From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Kory Maincent <kory.maincent@bootlin.com>,
Dan Carpenter <dan.carpenter@linaro.org>,
Varadarajan Narayanan <varadarajan.narayanan@oss.qualcomm.com>,
Bo-Chen Chen <rex-bc.chen@mediatek.com>,
David Lechner <dlechner@baylibre.com>,
Raymond Mao <raymondmaoca@gmail.com>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 6 Apr 2026 13:12:15 -0600
Message-ID: <20260406191215.GY41863@bill-the-cat>
Here's the latest report, now that I've merged next to master, locally
at least.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 6, 2026 at 12:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 11
- 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 11 of 11 defect(s)
Defect Details
** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
_____________________________________________________________________________________________
*** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
88 &devname,
89 &devices[i].devoff,
90 &devices[i].mdata_size,
91 &devices[i].erase_size);
92
93 if (rc < 3) {
>>> CID 645496: (USE_AFTER_FREE)
>>> Calling "free" frees pointer "devname" which has already been freed.
94 free(devname);
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
100
>>> CID 645496: (USE_AFTER_FREE)
>>> Using freed pointer "devname".
101 devices[i].devname = devname;
102 i++;
103 }
104
105 free(line);
106 fclose(fp);
** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
_____________________________________________________________________________________________
*** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
169 }
170 }
171 exit:
172 if (block)
173 free(block);
174
>>> CID 645495: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
175 return (ret == -1) ? -1 : nr_sect;
176 }
177
178 static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
179 {
180 return disk_rw(sect, nr_sect, buf, true);
** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
281
282 selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
283 if (selector < 0)
284 return selector;
285
286 selector &= info->desc.vsel_mask;
>>> CID 645494: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
287 selector >>= ffs(info->desc.vsel_mask) - 1;
288
289 return selector;
290 }
291
292 static int mt6359p_vemc_get_voltage_sel(struct udevice *dev,
struct mt6359_regulator_info *info)
** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
_____________________________________________________________________________________________
*** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
200
201 msg.out_msg = (u8 *)out;
202 msg.out_msg_sz = out_sz;
203 in.id = selector;
204 in.attr = 0;
205 if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
>>> CID 645493: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
({
do {...".
206 in.attr = FIELD_PREP(GENMASK(19, 18), 2);
207 in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
208 if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
209 in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
210
211 ret = devm_scmi_process_msg(dev, &msg);
** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
_____________________________________________________________________________________________
*** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
167 }
168
169 /* Get the offset of primary and secondary mdata */
170 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 0, &label);
171 if (ret)
172 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
173 strncpy(mtd_priv->pri_label, label, 50);
174
175 ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
176 if (ret <= 0)
177 return ret;
178 mtd_priv->pri_offset = offset;
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
177 return ret;
178 mtd_priv->pri_offset = offset;
179
180 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 1, &label);
181 if (ret)
182 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
183 strncpy(mtd_priv->sec_label, label, 50);
184
185 ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
186 if (ret <= 0)
187 return ret;
188 mtd_priv->sec_offset = offset;
** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
_____________________________________________________________________________________________
*** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
238 ofnode_read_u32(image, "size", &image_size);
239
240 mtd_images[off_img].start = bank_offset + image_offset;
241 mtd_images[off_img].size = image_size;
242 mtd_images[off_img].bank_num = bank_num;
243 mtd_images[off_img].image_num = image_num;
>>> CID 645491: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
244 strcpy(mtd_images[off_img].uuidbuf, uuid);
245 log_debug("\tImage%d: %s @0x%x\n\n",
246 image_num, uuid, bank_offset + image_offset);
247 off_img++;
248 }
249 }
** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
_____________________________________________________________________________________________
*** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
239
240 static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
241 struct mt6359_regulator_info *info, unsigned int sel)
242 {
243 int ret;
244
>>> CID 645490: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
245 sel <<= ffs(info->desc.vsel_mask) - 1;
246 ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR,
MT6359P_TMA_KEY);
247 if (ret)
248 return ret;
249
250 ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);
** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
_____________________________________________________________________________________________
*** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
228 };
229
230 static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
231 struct mt6359_regulator_info *info,
232 unsigned int sel)
233 {
>>> CID 645489: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
234 sel <<= ffs(info->desc.vsel_mask) - 1;
235
236 return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
237 info->desc.vsel_mask, sel);
238 }
239
** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
_____________________________________________________________________________________________
*** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
183 {
184 if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
185 fprintf(stderr, "Seek failed: %s\n", strerror(errno));
186 return -errno;
187 }
188
>>> CID 645488: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
189 if (read(dev->fd, buf, count) < 0) {
190 fprintf(stderr, "Read failed: %s\n", strerror(errno));
191 return -errno;
192 }
193
194 return 0;
** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
_____________________________________________________________________________________________
*** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
1093 * TODO:
1094 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
1095 */
1096 len += pgroups_size;
1097
1098 t = map_sysmem(*current, len);
>>> CID 645487: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1099 memset(t, 0, len);
1100
1101 fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
1102
1103 /* eos is at the end of the structure */
1104 eos_addr = (u8 *)t + len - sizeof(t->eos);
** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
306 return -EINVAL;
307 }
308 if (selector < 0)
309 return selector;
310
311 selector &= info->desc.vsel_mask;
>>> CID 645486: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
312 selector >>= ffs(info->desc.vsel_mask) - 1;
313
314 return selector;
315 }
316
317 static int mt6359_get_enable(struct udevice *dev)
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom