* New Defect found by Coverity Scan based on code change in last 1.5 week
@ 2012-07-06 17:32 Scan Subscription
From: Scan Subscription @ 2012-07-06 17:32 UTC (permalink / raw)
To: linux-kernel; +Cc: axboe, axboe, roland, viro, jkosina
New Defect found by Coverity Scan based on code change in last 1.5 week
Defect Summary
________________________________________________________________________
** CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317
Alexander Viro
** CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100
Roland Dreier
** CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442
Jiri Kosina
** CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459
Jiri Kosina
** CID 709551: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
Jens Axboe
** CID 709552: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
Jens Axboe
________________________________________________________________________
Defect Details:
________________________________________________________________________
CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317 ( array_assign)
311 struct page *pages[PIPE_DEF_BUFFERS];
312 struct partial_page partial[PIPE_DEF_BUFFERS];
...
316 int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.pages" = "pages".
317 struct splice_pipe_desc spd = {
318 .pages = pages,
319 .partial = partial,
320 .nr_pages_max = PIPE_DEF_BUFFERS,
321 .flags = flags,
/linux/fs/splice.c: 503 ( incorrect_free)
500 if (spd.nr_pages)
501 error = splice_to_pipe(pipe, &spd);
502
>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
503 splice_shrink_spd(&spd);
504 return error;
505 }
506
507 /**
/linux/fs/splice.c: 317 ( array_assign)
311 struct page *pages[PIPE_DEF_BUFFERS];
312 struct partial_page partial[PIPE_DEF_BUFFERS];
...
316 int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.partial" = "partial".
317 struct splice_pipe_desc spd = {
318 .pages = pages,
319 .partial = partial,
320 .nr_pages_max = PIPE_DEF_BUFFERS,
321 .flags = flags,
/linux/fs/splice.c: 503 ( incorrect_free)
500 if (spd.nr_pages)
501 error = splice_to_pipe(pipe, &spd);
502
>>> "splice_shrink_spd" frees incorrect pointer "spd.partial".
503 splice_shrink_spd(&spd);
504 return error;
505 }
506
507 /**
________________________________________________________________________
CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100 ( self_assign)
97 min(dev->attr.max_ord_per_qp, dev->attr.max_ird_per_qp);
98 attr->max_qp_init_rd_atom = dev->attr.max_ord_per_qp;
99 attr->max_srq = (dev->attr.max_qp - 1);
>>> CID 709210: Self assignment (NO_EFFECT.self_assign) Assignment
>>> operation "attr->max_srq_sge = attr->max_srq_sge" has no effect.
100 attr->max_srq_sge = attr->max_srq_sge;
101 attr->max_srq_wr = dev->attr.max_rqe;
102 attr->local_ca_ack_delay = dev->attr.local_ca_ack_delay;
103 attr->max_fast_reg_page_list_len = 0;
104 attr->max_pkeys = 1;
________________________________________________________________________
CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442 ( suspicious_sizeof)
439 struct dj_report *dj_report;
440 int retval;
441
>>> CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
442 dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
443 if (!dj_report)
444 return -ENOMEM;
445 dj_report->report_id = REPORT_ID_DJ_SHORT;
446 dj_report->device_index = 0xFF;
________________________________________________________________________
CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459 (suspicious_sizeof)
456 struct dj_report *dj_report;
457 int retval;
458
>>> CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
459 dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
460 if (!dj_report)
461 return -ENOMEM;
462 dj_report->report_id = REPORT_ID_DJ_SHORT;
463 dj_report->device_index = 0xFF;
________________________________________________________________________
CID 709551: Logically dead code (DEADCODE)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
2657 char buf[MTIP_DFS_MAX_BUF_SIZE];
2658 int size = *offset;
2659
>>> CID 709551: Logically dead code (DEADCODE.none) After this line, the
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
2660 if (!len || size)
2661 return 0;
2662
>>> On this path, the condition "size < 0" cannot be true.
2663 if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
2664 return -EINVAL;
2665
2666 size += sprintf(&buf[size], "Flag-port : [ %08lX ]\n",
2667 dd->port->flags);
2668 size += sprintf(&buf[size], "Flag-dd : [ %08lX ]\n",
________________________________________________________________________
CID 709552: Logically dead code (DEADCODE)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
2585 int size = *offset;
2586 int n;
2587
>>> CID 709552: Logically dead code (DEADCODE.none) After this line, the
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
2588 if (!len || size)
2589 return 0;
2590
>>> On this path, the condition "size < 0" cannot be true.
2591 if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
2592 return -EINVAL;
2593
2594 size += sprintf(&buf[size], "H/ S ACTive : [ 0x");
2595
2596 for (n = dd->slot_groups-1; n >= 0; n--)
________________________________________________________________________
The code snippets above provide the details you need to understand the defects.
You can also view the defects in Coverity Scan by visiting http://scan5.coverity.com:8080
Your username is usually the first part of your email address.
If you don't have a username, you can request one by emailing: scan-admin@coverity.com
________________________________________________________________________
Thanks
SCAN-ADMIN
Scan-admin@coverity.com
http://scan.coverity.com
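The two SIZEOF_MISMATCH hits (CIDs 709213 and 709214) are the security-relevant ones in this batch: `sizeof(dj_report)` measures the pointer, not the object, so `kzalloc()` hands back 8 bytes (on a 64-bit kernel) for a struct that is larger, and every field written past that point is a heap overflow. The following is an added illustration written for this page, not code from the kernel or from the hid-logitech-dj driver. It assumes a stand-in layout for `struct dj_report` with a 15-byte short report (`DJREPORT_SHORT_LENGTH`, `REPORT_ID_DJ_SHORT` and the `ALLOC_OBJ` macro are assumptions made here), and contrasts the flagged request size with the `sizeof(*dj_report)` form the report suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for the driver's struct dj_report. The first two field names
 * match the lines quoted in the report; the 15-byte short-report length
 * and the other fields are assumptions made for this example.
 */
#define DJREPORT_SHORT_LENGTH 15
#define REPORT_ID_DJ_SHORT    0x20   /* assumed value, used only as a marker */

struct dj_report {
    uint8_t report_id;
    uint8_t device_index;
    uint8_t report_type;
    uint8_t report_params[DJREPORT_SHORT_LENGTH - 3];
};

/* Bytes requested by the flagged call: sizeof(dj_report) measures the pointer. */
size_t buggy_request_size(void)
{
    struct dj_report *dj_report = NULL;
    return sizeof(dj_report);          /* sizeof(struct dj_report *), 8 on LP64 */
}

/* Bytes requested by the corrected call: sizeof(*dj_report) measures the object. */
size_t fixed_request_size(void)
{
    struct dj_report *dj_report = NULL;
    return sizeof(*dj_report);         /* DJREPORT_SHORT_LENGTH */
}

/*
 * How many bytes of the struct fall outside an allocation of `alloc` bytes.
 * 0 means every field is in bounds; anything else is the overflow width.
 */
size_t bytes_past_allocation(size_t alloc)
{
    return sizeof(struct dj_report) > alloc ? sizeof(struct dj_report) - alloc : 0;
}

/*
 * Allocation macro (assumed here, not the kernel's) that derives the size
 * from the pointee, so the pointer type and the request size cannot drift.
 */
#define ALLOC_OBJ(p) ((p) = calloc(1, sizeof(*(p))))

/*
 * Build a short report the way lines 442-446 of the driver do, but with the
 * object size. Returns 0 on success, -1 on allocation failure; *out owns
 * the buffer and the caller frees it.
 */
int build_short_report(uint8_t device_index, struct dj_report **out)
{
    struct dj_report *dj_report;

    if (!ALLOC_OBJ(dj_report))
        return -1;
    dj_report->report_id = REPORT_ID_DJ_SHORT;
    dj_report->device_index = device_index;
    /* Safe only because the allocation really is sizeof(*dj_report) bytes. */
    memset(dj_report->report_params, 0, sizeof(dj_report->report_params));
    *out = dj_report;
    return 0;
}

/* Exercise build_short_report(); returns 1 when the fields round-trip. */
int short_report_roundtrip(void)
{
    struct dj_report *r = NULL;
    int ok;

    if (build_short_report(0xFF, &r) != 0)
        return 0;
    ok = r->report_id == REPORT_ID_DJ_SHORT && r->device_index == 0xFF;
    free(r);
    return ok;
}
```

With the assumed layout, `bytes_past_allocation(buggy_request_size())` is 7 on a 64-bit build: the two writes quoted in the report (`report_id`, `device_index`) land inside the 8-byte allocation, so the bug is silent until something touches the tail of `report_params`, which is exactly why a static checker rather than a crash is what found it.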
* Re: New Defect found by Coverity Scan based on code change in last 1.5 week
@ 2012-07-07 1:28 ` Cong Wang
From: Cong Wang @ 2012-07-07 1:28 UTC (permalink / raw)
To: Scan Subscription; +Cc: linux-kernel, axboe, roland, viro, jkosina
On Sat, Jul 7, 2012 at 1:32 AM, Scan Subscription
<scan-subscription@coverity.com> wrote:
> ________________________________________________________________________
> CID 200075: Free of array-typed value (BAD_FREE.array)
>
> /linux/fs/splice.c: 317 ( array_assign)
> 311 struct page *pages[PIPE_DEF_BUFFERS];
> 312 struct partial_page partial[PIPE_DEF_BUFFERS];
> ...
> 316 int error, page_nr;
>>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>>> Assigning: "spd.pages" = "pages".
> 317 struct splice_pipe_desc spd = {
> 318 .pages = pages,
> 319 .partial = partial,
> 320 .nr_pages_max = PIPE_DEF_BUFFERS,
> 321 .flags = flags,
>
> /linux/fs/splice.c: 503 ( incorrect_free)
> 500 if (spd.nr_pages)
> 501 error = splice_to_pipe(pipe, &spd);
> 502
>>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
> 503 splice_shrink_spd(&spd);
> 504 return error;
> 505 }
> 506
> 507 /**
This one should be bogus: splice_shrink_spd() only
frees it when spd->nr_pages_max > PIPE_DEF_BUFFERS,
because splice_grow_spd() only allocates memory
in that case. Otherwise, the array allocated on the stack is
used.
Thanks.
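The invariant behind that reply, as an added example that is not part of the thread and not the kernel's own code: a small model of the splice_grow_spd() / splice_shrink_spd() pairing. The stack arrays declared at lines 311-312 stay in use when the pipe has no more than `PIPE_DEF_BUFFERS` slots; heap arrays replace them only for larger pipes, and `nr_pages_max` records which case applies so that shrink frees exactly what grow allocated. The value `PIPE_DEF_BUFFERS = 16` is assumed here, `-1` stands in for `-ENOMEM`, and the model goes one step beyond what the reply describes by clearing the pointers on a failed grow so that a stray shrink afterwards cannot double free.

```c
#include <stddef.h>
#include <stdlib.h>

#define PIPE_DEF_BUFFERS 16     /* assumed default slot count for this model */

struct page;                    /* opaque here; only pointers are stored */
struct partial_page { unsigned int offset, len; };

struct splice_pipe_desc {
    struct page **pages;
    struct partial_page *partial;
    unsigned int nr_pages;
    unsigned int nr_pages_max;
};

/*
 * Model of splice_grow_spd(): for a pipe of at most PIPE_DEF_BUFFERS slots
 * the caller's stack arrays are kept; for a larger pipe heap arrays replace
 * them. Returns 0, or -1 (standing in for -ENOMEM) when allocation fails.
 */
int grow_spd(unsigned int pipe_buffers, struct splice_pipe_desc *spd)
{
    spd->nr_pages_max = pipe_buffers;
    if (pipe_buffers <= PIPE_DEF_BUFFERS)
        return 0;                       /* stack arrays stay in place */

    spd->pages = calloc(pipe_buffers, sizeof(*spd->pages));
    spd->partial = calloc(pipe_buffers, sizeof(*spd->partial));
    if (spd->pages && spd->partial)
        return 0;

    free(spd->pages);
    free(spd->partial);
    spd->pages = NULL;                  /* hardening added in this model */
    spd->partial = NULL;
    return -1;
}

/*
 * Model of splice_shrink_spd(): free only what grow_spd() allocated.
 * nr_pages_max is the record of which case we are in; the analyzer did not
 * track it, which is why the stack arrays looked like they were freed.
 */
void shrink_spd(struct splice_pipe_desc *spd)
{
    if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
        return;
    free(spd->pages);
    free(spd->partial);
}

/*
 * Drive the pattern for a pipe of `pipe_buffers` slots, mirroring the
 * caller shape at lines 311-321 and 500-503.
 * Returns 0 if the stack arrays were used throughout, 1 if heap arrays
 * were allocated and released, -1 if grow failed.
 */
int run_splice_pattern(unsigned int pipe_buffers)
{
    struct page *pages[PIPE_DEF_BUFFERS];
    struct partial_page partial[PIPE_DEF_BUFFERS];
    struct splice_pipe_desc spd = {
        .pages = pages,
        .partial = partial,
        .nr_pages_max = PIPE_DEF_BUFFERS,
    };
    int used_heap;

    if (grow_spd(pipe_buffers, &spd) < 0)
        return -1;
    used_heap = (spd.pages != pages);
    /* real code fills spd.pages[0 .. spd.nr_pages_max-1] here */
    shrink_spd(&spd);                   /* frees nothing in the stack case */
    return used_heap;
}
```

Running `run_splice_pattern()` with 4 or 16 slots never calls `free()` on the stack arrays, which is the path the checker could not see; 64 slots takes the heap path, and the same `shrink_spd()` call releases both arrays.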