Fwd: New Defects reported by Coverity Scan for Das U-Boot
    Mikhail Kshevetskiy 
    mikhail.kshevetskiy at iopsys.eu
       
    Sun Oct 12 16:22:15 CEST 2025
    
    
  
On 11.10.2025 21:06, Tom Rini wrote:
> I think unfortunately the report email for when I merged in -next was
> lost somewhere / wasn't sent. I may be able to get the details out the
> dashboard.
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Fri, Oct 10, 2025 at 7:08 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
>    - *New Defects Found:* 1
>    - *Defects Shown:* Showing 1 of 1 defect(s)
>
> Defect Details
>
> ** CID 537478:       Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528           in spi_mem_calc_op_duration()
>
>
> _____________________________________________________________________________________________
> *** CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528             in spi_mem_calc_op_duration()
> 522     	ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
> (op->addr.dtr ? 2 : 1);
> 523
> 524     	/* Dummy bytes are optional for some SPI flash memory operations */
> 525     	if (op->dummy.nbytes)
> 526     		ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
> (op->dummy.dtr ? 2 : 1);
> 527
>>>>     CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>>     Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> 528     	ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
> (op->data.dtr ? 2 : 1);

op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
spinand_select_op_variant().

According to the code, the max value of op->data.nbytes is
        nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)
thus it's slightly more than 4Kb (I have never seen flashes with a page size
larger than 4Kb). According to this estimation, the overflow will never
happen.

If it makes sense, I can try to do something with it.

Regards,
Mikhail Kshevetskiy
> 529
> 530     	return ncycles;
> 531     }
> 532     EXPORT_SYMBOL_GPL(spi_mem_calc_op_duration);
> 533
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
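
The OVERFLOW_BEFORE_WIDEN pattern from the report above, as an added example that is not part of the original message or of U-Boot: it compares the flagged expression shape with a widen-first variant. The `struct data_phase` type and the function names are hypothetical, the inputs are constructed, and a 32-bit `unsigned int` is assumed, as in the Coverity message.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Hypothetical stand-in for the data phase of the op structure: only the
 * three fields used by the flagged expression are modelled. */
struct data_phase {
	unsigned int nbytes;	/* 32 bits, per the Coverity message */
	uint8_t buswidth;
	uint8_t dtr;
};

/* Shape of the flagged line: the multiply runs in 32-bit arithmetic and
 * only its (possibly wrapped) result is widened into the 64-bit sum. */
uint64_t data_cycles_narrow(const struct data_phase *d)
{
	uint64_t ncycles = 0;

	ncycles += ((d->nbytes * 8) / d->buswidth) / (d->dtr ? 2 : 1);
	return ncycles;
}

/* Widen first: casting one operand makes the whole expression 64-bit. */
uint64_t data_cycles_wide(const struct data_phase *d)
{
	uint64_t ncycles = 0;

	ncycles += (((uint64_t)d->nbytes * 8) / d->buswidth) / (d->dtr ? 2 : 1);
	return ncycles;
}

/* Smallest nbytes for which "nbytes * 8" no longer fits in unsigned int. */
unsigned int first_wrapping_nbytes(void)
{
	return UINT_MAX / 8 + 1;
}

int main(void)
{
	struct data_phase page = { 4096 + 256, 4, 0 };	/* constructed: page + OOB */
	struct data_phase huge = { first_wrapping_nbytes(), 4, 0 };

	printf("page: narrow=%llu wide=%llu\n",
	       (unsigned long long)data_cycles_narrow(&page),
	       (unsigned long long)data_cycles_wide(&page));
	printf("huge: narrow=%llu wide=%llu\n",
	       (unsigned long long)data_cycles_narrow(&huge),
	       (unsigned long long)data_cycles_wide(&huge));
	return 0;
}
```

The two functions agree for a page-sized transfer and diverge only once `nbytes` reaches `UINT_MAX / 8 + 1`, which is the boundary the checker is reasoning about.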
    
    