In mc_fixup_dpc_mac_addr noff is assigned the return value from
fdt_add_subnode so that is the variable that should be passed to
fdt_strerror and returned when negative.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/fsl-mc/mc.c | 4 ++--
1 file changed, 2
In dpni_exit there is a NULL check for dflt_dpni after it is
dereferenced a number of times. Instead move the NULL check to early in
the function. Also assign NULL to dflt_dpni after free in both dpni_init
and dpni_exit.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
In dpbp_exit there is a NULL check for dflt_dpbp after it is
dereferenced a number of times. Instead move the NULL check to early in
the function. Also assign NULL to dflt_dpbp after free in both dpbp_init
and dpbp_exit.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
.
Signed-off-by: Andrew Goodbody
---
drivers/net/fsl-mc/mc.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/fsl-mc/mc.c b/drivers/net/fsl-mc/mc.c
index 86daf0fb2bb..999a9912e2f 100644
--- a/drivers/net/fsl-mc/mc.c
+++ b/drivers/net/fsl-mc/mc.c
@@ -1178,6
In netc_blk_ctrl_probe the test for failure of the function
clk_prepare_enable should not return PTR_ERR(ipg_clk) as it does not
check IS_ERR(ipg_clk) instead it should return err as that is what is
holding the error code in this case.
This issue was found by Smatch.
Signed-off-by: Andrew
: Andrew Goodbody
---
Andrew Goodbody (5):
net: fsl_enetc: Fix copy/paste error
net: fsl-mc: NULL check dflt_dpio before dereference
net: fsl-mc: NULL check dflt_dpbp before dereference
net: fsl-mc: NULL check dflt_dpni before dereference
net: fsl-mc: Incorrect variable
In memac_wait_until_free and memac_wait_until_done the use of
post-decrement on the test in the while loop for a timeout means that
timeout will be equal to -1 on exit in that case. Adjust the test for
this expected value.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
In fm_eth_bind there is a dereference of dev before it is NULL checked.
Add a NULL check before the first dereference and remove a later NULL
check that is now redundant.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/fm/eth.c | 5 -
1 file changed, 4
In bmi_rx_port_disable and bmi_tx_port_disable the use of post-decrement
on the test in the while loop for a timeout means that timeout will be
equal to -1 on exit in that case. Adjust the test for this expected
value.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers
Smatch reports some issues with incorrect tests for timeout and
dereferencing before a NULL check. Fix them.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (3):
net: fm: Correct test for timeout
net: fm: NULL check dev before dereference
net: fm: Correct test for timeout
In fecmxc_probe if a timeout is detected when resetting the chip no
error code is set before taking the error exit. This could lead to a
silent failure. Instead set an error code.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/fec_mxc.c | 1 +
1 file changed, 1
In do_e1000_spi_checksum a temporary buffer is allocated but never
freed. Add code to free on exit. Also refactor the code to make the exit
code common.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/e1000_spi.c | 25 +++--
1 file changed, 15
In dwxgmac_of_get_mac_mode there is a test for mac_mode which will
return if false. After this point mac_mode is guaranteed to be true so
there is no need to test for this. Remove that test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/dwc_eth_xgmac_socfpga.c
In xgmac_probe there is a direct return after the point where unwind
gotos start to be used to undo actions performed by earlier code. Use
the appropriate unwind goto instead.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/dwc_eth_xgmac.c | 2 +-
1 file changed
Smatch reported two issues with this driver. Firstly a direct return
instead of using an unwind goto and secondly a test for a condition
guaranteed to be true by an earlier test.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
net: dwc_eth_xgmac: Use unwind goto on error
net
effect, since the affected struct members are
uninitialized at that point and overwritten later.
Limit the copied bytes to the VID header size.
Signed-off-by: Benedikt Spranger
Reported-by: Andrew Goodbody
---
drivers/mtd/ubispl/ubispl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
In ca_phy_probe when checking for an external phy it uses a field from
the internal phy due to what is assumed to be a copy/paste typo. Make
the obvious fix to use the field from the external phy.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/cortina_ni.c | 2
When checking the VID header of a static volume there is an early test
for data_size == 0 so testing for that condition again is guaranteed to
fail. Just remove this piece of code.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/ubi/io.c | 7 +--
1 file
Smatch reports the following error.
drivers/mtd/ubispl/ubispl.c:782 ubi_scan_fastmap() error: memcpy() 'vh'
too small (64 vs 268)
I do not know the code well enough to attempt a fix in this case.
Andrew
Smatch reported some errors with memory being leaked on error paths and
also error paths lacking an error code to be returned.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (3):
mtd: nand: pxa3xx: Free memory on error
mtd: rawnand: stm32_fmc2: Ensure to return error code
Add kfree calls on error paths for memory that was allocated. This will
prevent memory leaks.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/raw/sunxi_nand.c | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/nand
In stm32_fmc2_nfc_probe there are 3 error returns that do not set the
error code before returning which could lead to the error being silently
ignored. Just return -EINVAL in each case.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/raw/stm32_fmc2_nand.c
In pxa3xx_nand_probe_dt if the function detects an error after
allocating memory that memory is not freed before exit. Add the
appropriate free.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/raw/pxa3xx_nand.c | 1 +
1 file changed, 1 insertion(+)
diff
In denali_wait_for_irq the code will either return from inside the while
loop or exit with time_left being 0. The following test for time_left
being 0 is guranteed to be true so remove the test and the following
unreachable code.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
Smatch reported some issues with rawnand code.
Firstly detecting allocation failures for cortina.
Secondly an always true test for denali.
Lastly using goto an error path without setting the error code for
return for mxs_nand.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (3):
mtd
was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/raw/mxs_nand.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/nand/raw/mxs_nand.c b/drivers/mtd/nand/raw/mxs_nand.c
index ba67466069b..fecf1f5ba91 100644
--- a/drivers/mtd/nand/raw
the more likely scenario. Refactor the code to simplify it and just fail
as soon as either allocation fails.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/raw/cortina_nand.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/dr
In nanddev_init mtd and memorg are assigned values that dereference nand
but this happens before a NULL check for nand. Move the assignments
after the NULL check.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mtd/nand/core.c | 7 +--
1 file changed, 5
In rockchip_sdhci_execute_tuning the variable tuning_loop_counter is
tested for being less than 0. Ensure that it is a signed type by
declaring it as s8 instead of char.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/rockchip_sdhci.c | 2 +-
1 file changed, 1
In owl_mmc_prepare_data there is a NULL check for the pointer data but
it happens after data has already been dereferenced. Refactor the code
so that the NULL check happens before any code dereferences data.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc
In octeontx_mmc_io_drive_setup drive and slew are tested for being less
than 0 but they are declared as uint fields so this test must always
fail. Just remove the test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/octeontx_hsmmc.c | 3 ---
1 file changed, 3
The check for no response expected in octeontx_mmc_send_cmd needs parens
adding for proper interpretation.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/octeontx_hsmmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc
Smatch reported two issues. Firstly that an expression probably needed
parenthesis to be correctly interpreted. Secondly that two unsigned
fields in a struct were both being tested for being less than 0.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
mmc: octeontx_hsmmc: Need
In sdhci_iproc_execute_tuning the variable tuning_loop_counter is
unsigned and therefore will always fail the test for it being less than
0. Fix this by changing the variable type to be s8.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/iproc_sdhci.c | 2 +-
1
In mci_send_cmd the pointer 'data' is optional so guard its use with a
NULL check to prevent any attempt to dereference it when not provided.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/gen_atmel_mci.c | 14 --
1 file changed, 8 insert
Remove duplicate checks on status from mci_data_read and mci_data_write
which are guaranteed to be true as exiting the above do..while loop
above requires that to be so.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mmc/gen_atmel_mci.c | 14 ++
1 file
Smatch reported issues with duplicated checks that could be removed.
