Coverity-updates archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.

902 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
47 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 902 defect(s)


** CID 141373:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
/sys/external/bsd/drm2/dist/drm/i915/intel_tv.c: 1415 in intel_tv_get_modes()

** CID 141381:  Unchecked return value  (CHECKED_RETURN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2928 in intel_sdvo_create_enhance_property()

** CID 141432:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2275 in intel_sdvo_guess_ddc_bus()

** CID 141433:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2269 in intel_sdvo_guess_ddc_bus()

** CID 141434:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2273 in intel_sdvo_guess_ddc_bus()

** CID 141435:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2277 in intel_sdvo_guess_ddc_bus()

** CID 141436:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2271 in intel_sdvo_guess_ddc_bus()

** CID 200527:  Inferred misuse of enum  (MIXED_ENUMS)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 10658 in intel_crtc_init()

** CID 741133:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_drv.h: 2410 in i915_gem_object_pin_fence()

** CID 741134:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3901 in i915_gem_object_get_fence()

** CID 741135:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3814 in i915_gem_object_put_fence()

** CID 741235:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/i915_gpu_error.c: 1288 in i915_get_extra_instdone()

** CID 741246:  Negative array index read  (NEGATIVE_RETURNS)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3469 in i915_gem_object_sync()

** CID 976668:  Argument cannot be negative  (NEGATIVE_RETURNS)
/crypto/external/bsd/heimdal/dist/lib/roken/resolve.c: 561 in dns_lookup_int()

** CID 976987:  Dereference null return value  (NULL_RETURNS)
/sys/ufs/chfs/chfs_readinode.c: 767 in chfs_add_full_dnode_to_inode()

** CID 980099:  Unchecked return value  (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/drm_bufs.c: 329 in drm_rmmap_user()

** CID 989071:  Unintended sign extension  (SIGN_EXTENSION)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem_gtt.c: 2609 in gen6_get_stolen_size()

** CID 1007806:  Out-of-bounds access  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1909 in intel_sdvo_get_tv_modes()

** CID 1056510:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 7217 in haswell_get_pipe_config()

** CID 1056511:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1257 in intel_sdvo_mode_set()


________________________________________________________________________________________________________
*** CID 141373:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
/sys/external/bsd/drm2/dist/drm/i915/intel_tv.c: 1415 in intel_tv_get_modes()
1409     					&& !tv_mode->component_only))
1410     			continue;
1411     
1412     		mode_ptr = drm_mode_create(connector->dev);
1413     		if (!mode_ptr)
1414     			continue;
>>>     CID 141373:  Buffer not null terminated  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 32 bytes on destination array "mode_ptr->name" of size 32 bytes might leave the destination string unterminated.
1415     		strncpy(mode_ptr->name, input->name, DRM_DISPLAY_MODE_LEN);
1416     
1417     		mode_ptr->hdisplay = hactive_s;
1418     		mode_ptr->hsync_start = hactive_s + 1;
1419     		mode_ptr->hsync_end = hactive_s + 64;
1420     		if (mode_ptr->hsync_end <= mode_ptr->hsync_start)

________________________________________________________________________________________________________
*** CID 141381:  Unchecked return value  (CHECKED_RETURN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2928 in intel_sdvo_create_enhance_property()
2922     		uint16_t response;
2923     	} enhancements;
2924     
2925     	BUILD_BUG_ON(sizeof(enhancements) != 2);
2926     
2927     	enhancements.response = 0;
>>>     CID 141381:  Unchecked return value  (CHECKED_RETURN)
>>>     No check of the return value of "intel_sdvo_get_value(intel_sdvo, 132, &enhancements, 2)".
2928     	intel_sdvo_get_value(intel_sdvo,
2929     			     SDVO_CMD_GET_SUPPORTED_ENHANCEMENTS,
2930     			     &enhancements, sizeof(enhancements));
2931     	if (enhancements.response == 0) {
2932     		DRM_DEBUG_KMS("No enhancement is supported\n");
2933     		return true;

________________________________________________________________________________________________________
*** CID 141432:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2275 in intel_sdvo_guess_ddc_bus()
2269     	case SDVO_OUTPUT_LVDS0:
2270     		mask |= SDVO_OUTPUT_LVDS0;
2271     	case SDVO_OUTPUT_TMDS1:
2272     		mask |= SDVO_OUTPUT_TMDS1;
2273     	case SDVO_OUTPUT_TMDS0:
2274     		mask |= SDVO_OUTPUT_TMDS0;
>>>     CID 141432:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
2275     	case SDVO_OUTPUT_RGB1:
2276     		mask |= SDVO_OUTPUT_RGB1;
2277     	case SDVO_OUTPUT_RGB0:
2278     		mask |= SDVO_OUTPUT_RGB0;
2279     		break;
2280     	}

________________________________________________________________________________________________________
*** CID 141433:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2269 in intel_sdvo_guess_ddc_bus()
2263     	/* Make a mask of outputs less than or equal to our own priority in the
2264     	 * list.
2265     	 */
2266     	switch (sdvo->controlled_output) {
2267     	case SDVO_OUTPUT_LVDS1:
2268     		mask |= SDVO_OUTPUT_LVDS1;
>>>     CID 141433:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
2269     	case SDVO_OUTPUT_LVDS0:
2270     		mask |= SDVO_OUTPUT_LVDS0;
2271     	case SDVO_OUTPUT_TMDS1:
2272     		mask |= SDVO_OUTPUT_TMDS1;
2273     	case SDVO_OUTPUT_TMDS0:
2274     		mask |= SDVO_OUTPUT_TMDS0;

________________________________________________________________________________________________________
*** CID 141434:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2273 in intel_sdvo_guess_ddc_bus()
2267     	case SDVO_OUTPUT_LVDS1:
2268     		mask |= SDVO_OUTPUT_LVDS1;
2269     	case SDVO_OUTPUT_LVDS0:
2270     		mask |= SDVO_OUTPUT_LVDS0;
2271     	case SDVO_OUTPUT_TMDS1:
2272     		mask |= SDVO_OUTPUT_TMDS1;
>>>     CID 141434:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
2273     	case SDVO_OUTPUT_TMDS0:
2274     		mask |= SDVO_OUTPUT_TMDS0;
2275     	case SDVO_OUTPUT_RGB1:
2276     		mask |= SDVO_OUTPUT_RGB1;
2277     	case SDVO_OUTPUT_RGB0:
2278     		mask |= SDVO_OUTPUT_RGB0;

________________________________________________________________________________________________________
*** CID 141435:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2277 in intel_sdvo_guess_ddc_bus()
2271     	case SDVO_OUTPUT_TMDS1:
2272     		mask |= SDVO_OUTPUT_TMDS1;
2273     	case SDVO_OUTPUT_TMDS0:
2274     		mask |= SDVO_OUTPUT_TMDS0;
2275     	case SDVO_OUTPUT_RGB1:
2276     		mask |= SDVO_OUTPUT_RGB1;
>>>     CID 141435:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
2277     	case SDVO_OUTPUT_RGB0:
2278     		mask |= SDVO_OUTPUT_RGB0;
2279     		break;
2280     	}
2281     
2282     	/* Count bits to find what number we are in the priority list. */

________________________________________________________________________________________________________
*** CID 141436:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2271 in intel_sdvo_guess_ddc_bus()
2265     	 */
2266     	switch (sdvo->controlled_output) {
2267     	case SDVO_OUTPUT_LVDS1:
2268     		mask |= SDVO_OUTPUT_LVDS1;
2269     	case SDVO_OUTPUT_LVDS0:
2270     		mask |= SDVO_OUTPUT_LVDS0;
>>>     CID 141436:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
2271     	case SDVO_OUTPUT_TMDS1:
2272     		mask |= SDVO_OUTPUT_TMDS1;
2273     	case SDVO_OUTPUT_TMDS0:
2274     		mask |= SDVO_OUTPUT_TMDS0;
2275     	case SDVO_OUTPUT_RGB1:
2276     		mask |= SDVO_OUTPUT_RGB1;

________________________________________________________________________________________________________
*** CID 200527:  Inferred misuse of enum  (MIXED_ENUMS)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 10658 in intel_crtc_init()
10652     
10653     	/*
10654     	 * On gen2/3 only plane A can do fbc, but the panel fitter and lvds port
10655     	 * is hooked to plane B. Hence we want plane A feeding pipe B.
10656     	 */
10657     	intel_crtc->pipe = pipe;
>>>     CID 200527:  Inferred misuse of enum  (MIXED_ENUMS)
>>>     Mixing enum types enum i915_pipe and enum plane for "pipe".
10658     	intel_crtc->plane = pipe;
10659     	if (HAS_FBC(dev) && INTEL_INFO(dev)->gen < 4) {
10660     		DRM_DEBUG_KMS("swapping pipes & planes for FBC\n");
10661     		intel_crtc->plane = !pipe;
10662     	}
10663     

________________________________________________________________________________________________________
*** CID 741133:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_drv.h: 2410 in i915_gem_object_pin_fence()
2404     {
2405     	if (obj->fence_reg != I915_FENCE_REG_NONE) {
2406     		struct drm_i915_private *dev_priv = obj->base.dev->dev_private;
2407     		dev_priv->fence_regs[obj->fence_reg].pin_count++;
2408     		return true;
2409     	} else
>>>     CID 741133:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "return false;".
2410     		return false;
2411     }
2412     
2413     static inline void
2414     i915_gem_object_unpin_fence(struct drm_i915_gem_object *obj)
2415     {

