New Defects reported by Coverity Scan for Das U-Boot
Maniyam, Dinesh
dinesh.maniyam at altera.com
Thu Aug 7 03:50:56 CEST 2025
Hi Tom
> -----Original Message-----
> From: Tom Rini <trini at konsulko.com>
> Sent: Thursday, 7 August 2025 2:36 am
> To: u-boot at lists.denx.de; Heiko Schocher <hs at denx.de>; Maniyam, Dinesh
> <dinesh.maniyam at altera.com>
> Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
>
> Here's the latest report. Lets get these new issues addressed ASAP please,
> thanks.
I will work on resolving the issues.
Thanks!
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Wed, Aug 6, 2025 at 12:23 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot* found
> with Coverity Scan.
>
> - *New Defects Found:* 8
> - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 8 of 8 defect(s)
>
> Defect Details
>
> ** CID 583812: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 583812: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
> 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> 997
> 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> 999 master->datstartaddr = ret;
> 1000 master->maxdevs = ret >> 16;
> >>> CID 583812: Integer handling issues (BAD_SHIFT)
> >>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right
> shifting by more than 63 bits has undefined behavior. The shift amount, "63 -
> (master->maxdevs - 1)", is 64.
> 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
> 1002
> 1003 ret = i3c_master_register(&master->base, dev,
> 1004 &dw_mipi_i3c_ops, false);
> 1005 if (ret)
> 1006 goto err_assert_rst;
>
> ** CID 583811: (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 583811: (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> 1604 }
> 1605
> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
> >>> CID 583811: (RESOURCE_LEAK)
> >>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1610 return -EINVAL;
> 1611
> 1612 boardinfo->init_dyn_addr = init_dyn_addr;
> 1613 boardinfo->of_node = node;
> 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> 1615
> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> 1581 if (!boardinfo)
> 1582 return -ENOMEM;
> 1583
> 1584 if (reg[0]) {
> 1585 if (reg[0] > I3C_MAX_ADDR)
> >>> CID 583811: (RESOURCE_LEAK)
> >>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1586 return -EINVAL;
> 1587
> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589 reg[0]);
> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1591 return -EINVAL;
> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> 1585 if (reg[0] > I3C_MAX_ADDR)
> 1586 return -EINVAL;
> 1587
> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589 reg[0]);
> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>> CID 583811: (RESOURCE_LEAK)
> >>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1591 return -EINVAL;
> 1592 }
> 1593
> 1594 boardinfo->static_addr = reg[0];
> 1595
> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> 1592 }
> 1593
> 1594 boardinfo->static_addr = reg[0];
> 1595
> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> >>> CID 583811: (RESOURCE_LEAK)
> >>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1598 return -EINVAL;
> 1599
> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601 init_dyn_addr);
> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1603 return -EINVAL;
> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> 1598 return -EINVAL;
> 1599
> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601 init_dyn_addr);
> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>> CID 583811: (RESOURCE_LEAK)
> >>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1603 return -EINVAL;
> 1604 }
> 1605
> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>
> ** CID 298388: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 298388: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> 573 return -ENOMEM;
> 574
> 575 cmd = xfer->cmds;
> 576 cmd->rx_buf = ccc->dests[0].payload.data;
> 577 cmd->rx_len = ccc->dests[0].payload.len;
> 578
> >>> CID 298388: Integer handling issues (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
> upper bits of the result will all be 1.
> 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
> >dests[0].payload.len) |
> 580 COMMAND_PORT_TRANSFER_ARG;
> 581
> 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> 583 COMMAND_PORT_CP |
> 584 COMMAND_PORT_DEV_INDEX(pos) |
>
> ** CID 298037: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 298037: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> 369 scl_timing = SCL_EXT_LCNT_1(lcnt);
> 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> 371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
> 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> 373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
> 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
> >>> CID 298037: Integer handling issues (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is
> promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type
> "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than 0x7FFFFFFF, the
> upper bits of the result will all be 1.
> 375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
> 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> 377
> 378 return 0;
> 379 }
> 380
>
> ** CID 296053: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 296053: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> 529 return -ENOMEM;
> 530
> 531 cmd = xfer->cmds;
> 532 cmd->tx_buf = ccc->dests[0].payload.data;
> 533 cmd->tx_len = ccc->dests[0].payload.len;
> 534
> >>> CID 296053: Integer handling issues (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
> upper bits of the result will all be 1.
> 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
> >dests[0].payload.len) |
> 536 COMMAND_PORT_TRANSFER_ARG;
> 537
> 538 cmd->cmd_lo = COMMAND_PORT_CP |
> 539 COMMAND_PORT_DEV_INDEX(pos) |
> 540 COMMAND_PORT_CMD(ccc->id) |
>
> ** CID 295976: (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 295976: (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> 389 return -EINVAL;
> 390
> 391 core_period = DIV_ROUND_UP(1000000000, core_rate);
> 392
> 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS,
> core_period);
> 394 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) -
> lcnt;
> >>> CID 295976: (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
> than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> >>> CID 295976: (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
> than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> 402 SCL_I2C_FM_TIMING_LCNT(lcnt);
> 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> 404
> 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
> 406 writel(readl(master->regs + DEVICE_CTRL) |
> DEV_CTRL_I2C_SLAVE_PRESENT,
>
> ** CID 294913: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 294913: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724 in
> dw_i3c_master_priv_xfers()
> 718 if (!xfer)
> 719 return -ENOMEM;
> 720
> 721 for (i = 0; i < i3c_nxfers; i++) {
> 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> 723
> >>> CID 294913: Integer handling issues (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16
> bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits,
> signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If
> "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will
> all be 1.
> 724 cmd->cmd_hi =
> COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> 725 COMMAND_PORT_TRANSFER_ARG;
> 726
> 727 if (i3c_xfers[i].rnw) {
> 728 cmd->rx_buf = i3c_xfers[i].data.in;
> 729 cmd->rx_len = i3c_xfers[i].len;
>
> ** CID 294627: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
>
>
> _________________________________________________________________
> ____________________________
> *** CID 294627: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> 175 int status, bitpos = addr * 2;
> 176
> 177 if (addr > I2C_MAX_ADDR)
> 178 return I3C_ADDR_SLOT_RSVD;
> 179
> 180 status = bus->addrslots[bitpos / BITS_PER_LONG];
> >>> CID 294627: Integer handling issues (BAD_SHIFT)
> >>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits
> has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
> 181 status >>= bitpos % BITS_PER_LONG;
> 182
> 183 return status & I3C_ADDR_SLOT_STATUS_MASK;
> 184 }
> 185
> 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
> --
> Tom
More information about the U-Boot
mailing list