Smatch also reported an issue where a variable was dereferenced without
a NULL check despite being an optional parameter.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
mmc: gen_atmel_mci: Remove duplicate checks
eturn 0;
+ return -EILSEQ;
}
if (cmd) {
---
base-commit: 182cb30084516c3085d2ca5dde3f105f7625d774
change-id: 20250729-mmc_bcm2835-c97e9597c25c
Best regards,
--
Andrew Goodbody
In socfpga_dtreg_probe it is possible that if mask is 0 then reg will
not be assigned to before first use. Refactor the code slightly to
ensure that reg is always assigned to and remove a piece of duplicated
code.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/misc
Smatch reports the following error.
drivers/misc/imx_ele/fuse.c:218 fuse_sense() error: buffer overflow
'data' 4 <= 7
Looking at the code I can see that at line 198, word is checked to be
less than 8. Later at line 203 data is declared as a 4 element array.
Then at line 218 word is used to i
In sc_seco_secvio_dgo_config there is a check for data being NULL but
this occurs after data has already been dereferenced. All callers of the
function provide a valid pointer for data so no need for the NULL check.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers
Smatch reports this error
drivers/misc/gsc.c:330 gsc_hwmon() error: uninitialized symbol 'offset'.
It is not clear to me how to fix this problem. Could you please take a look?
Thanks,
Andrew
If the test in the for loop is never matched then the variable 'match'
will never be assigned to. Provide an initial value so this cannot be a
problem.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mfd/atmel-smc.c | 2 +-
1 file changed, 1 insertion(+),
Use resource_size to correctly calculate the size to pass to
devm_ioremap and avoid the off by 1 errors previously present.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/mailbox/zynqmp-ipi.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git
In rcar_iic_xfer if nmsgs == 0 the ret will not be assigned to. As ret
will always be 0 if the for loop is entered, may as well just return 0.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/i2c/rcar_iic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
Cannot test an unsigned variable to be less than 0, it will always fail.
Signed-off-by: Andrew Goodbody
---
drivers/ddr/marvell/a38x/mv_ddr4_training_calibration.c | 13 +++--
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/ddr/marvell/a38x
On 25/07/2025 14:02, Stefan Roese wrote:
Hi Andrew,
On 24.07.25 18:01, Andrew Goodbody wrote:
Hi Stefan,
Smatch reports the following issues
drivers/ddr/marvell/a38x/mv_ddr4_training_calibration.c:1029
mv_ddr4_center_of_mass_calc() warn: unsigned 'd_min' is never less
than zer
On 25/07/2025 13:22, Heinrich Schuchardt wrote:
On 25.07.25 13:09, Andrew Goodbody wrote:
Smatch reports this issue
drivers/fpga/socfpga_gen5.c:135 fpgamgr_program_poll_cd() warn:
duplicate check 'reg & mask' (previous on line 129)
Looking at the code I am not sure that i
The for loop in fpgamgr_program_poll_cd will always terminate after a
single pass and so is not necessary. Remove it and all related code and
leave only the code that is effective.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/fpga/socfpga_gen5.c | 25
7/2025 10:59, Andrew Goodbody wrote:
ping?
On 26/06/2025 15:12, Andrew Goodbody wrote:
The local variable size is not assigned to before it is used
for the first time. Correct this.
This issue was found by Smatch.
