-probe.c:762:init_gendisk: ERROR:NULL:761:762:Using ptr "gd" illegally! set by 'kmalloc':761 [COUNTER=kmalloc:761] [fit=1] [fit_fn=12] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
for (units = MAX_DRIVES; units > 0; --units) {
if (hwif->drives[units-1].present)
break;
}
minors = units * (1<<PARTN_BITS);
Start --->
gd = kmalloc (sizeof(struct gendisk), GFP_KERNEL);
Error --->
gd->sizes = kmalloc (minors * sizeof(int), GFP_KERNEL);
gd->part = kmalloc (minors * sizeof(struct hd_struct), GFP_KERNEL);
bs = kmalloc (minors*sizeof(int), GFP_KERNEL);
max_sect = kmalloc (minors*sizeof(int), GFP_KERNEL);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wan/sdla_chdlc.c:1068:if_open: ERROR:NULL:1067:1068:Passing unknown ptr "(*chdlc_priv_area).bh_head"! as arg 0 to call "memset"! set by 'kmalloc':1067 [COUNTER=kmalloc:1067] [fit=1] [fit_fn=13] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
chdlc_priv_area->common.wanpipe_task.routine = (void *)(void *)chdlc_bh;
chdlc_priv_area->common.wanpipe_task.data = dev;
/* Allocate and initialize BH circular buffer */
/* Add 1 to MAX_BH_BUFF so we don't have test with (MAX_BH_BUFF-1) */
Start --->
chdlc_priv_area->bh_head = kmalloc((sizeof(bh_data_t)*(MAX_BH_BUFF+1)),GFP_ATOMIC);
Error --->
memset(chdlc_priv_area->bh_head,0,(sizeof(bh_data_t)*(MAX_BH_BUFF+1)));
atomic_set(&chdlc_priv_area->bh_buff_used, 0);
#endif
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/ide/ide-probe.c:768:init_gendisk: ERROR:NULL:763:768:Passing unknown ptr "(*gd).part"! as arg 0 to call "memset"! set by 'kmalloc':763 [COUNTER=kmalloc:763] [fit=1] [fit_fn=14] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
break;
}
minors = units * (1<<PARTN_BITS);
gd = kmalloc (sizeof(struct gendisk), GFP_KERNEL);
gd->sizes = kmalloc (minors * sizeof(int), GFP_KERNEL);
Start --->
gd->part = kmalloc (minors * sizeof(struct hd_struct), GFP_KERNEL);
bs = kmalloc (minors*sizeof(int), GFP_KERNEL);
max_sect = kmalloc (minors*sizeof(int), GFP_KERNEL);
max_ra = kmalloc (minors*sizeof(int), GFP_KERNEL);
Error --->
memset(gd->part, 0, minors * sizeof(struct hd_struct));
/* cdroms and msdos f/s are examples of non-1024 blocksizes */
blksize_size[hwif->major] = bs;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/catc.c:621:catc_probe: ERROR:NULL:620:621:Passing unknown ptr "catc"! as arg 0 to call "memset"! set by 'kmalloc':620 [COUNTER=kmalloc:620] [fit=1] [fit_fn=15] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
if (usb_set_interface(usbdev, ifnum, 1)) {
err("Can't set altsetting 1.");
return NULL;
}
Start --->
catc = kmalloc(sizeof(struct catc), GFP_KERNEL);
Error --->
memset(catc, 0, sizeof(struct catc));
netdev = init_etherdev(0, 0);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/ide-scsi.c:662:idescsi_kmalloc_bh: ERROR:NULL:660:662:Passing unknown ptr "bh"! as arg 0 to call "memset"! set by 'kmalloc':660 [COUNTER=kmalloc:660] [fit=1] [fit_fn=16] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
static inline struct buffer_head *idescsi_kmalloc_bh (int count)
{
struct buffer_head *bh, *bhp, *first_bh;
Start --->
if ((first_bh = bhp = bh = kmalloc (sizeof(struct buffer_head), GFP_ATOMIC)) == NULL)
goto abort;
Error --->
memset (bh, 0, sizeof (struct buffer_head));
bh->b_reqnext = NULL;
while (--count) {
if ((bh = kmalloc (sizeof(struct buffer_head), GFP_ATOMIC)) == NULL)
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/rio/riotable.c:977:RIOReMapPorts: ERROR:NULL:976:977:Passing unknown ptr "(*PortP).TxRingBuffer"! as arg 0 to call "memset"! set by 'kmalloc':976 [COUNTER=kmalloc:976] [fit=1] [fit_fn=17] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
PortP->closes = 0;
PortP->ioctls = 0;
if ( PortP->TxRingBuffer )
bzero( PortP->TxRingBuffer, p->RIOBufferSize );
else if ( p->RIOBufferSize ) {
Start --->
PortP->TxRingBuffer = sysbrk(p->RIOBufferSize);
Error --->
bzero( PortP->TxRingBuffer, p->RIOBufferSize );
}
PortP->TxBufferOut = 0;
PortP->TxBufferIn = 0;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/i2c/i2c-proc.c:122:i2c_create_name: ERROR:NULL:121:122:Passing unknown ptr "*name"! as arg 0 to call "strcpy"! set by 'kmalloc':121 [COUNTER=kmalloc:121] [fit=1] [fit_fn=18] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
else {
if ((id = i2c_adapter_id(adapter)) < 0)
return -ENOENT;
sprintf(name_buffer, "%s-i2c-%d-%02x", prefix, id, addr);
}
Start --->
*name = kmalloc(strlen(name_buffer) + 1, GFP_KERNEL);
Error --->
strcpy(*name, name_buffer);
return 0;
}
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wan/sdla_fr.c:4197:send_inarp_request: ERROR:NULL:4195:4197:Using ptr "ArpPacket" illegally! set by 'kmalloc':4195 [COUNTER=kmalloc:4195] [fit=1] [fit_fn=19] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
in_dev = dev->ip_ptr;
if(in_dev != NULL ) {
Start --->
ArpPacket = kmalloc(sizeof(arphdr_1490_t) + sizeof(arphdr_fr_t), GFP_ATOMIC);
/* SNAP Header indicating ARP */
Error --->
ArpPacket->control = 0x03;
ArpPacket->pad = 0x00;
ArpPacket->NLPID = 0x80;
