Hey all, this is really just to say that I've now been able to switch Coverity Scan over from "sandbox_defconfig" to "allyesconfig" (which is now also in CI), so we have a lot more code being scanned. If you already have access to the dashboard and have areas of interest, it's worth looking again now. If you're already a project contributor and want to look for things to work on, please let me know before asking for access to the dashboard.
I am hopeful this will inspire people to make sure their code builds on sandbox (and so with allyesconfig) so that it regularly gets further static checking. And as a final, funny-to-me note: while this email says 278 issues, the other email (which just has high-level info and which I don't bother forwarding) says 442 issues found. ---------- Forwarded message --------- From: <[email protected]> Date: Tue, Jan 6, 2026 at 2:18 PM Subject: New Defects reported by Coverity Scan for Das U-Boot To: <[email protected]> Hi, Please find the latest report on new defect(s) introduced to *Das U-Boot* found with Coverity Scan. - *New Defects Found:* 278 - 49 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. - *Defects Shown:* Showing 20 of 278 defect(s) Defect Details ** CID 640717: Control flow issues (DEADCODE) /drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data() _____________________________________________________________________________________________ *** CID 640717: Control flow issues (DEADCODE) /drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data() 119 dev->name, con); 120 return con; 121 } 122 123 priv->variant = con ? VAR_CON : VAR_CPU; 124 >>> CID 640717: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "0" inside this statement: >>> "priv->multichannel = (mc4 ?...". 125 priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 
1 : 0)); 126 127 return 0; 128 } 129 130 /** ** CID 640716: Incorrect expression (SIZEOF_MISMATCH) /drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat() _____________________________________________________________________________________________ *** CID 640716: Incorrect expression (SIZEOF_MISMATCH) /drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat() 152 } 153 154 static int iproc_rng200_of_to_plat(struct udevice *dev) 155 { 156 struct iproc_rng200_plat *pdata = dev_get_plat(dev); 157 >>> CID 640716: Incorrect expression (SIZEOF_MISMATCH) >>> Passing argument "8UL /* sizeof (void *) */" to function >>> "devfdt_map_physmem" which returns a value of type "void *" is suspicious. 158 pdata->base = devfdt_map_physmem(dev, sizeof(void *)); 159 if (!pdata->base) 160 return -ENODEV; 161 162 return 0; 163 } ** CID 640715: (TAINTED_SCALAR) _____________________________________________________________________________________________ *** CID 640715: (TAINTED_SCALAR) /drivers/gpio/74x164_gpio.c: 145 in gen_74x164_probe() 139 140 /* 141 * See Linux kernel: 142 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt 143 */ 144 priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1); >>> CID 640715: (TAINTED_SCALAR) >>> Passing tainted expression "priv->nregs" to "dlcalloc", which uses it >>> as an offset. 145 priv->buffer = calloc(priv->nregs, sizeof(u8)); 146 if (!priv->buffer) { 147 ret = -ENOMEM; 148 goto free_str; 149 } 150 /drivers/gpio/74x164_gpio.c: 151 in gen_74x164_probe() 145 priv->buffer = calloc(priv->nregs, sizeof(u8)); 146 if (!priv->buffer) { 147 ret = -ENOMEM; 148 goto free_str; 149 } 150 >>> CID 640715: (TAINTED_SCALAR) >>> Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", >>> which uses it as an offset. 
151 ret = fdtdec_get_byte_array(fdt, node, "registers-default", 152 priv->buffer, priv->nregs); 153 if (ret) 154 dev_dbg(dev, "No registers-default property\n"); 155 156 ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe, ** CID 640714: Control flow issues (DEADCODE) /drivers/net/ftgmac100.c: 400 in ftgmac100_start() _____________________________________________________________________________________________ *** CID 640714: Control flow issues (DEADCODE) /drivers/net/ftgmac100.c: 400 in ftgmac100_start() 394 /* Configure TX/RX decsriptor size 395 * This size is calculated based on cache line. 396 */ 397 desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT; 398 /* The descriptor size is at least 2 descriptor units. */ 399 if (desc_size < 2) >>> CID 640714: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "desc_size = 2U;". 400 desc_size = 2; 401 dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12); 402 dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) | FTGMAC100_DBLAC_TXDES_SIZE(desc_size); 403 writel(dblac, &ftgmac100->dblac); 404 405 /* poll receive descriptor automatically */ ** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg() _____________________________________________________________________________________________ *** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg() 115 if (IS_ERR_VALUE(ret)) { 116 debug("SiFive UART clock not defined\n"); 117 return 0; 118 } 119 } else { 120 clock = clk_get_rate(&clk); >>> CID 640713: Integer handling issues >>> (CONSTANT_EXPRESSION_RESULT) >>> "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always >>> false regardless of the values of its operands. This occurs as the logical >>> operand of "!". 