Fixes: 86d462c05d57 (cmd: add a fetch utility)
Signed-off-by: Andrew Goodbody
---
instead.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/gpio/intel_gpio.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/gpio/intel_gpio.c b/drivers/gpio/intel_gpio.c
index 0ab6e8a90bc..ac2fb8bc2cc 100644
--- a/drive
In gpio_dwapb_bind plat is used to reference memory allocated by
devm_kcalloc but it is attempted to be freed using kfree. Instead free
this memory using the correct devm_kfree function.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/gpio/dwapb_gpio.c | 2 +-
1 file
Smatch reports this issue
drivers/fpga/socfpga_gen5.c:135 fpgamgr_program_poll_cd() warn:
duplicate check 'reg & mask' (previous on line 129)
Looking at the code I am not sure that it will work as intended. There
are two if statements within the for loop that test for opposite
conditions so
an
error code separately from writing the value into the passed pointer.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
Changes in v2:
- Instead of removing the always true test use the non-default version
of dev_read_u32 which can return an error while writing to a u32.
- Link
On 23/07/2025 18:03, Quentin Schulz wrote:
Hi Andrew,
On 7/23/25 5:17 PM, Andrew Goodbody wrote:
The function dev_read_u32_default does not return an error and the
variable 'val' is unsigned so testing for >= 0 will always be true so
remove this test.
This issue was found by Sm
Smatch is reporting this issue
drivers/fpga/socfpga_arria10.c:536 get_rbf_image_info() warn: ignoring
unreachable code.
Looking at the code, that for loop is a bit strange and I am not sure
what was intended here. Could you please take a look?
Thanks,
Andrew
Hi Stefan,
Smatch reports the following issues
drivers/ddr/marvell/a38x/mv_ddr4_training_calibration.c:1029
mv_ddr4_center_of_mass_calc() warn: unsigned 'd_min' is never less than
zero.
drivers/ddr/marvell/a38x/mv_ddr4_training_calibration.c:2192
mv_ddr4_dm_tuning() warn: unsigned 'reg_val' i
In the case of !zq_en zqcs_init is never assigned to although its value
is used. Correct by initialising zqcs_init to 0.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/ddr/fsl/ctrl_regs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers
The function socfpga_get_handoff_size returns an int so make the struct
fields used to accept the return value also an int so that testing for
less than 0 is then valid.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/ddr/altera/sdram_n5x.c | 8
1 file
Add setting default temperatures to the weak version of
get_cpu_temp_grade so these values will not be used uninitialised.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/cpu/imx8_cpu.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/cpu/imx8_cpu.c b
In bcm_cpu_probe the test on the return value from clk_enable is
incorrect and will not work as intended. Change the || to && in order to
achieve the desired effect.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/cpu/bcm283x_cpu.c | 2 +-
1 file changed, 1 i
Smatch reported a warning about a shift macro being used as a mask. Make
the obvious changes to make this register read calculation work the same
as the previous ones.
Signed-off-by: Andrew Goodbody
---
This fix is somewhat speculative as it is being made without
reference to any manual
cted. Also remove initial values from 'value' and 'div' as they are
not needed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/renesas/rcar-cpg-lib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/renesas
ping?
On 03/07/2025 15:40, Andrew Goodbody wrote:
In clk_set_default_get_by_id ret is passed to ERR_PTR but nothing is
done with the value that this calculates which is obviously not the
intention of the code. This is confirmed by the code around where this
function is called.
Instead return
ping?
On 03/07/2025 12:53, Andrew Goodbody wrote:
In regulator_list_autoset there is a test for ret being non-zero and
error being zero but it uses the binary '&' instead of the logical '&&'
which could well lead to unexpected results. Correct this to use the
l
ping?
On 03/07/2025 12:31, Andrew Goodbody wrote:
The for loop in se_desc uses i as the loop index and also to cause the
loop to end if the passed in name is not found. However i is not
incremented which could cause the loop to continue indefinitely and
access out of bounds memory.
Add an
ping?
On 26/06/2025 15:12, Andrew Goodbody wrote:
The local variable size is not assigned to before it is used
for the first time. Correct this.
This issue was found by Smatch.
Fixes: 86d462c05d57 (cmd: add a fetch utility)
Signed-off-by: Andrew Goodbody
---
cmd/ufetch.c | 2 +-
1 file
ping?
