Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,


Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel 
found with Coverity Scan.

Defect(s) Reported-by: Coverity Scan
Showing 20 of 20 defect(s)


** CID 140077:  Missing break in switch  (MISSING_BREAK)
/sys/dev/pci/ixgbe/ixgbe_82599.c: 1680 in ixgbe_fdir_add_perfect_filter_82599()

** CID 141398:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/pci/ixgbe/ixgbe_common.c: 2183 in ixgbe_fc_autoneg_fiber()

** CID 744275:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe_phy.c: 1452 in ixgbe_write_i2c_byte_generic()

** CID 1008347:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 4652 in ixgbe_rxeof()

** CID 1008348:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 1381 in ixgbe_enable_queue()

** CID 1008349:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 1401 in ixgbe_disable_queue()

** CID 1203186:  Unchecked return value  (CHECKED_RETURN)
/sys/dev/pci/ixgbe/ixgbe.c: 5023 in ixgbe_handle_link()

** CID 1203187:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 4019 in ixgbe_setup_receive_ring()

** CID 1203188:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 4790 in ixgbe_setup_vlan_hw_support()

** CID 1203189:  Null pointer dereference  (FORWARD_NULL)
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()

** CID 1203190:  Dereference after null check  (FORWARD_NULL)
/sys/ufs/lfs/lfs_syscalls.c: 757 in lfs_bmapv()

** CID 1203191:  Out-of-bounds read  (OVERRUN)
/sys/arch/x86/acpi/acpi_cpu_md.c: 1153 in acpicpu_md_pstate_sysctl_all()

** CID 1203192:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/aic79xx.c: 8611 in ahd_print_register()

** CID 1203193:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/aic7xxx.c: 6561 in ahc_print_register()

** CID 1203194:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/mpt_debug.c: 204 in mpt_ioc_diag()

** CID 1203195:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/mpt_debug.c: 251 in mpt_scsi_state()

** CID 1203196:  Out-of-bounds access  (OVERRUN)
/sys/kern/uipc_domain.c: 432 in sysctl_dounpcb()

** CID 1203197:  Dereference before null check  (REVERSE_INULL)
/sys/dev/ic/mpt_netbsd.c: 522 in mpt_done()
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()

** CID 1203198:  Uninitialized scalar variable  (UNINIT)
/sys/dev/pci/ixgbe/ixgbe.c: 2731 in ixgbe_config_link()

** CID 1203199:  Uninitialized scalar variable  (UNINIT)
/sys/dev/pci/ixgbe/ixgbe.c: 5071 in ixgbe_handle_msf()


________________________________________________________________________________________________________
*** CID 140077:  Missing break in switch  (MISSING_BREAK)
/sys/dev/pci/ixgbe/ixgbe_82599.c: 1680 in ixgbe_fdir_add_perfect_filter_82599()
1674             * if there's a configuration issue
1675             */
1676            switch (input->formatted.flow_type) {
1677            case IXGBE_ATR_FLOW_TYPE_IPV4:
1678                    /* use the L4 protocol mask for raw IPv4/IPv6 traffic */
1679                    fdirm |= IXGBE_FDIRM_L4P;
>>>     CID 140077:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
Reviewer note: the fall-through from IXGBE_ATR_FLOW_TYPE_IPV4 into the SCTPV4 case looks intentional (raw IPv4 sets the L4 protocol mask and must then also be rejected when a src/dst port mask is present), but that intent is not recorded anywhere, and the SCTPV4 case in turn drops into TCPV4 at line 1685 with no break either. Add a `/* FALLTHROUGH */` marker before line 1680 and before line 1685 so the next reader (and the analyzer) can tell a deliberate fall-through from a missing break.
1680            case IXGBE_ATR_FLOW_TYPE_SCTPV4:
1681                    if (input_masks->dst_port_mask || 
input_masks->src_port_mask) {
1682                            DEBUGOUT(" Error on src/dst port mask\n");
1683                            return IXGBE_ERR_CONFIG;
1684                    }
1685            case IXGBE_ATR_FLOW_TYPE_TCPV4:

________________________________________________________________________________________________________
*** CID 141398:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/pci/ixgbe/ixgbe_common.c: 2183 in ixgbe_fc_autoneg_fiber()
2177             * On multispeed fiber at 1g, bail out if
2178             * - link is up but AN did not complete, or if
2179             * - link is up and AN completed but timed out
2180             */
2181     
2182            linkstat = IXGBE_READ_REG(hw, IXGBE_PCS1GLSTA);
>>>     CID 141398:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
>>>     "(linkstat & 262144) == 1" is always false regardless of the values of 
>>> its operands. This occurs as the logical second operand of '||'.
Reviewer note: IXGBE_PCS1GLSTA_AN_TIMED_OUT is a single bit (262144 = 1 << 18), so the masked value is either 0 or 262144 and never 1; the "AN completed but timed out" bail-out is therefore never taken and flow-control negotiation continues on a link whose autoneg timed out. Compare the masked value against zero instead, e.g. `((linkstat & IXGBE_PCS1GLSTA_AN_TIMED_OUT) != 0)`, on line 2184.
2183            if (((linkstat & IXGBE_PCS1GLSTA_AN_COMPLETE) == 0) ||
2184                ((linkstat & IXGBE_PCS1GLSTA_AN_TIMED_OUT) == 1)) {
2185                    ret_val = IXGBE_ERR_FC_NOT_NEGOTIATED;
2186                    goto out;
2187            }
2188     

________________________________________________________________________________________________________
*** CID 744275:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe_phy.c: 1452 in ixgbe_write_i2c_byte_generic()
1446                    break;
1447     
1448     fail:
1449                    ixgbe_i2c_bus_clear(hw);
1450                    retry++;
1451                    if (retry < max_retry)
>>>     CID 744275:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "do {
}
while (0);".
Reviewer note: the "do { } while (0)" the analyzer quotes is evidently what DEBUGOUT expands to in this build (debug output compiled out), so the statement is dead only under this configuration; this is a build-configuration artifact, not a driver defect. If the retry/failure message is wanted in production kernels it needs a non-debug logging call, otherwise mark the CID as intentional.
1452                            DEBUGOUT("I2C byte write error - Retrying.\n");
1453                    else
1454                            DEBUGOUT("I2C byte write error.\n");
1455            } while (retry < max_retry);
1456     
1457            ixgbe_release_swfw_sync(hw, swfw_mask);

________________________________________________________________________________________________________
*** CID 1008347:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 4652 in ixgbe_rxeof()
4646     
4647            /*
4648            ** We still have cleaning to do?
4649            ** Schedule another interrupt if so.
4650            */
4651            if ((staterr & IXGBE_RXD_STAT_DD) != 0) {
>>>     CID 1008347:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1 << que->msix" with type "int" (32 
>>> bits, signed) is evaluated using 32-bit arithmetic  before being used in a 
>>> context which expects an expression of type "u64" (64 bits, unsigned).  To 
>>> avoid overflow, cast the left operand to "u64" before performing the left 
>>> shift.
Reviewer note: the cast on line 4652 is applied after the shift, so the shift is still done in 32-bit signed int; for a vector number of 31 the result is typically INT_MIN, which sign-extends to 0xffffffff80000000 as a u64, and for 32 or more the shift is undefined behaviour — either way the wrong queue bits are re-armed. Shift a 64-bit constant instead: `ixgbe_rearm_queues(adapter, (u64)1 << que->msix);`.
4652                    ixgbe_rearm_queues(adapter, (u64)(1 << que->msix));
4653                    return true;
4654            }
4655     
4656            return false;
4657     }

________________________________________________________________________________________________________
*** CID 1008348:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 1381 in ixgbe_enable_queue()
1375     */
1376     
1377     static inline void
1378     ixgbe_enable_queue(struct adapter *adapter, u32 vector)
1379     {
1380            struct ixgbe_hw *hw = &adapter->hw;
>>>     CID 1008348:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1 << vector" with type "int" (32 
>>> bits, signed) is evaluated using 32-bit arithmetic  before being used in a 
>>> context which expects an expression of type "u64" (64 bits, unsigned).  To 
>>> avoid overflow, cast the left operand to "u64" before performing the left 
>>> shift.
Reviewer note: same bug as CID 1008347 — the u64 cast comes too late to help; with vector >= 31 the 32-bit shift overflows (undefined behaviour at 32 and above) and the resulting queue mask, including the upper 32 bits used for non-82598 parts, is wrong. Use `u64 queue = (u64)1 << vector;` on line 1381.
1381            u64     queue = (u64)(1 << vector);
1382            u32     mask;
1383     
1384            if (hw->mac.type == ixgbe_mac_82598EB) {
1385                     mask = (IXGBE_EIMS_RTX_QUEUE & queue);
1386                     IXGBE_WRITE_REG(hw, IXGBE_EIMS, mask);

________________________________________________________________________________________________________
*** CID 1008349:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/ixgbe/ixgbe.c: 1401 in ixgbe_disable_queue()
1395     }
1396     
1397     __unused static inline void
1398     ixgbe_disable_queue(struct adapter *adapter, u32 vector)
1399     {
1400            struct ixgbe_hw *hw = &adapter->hw;
>>>     CID 1008349:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1 << vector" with type "int" (32 
>>> bits, signed) is evaluated using 32-bit arithmetic  before being used in a 
>>> context which expects an expression of type "u64" (64 bits, unsigned).  To 
>>> avoid overflow, cast the left operand to "u64" before performing the left 
>>> shift.
Reviewer note: identical to CID 1008348, in the disable path — `u64 queue = (u64)1 << vector;` on line 1401. Since this function writes the interrupt mask-clear register, an overflowed mask here can leave the wrong queue's interrupt enabled or disable a different one.
1401            u64     queue = (u64)(1 << vector);
1402            u32     mask;
1403     
1404            if (hw->mac.type == ixgbe_mac_82598EB) {
1405                     mask = (IXGBE_EIMS_RTX_QUEUE & queue);
1406                     IXGBE_WRITE_REG(hw, IXGBE_EIMC, mask);

________________________________________________________________________________________________________
*** CID 1203186:  Unchecked return value  (CHECKED_RETURN)
/sys/dev/pci/ixgbe/ixgbe.c: 5023 in ixgbe_handle_link()
5017     */
5018     static void
5019     ixgbe_handle_link(void *context)
5020     {
5021            struct adapter  *adapter = context;
5022     
>>>     CID 1203186:  Unchecked return value  (CHECKED_RETURN)
>>>     No check of the return value of "ixgbe_check_link(&adapter->hw, 
>>> &adapter->link_speed, &adapter->link_up, false)".
                /*
                 * Reviewer note: the result of ixgbe_check_link() is dropped,
                 * so if the probe fails adapter->link_speed / link_up may be
                 * whatever the callee left there before the status update
                 * below reads them.  The extra indentation on the next line
                 * suggests the update was once meant to be conditional on
                 * that result.  Either test the return value and skip the
                 * update on error, or record here why a failed probe is
                 * acceptable, and fix the indentation so it matches intent.
                 */
5023            ixgbe_check_link(&adapter->hw,
5024                &adapter->link_speed, &adapter->link_up, 0);
5025                    ixgbe_update_link_status(adapter);
5026     }
5027     
5028     /*

________________________________________________________________________________________________________
*** CID 1203187:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 4019 in ixgbe_setup_receive_ring()
4013            ** 82598 uses software LRO, the
4014            ** 82599 uses a hardware assist.
4015            */
4016            if ((adapter->hw.mac.type != ixgbe_mac_82598EB) &&
4017                (ifp->if_capenable & IFCAP_RXCSUM) &&
4018                (ifp->if_capenable & IFCAP_LRO))
>>>     CID 1203187:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "ixgbe_setup_hw_rsc(rxr);".
Reviewer note: for this call to be unreachable the analyzer must treat `ifp->if_capenable & IFCAP_LRO` as constant-false, which suggests IFCAP_LRO is defined as 0 or can never be enabled on this port; the practical effect is that hardware RSC is never configured on 82599 parts. Confirm how IFCAP_LRO is defined in this tree before either removing the branch or wiring the capability up — it is a functionality gap, not a memory-safety issue.
4019                    ixgbe_setup_hw_rsc(rxr);
4020     #ifdef LRO
4021            else if (ifp->if_capenable & IFCAP_LRO) {
4022                    device_t dev = adapter->dev;
4023                    int err = tcp_lro_init(lro);
4024                    if (err) {

