New Defects reported by Coverity Scan for NetBSD-i386-kernel
Hi,
Please find below the latest report on new defect(s) that Coverity Scan found in NetBSD-i386-kernel.
Note that this analysis was run against the i386 build, so findings that depend on type widths (for example bus_addr_t or off_t arithmetic) may differ on 64-bit ports and should be read with that in mind.
Defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 1223332: Unchecked return value (CHECKED_RETURN)
/sys/dev/sequencer.c: 1376 in midiseq_in()
** CID 1223333: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 390 in vmxnet3_dma_init()
** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
** CID 1223335: Logically dead code (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()
** CID 1223336: Logically dead code (DEADCODE)
/sys/net/if_ppp.c: 1696 in ppp_inproc()
** CID 1223337: Logically dead code (DEADCODE)
/sys/net/if_ppp.c: 1679 in ppp_inproc()
** CID 1223338: Explicit null dereferenced (FORWARD_NULL)
/sys/dev/ic/hd64570.c: 1699 in sca_frame_process()
** CID 1223339: Dereference after null check (FORWARD_NULL)
/sys/net/if_fddisubr.c: 634 in fddi_input()
** CID 1223340: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_gre.c: 867 in gre_input()
** CID 1223341: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()
** CID 1223342: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_tokensubr.c: 519 in token_input()
** CID 1223343: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1094 in agp_i810_bind_page()
** CID 1223344: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1121 in agp_i810_unbind_page()
** CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()
** CID 1223346: Dereference before null check (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()
** CID 1223347: Uninitialized pointer read (UNINIT)
/sys/net/if_ieee1394subr.c: 440 in ieee1394_input()
** CID 1223348: Structurally dead code (UNREACHABLE)
/sys/dev/pci/agp_i810.c: 550 in agp_i810_attach()
________________________________________________________________________________________________________
*** CID 1223332: Unchecked return value (CHECKED_RETURN)
/sys/dev/sequencer.c: 1376 in midiseq_in()
1370 sc = md->seq;
1371
1372 qi.qi_msg[0] = msg[0];
1373 qi.qi_msg[1] = msg[1];
1374 qi.qi_msg[2] = msg[2];
1375 qi.qi_msg[3] = md->unit | 0x80; /* ensure non-zero value of
qi_ptr */
>>> CID 1223332: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "pcq_put(sc->pcq, qi.qi_ptr)". If the
>>> enqueue fails (pcq_put reports a full queue through its return value), the
>>> MIDI event is silently dropped while the softint is still scheduled; either
>>> check the result and account for the drop, or add a comment stating that
>>> dropping on overflow is acceptable here.
1376 pcq_put(sc->pcq, qi.qi_ptr);
1377 softint_schedule(sc->sih);
1378 }
1379
1380 static struct midi_dev *
1381 midiseq_open(int unit, int flags)
________________________________________________________________________________________________________
*** CID 1223333: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 390 in vmxnet3_dma_init()
384 ds->nintr = VMXNET3_NINTR;
385 ds->evintr = 0;
386 ds->ictrl = VMXNET3_ICTRL_DISABLE_ALL;
387 for (i = 0; i < VMXNET3_NINTR; i++)
388 ds->modlevel[i] = UPT1_IMOD_ADAPTIVE;
389 WRITE_BAR1(sc, VMXNET3_BAR1_DSL, ds_pa);
>>> CID 1223333: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
>>> "(__uint64_t)ds_pa >> 32" is 0 regardless of the values of its
>>> operands. This occurs as an argument to a function call. This is presumably
>>> because bus_addr_t is 32 bits on this i386 build, so the high word is always
>>> zero; on 64-bit ports the shift is meaningful. Treat it as a build-specific
>>> false positive rather than a defect, and do not remove the cast or the
>>> write of the high half, which the 64-bit path needs.
390 WRITE_BAR1(sc, VMXNET3_BAR1_DSH, (uint64_t)ds_pa >> 32);
391 return 0;
392 }
393
394 int
395 vmxnet3_alloc_txring(struct vmxnet3_softc *sc, int queue)
________________________________________________________________________________________________________
*** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
137
138 /* Check for invalid uid and gid arguments */
139 if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140 return EINVAL;
141
142 /* This can never happen? */
>>> CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
>>> "(args->ta_root_mode & (4095U /* ((((0x800 | 0x400) | 0x200) | 0x1c0) |
>>> 0x38) | 7 */)) == -1" is always false regardless of the values of its
>>> operands. This occurs as the logical operand of if. VNOVAL is -1 and a
>>> value masked with ALLPERMS (4095) can never equal it, so the mode check
>>> at 143 is inert and the EINVAL return at 144 is dead (see CID 1223335).