On 26/06/2025 11:49, Andrew Goodbody wrote:
ret maybe used uninitialised in some cases so instead
initialise it first to prevent this.
This issue was found by Smatch.
Fixes: 9671243e8d10 (cmd: mtd: Use the subcmd infrastructure to declare mtd
sub-commands)
Signed-off-by: Andrew
ping?
On 01/07/2025 17:12, Andrew Goodbody wrote:
In nand_wait_ready there is a loop that includes a NULL check for
chip->dev_ready before it is dereferenced. Use a NULL check once the
loop is exited as well to cover the case where it exits due to a timeout
and it is therefore not known if c
ytes")
Reported-by: Andrew Goodbody
Signed-off-by: Ye Li
Reviewed-by: Peng Fan
Signed-off-by: Fabio Estevam
---
common/spl/spl_imx_container.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/spl/spl_imx_container.c b/common/spl/spl_imx_container.c
index b35
A second return following the first return is unreachable code so remove
it.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/meson/g12a.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
index 5d7faaa3eab
For an unknown pll type the error path neglects to free the memory just
allocated. Add the free.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/imx/clk-pll14xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/imx/clk-pll14xx.c b/drivers/clk/imx
ing ret as an 'int' so that the test for the error
condition is valid.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/exynos/clk-exynos7420.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/exynos/clk-exynos7420.c
b/dr
In versaclock_probe vc5->pin_xin may be an error pointer so need to
check with IS_ERR before attempting to dereference it.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/clk_versaclock.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --gi
.
Signed-off-by: Andrew Goodbody
---
drivers/clk/clk_versaclock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/clk_versaclock.c b/drivers/clk/clk_versaclock.c
index 9ccaf13d242..790ea4dbe82 100644
--- a/drivers/clk/clk_versaclock.c
+++ b/drivers/clk
Should return value calculated by ERR_PTR as calling code attempts to
check for it.
Also do not dereference a pointer that could be an error pointer before
checking it with IS_ERR.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
clk: versaclock: return value calculated by ERR_PTR
The function dev_read_u32_default does not return an error and the
variable 'val' is unsigned so testing for >= 0 will always be true so
remove this test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/clk-cdce9xx.c | 3 +--
1 file changed, 1 in
e
array so decrement it in the subsequent error path to prevent an out of
bounds access occurring.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/at91/sckc.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/at91/sckc.c b/drivers/clk
#x27; to be an
int so that the error condition can be detected.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/clk/at91/clk-main.c | 3 ++-
drivers/clk/at91/clk-master.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/at91/clk-main.c
Unsigned variables will always fail tests that check for being negative.
Use signed variables instead.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
clk: at91: Fix testing of unsigned variable to be negative
clk: at91: Fix use of unsigned loop index
drivers/clk/at91/clk
: Andrew Goodbody
---
drivers/clk/altera/clk-n5x.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/altera/clk-n5x.c b/drivers/clk/altera/clk-n5x.c
index 09db250ab6d..9e4e7a1d908 100644
--- a/drivers/clk/altera/clk-n5x.c
+++ b/drivers/clk/altera/clk-n5x.c
@@ -386,8
The pointer 'label' is declared and later dereferenced without ever
having a value assigned to it. Add an assignment to this pointer so it
will be valid later when dereferenced.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/button/button-qcom-pmic.c | 3 +
The xorl macro lacked surrounding parens which meant that it could have
unexpected results when used in expressions. Fix this by adding the
surrounding parens to make its use predictable.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/bios_emulator/x86emu/ops2.c | 2
Using strcpy to copy a 4 character string into a 4 byte field in a
structure will overflow that field as it writes the terminating \0 into
the following field. Correct this by using memcpy instead.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/bios_emulator
Smatch found two issues in bios_emulator, a buffer overflow and missing
parens for a macro. Fix them both.
