Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-kernel



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.

57 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 57 defect(s)


** CID 143119:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 128 in powerctrl_1_shift()


________________________________________________________________________________________________________
*** CID 143119:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 128 in powerctrl_1_shift()
122     	case 0x680520:
123     		shift += 4;
124     	case 0x680508:
125     		shift += 4;
126     	case 0x680504:
127     		shift += 4;
>>>     CID 143119:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
128     	case 0x680500:
129     		shift += 4;
130     	}
131     
132     	/*
133     	 * the shift for vpll regs is only used for nv3x chips with a single

** CID 143120:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 126 in powerctrl_1_shift()


________________________________________________________________________________________________________
*** CID 143120:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 126 in powerctrl_1_shift()
120     
121     	switch (reg) {
122     	case 0x680520:
123     		shift += 4;
124     	case 0x680508:
125     		shift += 4;
>>>     CID 143120:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
126     	case 0x680504:
127     		shift += 4;
128     	case 0x680500:
129     		shift += 4;
130     	}
131     

** CID 143121:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 124 in powerctrl_1_shift()


________________________________________________________________________________________________________
*** CID 143121:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 124 in powerctrl_1_shift()
118     	if (chip_version < 0x17 || chip_version == 0x1a || chip_version == 0x20)
119     		return shift;
120     
121     	switch (reg) {
122     	case 0x680520:
123     		shift += 4;
>>>     CID 143121:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
124     	case 0x680508:
125     		shift += 4;
126     	case 0x680504:
127     		shift += 4;
128     	case 0x680500:
129     		shift += 4;

** CID 143122:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 250 in setPLL_double_highregs()


________________________________________________________________________________________________________
*** CID 143122:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 250 in setPLL_double_highregs()
244     
245     		switch (reg1) {
246     		case 0x680504:
247     			shift_c040 += 2;
248     		case 0x680500:
249     			shift_c040 += 2;
>>>     CID 143122:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
250     		case 0x680520:
251     			shift_c040 += 2;
252     		case 0x680508:
253     			shift_c040 += 2;
254     		}
255     

** CID 143123:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 248 in setPLL_double_highregs()


________________________________________________________________________________________________________
*** CID 143123:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 248 in setPLL_double_highregs()
242     	if (chip_version >= 0x40) {
243     		int shift_c040 = 14;
244     
245     		switch (reg1) {
246     		case 0x680504:
247     			shift_c040 += 2;
>>>     CID 143123:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
248     		case 0x680500:
249     			shift_c040 += 2;
250     		case 0x680520:
251     			shift_c040 += 2;
252     		case 0x680508:
253     			shift_c040 += 2;

** CID 143124:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 252 in setPLL_double_highregs()


________________________________________________________________________________________________________
*** CID 143124:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 252 in setPLL_double_highregs()
246     		case 0x680504:
247     			shift_c040 += 2;
248     		case 0x680500:
249     			shift_c040 += 2;
250     		case 0x680520:
251     			shift_c040 += 2;
>>>     CID 143124:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
252     		case 0x680508:
253     			shift_c040 += 2;
254     		}
255     
256     		savedc040 = nv_rd32(devinit, 0xc040);
257     		if (shift_c040 != 14)

** CID 144988:    (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 825 in nouveau_gem_ioctl_pushbuf()
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 755 in nouveau_gem_ioctl_pushbuf()


________________________________________________________________________________________________________
*** CID 144988:    (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 825 in nouveau_gem_ioctl_pushbuf()
819     		if (ret) {
820     			NV_ERROR(cli, "jmp_space: %d\n", ret);
821     			goto out;
822     		}
823     
824     		for (i = 0; i < req->nr_push; i++) {
>>>     CID 144988:    (TAINTED_SCALAR)
>>>     Assigning: "nvbo" = "(void *)(unsigned long)(bo + (push + i).bo_index).user_priv". Both are now tainted.
825     			struct nouveau_bo *nvbo = (void *)(unsigned long)
826     				bo[push[i].bo_index].user_priv;
827     			uint32_t cmd;
828     
829     			cmd = chan->push.vma.offset + ((chan->dma.cur + 2) << 2);
830     			cmd |= 0x20000000;
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 755 in nouveau_gem_ioctl_pushbuf()
749     	}
750     
751     	push = u_memcpya(req->push, req->nr_push, sizeof(*push));
752     	if (IS_ERR(push))
753     		return nouveau_abi16_put(abi16, PTR_ERR(push));
754     
>>>     CID 144988:    (TAINTED_SCALAR)
>>>     Assigning: "bo" = "u_memcpya", which taints "bo".
755     	bo = u_memcpya(req->buffers, req->nr_buffers, sizeof(*bo));
756     	if (IS_ERR(bo)) {
757     		u_free(push);
758     		return nouveau_abi16_put(abi16, PTR_ERR(bo));
759     	}
760     

** CID 145720:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_connector.c: 310 in nouveau_connector_detect()


________________________________________________________________________________________________________
*** CID 145720:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_connector.c: 310 in nouveau_connector_detect()
304     				    nv_partner->dcb->type == DCB_OUTPUT_ANALOG))) {
305     			if (nv_connector->edid->input & DRM_EDID_INPUT_DIGITAL)
306     				type = DCB_OUTPUT_TMDS;
307     			else
308     				type = DCB_OUTPUT_ANALOG;
309     
>>>     CID 145720:  Null pointer dereferences  (NULL_RETURNS)
>>>     Assigning: "nv_encoder" = null return value from "find_encoder".
310     			nv_encoder = find_encoder(connector, type);
311     		}
312     
313     		nouveau_connector_set_encoder(connector, nv_encoder);
314     		conn_status = connector_status_connected;
315     		goto out;

** CID 201378:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_nv50.c: 173 in mxm_dcb_sanitise_entry()


________________________________________________________________________________________________________
*** CID 201378:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_nv50.c: 173 in mxm_dcb_sanitise_entry()
167     		break;
168     	case 0x03: /* DVI-D */
169     		type = DCB_CONNECTOR_DVI_D;
170     		break;
171     	case 0x0e: /* eDP, falls through to DPint */
172     		ctx.outp[1] |= 0x00010000;
>>>     CID 201378:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
173     	case 0x07: /* DP internal, wtf is this?? HP8670w */
174     		ctx.outp[1] |= 0x00000004; /* use_power_scripts? */
175     		type = DCB_CONNECTOR_eDP;
176     		break;
177     	default:
178     		break;

** CID 703385:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/fifo/nouveau_engine_fifo_nv40.c: 318 in nv40_fifo_init()


________________________________________________________________________________________________________
*** CID 703385:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/fifo/nouveau_engine_fifo_nv40.c: 318 in nv40_fifo_init()
312     
313     	switch (nv_device(priv)->chipset) {
314     	case 0x47:
315     	case 0x49:
316     	case 0x4b:
317     		nv_wr32(priv, 0x002230, 0x00000001);
>>>     CID 703385:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
318     	case 0x40:
319     	case 0x41:
320     	case 0x42:
321     	case 0x43:
322     	case 0x45:
323     	case 0x48:

** CID 709895:  Null pointer dereferences  (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_mxms.c: 177 in mxms_foreach()


________________________________________________________________________________________________________
*** CID 709895:  Null pointer dereferences  (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_mxms.c: 177 in mxms_foreach()
171     					pr_cont("%02x", dump[j]);
172     				pr_cont("\n");
173     			}
174     		}
175     
176     		if (types & (1 << type)) {
>>>     CID 709895:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "exec".
177     			if (!exec(mxm, desc, info))
178     				return false;
179     		}
180     
181     		desc += headerlen + (entries * recordlen);
182     	}

** CID 731484:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 128 in nouveau_namedb_get()


________________________________________________________________________________________________________
*** CID 731484:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 128 in nouveau_namedb_get()
122     {
123     	struct nouveau_handle *handle;
124     	read_lock(&namedb->lock);
125     	handle = nouveau_namedb_lookup(namedb, name);
126     	if (handle == NULL)
127     		read_unlock(&namedb->lock);
>>>     CID 731484:  Program hangs  (LOCK)
>>>     Returning without unlocking "namedb->lock".
128     	return handle;
129     }
130     
131     struct nouveau_handle *
132     nouveau_namedb_get_class(struct nouveau_namedb *namedb, u16 oclass)
133     {

