* New Defect(s) reported by Coverity Scan
@ 2013-01-29 20:00 Scan Subscription
0 siblings, 0 replies; 14+ messages in thread
From: Scan Subscription @ 2013-01-29 20:00 UTC (permalink / raw)
To: linux-kernel; +Cc: John W. Linville
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 967920: Allocation too small for type (SIZECHECK)
/drivers/net/wireless/ath/wil6210/pcie_bus.c: 146
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=967920
###########################################################################
Defect Details:
___________________________________________________________________________
CID 967920: Allocation too small for type (SIZECHECK)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=967920
/drivers/net/wireless/ath/wil6210/pcie_bus.c: 146 ( buffer_alloc)
143 /* rollback to err_iounmap */
144 dev_info(&pdev->dev, "CSR at %pR -> %p\n", &pdev->resource[0], csr);
145
>>> "wil_if_alloc(dev, csr)" allocates memory.
146 wil = wil_if_alloc(dev, csr);
147 if (IS_ERR(wil)) {
148 rc = (int)PTR_ERR(wil);
149 dev_err(dev, "wil_if_alloc failed: %d\n", rc);
150 goto err_iounmap;
/drivers/net/wireless/ath/wil6210/pcie_bus.c: 146 ( size_error)
143 /* rollback to err_iounmap */
144 dev_info(&pdev->dev, "CSR at %pR -> %p\n", &pdev->resource[0], csr);
145
>>> CID 967920: Allocation too small for type (SIZECHECK) Allocating 920
>>> bytes to pointer of type struct wil6210_priv, which needs at least 2304 bytes.
146 wil = wil_if_alloc(dev, csr);
147 if (IS_ERR(wil)) {
148 rc = (int)PTR_ERR(wil);
149 dev_err(dev, "wil_if_alloc failed: %d\n", rc);
150 goto err_iounmap;
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
Your username should be the first part of your email address. If you don't have a username, you can request one by emailing: scan-admin at coverity.com
Thank you,
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin at coverity.com
http://scan.coverity.com
* Re: New Defect(s) reported by Coverity Scan
2013-04-01 22:34 Scan Subscription
2013-04-01 22:53 ` David Miller
@ 2013-04-08 18:33 ` Steven Rostedt
1 sibling, 0 replies; 14+ messages in thread
From: Steven Rostedt @ 2013-04-08 18:33 UTC (permalink / raw)
To: Scan Subscription; +Cc: linux-kernel
Removed others Cc'd.
On Mon, 2013-04-01 at 22:34 +0000, Scan Subscription wrote:
> http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=102438
>
> /kernel/trace/trace.c: 2431 ( var_compare_op)
> 2428 int ret;
> 2429
> 2430 if (iter->ent == NULL) {
> >>> Comparing "iter->tr" to null implies that "iter->tr" might be null.
> 2431 if (iter->tr) {
The only bug here is the unnecessary check of iter->tr. It will never be
NULL here. I'll fix this when I get around to it, but it is really low
on the priority list.
-- Steve
> 2432 seq_printf(m, "# tracer: %s\n", iter->trace->name);
> 2433 seq_puts(m, "#\n");
> 2434 test_ftrace_alive(m);
> 2435 }
> >>> CID 102438: Dereference after null check (FORWARD_NULL) Passing
> >>> "iter" to function "trace_empty(struct trace_iterator *)", which dereferences null "iter->tr".
> 2436 if (iter->snapshot && trace_empty(iter))
> 2437 print_snapshot_help(m, iter);
> 2438 else if (iter->trace && iter->trace->print_header)
> 2439 iter->trace->print_header(m);
> 2440 else
>
* New Defect(s) reported by Coverity Scan
@ 2013-04-05 15:32 Scan Subscription
0 siblings, 0 replies; 14+ messages in thread
From: Scan Subscription @ 2013-04-05 15:32 UTC (permalink / raw)
To: linux-kernel
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 996157: Logically dead code (DEADCODE)
/net/mac80211/sta_info.c: 808
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=996157
###########################################################################
Defect Details:
___________________________________________________________________________
CID 996157: Logically dead code (DEADCODE)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=996157
/net/mac80211/sta_info.c: 803 ( assignment)
797 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
798 __ieee80211_key_free(key_mtx_dereference(local, sta->gtk[i]));
>>> Assigning: "have_key" = "true".
799 have_key = true;
800 }
801 if (sta->ptk) {
802 __ieee80211_key_free(key_mtx_dereference(local, sta->ptk));
>>> Assigning: "have_key" = "true".
803 have_key = true;
804 }
805 mutex_unlock(&local->key_mtx);
806
>>> At condition "have_key", the value of "have_key" must be equal to 1.
>>> The condition "!have_key" cannot be true.
807 if (!have_key)
>>> CID 996157: Logically dead code (DEADCODE) Execution cannot reach
>>> this statement "synchronize_net();".
808 synchronize_net();
809
810 sta->dead = true;
811
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
If you don't have a username, you can register at http://scan.coverity.com/
Thank you,
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin at coverity.com
http://scan.coverity.com
* Re: New Defect(s) reported by Coverity Scan
2013-04-01 22:34 Scan Subscription
@ 2013-04-01 22:53 ` David Miller
2013-04-08 18:33 ` Steven Rostedt
1 sibling, 0 replies; 14+ messages in thread
From: David Miller @ 2013-04-01 22:53 UTC (permalink / raw)
To: scan-subscription; +Cc: linux-kernel, linville, airlied, rostedt
Please take me off of the CC list for these reports.
Thank you.
* New Defect(s) reported by Coverity Scan
@ 2013-04-01 22:34 Scan Subscription
2013-04-01 22:53 ` David Miller
2013-04-08 18:33 ` Steven Rostedt
0 siblings, 2 replies; 14+ messages in thread
From: Scan Subscription @ 2013-04-01 22:34 UTC (permalink / raw)
To: linux-kernel; +Cc: davem, linville, airlied, rostedt
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 993740: Copy-paste error (COPY_PASTE_ERROR)
/net/l2tp/l2tp_core.c: 1780
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=993740
** CID 990693: Out-of-bounds access (OVERRUN)
/drivers/net/wireless/iwlwifi/pcie/tx.c: 1653
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=990693
** CID 990226: Structurally dead code (UNREACHABLE)
/drivers/gpu/drm/nouveau/nv50_display.c: 484
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=990226
** CID 989738: Array compared against 0 (NO_EFFECT)
/drivers/net/wireless/iwlwifi/pcie/tx.c: 1267
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989738
** CID 989735: Unchecked return value (CHECKED_RETURN)
/drivers/net/usb/ax88179_178a.c: 1180
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989735
** CID 989734: Unchecked return value (CHECKED_RETURN)
/drivers/net/usb/ax88179_178a.c: 388
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989734
** CID 102438: Dereference after null check (FORWARD_NULL)
/kernel/trace/trace.c: 2436
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=102438
###########################################################################
Defect Details:
___________________________________________________________________________
CID 993740: Copy-paste error (COPY_PASTE_ERROR)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=993740
/net/l2tp/l2tp_core.c: 1774 ( original)
1771 int l2tp_session_delete(struct l2tp_session *session)
1772 {
1773 if (session->ref)
>>> "*session->ref" looks like the original copy.
1774 (*session->ref)(session);
1775 __l2tp_session_unhash(session);
1776 l2tp_session_queue_purge(session);
1777 if (session->session_close != NULL)
1778 (*session->session_close)(session);
1779 if (session->deref)
>>> CID 993740: Copy-paste error (COPY_PASTE_ERROR) "ref" in
>>> "*session->ref" looks like a copy-paste error. Should it say "deref" instead?
1780 (*session->ref)(session);
1781 l2tp_session_dec_refcount(session);
1782 return 0;
1783 }
1784 EXPORT_SYMBOL_GPL(l2tp_session_delete);
________________________________________________________________________
CID 990693: Out-of-bounds access (OVERRUN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=990693
/drivers/net/wireless/iwlwifi/pcie/tx.c: 1653 ( overrun-buffer-arg)
1650 tx_cmd->tx_flags |= TX_CMD_FLG_MH_PAD_MSK;
1651
1652 /* The first TB points to the scratchbuf data - min_copy bytes */
>>> CID 990693: Out-of-bounds access (OVERRUN) Overrunning struct type
>>> iwl_cmd_header of 4 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL".