Signed-off-by: Andrew Goodbody
---
Andrew Goodbody (2):
bios_emulator: Fix buffer overflow
bios_emulator: Add parens to xorl macro
drivers/bios_emulator/atibios.c | 2
of block counts in those functions always use lbaint_t.
Signed-off-by: Andrew Goodbody
---
drivers/ata/sata_mv.c | 43 ---
1 file changed, 16 insertions(+), 27 deletions(-)
diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
index ac78760a
timeout is declared as a uint but then tested for being less than zero
which must always fail. Change the while loop for a pre-decrement on
timeout and test timeout for being zero.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/adc/meson-saradc.c | 8
1
Local variable ret is declared as unsigned but is used to receive the
return value of functions that return int. ret is then tested for being
negative which must always fail. Change ret to be an int.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/adc/imx93-adc.c | 4
The commit 73c40fcb7367f5a spl: Refactor spl_load_info->read to use
units of bytes by Sean Anderson on 2023-11-08
16:48:40 introduced the variable 'overhead' in the function
read_auth_image and it is referenced only once where its value is
attempted to be used in that function but it is never
In do_bootvx the environment variable 'bootdev' is fetched and copied
into a buffer without confirming that it will not overflow that buffer.
Use strlcpy to ensure that the buffer will not be overflowed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
cmd/elf.c | 6
In boot_from_devices the variable loader is not NULL checked after
assignment and before first use but later code does check it for NULL.
Add a NULL check before first use.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody
---
common/spl/spl.c | 2 +-
1 file changed, 1 insertion
On 17/07/2025 17:57, Martin Husemann wrote:
On Thu, Jul 17, 2025 at 04:38:50PM +0100, Andrew Goodbody wrote:
The original use of strcpy suggests that the string must be \0 terminated. I
will admit that I do not know the code well, is dir->itr.name guaranteed to
be a known fixed size?
You
On 17/07/2025 15:58, Martin Husemann wrote:
On Thu, Jul 17, 2025 at 03:54:37PM +0100, Andrew Goodbody wrote:
memset(dent, 0, sizeof(*dent));
- strcpy(dent->name, dir->itr.name);
+ strlcpy(dent->name, dir->itr.name, FS_DIRENT_NAME_LEN);
Shouldn't that be
Smatch reported a possible buffer overflow in exfat_set_label but it
turns out that this code is unused so just guard the function with
'#ifndef __UBOOT__' as well as exfat_get_label that is also unused and
the helper static find_label.
Signed-off-by: Andrew Goodbody
---
Changes in v2:
On 17/07/2025 15:46, Tom Rini wrote:
On Thu, Jul 17, 2025 at 01:04:58PM +0100, Andrew Goodbody wrote:
Smatch reported a possible buffer overflow in exfat_set_label but it
turns out that this code is unused so just remove the function as well
as exfat_get_label that is also unused and the
Instead of strcpy which is unbounded use strlcpy to ensure that the
receiving buffer cannot be overflowed.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody
---
fs/fat/fat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index
Smatch reported a possible buffer overflow in exfat_set_label but it
turns out that this code is unused so just remove the function as well
as exfat_get_label that is also unused and the helper static find_label.
Signed-off-by: Andrew Goodbody
---
fs/exfat/exfat.h | 2 --
fs/exfat/node.c | 54
/
+ /* The test device tree has two fixed and one removable block device(s)
*/
found = 0;
blk_foreach_probe(BLKF_BOTH, dev)
found |= 1 << dectoul(&dev->name[3], NULL);
Reviewed-by: Andrew Goodbody
Instead of strcpy which is unbounded use strlcpy to ensure that the
receiving buffer cannot be overflowed.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/net/sandbox-raw-bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/sandbox-raw
strlen only reports length of string not including terminating 0 byte
but this has to be included in length of receiving buffer on copy so
adjust length check to be correct.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody
---
drivers/fastboot/fb_command.c | 2 +-
1 file changed, 1
1 - 100 of 233 matches
Mail list logo