ArpPacket->OUI[0] = 0;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wan/sdla_fr.c:1340:if_open: ERROR:NULL:1339:1340:Passing unknown ptr "(*chan).bh_head"! as arg 0 to call "memset"! set by 'kmalloc':1339 [COUNTER=kmalloc:1339] [fit=1] [fit_fn=21] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
chan->common.wanpipe_task.sync = 0;
chan->common.wanpipe_task.routine = (void *)(void *)fr_bh;
chan->common.wanpipe_task.data = dev;
/* Allocate and initialize BH circular buffer */
Start --->
chan->bh_head = kmalloc((sizeof(bh_data_t)*MAX_BH_BUFF),GFP_ATOMIC);
Error --->
memset(chan->bh_head,0,(sizeof(bh_data_t)*MAX_BH_BUFF));
atomic_set(&chan->bh_buff_used, 0);
#endif
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/sound/btaudio.c:888:btaudio_probe: ERROR:NULL:887:888:Passing unknown ptr "bta"! as arg 0 to call "memset"! set by 'kmalloc':887 [COUNTER=kmalloc:887] [fit=1] [fit_fn=22] [fn_ex=0] [fn_counter=1] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
pci_resource_len(pci_dev,0),
"btaudio")) {
return -EBUSY;
}
Start --->
bta = kmalloc(sizeof(*bta),GFP_ATOMIC);
Error --->
memset(bta,0,sizeof(*bta));
bta->pci = pci_dev;
bta->irq = pci_dev->irq;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/sis_ds.c:54:setInit: ERROR:NULL:52:54:Using ptr "set" illegally! set by 'kmalloc':52 [COUNTER=kmalloc:52] [fit=1] [fit_fn=23] [fn_ex=0] [fn_counter=2] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -6.16441400296897]
set_t *setInit(void)
{
int i;
set_t *set;
Start --->
set = (set_t *)MALLOC(sizeof(set_t));
for(i = 0; i < SET_SIZE; i++){
Error --->
set->list[i].free_next = i+1;
set->list[i].alloc_next = -1;
}
set->list[SET_SIZE-1].free_next = -1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/sis_ds.c:57:setInit: ERROR:NULL:52:57:Using ptr "set" illegally! set by 'kmalloc':52 [COUNTER=kmalloc:52] [fit=1] [fit_fn=23] [fn_ex=0] [fn_counter=2] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -6.16441400296897]
set_t *setInit(void)
{
int i;
set_t *set;
Start --->
set = (set_t *)MALLOC(sizeof(set_t));
for(i = 0; i < SET_SIZE; i++){
set->list[i].free_next = i+1;
set->list[i].alloc_next = -1;
}
Error --->
set->list[SET_SIZE-1].free_next = -1;
set->free = 0;
set->alloc = -1;
set->trace = -1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/hosts.c:178:scsi_register: ERROR:NULL:176:178:Passing unknown ptr "(*shn).name"! as arg 0 to call "strncpy"! set by 'kmalloc':176 [COUNTER=kmalloc:176] [fit=1] [fit_fn=24] [fn_ex=0] [fn_counter=2] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -6.16441400296897]
if (!shn) {
kfree(retval);
printk(KERN_ERR "scsi: out of memory(2) in scsi_register.\n");
return NULL;
}
Start --->
shn->name = kmalloc(hname_len + 1, GFP_ATOMIC);
if (hname_len > 0)
Error --->
strncpy(shn->name, hname, hname_len);
shn->name[hname_len] = 0;
shn->host_no = max_scsi_hosts++;
shn->host_registered = 1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/hosts.c:179:scsi_register: ERROR:NULL:176:179:Using ptr "(*shn).name" illegally! set by 'kmalloc':176 [COUNTER=kmalloc:176] [fit=1] [fit_fn=24] [fn_ex=0] [fn_counter=2] [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -6.16441400296897]
if (!shn) {
kfree(retval);
printk(KERN_ERR "scsi: out of memory(2) in scsi_register.\n");
return NULL;
}
Start --->
shn->name = kmalloc(hname_len + 1, GFP_ATOMIC);
if (hname_len > 0)
strncpy(shn->name, hname, hname_len);
Error --->
shn->name[hname_len] = 0;
shn->host_no = max_scsi_hosts++;
shn->host_registered = 1;
shn->loaded_as_module = 1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/intermezzo/dcache.c:94:presto_set_dd: ERROR:NULL:93:94:Passing unknown ptr "(*dentry).d_fsdata"! as arg 0 to call "memset"! set by 'kmem_cache_alloc':93 [COUNTER=kmem_cache_alloc:93] [fit=3] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=75] [counter=2] [z = 0.967340923389605] [fn-z = -4.35889894354067]
return;
}
if (dentry->d_inode == NULL) {
dentry->d_fsdata = kmem_cache_alloc(presto_dentry_slab,
Start --->
SLAB_KERNEL);
Error --->
memset(dentry->d_fsdata, 0, sizeof(struct presto_dentry_data));
presto_d2d(dentry)->dd_count = 1;
EXIT;
return;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/intermezzo/dcache.c:119:presto_set_dd: ERROR:NULL:118:119:Passing unknown ptr "(*dentry).d_fsdata"! as arg 0 to call "memset"! set by 'kmem_cache_alloc':118 [COUNTER=kmem_cache_alloc:118] [fit=3] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=75] [counter=2] [z = 0.967340923389605] [fn-z = -4.35889894354067]
presto_d2d(dentry)->dd_count++;
EXIT;
return;
}
Start --->
dentry->d_fsdata = kmem_cache_alloc(presto_dentry_slab, SLAB_KERNEL);
Error --->
memset(dentry->d_fsdata, 0, sizeof(struct presto_dentry_data));
presto_d2d(dentry)->dd_count = 1;
EXIT;
return;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/aacraid/linit.c:196:aac_detect: ERROR:NULL:191:196:Using ptr "host_ptr" illegally! set by 'scsi_register':191 [COUNTER=scsi_register:191] [fit=5] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=51] [counter=2] [z = 0.409664769581117] [fn-z = -4.35889894354067]
* will need to make two Scsi_Host entries, but there will be only
* one Scsi_Host_Template entry. The second argument to scsi_register()
* specifies the size of the extra memory we want to hold any device
* specific information.