________________________________________________________________________________________________________
*** CID 741134:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3901 in i915_gem_object_get_fence()
3895     		reg = &dev_priv->fence_regs[obj->fence_reg];
3896     		if (!obj->fence_dirty) {
3897     			list_move_tail(&reg->lru_list,
3898     				       &dev_priv->mm.fence_list);
3899     			return 0;
3900     		}
>>>     CID 741134:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "if (enable){
  reg = i915_f...".
3901     	} else if (enable) {
3902     		reg = i915_find_fence_reg(dev);
3903     		if (IS_ERR(reg))
3904     			return PTR_ERR(reg);
3905     
3906     		if (reg->obj) {

________________________________________________________________________________________________________
*** CID 741135:  Logically dead code  (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3814 in i915_gem_object_put_fence()
3808     
3809     	ret = i915_gem_object_wait_fence(obj);
3810     	if (ret)
3811     		return ret;
3812     
3813     	if (obj->fence_reg == I915_FENCE_REG_NONE)
>>>     CID 741135:  Logically dead code  (DEADCODE)
>>>     Execution cannot reach this statement "return 0;".
3814     		return 0;
3815     
3816     	fence = &dev_priv->fence_regs[obj->fence_reg];
3817     
3818     	i915_gem_object_fence_lost(obj);
3819     	i915_gem_object_update_fence(obj, fence, false);

________________________________________________________________________________________________________
*** CID 741235:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/i915_gpu_error.c: 1288 in i915_get_extra_instdone()
1282     	case 6:
1283     		instdone[0] = I915_READ(INSTDONE_I965);
1284     		instdone[1] = I915_READ(INSTDONE1);
1285     		break;
1286     	default:
1287     		WARN_ONCE(1, "Unsupported platform\n");
>>>     CID 741235:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
1288     	case 7:
1289     	case 8:
1290     		instdone[0] = I915_READ(GEN7_INSTDONE_1);
1291     		instdone[1] = I915_READ(GEN7_SC_INSTDONE);
1292     		instdone[2] = I915_READ(GEN7_SAMPLER_INSTDONE);
1293     		instdone[3] = I915_READ(GEN7_ROW_INSTDONE);
1294     		break;
1295     	}

________________________________________________________________________________________________________
*** CID 741246:  Negative array index read  (NEGATIVE_RETURNS)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3469 in i915_gem_object_sync()
3463     	if (to == NULL || !i915_semaphore_is_enabled(obj->base.dev))
3464     		return i915_gem_object_wait_rendering(obj, false);
3465     
3466     	idx = intel_ring_sync_index(from, to);
3467     
3468     	seqno = obj->last_read_seqno;
>>>     CID 741246:  Negative array index read  (NEGATIVE_RETURNS)
>>>     Using variable "idx" as an index to array "from->sync_seqno".
3469     	if (seqno <= from->sync_seqno[idx])
3470     		return 0;
3471     
3472     	ret = i915_gem_check_olr(obj->ring, seqno);
3473     	if (ret)
3474     		return ret;

________________________________________________________________________________________________________
*** CID 976668:  Argument cannot be negative  (NEGATIVE_RETURNS)
/crypto/external/bsd/heimdal/dist/lib/roken/resolve.c: 561 in dns_lookup_int()
555     #elif defined(HAVE_RES_NSEARCH)
556     	    state.options |= RES_DEBUG;
557     #endif
558     	    fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain,
559     		    rr_class, rk_dns_type_to_string(rr_type), len);
560     	}
>>>     CID 976668:  Argument cannot be negative  (NEGATIVE_RETURNS)
>>>     "len" is passed to a parameter that cannot be negative.
561     	reply = malloc(len);
562     	if (reply == NULL) {
563     	    resolve_free_handle(handle);
564     	    return NULL;
565     	}
566     

________________________________________________________________________________________________________
*** CID 976987:  Dereference null return value  (NULL_RETURNS)
/sys/ufs/chfs/chfs_readinode.c: 767 in chfs_add_full_dnode_to_inode()
761     
762     	/* Check previous fragment. */
763     	if (newfrag->ofs & (PAGE_SIZE - 1)) {
764     		struct chfs_node_frag *prev = frag_prev(&ip->fragtree, newfrag);
765     
766     		CHFS_MARK_REF_NORMAL(fd->nref);
>>>     CID 976987:  Dereference null return value  (NULL_RETURNS)
>>>     Dereferencing a null pointer "prev".
767     		if (prev->node)
768     			CHFS_MARK_REF_NORMAL(prev->node->nref);
769     	}
770     
771     	/* Check next fragment. */
772     	if ((newfrag->ofs+newfrag->size) & (PAGE_SIZE - 1)) {