1653 memcpy(&txq->scratchbufs[q->write_ptr], &dev_cmd->hdr,
1654 IWL_HCMD_SCRATCHBUF_SIZE);
1655 iwl_pcie_txq_build_tfd(trans, txq, tb0_phys,
1656 IWL_HCMD_SCRATCHBUF_SIZE, 1);
1657
________________________________________________________________________
CID 990226: Structurally dead code (UNREACHABLE)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=990226
/drivers/gpu/drm/nouveau/nv50_display.c: 484 ( unreachable)
481 if (nouveau_bo_rd32(flip->disp->sync, flip->chan->addr / 4) ==
482 flip->chan->data);
483 return true;
>>> CID 990226: Structurally dead code (UNREACHABLE) This code cannot be
>>> reached: "usleep_range(1UL, 2UL);".
484 usleep_range(1, 2);
485 return false;
486 }
487
488 void
________________________________________________________________________
CID 989738: Array compared against 0 (NO_EFFECT)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989738
/drivers/net/wireless/iwlwifi/pcie/tx.c: 1267 ( array_null)
1264 for (i = 0; i < IWL_MAX_CMD_TBS_PER_TFD; i++) {
1265 int copy = 0;
1266
>>> CID 989738: Array compared against 0 (NO_EFFECT) Comparing an array
>>> to null is not useful: "!cmd->len".
1267 if (!cmd->len)
1268 continue;
1269
1270 /* need at least IWL_HCMD_SCRATCHBUF_SIZE copied */
1271 if (copy_size < IWL_HCMD_SCRATCHBUF_SIZE) {
________________________________________________________________________
CID 989735: Unchecked return value (CHECKED_RETURN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989735
/drivers/net/usb/ax88179_178a.c: 1180 ( check_return)
1177 if (((skb->len + 8) % frame_size) == 0)
1178 tx_hdr2 |= 0x80008000; /* Enable padding */
1179
>>> CID 989735: Unchecked return value (CHECKED_RETURN) Calling function
>>> "skb_linearize(struct sk_buff *)" without checking return value (as is done elsewhere 39 out of 45 times).
>>> No check of the return value of "skb_linearize(skb)".
1180 skb_linearize(skb);
1181 headroom = skb_headroom(skb);
1182 tailroom = skb_tailroom(skb);
1183
1184 if (!skb_header_cloned(skb) &&
________________________________________________________________________
CID 989734: Unchecked return value (CHECKED_RETURN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=989734
/drivers/net/usb/ax88179_178a.c: 388 ( check_return)
385 u16 tmp16;
386 u8 tmp8;
387
>>> CID 989734: Unchecked return value (CHECKED_RETURN) Calling function
>>> "usbnet_suspend(struct usb_interface *, pm_message_t)" without checking return value (as is done elsewhere 4 out of 5 times).
>>> No check of the return value of "usbnet_suspend(intf, message)".
388 usbnet_suspend(intf, message);
389
390 /* Disable RX path */
391 ax88179_read_cmd_nopm(dev, AX_ACCESS_MAC, AX_MEDIUM_STATUS_MODE,
392 2, 2, &tmp16);
________________________________________________________________________
CID 102438: Dereference after null check (FORWARD_NULL)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=102438
/kernel/trace/trace.c: 2431 ( var_compare_op)
2428 int ret;
2429
2430 if (iter->ent == NULL) {
>>> Comparing "iter->tr" to null implies that "iter->tr" might be null.
2431 if (iter->tr) {
2432 seq_printf(m, "# tracer: %s\n", iter->trace->name);
2433 seq_puts(m, "#\n");
2434 test_ftrace_alive(m);
2435 }
>>> CID 102438: Dereference after null check (FORWARD_NULL) Passing
>>> "iter" to function "trace_empty(struct trace_iterator *)", which dereferences null "iter->tr".
