xref: /illumos-gate/usr/src/tools/smatch/src/check_kernel_printf.c (revision 8a2b682e57a046b828f37bcde1776f131ef4629f)
1 /*
2  * Copyright (C) 2015 Rasmus Villemoes.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License
6  * as published by the Free Software Foundation; either version 2
7  * of the License, or (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16  */
17 
18 #include <assert.h>
19 #include <ctype.h>
20 #include <string.h>
21 #include "smatch.h"
22 #include "smatch_slist.h"
23 
24 #define spam(args...) do {			\
25 	if (option_spammy)			\
26 		sm_msg(args);			\
27 	} while (0)
28 
29 static int my_id;
30 
31 /*
32  * Much of this is taken directly from the kernel (mostly vsprintf.c),
33  * with a few modifications here and there.
34  */
35 
36 #define KERN_SOH_ASCII  '\001'
37 
38 typedef unsigned char u8;
39 typedef signed short s16;
40 
41 #define SIGN	1		/* unsigned/signed, must be 1 */
42 #define LEFT	2		/* left justified */
43 #define PLUS	4		/* show plus */
44 #define SPACE	8		/* space if plus */
45 #define ZEROPAD	16		/* pad with zero, must be 16 == '0' - ' ' */
46 #define SMALL	32		/* use lowercase in hex (must be 32 == 0x20) */
47 #define SPECIAL	64		/* prefix hex with "0x", octal with "0" */
48 
49 enum format_type {
50 	FORMAT_TYPE_NONE, /* Just a string part */
51 	FORMAT_TYPE_WIDTH,
52 	FORMAT_TYPE_PRECISION,
53 	FORMAT_TYPE_CHAR,
54 	FORMAT_TYPE_STR,
55 	FORMAT_TYPE_PTR,
56 	FORMAT_TYPE_PERCENT_CHAR,
57 	FORMAT_TYPE_INVALID,
58 	FORMAT_TYPE_LONG_LONG,
59 	FORMAT_TYPE_ULONG,
60 	FORMAT_TYPE_LONG,
61 	FORMAT_TYPE_UBYTE,
62 	FORMAT_TYPE_BYTE,
63 	FORMAT_TYPE_USHORT,
64 	FORMAT_TYPE_SHORT,
65 	FORMAT_TYPE_UINT,
66 	FORMAT_TYPE_INT,
67 	FORMAT_TYPE_SIZE_T,
68 	FORMAT_TYPE_PTRDIFF,
69 	FORMAT_TYPE_NRCHARS, /* Reintroduced for this checker */
70 	FORMAT_TYPE_FLOAT, /* for various floating point formatters */
71 };
72 
73 struct printf_spec {
74 	unsigned int	type:8;		/* format_type enum */
75 	signed int	field_width:24;	/* width of output field */
76 	unsigned int	flags:8;	/* flags to number() */
77 	unsigned int	base:8;		/* number base, 8, 10 or 16 only */
78 	signed int	precision:16;	/* # of digits/chars */
79 } __packed;
80 #define FIELD_WIDTH_MAX ((1 << 23) - 1)
81 #define PRECISION_MAX ((1 << 15) - 1)
82 extern char __check_printf_spec[1-2*(sizeof(struct printf_spec) != 8)];
83 
84 static int
85 skip_atoi(const char **s)
86 {
87 	int i = 0;
88 
89 	while (isdigit(**s))
90 		i = i*10 + *((*s)++) - '0';
91 
92 	return i;
93 }
94 
95 static int
96 format_decode(const char *fmt, struct printf_spec *spec)
97 {
98 	const char *start = fmt;
99 	char qualifier;
100 
101 	/* we finished early by reading the field width */
102 	if (spec->type == FORMAT_TYPE_WIDTH) {
103 		if (spec->field_width < 0) {
104 			spec->field_width = -spec->field_width;
105 			spec->flags |= LEFT;
106 		}
107 		spec->type = FORMAT_TYPE_NONE;
108 		goto precision;
109 	}
110 
111 	/* we finished early by reading the precision */
112 	if (spec->type == FORMAT_TYPE_PRECISION) {
113 		if (spec->precision < 0)
114 			spec->precision = 0;
115 
116 		spec->type = FORMAT_TYPE_NONE;
117 		goto qualifier;
118 	}
119 
120 	/* By default */
121 	spec->type = FORMAT_TYPE_NONE;
122 
123 	for (; *fmt ; ++fmt) {
124 		if (*fmt == '%')
125 			break;
126 	}
127 
128 	/* Return the current non-format string */
129 	if (fmt != start || !*fmt)
130 		return fmt - start;
131 
132 	/* Process flags */
133 	spec->flags = 0;
134 
135 	while (1) { /* this also skips first '%' */
136 		bool found = true;
137 
138 		++fmt;
139 
140 		switch (*fmt) {
141 		case '-': spec->flags |= LEFT;    break;
142 		case '+': spec->flags |= PLUS;    break;
143 		case ' ': spec->flags |= SPACE;   break;
144 		case '#': spec->flags |= SPECIAL; break;
145 		case '0': spec->flags |= ZEROPAD; break;
146 		default:  found = false;
147 		}
148 
149 		if (!found)
150 			break;
151 	}
152 
153 	/* get field width */
154 	spec->field_width = -1;
155 
156 	if (isdigit(*fmt))
157 		spec->field_width = skip_atoi(&fmt);
158 	else if (*fmt == '*') {
159 		/* it's the next argument */
160 		spec->type = FORMAT_TYPE_WIDTH;
161 		return ++fmt - start;
162 	}
163 
164 precision:
165 	/* get the precision */
166 	spec->precision = -1;
167 	if (*fmt == '.') {
168 		++fmt;
169 		if (isdigit(*fmt)) {
170 			spec->precision = skip_atoi(&fmt);
171 			if (spec->precision < 0)
172 				spec->precision = 0;
173 		} else if (*fmt == '*') {
174 			/* it's the next argument */
175 			spec->type = FORMAT_TYPE_PRECISION;
176 			return ++fmt - start;
177 		}
178 	}
179 
180 qualifier:
181 	/* get the conversion qualifier */
182 	qualifier = 0;
183 	if (*fmt == 'h' || _tolower(*fmt) == 'l' ||
184 	    _tolower(*fmt) == 'z' || *fmt == 't') {
185 		qualifier = *fmt++;
186 		if (qualifier == *fmt) {
187 			if (qualifier == 'l') {
188 				qualifier = 'L';
189 				++fmt;
190 			} else if (qualifier == 'h') {
191 				qualifier = 'H';
192 				++fmt;
193 			} else {
194 				sm_warning("invalid repeated qualifier '%c'", *fmt);
195 			}
196 		}
197 	}
198 
199 	/* default base */
200 	spec->base = 10;
201 	switch (*fmt) {
202 	case 'c':
203 		if (qualifier)
204 			sm_warning("qualifier '%c' ignored for %%c specifier", qualifier);
205 
206 		spec->type = FORMAT_TYPE_CHAR;
207 		return ++fmt - start;
208 
209 	case 's':
210 		if (qualifier)
211 			sm_warning("qualifier '%c' ignored for %%s specifier", qualifier);
212 
213 		spec->type = FORMAT_TYPE_STR;
214 		return ++fmt - start;
215 
216 	case 'p':
217 		spec->type = FORMAT_TYPE_PTR;
218 		return ++fmt - start;
219 
220 	case '%':
221 		spec->type = FORMAT_TYPE_PERCENT_CHAR;
222 		return ++fmt - start;
223 
224 	/* integer number formats - set up the flags and "break" */
225 	case 'o':
226 		spec->base = 8;
227 		break;
228 
229 	case 'x':
230 		spec->flags |= SMALL;
231 
232 	case 'X':
233 		spec->base = 16;
234 		break;
235 
236 	case 'd':
237 	case 'i':
238 		spec->flags |= SIGN;
239 	case 'u':
240 		break;
241 
242 	case 'n':
243 		spec->type = FORMAT_TYPE_NRCHARS;
244 		return ++fmt - start;
245 
246 	case 'a': case 'A':
247 	case 'e': case 'E':
248 	case 'f': case 'F':
249 	case 'g': case 'G':
250 		spec->type = FORMAT_TYPE_FLOAT;
251 		return ++fmt - start;
252 
253 	default:
254 		spec->type = FORMAT_TYPE_INVALID;
255 		/* Unlike the kernel code, we 'consume' the invalid
256 		 * character so that it can get included in the
257 		 * report. After that, we bail out. */
258 		return ++fmt - start;
259 	}
260 
261 	if (qualifier == 'L')
262 		spec->type = FORMAT_TYPE_LONG_LONG;
263 	else if (qualifier == 'l') {
264 		if (spec->flags & SIGN)
265 			spec->type = FORMAT_TYPE_LONG;
266 		else
267 			spec->type = FORMAT_TYPE_ULONG;
268 	} else if (_tolower(qualifier) == 'z') {
269 		spec->type = FORMAT_TYPE_SIZE_T;
270 	} else if (qualifier == 't') {
271 		spec->type = FORMAT_TYPE_PTRDIFF;
272 	} else if (qualifier == 'H') {
273 		if (spec->flags & SIGN)
274 			spec->type = FORMAT_TYPE_BYTE;
275 		else
276 			spec->type = FORMAT_TYPE_UBYTE;
277 	} else if (qualifier == 'h') {
278 		if (spec->flags & SIGN)
279 			spec->type = FORMAT_TYPE_SHORT;
280 		else
281 			spec->type = FORMAT_TYPE_USHORT;
282 	} else {
283 		if (spec->flags & SIGN)
284 			spec->type = FORMAT_TYPE_INT;
285 		else
286 			spec->type = FORMAT_TYPE_UINT;
287 	}
288 
289 	return ++fmt - start;
290 }
291 
292 static int is_struct_tag(struct symbol *type, const char *tag)
293 {
294 	return type->type == SYM_STRUCT && type->ident && !strcmp(type->ident->name, tag);
295 }
296 
297 static int has_struct_tag(struct symbol *type, const char *tag)
298 {
299 	struct symbol *tmp;
300 
301 	if (type->type == SYM_STRUCT)
302 		return is_struct_tag(type, tag);
303 	if (type->type == SYM_UNION) {
304 		FOR_EACH_PTR(type->symbol_list, tmp) {
305 			tmp = get_real_base_type(tmp);
306 			if (tmp && is_struct_tag(tmp, tag))
307 				return 1;
308 		} END_FOR_EACH_PTR(tmp);
309 	}
310 	return 0;
311 }
312 
313 static int is_char_type(struct symbol *type)
314 {
315 	return type == &uchar_ctype || type == &char_ctype || type == &schar_ctype;
316 }
317 
318 /*
319  * I have absolutely no idea if this is how one is supposed to get the
320  * symbol representing a typedef, but it seems to work.
321  */
322 struct typedef_lookup {
323 	const char *name;
324 	struct symbol *sym;
325 	int failed;
326 };
327 
328 static struct symbol *_typedef_lookup(const char *name)
329 {
330 	struct ident *id;
331 	struct symbol *node;
332 
333 	id = built_in_ident(name);
334 	if (!id)
335 		return NULL;
336 	node = lookup_symbol(id, NS_TYPEDEF);
337 	if (!node || node->type != SYM_NODE)
338 		return NULL;
339 	return get_real_base_type(node);
340 }
341 
342 static void typedef_lookup(struct typedef_lookup *tl)
343 {
344 	if (tl->sym || tl->failed)
345 		return;
346 	tl->sym = _typedef_lookup(tl->name);
347 	if (!tl->sym) {
348 		sm_perror(" could not find typedef '%s'", tl->name);
349 		tl->failed = 1;
350 	}
351 }
352 
353 
354 static void ip4(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
355 {
356 	enum { ENDIAN_BIG, ENDIAN_LITTLE, ENDIAN_HOST } endian = ENDIAN_BIG;
357 
358 	assert(fmt[0] == 'i' || fmt[0] == 'I');
359 	assert(fmt[1] == '4');
360 
361 	if (isalnum(fmt[2])) {
362 		switch (fmt[2]) {
363 		case 'h':
364 			endian = ENDIAN_HOST;
365 			break;
366 		case 'l':
367 			endian = ENDIAN_LITTLE;
368 			break;
369 		case 'n':
370 		case 'b':
371 			endian = ENDIAN_BIG;
372 			break;
373 		default:
374 			sm_warning("'%%p%c4' can only be followed by one of [hnbl], not '%c'", fmt[0], fmt[2]);
375 		}
376 		if (isalnum(fmt[3]))
377 			sm_warning("'%%p%c4' can only be followed by precisely one of [hnbl]", fmt[0]);
378 	}
379 
380 
381 	if (type->ctype.modifiers & MOD_NODEREF)
382 		sm_error("passing __user pointer to '%%p%c4'", fmt[0]);
383 
384 	/*
385 	 * If we have a pointer to char/u8/s8, we expect the caller to
386 	 * handle endianness; I don't think there's anything we can
387 	 * do. I'd like to check that if we're passed a pointer to a
388 	 * __bitwise u32 (most likely a __be32), we should have endian
389 	 * == ENDIAN_BIG. But I can't figure out how to get that
390 	 * information (it also seems to require ensuring certain
391 	 * macros are defined). But struct in_addr certainly consists
392 	 * of only a single __be32, so in that case we can do a check.
393 	 */
394 	if (is_char_type(basetype))
395 		return;
396 
397 	if (is_struct_tag(basetype, "in_addr") && endian != ENDIAN_BIG)
398 		sm_warning("passing struct in_addr* to '%%p%c4%c', is the endianness ok?", fmt[0], fmt[2]);
399 
400 	/* ... */
401 }
402 
403 static void ip6(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
404 {
405 	assert(fmt[0] == 'i' || fmt[0] == 'I');
406 	assert(fmt[1] == '6');
407 
408 	if (isalnum(fmt[2])) {
409 		if (fmt[2] != 'c')
410 			sm_warning("'%%p%c6' can only be followed by c", fmt[0]);
411 		else if (fmt[0] == 'i')
412 			sm_warning("'%%pi6' does not allow flag c");
413 		if (isalnum(fmt[3]))
414 			sm_warning("'%%p%c6%c' cannot be followed by other alphanumerics", fmt[0], fmt[2]);
415 	}
416 
417 	if (type->ctype.modifiers & MOD_NODEREF)
418 		sm_error("passing __user pointer to '%%p%c6'", fmt[0]);
419 }
420 
421 static void ipS(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
422 {
423 	const char *f;
424 
425 	assert(tolower(fmt[0]) == 'i');
426 	assert(fmt[1] == 'S');
427 
428 	for (f = fmt+2; isalnum(*f); ++f) {
429 		/* It's probably too anal checking for duplicate flags. */
430 		if (!strchr("pfschnbl", *f))
431 			sm_warning("'%%p%cS' cannot be followed by '%c'", fmt[0], *f);
432 	}
433 
434 	/*
435 	 * XXX: Should we also allow passing a pointer to a union, one
436 	 * member of which is a struct sockaddr? It may be slightly
437 	 * cleaner actually passing &u.raw instead of just &u, though
438 	 * the generated code is of course exactly the same. For now,
439 	 * we do accept struct sockaddr_in and struct sockaddr_in6,
440 	 * since those are easy to handle and rather harmless.
441 	 */
442 	if (!has_struct_tag(basetype, "sockaddr") &&
443 	    !has_struct_tag(basetype, "sockaddr_in") &&
444 	    !has_struct_tag(basetype, "sockaddr_in6") &&
445 	    !has_struct_tag(basetype, "__kernel_sockaddr_storage"))
446 		sm_error("'%%p%cS' expects argument of type struct sockaddr *, "
447 			"argument %d has type '%s'", fmt[0], vaidx, type_to_str(type));
448 }
449 
450 static void hex_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
451 {
452 	assert(fmt[0] == 'h');
453 	if (isalnum(fmt[1])) {
454 		if (!strchr("CDN", fmt[1]))
455 			sm_warning("'%%ph' cannot be followed by '%c'", fmt[1]);
456 		if (isalnum(fmt[2]))
457 			sm_warning("'%%ph' can be followed by at most one of [CDN], and no other alphanumerics");
458 	}
459 	if (type->ctype.modifiers & MOD_NODEREF)
460 		sm_error("passing __user pointer to %%ph");
461 }
462 
463 static void escaped_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
464 {
465 	assert(fmt[0] == 'E');
466 	while (isalnum(*++fmt)) {
467 		if (!strchr("achnops", *fmt))
468 			sm_warning("%%pE can only be followed by a combination of [achnops]");
469 	}
470 	if (type->ctype.modifiers & MOD_NODEREF)
471 		sm_error("passing __user pointer to %%pE");
472 }
473 
474 static void resource_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
475 {
476 	assert(tolower(fmt[0]) == 'r');
477 	if (!is_struct_tag(basetype, "resource")) {
478 		sm_error("'%%p%c' expects argument of type struct resource *, "
479 			"but argument %d has type '%s'", fmt[0], vaidx, type_to_str(type));
480 	}
481 	if (isalnum(fmt[1]))
482 		sm_warning("'%%p%c' cannot be followed by '%c'", fmt[0], fmt[1]);
483 }
484 
485 static void mac_address_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
486 {
487 	assert(tolower(fmt[0]) == 'm');
488 	if (isalnum(fmt[1])) {
489 		if (!(fmt[1] == 'F' || fmt[1] == 'R'))
490 			sm_warning("'%%p%c' cannot be followed by '%c'", fmt[0], fmt[1]);
491 		if (fmt[0] == 'm' && fmt[1] == 'F')
492 			sm_warning("it is pointless to pass flag F to %%pm");
493 		if (isalnum(fmt[2]))
494 			sm_warning("'%%p%c%c' cannot be followed by other alphanumeric", fmt[0], fmt[1]);
495 	}
496 	/* Technically, bdaddr_t is a typedef for an anonymous struct, but this still seems to work. */
497 	if (!is_char_type(basetype) && !is_struct_tag(basetype, "bdaddr_t") && basetype != &void_ctype) {
498 		sm_warning("'%%p%c' expects argument of type u8 * or bdaddr_t *, argument %d has type '%s'",
499 			fmt[0], vaidx, type_to_str(type));
500 	}
501 	if (type->ctype.modifiers & MOD_NODEREF)
502 		sm_error("passing __user pointer to '%%p%c'", fmt[0]);
503 }
504 
505 static void dentry_file(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
506 {
507 	const char *tag;
508 
509 	assert(tolower(fmt[0]) == 'd');
510 	tag = fmt[0] == 'd' ? "dentry" : "file";
511 
512 	if (isalnum(fmt[1])) {
513 		if (!strchr("234", fmt[1]))
514 			sm_warning("'%%p%c' can only be followed by one of [234]", fmt[0]);
515 		if (isalnum(fmt[2]))
516 			sm_warning("'%%p%c%c' cannot be followed by '%c'", fmt[0], fmt[1], fmt[2]);
517 	}
518 
519 	if (!is_struct_tag(basetype, tag))
520 		sm_error("'%%p%c' expects argument of type struct '%s*', argument %d has type '%s'",
521 			fmt[0], tag, vaidx, type_to_str(type));
522 }
523 
524 static void time_and_date(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
525 {
526 	assert(tolower(fmt[0]) == 't');
527 
528 	if (fmt[1] == 'R' && !is_struct_tag(basetype, "rtc_time"))
529 		sm_error("'%%ptR' expects argument of type struct 'rtc_time', argument %d has type '%s'",
530 			 vaidx, type_to_str(type));
531 }
532 
533 static void check_clock(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
534 {
535 	assert(fmt[0] == 'C');
536 	if (isalnum(fmt[1])) {
537 		if (!strchr("nr", fmt[1]))
538 			sm_warning("'%%pC' can only be followed by one of [nr]");
539 		if (isalnum(fmt[2]))
540 			sm_warning("'%%pC%c' cannot be followed by '%c'", fmt[1], fmt[2]);
541 	}
542 	if (!is_struct_tag(basetype, "clk"))
543 		sm_error("'%%pC' expects argument of type 'struct clk*', argument %d has type '%s'",
544 		       vaidx, type_to_str(type));
545 }
546 
547 static void va_format(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
548 {
549 	assert(fmt[0] == 'V');
550 	if (isalnum(fmt[1]))
551 		sm_warning("%%pV cannot be followed by any alphanumerics");
552 	if (!is_struct_tag(basetype, "va_format"))
553 		sm_error("%%pV expects argument of type struct va_format*, argument %d has type '%s'", vaidx, type_to_str(type));
554 }
555 
556 static void netdev_feature(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
557 {
558 	static struct typedef_lookup netdev = { .name = "netdev_features_t" };
559 
560 	assert(fmt[0] == 'N');
561 	if (fmt[1] != 'F') {
562 		sm_error("%%pN must be followed by 'F'");
563 		return;
564 	}
565 	if (isalnum(fmt[2]))
566 		sm_warning("%%pNF cannot be followed by '%c'", fmt[2]);
567 
568 	typedef_lookup(&netdev);
569 	if (!netdev.sym)
570 		return;
571 	if (basetype != netdev.sym)
572 		sm_error("%%pNF expects argument of type netdev_features_t*, argument %d has type '%s'",
573 			vaidx, type_to_str(type));
574 
575 }
576 static void address_val(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
577 {
578 	static struct typedef_lookup dma = { .name = "dma_addr_t" };
579 	static struct typedef_lookup phys = { .name = "phys_addr_t" };
580 	struct typedef_lookup *which = &phys;
581 	const char *suf = "";
582 	assert(fmt[0] == 'a');
583 
584 	if (isalnum(fmt[1])) {
585 		switch (fmt[1]) {
586 		case 'd':
587 			which = &dma;
588 			suf = "d";
589 			break;
590 		case 'p':
591 			suf = "p";
592 			break;
593 		default:
594 			sm_error("'%%pa' can only be followed by one of [dp]");
595 		}
596 		if (isalnum(fmt[2]))
597 			sm_error("'%%pa%c' cannot be followed by '%c'", fmt[1], fmt[2]);
598 	}
599 
600 	typedef_lookup(which);
601 	if (!which->sym)
602 		return;
603 	if (basetype != which->sym) {
604 		sm_error("'%%pa%s' expects argument of type '%s*', argument %d has type '%s'",
605 			suf, which->name, vaidx, type_to_str(type));
606 	}
607 }
608 
609 static void block_device(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
610 {
611 	const char *tag = "block_device";
612 
613 	assert(fmt[0] == 'g');
614 	if (isalnum(fmt[1])) {
615 		sm_warning("%%pg cannot be followed by '%c'", fmt[1]);
616 	}
617 	if (!is_struct_tag(basetype, tag))
618 		sm_error("'%%p%c' expects argument of type struct '%s*', argument %d has type '%s'",
619 			fmt[0], tag, vaidx, type_to_str(type));
620 }
621 
622 static void flag_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
623 {
624 	static struct typedef_lookup gfp = { .name = "gfp_t" };
625 
626 	assert(fmt[0] == 'G');
627 	if (!isalnum(fmt[1])) {
628 		sm_error("%%pG must be followed by one of [gpv]");
629 		return;
630 	}
631 	switch (fmt[1]) {
632 	case 'p':
633 	case 'v':
634 		if (basetype != &ulong_ctype)
635 			sm_error("'%%pG%c' expects argument of type 'unsigned long *', argument %d has type '%s'",
636 				fmt[1], vaidx, type_to_str(type));
637 		break;
638 	case 'g':
639 		typedef_lookup(&gfp);
640 		if (basetype != gfp.sym)
641 			sm_error("'%%pGg' expects argument of type 'gfp_t *', argument %d has type '%s'",
642 				vaidx, type_to_str(type));
643 		break;
644 	default:
645 		sm_error("'%%pG' must be followed by one of [gpv]");
646 	}
647 }
648 
649 static void device_node_string(const char *fmt, struct symbol *type, struct symbol *basetype, int vaidx)
650 {
651 	if (fmt[1] != 'F') {
652 		sm_error("%%pO can only be followed by 'F'");
653 		return;
654 	}
655 	if (!is_struct_tag(basetype, "device_node"))
656 		sm_error("'%%pOF' expects argument of type 'struct device_node*', argument %d has type '%s'",
657 		       vaidx, type_to_str(type));
658 }
659 
660 static void
661 pointer(const char *fmt, struct expression *arg, int vaidx)
662 {
663 	struct symbol *type, *basetype;
664 
665 	type = get_type(arg);
666 	if (!type) {
667 		sm_warning("could not determine type of argument %d", vaidx);
668 		return;
669 	}
670 	if (!is_ptr_type(type)) {
671 		sm_error("%%p expects pointer argument, but argument %d has type '%s'",
672 			vaidx, type_to_str(type));
673 		return;
674 	}
675 	/* Just plain %p, nothing to check. */
676 	if (!isalnum(*fmt))
677 		return;
678 
679 	basetype = get_real_base_type(type);
680 	if (is_void_type(basetype))
681 		return;
682 	/*
683 	 * Passing a pointer-to-array is harmless, but most likely one
684 	 * meant to pass pointer-to-first-element. If basetype is
685 	 * array type, we issue a notice and "dereference" the types
686 	 * once more.
687 	 */
688 	if (basetype->type == SYM_ARRAY) {
689 		spam("note: passing pointer-to-array; is the address-of redundant?");
690 		type = basetype;
691 		basetype = get_real_base_type(type);
692 	}
693 
694 	/*
695 	 * We pass both the type and the basetype to the helpers. If,
696 	 * for example, the pointer is really a decayed array which is
697 	 * passed to %pI4, we might want to check that it is in fact
698 	 * an array of four bytes. But most are probably only
699 	 * interested in whether the basetype makes sense. Also, the
700 	 * pointer may carry some annotation such as __user which
701 	 * might be worth checking in the handlers which actually
702 	 * dereference the pointer.
703 	 */
704 
705 	switch (*fmt) {
706 	case 'b':
707 	case 'F':
708 	case 'f':
709 	case 'S':
710 	case 's':
711 	case 'B':
712 		/* Can we do anything sensible? Check that the arg is a function pointer, for example? */
713 		break;
714 
715 	case 'R':
716 	case 'r':
717 		resource_string(fmt, type, basetype, vaidx);
718 		break;
719 	case 'M':
720 	case 'm':
721 		mac_address_string(fmt, type, basetype, vaidx);
722 		break;
723 	case 'I':
724 	case 'i':
725 		switch (fmt[1]) {
726 		case '4':
727 			ip4(fmt, type, basetype, vaidx);
728 			break;
729 		case '6':
730 			ip6(fmt, type, basetype, vaidx);
731 			break;
732 		case 'S':
733 			ipS(fmt, type, basetype, vaidx);
734 			break;
735 		default:
736 			sm_warning("'%%p%c' must be followed by one of [46S]", fmt[0]);
737 			break;
738 		}
739 		break;
740        /*
741 	* %pE and %ph can handle any valid pointer. We still check
742 	* whether all the subsequent alphanumerics are valid for the
743 	* particular %pX conversion.