________________________________________________________________________________________________________
*** CID 1203188:  Logically dead code  (DEADCODE)
/sys/dev/pci/ixgbe/ixgbe.c: 4790 in ixgbe_setup_vlan_hw_support()
4784                            IXGBE_WRITE_REG(hw, IXGBE_VFTA(i),
4785                                adapter->shadow_vfta[i]);
4786     
4787            ctrl = IXGBE_READ_REG(hw, IXGBE_VLNCTRL);
4788            /* Enable the Filter Table if enabled */
4789            if (ec->ec_capenable & ETHERCAP_VLAN_HWFILTER) {
>>>     CID 1203188:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "ctrl &= 0xdfffffffU;".
Reviewer note: the analyzer believes `ec->ec_capenable & ETHERCAP_VLAN_HWFILTER` can never be non-zero, so the VLAN filter table enable (VFE) is never set and VLAN filtering is left entirely to the stack. Check whether ETHERCAP_VLAN_HWFILTER is actually settable on this interface; if it is not, this is dead but harmless, and if it is, the analyzer is missing the setter and the finding is a false positive.
4790                    ctrl &= ~IXGBE_VLNCTRL_CFIEN;
4791                    ctrl |= IXGBE_VLNCTRL_VFE;
4792            }
4793            if (hw->mac.type == ixgbe_mac_82598EB)
4794                    ctrl |= IXGBE_VLNCTRL_VME;
4795            IXGBE_WRITE_REG(hw, IXGBE_VLNCTRL, ctrl);

________________________________________________________________________________________________________
*** CID 1203189:  Null pointer dereference  (FORWARD_NULL)
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()
767                      */
768                     if (xs->status == SCSI_CHECK)
769                             xs->error = XS_BUSY;
770             }
771     
772      done:
>>>     CID 1203189:  Null pointer dereference  (FORWARD_NULL)
>>>     Dereferencing null pointer "mpt_reply".
Reviewer note: the only assignment to mpt_reply visible in these excerpts is on the address-reply path (line 518), so any path that reaches `done:` with a context reply dereferences NULL here — in a SCSI completion routine that is a kernel panic triggerable by the controller's reply stream, not a cosmetic warning. Guard the check, e.g. `if (mpt_reply != NULL && (le16toh(mpt_reply->IOCStatus) & MPI_IOCSTATUS_FLAG_LOG_INFO_AVAILABLE))`, or route the context-reply path past this block; verify against the full function, since only a fragment is shown.
773             if (le16toh(mpt_reply->IOCStatus) & 
774             MPI_IOCSTATUS_FLAG_LOG_INFO_AVAILABLE) {
775                     mpt_prt(mpt,"mpt_done: IOC has error - logging...\n");
776                     mpt_ctlop(mpt, mpt_reply, reply);
777             }
778     
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()
767                      */
768                     if (xs->status == SCSI_CHECK)
769                             xs->error = XS_BUSY;
770             }
771     
772      done:
>>>     CID 1203189:  Null pointer dereference  (FORWARD_NULL)
>>>     Dereferencing null pointer "mpt_reply".
773             if (le16toh(mpt_reply->IOCStatus) & 
774             MPI_IOCSTATUS_FLAG_LOG_INFO_AVAILABLE) {
775                     mpt_prt(mpt,"mpt_done: IOC has error - logging...\n");
776                     mpt_ctlop(mpt, mpt_reply, reply);
777             }
778     

________________________________________________________________________________________________________
*** CID 1203190:  Dereference after null check  (FORWARD_NULL)
/sys/ufs/lfs/lfs_syscalls.c: 757 in lfs_bmapv()
751                                     if (lfs_vref(vp)) {
752                                             v_daddr = LFS_UNUSED_DADDR;
753                                             continue;
754                                     }
755                                     numrefed++;
756                             } else {
>>>     CID 1203190:  Dereference after null check  (FORWARD_NULL)
>>>     Dereferencing null pointer "vp".
Reviewer note: the analyzer has seen vp tested against NULL on a path leading to this else branch (the test itself is outside the excerpt). If the else branch can really run with vp == NULL, `vp->v_interlock` is a kernel NULL dereference taken while ulfs_ihash_lock is held; confirm the condition at the head of this if/else before deciding whether the earlier NULL check is redundant or the else branch needs its own guard.
757                                     mutex_exit(vp->v_interlock);
758                                     mutex_exit(&ulfs_ihash_lock);
759                                     /*
760                                      * Don't VFS_VGET if we're being 
unmounted,
761                                      * since we hold vfs_busy().
762                                      */

________________________________________________________________________________________________________
*** CID 1203191:  Out-of-bounds read  (OVERRUN)
/sys/arch/x86/acpi/acpi_cpu_md.c: 1153 in acpicpu_md_pstate_sysctl_all()
1147     
1148            for (len = 0, i = sc->sc_pstate_max; i < sc->sc_pstate_count; 
i++) {
1149     
1150                    if (sc->sc_pstate[i].ps_freq == 0)
1151                            continue;
1152     
>>>     CID 1203191:  Out-of-bounds read  (OVERRUN)
>>>     Overrunning array of 1024 bytes at byte offset 1024 by dereferencing 
>>> pointer "&buf[len]".
Reviewer note: snprintf returns the length it wanted to write, not what fit, so after a truncated write len can equal sizeof(buf); the `len > sizeof(buf)` test on line 1156 lets that case through, and the next iteration calls snprintf with `buf + len` one past the array and a size of 0. A zero-size snprintf writes nothing, so this does not overwrite memory as written, but the break is the only thing keeping `sizeof(buf) - len` from wrapping to a huge size_t on a later iteration. Use `>=` on line 1156 and stop at the first truncation.
1153                    len += snprintf(buf + len, sizeof(buf) - len, "%u%s",
1154                        sc->sc_pstate[i].ps_freq,
1155                        i < (sc->sc_pstate_count - 1) ? " " : "");
1156                    if (len > sizeof(buf))
1157                            break;
1158            }

________________________________________________________________________________________________________
*** CID 1203192:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/aic79xx.c: 8611 in ahd_print_register()
8605                    *cur_column = 0;
8606            }
8607            printed = snprintf(line, sizeof(line), "%s[0x%x]", name, value);
8608            if (printed > sizeof(line))
8609                    printed = sizeof(line);
8610            if (table == NULL) {
>>>     CID 1203192:  Out-of-bounds read  (OVERRUN)
>>>     Overrunning array of 1024 bytes at byte offset 1024 by dereferencing 
>>> pointer "&line[printed]".
Reviewer note: the clamp on lines 8608-8609 allows printed == sizeof(line), at which point `&line[printed]` is one past the array and the size argument is 0; snprintf with size 0 writes nothing, so this is not an overwrite as written, only the one-past pointer the analyzer objects to. To make the bound obviously safe and stop silently appending to a truncated line, clamp to `sizeof(line) - 1` (keeping room for the NUL) or test the snprintf result for truncation and stop appending.
8611                    printed += snprintf(&line[printed], (sizeof line) - 
printed,
8612                        " ");
8613                    if (printed > sizeof(line))
8614                            printed = sizeof(line);
8615                    printf("%s", line);
8616                    if (cur_column != NULL)

________________________________________________________________________________________________________
*** CID 1203193:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/aic7xxx.c: 6561 in ahc_print_register()
6555                    *cur_column = 0;
6556            }
6557            printed = snprintf(line, sizeof(line), "%s[0x%x]", name, value);
6558            if (printed > sizeof(line))
6559                    printed = sizeof(line);
6560            if (table == NULL) {
>>>     CID 1203193:  Out-of-bounds read  (OVERRUN)
>>>     Overrunning array of 1024 bytes at byte offset 1024 by dereferencing 
>>> pointer "&line[printed]".
Reviewer note: same code and same analysis as CID 1203192 in aic79xx.c — printed may be clamped to exactly sizeof(line), giving a one-past-the-end pointer with a zero size, which writes nothing. Fix both copies the same way (clamp to `sizeof(line) - 1` or stop on truncation) so the two drivers do not drift.
6561                    printed += snprintf(&line[printed], (sizeof line) - 
printed,
6562                        " ");
6563                    if (printed > sizeof(line))
6564                            printed = sizeof(line);
6565                    printf("%s", line);
6566                    if (cur_column != NULL)

________________________________________________________________________________________________________
*** CID 1203194:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/mpt_debug.c: 204 in mpt_ioc_diag()
198             size_t len;
199             len = snprintf(tbuf, sizeof(tbuf), "(0x%08x)", code);
200             if (len > sizeof(tbuf))
201                     return tbuf;
202             while (status->Error_Code >= 0) {
203                     if ((status->Error_Code & code) != 0) {
>>>     CID 1203194:  Out-of-bounds read  (OVERRUN)
>>>     Overrunning array of 128 bytes at byte offset 128 by dereferencing 
>>> pointer "&tbuf[len]".
Reviewer note: as with the other OVERRUN reports in this batch, len can equal sizeof(tbuf) after a truncated snprintf and the `len > sizeof(tbuf)` test on line 201 does not return in that case; the next snprintf then receives `tbuf + len` one past the array with size 0, which writes nothing. Not an actual overwrite, but the truncation tests on lines 201 and 206 should be `>=` so a truncated message stops being appended to instead of silently dropping the remaining error strings.
204                             len += snprintf(tbuf + len, sizeof(tbuf) - len, 
"%s ",
205                                 status->Error_String);
206                             if (len > sizeof(tbuf))
207                                     return tbuf;
208                     }
209                     status++;

________________________________________________________________________________________________________
*** CID 1203195:  Out-of-bounds read  (OVERRUN)
/sys/dev/ic/mpt_debug.c: 251 in mpt_scsi_state()
245             size_t len;
246             len = snprintf(tbuf, sizeof(tbuf), "(0x%08x)", code);
247             if (len > sizeof(tbuf))
248                     return tbuf;
249             while (status->Error_Code >= 0) {
250                     if ((status->Error_Code & code) != 0) {
>>>     CID 1203195:  Out-of-bounds read  (OVERRUN)
>>>     Overrunning array of 128 bytes at byte offset 128 by dereferencing 
>>> pointer "&tbuf[len]".
Reviewer note: identical pattern to CID 1203194 a few lines up (lines 248 and 253 here); benign as written because a zero-size snprintf writes nothing, but change both tests to `>=` together with the mpt_ioc_diag copy.
251                             len += snprintf(tbuf + len, sizeof(tbuf) - len, 
"%s ",
252                                     status->Error_String);
253                             if (len > sizeof(tbuf))
254                                     return tbuf;
255                     }
256                     status++;

________________________________________________________________________________________________________
*** CID 1203196:  Out-of-bounds access  (OVERRUN)
/sys/kern/uipc_domain.c: 432 in sysctl_dounpcb()
426             if (unp->unp_addr != NULL) {
427                     /*
428                      * We've added one to sun_len when allocating to
429                      * hold terminating NUL which we want here.  See
430                      * makeun().
431                      */
>>>     CID 1203196:  Out-of-bounds access  (OVERRUN)
>>>     Overrunning struct type sockaddr of 16 bytes by passing it to a 
>>> function which accesses it at byte offset 263 using argument "min(264U, 
>>> unp->unp_addr->sun_len + 1)" (which evaluates to 264).
Reviewer note: the copy is bounded by `sizeof(pcb->ki_s)` (264 bytes per the report), so the analyzer is reasoning from un's declared type (struct sockaddr, 16 bytes) rather than from the storage it points at; if un is pcb->ki_s or a member of that union the destination is fine and this is a type-narrowing false positive. The source side depends on unp_addr really having been allocated with sun_len + 1 bytes as the comment says (with a one-byte sun_len the copy is at most 256 bytes). Confirm both against the declarations rather than dismissing on sight — this record is exported to userland through sysctl, so an over-read here would leak kernel memory.
432                     memcpy(un, unp->unp_addr,
433                         min(sizeof(pcb->ki_s), unp->unp_addr->sun_len + 1));
434             }
435             else {
436                     un->sun_len = offsetof(struct sockaddr_un, sun_path);
437                     un->sun_family = pcb->ki_family;

________________________________________________________________________________________________________
*** CID 1203197:  Dereference before null check  (REVERSE_INULL)
/sys/dev/ic/mpt_netbsd.c: 522 in mpt_done()
516     
517                     /* XXX BUS_DMASYNC_POSTREAD XXX */
518                     mpt_reply = MPT_REPLY_PTOV(mpt, reply);
519                     if (mpt->verbose > 1) {
520                             uint32_t *pReply = (uint32_t *) mpt_reply;
521     
>>>     CID 1203197:  Dereference before null check  (REVERSE_INULL)
>>>     Directly dereferencing pointer "mpt_reply".
Reviewer note: REVERSE_INULL means the function compares mpt_reply against NULL somewhere after this point (the comparison is outside the excerpt), so either that later check is redundant or this dereference is reachable with NULL; taken together with CID 1203189 on line 773 the latter is the more likely reading. This particular dereference is under `mpt->verbose > 1` right after the assignment on line 518, so the one that matters is line 773, not this debug print.
522                             mpt_prt(mpt, "Address Reply (index %u):",
523                                 le32toh(mpt_reply->MsgContext) & 0xffff);
524                             mpt_prt(mpt, "%08x %08x %08x %08x",
525                                 pReply[0], pReply[1], pReply[2], pReply[3]);
526                             mpt_prt(mpt, "%08x %08x %08x %08x",
527                                 pReply[4], pReply[5], pReply[6], pReply[7]);
/sys/dev/ic/mpt_netbsd.c: 773 in mpt_done()
767                      */
768                     if (xs->status == SCSI_CHECK)
769                             xs->error = XS_BUSY;
770             }
771     
772      done:
>>>     CID 1203197:  Dereference before null check  (REVERSE_INULL)
>>>     Directly dereferencing pointer "mpt_reply".
773             if (le16toh(mpt_reply->IOCStatus) & 
774             MPI_IOCSTATUS_FLAG_LOG_INFO_AVAILABLE) {
775                     mpt_prt(mpt,"mpt_done: IOC has error - logging...\n");
776                     mpt_ctlop(mpt, mpt_reply, reply);
777             }
778     

________________________________________________________________________________________________________
*** CID 1203198:  Uninitialized scalar variable  (UNINIT)
/sys/dev/pci/ixgbe/ixgbe.c: 2731 in ixgbe_config_link()
2725                    if ((!autoneg) && (hw->mac.ops.get_link_capabilities))
2726                            err  = hw->mac.ops.get_link_capabilities(hw,
2727                                &autoneg, &negotiate);
2728                    if (err)
2729                            goto out;
2730                    if (hw->mac.ops.setup_link)
>>>     CID 1203198:  Uninitialized scalar variable  (UNINIT)
>>>     Using uninitialized value "negotiate" when calling 
>>> "*hw->mac.ops.setup_link".
Reviewer note: negotiate is only written by get_link_capabilities(), which runs only when autoneg is zero, so on the common path an indeterminate bool is passed to setup_link(); reading it is undefined behaviour and in practice makes link negotiation depend on stack garbage. Initialise it at its declaration, `bool negotiate = false;`, here and in ixgbe_handle_msf (CID 1203199). If err is not initialised earlier in the function (not visible here), the `if (err)` on line 2728 has the same shape when the get_link_capabilities call is skipped.
2731                            err = hw->mac.ops.setup_link(hw, autoneg,
2732                                negotiate, adapter->link_up);
2733            }
2734     out:
2735            return;
2736     }

________________________________________________________________________________________________________
*** CID 1203199:  Uninitialized scalar variable  (UNINIT)
/sys/dev/pci/ixgbe/ixgbe.c: 5071 in ixgbe_handle_msf()
5065            bool negotiate;
5066     
5067            autoneg = hw->phy.autoneg_advertised;
5068            if ((!autoneg) && (hw->mac.ops.get_link_capabilities))
5069                    hw->mac.ops.get_link_capabilities(hw, &autoneg, 
&negotiate);
5070            if (hw->mac.ops.setup_link)
>>>     CID 1203199:  Uninitialized scalar variable  (UNINIT)
>>>     Using uninitialized value "negotiate" when calling 
>>> "*hw->mac.ops.setup_link".
Reviewer note: `bool negotiate;` on line 5065 is assigned only when autoneg is zero, so setup_link() usually receives an indeterminate value; change the declaration to `bool negotiate = false;`. The return value of get_link_capabilities() is also dropped on line 5069, so even on that path negotiate can remain unset if the call fails.
5071                    hw->mac.ops.setup_link(hw, autoneg, negotiate, TRUE);
5072            return;
5073     }
5074     
5075     #ifdef IXGBE_FDIR
5076     /*


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
http://scan.coverity.com/projects/1450?tab=Overview

To unsubscribe from the email notification for new defects, 
http://scan5.coverity.com/cgi-bin/unsubscribe.py