121 if (IS_ERR_VALUE(clock)) { 122 debug("SiFive UART clock get rate failed\n"); 123 return 0; 124 } 125 } 126 plat->clock = clock; ** CID 640712: (BAD_SHIFT) /drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() _____________________________________________________________________________________________ *** CID 640712: (BAD_SHIFT) /drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config() 576 if (!(flags & IORESOURCE_PREFETCH)) 577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar); 578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar); 579 } else { 580 if (!(flags & IORESOURCE_PREFETCH)) 581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar); >>> CID 640712: (BAD_SHIFT) >>> In expression "5 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar); 583 } 584 585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture); 586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value); 587 /drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config() 579 } else { 580 if (!(flags & IORESOURCE_PREFETCH)) 581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar); 582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar); 583 } 584 >>> CID 640712: (BAD_SHIFT) >>> In expression "aperture - 2U << bar * 8", shifting by a negative amount >>> has undefined behavior. 
The shift amount, "bar * 8", is as little as -8. 585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture); 586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value); 587 588 return 0; 589 } 590 /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() 564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1); 565 566 if (bar == RP_NO_BAR) 567 return 0; 568 569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG); >>> CID 640712: (BAD_SHIFT) >>> In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by >>> a negative amount has undefined behavior. The shift amount, "bar * 8", is >>> as little as -8. 570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) | 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { /drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config() 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { 576 if (!(flags & IORESOURCE_PREFETCH)) >>> CID 640712: (BAD_SHIFT) >>> In expression "6 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar); 578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar); 579 } else { 580 if (!(flags & IORESOURCE_PREFETCH)) 581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar); 582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar); /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() 564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1); 565 566 if (bar == RP_NO_BAR) 567 return 0; 568 569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG); >>> CID 640712: (BAD_SHIFT) >>> In expression "7 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) | 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { /drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config() 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { 576 if (!(flags & IORESOURCE_PREFETCH)) 577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar); >>> CID 640712: (BAD_SHIFT) >>> In expression "7 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar); 579 } else { 580 if (!(flags & IORESOURCE_PREFETCH)) 581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar); 582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar); 583 } /drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config() 575 if (size + cpu_addr >= SZ_4G) { 576 if (!(flags & IORESOURCE_PREFETCH)) 577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar); 578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar); 579 } else { 580 if (!(flags & IORESOURCE_PREFETCH)) >>> CID 640712: (BAD_SHIFT) >>> In expression "4 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar); 582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar); 583 } 584 585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture); 586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value); /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() 564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1); 565 566 if (bar == RP_NO_BAR) 567 return 0; 568 569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG); >>> CID 640712: (BAD_SHIFT) >>> In expression "5 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) | 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() 564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1); 565 566 if (bar == RP_NO_BAR) 567 return 0; 568 569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG); >>> CID 640712: (BAD_SHIFT) >>> In expression "4 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. 
The shift amount, "bar * 8 + 6", is as little as -2. 570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) | 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { /drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config() 564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1); 565 566 if (bar == RP_NO_BAR) 567 return 0; 568 569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG); >>> CID 640712: (BAD_SHIFT) >>> In expression "6 << bar * 8 + 6", shifting by a negative amount has >>> undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2. 570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) | 571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) | 572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) | 573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) | 574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2)); 575 if (size + cpu_addr >= SZ_4G) { ** CID 640711: Memory - corruptions (OVERRUN) _____________________________________________________________________________________________ *** CID 640711: Memory - corruptions (OVERRUN) /cmd/ubi.c: 806 in do_ubi() 800 if (!size) { 801 size = (int64_t)ubi->avail_pebs * ubi->leb_size; 802 printf("No size specified -> Using max size (%lld)\n", size); 803 } 804 /* E.g., create volume */ 805 if (argc == 3) { >>> CID 640711: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 129 by passing argument "id" (which >>> evaluates to 256) in call to "ubi_create_vol". 