744 	*/
745 	case 'E':
746 		escaped_string(fmt, type, basetype, vaidx);
747 		break;
748 	case 'h':
749 		hex_string(fmt, type, basetype, vaidx);
750 		break;
751 	case 'U': /* TODO */
752 		break;
753 	case 'V':
754 		va_format(fmt, type, basetype, vaidx);
755 		break;
756 	case 'K': /* TODO */
757 		break;
758 	case 'N':
759 		netdev_feature(fmt, type, basetype, vaidx);
760 		break;
761 	case 'a':
762 		address_val(fmt, type, basetype, vaidx);
763 		break;
764 	case 'D':
765 	case 'd':
766 		dentry_file(fmt, type, basetype, vaidx);
767 		break;
768 	case 't':
769 		time_and_date(fmt, type, basetype, vaidx);
770 		break;
771 	case 'C':
772 		check_clock(fmt, type, basetype, vaidx);
773 		break;
774 	case 'g':
775 		block_device(fmt, type, basetype, vaidx);
776 		break;
777 	case 'G':
778 		flag_string(fmt, type, basetype, vaidx);
779 		break;
780 	case 'O':
781 		device_node_string(fmt, type, basetype, vaidx);
782 		break;
783 	case 'x':
784 		/* 'x' is for an unhashed pointer */
785 		break;
786 	default:
787 		sm_error("unrecognized %%p extension '%c', treated as normal %%p", *fmt);
788 	}
789 }
790 
791 /*
792  * A common error is to pass a "char" or "signed char" to %02x (or
793  * %.2X or some other variant). This can actually be a security
794  * problem, because a lot of code expects this to produce exactly two
795  * characters of output. Unfortunately this also produces false
796  * positives, since we're sometimes in arch-specific code on an arch
797  * where char is always unsigned.
798  */
799 static void
800 hexbyte(const char *fmt, int fmt_len, struct expression *arg, int vaidx, struct printf_spec spec)
801 {
802 	struct symbol *type;
803 
804 	/*
805 	 * For now, just check the most common and obvious, which is
806 	 * roughly %[.0]2[xX].
807 	 */
808 	if (spec.field_width != 2 && spec.precision != 2)
809 		return;
810 	if (spec.base != 16)
811 		return;
812 
813 	type = get_type(arg);
814 	if (!type) {
815 		sm_warning("could not determine type of argument %d", vaidx);
816 		return;
817 	}
818 	if (type == &char_ctype || type == &schar_ctype)
819 		sm_warning("argument %d to %.*s specifier has type '%s'",
820 		       vaidx, fmt_len, fmt, type_to_str(type));
821 }
822 
823 static int
824 check_format_string(const char *fmt, const char *caller)
825 {
826 	const char *f;
827 
828 	for (f = fmt; *f; ++f) {
829 		unsigned char c = *f;
830 		switch (c) {
831 		case KERN_SOH_ASCII:
832 			/*
833 			 * This typically arises from bad conversion
834 			 * to pr_*, e.g. pr_warn(KERN_WARNING "something").
835 			 */
836 			if (f != fmt)
837 				sm_warning("KERN_* level not at start of string");
838 			/*
839 			 * In a very few cases, the level is actually
840 			 * computed and passed via %c, as in KERN_SOH
841 			 * "%c...". printk explicitly supports
842 			 * this.
843 			 */
844 			if (!(('0' <= f[1] && f[1] <= '7') ||
845 			      f[1] == 'd' || /* KERN_DEFAULT */
846 			      f[1] == 'c' || /* KERN_CONT */
847 			      (f[1] == '%' && f[2] == 'c')))
848 				sm_warning("invalid KERN_* level: KERN_SOH_ASCII followed by '\\x%02x'", (unsigned char)f[1]);
849 			break;
850 		case '\t':
851 		case '\n':
852 		case '\r':
853 		case 0x20 ... 0x7e:
854 			break;
855 		case 0x80 ... 0xff:
856 			sm_warning("format string contains non-ascii character '\\x%02x'", c);
857 			break;
858 		case 0x08:
859 			if (f == fmt)
860 				break;
861 			/* fall through */
862 		default:
863 			sm_warning("format string contains unusual character '\\x%02x'", c);
864 			break;
865 		}
866 	}
867 
868 	f = strstr(fmt, caller);
869 	if (f && strstr(f+1, caller))
870 		sm_warning("format string contains name of enclosing function '%s' twice", caller);
871 
872 	return f != NULL;
873 }
874 
875 static int arg_is___func__(struct expression *arg)
876 {
877 	if (arg->type != EXPR_SYMBOL)
878 		return 0;
879 	return !strcmp(arg->symbol_name->name, "__func__") ||
880 	       !strcmp(arg->symbol_name->name, "__FUNCTION__") ||
881 	       !strcmp(arg->symbol_name->name, "__PRETTY_FUNCTION__");
882 }
883 static int arg_contains_caller(struct expression *arg, const char *caller)
884 {
885 	if (arg->type != EXPR_STRING)
886 		return 0;
887 	return strstr(arg->string->data, caller) != NULL;
888 }
889 
890 static int is_array_of_const_char(struct symbol *sym)
891 {
892 	struct symbol *base = sym->ctype.base_type;
893 	if (base->type != SYM_ARRAY)
894 		return 0;
895 	if (!(base->ctype.modifiers & MOD_CONST))
896 		return 0;
897 	if (!is_char_type(base->ctype.base_type)) {
898 		spam("weird: format argument is array of const '%s'", type_to_str(base->ctype.base_type));
899 		return 0;
900 	}
901 	return 1;
902 }
903 
904 static int is_const_pointer_to_const_char(struct symbol *sym)
905 {
906 	struct symbol *base = sym->ctype.base_type;
907 	if (!(sym->ctype.modifiers & MOD_CONST))
908 		return 0;
909 	if (base->type != SYM_PTR)
910 		return 0;
911 	if (!(base->ctype.modifiers & MOD_CONST))
912 		return 0;
913 	if (!is_char_type(base->ctype.base_type)) {
914 		spam("weird: format argument is pointer to const '%s'", type_to_str(base->ctype.base_type));
915 		return 0;
916 	}
917 	return 1;
918 }
919 
920 static int unknown_format(struct expression *expr)
921 {
922 	struct state_list *slist;
923 
924 	slist = get_strings(expr);
925 	if (!slist)
926 		return 1;
927 	if (slist_has_state(slist, &undefined))
928 		return 1;
929 	free_slist(&slist);
930 	return 0;
931 }
932 
933 static bool has_hex_prefix(const char *orig_fmt, const char *old_fmt)
934 {
935 	return old_fmt >= orig_fmt + 2 &&
936 		old_fmt[-2] == '0' && _tolower(old_fmt[-1]) == 'x';
937 }
938 
939 static bool is_integer_specifier(int type)
940 {
941 	switch (type) {
942 	case FORMAT_TYPE_LONG_LONG:
943 	case FORMAT_TYPE_ULONG:
944 	case FORMAT_TYPE_LONG:
945 	case FORMAT_TYPE_UBYTE:
946 	case FORMAT_TYPE_BYTE:
947 	case FORMAT_TYPE_USHORT:
948 	case FORMAT_TYPE_SHORT:
949 	case FORMAT_TYPE_UINT:
950 	case FORMAT_TYPE_INT:
951 	case FORMAT_TYPE_SIZE_T:
952 	case FORMAT_TYPE_PTRDIFF:
953 		return true;
954 	default:
955 		return false;
956 	}
957 }
958 
959 static int
960 is_cast_expr(struct expression *expr)
961 {
962 	if (!expr)
963 		return 0;
964 
965 	switch (expr->type) {
966 	case EXPR_CAST:
967 	case EXPR_FORCE_CAST:
968 		/* not EXPR_IMPLIED_CAST for our purposes */
969 		return 1;
970 	default:
971 		return 0;
972 	}
973 }
974 
975 static void
976 check_cast_from_pointer(const char *fmt, int len, struct expression *arg, int va_idx)
977 {
978 	/*
979 	 * This can easily be fooled by passing 0+(long)ptr or doing
980 	 * "long local_var = (long)ptr" and passing local_var to
981 	 * %lx. Tough.
982 	 */
983 	if (!is_cast_expr(arg))
984 		return;
985 	while (is_cast_expr(arg))
986 		arg = arg->cast_expression;
987 	if (is_ptr_type(get_final_type(arg)))
988 		sm_warning("argument %d to %.*s specifier is cast from pointer",
989 			va_idx, len, fmt);
990 }
991 
992 static void
993 do_check_printf_call(const char *caller, const char *name, struct expression *callexpr, struct expression *fmtexpr, int vaidx)
994 {
995 	struct printf_spec spec = {0};
996 	const char *fmt, *orig_fmt;
997 	int caller_in_fmt;
998 
999 	fmtexpr = strip_parens(fmtexpr);
1000 	if (fmtexpr->type == EXPR_CONDITIONAL) {
1001 		do_check_printf_call(caller, name, callexpr, fmtexpr->cond_true ? : fmtexpr->conditional, vaidx);
1002 		do_check_printf_call(caller, name, callexpr, fmtexpr->cond_false, vaidx);
1003 		return;
1004 	}
1005 	if (fmtexpr->type == EXPR_SYMBOL) {
1006 		/*
1007 		 * If the symbol has an initializer, we can handle
1008 		 *
1009 		 *   const char foo[] = "abc";         and
1010 		 *   const char * const foo = "abc";
1011 		 *
1012 		 * We simply replace fmtexpr with the initializer
1013 		 * expression. If foo is not one of the above, or if
1014 		 * the initializer expression is somehow not a string
1015 		 * literal, fmtexpr->type != EXPR_STRING will trigger
1016 		 * below and we'll spam+return.