2436 if (iter->snapshot && trace_empty(iter))
2437 print_snapshot_help(m, iter);
2438 else if (iter->trace && iter->trace->print_header)
2439 iter->trace->print_header(m);
2440 else
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
If you don't have a username, you can register at http://scan.coverity.com/user_register.html
Thank you,
Dakshesh Vyas
Coverity Scan-Admin
scan-admin at coverity.com
http://scan.coverity.com
* Re: New Defect(s) reported by Coverity Scan
2013-02-13 23:22 ` Borislav Petkov
@ 2013-02-13 23:24 ` H. Peter Anvin
0 siblings, 0 replies; 14+ messages in thread
From: H. Peter Anvin @ 2013-02-13 23:24 UTC (permalink / raw)
To: Borislav Petkov, Scan Subscription, linux-kernel, David Woodhouse
On 02/13/2013 03:22 PM, Borislav Petkov wrote:
> On Wed, Feb 13, 2013 at 03:15:26PM -0800, H. Peter Anvin wrote:
>> Not really, since exit() does that. We might want it for clarity's
>> sake, though.
>
> Well, I would add a comment only then and teach the tool when parsing
> exit() to know that - no need for fixing perfectly good code only for a
> tool's sake.
>
No, but clarity is good. It isn't just the tool that might get annoyed.
-hpa
* Re: New Defect(s) reported by Coverity Scan
2013-02-13 23:15 ` H. Peter Anvin
@ 2013-02-13 23:22 ` Borislav Petkov
2013-02-13 23:24 ` H. Peter Anvin
0 siblings, 1 reply; 14+ messages in thread
From: Borislav Petkov @ 2013-02-13 23:22 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: Scan Subscription, linux-kernel, David Woodhouse
On Wed, Feb 13, 2013 at 03:15:26PM -0800, H. Peter Anvin wrote:
> Not really, since exit() does that. We might want it for clarity's
> sake, though.
Well, I would add a comment only then and teach the tool when parsing
exit() to know that - no need for fixing perfectly good code only for a
tool's sake.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
* Re: New Defect(s) reported by Coverity Scan
2013-02-13 19:13 ` Borislav Petkov
@ 2013-02-13 23:15 ` H. Peter Anvin
2013-02-13 23:22 ` Borislav Petkov
0 siblings, 1 reply; 14+ messages in thread
From: H. Peter Anvin @ 2013-02-13 23:15 UTC (permalink / raw)
To: Borislav Petkov, Scan Subscription, linux-kernel, David Woodhouse
On 02/13/2013 11:13 AM, Borislav Petkov wrote:
>
> and it might really need fclose() there for correctness' sake.
>
Not really, since exit() does that. We might want it for clarity's
sake, though.
-hpa
* Re: New Defect(s) reported by Coverity Scan
2013-02-13 18:55 ` Scan Subscription
@ 2013-02-13 19:13 ` Borislav Petkov
2013-02-13 23:15 ` H. Peter Anvin
0 siblings, 1 reply; 14+ messages in thread
From: Borislav Petkov @ 2013-02-13 19:13 UTC (permalink / raw)
To: Scan Subscription; +Cc: linux-kernel, hpa, David Woodhouse
On Wed, Feb 13, 2013 at 06:55:03PM +0000, Scan Subscription wrote:
> Hi Boris
>
> There is no fclose(file) call in parse_zoffset() function
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob_plain;f=arch/x86/boot/tools/build.c;hb=HEAD
>
> There is only one flcose call in this file and it is in the main() function
> Let us know if I am missing anything
Right, I was staring at older sources, sorry.