806 return ubi_create_vol(argv[2], size, dynamic, id, 807 skipcheck); 808 } 809 } 810 811 if (strncmp(argv[1], "remove", 6) == 0) { ** CID 640710: Insecure data handling (TAINTED_SCALAR) /cmd/tpm-v1.c: 641 in do_tpm_list() _____________________________________________________________________________________________ *** CID 640710: Insecure data handling (TAINTED_SCALAR) /cmd/tpm-v1.c: 641 in do_tpm_list() 635 ptr = buf + 2; 636 637 printf("Resources of type %s (%02x):\n", argv[1], type); 638 if (!res_count) { 639 puts("None\n"); 640 } else { >>> CID 640710: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "res_count" as a loop boundary. 641 for (i = 0; i < res_count; ++i, ptr += 4) 642 printf("Index %d: %08x\n", i, get_unaligned_be32(ptr)); 643 } 644 645 return 0; 646 } ** CID 640709: Integer handling issues (INTEGER_OVERFLOW) /drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup() _____________________________________________________________________________________________ *** CID 640709: Integer handling issues (INTEGER_OVERFLOW) /drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup() 150 * The formula described in atmel datasheets (section "SMC Setup 151 * Register"): 152 * 153 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0] 154 */ 155 ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val); >>> CID 640709: Integer handling issues (INTEGER_OVERFLOW) >>> Expression "0xffffffffffffffffUL << shift", where "shift" is known to >>> be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", >>> which is type "unsigned long". 
156 conf->setup &= ~GENMASK(shift + 7, shift); 157 conf->setup |= val << shift; 158 159 return ret; 160 } 161 EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup); ** CID 640708: Code maintainability issues (UNUSED_VALUE) /drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp() _____________________________________________________________________________________________ *** CID 640708: Code maintainability issues (UNUSED_VALUE) /drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp() 186 int ret; 187 188 ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1); 189 if (ofnode_valid(ep)) { 190 dss_port = ofnode_graph_get_remote_port(ep); 191 if (!ofnode_valid(dss_port)) >>> CID 640708: Code maintainability issues (UNUSED_VALUE) >>> Assigning value "-19" to "ret" here, but that stored value is >>> overwritten before it can be used. 192 ret = -ENODEV; 193 194 ret = ofnode_read_u32(dss_port, "reg", parent_vp); 195 if (ret) 196 return -ENODEV; 197 return 0; ** CID 640707: Control flow issues (DEADCODE) /drivers/power/regulator/max77663_regulator.c: 302 in max77663_ldo_val() _____________________________________________________________________________________________ *** CID 640707: Control flow issues (DEADCODE) /drivers/power/regulator/max77663_regulator.c: 302 in max77663_ldo_val() 296 297 if (op == PMIC_OP_GET) { 298 *uV = 0; 299 300 ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK); 301 if (ret < 0) >>> CID 640707: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return ret;". 
302 return ret; 303 304 *uV = ret; 305 return 0; 306 } 307 ** CID 640706: (CHECKED_RETURN) /drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe() /drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe() _____________________________________________________________________________________________ *** CID 640706: (CHECKED_RETURN) /drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe() 271 static int aspeed_gpio_probe(struct udevice *dev) 272 { 273 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev); 274 struct aspeed_gpio_priv *priv = dev_get_priv(dev); 275 276 uc_priv->bank_name = dev->name; >>> CID 640706: (CHECKED_RETURN) >>> Calling "ofnode_read_u32" without checking return value (as is done >>> elsewhere 101 out of 125 times). 277 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count); 278 priv->regs = devfdt_get_addr_ptr(dev); 279 280 return 0; 281 } 282 /drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe() 127 static int aspeed_gpio_probe(struct udevice *dev) 128 { 129 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev); 130 struct aspeed_gpio_priv *priv = dev_get_priv(dev); 131 132 uc_priv->bank_name = dev->name; >>> CID 640706: (CHECKED_RETURN) >>> Calling "ofnode_read_u32" without checking return value (as is done >>> elsewhere 101 out of 125 times). 
133 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count); 134 priv->regs = devfdt_get_addr_ptr(dev); 135 136 return 0; 137 } 138 ** CID 640705: Insecure data handling (TAINTED_SCALAR) /lib/tpm-v1.c: 863 in tpm1_find_key_sha1() _____________________________________________________________________________________________ *** CID 640705: Insecure data handling (TAINTED_SCALAR) /lib/tpm-v1.c: 863 in tpm1_find_key_sha1() 857 err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf, 858 sizeof(buf)); 859 if (err) 860 return -1; 861 key_count = get_unaligned_be16(buf); 862 ptr = buf + 2; >>> CID 640705: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "key_count" as a loop boundary. 863 for (i = 0; i < key_count; ++i, ptr += 4) 864 key_handles[i] = get_unaligned_be32(ptr); 865 866 /* now search a(/ the) key which we can access with the given auth */ 867 for (i = 0; i < key_count; ++i) { 868 buf_len = sizeof(buf); ** CID 640704: Uninitialized variables (UNINIT) /drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll() _____________________________________________________________________________________________ *** CID 640704: Uninitialized variables (UNINIT) /drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll() 193 /* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to 1 within 3000us*/ 194 if (!reset) { 195 ret = readl_poll_timeout(reg, tmp, (tmp & SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE), 196 3000); 197 } 198 >>> CID 640704: Uninitialized variables (UNINIT) >>> Using uninitialized value "ret". 
199 return ret; 200 } 201 202 int sdhci_cdns6_phy_adj(struct udevice *dev, struct sdhci_cdns_plat *plat, u32 mode) 203 { 204 struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs; ** CID 640703: Integer handling issues (INTEGER_OVERFLOW) /test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat() _____________________________________________________________________________________________ *** CID 640703: Integer handling issues (INTEGER_OVERFLOW) /test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat() 661 fdt_size_t size; 662 void *paddr; 663 664 ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev)); 665 666 addr = devfdt_get_addr_size_index(dev, 0, &size); >>> CID 640703: Integer handling issues (INTEGER_OVERFLOW) >>> Expression "_val2", where "addr" is known to be equal to >>> 18446744073709551615, overflows the type of "_val2", which is type >>> "unsigned int". 667 ut_asserteq(0x8000, addr); 668 ut_asserteq(0x1000, size); 669 670 paddr = map_physmem(addr, 0, MAP_NOCACHE); 671 ut_assertnonnull(paddr); 672 ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0)); ** CID 640702: Uninitialized variables (UNINIT) /drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat() _____________________________________________________________________________________________ *** CID 640702: Uninitialized variables (UNINIT) /drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat() 79 80 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1); 81 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2); 82 if (!priv->lvds1 && !priv->lvds2) { 83 debug("ldb: No remote panel for '%s' (ret=%d)\n", 84 dev_read_name(dev), ret); >>> CID 640702: Uninitialized variables (UNINIT) >>> Using uninitialized value "ret". 
85 return ret; 86 } 87 88 return 0; 89 } 90 ** CID 640701: Uninitialized variables (UNINIT) /drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op() _____________________________________________________________________________________________ *** CID 640701: Uninitialized variables (UNINIT) /drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op() 371 if (ret) 372 goto done; 373 } 374 done: 375 spi_cs_deactivate(spi->dev); 376 >>> CID 640701: Uninitialized variables (UNINIT) >>> Using uninitialized value "ret". 377 return ret; 378 } 379 380 static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width) 381 { 382 u32 mode = slave->mode; ** CID 640700: Integer handling issues (BAD_SHIFT) /drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config() _____________________________________________________________________________________________ *** CID 640700: Integer handling issues (BAD_SHIFT) /drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config() 37 ret = ofnode_parse_phandle_with_args(node, "phy-handle", 38 NULL, 0, 0, &phandle); 39 if (ret) 40 return ret; 41 42 ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1); >>> CID 640700: Integer handling issues (BAD_SHIFT) >>> In expression "1 << ext_phyaddr", shifting by a negative amount has >>> undefined behavior. The shift amount, "ext_phyaddr", is -1. 
43 ext_phydev = phy_find_by_mask(phydev->bus, 44 1 << ext_phyaddr); 45 if (!ext_phydev) { 46 printf("%s, No external phy device found\n", __func__); 47 return -EINVAL; 48 } ** CID 640699: Control flow issues (DEADCODE) /drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer() _____________________________________________________________________________________________ *** CID 640699: Control flow issues (DEADCODE) /drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer() 256 257 if ((event & RXFVE_MASK) && (data_in)) { 258 rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET); 259 if (rf_cnt >= CHUNK_SIZE) 260 rx_bytes = CHUNK_SIZE; 261 else if (num_blks == 1 && rf_cnt == num_bytes) >>> CID 640699: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "rx_bytes = num_bytes;". 262 rx_bytes = num_bytes; 263 else 264 continue; 265 266 if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) { 267 num_blks -= CHUNK_SIZE; ** CID 640698: Insecure data handling (TAINTED_SCALAR) _____________________________________________________________________________________________ *** CID 640698: Insecure data handling (TAINTED_SCALAR) /drivers/net/bnxt/bnxt.c: 446 in bnxt_hwrm_ver_get() 440 req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req; 441 resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp; 442 hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len); 443 req->hwrm_intf_maj = HWRM_VERSION_MAJOR; 444 req->hwrm_intf_min = HWRM_VERSION_MINOR; 445 req->hwrm_intf_upd = HWRM_VERSION_UPDATE; >>> CID 640698: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which >>> uses it as an offset. 
446 rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__); 447 if (rc) 448 return STATUS_FAILURE; 449 450 bp->hwrm_spec_code = 451 resp->hwrm_intf_maj_8b << 16 | View Defects in Coverity Scan <https://scan.coverity.com/projects/das-u-boot?tab=overview> Best regards, The Coverity Scan Admin Team ----- End forwarded message ----- -- Tom