1017 		 */
1018 		struct symbol *sym = fmtexpr->symbol;
1019 		if (sym && sym->initializer &&
1020 		    (is_array_of_const_char(sym) ||
1021 		     is_const_pointer_to_const_char(sym))) {
1022 			fmtexpr = strip_parens(sym->initializer);
1023 		}
1024 	}
1025 
1026 	if (fmtexpr->type != EXPR_STRING) {
1027 		if (!unknown_format(fmtexpr))
1028 			return;
1029 		/*
1030 		 * Since we're now handling both ?: and static const
1031 		 * char[] arguments, we don't get as much noise. It's
1032 		 * still spammy, though.
1033 		 */
1034 		spam("warn: call of '%s' with non-constant format argument", name);
1035 		return;
1036 	}
1037 
1038 	orig_fmt = fmt = fmtexpr->string->data;
1039 	caller_in_fmt = check_format_string(fmt, caller);
1040 
1041 	while (*fmt) {
1042 		const char *old_fmt = fmt;
1043 		int read = format_decode(fmt, &spec);
1044 		struct expression *arg;
1045 
1046 		fmt += read;
1047 		if (spec.type == FORMAT_TYPE_NONE ||
1048 		    spec.type == FORMAT_TYPE_PERCENT_CHAR)
1049 			continue;
1050 
1051 		/*
1052 		 * vaidx is currently the correct 0-based index for
1053 		 * get_argument_from_call_expr. We post-increment it
1054 		 * here so that it is the correct 1-based index for
1055 		 * all the handlers below. This of course requires
1056 		 * that we handle all FORMAT_TYPE_* things not taking
1057 		 * an argument above.
1058 		 */
1059 		arg = get_argument_from_call_expr(callexpr->args, vaidx++);
1060 
1061 		if (spec.flags & SPECIAL && has_hex_prefix(orig_fmt, old_fmt))
1062 			sm_warning("'%.2s' prefix is redundant when # flag is used", old_fmt-2);
1063 		if (is_integer_specifier(spec.type)) {
1064 			if (spec.base != 16 && has_hex_prefix(orig_fmt, old_fmt))
1065 				sm_warning("'%.2s' prefix is confusing together with '%.*s' specifier",
1066 				       old_fmt-2, (int)(fmt-old_fmt), old_fmt);
1067 
1068 			check_cast_from_pointer(old_fmt, read, arg, vaidx);
1069 		}
1070 
1071 		switch (spec.type) {
1072 		/* case FORMAT_TYPE_NONE: */
1073 		/* case FORMAT_TYPE_PERCENT_CHAR: */
1074 		/* 	break; */
1075 
1076 		case FORMAT_TYPE_INVALID:
1077 			sm_error("format specifier '%.*s' invalid", read, old_fmt);
1078 			return;
1079 
1080 		case FORMAT_TYPE_FLOAT:
1081 			sm_error("no floats in the kernel; invalid format specifier '%.*s'", read, old_fmt);
1082 			return;
1083 
1084 		case FORMAT_TYPE_NRCHARS:
1085 			sm_error("%%n not supported in kernel");
1086 			return;
1087 
1088 		case FORMAT_TYPE_WIDTH:
1089 		case FORMAT_TYPE_PRECISION:
1090 			/* check int argument */
1091 			break;
1092 
1093 		case FORMAT_TYPE_STR:
1094 			/*
1095 			 * If the format string already contains the
1096 			 * function name, it probably doesn't make
1097 			 * sense to pass __func__ as well (or rather
1098 			 * vice versa: If pr_fmt(fmt) has been defined
1099 			 * to '"%s: " fmt, __func__', it doesn't make
1100 			 * sense to use a format string containing the
1101 			 * function name).
1102 			 *
1103 			 * This produces a lot of hits. They are not
1104 			 * false positives, but it is easier to handle
1105 			 * the things which don't occur that often
1106 			 * first, so we use spam().
1107 			 */
1108 			if (caller_in_fmt) {
1109 				if (arg_is___func__(arg))
1110 					spam("warn: passing __func__ while the format string already contains the name of the function '%s'",
1111 					     caller);
1112 				else if (arg_contains_caller(arg, caller))
1113 					sm_warning("passing string constant '%s' containing '%s' which is already part of the format string",
1114 					       arg->string->data, caller);
1115 			}
1116 			break;
1117 
1118 		case FORMAT_TYPE_PTR:
1119 			/* This is the most important part: Checking %p extensions. */
1120 			pointer(fmt, arg, vaidx);
1121 			while (isalnum(*fmt))
1122 				fmt++;
1123 			break;
1124 
1125 		case FORMAT_TYPE_CHAR:
1126 
1127 		case FORMAT_TYPE_UBYTE:
1128 		case FORMAT_TYPE_BYTE:
1129 		case FORMAT_TYPE_USHORT:
1130 		case FORMAT_TYPE_SHORT:
1131 		case FORMAT_TYPE_INT:
1132 			/* argument should have integer type of width <= sizeof(int) */
1133 			break;
1134 
1135 		case FORMAT_TYPE_UINT:
1136 			hexbyte(old_fmt, fmt-old_fmt, arg, vaidx, spec);
1137 		case FORMAT_TYPE_LONG:
1138 		case FORMAT_TYPE_ULONG:
1139 		case FORMAT_TYPE_LONG_LONG:
1140 		case FORMAT_TYPE_PTRDIFF:
1141 		case FORMAT_TYPE_SIZE_T:
1142 			break;
1143 		}
1144 
1145 
1146 	}
1147 
1148 	if (get_argument_from_call_expr(callexpr->args, vaidx))
1149 		sm_warning("excess argument passed to '%s'", name);
1150 
1151 
1152 }
1153 
1154 static void
1155 check_printf_call(const char *name, struct expression *callexpr, void *_info)
1156 {
1157 	/*
1158 	 * Note: attribute(printf) uses 1-based indexing, but
1159 	 * get_argument_from_call_expr() uses 0-based indexing.
1160 	 */
1161 	int info = PTR_INT(_info);
1162 	int fmtidx = (info & 0xff) - 1;
1163 	int vaidx = ((info >> 8) & 0xff) - 1;
1164 	struct expression *fmtexpr;
1165 	const char *caller = get_function();
1166 
1167 	if (!caller)
1168 		return;
1169 
1170 	/*
1171 	 * Calling a v*printf function with a literal format arg is
1172 	 * extremely rare, so we don't bother doing the only checking
1173 	 * we could do, namely checking that the format string is
1174 	 * valid.
1175 	 */
1176 	if (vaidx < 0)
1177 		return;
1178 
1179 	/*
1180 	 * For the things we use the name of the calling function for,
1181 	 * it is more appropriate to skip a potential SyS_ prefix; the
1182 	 * same goes for leading underscores.