>>> If the intent is to reject a mode the caller never set, compare
>>> args->ta_root_mode itself against VNOVAL before masking; otherwise drop
>>> the dead check and its "This can never happen?" comment.
143 if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
144 return EINVAL;
145
146 /* Get the memory usage limit for this file-system. */
147 if (args->ta_size_max < PAGE_SIZE) {
148 memlimit = UINT64_MAX;
________________________________________________________________________________________________________
*** CID 1223335: Logically dead code (DEADCODE)
/sys/fs/tmpfs/tmpfs_vfsops.c: 144 in tmpfs_mount()
138 /* Check for invalid uid and gid arguments */
139 if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140 return EINVAL;
141
142 /* This can never happen? */
143 if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
>>> CID 1223335: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "return 22;".
144 return EINVAL;
145
146 /* Get the memory usage limit for this file-system. */
147 if (args->ta_size_max < PAGE_SIZE) {
148 memlimit = UINT64_MAX;
149 } else {
________________________________________________________________________________________________________
*** CID 1223336: Logically dead code (DEADCODE)
/sys/net/if_ppp.c: 1696 in ppp_inproc()
1690 printf("%s: input queue full\n", ifp->if_xname);
1691 ifp->if_iqdrops++;
1692 goto bad;
1693 }
1694 IF_ENQUEUE(inq, m);
1695 if (__predict_true(isr)) {
>>> CID 1223336: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "schednetisr(isr);". This implies
>>> the analyzer believes isr is always 0 on this path; if that holds, the
>>> mbuf enqueued at 1694 is never handed to a netisr. Verify whether the
>>> queue is drained elsewhere before treating this as harmless dead code.
1696 schednetisr(isr);
1697 }
1698 splx(s);
1699 ifp->if_ipackets++;
1700 ifp->if_ibytes += ilen;
1701
________________________________________________________________________________________________________
*** CID 1223337: Logically dead code (DEADCODE)
/sys/net/if_ppp.c: 1679 in ppp_inproc()
1673 goto bad;
1674 }
1675 ifp->if_ipackets++;
1676 ifp->if_ibytes += ilen;
1677 splx(s);
1678 if (rv)
>>> CID 1223337: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "(*sc->sc_ctlp)(sc);".
1679 (*sc->sc_ctlp)(sc);
1680 return;
1681 }
1682
1683 if (!inq) {
1684 goto bad;
________________________________________________________________________________________________________
*** CID 1223338: Explicit null dereferenced (FORWARD_NULL)
/sys/dev/ic/hd64570.c: 1699 in sca_frame_process()
1693 if (__predict_false(!pktq_enqueue(pktq, m, 0))) {
1694 scp->sp_if.if_iqdrops++;
1695 goto dropit;
1696 }
1697 return;
1698 }
>>> CID 1223338: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "ifq".
1699 if (!IF_QFULL(ifq)) {
1700 IF_ENQUEUE(ifq, m);
1701 schednetisr(isr);
1702 } else {
1703 IF_DROP(ifq);
1704 scp->sp_if.if_iqdrops++;
________________________________________________________________________________________________________
*** CID 1223339: Dereference after null check (FORWARD_NULL)
/sys/net/if_fddisubr.c: 634 in fddi_input()
628 #endif
629 #if defined(NS) || defined(DECNET) || defined(IPX) || defined(NETATALK)
630 if (!inq) {
631 m_freem(m);
632 }
633 s = splnet();
>>> CID 1223339: Dereference after null check (FORWARD_NULL)
>>> Dereferencing null pointer "inq". This one looks real, not a false
>>> positive: the "if (!inq)" at 630 frees m but does not return, so
>>> execution continues to IF_QFULL(inq) with inq NULL and with m already
>>> freed (a null dereference followed by a use-after-free of the mbuf).
>>> Add "return;" after the m_freem() at 631.
634 if (IF_QFULL(inq)) {
635 IF_DROP(inq);
636 m_freem(m);
637 } else {
638 IF_ENQUEUE(inq, m);
639 schednetisr(isr);
________________________________________________________________________________________________________
*** CID 1223340: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_gre.c: 867 in gre_input()
861 m_freem(m);
862 }
863 return 1;
864 }
865
866 s = splnet();
>>> CID 1223340: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "ifq". The visible code at 861-863 frees m and
>>> returns before this point, so the NULL path being tracked must originate
>>> further up, outside this excerpt; verify that every case of the preceding
>>> dispatch either assigns ifq or returns, rather than falling through.