** CID 731485:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 161 in nouveau_namedb_get_cinst()


________________________________________________________________________________________________________
*** CID 731485:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 161 in nouveau_namedb_get_cinst()
155     {
156     	struct nouveau_handle *handle;
157     	read_lock(&namedb->lock);
158     	handle = nouveau_namedb_lookup_cinst(namedb, cinst);
159     	if (handle == NULL)
160     		read_unlock(&namedb->lock);
>>>     CID 731485:  Program hangs  (LOCK)
>>>     Returning without unlocking "namedb->lock".
161     	return handle;
162     }
163     
164     void
165     nouveau_namedb_put(struct nouveau_handle *handle)
166     {

** CID 731486:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 139 in nouveau_namedb_get_class()


________________________________________________________________________________________________________
*** CID 731486:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 139 in nouveau_namedb_get_class()
133     {
134     	struct nouveau_handle *handle;
135     	read_lock(&namedb->lock);
136     	handle = nouveau_namedb_lookup_class(namedb, oclass);
137     	if (handle == NULL)
138     		read_unlock(&namedb->lock);
>>>     CID 731486:  Program hangs  (LOCK)
>>>     Returning without unlocking "namedb->lock".
139     	return handle;
140     }
141     
142     struct nouveau_handle *
143     nouveau_namedb_get_vinst(struct nouveau_namedb *namedb, u64 vinst)
144     {

** CID 731487:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 150 in nouveau_namedb_get_vinst()


________________________________________________________________________________________________________
*** CID 731487:  Program hangs  (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 150 in nouveau_namedb_get_vinst()
144     {
145     	struct nouveau_handle *handle;
146     	read_lock(&namedb->lock);
147     	handle = nouveau_namedb_lookup_vinst(namedb, vinst);
148     	if (handle == NULL)
149     		read_unlock(&namedb->lock);
>>>     CID 731487:  Program hangs  (LOCK)
>>>     Returning without unlocking "namedb->lock".
150     	return handle;
151     }
152     
153     struct nouveau_handle *
154     nouveau_namedb_get_cinst(struct nouveau_namedb *namedb, u32 cinst)
155     {

** CID 731489:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_i2c.c: 53 in dcb_i2c_table()


________________________________________________________________________________________________________
*** CID 731489:  Incorrect expression  (NO_EFFECT)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_i2c.c: 53 in dcb_i2c_table()
47     	if (i2c && *ver >= 0x30) {
48     		*ver = nv_ro08(bios, i2c + 0);
49     		*hdr = nv_ro08(bios, i2c + 1);
50     		*cnt = nv_ro08(bios, i2c + 2);
51     		*len = nv_ro08(bios, i2c + 3);
52     	} else {
>>>     CID 731489:  Incorrect expression  (NO_EFFECT)
>>>     Assignment operation "*ver = *ver" has no effect.
53     		*ver = *ver; /* use DCB version */
54     		*hdr = 0;
55     		*cnt = 16;
56     		*len = 4;
57     	}
58     

** CID 731510:    (USE_AFTER_FREE)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 414 in nouveau_bios_shadow()
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 422 in nouveau_bios_shadow()


________________________________________________________________________________________________________
*** CID 731510:    (USE_AFTER_FREE)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 414 in nouveau_bios_shadow()
408     	} while (mthd->score != 3 && (++mthd)->shadow);
409     
410     	mthd = shadow_methods;
411     	best = mthd;
412     	do {
413     		if (mthd->score > best->score) {
>>>     CID 731510:    (USE_AFTER_FREE)
>>>     Calling "kfree" frees pointer "best->data" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
414     			kfree(best->data);
415     			best = mthd;
416     		}
417     	} while ((++mthd)->shadow);
418     
419     	if (best->score) {
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 422 in nouveau_bios_shadow()
416     		}
417     	} while ((++mthd)->shadow);
418     
419     	if (best->score) {
420     		nv_info(bios, "using image from %s\n", best->desc);
421     		bios->size = best->size;
>>>     CID 731510:    (USE_AFTER_FREE)
>>>     Using freed pointer "best->data".
422     		bios->data = best->data;
423     		return 0;
424     	}
425     
426     	nv_error(bios, "unable to locate usable image\n");
427     	return -EINVAL;