1183 	 */
1184 	if (!strncmp(caller, "SyS_", 4))
1185 		caller += 4;
1186 	while (*caller == '_')
1187 		++caller;
1188 
1189 	/* Lack of format argument is a bug. */
1190 	fmtexpr = get_argument_from_call_expr(callexpr->args, fmtidx);
1191 	if (!fmtexpr) {
1192 		sm_error("call of '%s' with no format argument", name);
1193 		return;
1194 	}
1195 
1196 	do_check_printf_call(caller, name, callexpr, fmtexpr, vaidx);
1197 }
1198 
1199 
1200 void check_kernel_printf(int id)
1201 {
1202 	if (option_project != PROJ_KERNEL)
1203 		return;
1204 
1205 	my_id = id;
1206 
1207 #define printf_hook(func, fmt, first_to_check)	\
1208 	add_function_hook(#func, check_printf_call, INT_PTR(fmt + (first_to_check << 8)))
1209 
1210 	/* Extracted using stupid perl script. */
1211 
1212 #if 0
1213 	printf_hook(srm_printk, 1, 2);                    /* arch/alpha/include/asm/console.h */
1214 	printf_hook(die_if_kernel, 1, 2);                 /* arch/frv/include/asm/bug.h */
1215 	printf_hook(ia64_mca_printk, 1, 2);               /* arch/ia64/include/asm/mca.h */
1216 	printf_hook(nfprint, 1, 2);                       /* arch/m68k/include/asm/natfeat.h */
1217 	printf_hook(gdbstub_printk, 1, 2);                /* arch/mn10300/include/asm/gdb-stub.h */
1218 	printf_hook(DBG, 1, 2);                           /* arch/powerpc/boot/ps3.c */
1219 	printf_hook(printf, 1, 2);                        /* arch/powerpc/boot/stdio.h */
1220 	printf_hook(udbg_printf, 1, 2);                   /* arch/powerpc/include/asm/udbg.h */
1221 	printf_hook(__debug_sprintf_event, 3, 4);         /* arch/s390/include/asm/debug.h */
1222 	printf_hook(__debug_sprintf_exception, 3, 4);     /* arch/s390/include/asm/debug.h */
1223 	printf_hook(prom_printf, 1, 2);                   /* arch/sparc/include/asm/oplib_32.h */
1224 
1225 	printf_hook(fail, 1, 2);                          /* arch/x86/vdso/vdso2c.c */
1226 #endif
1227 
1228 	printf_hook(_ldm_printk, 3, 4);                   /* block/partitions/ldm.c */
1229 	printf_hook(rbd_warn, 2, 3);                      /* drivers/block/rbd.c */
1230 	printf_hook(fw_err, 2, 3);                        /* drivers/firewire/core.h */
1231 	printf_hook(fw_notice, 2, 3);                     /* drivers/firewire/core.h */
1232 	printf_hook(i915_error_printf, 2, 3);             /* drivers/gpu/drm/i915/i915_drv.h */
1233 	printf_hook(i915_handle_error, 3, 4);             /* drivers/gpu/drm/i915/i915_drv.h */
1234 	printf_hook(nv_printk_, 3, 4);                    /* drivers/gpu/drm/nouveau/core/include/core/printk.h */
1235 	printf_hook(host1x_debug_output, 2, 3);           /* drivers/gpu/host1x/debug.h */
1236 	printf_hook(callc_debug, 2, 3);                   /* drivers/isdn/hisax/callc.c */
1237 	printf_hook(link_debug, 3, 4);                    /* drivers/isdn/hisax/callc.c */
1238 	printf_hook(HiSax_putstatus, 3, 4);               /* drivers/isdn/hisax/hisax.h */
1239 	printf_hook(VHiSax_putstatus, 3, 0);              /* drivers/isdn/hisax/hisax.h */
1240 	printf_hook(debugl1, 2, 3);                       /* drivers/isdn/hisax/isdnl1.h */
1241 	printf_hook(l3m_debug, 2, 3);                     /* drivers/isdn/hisax/isdnl3.c */
1242 	printf_hook(dout_debug, 2, 3);                    /* drivers/isdn/hisax/st5481_d.c */
1243 	printf_hook(l1m_debug, 2, 3);                     /* drivers/isdn/hisax/st5481_d.c */
1244 	printf_hook(bch_cache_set_error, 2, 3);           /* drivers/md/bcache/bcache.h */
1245 	printf_hook(_tda_printk, 4, 5);                   /* drivers/media/tuners/tda18271-priv.h */
1246 	printf_hook(i40evf_debug_d, 3, 4);                /* drivers/net/ethernet/intel/i40evf/i40e_osdep.h */
1247 	printf_hook(en_print, 3, 4);                      /* drivers/net/ethernet/mellanox/mlx4/mlx4_en.h */
1248 	printf_hook(_ath_dbg, 3, 4);                      /* drivers/net/wireless/ath/ath.h */
1249 	printf_hook(ath_printk, 3, 4);                    /* drivers/net/wireless/ath/ath.h */
1250 	printf_hook(ath10k_dbg, 3, 4);                    /* drivers/net/wireless/ath/ath10k/debug.h */
1251 	printf_hook(ath10k_err, 2, 3);                    /* drivers/net/wireless/ath/ath10k/debug.h */
1252 	printf_hook(ath10k_info, 2, 3);                   /* drivers/net/wireless/ath/ath10k/debug.h */
1253 	printf_hook(ath10k_warn, 2, 3);                   /* drivers/net/wireless/ath/ath10k/debug.h */
1254 	printf_hook(_ath5k_printk, 3, 4);                 /* drivers/net/wireless/ath/ath5k/ath5k.h */
1255 	printf_hook(ATH5K_DBG, 3, 4);                     /* drivers/net/wireless/ath/ath5k/debug.h */
1256 	printf_hook(ATH5K_DBG_UNLIMIT, 3, 4);             /* drivers/net/wireless/ath/ath5k/debug.h */
1257 	printf_hook(ath6kl_printk, 2, 3);                 /* drivers/net/wireless/ath/ath6kl/common.h */
1258 	printf_hook(ath6kl_err, 1, 2);                    /* drivers/net/wireless/ath/ath6kl/debug.h */
1259 	printf_hook(ath6kl_info, 1, 2);                   /* drivers/net/wireless/ath/ath6kl/debug.h */
1260 	printf_hook(ath6kl_warn, 1, 2);                   /* drivers/net/wireless/ath/ath6kl/debug.h */
1261 	printf_hook(wil_dbg_trace, 2, 3);                 /* drivers/net/wireless/ath/wil6210/wil6210.h */
1262 	printf_hook(wil_err, 2, 3);                       /* drivers/net/wireless/ath/wil6210/wil6210.h */
1263 	printf_hook(wil_err_ratelimited, 2, 3);           /* drivers/net/wireless/ath/wil6210/wil6210.h */
1264 	printf_hook(wil_info, 2, 3);                      /* drivers/net/wireless/ath/wil6210/wil6210.h */
1265 	printf_hook(b43dbg, 2, 3);                        /* drivers/net/wireless/b43/b43.h */
1266 	printf_hook(b43err, 2, 3);                        /* drivers/net/wireless/b43/b43.h */
1267 	printf_hook(b43info, 2, 3);                       /* drivers/net/wireless/b43/b43.h */
1268 	printf_hook(b43warn, 2, 3);                       /* drivers/net/wireless/b43/b43.h */
1269 	printf_hook(b43legacydbg, 2, 3);                  /* drivers/net/wireless/b43legacy/b43legacy.h */
1270 	printf_hook(b43legacyerr, 2, 3);                  /* drivers/net/wireless/b43legacy/b43legacy.h */
1271 	printf_hook(b43legacyinfo, 2, 3);                 /* drivers/net/wireless/b43legacy/b43legacy.h */
1272 	printf_hook(b43legacywarn, 2, 3);                 /* drivers/net/wireless/b43legacy/b43legacy.h */
1273 	printf_hook(__brcmf_dbg, 3, 4);                   /* drivers/net/wireless/brcm80211/brcmfmac/debug.h */
1274 	printf_hook(__brcmf_err, 2, 3);                   /* drivers/net/wireless/brcm80211/brcmfmac/debug.h */
1275 	printf_hook(__brcms_crit, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1276 	printf_hook(__brcms_dbg, 4, 5);                   /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1277 	printf_hook(__brcms_err, 2, 3);                   /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1278 	printf_hook(__brcms_info, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1279 	printf_hook(__brcms_warn, 2, 3);                  /* drivers/net/wireless/brcm80211/brcmsmac/debug.h */
1280 	printf_hook(brcmu_dbg_hex_dump, 3, 4);            /* drivers/net/wireless/brcm80211/include/brcmu_utils.h */
1281 	printf_hook(__iwl_crit, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1282 	printf_hook(__iwl_dbg, 5, 6);                     /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1283 	printf_hook(__iwl_err, 4, 5);                     /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1284 	printf_hook(__iwl_info, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1285 	printf_hook(__iwl_warn, 2, 3);                    /* drivers/net/wireless/iwlwifi/iwl-debug.h */
1286 	printf_hook(rsi_dbg, 2, 3);                       /* drivers/net/wireless/rsi/rsi_main.h */
1287 	printf_hook(RTPRINT, 4, 5);                       /* drivers/net/wireless/rtlwifi/debug.h */
1288 	printf_hook(RT_ASSERT, 2, 3);                     /* drivers/net/wireless/rtlwifi/debug.h */
1289 	printf_hook(RT_TRACE, 4, 5);                      /* drivers/net/wireless/rtlwifi/debug.h */