________________________________________________________________________________________________________
*** CID 980099:  Unchecked return value  (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/drm_bufs.c: 329 in drm_rmmap_user()
323     	paddr_t pa;
324     	struct vm_page *pg;
325     
326     	va = (vaddr_t)addr;
327     	eva = va + size;
328     	for (; va < eva; va += PAGE_SIZE) {
>>>     CID 980099:  Unchecked return value  (CHECKED_RETURN)
>>>     No check of the return value of "pmap_extract(kernel_pmap_ptr, va, &pa)".
329     		pmap_extract(pmap_kernel(), va, &pa);
330     		pg = PHYS_TO_VM_PAGE(pa);
331     		pmap_page_protect(pg, VM_PROT_NONE);
332     	}
333     }
334     

________________________________________________________________________________________________________
*** CID 989071:  Unintended sign extension  (SIGN_EXTENSION)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem_gtt.c: 2609 in gen6_get_stolen_size()
2603     }
2604     
2605     static inline size_t gen6_get_stolen_size(u16 snb_gmch_ctl)
2606     {
2607     	snb_gmch_ctl >>= SNB_GMCH_GMS_SHIFT;
2608     	snb_gmch_ctl &= SNB_GMCH_GMS_MASK;
>>>     CID 989071:  Unintended sign extension  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "snb_gmch_ctl" with type "unsigned short" (16 bits, unsigned) is promoted in "snb_gmch_ctl << 25" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "snb_gmch_ctl << 25" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
2609     	return snb_gmch_ctl << 25; /* 32 MB units */
2610     }
2611     
2612     static inline size_t gen8_get_stolen_size(u16 bdw_gmch_ctl)
2613     {
2614     	bdw_gmch_ctl >>= BDW_GMCH_GMS_SHIFT;

________________________________________________________________________________________________________
*** CID 1007806:  Out-of-bounds access  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1909 in intel_sdvo_get_tv_modes()
1903     		      connector->base.id, drm_get_connector_name(connector));
1904     
1905     	/* Read the list of supported input resolutions for the selected TV
1906     	 * format.
1907     	 */
1908     	format_map = 1 << intel_sdvo->tv_format_index;
>>>     CID 1007806:  Out-of-bounds access  (OVERRUN)
>>>     Overrunning struct type intel_sdvo_sdtv_resolution_request of 3 bytes by passing it to a function which accesses it at byte offset 3 using argument "min(4U, 3U)" (which evaluates to 4).
1909     	memcpy(&tv_res, &format_map,
1910     	       min(sizeof(format_map), sizeof(struct intel_sdvo_sdtv_resolution_request)));
1911     
1912     	if (!intel_sdvo_set_target_output(intel_sdvo, intel_sdvo->attached_output))
1913     		return;
1914     

________________________________________________________________________________________________________
*** CID 1056510:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 7217 in haswell_get_pipe_config()
7211     	tmp = I915_READ(TRANS_DDI_FUNC_CTL(TRANSCODER_EDP));
7212     	if (tmp & TRANS_DDI_FUNC_ENABLE) {
7213     		enum i915_pipe trans_edp_pipe;
7214     		switch (tmp & TRANS_DDI_EDP_INPUT_MASK) {
7215     		default:
7216     			WARN(1, "unknown pipe linked to edp transcoder\n");
>>>     CID 1056510:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
7217     		case TRANS_DDI_EDP_INPUT_A_ONOFF:
7218     		case TRANS_DDI_EDP_INPUT_A_ON:
7219     			trans_edp_pipe = PIPE_A;
7220     			break;
7221     		case TRANS_DDI_EDP_INPUT_B_ONOFF:
7222     			trans_edp_pipe = PIPE_B;

________________________________________________________________________________________________________
*** CID 1056511:  Missing break in switch  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1257 in intel_sdvo_mode_set()
1251     		DRM_INFO("Setting input timings on %s failed\n",
1252     			 SDVO_NAME(intel_sdvo));
1253     
1254     	switch (crtc->config.pixel_multiplier) {
1255     	default:
1256     		WARN(1, "unknown pixel mutlipler specified\n");
>>>     CID 1056511:  Missing break in switch  (MISSING_BREAK)
>>>     The above case falls through to this one.
1257     	case 1: rate = SDVO_CLOCK_RATE_MULT_1X; break;
1258     	case 2: rate = SDVO_CLOCK_RATE_MULT_2X; break;
1259     	case 4: rate = SDVO_CLOCK_RATE_MULT_4X; break;
1260     	}
1261     	if (!intel_sdvo_set_clock_rate_mult(intel_sdvo, rate))
1262     		return;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan.coverity.com/projects/1449?tab=overview

To unsubscribe from the email notification for new defects, http://scan5.coverity.com/cgi-bin/unsubscribe.py




Home | Main Index | Thread Index | Old Index