** CID 741236:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/dmaobj/nouveau_engine_dmaobj_nv04.c: 102 in nv04_dmaobj_bind()


________________________________________________________________________________________________________
*** CID 741236:  Control flow issues  (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/dmaobj/nouveau_engine_dmaobj_nv04.c: 102 in nv04_dmaobj_bind()
96     	switch (dmaobj->access) {
97     	case NV_MEM_ACCESS_RO:
98     		flags0 |= 0x00004000;
99     		break;
100     	case NV_MEM_ACCESS_WO:
101     		flags0 |= 0x00008000;
>>>     CID 741236:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
102     	case NV_MEM_ACCESS_RW:
103     		flags2 |= 0x00000002;
104     		break;
105     	default:
106     		return -EINVAL;
107     	}

** CID 989067:    (OVERRUN)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/disp/nouveau_engine_disp_nv50.c: 1307 in exec_clkcmp()
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/disp/nouveau_engine_disp_nvd0.c: 1046 in exec_clkcmp()


________________________________________________________________________________________________________
*** CID 989067:    (OVERRUN)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/disp/nouveau_engine_disp_nv50.c: 1307 in exec_clkcmp()
1301     		conf = (ctrl & 0x00000f00) >> 8;
1302     		pclk = pclk / 2;
1303     	}
1304     
1305     	data = nvbios_ocfg_match(bios, data, conf, &ver, &hdr, &cnt, &len, &info2);
1306     	if (data && id < 0xff) {
>>>     CID 989067:    (OVERRUN)
>>>     Overrunning array "info2.clkcmp" of 2 2-byte elements at element index 254 (byte offset 508) using index "id" (which evaluates to 254).
1307     		data = nvbios_oclk_match(bios, info2.clkcmp[id], pclk);
1308     		if (data) {
1309     			struct nvbios_init init = {
1310     				.subdev = nv_subdev(priv),
1311     				.bios = bios,
1312     				.offset = data,
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/disp/nouveau_engine_disp_nvd0.c: 1046 in exec_clkcmp()
1040     		conf = 0x00ff;
1041     		break;
1042     	}
1043     
1044     	data = nvbios_ocfg_match(bios, data, conf, &ver, &hdr, &cnt, &len, &info2);
1045     	if (data && id < 0xff) {
>>>     CID 989067:    (OVERRUN)
>>>     Overrunning array "info2.clkcmp" of 2 2-byte elements at element index 254 (byte offset 508) using index "id" (which evaluates to 254).
1046     		data = nvbios_oclk_match(bios, info2.clkcmp[id], pclk);
1047     		if (data) {
1048     			struct nvbios_init init = {
1049     				.subdev = nv_subdev(priv),
1050     				.bios = bios,
1051     				.offset = data,

** CID 1056793:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/graph/nouveau_engine_graph_ctxnv50.c: 790 in dd_emit()


________________________________________________________________________________________________________
*** CID 1056793:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/graph/nouveau_engine_graph_ctxnv50.c: 790 in dd_emit()
784     
785     static void
786     dd_emit(struct nouveau_grctx *ctx, int num, u32 val) {
787     	int i;
788     	if (val && ctx->mode == NOUVEAU_GRCTX_VALS)
789     		for (i = 0; i < num; i++)
>>>     CID 1056793:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "4U * (ctx->ctxvals_pos + i)" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
790     			nv_wo32(ctx->data, 4 * (ctx->ctxvals_pos + i), val);
791     	ctx->ctxvals_pos += num;
792     }
793     
794     static void
795     nv50_graph_construct_mmio_ddata(struct nouveau_grctx *ctx)


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-kernel?tab=overview