*/
Start --->
host_ptr = scsi_register( template, sizeof(struct aac_dev) );
/*
* These three parameters can be used to allow for wide SCSI
* and for host adapters that support multiple buses.
*/
Error --->
host_ptr->max_id = 17;
host_ptr->max_lun = 8;
host_ptr->max_channel = 1;
host_ptr->irq = dev->irq; /* Adapter IRQ number */
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/pci2220i.c:2652:Pci2220i_Detect: ERROR:NULL:2651:2652:Using ptr "pshost" illegally! set by 'scsi_register':2651 [COUNTER=scsi_register:2651] [fit=5] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=51] [counter=2] [z = 0.409664769581117] [fn-z = -4.35889894354067]
scsi_unregister (pshost);
}
while ( (pcidev = pci_find_device (VENDOR_PSI, DEVICE_BIGD_1, pcidev)) != NULL )
{
Start --->
pshost = scsi_register (tpnt, sizeof(ADAPTER2220I));
Error --->
padapter = HOSTDATA(pshost);
if ( GetRegs (pshost, TRUE, pcidev) )
goto unregister1;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/hotplug/cpqphp_proc.c:156:cpqhp_proc_create_ctrl: ERROR:NULL:155:156:Using ptr "(*ctrl).proc_entry" illegally! set by 'create_proc_entry':155 [COUNTER=create_proc_entry:155] [fit=7] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
int cpqhp_proc_create_ctrl (struct controller *ctrl)
{
strcpy(ctrl->proc_name, "hpca");
ctrl->proc_name[3] = 'a' + ctrl->bus;
Start --->
ctrl->proc_entry = create_proc_entry(ctrl->proc_name, S_IFREG | S_IRUGO, ctrl_proc_root);
Error --->
ctrl->proc_entry->data = ctrl;
ctrl->proc_entry->read_proc = &read_ctrl;
strcpy(ctrl->proc_name2, "slot_a");
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/hotplug/cpqphp_proc.c:162:cpqhp_proc_create_ctrl: ERROR:NULL:161:162:Using ptr "(*ctrl).proc_entry2" illegally! set by 'create_proc_entry':161 [COUNTER=create_proc_entry:161] [fit=7] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
ctrl->proc_entry->data = ctrl;
ctrl->proc_entry->read_proc = &read_ctrl;
strcpy(ctrl->proc_name2, "slot_a");
ctrl->proc_name2[5] = 'a' + ctrl->bus;
Start --->
ctrl->proc_entry2 = create_proc_entry(ctrl->proc_name2, S_IFREG | S_IRUGO, ctrl_proc_root);
Error --->
ctrl->proc_entry2->data = ctrl;
ctrl->proc_entry2->read_proc = &read_dev;
return 0;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/sk98lin/skge.c:490:skge_probe: ERROR:NULL:489:490:Using ptr "pProcFile" illegally! set by 'create_proc_entry':489 [COUNTER=create_proc_entry:489] [fit=7] [fit_fn=3] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
dev->set_mac_address = &SkGeSetMacAddr;
dev->do_ioctl = &SkGeIoctl;
dev->change_mtu = &SkGeChangeMtu;
pProcFile = create_proc_entry(dev->name,
Start --->
S_IFREG | 0444, pSkRootDir);
Error --->
pProcFile->read_proc = proc_read;
pProcFile->write_proc = NULL;
pProcFile->nlink = 1;
pProcFile->size = sizeof(dev->name+1);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/sk98lin/skge.c:435:skge_probe: ERROR:NULL:433:435:Using ptr "pSkRootDir" illegally! set by 'create_proc_entry':433 [COUNTER=create_proc_entry:433] [fit=7] [fit_fn=4] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
if (!pci_present()) /* is PCI support present? */
return -ENODEV;
pSkRootDir = create_proc_entry("sk98lin",
Start --->
S_IFDIR | S_IWUSR | S_IRUGO | S_IXUGO, proc_net);
Error --->
pSkRootDir->owner = THIS_MODULE;
while((pdev = pci_find_device(PCI_VENDOR_ID_SYSKONNECT,
PCI_DEVICE_ID_SYSKONNECT_GE, pdev)) != NULL) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/pppoe.c:893:__pppoe_xmit: ERROR:NULL:888:893:Using ptr "skb2" illegally! set by 'skb_clone':888 [COUNTER=skb_clone:888] [fit=8] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=25] [counter=1] [z = 0.26995276239951] [fn-z = -4.35889894354067]
memcpy(skb_put(skb2, skb->len), skb->data, skb->len);
} else {
/* Make a clone so as to not disturb the original skb,
* give dev_queue_xmit something it can free.
*/
Start --->
skb2 = skb_clone(skb, GFP_ATOMIC);
}
ph = (struct pppoe_hdr *) skb_push(skb2, sizeof(struct pppoe_hdr));
memcpy(ph, &hdr, sizeof(struct pppoe_hdr));
Error --->
skb2->protocol = __constant_htons(ETH_P_PPP_SES);
skb2->nh.raw = skb2->data;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/drm_context.h:559:gamma_alloc_queue: ERROR:NULL:558:559:Passing unknown ptr "queue"! as arg 0 to call "memset"! set by 'gamma_alloc':558 [COUNTER=gamma_alloc:558] [fit=9] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=17] [counter=1] [z = -0.108147614087175] [fn-z = -4.35889894354067]
atomic_dec(&dev->queuelist[i]->use_count);
}
/* Allocate a new queue */
down(&dev->struct_sem);
Start --->
queue = gamma_alloc(sizeof(*queue), DRM_MEM_QUEUES);
Error --->
memset(queue, 0, sizeof(*queue));
atomic_set(&queue->use_count, 1);
++dev->queue_count;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/cpqfcTScontrol.c:119:CpqTsCreateTachLiteQues: ERROR:NULL:117:119:Passing unknown ptr "(*cpqfcHBAdata).fcLQ"! as arg 0 to call "memset"! set by 'pci_alloc_consistent':117 [COUNTER=pci_alloc_consistent:117] [fit=11] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=31] [counter=2] [z = -0.279553072340802] [fn-z = -4.35889894354067]
memset( fcChip->Exchanges, 0, sizeof( FC_EXCHANGES));
printk("Allocating %u for LinkQ ", (ULONG)sizeof(FC_LINK_QUE));
cpqfcHBAdata->fcLQ = pci_alloc_consistent(cpqfcHBAdata->PciDev,
Start --->
sizeof( FC_LINK_QUE), &cpqfcHBAdata->fcLQ_dma_handle);
printk("@ %p (%u elements)\n", cpqfcHBAdata->fcLQ, FC_LINKQ_DEPTH);
Error --->
memset( cpqfcHBAdata->fcLQ, 0, sizeof( FC_LINK_QUE));
if( cpqfcHBAdata->fcLQ == NULL ) // fatal error!!