867 if (IF_QFULL(ifq)) {
868 IF_DROP(ifq);
869 m_freem(m);
870 } else {
871 IF_ENQUEUE(ifq, m);
872 }
________________________________________________________________________________________________________
*** CID 1223341: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_loop.c: 342 in looutput()
336 m_freem(m);
337 error = ENOBUFS;
338 }
339 splx(s);
340 return error;
341 }
>>> CID 1223341: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "ifq".
342 if (IF_QFULL(ifq)) {
343 IF_DROP(ifq);
344 m_freem(m);
345 splx(s);
346 return (ENOBUFS);
347 }
________________________________________________________________________________________________________
*** CID 1223342: Explicit null dereferenced (FORWARD_NULL)
/sys/net/if_tokensubr.c: 519 in token_input()
513 m_freem(m);
514 }
515 return;
516 }
517
518 s = splnet();
>>> CID 1223342: Explicit null dereferenced (FORWARD_NULL)
>>> Dereferencing null pointer "inq".
519 if (IF_QFULL(inq)) {
520 IF_DROP(inq);
521 m_freem(m);
522 } else {
523 IF_ENQUEUE(inq, m);
524 schednetisr(isr);
________________________________________________________________________________________________________
*** CID 1223343: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1094 in agp_i810_bind_page()
1088
1089 static int
1090 agp_i810_bind_page(struct agp_softc *sc, off_t offset, bus_addr_t
physical)
1091 {
1092 struct agp_i810_softc *isc = sc->as_chipc;
1093
>>> CID 1223343: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "isc->gtt_size / 4U << 12" with type
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic
>>> before being used in a context which expects an expression of type
>>> "__off_t" (64 bits, signed). To avoid overflow, cast the left operand to
>>> "__off_t" before performing the left shift. This expression appears to be
>>> the bound that keeps "offset" inside the GTT before a page is bound; if
>>> gtt_size/4 can reach 2^20 entries (a 4 MiB table) the shift wraps to a
>>> small value and out-of-range offsets pass the check. Casting as suggested
>>> fixes it; comparing "(offset >> AGP_PAGE_SHIFT) >= isc->gtt_size/4"
>>> instead avoids the widening entirely.
1094 if (offset < 0 || offset >= ((isc->gtt_size/4) <<
AGP_PAGE_SHIFT)) {
1095 #ifdef AGP_DEBUG
1096 printf("%s: failed: offset 0x%08x, shift %d, entries
%d\n",
1097 device_xname(sc->as_dev), (int)offset,
AGP_PAGE_SHIFT,
1098 isc->gtt_size/4);
1099 #endif
________________________________________________________________________________________________________
*** CID 1223344: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/dev/pci/agp_i810.c: 1121 in agp_i810_unbind_page()
1115
1116 static int
1117 agp_i810_unbind_page(struct agp_softc *sc, off_t offset)
1118 {
1119 struct agp_i810_softc *isc = sc->as_chipc;
1120
>>> CID 1223344: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "isc->gtt_size / 4U << 12" with type
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic
>>> before being used in a context which expects an expression of type
>>> "__off_t" (64 bits, signed). To avoid overflow, cast the left operand to
>>> "__off_t" before performing the left shift. Same bound as CID 1223343;
>>> fix both in the same way so bind and unbind agree on the valid range.
1121 if (offset < 0 || offset >= ((isc->gtt_size/4) <<
AGP_PAGE_SHIFT))
1122 return EINVAL;
1123
1124 if (isc->chiptype != CHIP_I810 ) {
1125 if ((offset >> AGP_PAGE_SHIFT) < isc->stolen) {
1126 #ifdef AGP_DEBUG
________________________________________________________________________________________________________
*** CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/fs/cd9660/cd9660_vfsops.c: 788 in cd9660_loadvnode()
782 switch (imp->iso_ftype) {
783 default: /* ISO_FTYPE_9660 */
784 {
785 struct buf *bp2;
786 if ((imp->im_flags & ISOFSMNT_EXTATT)
787 && (off = isonum_711(isodir->ext_attr_length)))
>>> CID 1223345: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "off << imp->im_bshift" with type
>>> "int" (32 bits, signed) is evaluated using 32-bit arithmetic before being
>>> used in a context which expects an expression of type "__off_t" (64 bits,
>>> signed). To avoid overflow, cast the left operand to "__off_t" before
>>> performing the left shift. Here "off" is read from the on-disk
>>> ext_attr_length field (a 7.1.1 value is a single byte, so off <= 255),
>>> which makes an overflow unlikely in practice, but both operands derive
>>> from untrusted filesystem metadata, so casting to off_t first is still
>>> the right fix.
788 cd9660_blkatoff(vp, (off_t)-(off <<
imp->im_bshift),
789 NULL, &bp2);
790 else
791 bp2 = NULL;
792 cd9660_defattr(isodir, ip, bp2);
793 cd9660_deftstamp(isodir, ip, bp2);
________________________________________________________________________________________________________
*** CID 1223346: Dereference before null check (REVERSE_INULL)
/sys/fs/cd9660/cd9660_vfsops.c: 749 in cd9660_loadvnode()
743 return (error);
744 }
745 isodir = (struct iso_directory_record *)((char *)bp->b_data +
off);
746
747 if (off + isonum_711(isodir->length) > imp->logical_block_size)
{
748 pool_put(&cd9660_node_pool, ip);
>>> CID 1223346: Dereference before null check (REVERSE_INULL)
>>> Null-checking "bp" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check. bp->b_data is used at
>>> 745, so the "if (bp != 0)" guards at 749 and 803 can never be false;
>>> call brelse() unconditionally. More importantly, the printf at 751-753
>>> reads isodir->length after brelse(bp, 0) at 750 has released the buffer
>>> that isodir points into; move the printf before the brelse() (or cache
>>> the length in a local first).
749 if (bp != 0)
750 brelse(bp, 0);
751 printf("fhtovp: directory crosses block boundary
%d[off=%d/len=%d]\n",
752 off +isonum_711(isodir->length), off,
753 isonum_711(isodir->length));
754 return (ESTALE);
/sys/fs/cd9660/cd9660_vfsops.c: 803 in cd9660_loadvnode()
797 }
798 case ISO_FTYPE_RRIP:
799 cd9660_rrip_analyze(isodir, ip, imp);
800 break;
801 }
802
>>> CID 1223346: Dereference before null check (REVERSE_INULL)
>>> Null-checking "bp" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
803 if (bp != 0)
804 brelse(bp, 0);
805
806 /*
807 * Initialize the associated vnode
808 */
________________________________________________________________________________________________________
*** CID 1223347: Uninitialized pointer read (UNINIT)
/sys/net/if_ieee1394subr.c: 440 in ieee1394_input()
434 m_freem(m);
435 }
436 return;
437 }
438
439 s = splnet();
>>> CID 1223347: Uninitialized pointer read (UNINIT)
>>> Using uninitialized value "inq". The path that leaves inq unassigned is
>>> not in this excerpt (the visible 434-436 frees m and returns); check that
>>> every case of the preceding dispatch assigns inq, and initialize it to
>>> NULL at its declaration so a missed case becomes a detectable null
>>> dereference rather than a wild pointer.
440 if (IF_QFULL(inq)) {
441 IF_DROP(inq);
442 m_freem(m);
443 } else {
444 IF_ENQUEUE(inq, m);
445 schednetisr(isr);
________________________________________________________________________________________________________
*** CID 1223348: Structurally dead code (UNREACHABLE)
/sys/dev/pci/agp_i810.c: 550 in agp_i810_attach()
544 /* Match the generic AGP code's autoconf output format. */
545 aprint_normal("%s", device_xname(self));
546
547 /* Success! */
548 return 0;
549
>>> CID 1223348: Structurally dead code (UNREACHABLE)
>>> This code cannot be reached: "fail5:
>>> pmf_device_deregiste...". The label is marked __unused and the analyzer
>>> finds no goto to it, so the unwinding done here (pmf_device_deregister,
>>> the conditional bus_space_unmap) never runs on any failure path. Either a
>>> failure after pmf_device_register should "goto fail5", or this is a
>>> deliberate placeholder that should be removed to avoid suggesting cleanup
>>> that does not happen.
550 fail5: __unused
551 pmf_device_deregister(self);
552 if ((gtt_bar != 0) || (isc->size < gtt_off))
553 bus_space_unmap(isc->gtt_bst, isc->gtt_bsh,
isc->gtt_size);
554 isc->gtt_size = 0;
555 fail4:
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1450?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py