Fwd: New Defects reported by Coverity Scan for Das U-Boot
Maniyam, Dinesh
dinesh.maniyam at altera.com
Fri Aug 8 05:37:24 CEST 2025
Hi
> -----Original Message-----
> From: Heiko Schocher <hs at nabladev.com>
> Sent: Thursday, 7 August 2025 5:17 pm
> To: u-boot at lists.denx.de; Maniyam, Dinesh <dinesh.maniyam at altera.com>
> Cc: Tom Rini <trini at konsulko.com>; Heiko Schocher <hs at denx.de>
> Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
>
> Hello Dinesh,
>
> On 06.08.25 20:35, Tom Rini wrote:
> > Here's the latest report. Let's get these new issues addressed ASAP
> > please, thanks.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin at coverity.com>
> > Date: Wed, Aug 6, 2025 at 12:23 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini at gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das
> > U-Boot* found with Coverity Scan.
> >
> > - *New Defects Found:* 8
> > - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> > - *Defects Shown:* Showing 8 of 8 defect(s)
> >
> > Defect Details
> >
> > ** CID 583812: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
>
> Could you please look at the issues on i3c parts, as I go on vacation, thanks!
>
Yes, I am working on it, give me just a couple of days!
Thanks
Dinesh
> @Tom: Feel free to pick up fixes, thanks!
>
> bye,
> Heiko
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 583812: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
> > 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > 997
> > 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > 999 master->datstartaddr = ret;
> > 1000 master->maxdevs = ret >> 16;
> >>>> CID 583812: Integer handling issues (BAD_SHIFT)
> >>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior. The shift amount, "63 - (master->maxdevs - 1)", is 64.
> > 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > 1002
> > 1003 ret = i3c_master_register(&master->base, dev,
> > 1004 &dw_mipi_i3c_ops, false);
> > 1005 if (ret)
> > 1006 goto err_assert_rst;
> >
> > ** CID 583811: (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 583811: (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> > 1604 }
> > 1605
> > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> > 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1610 return -EINVAL;
> > 1611
> > 1612 boardinfo->init_dyn_addr = init_dyn_addr;
> > 1613 boardinfo->of_node = node;
> > 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> > 1615
> > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> > 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> > 1581 if (!boardinfo)
> > 1582 return -ENOMEM;
> > 1583
> > 1584 if (reg[0]) {
> > 1585 if (reg[0] > I3C_MAX_ADDR)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1586 return -EINVAL;
> > 1587
> > 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589 reg[0]);
> > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1591 return -EINVAL;
> > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> > 1585 if (reg[0] > I3C_MAX_ADDR)
> > 1586 return -EINVAL;
> > 1587
> > 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589 reg[0]);
> > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1591 return -EINVAL;
> > 1592 }
> > 1593
> > 1594 boardinfo->static_addr = reg[0];
> > 1595
> > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> > 1592 }
> > 1593
> > 1594 boardinfo->static_addr = reg[0];
> > 1595
> > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1598 return -EINVAL;
> > 1599
> > 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601 init_dyn_addr);
> > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1603 return -EINVAL;
> > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> > 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> > 1598 return -EINVAL;
> > 1599
> > 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601 init_dyn_addr);
> > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1603 return -EINVAL;
> > 1604 }
> > 1605
> > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> >
> > ** CID 298388: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 298388: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> > 573 return -ENOMEM;
> > 574
> > 575 cmd = xfer->cmds;
> > 576 cmd->rx_buf = ccc->dests[0].payload.data;
> > 577 cmd->rx_len = ccc->dests[0].payload.len;
> > 578
> >>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> > 580 COMMAND_PORT_TRANSFER_ARG;
> > 581
> > 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> > 583 COMMAND_PORT_CP |
> > 584 COMMAND_PORT_DEV_INDEX(pos) |
> >
> > ** CID 298037: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 298037: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> > 369 scl_timing = SCL_EXT_LCNT_1(lcnt);
> > 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> > 371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
> > 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> > 373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
> > 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
> >>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
> > 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> > 377
> > 378 return 0;
> > 379 }
> > 380
> >
> > ** CID 296053: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 296053: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> > 529 return -ENOMEM;
> > 530
> > 531 cmd = xfer->cmds;
> > 532 cmd->tx_buf = ccc->dests[0].payload.data;
> > 533 cmd->tx_len = ccc->dests[0].payload.len;
> > 534
> >>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> > 536 COMMAND_PORT_TRANSFER_ARG;
> > 537
> > 538 cmd->cmd_lo = COMMAND_PORT_CP |
> > 539 COMMAND_PORT_DEV_INDEX(pos) |
> > 540 COMMAND_PORT_CMD(ccc->id) |
> >
> > ** CID 295976: (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 295976: (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> > 389 return -EINVAL;
> > 390
> > 391 core_period = DIV_ROUND_UP(1000000000, core_rate);
> > 392
> > 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
> > 394 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
> >>>> CID 295976: (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> >>>> CID 295976: (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> > 402 SCL_I2C_FM_TIMING_LCNT(lcnt);
> > 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> > 404
> > 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
> > 406 writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
> >
> > ** CID 294913: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 294913: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
> > 718 if (!xfer)
> > 719 return -ENOMEM;
> > 720
> > 721 for (i = 0; i < i3c_nxfers; i++) {
> > 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> > 723
> >>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 724 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> > 725 COMMAND_PORT_TRANSFER_ARG;
> > 726
> > 727 if (i3c_xfers[i].rnw) {
> > 728 cmd->rx_buf = i3c_xfers[i].data.in;
> > 729 cmd->rx_len = i3c_xfers[i].len;
> >
> > ** CID 294627: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 294627: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> > 175 int status, bitpos = addr * 2;
> > 176
> > 177 if (addr > I2C_MAX_ADDR)
> > 178 return I3C_ADDR_SLOT_RSVD;
> > 179
> > 180 status = bus->addrslots[bitpos / BITS_PER_LONG];
> >>>> CID 294627: Integer handling issues (BAD_SHIFT)
> >>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
> > 181 status >>= bitpos % BITS_PER_LONG;
> > 182
> > 183 return status & I3C_ADDR_SLOT_STATUS_MASK;
> > 184 }
> > 185
> > 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
> >
> >
> >
> > View Defects in Coverity Scan
> > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> >
> > Best regards,
> >
> > The Coverity Scan Admin Team
> >
> > ----- End forwarded message -----
> >
>
> --
> Nabla Software Engineering
> HRB 40522 Augsburg
> Phone: +49 821 45592596
> E-Mail: office at nabladev.com
> Managing Director: Stefano Babic