This parse_zoffset() thing has come in just recently with
commit 99f857db8857aff691c51302f93648263ed07eb1
Author: David Woodhouse <David.Woodhouse@intel.com>
Date: Thu Jan 10 14:31:59 2013 +0000
x86, build: Dynamically find entry points in compressed startup code
and it might really need fclose() there for correctness' sake.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
* RE: New Defect(s) reported by Coverity Scan
2013-02-13 18:38 ` Borislav Petkov
@ 2013-02-13 18:55 ` Scan Subscription
2013-02-13 19:13 ` Borislav Petkov
0 siblings, 1 reply; 14+ messages in thread
From: Scan Subscription @ 2013-02-13 18:55 UTC (permalink / raw)
To: Borislav Petkov; +Cc: linux-kernel, hpa
Hi Boris
There is no fclose(file) call in parse_zoffset() function
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob_plain;f=arch/x86/boot/tools/build.c;hb=HEAD
There is only one fclose call in this file and it is in the main() function
Let us know if I am missing anything
Thanks
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin at coverity.com
http://scan.coverity.com
________________________________________
From: Borislav Petkov [bp@alien8.de]
Sent: Wednesday, February 13, 2013 10:38 AM
To: Scan Subscription
Cc: linux-kernel@vger.kernel.org; hpa@zytor.com
Subject: Re: New Defect(s) reported by Coverity Scan
On Wed, Feb 13, 2013 at 05:40:11PM +0000, Scan Subscription wrote:
> Hi,
>
> Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
>
>
> Defect(s) Reported-by: Coverity Scan:
> ___________________________________________________________________________
> ** CID 971353: Resource leak (RESOURCE_LEAK)
> /arch/x86/boot/tools/build.c: 259
> http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
>
>
> ###########################################################################
> Defect Details:
> ___________________________________________________________________________
> CID 971353: Resource leak (RESOURCE_LEAK)
> http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
>
> /arch/x86/boot/tools/build.c: 240 ( alloc_fn)
>
> 234 static void parse_zoffset(char *fname)
> 235 {
> 236 FILE *file;
> 237 char *p;
> 238 int c;
> 239
> >>> Storage is returned from allocation function "fopen(char const * restrict, char const * restrict)".
> >>> Assigning: "file" = storage returned from "fopen(fname, "r")".
> 240 file = fopen(fname, "r");
> 241 if (!file)
> 242 die("Unable to open `%s': %m", fname);
> >>> Resource "file" is not freed or pointed-to in function "fread(void * restrict, size_t, size_t, FILE * restrict)".
> 243 c = fread(buf, 1, sizeof(buf) - 1, file);
> >>> Resource "file" is not freed or pointed-to in function "ferror(FILE *)".
> 244 if (ferror(file))
> 245 die("read-error on `zoffset.h'");
> 246 buf[c] = 0;
> 247
>
>
> /arch/x86/boot/tools/build.c: 259 ( leaked_storage)
> 256 while (p && (*p == '\r' || *p == '\n'))
> 257 p++;
> 258 }
> >>> CID 971353: Resource leak (RESOURCE_LEAK) Variable "file" going out
> >>> of scope leaks the storage it points to.
Well, we do
fclose(file)
a couple of lines later in the same function.
The only problem I can see is that we don't fclose the file when ferror
returns non-NULL but that shouldn't matter because we die() then and all
resources are automatically freed.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
* Re: New Defect(s) reported by Coverity Scan
2013-02-13 17:40 Scan Subscription
@ 2013-02-13 18:38 ` Borislav Petkov
2013-02-13 18:55 ` Scan Subscription
0 siblings, 1 reply; 14+ messages in thread
From: Borislav Petkov @ 2013-02-13 18:38 UTC (permalink / raw)
To: Scan Subscription; +Cc: linux-kernel, hpa
On Wed, Feb 13, 2013 at 05:40:11PM +0000, Scan Subscription wrote:
> Hi,
>
> Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
>
>
> Defect(s) Reported-by: Coverity Scan:
> ___________________________________________________________________________
> ** CID 971353: Resource leak (RESOURCE_LEAK)
> /arch/x86/boot/tools/build.c: 259
> http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
>
>
> ###########################################################################
> Defect Details:
> ___________________________________________________________________________
> CID 971353: Resource leak (RESOURCE_LEAK)
> http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
>
> /arch/x86/boot/tools/build.c: 240 ( alloc_fn)
>
> 234 static void parse_zoffset(char *fname)
> 235 {
> 236 FILE *file;
> 237 char *p;
> 238 int c;
> 239
> >>> Storage is returned from allocation function "fopen(char const * restrict, char const * restrict)".
> >>> Assigning: "file" = storage returned from "fopen(fname, "r")".
> 240 file = fopen(fname, "r");
> 241 if (!file)
> 242 die("Unable to open `%s': %m", fname);
> >>> Resource "file" is not freed or pointed-to in function "fread(void * restrict, size_t, size_t, FILE * restrict)".
> 243 c = fread(buf, 1, sizeof(buf) - 1, file);
> >>> Resource "file" is not freed or pointed-to in function "ferror(FILE *)".