{
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/skfp/skfddi.c:710:skfp_driver_init: ERROR:NULL:696:710:Passing unknown ptr "(*bp).SharedMemAddr"! as arg 0 to call "memset"! set by 'pci_alloc_consistent':696 [COUNTER=pci_alloc_consistent:696] [fit=11] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=31] [counter=2] [z = -0.279553072340802] [fn-z = -4.35889894354067]
if (bp->SharedMemSize > 0) {
bp->SharedMemSize += 16; // for descriptor alignment
bp->SharedMemAddr = pci_alloc_consistent(&bp->pdev,
bp->SharedMemSize,
Start --->
&bp->SharedMemDMA);
if (!bp->SharedMemSize) {
printk("could not allocate mem for ");
printk("hardware module: %ld byte\n",
bp->SharedMemSize);
goto fail;
}
bp->SharedMemHeap = 0; // Nothing used yet.
} else {
bp->SharedMemAddr = NULL;
bp->SharedMemHeap = 0;
} // SharedMemSize > 0
Error --->
memset(bp->SharedMemAddr, 0, bp->SharedMemSize);
card_stop(smc); // Reset adapter.
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/hfs/binsert.c:423:binsert: ERROR:NULL:379:423:Passing unknown ptr "tmpkey"! as arg 0 to call "memcpy"! set by 'hfs_malloc':379 [COUNTER=hfs_malloc:379] [fit=15] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=9] [counter=1] [z = -0.72547625011001] [fn-z = -4.35889894354067]
{
struct hfs_bnode_ref left, right, other;
struct hfs_btree *tree = brec->tree;
struct hfs_belem *belem = brec->bottom;
int tmpsize = 1 + tree->bthKeyLen;
Start --->
struct hfs_bkey *tmpkey = hfs_malloc(tmpsize);
... DELETED 38 lines ...
data = &node;
datasize = sizeof(node);
node = htonl(right.bn->node);
key = tmpkey;
keysize = tree->bthKeyLen;
Error --->
memcpy(tmpkey, bnode_key(right.bn, 1), keysize+1);
hfs_bnode_relse(&other);
--belem;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/intermezzo/sysctl.c:327:init_intermezzo_sysctl: ERROR:NULL:326:327:Using ptr "proc_fs_intermezzo" illegally! set by 'proc_mkdir':326 [COUNTER=proc_mkdir:326] [fit=18] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=7] [counter=1] [z = -0.973328526784574] [fn-z = -4.35889894354067]
if ( !intermezzo_table_header )
intermezzo_table_header =
register_sysctl_table(intermezzo_table, 0);
#endif
#ifdef CONFIG_PROC_FS
Start --->
proc_fs_intermezzo = proc_mkdir("intermezzo", proc_root_fs);
Error --->
proc_fs_intermezzo->owner = THIS_MODULE;
create_proc_info_entry("mounts", 0, proc_fs_intermezzo,
intermezzo_mount_get_info);
#endif
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/ide/ide-tape.c:3491:idetape_onstream_read_back_buffer: ERROR:NULL:3488:3491:Using ptr "stage" illegally! set by '__idetape_kmalloc_stage':3488 [COUNTER=__idetape_kmalloc_stage:3488] [fit=20] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=6] [counter=1] [z = -1.12724296038136] [fn-z = -4.35889894354067]
idetape_update_stats(drive);
frames = tape->cur_frames;
logical_blk_num = ntohl(tape->first_stage->aux->logical_blk_num) - frames;
printk(KERN_INFO "ide-tape: %s: reading back %d frames from the drive's internal buffer\n", tape->name, frames);
for (i = 0; i < frames; i++) {
Start --->
stage = __idetape_kmalloc_stage(tape, 0, 0);
if (!first)
first = stage;
Error --->
aux = stage->aux;
p = stage->bh->b_data;
idetape_queue_rw_tail(drive, IDETAPE_READ_BUFFER_RQ, tape->capabilities.ctl, stage->bh);
#if ONSTREAM_DEBUG
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c:441:journal_write_metadata_buffer: ERROR:NULL:438:441:Passing unknown ptr "tmp"! as arg 0 to call "memcpy"! set by '__jbd_kmalloc':438 [COUNTER=__jbd_kmalloc:438] [fit=22] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=5] [counter=1] [z = -1.31122013621437] [fn-z = -4.35889894354067]
* Do we need to do a data copy?
*/
if (need_copy_out && !done_copy_out) {
char *tmp;
Start --->
tmp = jbd_rep_kmalloc(jh2bh(jh_in)->b_size, GFP_NOFS);
jh_in->b_frozen_data = tmp;
Error --->
memcpy (tmp, mapped_data, jh2bh(jh_in)->b_size);
/* If we get to this path, we'll always need the new
address kmapped so that we can clear the escaped
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/block/DAC960.c:6984:DAC960_CreateProcEntries: ERROR:NULL:6983:6984:Using ptr "UserCommandProcEntry" illegally! set by 'create_proc_read_entry':6983 [COUNTER=create_proc_read_entry:6983] [fit=23] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=5] [counter=1] [z = -1.31122013621437] [fn-z = -4.35889894354067]
create_proc_read_entry("current_status", 0, ControllerProcEntry,
DAC960_ProcReadCurrentStatus, Controller);
UserCommandProcEntry =
create_proc_read_entry("user_command", S_IWUSR | S_IRUSR,
ControllerProcEntry, DAC960_ProcReadUserCommand,
Start --->
Controller);
Error --->
UserCommandProcEntry->write_proc = DAC960_ProcWriteUserCommand;
Controller->ControllerProcEntry = ControllerProcEntry;
}
}
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/catc.c:625:catc_probe: ERROR:NULL:623:625:Using ptr "netdev" illegally! set by 'init_etherdev':623 [COUNTER=init_etherdev:623] [fit=32] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=18] [counter=3] [z = -1.95244207985486] [fn-z = -4.35889894354067]
}
catc = kmalloc(sizeof(struct catc), GFP_KERNEL);
memset(catc, 0, sizeof(struct catc));
Start --->
netdev = init_etherdev(0, 0);
Error --->
netdev->open = catc_open;
netdev->hard_start_xmit = catc_hard_start_xmit;
netdev->stop = catc_stop;
netdev->get_stats = catc_get_stats;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/aironet4500_card.c:852:awc_i365_init: ERROR:NULL:847:852:Using ptr "dev" illegally! set by 'init_etherdev':847 [COUNTER=init_etherdev:847] [fit=32] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=18] [counter=3] [z = -1.95244207985486] [fn-z = -4.35889894354067]
struct net_device * dev;
int i;
Start --->
dev = init_etherdev(0, sizeof(struct awc_private) );
// dev->tx_queue_len = tx_queue_len;
ether_setup(dev);
Error --->
dev->hard_start_xmit = &awc_start_xmit;
// dev->set_config = &awc_config_misiganes,aga mitte awc_config;
dev->get_stats = &awc_get_stats;
dev->set_multicast_list = &awc_set_multicast_list;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wan/cosa.c:567:cosa_probe: ERROR:NULL:566:567:Passing unknown ptr "(*cosa).chan"! as arg 0 to call "memset"! set by 'kmalloc_Rsmp_93d4cfe6':566 [COUNTER=kmalloc_Rsmp_93d4cfe6:566] [fit=46] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -4.35889894354067]
cosa->bouncebuf = kmalloc(COSA_MTU, GFP_KERNEL|GFP_DMA);
sprintf(cosa->name, "cosa%d", cosa->num);
/* Initialize the per-channel data */
cosa->chan = kmalloc(sizeof(struct channel_data)*cosa->nchannels,
Start --->
GFP_KERNEL);
Error --->
memset(cosa->chan, 0, sizeof(struct channel_data)*cosa->nchannels);
for (i=0; i<cosa->nchannels; i++) {
cosa->chan[i].cosa = cosa;
cosa->chan[i].num = i;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wan/cosa.c:589:sppp_channel_init: ERROR:NULL:588:589:Passing unknown ptr "((*chan).pppdev).dev"! as arg 0 to call "memset"! set by 'kmalloc_Rsmp_93d4cfe6':588 [COUNTER=kmalloc_Rsmp_93d4cfe6:588] [fit=46] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -4.35889894354067]
static void sppp_channel_init(struct channel_data *chan)
{
struct net_device *d;
chan->if_ptr = &chan->pppdev;
Start --->
chan->pppdev.dev = kmalloc(sizeof(struct net_device), GFP_KERNEL);
Error --->
memset(chan->pppdev.dev, 0, sizeof(struct net_device));
sppp_attach(&chan->pppdev);
d=chan->pppdev.dev;
strcpy(d->name, chan->name);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/net/wireless/airo_cs.c:247:airo_attach: ERROR:NULL:246:247:Passing unknown ptr "local"! as arg 0 to call "memset"! set by 'kmalloc_Rsmp_93d4cfe6':246 [COUNTER=kmalloc_Rsmp_93d4cfe6:246] [fit=46] [fit_fn=3] [fn_ex=0] [fn_counter=1] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -4.35889894354067]
link->conf.Attributes = 0;
link->conf.Vcc = 50;
link->conf.IntType = INT_MEMORY_AND_IO;
/* Allocate space for private device-specific data */
Start --->
local = kmalloc(sizeof(local_info_t), GFP_KERNEL);
Error --->
memset(local, 0, sizeof(local_info_t));
link->priv = local;
/* Register with Card Services */
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1430:se401_init: ERROR:NULL:1427:1430:Using ptr "(*se401).width" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46] [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
return 1;
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
Start --->
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
Error --->
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init: ERROR:NULL:1427:1435:Using ptr "(*se401).width" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46] [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
return 1;
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
Start --->
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
Error --->
sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
}
info("%s", temp);
se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init: ERROR:NULL:1427:1438:Using ptr "(*se401).width" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46] [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
return 1;
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
Start --->
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
}
info("%s", temp);
Error --->
se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
se401->cwidth=cp[0]+cp[1]*256;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1431:se401_init: ERROR:NULL:1428:1431:Using ptr "(*se401).height" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46] [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
Start --->
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
Error --->
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init: ERROR:NULL:1428:1435:Using ptr "(*se401).height" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46] [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
Start --->
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
Error --->
sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
}
info("%s", temp);
se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init: ERROR:NULL:1428:1438:Using ptr "(*se401).height" illegally! set by 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46] [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z = -3.11592335081808] [fn-z = -7.54983443527075]
}
sprintf (temp, "ExtraFeatures: %d", cp[3]);
se401->sizes=cp[4]+cp[5]*256;
se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
Start --->
se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
for (i=0; i<se401->sizes; i++) {
se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
}
sprintf (temp, "%s Sizes:", temp);
for (i=0; i<se401->sizes; i++) {
sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
}
info("%s", temp);
Error --->
se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->sizes-1]*3;
rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
se401->cwidth=cp[0]+cp[1]*256;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/sis_ds.c:253:SliceBlock: ERROR:NULL:252:253:Using ptr "newblock" illegally! set by 'calloc':252 [COUNTER=calloc:252] [fit=49] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.35889894354067]
{
TMemBlock *newblock;
/* break left */
if (startofs > p->ofs) {
Start --->
newblock = (TMemBlock*) calloc(1,sizeof(TMemBlock));
Error --->
newblock->ofs = startofs;
newblock->size = p->size - (startofs - p->ofs);
newblock->free = 1;
newblock->next = p->next;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/char/drm/sis_ds.c:265:SliceBlock: ERROR:NULL:264:265:Using ptr "newblock" illegally! set by 'calloc':264 [COUNTER=calloc:264] [fit=49] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.35889894354067]
p = newblock;
}
/* break right */
if (size < p->size) {
Start --->
newblock = (TMemBlock*) calloc(1,sizeof(TMemBlock));
Error --->
newblock->ofs = startofs + size;
newblock->size = p->size - size;
newblock->free = 1;
newblock->next = p->next;
Dawson Engler wrote:
>
> Enclosed are 54 potential errors where code gets a pointer from a
> possibly-failing routine (kmalloc, etc) and dereferences it without
> checking. Many follow the simple pattern of alloc-memset:
>
> dev->priv = kmalloc(sizeof(struct awc_private),GFP_KERNEL );
> memset(dev->priv,0,sizeof(struct awc_private));
>
> If these kind of errors are useful, let me know --- there are *many*
> others that I didn't inspect.
They surely look useful. Catching errors this way is better than having
to experience every one on a production system before they are found.
There are some false positives, but compared to the actual number of
bugs found, that is not a problem.
> [BUG] (synonums aren't working)
> /u2/engler/mc/oses/linux/2.4.17/drivers/net/eexpress.c:1088:eexp_hw_probe:
> ERROR:NULL:1083:1088:Using ptr "lp" illegally! set by 'kmalloc':1083
> [COUNTER=kmalloc:1083] [fit=1] [fit_fn=5] [fn_ex=0] [fn_counter=1]
> [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
> }
>
> buswidth = !((setupval & 0x400) >> 10);
> }
>
> Start --->
> dev->priv = lp = kmalloc(sizeof(struct net_local), GFP_KERNEL);
> if (!dev->priv)
> return -ENOMEM;
>
> memset(dev->priv, 0, sizeof(struct net_local));
> Error --->
> spin_lock_init(&lp->lock);
This one isn't a bug. The pointer to allocated memory is stored in two
variables. Only one of them is verified against NULL, that is enough.
--
Kasper Dupont -- der bruger for meget tid p? usenet.
For sending spam use mailto:[email protected]
On Jun 09, 2002 20:55 -0700, Dawson Engler wrote:
> 2 | /fs/dcache.c
> 1 | /fs/sysctl.c
>
> /u2/engler/mc/oses/linux/2.4.17/fs/intermezzo/dcache.c
> /u2/engler/mc/oses/linux/2.4.17/fs/intermezzo/sysctl.c
It looks like you are dropping part of the path out of the short list.
There is a file fs/dcache.c, but also fs/intermezzo/dcache.c where the
error is shown. I have passed these errors on to the InterMezzo mailing
list.
> /u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c
> * Do we need to do a data copy?
> */
>
> if (need_copy_out && !done_copy_out) {
> char *tmp;
> Start --->
> tmp = jbd_rep_kmalloc(jh2bh(jh_in)->b_size, GFP_NOFS);
>
> jh_in->b_frozen_data = tmp;
> Error --->
> memcpy (tmp, mapped_data, jh2bh(jh_in)->b_size);
Note that jbd_rep_kmalloc() is a special case, and will not currently
return NULL. This macro calls __jbd_rep_kmalloc(..., retry=1) which
means "repeat the allocation until it succeeds" so the code path
"if (!retry) return NULL" can never actually happen from this caller.
The logic is somewhat convoluted, so it is not surprising that the
checker didn't distinguish this case (it would have to have done the
"constant" evaluation to drop the NULL return path from the code).
Cheers, Andreas
--
Andreas Dilger
http://www-mddsp.enel.ucalgary.ca/People/adilger/
http://sourceforge.net/projects/ext2resize/
> > [BUG] (synonums aren't working)
> > /u2/engler/mc/oses/linux/2.4.17/drivers/net/eexpress.c:1088:eexp_hw_probe:
> > ERROR:NULL:1083:1088:Using ptr "lp" illegally! set by 'kmalloc':1083
> > [COUNTER=kmalloc:1083] [fit=1] [fit_fn=5] [fn_ex=0] [fn_counter=1]
> > [ex=1399] [counter=26] [z = 5.50002098543802] [fn-z = -4.35889894354067]
> > }
> >
> > buswidth = !((setupval & 0x400) >> 10);
> > }
> >
> > Start --->
> > dev->priv = lp = kmalloc(sizeof(struct net_local), GFP_KERNEL);
> > if (!dev->priv)
> > return -ENOMEM;
> >
> > memset(dev->priv, 0, sizeof(struct net_local));
> > Error --->
> > spin_lock_init(&lp->lock);
>
> This one isn't a bug. The pointer to allocated memory is stored in two
> variables. Only one of them is verified against NULL, that is enough.
Yuck. Sorry about that --- I mislabeled the message. It's a BUG,
but in our system rather than in 2.4.17. Bug finding still tends
to be unfortunately symetrical...
> > /u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c
> > * Do we need to do a data copy?
> > */
> >
> > if (need_copy_out && !done_copy_out) {
> > char *tmp;
> > Start --->
> > tmp = jbd_rep_kmalloc(jh2bh(jh_in)->b_size, GFP_NOFS);
> >
> > jh_in->b_frozen_data = tmp;
> > Error --->
> > memcpy (tmp, mapped_data, jh2bh(jh_in)->b_size);
>
> Note that jbd_rep_kmalloc() is a special case, and will not currently
> return NULL. This macro calls __jbd_rep_kmalloc(..., retry=1) which
> means "repeat the allocation until it succeeds" so the code path
> "if (!retry) return NULL" can never actually happen from this caller.
> The logic is somewhat convoluted, so it is not surprising that the
> checker didn't distinguish this case (it would have to have done the
> "constant" evaluation to drop the NULL return path from the code).
Interesting. The checker infers which functions can plausibly return
null by counting, for each function f:
1. how many callsites check f's return value against null
versus
2.how many do not.
In this case the reason we were checking jbd_rep_kmalloc (actually
__jbd_kmalloc) was because five other callers in jbd checked it:
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c:695:journal_init_common: NOTE:NULL:692:695:[EXAMPLE=__jbd_kmalloc:692]
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/transaction.c:54:get_transaction: NOTE:NULL:50:54:[EXAMPLE=__jbd_kmalloc:50]
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/transaction.c:233:journal_start: NOTE:NULL:230:233:[EXAMPLE=__jbd_kmalloc:230]
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/transaction.c:339:journal_try_start: NOTE:NULL:336:339:[EXAMPLE=__jbd_kmalloc:336]
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/transaction.c:895:journal_get_undo_access: NOTE:NULL:885:895:[EXAMPLE=__jbd_kmalloc:885]
which means there are indeed bugs in jbd, just not the one we flagged ;-)
Dawson
PS this is the meaning of the rather opaque "[ex=5] [counter=1]" in the
error message: 5 checks of __jbd_kmalloc versus 1 use-without-check of it.