1290 	printf_hook(__of_node_dup, 2, 3);                 /* drivers/of/of_private.h */
1291 	printf_hook(BNX2FC_HBA_DBG, 2, 3);                /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1292 	printf_hook(BNX2FC_IO_DBG, 2, 3);                 /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1293 	printf_hook(BNX2FC_TGT_DBG, 2, 3);                /* drivers/scsi/bnx2fc/bnx2fc_debug.h */
1294 	printf_hook(ql_dbg, 4, 5);                        /* drivers/scsi/qla2xxx/qla_dbg.h */
1295 	printf_hook(ql_dbg_pci, 4, 5);                    /* drivers/scsi/qla2xxx/qla_dbg.h */
1296 	printf_hook(ql_log, 4, 5);                        /* drivers/scsi/qla2xxx/qla_dbg.h */
1297 	printf_hook(ql_log_pci, 4, 5);                    /* drivers/scsi/qla2xxx/qla_dbg.h */
1298 	printf_hook(libcfs_debug_msg, 2, 3);              /* drivers/staging/lustre/include/linux/libcfs/libcfs_debug.h */
1299 	printf_hook(libcfs_debug_vmsg2, 4, 5);            /* drivers/staging/lustre/include/linux/libcfs/libcfs_debug.h */
1300 	printf_hook(_ldlm_lock_debug, 3, 4);              /* drivers/staging/lustre/lustre/include/lustre_dlm.h */
1301 	printf_hook(_debug_req, 3, 4);                    /* drivers/staging/lustre/lustre/include/lustre_net.h */
1302 	printf_hook(iscsi_change_param_sprintf, 2, 3);    /* drivers/target/iscsi/iscsi_target_login.c */
1303 	printf_hook(dbg, 1, 2);                           /* drivers/tty/serial/samsung.c */
1304 	printf_hook(_usb_stor_dbg, 2, 3);                 /* drivers/usb/storage/debug.h */
1305 	printf_hook(usb_stor_dbg, 2, 3);                  /* drivers/usb/storage/debug.h */
1306 	printf_hook(vringh_bad, 1, 2);                    /* drivers/vhost/vringh.c */
1307 	printf_hook(__adfs_error, 3, 4);                  /* fs/adfs/adfs.h */
1308 	printf_hook(affs_error, 3, 4);                    /* fs/affs/affs.h */
1309 	printf_hook(affs_warning, 3, 4);                  /* fs/affs/affs.h */
1310 	printf_hook(befs_debug, 2, 3);                    /* fs/befs/befs.h */
1311 	printf_hook(befs_error, 2, 3);                    /* fs/befs/befs.h */
1312 	printf_hook(befs_warning, 2, 3);                  /* fs/befs/befs.h */
1313 	printf_hook(__btrfs_panic, 5, 6);                 /* fs/btrfs/ctree.h */
1314 	printf_hook(__btrfs_std_error, 5, 6);             /* fs/btrfs/ctree.h */
1315 	printf_hook(btrfs_printk, 2, 3);                  /* fs/btrfs/ctree.h */
1316 	printf_hook(cifs_vfs_err, 1, 2);                  /* fs/cifs/cifs_debug.h */
1317 	printf_hook(__ecryptfs_printk, 1, 2);             /* fs/ecryptfs/ecryptfs_kernel.h */
1318 	printf_hook(ext2_error, 3, 4);                    /* fs/ext2/ext2.h */
1319 	printf_hook(ext2_msg, 3, 4);                      /* fs/ext2/ext2.h */
1320 	printf_hook(ext3_abort, 3, 4);                    /* fs/ext3/ext3.h */
1321 	printf_hook(ext3_error, 3, 4);                    /* fs/ext3/ext3.h */
1322 	printf_hook(ext3_msg, 3, 4);                      /* fs/ext3/ext3.h */
1323 	printf_hook(ext3_warning, 3, 4);                  /* fs/ext3/ext3.h */
1324 	printf_hook(__ext4_abort, 4, 5);                  /* fs/ext4/ext4.h */
1325 	printf_hook(__ext4_error, 4, 5);                  /* fs/ext4/ext4.h */
1326 	printf_hook(__ext4_error_file, 5, 6);             /* fs/ext4/ext4.h */
1327 	printf_hook(__ext4_error_inode, 5, 6);            /* fs/ext4/ext4.h */
1328 	printf_hook(__ext4_grp_locked_error, 7, 8);       /* fs/ext4/ext4.h */
1329 	printf_hook(__ext4_msg, 3, 4);                    /* fs/ext4/ext4.h */
1330 	printf_hook(__ext4_warning, 4, 5);                /* fs/ext4/ext4.h */
1331 	printf_hook(f2fs_msg, 3, 4);                      /* fs/f2fs/f2fs.h */
1332 	printf_hook(__fat_fs_error, 3, 4);                /* fs/fat/fat.h */
1333 	printf_hook(fat_msg, 3, 4);                       /* fs/fat/fat.h */
1334 	printf_hook(gfs2_print_dbg, 2, 3);                /* fs/gfs2/glock.h */
1335 	printf_hook(gfs2_lm_withdraw, 2, 3);              /* fs/gfs2/util.h */
1336 	printf_hook(hpfs_error, 2, 3);                    /* fs/hpfs/hpfs_fn.h */
1337 	printf_hook(jfs_error, 2, 3);                     /* fs/jfs/jfs_superblock.h */
1338 	printf_hook(nilfs_error, 3, 4);                   /* fs/nilfs2/nilfs.h */
1339 	printf_hook(nilfs_warning, 3, 4);                 /* fs/nilfs2/nilfs.h */
1340 	printf_hook(__ntfs_debug, 4, 5);                  /* fs/ntfs/debug.h */
1341 	printf_hook(__ntfs_error, 3, 4);                  /* fs/ntfs/debug.h */
1342 	printf_hook(__ntfs_warning, 3, 4);                /* fs/ntfs/debug.h */
1343 	printf_hook(__ocfs2_abort, 3, 4);                 /* fs/ocfs2/super.h */
1344 	printf_hook(__ocfs2_error, 3, 4);                 /* fs/ocfs2/super.h */
1345 	printf_hook(_udf_err, 3, 4);                      /* fs/udf/udfdecl.h */
1346 	printf_hook(_udf_warn, 3, 4);                     /* fs/udf/udfdecl.h */
1347 	printf_hook(ufs_error, 3, 4);                     /* fs/ufs/ufs.h */
1348 	printf_hook(ufs_panic, 3, 4);                     /* fs/ufs/ufs.h */
1349 	printf_hook(ufs_warning, 3, 4);                   /* fs/ufs/ufs.h */
1350 	printf_hook(xfs_alert, 2, 3);                     /* fs/xfs/xfs_message.h */
1351 	printf_hook(xfs_alert_tag, 3, 4);                 /* fs/xfs/xfs_message.h */
1352 	printf_hook(xfs_crit, 2, 3);                      /* fs/xfs/xfs_message.h */
1353 	printf_hook(xfs_debug, 2, 3);                     /* fs/xfs/xfs_message.h */
1354 	printf_hook(xfs_emerg, 2, 3);                     /* fs/xfs/xfs_message.h */
1355 	printf_hook(xfs_err, 2, 3);                       /* fs/xfs/xfs_message.h */
1356 	printf_hook(xfs_info, 2, 3);                      /* fs/xfs/xfs_message.h */
1357 	printf_hook(xfs_notice, 2, 3);                    /* fs/xfs/xfs_message.h */
1358 	printf_hook(xfs_warn, 2, 3);                      /* fs/xfs/xfs_message.h */
1359 	printf_hook(warn_slowpath_fmt, 3, 4);             /* include/asm-generic/bug.h */
1360 	printf_hook(warn_slowpath_fmt_taint, 4, 5);       /* include/asm-generic/bug.h */
1361 	printf_hook(drm_err, 1, 2);                       /* include/drm/drmP.h */
1362 	printf_hook(drm_ut_debug_printk, 2, 3);           /* include/drm/drmP.h */
1363 	printf_hook(__acpi_handle_debug, 3, 4);           /* include/linux/acpi.h */
1364 	printf_hook(acpi_handle_printk, 3, 4);            /* include/linux/acpi.h */
1365 	printf_hook(audit_log, 4, 5);                     /* include/linux/audit.h */
1366 	printf_hook(audit_log_format, 2, 3);              /* include/linux/audit.h */
1367 	printf_hook(bdi_register, 3, 4);                  /* include/linux/backing-dev.h */
1368 	printf_hook(__trace_note_message, 2, 3);          /* include/linux/blktrace_api.h */
1369 	printf_hook(_dev_info, 2, 3);                     /* include/linux/device.h */
1370 	printf_hook(dev_alert, 2, 3);                     /* include/linux/device.h */
1371 	printf_hook(dev_crit, 2, 3);                      /* include/linux/device.h */
1372 	printf_hook(dev_emerg, 2, 3);                     /* include/linux/device.h */
1373 	printf_hook(dev_err, 2, 3);                       /* include/linux/device.h */
1374 	printf_hook(dev_notice, 2, 3);                    /* include/linux/device.h */
1375 	printf_hook(dev_printk, 3, 4);                    /* include/linux/device.h */
1376 	printf_hook(dev_printk_emit, 3, 4);               /* include/linux/device.h */
1377 	printf_hook(dev_set_name, 2, 3);                  /* include/linux/device.h */
1378 	printf_hook(dev_vprintk_emit, 3, 0);              /* include/linux/device.h */
1379 	printf_hook(dev_warn, 2, 3);                      /* include/linux/device.h */
1380 	printf_hook(device_create, 5, 6);                 /* include/linux/device.h */
1381 	printf_hook(device_create_with_groups, 6, 7);     /* include/linux/device.h */
1382 	printf_hook(devm_kasprintf, 3, 4);                /* include/linux/device.h */
1383 	printf_hook(__dynamic_dev_dbg, 3, 4);             /* include/linux/dynamic_debug.h */
1384 	printf_hook(__dynamic_netdev_dbg, 3, 4);          /* include/linux/dynamic_debug.h */
