New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
56 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 56 defect(s)
** CID 143119: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 128 in powerctrl_1_shift()
________________________________________________________________________________________________________
*** CID 143119: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 128 in powerctrl_1_shift()
122 case 0x680520:
123 shift += 4;
124 case 0x680508:
125 shift += 4;
126 case 0x680504:
127 shift += 4;
>>> CID 143119: Control flow issues (MISSING_BREAK)
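>>> The above case falls through to this one. Every case shown in this switch adds 4 to shift and none ends in a break, so the fall-through looks like deliberate accumulation; a /* FALLTHROUGH */ comment after each case body would document that intent.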
128 case 0x680500:
129 shift += 4;
130 }
131
132 /*
133 * the shift for vpll regs is only used for nv3x chips with a single
** CID 143120: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 126 in powerctrl_1_shift()
________________________________________________________________________________________________________
*** CID 143120: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 126 in powerctrl_1_shift()
120
121 switch (reg) {
122 case 0x680520:
123 shift += 4;
124 case 0x680508:
125 shift += 4;
>>> CID 143120: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
126 case 0x680504:
127 shift += 4;
128 case 0x680500:
129 shift += 4;
130 }
131
** CID 143121: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 124 in powerctrl_1_shift()
________________________________________________________________________________________________________
*** CID 143121: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 124 in powerctrl_1_shift()
118 if (chip_version < 0x17 || chip_version == 0x1a || chip_version == 0x20)
119 return shift;
120
121 switch (reg) {
122 case 0x680520:
123 shift += 4;
>>> CID 143121: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
124 case 0x680508:
125 shift += 4;
126 case 0x680504:
127 shift += 4;
128 case 0x680500:
129 shift += 4;
** CID 143122: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 250 in setPLL_double_highregs()
________________________________________________________________________________________________________
*** CID 143122: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 250 in setPLL_double_highregs()
244
245 switch (reg1) {
246 case 0x680504:
247 shift_c040 += 2;
248 case 0x680500:
249 shift_c040 += 2;
>>> CID 143122: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
250 case 0x680520:
251 shift_c040 += 2;
252 case 0x680508:
253 shift_c040 += 2;
254 }
255
** CID 143123: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 248 in setPLL_double_highregs()
________________________________________________________________________________________________________
*** CID 143123: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 248 in setPLL_double_highregs()
242 if (chip_version >= 0x40) {
243 int shift_c040 = 14;
244
245 switch (reg1) {
246 case 0x680504:
247 shift_c040 += 2;
>>> CID 143123: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
248 case 0x680500:
249 shift_c040 += 2;
250 case 0x680520:
251 shift_c040 += 2;
252 case 0x680508:
253 shift_c040 += 2;
** CID 143124: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 252 in setPLL_double_highregs()
________________________________________________________________________________________________________
*** CID 143124: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/devinit/nouveau_subdev_devinit_nv04.c: 252 in setPLL_double_highregs()
246 case 0x680504:
247 shift_c040 += 2;
248 case 0x680500:
249 shift_c040 += 2;
250 case 0x680520:
251 shift_c040 += 2;
>>> CID 143124: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
252 case 0x680508:
253 shift_c040 += 2;
254 }
255
256 savedc040 = nv_rd32(devinit, 0xc040);
257 if (shift_c040 != 14)
** CID 144988: (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 825 in nouveau_gem_ioctl_pushbuf()
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 755 in nouveau_gem_ioctl_pushbuf()
________________________________________________________________________________________________________
*** CID 144988: (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 825 in nouveau_gem_ioctl_pushbuf()
819 if (ret) {
820 NV_ERROR(cli, "jmp_space: %d\n", ret);
821 goto out;
822 }
823
824 for (i = 0; i < req->nr_push; i++) {
>>> CID 144988: (TAINTED_SCALAR)
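>>> Assigning: "nvbo" = "(void *)(unsigned long)(bo + (push + i).bo_index).user_priv". Both are now tainted. The "bo" array is the one copied in by u_memcpya at line 755, and its user_priv field is cast straight to a kernel pointer here. Line 763 compares bo_index against req->nr_buffers; triage should also confirm that user_priv is overwritten with a kernel-owned value before this loop runs.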
825 struct nouveau_bo *nvbo = (void *)(unsigned long)
826 bo[push[i].bo_index].user_priv;
827 uint32_t cmd;
828
829 cmd = chan->push.vma.offset + ((chan->dma.cur + 2) << 2);
830 cmd |= 0x20000000;
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 755 in nouveau_gem_ioctl_pushbuf()
749 }
750
751 push = u_memcpya(req->push, req->nr_push, sizeof(*push));
752 if (IS_ERR(push))
753 return nouveau_abi16_put(abi16, PTR_ERR(push));
754
>>> CID 144988: (TAINTED_SCALAR)
>>> Assigning: "bo" = "u_memcpya", which taints "bo".
755 bo = u_memcpya(req->buffers, req->nr_buffers, sizeof(*bo));
756 if (IS_ERR(bo)) {
757 u_free(push);
758 return nouveau_abi16_put(abi16, PTR_ERR(bo));
759 }
760
** CID 145720: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_connector.c: 310 in nouveau_connector_detect()
________________________________________________________________________________________________________
*** CID 145720: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_connector.c: 310 in nouveau_connector_detect()
304 nv_partner->dcb->type == DCB_OUTPUT_ANALOG))) {
305 if (nv_connector->edid->input & DRM_EDID_INPUT_DIGITAL)
306 type = DCB_OUTPUT_TMDS;
307 else
308 type = DCB_OUTPUT_ANALOG;
309
>>> CID 145720: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "nv_encoder" = null return value from "find_encoder". The result is passed to nouveau_connector_set_encoder() on line 313 with no NULL check in between.
310 nv_encoder = find_encoder(connector, type);
311 }
312
313 nouveau_connector_set_encoder(connector, nv_encoder);
314 conn_status = connector_status_connected;
315 goto out;
** CID 200513: (INTEGER_OVERFLOW)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 758 in nouveau_gem_ioctl_pushbuf()
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 753 in nouveau_gem_ioctl_pushbuf()
________________________________________________________________________________________________________
*** CID 200513: (INTEGER_OVERFLOW)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 758 in nouveau_gem_ioctl_pushbuf()
752 if (IS_ERR(push))
753 return nouveau_abi16_put(abi16, PTR_ERR(push));
754
755 bo = u_memcpya(req->buffers, req->nr_buffers, sizeof(*bo));
756 if (IS_ERR(bo)) {
757 u_free(push);
>>> CID 200513: (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "nouveau_abi16_put(abi16, PTR_ERR(bo))" used as return value.
758 return nouveau_abi16_put(abi16, PTR_ERR(bo));
759 }
760
761 /* Ensure all push buffers are on validate list */
762 for (i = 0; i < req->nr_push; i++) {
763 if (push[i].bo_index >= req->nr_buffers) {
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 753 in nouveau_gem_ioctl_pushbuf()
747 req->nr_relocs, NOUVEAU_GEM_MAX_RELOCS);
748 return nouveau_abi16_put(abi16, -EINVAL);
749 }
750
751 push = u_memcpya(req->push, req->nr_push, sizeof(*push));
752 if (IS_ERR(push))
>>> CID 200513: (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "nouveau_abi16_put(abi16, PTR_ERR(push))" used as return value.
753 return nouveau_abi16_put(abi16, PTR_ERR(push));
754
755 bo = u_memcpya(req->buffers, req->nr_buffers, sizeof(*bo));
756 if (IS_ERR(bo)) {
757 u_free(push);
758 return nouveau_abi16_put(abi16, PTR_ERR(bo));
** CID 200514: Insecure data handling (INTEGER_OVERFLOW)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 627 in nouveau_gem_pushbuf_reloc_apply()
________________________________________________________________________________________________________
*** CID 200514: Insecure data handling (INTEGER_OVERFLOW)
/sys/external/bsd/drm2/dist/drm/nouveau/nouveau_gem.c: 627 in nouveau_gem_pushbuf_reloc_apply()
621 struct drm_nouveau_gem_pushbuf_reloc *reloc = NULL;
622 int ret = 0;
623 unsigned i;
624
625 reloc = u_memcpya(req->relocs, req->nr_relocs, sizeof(*reloc));
626 if (IS_ERR(reloc))
>>> CID 200514: Insecure data handling (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "PTR_ERR(reloc)" used as return value.
627 return PTR_ERR(reloc);
628
629 for (i = 0; i < req->nr_relocs; i++) {
630 struct drm_nouveau_gem_pushbuf_reloc *r = &reloc[i];
631 struct drm_nouveau_gem_pushbuf_bo *b;
632 struct nouveau_bo *nvbo;
** CID 201378: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_nv50.c: 173 in mxm_dcb_sanitise_entry()
________________________________________________________________________________________________________
*** CID 201378: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_nv50.c: 173 in mxm_dcb_sanitise_entry()
167 break;
168 case 0x03: /* DVI-D */
169 type = DCB_CONNECTOR_DVI_D;
170 break;
171 case 0x0e: /* eDP, falls through to DPint */
172 ctx.outp[1] |= 0x00010000;
>>> CID 201378: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one. The comment on line 171 ("falls through to DPint") states that this fall-through is intended.
173 case 0x07: /* DP internal, wtf is this?? HP8670w */
174 ctx.outp[1] |= 0x00000004; /* use_power_scripts? */
175 type = DCB_CONNECTOR_eDP;
176 break;
177 default:
178 break;
** CID 703385: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/fifo/nouveau_engine_fifo_nv40.c: 318 in nv40_fifo_init()
________________________________________________________________________________________________________
*** CID 703385: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/fifo/nouveau_engine_fifo_nv40.c: 318 in nv40_fifo_init()
312
313 switch (nv_device(priv)->chipset) {
314 case 0x47:
315 case 0x49:
316 case 0x4b:
317 nv_wr32(priv, 0x002230, 0x00000001);
>>> CID 703385: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
318 case 0x40:
319 case 0x41:
320 case 0x42:
321 case 0x43:
322 case 0x45:
323 case 0x48:
** CID 709895: Null pointer dereferences (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_mxms.c: 177 in mxms_foreach()
________________________________________________________________________________________________________
*** CID 709895: Null pointer dereferences (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/mxm/nouveau_subdev_mxm_mxms.c: 177 in mxms_foreach()
171 pr_cont("%02x", dump[j]);
172 pr_cont("\n");
173 }
174 }
175
176 if (types & (1 << type)) {
>>> CID 709895: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "exec".
177 if (!exec(mxm, desc, info))
178 return false;
179 }
180
181 desc += headerlen + (entries * recordlen);
182 }
** CID 731484: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 128 in nouveau_namedb_get()
________________________________________________________________________________________________________
*** CID 731484: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 128 in nouveau_namedb_get()
122 {
123 struct nouveau_handle *handle;
124 read_lock(&namedb->lock);
125 handle = nouveau_namedb_lookup(namedb, name);
126 if (handle == NULL)
127 read_unlock(&namedb->lock);
>>> CID 731484: Program hangs (LOCK)
>>> Returning without unlocking "namedb->lock".
128 return handle;
129 }
130
131 struct nouveau_handle *
132 nouveau_namedb_get_class(struct nouveau_namedb *namedb, u16 oclass)
133 {
** CID 731485: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 161 in nouveau_namedb_get_cinst()
________________________________________________________________________________________________________
*** CID 731485: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 161 in nouveau_namedb_get_cinst()
155 {
156 struct nouveau_handle *handle;
157 read_lock(&namedb->lock);
158 handle = nouveau_namedb_lookup_cinst(namedb, cinst);
159 if (handle == NULL)
160 read_unlock(&namedb->lock);
>>> CID 731485: Program hangs (LOCK)
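>>> Returning without unlocking "namedb->lock". The read lock is released only when the lookup returns NULL, so a non-NULL handle is returned with the lock still held; before treating this as a leak, check whether nouveau_namedb_put() (defined starting at line 165) is the matching release.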
161 return handle;
162 }
163
164 void
165 nouveau_namedb_put(struct nouveau_handle *handle)
166 {
** CID 731486: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 139 in nouveau_namedb_get_class()
________________________________________________________________________________________________________
*** CID 731486: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 139 in nouveau_namedb_get_class()
133 {
134 struct nouveau_handle *handle;
135 read_lock(&namedb->lock);
136 handle = nouveau_namedb_lookup_class(namedb, oclass);
137 if (handle == NULL)
138 read_unlock(&namedb->lock);
>>> CID 731486: Program hangs (LOCK)
>>> Returning without unlocking "namedb->lock".
139 return handle;
140 }
141
142 struct nouveau_handle *
143 nouveau_namedb_get_vinst(struct nouveau_namedb *namedb, u64 vinst)
144 {
** CID 731487: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 150 in nouveau_namedb_get_vinst()
________________________________________________________________________________________________________
*** CID 731487: Program hangs (LOCK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/core/nouveau_core_namedb.c: 150 in nouveau_namedb_get_vinst()
144 {
145 struct nouveau_handle *handle;
146 read_lock(&namedb->lock);
147 handle = nouveau_namedb_lookup_vinst(namedb, vinst);
148 if (handle == NULL)
149 read_unlock(&namedb->lock);
>>> CID 731487: Program hangs (LOCK)
>>> Returning without unlocking "namedb->lock".
150 return handle;
151 }
152
153 struct nouveau_handle *
154 nouveau_namedb_get_cinst(struct nouveau_namedb *namedb, u32 cinst)
155 {
** CID 731489: Incorrect expression (NO_EFFECT)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_i2c.c: 53 in dcb_i2c_table()
________________________________________________________________________________________________________
*** CID 731489: Incorrect expression (NO_EFFECT)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_i2c.c: 53 in dcb_i2c_table()
47 if (i2c && *ver >= 0x30) {
48 *ver = nv_ro08(bios, i2c + 0);
49 *hdr = nv_ro08(bios, i2c + 1);
50 *cnt = nv_ro08(bios, i2c + 2);
51 *len = nv_ro08(bios, i2c + 3);
52 } else {
>>> CID 731489: Incorrect expression (NO_EFFECT)
>>> Assignment operation "*ver = *ver" has no effect.
53 *ver = *ver; /* use DCB version */
54 *hdr = 0;
55 *cnt = 16;
56 *len = 4;
57 }
58
** CID 731510: (USE_AFTER_FREE)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 414 in nouveau_bios_shadow()
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 422 in nouveau_bios_shadow()
________________________________________________________________________________________________________
*** CID 731510: (USE_AFTER_FREE)
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 414 in nouveau_bios_shadow()
408 } while (mthd->score != 3 && (++mthd)->shadow);
409
410 mthd = shadow_methods;
411 best = mthd;
412 do {
413 if (mthd->score > best->score) {
>>> CID 731510: (USE_AFTER_FREE)
>>> Calling "kfree" frees pointer "best->data" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
414 kfree(best->data);
415 best = mthd;
416 }
417 } while ((++mthd)->shadow);
418
419 if (best->score) {
/sys/external/bsd/drm2/dist/drm/nouveau/core/subdev/bios/nouveau_subdev_bios_base.c: 422 in nouveau_bios_shadow()
416 }
417 } while ((++mthd)->shadow);
418
419 if (best->score) {
420 nv_info(bios, "using image from %s\n", best->desc);
421 bios->size = best->size;
>>> CID 731510: (USE_AFTER_FREE)
>>> Using freed pointer "best->data".
422 bios->data = best->data;
423 return 0;
424 }
425
426 nv_error(bios, "unable to locate usable image\n");
427 return -EINVAL;
** CID 741236: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/dmaobj/nouveau_engine_dmaobj_nv04.c: 102 in nv04_dmaobj_bind()
________________________________________________________________________________________________________
*** CID 741236: Control flow issues (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/nouveau/core/engine/dmaobj/nouveau_engine_dmaobj_nv04.c: 102 in nv04_dmaobj_bind()
96 switch (dmaobj->access) {
97 case NV_MEM_ACCESS_RO:
98 flags0 |= 0x00004000;
99 break;
100 case NV_MEM_ACCESS_WO:
101 flags0 |= 0x00008000;
>>> CID 741236: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
102 case NV_MEM_ACCESS_RW:
103 flags2 |= 0x00000002;
104 break;
105 default:
106 return -EINVAL;
107 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-kernel?tab=overview