> 244 if (ferror(file))
> 245 die("read-error on `zoffset.h'");
> 246 buf[c] = 0;
> 247
>
>
> /arch/x86/boot/tools/build.c: 259 ( leaked_storage)
> 256 while (p && (*p == '\r' || *p == '\n'))
> 257 p++;
> 258 }
> >>> CID 971353: Resource leak (RESOURCE_LEAK) Variable "file" going out
> >>> of scope leaks the storage it points to.
Well, we do
fclose(file)
a couple of lines later in the same function.
The only problem I can see is that we don't fclose the file when ferror
returns non-NULL but that shouldn't matter because we die() then and all
resources are automatically freed.
--
Regards/Gruss,
Boris.
Sent from a fat crate under my desk. Formatting is fine.
--
* New Defect(s) reported by Coverity Scan
@ 2013-02-13 17:40 Scan Subscription
2013-02-13 18:38 ` Borislav Petkov
0 siblings, 1 reply; 14+ messages in thread
From: Scan Subscription @ 2013-02-13 17:40 UTC (permalink / raw)
To: linux-kernel; +Cc: hpa
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 971353: Resource leak (RESOURCE_LEAK)
/arch/x86/boot/tools/build.c: 259
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
###########################################################################
Defect Details:
___________________________________________________________________________
CID 971353: Resource leak (RESOURCE_LEAK)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=971353
/arch/x86/boot/tools/build.c: 240 ( alloc_fn)
234 static void parse_zoffset(char *fname)
235 {
236 FILE *file;
237 char *p;
238 int c;
239
>>> Storage is returned from allocation function "fopen(char const * restrict, char const * restrict)".
>>> Assigning: "file" = storage returned from "fopen(fname, "r")".
240 file = fopen(fname, "r");
241 if (!file)
242 die("Unable to open `%s': %m", fname);
>>> Resource "file" is not freed or pointed-to in function "fread(void * restrict, size_t, size_t, FILE * restrict)".
243 c = fread(buf, 1, sizeof(buf) - 1, file);
>>> Resource "file" is not freed or pointed-to in function "ferror(FILE *)".
244 if (ferror(file))
245 die("read-error on `zoffset.h'");
246 buf[c] = 0;
247
/arch/x86/boot/tools/build.c: 259 ( leaked_storage)
256 while (p && (*p == '\r' || *p == '\n'))
257 p++;
258 }
>>> CID 971353: Resource leak (RESOURCE_LEAK) Variable "file" going out
>>> of scope leaks the storage it points to.
259 }
260
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
Your username should be the first part of your email address. If you don't have a username, you can request one by emailing: scan-admin at coverity.com
Thank you,
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin at coverity.com
http://scan.coverity.com
* New Defect(s) reported by Coverity Scan
@ 2013-01-01 0:13 Scan Subscription
0 siblings, 0 replies; 14+ messages in thread
From: Scan Subscription @ 2013-01-01 0:13 UTC (permalink / raw)
To: linux-kernel
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 753114: Use after free (USE_AFTER_FREE)
/drivers/block/rbd.c: 3662
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753114
** CID 753112: Uninitialized scalar variable (UNINIT)
/fs/f2fs/node.c: 713
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753112
** CID 753111: Uninitialized scalar variable (UNINIT)
/drivers/block/rbd.c: 2641
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753111
** CID 753110: Use of untrusted scalar value (TAINTED_SCALAR)
/fs/nfsd/fault_inject.c: 138
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753110
** CID 753109: Dereference null return value (NULL_RETURNS)
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1109
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753109
** CID 753108: Dereference null return value (NULL_RETURNS)
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1207
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753108
** CID 753107: Dereference null return value (NULL_RETURNS)
/drivers/infiniband/hw/cxgb4/cm.c: 2910
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753107
** CID 753106: Dereference null return value (NULL_RETURNS)
/drivers/infiniband/hw/cxgb4/cm.c: 1463
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753106
** CID 753105: Data race condition (MISSING_LOCK)
/fs/f2fs/node.h: 68
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753105
** CID 753104: Data race condition (MISSING_LOCK)
/fs/f2fs/node.h: 67
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753104
** CID 753103: Explicit null dereferenced (FORWARD_NULL)
/fs/f2fs/acl.c: 200
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753103
** CID 753102: Unchecked return value (CHECKED_RETURN)
/fs/f2fs/recovery.c: 70
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753102
** CID 753101: Unchecked return value (CHECKED_RETURN)
/drivers/vfio/pci/vfio_pci.c: 59
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753101
###########################################################################
Defect Details:
___________________________________________________________________________
CID 753114: Use after free (USE_AFTER_FREE)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753114
/drivers/block/rbd.c: 3627 ( freed_arg)
3624 if (rc < 0)
3625 goto err_out_module;
3626
>>> "rbd_get_client(struct ceph_options *)" frees "ceph_opts".