1385 	printf_hook(__dynamic_pr_debug, 2, 3);            /* include/linux/dynamic_debug.h */
1386 	printf_hook(__simple_attr_check_format, 1, 2);    /* include/linux/fs.h */
1387 	printf_hook(fscache_init_cache, 3, 4);            /* include/linux/fscache-cache.h */
1388 	printf_hook(gameport_set_phys, 2, 3);             /* include/linux/gameport.h */
1389 	printf_hook(iio_trigger_alloc, 1, 2);             /* include/linux/iio/trigger.h */
1390 	printf_hook(__check_printsym_format, 1, 2);       /* include/linux/kallsyms.h */
1391 	printf_hook(kdb_printf, 1, 2);                    /* include/linux/kdb.h */
1392 	printf_hook(vkdb_printf, 1, 0);                   /* include/linux/kdb.h */
1393 	printf_hook(____trace_printk_check_format, 1, 2);  /* include/linux/kernel.h */
1394 	printf_hook(__trace_bprintk, 2, 3);               /* include/linux/kernel.h */
1395 	printf_hook(__trace_printk, 2, 3);                /* include/linux/kernel.h */
1396 	printf_hook(kasprintf, 2, 3);                     /* include/linux/kernel.h */
1397 	printf_hook(panic, 1, 2);                         /* include/linux/kernel.h */
1398 	printf_hook(scnprintf, 3, 4);                     /* include/linux/kernel.h */
1399 	printf_hook(snprintf, 3, 4);                      /* include/linux/kernel.h */
1400 	printf_hook(sprintf, 2, 3);                       /* include/linux/kernel.h */
1401 	printf_hook(trace_printk, 1, 2);                  /* include/linux/kernel.h */
1402 	printf_hook(vscnprintf, 3, 0);                    /* include/linux/kernel.h */
1403 	printf_hook(vsnprintf, 3, 0);                     /* include/linux/kernel.h */
1404 	printf_hook(vsprintf, 2, 0);                      /* include/linux/kernel.h */
1405 	printf_hook(vmcoreinfo_append_str, 1, 2);         /* include/linux/kexec.h */
1406 	printf_hook(__request_module, 2, 3);              /* include/linux/kmod.h */
1407 	printf_hook(add_uevent_var, 2, 3);                /* include/linux/kobject.h */
1408 	printf_hook(kobject_add, 3, 4);                   /* include/linux/kobject.h */
1409 	printf_hook(kobject_init_and_add, 4, 5);          /* include/linux/kobject.h */
1410 	printf_hook(kobject_set_name, 2, 3);              /* include/linux/kobject.h */
1411 	printf_hook(kthread_create_on_node, 4, 5);        /* include/linux/kthread.h */
1412 	printf_hook(__ata_ehi_push_desc, 2, 3);           /* include/linux/libata.h */
1413 	printf_hook(ata_dev_printk, 3, 4);                /* include/linux/libata.h */
1414 	printf_hook(ata_ehi_push_desc, 2, 3);             /* include/linux/libata.h */
1415 	printf_hook(ata_link_printk, 3, 4);               /* include/linux/libata.h */
1416 	printf_hook(ata_port_desc, 2, 3);                 /* include/linux/libata.h */
1417 	printf_hook(ata_port_printk, 3, 4);               /* include/linux/libata.h */
1418 	printf_hook(warn_alloc_failed, 3, 4);             /* include/linux/mm.h */
1419 	printf_hook(mmiotrace_printk, 1, 2);              /* include/linux/mmiotrace.h */
1420 	printf_hook(netdev_alert, 2, 3);                  /* include/linux/netdevice.h */
1421 	printf_hook(netdev_crit, 2, 3);                   /* include/linux/netdevice.h */
1422 	printf_hook(netdev_emerg, 2, 3);                  /* include/linux/netdevice.h */
1423 	printf_hook(netdev_err, 2, 3);                    /* include/linux/netdevice.h */
1424 	printf_hook(netdev_info, 2, 3);                   /* include/linux/netdevice.h */
1425 	printf_hook(netdev_notice, 2, 3);                 /* include/linux/netdevice.h */
1426 	printf_hook(netdev_printk, 3, 4);                 /* include/linux/netdevice.h */
1427 	printf_hook(netdev_warn, 2, 3);                   /* include/linux/netdevice.h */
1428 	printf_hook(early_printk, 1, 2);                  /* include/linux/printk.h */
1429 	printf_hook(no_printk, 1, 2);                     /* include/linux/printk.h */
1430 	printf_hook(printk, 1, 2);                        /* include/linux/printk.h */
1431 	printf_hook(printk_deferred, 1, 2);               /* include/linux/printk.h */
1432 	printf_hook(printk_emit, 5, 6);                   /* include/linux/printk.h */
1433 	printf_hook(vprintk, 1, 0);                       /* include/linux/printk.h */
1434 	printf_hook(vprintk_emit, 5, 0);                  /* include/linux/printk.h */
1435 	printf_hook(__quota_error, 3, 4);                 /* include/linux/quotaops.h */
1436 	printf_hook(seq_buf_printf, 2, 3);                /* include/linux/seq_buf.h */
1437 	printf_hook(seq_buf_vprintf, 2, 0);               /* include/linux/seq_buf.h */
1438 	printf_hook(seq_printf, 2, 3);                    /* include/linux/seq_file.h */
1439 	printf_hook(seq_vprintf, 2, 0);                   /* include/linux/seq_file.h */
1440 	printf_hook(bprintf, 3, 4);                       /* include/linux/string.h */
1441 	printf_hook(trace_seq_printf, 2, 3);              /* include/linux/trace_seq.h */
1442 	printf_hook(trace_seq_vprintf, 2, 0);             /* include/linux/trace_seq.h */
1443 	printf_hook(__alloc_workqueue_key, 1, 6);         /* include/linux/workqueue.h */
1444 	printf_hook(set_worker_desc, 1, 2);               /* include/linux/workqueue.h */
1445 	printf_hook(_p9_debug, 3, 4);                     /* include/net/9p/9p.h */
1446 	printf_hook(bt_err, 1, 2);                        /* include/net/bluetooth/bluetooth.h */
1447 	printf_hook(bt_info, 1, 2);                       /* include/net/bluetooth/bluetooth.h */
1448 	printf_hook(nf_ct_helper_log, 3, 4);              /* include/net/netfilter/nf_conntrack_helper.h */
1449 	printf_hook(nf_log_buf_add, 2, 3);                /* include/net/netfilter/nf_log.h */
1450 	printf_hook(nf_log_packet, 8, 9);                 /* include/net/netfilter/nf_log.h */
1451 	printf_hook(SOCK_DEBUG, 2, 3);                    /* include/net/sock.h */
1452 	printf_hook(__snd_printk, 4, 5);                  /* include/sound/core.h */
1453 	printf_hook(_snd_printd, 2, 3);                   /* include/sound/core.h */
1454 	printf_hook(snd_printd, 1, 2);                    /* include/sound/core.h */
1455 	printf_hook(snd_printdd, 1, 2);                   /* include/sound/core.h */
1456 	printf_hook(snd_iprintf, 2, 3);                   /* include/sound/info.h */
1457 	printf_hook(snd_seq_create_kernel_client, 3, 4);  /* include/sound/seq_kernel.h */
1458 	printf_hook(xen_raw_printk, 1, 2);                /* include/xen/hvc-console.h */
1459 	printf_hook(xenbus_dev_error, 3, 4);              /* include/xen/xenbus.h */
1460 	printf_hook(xenbus_dev_fatal, 3, 4);              /* include/xen/xenbus.h */
1461 	printf_hook(xenbus_printf, 4, 5);                 /* include/xen/xenbus.h */
1462 	printf_hook(xenbus_watch_pathfmt, 4, 5);          /* include/xen/xenbus.h */
1463 	printf_hook(batadv_fdebug_log, 2, 3);             /* net/batman-adv/debugfs.c */
1464 	printf_hook(_batadv_dbg, 4, 5);                   /* net/batman-adv/main.h */
1465 	printf_hook(batadv_debug_log, 2, 3);              /* net/batman-adv/main.h */
1466 	printf_hook(__sdata_dbg, 2, 3);                   /* net/mac80211/debug.h */
1467 	printf_hook(__sdata_err, 1, 2);                   /* net/mac80211/debug.h */
1468 	printf_hook(__sdata_info, 1, 2);                  /* net/mac80211/debug.h */
1469 	printf_hook(__wiphy_dbg, 3, 4);                   /* net/mac80211/debug.h */
1470 	printf_hook(mac80211_format_buffer, 4, 5);        /* net/mac80211/debugfs.h */
1471 	printf_hook(__rds_conn_error, 2, 3);              /* net/rds/rds.h */
1472 	printf_hook(rdsdebug, 1, 2);                      /* net/rds/rds.h */
1473 	printf_hook(printl, 1, 2);                        /* net/sctp/probe.c */
1474 	printf_hook(svc_printk, 2, 3);                    /* net/sunrpc/svc.c */
1475 	printf_hook(tomoyo_io_printf, 2, 3);              /* security/tomoyo/common.c */
1476 	printf_hook(tomoyo_supervisor, 2, 3);             /* security/tomoyo/common.h */
1477 	printf_hook(tomoyo_write_log, 2, 3);              /* security/tomoyo/common.h */
1478 	printf_hook(cmp_error, 2, 3);                     /* sound/firewire/cmp.c */
1479 }
1480