Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,


Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel 
found with Coverity Scan.

Defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)


** CID 1223332:  Unchecked return value  (CHECKED_RETURN)
/sys/dev/sequencer.c: 1376 in midiseq_in()

** CID 1223333:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 390 in vmxnet3_dma_init()

** CID 1223334:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()

** CID 1223335:  Logically dead code  (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()

** CID 1223336:  Logically dead code  (DEADCODE)
/sys/net/if_ppp.c: 1696 in ppp_inproc()

** CID 1223337:  Logically dead code  (DEADCODE)
/sys/net/if_ppp.c: 1679 in ppp_inproc()

** CID 1223338:  Explicit null dereferenced  (FORWARD_NULL)
/sys/dev/ic/hd64570.c: 1699 in sca_frame_process()

** CID 1223339:  Dereference after null check  (FORWARD_NULL)
/sys/net/if_fddisubr.c: 634 in fddi_input()

** CID 1223340:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_gre.c: 867 in gre_input()

** CID 1223341:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()

** CID 1223342:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_tokensubr.c: 519 in token_input()

** CID 1223343:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1094 in agp_i810_bind_page()

** CID 1223344:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1121 in agp_i810_unbind_page()

** CID 1223345:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()

** CID 1223346:  Dereference before null check  (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()

** CID 1223347:  Uninitialized pointer read  (UNINIT)
/sys/net/if_ieee1394subr.c: 440 in ieee1394_input()

** CID 1223348:  Structurally dead code  (UNREACHABLE)
/sys/dev/pci/agp_i810.c: 550 in agp_i810_attach()


________________________________________________________________________________________________________
*** CID 1223332:  Unchecked return value  (CHECKED_RETURN)
/sys/dev/sequencer.c: 1376 in midiseq_in()
1370            sc = md->seq;
1371     
1372            qi.qi_msg[0] = msg[0];
1373            qi.qi_msg[1] = msg[1];
1374            qi.qi_msg[2] = msg[2];
1375            qi.qi_msg[3] = md->unit | 0x80; /* ensure non-zero value of 
qi_ptr */
>>>     CID 1223332:  Unchecked return value  (CHECKED_RETURN)
>>>     No check of the return value of "pcq_put(sc->pcq, qi.qi_ptr)".
1376            pcq_put(sc->pcq, qi.qi_ptr);
1377            softint_schedule(sc->sih);
1378     }
1379     
1380     static struct midi_dev *
1381     midiseq_open(int unit, int flags)

________________________________________________________________________________________________________
*** CID 1223333:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 390 in vmxnet3_dma_init()
384             ds->nintr = VMXNET3_NINTR;
385             ds->evintr = 0;
386             ds->ictrl = VMXNET3_ICTRL_DISABLE_ALL;
387             for (i = 0; i < VMXNET3_NINTR; i++)
388                     ds->modlevel[i] = UPT1_IMOD_ADAPTIVE;
389             WRITE_BAR1(sc, VMXNET3_BAR1_DSL, ds_pa);
>>>     CID 1223333:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
>>>     "(__uint64_t)ds_pa >> 32" is 0 regardless of the values of its 
>>> operands. This occurs as an argument to a function call.
390             WRITE_BAR1(sc, VMXNET3_BAR1_DSH, (uint64_t)ds_pa >> 32);
391             return 0;
392     }
393     
394     int
395     vmxnet3_alloc_txring(struct vmxnet3_softc *sc, int queue)

________________________________________________________________________________________________________
*** CID 1223334:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
137     
138             /* Check for invalid uid and gid arguments */
139             if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140                     return EINVAL;
141     
142             /* This can never happen? */
>>>     CID 1223334:  Operands don't affect result  (CONSTANT_EXPRESSION_RESULT)
>>>     "(args->ta_root_mode & (4095U /* ((((0x800 | 0x400) | 0x200) | 0x1c0) | 
>>> 0x38) | 7 */)) == -1" is always false regardless of the values of its 
>>> operands. This occurs as the logical operand of if.
143             if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
144                     return EINVAL;
145     
146             /* Get the memory usage limit for this file-system. */
147             if (args->ta_size_max < PAGE_SIZE) {
148                     memlimit = UINT64_MAX;

________________________________________________________________________________________________________
*** CID 1223335:  Logically dead code  (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()
138             /* Check for invalid uid and gid arguments */
139             if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140                     return EINVAL;
141     
142             /* This can never happen? */
143             if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
>>>     CID 1223335:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "return 22;".
144                     return EINVAL;
145     
146             /* Get the memory usage limit for this file-system. */
147             if (args->ta_size_max < PAGE_SIZE) {
148                     memlimit = UINT64_MAX;
149             } else {

