Coverity-updates archive
[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index][
Old Index]
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
910 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
47 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 910 defect(s)
** CID 141373: Buffer not null terminated (BUFFER_SIZE_WARNING)
/sys/external/bsd/drm2/dist/drm/i915/intel_tv.c: 1415 in intel_tv_get_modes()
** CID 141381: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2928 in intel_sdvo_create_enhance_property()
** CID 141432: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2275 in intel_sdvo_guess_ddc_bus()
** CID 141433: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2269 in intel_sdvo_guess_ddc_bus()
** CID 141434: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2273 in intel_sdvo_guess_ddc_bus()
** CID 141435: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2277 in intel_sdvo_guess_ddc_bus()
** CID 141436: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2271 in intel_sdvo_guess_ddc_bus()
** CID 200527: Inferred misuse of enum (MIXED_ENUMS)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 10658 in intel_crtc_init()
** CID 741133: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_drv.h: 2410 in i915_gem_object_pin_fence()
** CID 741134: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3901 in i915_gem_object_get_fence()
** CID 741135: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3814 in i915_gem_object_put_fence()
** CID 741235: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/i915_gpu_error.c: 1288 in i915_get_extra_instdone()
** CID 741246: Negative array index read (NEGATIVE_RETURNS)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3469 in i915_gem_object_sync()
** CID 976668: Argument cannot be negative (NEGATIVE_RETURNS)
/crypto/external/bsd/heimdal/dist/lib/roken/resolve.c: 561 in dns_lookup_int()
** CID 976987: Dereference null return value (NULL_RETURNS)
/sys/ufs/chfs/chfs_readinode.c: 767 in chfs_add_full_dnode_to_inode()
** CID 980099: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/drm_bufs.c: 329 in drm_rmmap_user()
** CID 980100: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/via_dmablit.c: 242 in via_lock_all_dma_pages()
** CID 1007806: Out-of-bounds access (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1909 in intel_sdvo_get_tv_modes()
** CID 1009048: Missing parentheses (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/drm2/dist/drm/i915/i915_dma.c: 116 in i915_write_hws_pga()
** CID 1056510: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 7217 in haswell_get_pipe_config()
________________________________________________________________________________________________________
*** CID 141373: Buffer not null terminated (BUFFER_SIZE_WARNING)
/sys/external/bsd/drm2/dist/drm/i915/intel_tv.c: 1415 in intel_tv_get_modes()
1409 && !tv_mode->component_only))
1410 continue;
1411
1412 mode_ptr = drm_mode_create(connector->dev);
1413 if (!mode_ptr)
1414 continue;
>>> CID 141373: Buffer not null terminated (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 32 bytes on destination array "mode_ptr->name" of size 32 bytes might leave the destination string unterminated.
1415 strncpy(mode_ptr->name, input->name, DRM_DISPLAY_MODE_LEN);
1416
1417 mode_ptr->hdisplay = hactive_s;
1418 mode_ptr->hsync_start = hactive_s + 1;
1419 mode_ptr->hsync_end = hactive_s + 64;
1420 if (mode_ptr->hsync_end <= mode_ptr->hsync_start)
________________________________________________________________________________________________________
*** CID 141381: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2928 in intel_sdvo_create_enhance_property()
2922 uint16_t response;
2923 } enhancements;
2924
2925 BUILD_BUG_ON(sizeof(enhancements) != 2);
2926
2927 enhancements.response = 0;
>>> CID 141381: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "intel_sdvo_get_value(intel_sdvo, 132, &enhancements, 2)".
2928 intel_sdvo_get_value(intel_sdvo,
2929 SDVO_CMD_GET_SUPPORTED_ENHANCEMENTS,
2930 &enhancements, sizeof(enhancements));
2931 if (enhancements.response == 0) {
2932 DRM_DEBUG_KMS("No enhancement is supported\n");
2933 return true;
________________________________________________________________________________________________________
*** CID 141432: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2275 in intel_sdvo_guess_ddc_bus()
2269 case SDVO_OUTPUT_LVDS0:
2270 mask |= SDVO_OUTPUT_LVDS0;
2271 case SDVO_OUTPUT_TMDS1:
2272 mask |= SDVO_OUTPUT_TMDS1;
2273 case SDVO_OUTPUT_TMDS0:
2274 mask |= SDVO_OUTPUT_TMDS0;
>>> CID 141432: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
2275 case SDVO_OUTPUT_RGB1:
2276 mask |= SDVO_OUTPUT_RGB1;
2277 case SDVO_OUTPUT_RGB0:
2278 mask |= SDVO_OUTPUT_RGB0;
2279 break;
2280 }
________________________________________________________________________________________________________
*** CID 141433: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2269 in intel_sdvo_guess_ddc_bus()
2263 /* Make a mask of outputs less than or equal to our own priority in the
2264 * list.
2265 */
2266 switch (sdvo->controlled_output) {
2267 case SDVO_OUTPUT_LVDS1:
2268 mask |= SDVO_OUTPUT_LVDS1;
>>> CID 141433: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
2269 case SDVO_OUTPUT_LVDS0:
2270 mask |= SDVO_OUTPUT_LVDS0;
2271 case SDVO_OUTPUT_TMDS1:
2272 mask |= SDVO_OUTPUT_TMDS1;
2273 case SDVO_OUTPUT_TMDS0:
2274 mask |= SDVO_OUTPUT_TMDS0;
________________________________________________________________________________________________________
*** CID 141434: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2273 in intel_sdvo_guess_ddc_bus()
2267 case SDVO_OUTPUT_LVDS1:
2268 mask |= SDVO_OUTPUT_LVDS1;
2269 case SDVO_OUTPUT_LVDS0:
2270 mask |= SDVO_OUTPUT_LVDS0;
2271 case SDVO_OUTPUT_TMDS1:
2272 mask |= SDVO_OUTPUT_TMDS1;
>>> CID 141434: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
2273 case SDVO_OUTPUT_TMDS0:
2274 mask |= SDVO_OUTPUT_TMDS0;
2275 case SDVO_OUTPUT_RGB1:
2276 mask |= SDVO_OUTPUT_RGB1;
2277 case SDVO_OUTPUT_RGB0:
2278 mask |= SDVO_OUTPUT_RGB0;
________________________________________________________________________________________________________
*** CID 141435: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2277 in intel_sdvo_guess_ddc_bus()
2271 case SDVO_OUTPUT_TMDS1:
2272 mask |= SDVO_OUTPUT_TMDS1;
2273 case SDVO_OUTPUT_TMDS0:
2274 mask |= SDVO_OUTPUT_TMDS0;
2275 case SDVO_OUTPUT_RGB1:
2276 mask |= SDVO_OUTPUT_RGB1;
>>> CID 141435: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
2277 case SDVO_OUTPUT_RGB0:
2278 mask |= SDVO_OUTPUT_RGB0;
2279 break;
2280 }
2281
2282 /* Count bits to find what number we are in the priority list. */
________________________________________________________________________________________________________
*** CID 141436: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 2271 in intel_sdvo_guess_ddc_bus()
2265 */
2266 switch (sdvo->controlled_output) {
2267 case SDVO_OUTPUT_LVDS1:
2268 mask |= SDVO_OUTPUT_LVDS1;
2269 case SDVO_OUTPUT_LVDS0:
2270 mask |= SDVO_OUTPUT_LVDS0;
>>> CID 141436: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
2271 case SDVO_OUTPUT_TMDS1:
2272 mask |= SDVO_OUTPUT_TMDS1;
2273 case SDVO_OUTPUT_TMDS0:
2274 mask |= SDVO_OUTPUT_TMDS0;
2275 case SDVO_OUTPUT_RGB1:
2276 mask |= SDVO_OUTPUT_RGB1;
________________________________________________________________________________________________________
*** CID 200527: Inferred misuse of enum (MIXED_ENUMS)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 10658 in intel_crtc_init()
10652
10653 /*
10654 * On gen2/3 only plane A can do fbc, but the panel fitter and lvds port
10655 * is hooked to plane B. Hence we want plane A feeding pipe B.
10656 */
10657 intel_crtc->pipe = pipe;
>>> CID 200527: Inferred misuse of enum (MIXED_ENUMS)
>>> Mixing enum types enum i915_pipe and enum plane for "pipe".
10658 intel_crtc->plane = pipe;
10659 if (HAS_FBC(dev) && INTEL_INFO(dev)->gen < 4) {
10660 DRM_DEBUG_KMS("swapping pipes & planes for FBC\n");
10661 intel_crtc->plane = !pipe;
10662 }
10663
________________________________________________________________________________________________________
*** CID 741133: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_drv.h: 2410 in i915_gem_object_pin_fence()
2404 {
2405 if (obj->fence_reg != I915_FENCE_REG_NONE) {
2406 struct drm_i915_private *dev_priv = obj->base.dev->dev_private;
2407 dev_priv->fence_regs[obj->fence_reg].pin_count++;
2408 return true;
2409 } else
>>> CID 741133: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "return false;".
2410 return false;
2411 }
2412
2413 static inline void
2414 i915_gem_object_unpin_fence(struct drm_i915_gem_object *obj)
2415 {
________________________________________________________________________________________________________
*** CID 741134: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3901 in i915_gem_object_get_fence()
3895 reg = &dev_priv->fence_regs[obj->fence_reg];
3896 if (!obj->fence_dirty) {
3897 list_move_tail(®->lru_list,
3898 &dev_priv->mm.fence_list);
3899 return 0;
3900 }
>>> CID 741134: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "if (enable){
reg = i915_f...".
3901 } else if (enable) {
3902 reg = i915_find_fence_reg(dev);
3903 if (IS_ERR(reg))
3904 return PTR_ERR(reg);
3905
3906 if (reg->obj) {
________________________________________________________________________________________________________
*** CID 741135: Logically dead code (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3814 in i915_gem_object_put_fence()
3808
3809 ret = i915_gem_object_wait_fence(obj);
3810 if (ret)
3811 return ret;
3812
3813 if (obj->fence_reg == I915_FENCE_REG_NONE)
>>> CID 741135: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "return 0;".
3814 return 0;
3815
3816 fence = &dev_priv->fence_regs[obj->fence_reg];
3817
3818 i915_gem_object_fence_lost(obj);
3819 i915_gem_object_update_fence(obj, fence, false);
________________________________________________________________________________________________________
*** CID 741235: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/i915_gpu_error.c: 1288 in i915_get_extra_instdone()
1282 case 6:
1283 instdone[0] = I915_READ(INSTDONE_I965);
1284 instdone[1] = I915_READ(INSTDONE1);
1285 break;
1286 default:
1287 WARN_ONCE(1, "Unsupported platform\n");
>>> CID 741235: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
1288 case 7:
1289 case 8:
1290 instdone[0] = I915_READ(GEN7_INSTDONE_1);
1291 instdone[1] = I915_READ(GEN7_SC_INSTDONE);
1292 instdone[2] = I915_READ(GEN7_SAMPLER_INSTDONE);
1293 instdone[3] = I915_READ(GEN7_ROW_INSTDONE);
1294 break;
1295 }
________________________________________________________________________________________________________
*** CID 741246: Negative array index read (NEGATIVE_RETURNS)
/sys/external/bsd/drm2/dist/drm/i915/i915_gem.c: 3469 in i915_gem_object_sync()
3463 if (to == NULL || !i915_semaphore_is_enabled(obj->base.dev))
3464 return i915_gem_object_wait_rendering(obj, false);
3465
3466 idx = intel_ring_sync_index(from, to);
3467
3468 seqno = obj->last_read_seqno;
>>> CID 741246: Negative array index read (NEGATIVE_RETURNS)
>>> Using variable "idx" as an index to array "from->sync_seqno".
3469 if (seqno <= from->sync_seqno[idx])
3470 return 0;
3471
3472 ret = i915_gem_check_olr(obj->ring, seqno);
3473 if (ret)
3474 return ret;
________________________________________________________________________________________________________
*** CID 976668: Argument cannot be negative (NEGATIVE_RETURNS)
/crypto/external/bsd/heimdal/dist/lib/roken/resolve.c: 561 in dns_lookup_int()
555 #elif defined(HAVE_RES_NSEARCH)
556 state.options |= RES_DEBUG;
557 #endif
558 fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain,
559 rr_class, rk_dns_type_to_string(rr_type), len);
560 }
>>> CID 976668: Argument cannot be negative (NEGATIVE_RETURNS)
>>> "len" is passed to a parameter that cannot be negative.
561 reply = malloc(len);
562 if (reply == NULL) {
563 resolve_free_handle(handle);
564 return NULL;
565 }
566
________________________________________________________________________________________________________
*** CID 976987: Dereference null return value (NULL_RETURNS)
/sys/ufs/chfs/chfs_readinode.c: 767 in chfs_add_full_dnode_to_inode()
761
762 /* Check previous fragment. */
763 if (newfrag->ofs & (PAGE_SIZE - 1)) {
764 struct chfs_node_frag *prev = frag_prev(&ip->fragtree, newfrag);
765
766 CHFS_MARK_REF_NORMAL(fd->nref);
>>> CID 976987: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a null pointer "prev".
767 if (prev->node)
768 CHFS_MARK_REF_NORMAL(prev->node->nref);
769 }
770
771 /* Check next fragment. */
772 if ((newfrag->ofs+newfrag->size) & (PAGE_SIZE - 1)) {
________________________________________________________________________________________________________
*** CID 980099: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/drm_bufs.c: 329 in drm_rmmap_user()
323 paddr_t pa;
324 struct vm_page *pg;
325
326 va = (vaddr_t)addr;
327 eva = va + size;
328 for (; va < eva; va += PAGE_SIZE) {
>>> CID 980099: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "pmap_extract(kernel_pmap_ptr, va, &pa)".
