From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Tue, 6 Jan 2026 14:36:01 -0600 [thread overview]
Message-ID: <20260106203601.GK3416603@bill-the-cat> (raw)
[-- Attachment #1: Type: text/plain, Size: 29243 bytes --]
Hey all,
This is really just to say that I've now been able to switch Coverity
scan over from "sandbox_defconfig" to "allyesconfig" (which is now also
in CI), so we have a lot more code being scanned. If you have access to
the dashboard already, and areas of interest, it's worth looking again
now. If you're already a project contributor and want to look for things
to work on, please let me know before asking for access to the
dashboard.
I am hopeful this will inspire people to make sure their code builds on
sandbox (and so allyesconfig) so that it can get further static checking
done to it, regularly.
And as a final funny to me note, while this email says 278 issues, the
other email (which just has high level info and I don't bother
forwarding) says 442 issues found.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jan 6, 2026 at 2:18 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 278
- 49 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 20 of 278 defect(s)
Defect Details
** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
_____________________________________________________________________________________________
*** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
119 dev->name, con);
120 return con;
121 }
122
123 priv->variant = con ? VAR_CON : VAR_CPU;
124
>>> CID 640717: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "0" inside this statement: "priv->multichannel = (mc4 ?...".
125 priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 1 : 0));
126
127 return 0;
128 }
129
130 /**
** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
_____________________________________________________________________________________________
*** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
152 }
153
154 static int iproc_rng200_of_to_plat(struct udevice *dev)
155 {
156 struct iproc_rng200_plat *pdata = dev_get_plat(dev);
157
>>> CID 640716: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "8UL /* sizeof (void *) */" to function "devfdt_map_physmem" which returns a value of type "void *" is suspicious.
158 pdata->base = devfdt_map_physmem(dev, sizeof(void *));
159 if (!pdata->base)
160 return -ENODEV;
161
162 return 0;
163 }
** CID 640715: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640715: (TAINTED_SCALAR)
/drivers/gpio/74x164_gpio.c: 145 in gen_74x164_probe()
139
140 /*
141 * See Linux kernel:
142 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt
143 */
144 priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1);
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "dlcalloc", which uses it as an offset.
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
/drivers/gpio/74x164_gpio.c: 151 in gen_74x164_probe()
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", which uses it as an offset.
151 ret = fdtdec_get_byte_array(fdt, node, "registers-default",
152 priv->buffer, priv->nregs);
153 if (ret)
154 dev_dbg(dev, "No registers-default property\n");
155
156 ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe,
** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
_____________________________________________________________________________________________
*** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
394 /* Configure TX/RX decsriptor size
395 * This size is calculated based on cache line.
396 */
397 desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT;
398 /* The descriptor size is at least 2 descriptor units. */
399 if (desc_size < 2)
>>> CID 640714: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "desc_size = 2U;".
400 desc_size = 2;
401 dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12);
402 dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) |
FTGMAC100_DBLAC_TXDES_SIZE(desc_size);
403 writel(dblac, &ftgmac100->dblac);
404
405 /* poll receive descriptor automatically */
** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
_____________________________________________________________________________________________
*** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
115 if (IS_ERR_VALUE(ret)) {
116 debug("SiFive UART clock not defined\n");
117 return 0;
118 }
119 } else {
120 clock = clk_get_rate(&clk);
>>> CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always false regardless of the values of its operands. This occurs as the logical operand of "!".
121 if (IS_ERR_VALUE(clock)) {
122 debug("SiFive UART clock get rate failed\n");
123 return 0;
124 }
125 }
126 plat->clock = clock;
** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
_____________________________________________________________________________________________
*** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
>>> CID 640712: (BAD_SHIFT)
>>> In expression "aperture - 2U << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
588 return 0;
589 }
590
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
** CID 640711: Memory - corruptions (OVERRUN)
_____________________________________________________________________________________________
*** CID 640711: Memory - corruptions (OVERRUN)
/cmd/ubi.c: 806 in do_ubi()
800 if (!size) {
801 size = (int64_t)ubi->avail_pebs * ubi->leb_size;
802 printf("No size specified -> Using max size (%lld)\n", size);
803 }
804 /* E.g., create volume */
805 if (argc == 3) {
>>> CID 640711: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 129 by passing argument "id" (which evaluates to 256) in call to "ubi_create_vol".
806 return ubi_create_vol(argv[2], size, dynamic, id,
807 skipcheck);
808 }
809 }
810
811 if (strncmp(argv[1], "remove", 6) == 0) {
** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
_____________________________________________________________________________________________
*** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
635 ptr = buf + 2;
636
637 printf("Resources of type %s (%02x):\n", argv[1], type);
638 if (!res_count) {
639 puts("None\n");
640 } else {
>>> CID 640710: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "res_count" as a loop boundary.
641 for (i = 0; i < res_count; ++i, ptr += 4)
642 printf("Index %d: %08x\n", i, get_unaligned_be32(ptr));
643 }
644
645 return 0;
646 }
** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
_____________________________________________________________________________________________
*** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
150 * The formula described in atmel datasheets (section "SMC Setup
151 * Register"):
152 *
153 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0]
154 */
155 ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val);
>>> CID 640709: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "0xffffffffffffffffUL << shift", where "shift" is known to be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", which is type "unsigned long".
156 conf->setup &= ~GENMASK(shift + 7, shift);
157 conf->setup |= val << shift;
158
159 return ret;
160 }
161 EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup);
** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
_____________________________________________________________________________________________
*** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
186 int ret;
187
188 ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1);
189 if (ofnode_valid(ep)) {
190 dss_port = ofnode_graph_get_remote_port(ep);
191 if (!ofnode_valid(dss_port))
>>> CID 640708: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "-19" to "ret" here, but that stored value is overwritten before it can be used.