________________________________________________________________________________________________________
*** CID 1223336:  Logically dead code  (DEADCODE)
/sys/net/if_ppp.c: 1696 in ppp_inproc()
1690                printf("%s: input queue full\n", ifp->if_xname);
1691            ifp->if_iqdrops++;
1692            goto bad;
1693         }
1694         IF_ENQUEUE(inq, m);
1695         if (__predict_true(isr)) {
>>>     CID 1223336:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "schednetisr(isr);".
1696             schednetisr(isr);
1697         }
1698         splx(s);
1699         ifp->if_ipackets++;
1700         ifp->if_ibytes += ilen;
1701     

________________________________________________________________________________________________________
*** CID 1223337:  Logically dead code  (DEADCODE)
/sys/net/if_ppp.c: 1679 in ppp_inproc()
1673                goto bad;
1674            }
1675            ifp->if_ipackets++;
1676            ifp->if_ibytes += ilen;
1677            splx(s);
1678            if (rv)
>>>     CID 1223337:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "(*sc->sc_ctlp)(sc);".
1679                (*sc->sc_ctlp)(sc);
1680            return;
1681         }
1682     
1683         if (!inq) {
1684            goto bad;

________________________________________________________________________________________________________
*** CID 1223338:  Explicit null dereferenced  (FORWARD_NULL)
/sys/dev/ic/hd64570.c: 1699 in sca_frame_process()
1693                    if (__predict_false(!pktq_enqueue(pktq, m, 0))) {
1694                            scp->sp_if.if_iqdrops++;
1695                            goto dropit;
1696                    }
1697                    return;
1698            }
>>>     CID 1223338:  Explicit null dereferenced  (FORWARD_NULL)
>>>     Dereferencing null pointer "ifq".
1699            if (!IF_QFULL(ifq)) {
1700                    IF_ENQUEUE(ifq, m);
1701                    schednetisr(isr);
1702            } else {
1703                    IF_DROP(ifq);
1704                    scp->sp_if.if_iqdrops++;

________________________________________________________________________________________________________
*** CID 1223339:  Dereference after null check  (FORWARD_NULL)
/sys/net/if_fddisubr.c: 634 in fddi_input()
628     #endif
629     #if defined(NS) || defined(DECNET) || defined(IPX) || defined(NETATALK)
630             if (!inq) {
631                     m_freem(m);
632             }
633             s = splnet();
>>>     CID 1223339:  Dereference after null check  (FORWARD_NULL)
>>>     Dereferencing null pointer "inq".
634             if (IF_QFULL(inq)) {
635                     IF_DROP(inq);
636                     m_freem(m);
637             } else {
638                     IF_ENQUEUE(inq, m);
639                     schednetisr(isr);

________________________________________________________________________________________________________
*** CID 1223340:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_gre.c: 867 in gre_input()
861                             m_freem(m);
862                     }
863                     return 1;
864             }
865     
866             s = splnet();
>>>     CID 1223340:  Explicit null dereferenced  (FORWARD_NULL)
>>>     Dereferencing null pointer "ifq".
867             if (IF_QFULL(ifq)) {
868                     IF_DROP(ifq);
869                     m_freem(m);
870             } else {
871                     IF_ENQUEUE(ifq, m);
872             }

________________________________________________________________________________________________________
*** CID 1223341:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()
336                             m_freem(m);
337                             error = ENOBUFS;
338                     }
339                     splx(s);
340                     return error;
341             }
>>>     CID 1223341:  Explicit null dereferenced  (FORWARD_NULL)
>>>     Dereferencing null pointer "ifq".
342             if (IF_QFULL(ifq)) {
343                     IF_DROP(ifq);
344                     m_freem(m);
345                     splx(s);
346                     return (ENOBUFS);
347             }

________________________________________________________________________________________________________
*** CID 1223342:  Explicit null dereferenced  (FORWARD_NULL)
/sys/net/if_tokensubr.c: 519 in token_input()
513                             m_freem(m);
514                     }
515                     return;
516             }
517     
518             s = splnet();
>>>     CID 1223342:  Explicit null dereferenced  (FORWARD_NULL)
>>>     Dereferencing null pointer "inq".
519             if (IF_QFULL(inq)) {
520                     IF_DROP(inq);
521                     m_freem(m);
522             } else {
523                     IF_ENQUEUE(inq, m);
524                     schednetisr(isr);

________________________________________________________________________________________________________
*** CID 1223343:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1094 in agp_i810_bind_page()
1088     
1089     static int
1090     agp_i810_bind_page(struct agp_softc *sc, off_t offset, bus_addr_t 
physical)
1091     {
1092            struct agp_i810_softc *isc = sc->as_chipc;
1093     
>>>     CID 1223343:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "isc->gtt_size / 4U << 12" with type 
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic  
>>> before being used in a context which expects an expression of type 
>>> "__off_t" (64 bits, signed).  To avoid overflow, cast the left operand to 
>>> "__off_t" before performing the left shift.
1094            if (offset < 0 || offset >= ((isc->gtt_size/4) << 
AGP_PAGE_SHIFT)) {
1095     #ifdef AGP_DEBUG
1096                    printf("%s: failed: offset 0x%08x, shift %d, entries 
%d\n",
1097                        device_xname(sc->as_dev), (int)offset, 
AGP_PAGE_SHIFT,
1098                        isc->gtt_size/4);
1099     #endif