329 pmap_extract(pmap_kernel(), va, &pa);
330 pg = PHYS_TO_VM_PAGE(pa);
331 pmap_page_protect(pg, VM_PROT_NONE);
332 }
333 }
334
________________________________________________________________________________________________________
*** CID 980100: Unchecked return value (CHECKED_RETURN)
/sys/external/bsd/drm/dist/bsd-core/via_dmablit.c: 242 in via_lock_all_dma_pages()
236
237 if (uvm_vslock(curproc->p_vmspace, xfer->mem_addr,
238 vsg->num_pages * PAGE_SIZE, VM_PROT_READ | VM_PROT_WRITE) != 0)
239 return -EACCES;
240
241 for (i = 0; i < vsg->num_pages; i++) {
>>> CID 980100: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "pmap_extract(x86_curlwp()->l_proc->p_vmspace->vm_map.pmap, (vaddr_t)xfer->mem_addr + i * 4096, &pa)".
242 pmap_extract(vm_map_pmap(&curproc->p_vmspace->vm_map),
243 (vaddr_t)xfer->mem_addr + (i * PAGE_SIZE), &pa);
244 vsg->pages[i] = PHYS_TO_VM_PAGE(pa);
245 if (vsg->pages[i] == NULL)
246 break;
247 }
________________________________________________________________________________________________________
*** CID 1007806: Out-of-bounds access (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/intel_sdvo.c: 1909 in intel_sdvo_get_tv_modes()
1903 connector->base.id, drm_get_connector_name(connector));
1904
1905 /* Read the list of supported input resolutions for the selected TV
1906 * format.
1907 */
1908 format_map = 1 << intel_sdvo->tv_format_index;
>>> CID 1007806: Out-of-bounds access (OVERRUN)
>>> Overrunning struct type intel_sdvo_sdtv_resolution_request of 3 bytes by passing it to a function which accesses it at byte offset 3 using argument "min(4U, 3U)" (which evaluates to 4).
1909 memcpy(&tv_res, &format_map,
1910 min(sizeof(format_map), sizeof(struct intel_sdvo_sdtv_resolution_request)));
1911
1912 if (!intel_sdvo_set_target_output(intel_sdvo, intel_sdvo->attached_output))
1913 return;
1914
________________________________________________________________________________________________________
*** CID 1009048: Missing parentheses (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/drm2/dist/drm/i915/i915_dma.c: 116 in i915_write_hws_pga()
110 {
111 struct drm_i915_private *dev_priv = dev->dev_private;
112 u32 addr;
113
114 addr = dev_priv->status_page_dmah->busaddr;
115 if (INTEL_INFO(dev)->gen >= 4)
>>> CID 1009048: Missing parentheses (CONSTANT_EXPRESSION_RESULT)
>>> "(dev_priv->status_page_dmah->busaddr >> 28) & 240" is always 0 regardless of the values of its operands. This occurs as the bitwise operand of '|='. Did you intend to apply '&' to "28" and "240"? If so, parentheses would be required to force this interpretation.
116 addr |= (dev_priv->status_page_dmah->busaddr >> 28) & 0xf0;
117 I915_WRITE(HWS_PGA, addr);
118 }
119
120 /**
121 * Frees the hardware status page, whether it's a physical address or a virtual
________________________________________________________________________________________________________
*** CID 1056510: Missing break in switch (MISSING_BREAK)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 7217 in haswell_get_pipe_config()
7211 tmp = I915_READ(TRANS_DDI_FUNC_CTL(TRANSCODER_EDP));
7212 if (tmp & TRANS_DDI_FUNC_ENABLE) {
7213 enum i915_pipe trans_edp_pipe;
7214 switch (tmp & TRANS_DDI_EDP_INPUT_MASK) {
7215 default:
7216 WARN(1, "unknown pipe linked to edp transcoder\n");
>>> CID 1056510: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
7217 case TRANS_DDI_EDP_INPUT_A_ONOFF:
7218 case TRANS_DDI_EDP_INPUT_A_ON:
7219 trans_edp_pipe = PIPE_A;
7220 break;
7221 case TRANS_DDI_EDP_INPUT_B_ONOFF:
7222 trans_edp_pipe = PIPE_B;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan.coverity.com/projects/1448?tab=overview
To unsubscribe from the email notification for new defects, http://scan5.coverity.com/cgi-bin/unsubscribe.py
Home |
Main Index |
Thread Index |
Old Index