192 ret = -ENODEV;
193
194 ret = ofnode_read_u32(dss_port, "reg", parent_vp);
195 if (ret)
196 return -ENODEV;
197 return 0;
** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in
max77663_ldo_val()
_____________________________________________________________________________________________
*** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in
max77663_ldo_val()
296
297 if (op == PMIC_OP_GET) {
298 *uV = 0;
299
300 ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK);
301 if (ret < 0)
>>> CID 640707: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
302 return ret;
303
304 *uV = ret;
305 return 0;
306 }
307
** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
_____________________________________________________________________________________________
*** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
271 static int aspeed_gpio_probe(struct udevice *dev)
272 {
273 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
274 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
275
276 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
277 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
278 priv->regs = devfdt_get_addr_ptr(dev);
279
280 return 0;
281 }
282
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
127 static int aspeed_gpio_probe(struct udevice *dev)
128 {
129 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
130 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
131
132 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
133 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
134 priv->regs = devfdt_get_addr_ptr(dev);
135
136 return 0;
137 }
138
** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
_____________________________________________________________________________________________
*** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
857 err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
858 sizeof(buf));
859 if (err)
860 return -1;
861 key_count = get_unaligned_be16(buf);
862 ptr = buf + 2;
>>> CID 640705: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "key_count" as a loop boundary.
863 for (i = 0; i < key_count; ++i, ptr += 4)
864 key_handles[i] = get_unaligned_be32(ptr);
865
866 /* now search a(/ the) key which we can access with the given auth */
867 for (i = 0; i < key_count; ++i) {
868 buf_len = sizeof(buf);
** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
_____________________________________________________________________________________________
*** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
193 /* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to
1 within 3000us*/
194 if (!reset) {
195 ret = readl_poll_timeout(reg, tmp, (tmp &
SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE),
196 3000);
197 }
198
>>> CID 640704: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
199 return ret;
200 }
201
202 int sdhci_cdns6_phy_adj(struct udevice *dev, struct
sdhci_cdns_plat *plat, u32 mode)
203 {
204 struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs;
** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
_____________________________________________________________________________________________
*** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
661 fdt_size_t size;
662 void *paddr;
663
664 ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev));
665
666 addr = devfdt_get_addr_size_index(dev, 0, &size);
>>> CID 640703: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "addr" is known to be equal to 18446744073709551615, overflows the type of "_val2", which is type "unsigned int".
667 ut_asserteq(0x8000, addr);
668 ut_asserteq(0x1000, size);
669
670 paddr = map_physmem(addr, 0, MAP_NOCACHE);
671 ut_assertnonnull(paddr);
672 ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0));
** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
_____________________________________________________________________________________________
*** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
79
80 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1);
81 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2);
82 if (!priv->lvds1 && !priv->lvds2) {
83 debug("ldb: No remote panel for '%s' (ret=%d)\n",
84 dev_read_name(dev), ret);
>>> CID 640702: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
85 return ret;
86 }
87
88 return 0;
89 }
90
** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
_____________________________________________________________________________________________
*** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
371 if (ret)
372 goto done;
373 }
374 done:
375 spi_cs_deactivate(spi->dev);
376
>>> CID 640701: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
377 return ret;
378 }
379
380 static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width)
381 {
382 u32 mode = slave->mode;
** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config()
_____________________________________________________________________________________________
*** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in
xilinxgmiitorgmii_config()
37 ret = ofnode_parse_phandle_with_args(node, "phy-handle",
38 NULL, 0, 0, &phandle);
39 if (ret)
40 return ret;
41
42 ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1);
>>> CID 640700: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << ext_phyaddr", shifting by a negative amount has undefined behavior. The shift amount, "ext_phyaddr", is -1.
43 ext_phydev = phy_find_by_mask(phydev->bus,
44 1 << ext_phyaddr);
45 if (!ext_phydev) {
46 printf("%s, No external phy device found\n", __func__);
47 return -EINVAL;
48 }
** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
_____________________________________________________________________________________________
*** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
256
257 if ((event & RXFVE_MASK) && (data_in)) {
258 rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET);
259 if (rf_cnt >= CHUNK_SIZE)
260 rx_bytes = CHUNK_SIZE;
261 else if (num_blks == 1 && rf_cnt == num_bytes)
>>> CID 640699: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "rx_bytes = num_bytes;".
262 rx_bytes = num_bytes;
263 else
264 continue;
265
266 if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) {
267 num_blks -= CHUNK_SIZE;
** CID 640698: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640698: Insecure data handling (TAINTED_SCALAR)
/drivers/net/bnxt/bnxt.c: 446 in bnxt_hwrm_ver_get()
440 req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req;
441 resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp;
442 hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len);
443 req->hwrm_intf_maj = HWRM_VERSION_MAJOR;
444 req->hwrm_intf_min = HWRM_VERSION_MINOR;
445 req->hwrm_intf_upd = HWRM_VERSION_UPDATE;
>>> CID 640698: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which uses it as an offset.
446 rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__);
447 if (rc)
448 return STATUS_FAILURE;
449
450 bp->hwrm_spec_code =
451 resp->hwrm_intf_maj_8b << 16 |
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
next reply other threads:[~2026-01-06 20:36 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-06 20:36 Tom Rini [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-05-11 22:35 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
2026-05-08 23:42 Tom Rini
2026-05-14 15:39 ` Lucien.Jheng
2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
2026-05-01 22:51 ` Raymond Mao
2026-05-12 8:44 ` Christian Pötzsch
2026-05-12 18:38 ` Tom Rini
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260106203601.GK3416603@bill-the-cat \
--to=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.