Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Tue Jan 6 21:36:01 CET 2026
Hey all,
This is really just to say that I've now been able to switch Coverity
scan over from "sandbox_defconfig" to "allyesconfig" (which is now also
in CI), so we have a lot more code being scanned. If you have access to
the dashboard already, and areas of interest, it's worth looking again
now. If you're already a project contributor and want to look for things
to work on, please let me know before asking for access to the
dashboard.
I am hopeful this will inspire people to make sure their code builds on
sandbox (and so allyesconfig) so that it can get further static checking
done to it, regularly.
And as a final, funny-to-me note, while this email says 278 issues, the
other email (which just has high level info and I don't bother
forwarding) says 442 issues found.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Tue, Jan 6, 2026 at 2:18 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 278
- 49 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 20 of 278 defect(s)
Defect Details
** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
_____________________________________________________________________________________________
*** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
119 dev->name, con);
120 return con;
121 }
122
123 priv->variant = con ? VAR_CON : VAR_CPU;
124
>>> CID 640717: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "0" inside this statement: "priv->multichannel = (mc4 ?...".
125 priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 1 : 0));
126
127 return 0;
128 }
129
130 /**
** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
_____________________________________________________________________________________________
*** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
152 }
153
154 static int iproc_rng200_of_to_plat(struct udevice *dev)
155 {
156 struct iproc_rng200_plat *pdata = dev_get_plat(dev);
157
>>> CID 640716: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "8UL /* sizeof (void *) */" to function "devfdt_map_physmem" which returns a value of type "void *" is suspicious.
158 pdata->base = devfdt_map_physmem(dev, sizeof(void *));
159 if (!pdata->base)
160 return -ENODEV;
161
162 return 0;
163 }
** CID 640715: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640715: (TAINTED_SCALAR)
/drivers/gpio/74x164_gpio.c: 145 in gen_74x164_probe()
139
140 /*
141 * See Linux kernel:
142 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt
143 */
144 priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1);
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "dlcalloc", which uses it as an offset.
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
/drivers/gpio/74x164_gpio.c: 151 in gen_74x164_probe()
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", which uses it as an offset.
151 ret = fdtdec_get_byte_array(fdt, node, "registers-default",
152 priv->buffer, priv->nregs);
153 if (ret)
154 dev_dbg(dev, "No registers-default property\n");
155
156 ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe,
** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
_____________________________________________________________________________________________
*** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
394 /* Configure TX/RX decsriptor size
395 * This size is calculated based on cache line.
396 */
397 desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT;
398 /* The descriptor size is at least 2 descriptor units. */
399 if (desc_size < 2)
>>> CID 640714: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "desc_size = 2U;".
400 desc_size = 2;
401 dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12);
402 dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) | FTGMAC100_DBLAC_TXDES_SIZE(desc_size);
403 writel(dblac, &ftgmac100->dblac);
404
405 /* poll receive descriptor automatically */
** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
_____________________________________________________________________________________________
*** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
115 if (IS_ERR_VALUE(ret)) {
116 debug("SiFive UART clock not defined\n");
117 return 0;
118 }
119 } else {
120 clock = clk_get_rate(&clk);
>>> CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always false regardless of the values of its operands. This occurs as the logical operand of "!".
121 if (IS_ERR_VALUE(clock)) {
122 debug("SiFive UART clock get rate failed\n");
123 return 0;
124 }
125 }
126 plat->clock = clock;
** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
_____________________________________________________________________________________________
*** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
>>> CID 640712: (BAD_SHIFT)
>>> In expression "aperture - 2U << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
588 return 0;
589 }
590
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
** CID 640711: Memory - corruptions (OVERRUN)
_____________________________________________________________________________________________
*** CID 640711: Memory - corruptions (OVERRUN)
/cmd/ubi.c: 806 in do_ubi()
800 if (!size) {
801 size = (int64_t)ubi->avail_pebs * ubi->leb_size;
802 printf("No size specified -> Using max size (%lld)\n", size);
803 }
804 /* E.g., create volume */
805 if (argc == 3) {
>>> CID 640711: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 129 by passing argument "id" (which evaluates to 256) in call to "ubi_create_vol".
806 return ubi_create_vol(argv[2], size, dynamic, id,
807 skipcheck);
808 }
809 }
810
811 if (strncmp(argv[1], "remove", 6) == 0) {
** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
_____________________________________________________________________________________________
*** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
635 ptr = buf + 2;
636
637 printf("Resources of type %s (%02x):\n", argv[1], type);
638 if (!res_count) {
639 puts("None\n");
640 } else {
>>> CID 640710: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "res_count" as a loop boundary.
641 for (i = 0; i < res_count; ++i, ptr += 4)
642 printf("Index %d: %08x\n", i, get_unaligned_be32(ptr));
643 }
644
645 return 0;
646 }
** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
_____________________________________________________________________________________________
*** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
150 * The formula described in atmel datasheets (section "SMC Setup
151 * Register"):
152 *
153 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0]
154 */
155 ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val);
>>> CID 640709: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "0xffffffffffffffffUL << shift", where "shift" is known to be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", which is type "unsigned long".