/u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c:441:journal_write_metadata_buffer: ERROR:NULL:438:441:Passing unknown ptr "tmp"! as arg 0 to call "memcpy"! set by '__jbd_kmalloc':438 [COUNTER=__jbd_kmalloc:438] [fit=22] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=5] [counter=1] [z = -1.31122013621437] [fn-z = -4.35889894354067]
On Jun 09, 2002 23:07 -0700, Dawson Engler wrote:
> > > /u2/engler/mc/oses/linux/2.4.17/fs/jbd/journal.c
> > > * Do we need to do a data copy?
> > > */
> > >
> > > if (need_copy_out && !done_copy_out) {
> > > char *tmp;
> > > Start --->
> > > tmp = jbd_rep_kmalloc(jh2bh(jh_in)->b_size, GFP_NOFS);
> > >
> > > jh_in->b_frozen_data = tmp;
> > > Error --->
> > > memcpy (tmp, mapped_data, jh2bh(jh_in)->b_size);
> >
> > Note that jbd_rep_kmalloc() is a special case, and will not currently
> > return NULL. This macro calls __jbd_rep_kmalloc(..., retry=1) which
> > means "repeat the allocation until it succeeds" so the code path
> > "if (!retry) return NULL" can never actually happen from this caller.
> > The logic is somewhat convoluted, so it is not surprising that the
> > checker didn't distinguish this case (it would have to have done the
> > "constant" evaluation to drop the NULL return path from the code).
>
> Interesting. The checker infers which functions can plausibly return
> null by counting, for each function f:
> 1. how many callsites check f's return value against null
> versus
> 2.how many do not.
> In this case the reason we were checking jbd_rep_kmalloc (actually
> __jbd_kmalloc) was because five other callers in jbd checked it:
>
> linux/2.4.17/fs/jbd/journal.c:695:journal_init_common: NOTE:NULL:692:695:[EXAMPLE=__jbd_kmalloc:692]
> linux/2.4.17/fs/jbd/transaction.c:54:get_transaction: NOTE:NULL:50:54:[EXAMPLE=__jbd_kmalloc:50]
> linux/2.4.17/fs/jbd/transaction.c:233:journal_start: NOTE:NULL:230:233:[EXAMPLE=__jbd_kmalloc:230]
> linux/2.4.17/fs/jbd/transaction.c:339:journal_try_start: NOTE:NULL:336:339:[EXAMPLE=__jbd_kmalloc:336]
> linux/2.4.17/fs/jbd/transaction.c:895:journal_get_undo_access: NOTE:NULL:885:895:[EXAMPLE=__jbd_kmalloc:885]
>
> which means there are indeed bugs in jbd, just not the one we flagged ;-)
Ah, but the checker is still (subtly) wrong in this case. The difference
is that "jbd_kmalloc()" (a macro calling __jbd_kmalloc in the 5 functions
which check the return code) depends on the "journal_oom_retry" variable
to determine whether or not it is "allowed" to return NULL. In contrast,
the one call to "jbd_rep_kmalloc()" flagged above is a macro which
calls __jbd_kmalloc() with "retry = 1" so it is never allowed to fail
and return NULL.
I can agree that this is really tricky to spot via the checker,
because the function itself is allowed to return NULL (depending on
the "retry" parameter), but in the flagged case it will never return
NULL (which is the whole point of the retries inside __jbd_kmalloc()
because it is not allowed to fail the allocation at this point). So,
while the 5 other callers are correct in checking the return value
(because journal_oom_retry might be 0 and the allocations could fail),
the lone caller which does not check the return value is also correct
because retry is always 1 in this case.
Needless to say, I still think the checker tool is the best thing since
sliced bread and I don't mind getting false positives like this because
in most cases the checker is correct. Have you thought about supporting
"checker meta comments" (like lint did) to allow one to flag a piece of
code as being "correct" for a certain check so that it doesn't always
show up on your test runs?
Cheers, Andreas
--
Andreas Dilger
http://www-mddsp.enel.ucalgary.ca/People/adilger/
http://sourceforge.net/projects/ext2resize/
On Mon, 10 Jun 2002 13:55, Dawson Engler wrote:
Thanks for these. Patch for 2.4.19-pre10 to fix catc and se401 bugs currently
compile testing :)
But I think that you have a problem identifying the errors in these cases.
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1430:se401_init:
> ERROR:NULL:1427:1430:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> ---------------------------------------------------------
bradh: this one is right.
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init:
> ERROR:NULL:1427:1435:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3; ---------------------------------------------------------
bradh: this one is wrong. If it didn't oops on the previous one, it won't oops
here :)
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init:
> ERROR:NULL:1427:1438:Using ptr "(*se401).width" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1427 [COUNTER=kmalloc_Rsmp_93d4cfe6:1427] [fit=46]
> [fit_fn=4] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] return 1;
> }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> Start --->
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> Error --->
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3;
>
> rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
> se401->cwidth=cp[0]+cp[1]*256;
> ---------------------------------------------------------
bradh: this can't be the error, see above.
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1431:se401_init:
> ERROR:NULL:1428:1431:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> Error --->
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> ---------------------------------------------------------
This is the true bug.
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1435:se401_init:
> ERROR:NULL:1428:1435:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> Error --->
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3; ---------------------------------------------------------
This can't be.
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/usb/se401.c:1438:se401_init:
> ERROR:NULL:1428:1438:Using ptr "(*se401).height" illegally! set by
> 'kmalloc_Rsmp_93d4cfe6':1428 [COUNTER=kmalloc_Rsmp_93d4cfe6:1428] [fit=46]
> [fit_fn=5] [fn_ex=0] [fn_counter=3] [ex=59] [counter=9] [z =
> -3.11592335081808] [fn-z = -7.54983443527075] }
> sprintf (temp, "ExtraFeatures: %d", cp[3]);
>
> se401->sizes=cp[4]+cp[5]*256;
> se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> Start --->
> se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> for (i=0; i<se401->sizes; i++) {
> se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> }
> sprintf (temp, "%s Sizes:", temp);
> for (i=0; i<se401->sizes; i++) {
> sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> }
> info("%s", temp);
> Error --->
> se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
>s-1]*3;
>
> rc=se401_sndctrl(0, se401, SE401_REQ_GET_WIDTH, 0, cp, sizeof(cp));
> se401->cwidth=cp[0]+cp[1]*256;
> ---------------------------------------------------------
This can't be.
