* New Defect found by Coverity Scan based on code change in last 1.5 week
@ 2012-07-06 17:32 Scan Subscription
  2012-07-07  1:28 ` Cong Wang
From: Scan Subscription @ 2012-07-06 17:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: axboe, axboe, roland, viro, jkosina


New Defect found by Coverity Scan based on code change in last 1.5 week

Defect Summary
________________________________________________________________________
** CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317
Alexander Viro 

** CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100
Roland Dreier 

** CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442
Jiri Kosina 

** CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459
Jiri Kosina

** CID 709551: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
Jens Axboe 

** CID 709552: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
Jens Axboe 

________________________________________________________________________
Defect Details:
________________________________________________________________________
CID 200075: Free of array-typed value (BAD_FREE.array)

/linux/fs/splice.c: 317 ( array_assign)
   311     struct page *pages[PIPE_DEF_BUFFERS];
   312     struct partial_page partial[PIPE_DEF_BUFFERS];
...
   316     int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.pages" = "pages".
   317     struct splice_pipe_desc spd = {
   318      .pages = pages,
   319      .partial = partial,
   320      .nr_pages_max = PIPE_DEF_BUFFERS,
   321      .flags = flags,
  
/linux/fs/splice.c: 503 ( incorrect_free)
   500     if (spd.nr_pages)
   501      error = splice_to_pipe(pipe, &spd);
   502    
>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
   503     splice_shrink_spd(&spd);
   504     return error;
   505    }
   506    
   507    /**
  
/linux/fs/splice.c: 317 ( array_assign)
   311     struct page *pages[PIPE_DEF_BUFFERS];
   312     struct partial_page partial[PIPE_DEF_BUFFERS];
...
   316     int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.partial" = "partial".
   317     struct splice_pipe_desc spd = {
   318      .pages = pages,
   319      .partial = partial,
   320      .nr_pages_max = PIPE_DEF_BUFFERS,
   321      .flags = flags,
  
/linux/fs/splice.c: 503 ( incorrect_free)
   500     if (spd.nr_pages)
   501      error = splice_to_pipe(pipe, &spd);
   502    
>>> "splice_shrink_spd" frees incorrect pointer "spd.partial".
   503     splice_shrink_spd(&spd);
   504     return error;
   505    }
   506    
   507    /**
  
________________________________________________________________________
CID 709210: Self assignment (NO_EFFECT.self_assign)

/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100 ( self_assign)
   97         min(dev->attr.max_ord_per_qp, dev->attr.max_ird_per_qp);
   98     attr->max_qp_init_rd_atom = dev->attr.max_ord_per_qp;
   99     attr->max_srq = (dev->attr.max_qp - 1);
>>> CID 709210: Self assignment (NO_EFFECT.self_assign) Assignment 
>>> operation "attr->max_srq_sge = attr->max_srq_sge" has no effect.
   100     attr->max_srq_sge = attr->max_srq_sge;
   101     attr->max_srq_wr = dev->attr.max_rqe;
   102     attr->local_ca_ack_delay = dev->attr.local_ca_ack_delay;
   103     attr->max_fast_reg_page_list_len = 0;
   104     attr->max_pkeys = 1;
  
________________________________________________________________________
CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)

/linux/drivers/hid/hid-logitech-dj.c: 442 ( suspicious_sizeof)
   439     struct dj_report *dj_report;
   440     int retval;
   441    
>>> CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof) 
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.  
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
   442     dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
   443     if (!dj_report)
   444      return -ENOMEM;
   445     dj_report->report_id = REPORT_ID_DJ_SHORT;
   446     dj_report->device_index = 0xFF;
  
________________________________________________________________________
CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)

/linux/drivers/hid/hid-logitech-dj.c: 459 (suspicious_sizeof)
   456     struct dj_report *dj_report;
   457     int retval;
   458    
>>> CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof) 
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.  
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
   459     dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
   460     if (!dj_report)
   461      return -ENOMEM;
   462     dj_report->report_id = REPORT_ID_DJ_SHORT;
   463     dj_report->device_index = 0xFF;
  
________________________________________________________________________
CID 709551: Logically dead code (DEADCODE)

/linux/drivers/block/mtip32xx/mtip32xx.c: 2660 
   2657     char buf[MTIP_DFS_MAX_BUF_SIZE];
   2658     int size = *offset;
   2659    
>>> CID 709551: Logically dead code (DEADCODE.none) After this line, the 
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
   2660     if (!len || size)
   2661      return 0;
   2662    
>>> On this path, the condition "size < 0" cannot be true.
   2663     if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
   2664      return -EINVAL;
   2665    
   2666     size += sprintf(&buf[size], "Flag-port : [ %08lX ]\n",
   2667           dd->port->flags);
   2668     size += sprintf(&buf[size], "Flag-dd   : [ %08lX ]\n",
  
________________________________________________________________________
CID 709552: Logically dead code (DEADCODE)

/linux/drivers/block/mtip32xx/mtip32xx.c: 2588 
   2585     int size = *offset;
   2586     int n;
   2587    
>>> CID 709552: Logically dead code (DEADCODE.none) After this line, the 
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
   2588     if (!len || size)
   2589      return 0;
   2590    
>>> On this path, the condition "size < 0" cannot be true.
   2591     if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
   2592      return -EINVAL;
   2593    
   2594     size += sprintf(&buf[size], "H/ S ACTive      : [ 0x");
   2595    
   2596     for (n = dd->slot_groups-1; n >= 0; n--)
  
________________________________________________________________________

The code snippets above give you the details needed to understand each defect.
You can also view these defects in Coverity Scan by visiting http://scan5.coverity.com:8080
Your username is usually the first part of your email address.
If you don't have a username, you can request one by emailing:  scan-admin@coverity.com
________________________________________________________________________

Thanks
SCAN-ADMIN 
Scan-admin@coverity.com
http://scan.coverity.com


* Re: New Defect found by Coverity Scan based on code change in last 1.5 week
  2012-07-06 17:32 New Defect found by Coverity Scan based on code change in last 1.5 week Scan Subscription
@ 2012-07-07  1:28 ` Cong Wang
From: Cong Wang @ 2012-07-07  1:28 UTC (permalink / raw)
  To: Scan Subscription; +Cc: linux-kernel, axboe, roland, viro, jkosina

On Sat, Jul 7, 2012 at 1:32 AM, Scan Subscription
<scan-subscription@coverity.com> wrote:
> ________________________________________________________________________
> CID 200075: Free of array-typed value (BAD_FREE.array)
>
> /linux/fs/splice.c: 317 ( array_assign)
>    311     struct page *pages[PIPE_DEF_BUFFERS];
>    312     struct partial_page partial[PIPE_DEF_BUFFERS];
> ...
>    316     int error, page_nr;
>>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>>> Assigning: "spd.pages" = "pages".
>    317     struct splice_pipe_desc spd = {
>    318      .pages = pages,
>    319      .partial = partial,
>    320      .nr_pages_max = PIPE_DEF_BUFFERS,
>    321      .flags = flags,
>
> /linux/fs/splice.c: 503 ( incorrect_free)
>    500     if (spd.nr_pages)
>    501      error = splice_to_pipe(pipe, &spd);
>    502
>>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
>    503     splice_shrink_spd(&spd);
>    504     return error;
>    505    }
>    506
>    507    /**

This one should be bogus: splice_shrink_spd() only frees spd->pages and
spd->partial when spd->nr_pages_max > PIPE_DEF_BUFFERS, because
splice_grow_spd() only allocates memory in that case. Otherwise the
arrays allocated on the stack are used, and splice_shrink_spd() never
passes them to kfree().

Thanks.