156 conf->setup &= ~GENMASK(shift + 7, shift);
157 conf->setup |= val << shift;
158
159 return ret;
160 }
161 EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup);
** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
_____________________________________________________________________________________________
*** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
186 int ret;
187
188 ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1);
189 if (ofnode_valid(ep)) {
190 dss_port = ofnode_graph_get_remote_port(ep);
191 if (!ofnode_valid(dss_port))
>>> CID 640708: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "-19" to "ret" here, but that stored value is overwritten before it can be used.
192 ret = -ENODEV;
193
194 ret = ofnode_read_u32(dss_port, "reg", parent_vp);
195 if (ret)
196 return -ENODEV;
197 return 0;
** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in max77663_ldo_val()
_____________________________________________________________________________________________
*** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in max77663_ldo_val()
296
297 if (op == PMIC_OP_GET) {
298 *uV = 0;
299
300 ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK);
301 if (ret < 0)
>>> CID 640707: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
302 return ret;
303
304 *uV = ret;
305 return 0;
306 }
307
** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
_____________________________________________________________________________________________
*** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
271 static int aspeed_gpio_probe(struct udevice *dev)
272 {
273 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
274 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
275
276 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
277 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
278 priv->regs = devfdt_get_addr_ptr(dev);
279
280 return 0;
281 }
282
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
127 static int aspeed_gpio_probe(struct udevice *dev)
128 {
129 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
130 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
131
132 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
133 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
134 priv->regs = devfdt_get_addr_ptr(dev);
135
136 return 0;
137 }
138
** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
_____________________________________________________________________________________________
*** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
857 err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
858 sizeof(buf));
859 if (err)
860 return -1;
861 key_count = get_unaligned_be16(buf);
862 ptr = buf + 2;
>>> CID 640705: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "key_count" as a loop boundary.
863 for (i = 0; i < key_count; ++i, ptr += 4)
864 key_handles[i] = get_unaligned_be32(ptr);
865
866 /* now search a(/ the) key which we can access with the given auth */
867 for (i = 0; i < key_count; ++i) {
868 buf_len = sizeof(buf);
** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
_____________________________________________________________________________________________
*** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
193 /* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to 1 within 3000us*/
194 if (!reset) {
195 ret = readl_poll_timeout(reg, tmp, (tmp & SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE),
196 3000);
197 }
198
>>> CID 640704: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
199 return ret;
200 }
201
202 int sdhci_cdns6_phy_adj(struct udevice *dev, struct sdhci_cdns_plat *plat, u32 mode)
203 {
204 struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs;
** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
_____________________________________________________________________________________________
*** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
661 fdt_size_t size;
662 void *paddr;
663
664 ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev));
665
666 addr = devfdt_get_addr_size_index(dev, 0, &size);
>>> CID 640703: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "addr" is known to be equal to 18446744073709551615, overflows the type of "_val2", which is type "unsigned int".
667 ut_asserteq(0x8000, addr);
668 ut_asserteq(0x1000, size);
669
670 paddr = map_physmem(addr, 0, MAP_NOCACHE);
671 ut_assertnonnull(paddr);
672 ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0));
** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
_____________________________________________________________________________________________
*** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
79
80 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1);
81 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2);
82 if (!priv->lvds1 && !priv->lvds2) {
83 debug("ldb: No remote panel for '%s' (ret=%d)\n",
84 dev_read_name(dev), ret);
>>> CID 640702: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
85 return ret;
86 }
87
88 return 0;
89 }
90
** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
_____________________________________________________________________________________________
*** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
371 if (ret)
372 goto done;
373 }
374 done:
375 spi_cs_deactivate(spi->dev);
376
>>> CID 640701: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
377 return ret;
378 }
379
380 static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width)
381 {
382 u32 mode = slave->mode;
** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config()
_____________________________________________________________________________________________
*** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config()
37 ret = ofnode_parse_phandle_with_args(node, "phy-handle",
38 NULL, 0, 0, &phandle);
39 if (ret)
40 return ret;
41
42 ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1);
>>> CID 640700: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << ext_phyaddr", shifting by a negative amount has undefined behavior. The shift amount, "ext_phyaddr", is -1.
43 ext_phydev = phy_find_by_mask(phydev->bus,
44 1 << ext_phyaddr);
45 if (!ext_phydev) {
46 printf("%s, No external phy device found\n", __func__);
47 return -EINVAL;
48 }
** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
_____________________________________________________________________________________________
*** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
256
257 if ((event & RXFVE_MASK) && (data_in)) {
258 rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET);
259 if (rf_cnt >= CHUNK_SIZE)
260 rx_bytes = CHUNK_SIZE;
261 else if (num_blks == 1 && rf_cnt == num_bytes)
>>> CID 640699: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "rx_bytes = num_bytes;".
262 rx_bytes = num_bytes;
263 else
264 continue;
265
266 if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) {
267 num_blks -= CHUNK_SIZE;
** CID 640698: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640698: Insecure data handling (TAINTED_SCALAR)
/drivers/net/bnxt/bnxt.c: 446 in bnxt_hwrm_ver_get()
440 req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req;
441 resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp;
442 hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len);
443 req->hwrm_intf_maj = HWRM_VERSION_MAJOR;
444 req->hwrm_intf_min = HWRM_VERSION_MINOR;
445 req->hwrm_intf_upd = HWRM_VERSION_UPDATE;
>>> CID 640698: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which uses it as an offset.
446 rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__);
447 if (rc)
448 return STATUS_FAILURE;
449
450 bp->hwrm_spec_code =
451 resp->hwrm_intf_maj_8b << 16 |
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom