Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Wed Aug 6 20:35:43 CEST 2025
Here's the latest report. Lets get these new issues addressed ASAP
please, thanks.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Wed, Aug 6, 2025 at 12:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 8
- 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 8 of 8 defect(s)
Defect Details
** CID 583812: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
_____________________________________________________________________________________________
*** CID 583812: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
997
998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
999 master->datstartaddr = ret;
1000 master->maxdevs = ret >> 16;
>>> CID 583812: Integer handling issues (BAD_SHIFT)
>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior. The shift amount, "63 - (master->maxdevs - 1)", is 64.
1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
1002
1003 ret = i3c_master_register(&master->base, dev,
1004 &dw_mipi_i3c_ops, false);
1005 if (ret)
1006 goto err_assert_rst;
** CID 583811: (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
_____________________________________________________________________________________________
*** CID 583811: (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
1604 }
1605
1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1610 return -EINVAL;
1611
1612 boardinfo->init_dyn_addr = init_dyn_addr;
1613 boardinfo->of_node = node;
1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
1615
/drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
1581 if (!boardinfo)
1582 return -ENOMEM;
1583
1584 if (reg[0]) {
1585 if (reg[0] > I3C_MAX_ADDR)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1586 return -EINVAL;
1587
1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589 reg[0]);
1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
1591 return -EINVAL;
/drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
1585 if (reg[0] > I3C_MAX_ADDR)
1586 return -EINVAL;
1587
1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589 reg[0]);
1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1591 return -EINVAL;
1592 }
1593
1594 boardinfo->static_addr = reg[0];
1595
1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
/drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
1592 }
1593
1594 boardinfo->static_addr = reg[0];
1595
1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
1597 if (init_dyn_addr > I3C_MAX_ADDR)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1598 return -EINVAL;
1599
1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601 init_dyn_addr);
1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
1603 return -EINVAL;
/drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
1597 if (init_dyn_addr > I3C_MAX_ADDR)
1598 return -EINVAL;
1599
1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601 init_dyn_addr);
1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1603 return -EINVAL;
1604 }
1605
1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
** CID 298388: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
_____________________________________________________________________________________________
*** CID 298388: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
573 return -ENOMEM;
574
575 cmd = xfer->cmds;
576 cmd->rx_buf = ccc->dests[0].payload.data;
577 cmd->rx_len = ccc->dests[0].payload.len;
578
>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
580 COMMAND_PORT_TRANSFER_ARG;
581
582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
583 COMMAND_PORT_CP |
584 COMMAND_PORT_DEV_INDEX(pos) |
** CID 298037: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
_____________________________________________________________________________________________
*** CID 298037: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
369 scl_timing = SCL_EXT_LCNT_1(lcnt);
370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
377
378 return 0;
379 }
380
** CID 296053: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
_____________________________________________________________________________________________
*** CID 296053: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
529 return -ENOMEM;
530
531 cmd = xfer->cmds;
532 cmd->tx_buf = ccc->dests[0].payload.data;
533 cmd->tx_len = ccc->dests[0].payload.len;
534
>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
536 COMMAND_PORT_TRANSFER_ARG;
537
538 cmd->cmd_lo = COMMAND_PORT_CP |
539 COMMAND_PORT_DEV_INDEX(pos) |
540 COMMAND_PORT_CMD(ccc->id) |
** CID 295976: (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
/drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
_____________________________________________________________________________________________
*** CID 295976: (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
389 return -EINVAL;
390
391 core_period = DIV_ROUND_UP(1000000000, core_rate);
392
393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
394 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>> CID 295976: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
/drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>> CID 295976: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
402 SCL_I2C_FM_TIMING_LCNT(lcnt);
403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
404
405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
406 writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
** CID 294913: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
_____________________________________________________________________________________________
*** CID 294913: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724 in
dw_i3c_master_priv_xfers()
718 if (!xfer)
719 return -ENOMEM;
720
721 for (i = 0; i < i3c_nxfers; i++) {
722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
723
>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
724 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
725 COMMAND_PORT_TRANSFER_ARG;
726
727 if (i3c_xfers[i].rnw) {
728 cmd->rx_buf = i3c_xfers[i].data.in;
729 cmd->rx_len = i3c_xfers[i].len;
** CID 294627: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
_____________________________________________________________________________________________
*** CID 294627: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
175 int status, bitpos = addr * 2;
176
177 if (addr > I2C_MAX_ADDR)
178 return I3C_ADDR_SLOT_RSVD;
179
180 status = bus->addrslots[bitpos / BITS_PER_LONG];
>>> CID 294627: Integer handling issues (BAD_SHIFT)
>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
181 status >>= bitpos % BITS_PER_LONG;
182
183 return status & I3C_ADDR_SLOT_STATUS_MASK;
184 }
185
186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250806/0da9a018/attachment.sig>
More information about the U-Boot
mailing list