________________________________________________________________________________________________________
*** CID 1223344:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1121 in agp_i810_unbind_page()
1115     
1116     static int
1117     agp_i810_unbind_page(struct agp_softc *sc, off_t offset)
1118     {
1119            struct agp_i810_softc *isc = sc->as_chipc;
1120     
>>>     CID 1223344:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "isc->gtt_size / 4U << 12" with type 
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic  
>>> before being used in a context which expects an expression of type 
>>> "__off_t" (64 bits, signed).  To avoid overflow, cast the left operand to 
>>> "__off_t" before performing the left shift.
1121            if (offset < 0 || offset >= ((isc->gtt_size/4) << 
AGP_PAGE_SHIFT))
1122                    return EINVAL;
1123     
1124            if (isc->chiptype != CHIP_I810 ) {
1125                    if ((offset >> AGP_PAGE_SHIFT) < isc->stolen) {
1126     #ifdef AGP_DEBUG

________________________________________________________________________________________________________
*** CID 1223345:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()
782             switch (imp->iso_ftype) {
783             default:        /* ISO_FTYPE_9660 */
784                 {
785                     struct buf *bp2;
786                     if ((imp->im_flags & ISOFSMNT_EXTATT)
787                         && (off = isonum_711(isodir->ext_attr_length)))
>>>     CID 1223345:  Unintentional integer overflow  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "off << imp->im_bshift" with type 
>>> "int" (32 bits, signed) is evaluated using 32-bit arithmetic  before being 
>>> used in a context which expects an expression of type "__off_t" (64 bits, 
>>> signed).  To avoid overflow, cast the left operand to "__off_t" before 
>>> performing the left shift.
788                             cd9660_blkatoff(vp, (off_t)-(off << 
imp->im_bshift),
789                                 NULL, &bp2);
790                     else
791                             bp2 = NULL;
792                     cd9660_defattr(isodir, ip, bp2);
793                     cd9660_deftstamp(isodir, ip, bp2);

________________________________________________________________________________________________________
*** CID 1223346:  Dereference before null check  (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
743                     return (error);
744             }
745             isodir = (struct iso_directory_record *)((char *)bp->b_data + 
off);
746     
747             if (off + isonum_711(isodir->length) > imp->logical_block_size) 
{
748                     pool_put(&cd9660_node_pool, ip);
>>>     CID 1223346:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "bp" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
749                     if (bp != 0)
750                             brelse(bp, 0);
751                     printf("fhtovp: directory crosses block boundary 
%d[off=%d/len=%d]\n",
752                         off +isonum_711(isodir->length), off,
753                         isonum_711(isodir->length));
754                     return (ESTALE);
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()
797                 }
798             case ISO_FTYPE_RRIP:
799                     cd9660_rrip_analyze(isodir, ip, imp);
800                     break;
801             }
802     
>>>     CID 1223346:  Dereference before null check  (REVERSE_INULL)
>>>     Null-checking "bp" suggests that it may be null, but it has already 
>>> been dereferenced on all paths leading to the check.
803             if (bp != 0)
804                     brelse(bp, 0);
805     
806             /*
807              * Initialize the associated vnode
808              */

________________________________________________________________________________________________________
*** CID 1223347:  Uninitialized pointer read  (UNINIT)
/sys/net/if_ieee1394subr.c: 440 in ieee1394_input()
434                             m_freem(m);
435                     }
436                     return;
437             }
438     
439             s = splnet();
>>>     CID 1223347:  Uninitialized pointer read  (UNINIT)
>>>     Using uninitialized value "inq".
440             if (IF_QFULL(inq)) {
441                     IF_DROP(inq);
442                     m_freem(m);
443             } else {
444                     IF_ENQUEUE(inq, m);
445                     schednetisr(isr);

________________________________________________________________________________________________________
*** CID 1223348:  Structurally dead code  (UNREACHABLE)
/sys/dev/pci/agp_i810.c: 550 in agp_i810_attach()
544             /* Match the generic AGP code's autoconf output format.  */
545             aprint_normal("%s", device_xname(self));
546     
547             /* Success!  */
548             return 0;
549     
>>>     CID 1223348:  Structurally dead code  (UNREACHABLE)
>>>     This code cannot be reached: "fail5:
pmf_device_deregiste...".
550     fail5: __unused
551             pmf_device_deregister(self);
552             if ((gtt_bar != 0) || (isc->size < gtt_off))
553                     bus_space_unmap(isc->gtt_bst, isc->gtt_bsh, 
isc->gtt_size);
554             isc->gtt_size = 0;
555     fail4:


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit 
http://scan.coverity.com/projects/1450?tab=overview

To unsubscribe from the email notifications for new defects, visit 
http://scan5.coverity.com/cgi-bin/unsubscribe.py



