Eric Lee / smarc-fsl-linux-kernel

12 Nov, 2016

1 commit

  • a76bcf557   Kbuild: enable -Wmaybe-uninitialized warning for "make W=1" ... Browse Code »

    Traditionally, we have always had warnings about uninitialized variables
    enabled, as this is part of -Wall, and generally a good idea [1], but it
    also always produced false positives, mainly because this is a variation
    of the halting problem and provably impossible to get right in all cases
    [2].

    Various people have identified cases that are particularly bad for false
    positives, and in commit e74fc973b6e5 ("Turn off -Wmaybe-uninitialized
    when building with -Os"), I turned off the warning for any build that
    was done with CC_OPTIMIZE_FOR_SIZE. This drastically reduced the number
    of false positive warnings in the default build but unfortunately had
    the side effect of turning the warning off completely in 'allmodconfig'
    builds, which in turn led to a lot of warnings (both actual bugs, and
    remaining false positives) to go in unnoticed.

    With commit 877417e6ffb9 ("Kbuild: change CC_OPTIMIZE_FOR_SIZE
    definition") enabled the warning again for allmodconfig builds in v4.7
    and in v4.8-rc1, I had finally managed to address all warnings I get in
    an ARM allmodconfig build and most other maybe-uninitialized warnings
    for ARM randconfig builds.

    However, commit 6e8d666e9253 ("Disable "maybe-uninitialized" warning
    globally") was merged at the same time and disabled it completely for
    all configurations, because of false-positive warnings on x86 that I had
    not addressed until then. This caused a lot of actual bugs to get
    merged into mainline, and I sent several dozen patches for these during
    the v4.9 development cycle. Most of these are actual bugs, some are for
    correct code that is safe because it is only called under external
    constraints that make it impossible to run into the case that gcc sees,
    and in a few cases gcc is just stupid and finds something that can
    obviously never happen.

    I have now done a few thousand randconfig builds on x86 and collected
    all patches that I needed to address every single warning I got (I can
    provide the combined patch for the other warnings if anyone is
    interested), so I hope we can get the warning back and let people catch
    the actual bugs earlier.

    This reverts the change to disable the warning completely and for now
    brings it back at the "make W=1" level, so we can get it merged into
    mainline without introducing false positives. A follow-up patch enables
    it on all levels unless some configuration option turns it off because
    of false-positives.

    Link: https://rusty.ozlabs.org/?p=232 [1]
    Link: https://gcc.gnu.org/wiki/Better_Uninitialized_Warnings [2]
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Linus Torvalds

    Arnd Bergmann
     

20 Sep, 2016

1 commit

  • 725c4d22b   ubsan: allow to disable the null sanitizer ... Browse Code »

    Some architectures use a hardware defined structure at address zero.
    Checking for a null pointer will result in many ubsan reports.
    Allow users to disable the null sanitizer.

    Signed-off-by: Christian Borntraeger
    Acked-by: Andrey Ryabinin
    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky

    Christian Borntraeger
     

28 Jul, 2016

1 commit

  • 6e8d666e9   Disable "maybe-uninitialized" warning globally ... Browse Code »

    Several build configurations had already disabled this warning because
    it generates a lot of false positives. But some had not, and it was
    still enabled for "allmodconfig" builds, for example.

    Looking at the warnings produced, every single one I looked at was a
    false positive, and the warnings are frequent enough (and big enough)
    that they can easily hide real problems that you don't notice in the
    noise generated by -Wmaybe-uninitialized.

    The warning is good in theory, but this is a classic case of a warning
    that causes more problems than the warning can solve.

    If gcc gets better at avoiding false positives, we may be able to
    re-enable this warning. But as is, we're better off without it, and I
    want to be able to see the *real* warnings.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

23 Mar, 2016

1 commit

  • dde5cf39d   ubsan: fix tree-wide -Wmaybe-uninitialized false positives ... Browse Code »

    -fsanitize=* options makes GCC less smart than usual and increase number
    of 'maybe-uninitialized' false-positives. So this patch does two things:

    * Add -Wno-maybe-uninitialized to CFLAGS_UBSAN which will disable all
    such warnings for instrumented files.

    * Remove CONFIG_UBSAN_SANITIZE_ALL from all[yes|mod]config builds. So
    the all[yes|mod]config build goes without -fsanitize=* and still with
    -Wmaybe-uninitialized.

    Signed-off-by: Andrey Ryabinin
    Reported-by: Fengguang Wu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrey Ryabinin
     

21 Jan, 2016

1 commit

  • c6d308534   UBSAN: run-time undefined behavior sanity checker ... Browse Code »

    UBSAN uses compile-time instrumentation to catch undefined behavior
    (UB). Compiler inserts code that perform certain kinds of checks before
    operations that could cause UB. If check fails (i.e. UB detected)
    __ubsan_handle_* function called to print error message.

    So the most of the work is done by compiler. This patch just implements
    ubsan handlers printing errors.

    GCC has this capability since 4.9.x [1] (see -fsanitize=undefined
    option and its suboptions).
    However GCC 5.x has more checkers implemented [2].
    Article [3] has a bit more details about UBSAN in the GCC.

    [1] - https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Debugging-Options.html
    [2] - https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html
    [3] - http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/

    Issues which UBSAN has found thus far are:

    Found bugs:

    * out-of-bounds access - 97840cb67ff5 ("netfilter: nfnetlink: fix
    insufficient validation in nfnetlink_bind")

    undefined shifts:

    * d48458d4a768 ("jbd2: use a better hash function for the revoke
    table")

    * 10632008b9e1 ("clockevents: Prevent shift out of bounds")

    * 'x << -1' shift in ext4 -
    http://lkml.kernel.org/r/

    * undefined rol32(0) -
    http://lkml.kernel.org/r/

    * undefined dirty_ratelimit calculation -
    http://lkml.kernel.org/r/

    * undefined roundown_pow_of_two(0) -
    http://lkml.kernel.org/r/

    * [WONTFIX] undefined shift in __bpf_prog_run -
    http://lkml.kernel.org/r/

    WONTFIX here because it should be fixed in bpf program, not in kernel.

    signed overflows:

    * 32a8df4e0b33f ("sched: Fix odd values in effective_load()
    calculations")

    * mul overflow in ntp -
    http://lkml.kernel.org/r/

    * incorrect conversion into rtc_time in rtc_time64_to_tm() -
    http://lkml.kernel.org/r/

    * unvalidated timespec in io_getevents() -
    http://lkml.kernel.org/r/

    * [NOTABUG] signed overflow in ktime_add_safe() -
    http://lkml.kernel.org/r/

    [akpm@linux-foundation.org: fix unused local warning]
    [akpm@linux-foundation.org: fix __int128 build woes]
    Signed-off-by: Andrey Ryabinin
    Cc: Peter Zijlstra
    Cc: Sasha Levin
    Cc: Randy Dunlap
    Cc: Rasmus Villemoes
    Cc: Jonathan Corbet
    Cc: Michal Marek
    Cc: Thomas Gleixner
    Cc: Ingo Molnar
    Cc: "H. Peter Anvin"
    Cc: Yury Gribov
    Cc: Dmitry Vyukov
    Cc: Konstantin Khlebnikov
    Cc: Kostya Serebryany
    Cc: Johannes Berg
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrey Ryabinin