New Defects reported by Coverity Scan for NetBSD-i386-kernel

To: coverity-updates%netbsd.org@localhost
Subject: New Defects reported by Coverity Scan for NetBSD-i386-kernel
From: scan-admin%coverity.com@localhost
Date: 2016年11月30日 17:13:32 -0800
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
11 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)
** CID 1066206: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 1643 in vmxnet3_reinit_shared_data()
________________________________________________________________________________________________________
*** CID 1066206: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/arch/x86/pci/if_vmx.c: 1643 in vmxnet3_reinit_shared_data()
1637 		ds->upt_features |= UPT1_F_RSS;
1638 		vmxnet3_reinit_rss_shared_data(sc);
1639 	}
1640 
1641 	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSL, sc->vmx_ds_dma.dma_paddr);
1642 	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSH,
>>> CID 1066206: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "(__uint64_t)sc->vmx_ds_dma.dma_paddr >> 32" is 0 regardless of the values of its operands. This occurs as an argument to a function call.
1643 	 (uint64_t) sc->vmx_ds_dma.dma_paddr >> 32);
1644 }
1645 
1646 int
1647 vmxnet3_alloc_data(struct vmxnet3_softc *sc)
1648 {
** CID 1396598: Null pointer dereferences (FORWARD_NULL)
/sys/netinet6/in6_src.c: 673 in in6_selectroute()
________________________________________________________________________________________________________
*** CID 1396598: Null pointer dereferences (FORWARD_NULL)
/sys/netinet6/in6_src.c: 673 in in6_selectroute()
667 	 * the interface specified by ipi6_ifindex (if specified).
668 	 * Note that loopback interface is always okay.
669 	 * (this may happen when we are sending a packet to one of
670 	 * our own addresses.)
671 	 */
672 	if (opts && opts->ip6po_pktinfo && opts->ip6po_pktinfo->ipi6_ifindex) {
>>> CID 1396598: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "rt".
673 		if (!(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
674 		 rt->rt_ifp->if_index != opts->ip6po_pktinfo->ipi6_ifindex) {
675 			if (rt != NULL && count_discard)
676 				in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
677 			error = EHOSTUNREACH;
678 			rt = NULL;
** CID 1396600: Null pointer dereferences (FORWARD_NULL)
/sys/net/if_spppsubr.c: 4915 in sppp_set_ip_addrs_work()
________________________________________________________________________________________________________
*** CID 1396600: Null pointer dereferences (FORWARD_NULL)
/sys/net/if_spppsubr.c: 4915 in sppp_set_ip_addrs_work()
4909 	else if (dest != NULL)
4910 		hisaddr = ntohl(dest->sin_addr.s_addr);
4911 
4912 	if (si != NULL) {
4913 		int error;
4914 		struct sockaddr_in new_sin = *si;
>>> CID 1396600: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dest".
4915 		struct sockaddr_in new_dst = *dest;
4916 
4917 		if (myaddr != 0)
4918 			new_sin.sin_addr.s_addr = htonl(myaddr);
4919 		if (hisaddr != 0) {
4920 			new_dst.sin_addr.s_addr = htonl(hisaddr);
** CID 1396620: Null pointer dereferences (NULL_RETURNS)
/sys/dev/scsipi/scsiconf.c: 473 in scsidevdetached()
________________________________________________________________________________________________________
*** CID 1396620: Null pointer dereferences (NULL_RETURNS)
/sys/dev/scsipi/scsiconf.c: 473 in scsidevdetached()
467 	target = device_locator(child, SCSIBUSCF_TARGET);
468 	lun = device_locator(child, SCSIBUSCF_LUN);
469 
470 	mutex_enter(chan_mtx(chan));
471 
472 	periph = scsipi_lookup_periph_locked(chan, target, lun);
>>> CID 1396620: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "periph".
473 	KASSERT(periph->periph_dev == child);
474 
475 	scsipi_remove_periph(chan, periph);
476 	scsipi_free_periph(periph);
477 
478 	mutex_exit(chan_mtx(chan));
** CID 1396634: Null pointer dereferences (REVERSE_INULL)
/sys/netinet6/in6_src.c: 675 in in6_selectroute()
________________________________________________________________________________________________________
*** CID 1396634: Null pointer dereferences (REVERSE_INULL)
/sys/netinet6/in6_src.c: 675 in in6_selectroute()
669 	 * (this may happen when we are sending a packet to one of
670 	 * our own addresses.)
671 	 */
672 	if (opts && opts->ip6po_pktinfo && opts->ip6po_pktinfo->ipi6_ifindex) {
673 		if (!(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
674 		 rt->rt_ifp->if_index != opts->ip6po_pktinfo->ipi6_ifindex) {
>>> CID 1396634: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "rt" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
675 			if (rt != NULL && count_discard)
676 				in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
677 			error = EHOSTUNREACH;
678 			rt = NULL;
679 		}
680 	}
** CID 1396646: Integer handling issues (BAD_SHIFT)
/sys/arch/x86/pci/if_vmx.c: 1642 in vmxnet3_reinit_shared_data()
________________________________________________________________________________________________________
*** CID 1396646: Integer handling issues (BAD_SHIFT)
/sys/arch/x86/pci/if_vmx.c: 1642 in vmxnet3_reinit_shared_data()
1636 	if (sc->vmx_flags & VMXNET3_FLAG_RSS) {
1637 		ds->upt_features |= UPT1_F_RSS;
1638 		vmxnet3_reinit_rss_shared_data(sc);
1639 	}
1640 
1641 	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSL, sc->vmx_ds_dma.dma_paddr);
>>> CID 1396646: Integer handling issues (BAD_SHIFT)
>>> In expression "(__uint64_t)sc->vmx_ds_dma.dma_paddr >> 32", right shifting "sc->vmx_ds_dma.dma_paddr" by more than 31 bits always yields zero. The shift amount is 32.
1642 	vmxnet3_write_bar1(sc, VMXNET3_BAR1_DSH,
1643 	 (uint64_t) sc->vmx_ds_dma.dma_paddr >> 32);
1644 }
1645 
1646 int
1647 vmxnet3_alloc_data(struct vmxnet3_softc *sc)
** CID 1396647: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2320 in vmxnet3_stop_locked()
________________________________________________________________________________________________________
*** CID 1396647: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2320 in vmxnet3_stop_locked()
2314 vmxnet3_stop_locked(struct vmxnet3_softc *sc)
2315 {
2316 	struct ifnet *ifp;
2317 	int q;
2318 
2319 	ifp = &sc->vmx_ethercom.ec_if;
>>> CID 1396647: Error handling issues (CHECKED_RETURN)
>>> Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
2320 	VMXNET3_CORE_LOCK_ASSERT(sc);
2321 
2322 	ifp->if_flags &= ~IFF_RUNNING;
2323 	sc->vmx_link_active = 0;
2324 	callout_stop(&sc->vmx_tick);
2325 
** CID 1396648: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2018 in vmxnet3_rxq_eof()
________________________________________________________________________________________________________
*** CID 1396648: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2018 in vmxnet3_rxq_eof()
2012 	int idx, length;
2013 
2014 	sc = rxq->vxrxq_sc;
2015 	ifp = &sc->vmx_ethercom.ec_if;
2016 	rxc = &rxq->vxrxq_comp_ring;
2017 
>>> CID 1396648: Error handling issues (CHECKED_RETURN)
>>> Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
2018 	VMXNET3_RXQ_LOCK_ASSERT(rxq);
2019 
2020 	if ((ifp->if_flags & IFF_RUNNING) == 0)
2021 		return;
2022 
2023 	m_head = rxq->vxrxq_mhead;
** CID 1396649: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2750 in vmxnet3_start_locked()
________________________________________________________________________________________________________
*** CID 1396649: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 2750 in vmxnet3_start_locked()
2744 
2745 	sc = ifp->if_softc;
2746 	txq = &sc->vmx_txq[0];
2747 	txr = &txq->vxtxq_cmd_ring;
2748 	tx = 0;
2749 
>>> CID 1396649: Error handling issues (CHECKED_RETURN)
>>> Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
2750 	VMXNET3_TXQ_LOCK_ASSERT(txq);
2751 
2752 	if ((ifp->if_flags & IFF_RUNNING) == 0 ||
2753 	 sc->vmx_link_active == 0)
2754 		return;
2755 
** CID 1396650: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 1793 in vmxnet3_txq_eof()
________________________________________________________________________________________________________
*** CID 1396650: Error handling issues (CHECKED_RETURN)
/sys/arch/x86/pci/if_vmx.c: 1793 in vmxnet3_txq_eof()
1787 	u_int sop;
1788 
1789 	sc = txq->vxtxq_sc;
1790 	txr = &txq->vxtxq_cmd_ring;
1791 	txc = &txq->vxtxq_comp_ring;
1792 
>>> CID 1396650: Error handling issues (CHECKED_RETURN)
>>> Calling "mutex_owned" without checking return value (as is done elsewhere 1001 out of 1007 times).
1793 	VMXNET3_TXQ_LOCK_ASSERT(txq);
1794 
1795 	for (;;) {
1796 		txcd = &txc->vxcr_u.txcd[txc->vxcr_next];
1797 		if (txcd->gen != txc->vxcr_gen)
1798 			break;
** CID 1396651: Null pointer dereferences (NULL_RETURNS)
/sys/arch/x86/pci/if_vmx.c: 2568 in vmxnet3_txq_offload_ctx()
________________________________________________________________________________________________________
*** CID 1396651: Null pointer dereferences (NULL_RETURNS)
/sys/arch/x86/pci/if_vmx.c: 2568 in vmxnet3_txq_offload_ctx()
2562 	mp = m_pulldown(m, 0, *csum_start + 2, &offp);
2563 
2564 	if (m->m_pkthdr.csum_flags & (M_CSUM_TSOv4 | M_CSUM_TSOv6)) {
2565 		struct tcphdr *tcp;
2566 
2567 		txq->vxtxq_stats.vmtxs_tso++;
>>> CID 1396651: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "mp".
2568 		tcp = (void *)(mtod(mp, char *) + offp + *start);
2569 
2570 		if (v4) {
2571 			struct ip *ip;
2572 
2573 			ip = (void *)(mtod(mp, char *) + offp + offset);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBjEGdxS-2FDDouPkeZ4HbDca3C30UoLW748TLKQM-2BXRpGRc-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05VHR-2FA39-2FwoDCeZG-2FA5e-2FTI9neGQNNPA-2F1t6qFfLpFeBBeesUscWNmHkYZwXs2-2BVZZtcdeuGXYDE-2BTRidFqADFRC3SD3Vroecua1KLmyZgSDfA3z98NGgnVqtoDq4dp7XBXLpeKczAWGBdvI3xVJ0X4It-2BLUZv8id84eCvlGgc8xjBtUg0k5E-2Bq7yNyZSpzhwM-3D
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4m7U7Yoel-2F6MYPxol7ToiLwYIjoNbVQOCAwEeTNJofEDwTlN0JRhKMyijhpnAObR-2FlLVG-2Fr3EBKWgiICNdX1HPA6Ws0-2F1wHBf2tG9AnMDB8g-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05VHR-2FA39-2FwoDCeZG-2FA5e-2FTI9neGQNNPA-2F1t6qFfLpFeBPc6zyo1iyBwJSATe0a9TGzarHXzbWEPPmrOxHruLn0x4nwZw0kCOQm5ErZUUbLOr2eGQedeAULq2qGXpOquGq366WTStfwYdQ-2FlIo6tax11gcdXsHo0Lq5WwXI2m4c1k8EZASG6tYM9R2sSxWnvln0-3D
Prev by Date: New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Next by Date: New Defects reported by Coverity Scan for NetBSD-i386-user
Previous by Thread: New Defects reported by Coverity Scan for NetBSD-i386-kernel
Next by Thread: New Defects reported by Coverity Scan for NetBSD-i386-kernel
Indexes:
Home | Main Index | Thread Index | Old Index