Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.

11 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)


** CID 1066206:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 1643 in vmxnet3_reinit_shared_data()


________________________________________________________________________________________________________
*** CID 1066206:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 1643 in vmxnet3_reinit_shared_data()
1637     		ds->upt_features |= UPT1_F_RSS;
1638     		vmxnet3_reinit_rss_shared_data(sc);
1639     	}
1640     
1641     	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSL, sc->vmx_ds_dma.dma_paddr);
1642     	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSH,
>>>     CID 1066206:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
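>>>     "(__uint64_t)sc->vmx_ds_dma.dma_paddr >> 32" is 0 regardless of the values of its operands. This occurs as an argument to a function call.
         [Reviewer note: the cast is applied before the shift, so the expression itself is well-defined. It can only be constant 0 if dma_paddr is a 32-bit type in this i386 build (presumably the case; confirm against the type's definition), in which case the high word written to VMXNET3_BAR1_DSH is always 0.]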
1643     	    (uint64_t) sc->vmx_ds_dma.dma_paddr >> 32);
1644     }
1645     
1646     int
1647     vmxnet3_alloc_data(struct vmxnet3_softc *sc)
1648     {

** CID 1396598:  Null pointer dereferences  (FORWARD_NULL)
/sys/netinet6/in6_src.c: 673 in in6_selectroute()


________________________________________________________________________________________________________
*** CID 1396598:  Null pointer dereferences  (FORWARD_NULL)
/sys/netinet6/in6_src.c: 673 in in6_selectroute()
667     	 * the interface specified by ipi6_ifindex (if specified).
668     	 * Note that loopback interface is always okay.
669     	 * (this may happen when we are sending a packet to one of
670     	 *  our own addresses.)
671     	 */
672     	if (opts && opts->ip6po_pktinfo && opts->ip6po_pktinfo->ipi6_ifindex) {
>>>     CID 1396598:  Null pointer dereferences  (FORWARD_NULL)
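>>>     Dereferencing null pointer "rt".
         [Reviewer note: lines 673-674 read rt->rt_ifp before the "rt != NULL" test on line 675, so that test cannot protect the dereference. If rt can be NULL here, the check has to be part of the condition on line 673. CID 1396634 (REVERSE_INULL) reports the same code from the other direction.]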
673     		if (!(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
674     		    rt->rt_ifp->if_index != opts->ip6po_pktinfo->ipi6_ifindex) {
675     			if (rt != NULL && count_discard)
676     				in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
677     			error = EHOSTUNREACH;
678     			rt = NULL;

** CID 1396600:  Null pointer dereferences  (FORWARD_NULL)
/sys/net/if_spppsubr.c: 4915 in sppp_set_ip_addrs_work()


________________________________________________________________________________________________________
*** CID 1396600:  Null pointer dereferences  (FORWARD_NULL)
/sys/net/if_spppsubr.c: 4915 in sppp_set_ip_addrs_work()
4909     	else if (dest != NULL)
4910     		hisaddr = ntohl(dest->sin_addr.s_addr);
4911     
4912     	if (si != NULL) {
4913     		int error;
4914     		struct sockaddr_in new_sin = *si;
>>>     CID 1396600:  Null pointer dereferences  (FORWARD_NULL)
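>>>     Dereferencing null pointer "dest".
         [Reviewer note: line 4909 tests "dest != NULL", so the code itself treats dest as possibly NULL, yet line 4915 copies *dest whenever si != NULL. The copy needs its own dest check.]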
4915     		struct sockaddr_in new_dst = *dest;
4916     
4917     		if (myaddr != 0)
4918     			new_sin.sin_addr.s_addr = htonl(myaddr);
4919     		if (hisaddr != 0) {
4920     			new_dst.sin_addr.s_addr = htonl(hisaddr);

** CID 1396620:  Null pointer dereferences  (NULL_RETURNS)
/sys/dev/scsipi/scsiconf.c: 473 in scsidevdetached()


________________________________________________________________________________________________________
*** CID 1396620:  Null pointer dereferences  (NULL_RETURNS)
/sys/dev/scsipi/scsiconf.c: 473 in scsidevdetached()
467     	target = device_locator(child, SCSIBUSCF_TARGET);
468     	lun = device_locator(child, SCSIBUSCF_LUN);
469     
470     	mutex_enter(chan_mtx(chan));
471     
472     	periph = scsipi_lookup_periph_locked(chan, target, lun);
>>>     CID 1396620:  Null pointer dereferences  (NULL_RETURNS)
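>>>     Dereferencing a null pointer "periph".
         [Reviewer note: periph is the return value of scsipi_lookup_periph_locked() on line 472. It is dereferenced inside the KASSERT on line 473 and then passed to scsipi_remove_periph() and scsipi_free_periph() with no NULL check. Whether the lookup can fail on this detach path is not visible in the excerpt.]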
473     	KASSERT(periph->periph_dev == child);
474     
475     	scsipi_remove_periph(chan, periph);
476     	scsipi_free_periph(periph);
477     
478     	mutex_exit(chan_mtx(chan));

** CID 1396634:  Null pointer dereferences  (REVERSE_INULL)
/sys/netinet6/in6_src.c: 675 in in6_selectroute()


________________________________________________________________________________________________________
*** CID 1396634:  Null pointer dereferences  (REVERSE_INULL)
/sys/netinet6/in6_src.c: 675 in in6_selectroute()
669     	 * (this may happen when we are sending a packet to one of
670     	 *  our own addresses.)
671     	 */
672     	if (opts && opts->ip6po_pktinfo && opts->ip6po_pktinfo->ipi6_ifindex) {
673     		if (!(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
674     		    rt->rt_ifp->if_index != opts->ip6po_pktinfo->ipi6_ifindex) {
>>>     CID 1396634:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "rt" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
675     			if (rt != NULL && count_discard)
676     				in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
677     			error = EHOSTUNREACH;
678     			rt = NULL;
679     		}
680     	}

** CID 1396646:  Integer handling issues  (BAD_SHIFT)
/sys/arch/x86/pci/if_vmx.c: 1642 in vmxnet3_reinit_shared_data()


________________________________________________________________________________________________________
*** CID 1396646:  Integer handling issues  (BAD_SHIFT)
/sys/arch/x86/pci/if_vmx.c: 1642 in vmxnet3_reinit_shared_data()
1636     	if (sc->vmx_flags & VMXNET3_FLAG_RSS) {
1637     		ds->upt_features |= UPT1_F_RSS;
1638     		vmxnet3_reinit_rss_shared_data(sc);
1639     	}
1640     
1641     	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSL, sc->vmx_ds_dma.dma_paddr);
>>>     CID 1396646:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "(__uint64_t)sc->vmx_ds_dma.dma_paddr >> 32", right shifting "sc->vmx_ds_dma.dma_paddr" by more than 31 bits always yields zero.  The shift amount is 32.
1642     	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSH,
1643     	    (uint64_t) sc->vmx_ds_dma.dma_paddr >> 32);
1644     }
1645     
1646     int
1647     vmxnet3_alloc_data(struct vmxnet3_softc *sc)

** CID 1396647:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2320 in vmxnet3_stop_locked()


________________________________________________________________________________________________________
*** CID 1396647:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2320 in vmxnet3_stop_locked()
2314     vmxnet3_stop_locked(struct vmxnet3_softc *sc)
2315     {
2316     	struct ifnet *ifp;
2317     	int q;
2318     
2319     	ifp = &sc->vmx_ethercom.ec_if;
>>>     CID 1396647:  Error handling issues  (CHECKED_RETURN)
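>>>     Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
         [Reviewer note: the flagged call comes from the expansion of VMXNET3_CORE_LOCK_ASSERT(sc). If that macro wraps mutex_owned() in an assertion that this build configuration compiles down to a discarded expression, the report is likely a false positive; confirm against the macro definition. The same reasoning applies to CIDs 1396648, 1396649 and 1396650.]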
2320     	VMXNET3_CORE_LOCK_ASSERT(sc);
2321     
2322     	ifp->if_flags &= ~IFF_RUNNING;
2323     	sc->vmx_link_active = 0;
2324     	callout_stop(&sc->vmx_tick);
2325     

** CID 1396648:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2018 in vmxnet3_rxq_eof()


________________________________________________________________________________________________________
*** CID 1396648:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2018 in vmxnet3_rxq_eof()
2012     	int idx, length;
2013     
2014     	sc = rxq->vxrxq_sc;
2015     	ifp = &sc->vmx_ethercom.ec_if;
2016     	rxc = &rxq->vxrxq_comp_ring;
2017     
>>>     CID 1396648:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
2018     	VMXNET3_RXQ_LOCK_ASSERT(rxq);
2019     
2020     	if ((ifp->if_flags & IFF_RUNNING) == 0)
2021     		return;
2022     
2023     	m_head = rxq->vxrxq_mhead;

** CID 1396649:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2750 in vmxnet3_start_locked()


________________________________________________________________________________________________________
*** CID 1396649:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2750 in vmxnet3_start_locked()
2744     
2745     	sc = ifp->if_softc;
2746     	txq = &sc->vmx_txq[0];
2747     	txr = &txq->vxtxq_cmd_ring;
2748     	tx = 0;
2749     
>>>     CID 1396649:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
2750     	VMXNET3_TXQ_LOCK_ASSERT(txq);
2751     
2752     	if ((ifp->if_flags & IFF_RUNNING) == 0 ||
2753     	    sc->vmx_link_active == 0)
2754     		return;
2755     

** CID 1396650:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 1793 in vmxnet3_txq_eof()


________________________________________________________________________________________________________
*** CID 1396650:  Error handling issues  (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 1793 in vmxnet3_txq_eof()
1787     	u_int sop;
1788     
1789     	sc = txq->vxtxq_sc;
1790     	txr = &txq->vxtxq_cmd_ring;
1791     	txc = &txq->vxtxq_comp_ring;
1792     
>>>     CID 1396650:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
1793     	VMXNET3_TXQ_LOCK_ASSERT(txq);
1794     
1795     	for (;;) {
1796     		txcd = &txc->vxcr_u.txcd[txc->vxcr_next];
1797     		if (txcd->gen != txc->vxcr_gen)
1798     			break;

** CID 1396651:  Null pointer dereferences  (NULL_RETURNS)
/sys/arch/x86/pci/if_vmx.c: 2568 in vmxnet3_txq_offload_ctx()


________________________________________________________________________________________________________
*** CID 1396651:  Null pointer dereferences  (NULL_RETURNS)
/sys/arch/x86/pci/if_vmx.c: 2568 in vmxnet3_txq_offload_ctx()
2562     	mp = m_pulldown(m, 0, *csum_start + 2, &offp);
2563     
2564     	if (m->m_pkthdr.csum_flags & (M_CSUM_TSOv4 | M_CSUM_TSOv6)) {
2565     		struct tcphdr *tcp;
2566     
2567     		txq->vxtxq_stats.vmtxs_tso++;
>>>     CID 1396651:  Null pointer dereferences  (NULL_RETURNS)
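>>>     Dereferencing a null pointer "mp".
         [Reviewer note: mp is the return value of m_pulldown() on line 2562 and is not checked before mtod(mp, ...) on lines 2568 and 2573. A failure check belongs directly after line 2562. mbuf(9) describes m_pulldown() as freeing the chain on failure; if so, the m->m_pkthdr access on line 2564 would also touch freed memory (confirm).]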
2568     		tcp = (void *)(mtod(mp, char *) + offp + *start);
2569     
2570     		if (v4) {
2571     			struct ip *ip;
2572     
2573     			ip = (void *)(mtod(mp, char *) + offp + offset);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBjEGdxS-2FDDouPkeZ4HbDca3C30UoLW748TLKQM-2BXRpGRc-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05VHR-2FA39-2FwoDCeZG-2FA5e-2FTI9neGQNNPA-2F1t6qFfLpFeBBeesUscWNmHkYZwXs2-2BVZZtcdeuGXYDE-2BTRidFqADFRC3SD3Vroecua1KLmyZgSDfA3z98NGgnVqtoDq4dp7XBXLpeKczAWGBdvI3xVJ0X4It-2BLUZv8id84eCvlGgc8xjBtUg0k5E-2Bq7yNyZSpzhwM-3D