> Ah, but the checker is still (subtly) wrong in this case. The difference
> is that "jbd_kmalloc()" (a macro calling __jbd_kmalloc in the 5 functions
> which check the return code) depends on the "journal_oom_retry" variable
> to determine whether or not it is "allowed" to return NULL. In contrast,
> the one call to "jbd_rep_kmalloc()" flagged above is a macro which
> calls __jbd_kmalloc() with "retry = 1" so it is never allowed to fail
> and return NULL.
Ah. Got it. Yeah, we're not doing much inter-procedural false path
pruning. Hopefully within a month or so --- Andy Chou and Yichen Xie
are building an analysis pass that uses a SAT solver to suppress such
things. It discovers some pretty crazy relationships and is actually
pretty fast.
> in most cases the checker is correct.
To be fair, it's the checker + our inspection that is mostly correct
;-) Though the uninspected false pos rate is pretty low.
> Have you thought about supporting
> "checker meta comments" (like lint did) to allow one to flag a piece of
> code as being "correct" for a certain check so that it doesn't always
> show up on your test runs?
I wasn't that optimistic that people would be willing to annotate their
code. It is pretty easy to add such annotations with distinguished
function calls. E.g.,
/* shut up checker null pointer warnings */
mc_no_null_bug(p);
where p is a pointer var --- it can be #define'd to nothing when the
checker isn't being used. Also, the checker can turn the annot into
a sort of checkable comment by warning when the annotation is not
needed.
Instead we use a history-based approach: both false positives and bugs
are stuffed into a file which subsequent runs use to relabel messages
as old false positives or unfixed bugs. The messages are canonicalized
so that most source edits don't make them invalid. E.g., we keep file,
function, variable names and such but strip line numbers and other
things. The advantage is that you don't have to modify your source for
checkers to go over it. Which is good, given the current patch
process.
If you're interested, there are a bunch of papers on this and other things
at
http://www.stanford.edu/~engler
Thanks for your feedback!
Dawson
> Thanks for these. Patch for 2.4.19-pre10 to fix catc and se401 bugs currently
> compile testing :)
Good deal! Thanks for letting us know.
> > se401->width=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> > se401->height=kmalloc(se401->sizes*sizeof(int), GFP_KERNEL);
> > for (i=0; i<se401->sizes; i++) {
> > se401->width[i]=cp[6+i*4+0]+cp[6+i*4+1]*256;
> > se401->height[i]=cp[6+i*4+2]+cp[6+i*4+3]*256;
> > }
> > sprintf (temp, "%s Sizes:", temp);
> > for (i=0; i<se401->sizes; i++) {
> > Error --->
> > sprintf(temp, "%s %dx%d", temp, se401->width[i], se401->height[i]);
> > }
> > info("%s", temp);
> > se401->maxframesize=se401->width[se401->sizes-1]*se401->height[se401->size
> >s-1]*3; ---------------------------------------------------------
> bradh: this one is wrong. If it didn't oops on the previous one, it won't oops
> here :)
Yeah, indeed. The current rewrite doesn't (yet) have false path suppression
back in and I'm getting too old to be reliable. Thanks for pointing it
out.
> which means there are indeed bugs in jbd, just not the one we flagged ;-)
I was wondering what toold you use to catch these bugs... What is jbd ?
Bye.
On Mon, Jun 10, 2002 at 09:19:11AM +0200, Giuliano Pochini wrote:
>
> > which means there are indeed bugs in jbd, just not the one we flagged ;-)
>
> I was wondering what toold you use to catch these bugs... What is jbd ?
journalling block device. part of the kernel, not the checker. the
checker is a hacked up gcc i believe. wonderful stuff.
j.
--
toyota power: http://indigoid.net/
On Sun, Jun 09, 2002 at 08:55:22PM -0700, Dawson Engler wrote:
> ---------------------------------------------------------
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/hotplug/cpqphp_proc.c:156:cpqhp_proc_create_ctrl: ERROR:NULL:155:156:Using ptr "(*ctrl).proc_entry" illegally! set by 'create_proc_entry':155 [COUNTER=create_proc_entry:155] [fit=7] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
> int cpqhp_proc_create_ctrl (struct controller *ctrl)
> {
> strcpy(ctrl->proc_name, "hpca");
> ctrl->proc_name[3] = 'a' + ctrl->bus;
>
> Start --->
> ctrl->proc_entry = create_proc_entry(ctrl->proc_name, S_IFREG | S_IRUGO, ctrl_proc_root);
> Error --->
> ctrl->proc_entry->data = ctrl;
> ctrl->proc_entry->read_proc = &read_ctrl;
>
> strcpy(ctrl->proc_name2, "slot_a");
> ---------------------------------------------------------
> [BUG]
> /u2/engler/mc/oses/linux/2.4.17/drivers/hotplug/cpqphp_proc.c:162:cpqhp_proc_create_ctrl: ERROR:NULL:161:162:Using ptr "(*ctrl).proc_entry2" illegally! set by 'create_proc_entry':161 [COUNTER=create_proc_entry:161] [fit=7] [fit_fn=2] [fn_ex=0] [fn_counter=1] [ex=88] [counter=4] [z = 0.287018923940967] [fn-z = -4.35889894354067]
> ctrl->proc_entry->data = ctrl;
> ctrl->proc_entry->read_proc = &read_ctrl;
>
> strcpy(ctrl->proc_name2, "slot_a");
> ctrl->proc_name2[5] = 'a' + ctrl->bus;
> Start --->
> ctrl->proc_entry2 = create_proc_entry(ctrl->proc_name2, S_IFREG | S_IRUGO, ctrl_proc_root);
> Error --->
> ctrl->proc_entry2->data = ctrl;
> ctrl->proc_entry2->read_proc = &read_dev;
>
> return 0;
> ---------------------------------------------------------
Ah, good catch, I'll go fix these two.
thanks,
greg k-h