3627 rbdc = rbd_get_client(ceph_opts);
3628 if (IS_ERR(rbdc)) {
3629 rc = PTR_ERR(rbdc);
3630 goto err_out_args;
3631 }
/drivers/block/rbd.c: 3662 ( deref_arg)
3659 rbd_put_client(rbdc);
3660 err_out_args:
3661 if (ceph_opts)
>>> CID 753114: Use after free (USE_AFTER_FREE) Calling
>>> "ceph_destroy_options(struct ceph_options *)" dereferences freed pointer "ceph_opts".
3662 ceph_destroy_options(ceph_opts);
3663 kfree(rbd_opts);
3664 rbd_spec_put(spec);
3665 err_out_module:
3666 module_put(THIS_MODULE);
________________________________________________________________________
CID 753112: Uninitialized scalar variable (UNINIT)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753112
/fs/f2fs/node.c: 663 ( var_decl)
660 int level, offset[4], noffset[4];
661 unsigned int nofs;
662 struct f2fs_node *rn;
>>> Declaring variable "dn" without initializer.
663 struct dnode_of_data dn;
664 struct page *page;
665
666 level = get_node_path(from, offset, noffset);
667
/fs/f2fs/node.c: 713 ( uninit_use_in_call)
710
711 case NODE_IND1_BLOCK:
712 case NODE_IND2_BLOCK:
>>> CID 753112: Uninitialized scalar variable (UNINIT) Using
>>> uninitialized value "dn": field "dn"."data_blkaddr" is uninitialized when calling "truncate_nodes(struct dnode_of_data *, unsigned int, int, int)".
713 err = truncate_nodes(&dn, nofs, offset[1], 2);
714 break;
715
716 case NODE_DIND_BLOCK:
717 err = truncate_nodes(&dn, nofs, offset[1], 3);
________________________________________________________________________
CID 753111: Uninitialized scalar variable (UNINIT)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753111
/drivers/block/rbd.c: 2596 ( var_decl)
2593 struct ceph_osd_client *osdc;
2594 const char *name;
2595 void *reply_buf = NULL;
>>> Declaring variable "ret" without initializer.
2596 int ret;
2597
2598 if (rbd_dev->spec->pool_name)
2599 return 0; /* Already have the names */
2600
/drivers/block/rbd.c: 2641 ( uninit_use)
2638 kfree(rbd_dev->spec->pool_name);
2639 rbd_dev->spec->pool_name = NULL;
2640
>>> CID 753111: Uninitialized scalar variable (UNINIT) Using
>>> uninitialized value "ret".
2641 return ret;
2642 }
2643
2644 static int rbd_dev_v2_snap_context(struct rbd_device *rbd_dev, u64 *ver)
2645 {
________________________________________________________________________
CID 753110: Use of untrusted scalar value (TAINTED_SCALAR)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753110
/fs/nfsd/fault_inject.c: 130 ( tainted_data_argument)
127 struct sockaddr_storage sa;
128 u64 val;
129
>>> Calling function "copy_from_user(void *, void const *, unsigned long)" taints argument "write_buf".
130 if (copy_from_user(write_buf, buf, size))
131 return -EFAULT;
132 write_buf[size] = '\0';
133
134 size = rpc_pton(net, write_buf, size, (struct sockaddr *)&sa, sizeof(sa));
/fs/nfsd/fault_inject.c: 138 ( tainted_data)
135 if (size > 0)
136 nfsd_inject_set_client(file->f_dentry->d_inode->i_private, &sa, size);
137 else {
>>> CID 753110: Use of untrusted scalar value (TAINTED_SCALAR) Passing
>>> tainted variable "write_buf" to a tainted sink.
138 val = simple_strtoll(write_buf, NULL, 0);
139 nfsd_inject_set(file->f_dentry->d_inode->i_private, val);
140 }
141 return len; /* on success, claim we got the whole input */
142 }
________________________________________________________________________
CID 753109: Dereference null return value (NULL_RETURNS)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753109
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1108 ( returned_null)
1105
1106 ftid = adapter->tids.ftid_base + fidx;
1107
>>> Function "alloc_skb(unsigned int, gfp_t)" returns null (checked 379 out of 403 times).
1108 skb = alloc_skb(sizeof(*fwr), GFP_KERNEL | __GFP_NOFAIL);
1109 fwr = (struct fw_filter_wr *)__skb_put(skb, sizeof(*fwr));
1110 memset(fwr, 0, sizeof(*fwr));
1111
1112 /* It would be nice to put most of the following in t4_hw.c but most
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1108 ( var_assigned)
1105
1106 ftid = adapter->tids.ftid_base + fidx;
1107
>>> Assigning: "skb" = null return value from "alloc_skb(unsigned int, gfp_t)".
1108 skb = alloc_skb(sizeof(*fwr), GFP_KERNEL | __GFP_NOFAIL);
1109 fwr = (struct fw_filter_wr *)__skb_put(skb, sizeof(*fwr));
1110 memset(fwr, 0, sizeof(*fwr));
1111
1112 /* It would be nice to put most of the following in t4_hw.c but most
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1109 ( dereference)
1106 ftid = adapter->tids.ftid_base + fidx;
1107
1108 skb = alloc_skb(sizeof(*fwr), GFP_KERNEL | __GFP_NOFAIL);
>>> CID 753109: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "skb" when calling "__skb_put(struct sk_buff *, unsigned int)".
1109 fwr = (struct fw_filter_wr *)__skb_put(skb, sizeof(*fwr));
1110 memset(fwr, 0, sizeof(*fwr));
1111
1112 /* It would be nice to put most of the following in t4_hw.c but most
1113 * of the work is translating the cxgbtool ch_filter_specification
________________________________________________________________________
CID 753108: Dereference null return value (NULL_RETURNS)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753108
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1206 ( returned_null)
1203 len = sizeof(*fwr);
1204 ftid = adapter->tids.ftid_base + fidx;
1205
>>> Function "alloc_skb(unsigned int, gfp_t)" returns null (checked 379 out of 403 times).
1206 skb = alloc_skb(len, GFP_KERNEL | __GFP_NOFAIL);
1207 fwr = (struct fw_filter_wr *)__skb_put(skb, len);
1208 t4_mk_filtdelwr(ftid, fwr, adapter->sge.fw_evtq.abs_id);
1209
1210 /* Mark the filter as "pending" and ship off the Filter Work Request.
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1206 ( var_assigned)
1203 len = sizeof(*fwr);
1204 ftid = adapter->tids.ftid_base + fidx;
1205
>>> Assigning: "skb" = null return value from "alloc_skb(unsigned int, gfp_t)".
1206 skb = alloc_skb(len, GFP_KERNEL | __GFP_NOFAIL);
1207 fwr = (struct fw_filter_wr *)__skb_put(skb, len);
1208 t4_mk_filtdelwr(ftid, fwr, adapter->sge.fw_evtq.abs_id);
1209
1210 /* Mark the filter as "pending" and ship off the Filter Work Request.
/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c: 1207 ( dereference)
1204 ftid = adapter->tids.ftid_base + fidx;
1205
1206 skb = alloc_skb(len, GFP_KERNEL | __GFP_NOFAIL);
>>> CID 753108: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "skb" when calling "__skb_put(struct sk_buff *, unsigned int)".
1207 fwr = (struct fw_filter_wr *)__skb_put(skb, len);
1208 t4_mk_filtdelwr(ftid, fwr, adapter->sge.fw_evtq.abs_id);
1209
1210 /* Mark the filter as "pending" and ship off the Filter Work Request.
1211 * When we get the Work Request Reply we'll clear the pending status.
________________________________________________________________________
CID 753107: Dereference null return value (NULL_RETURNS)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753107
/drivers/infiniband/hw/cxgb4/cm.c: 2909 ( returned_null)
2906 struct fw_ofld_connection_wr *req;
2907 struct cpl_pass_accept_req *cpl = cplhdr(skb);
2908
>>> Function "alloc_skb(unsigned int, gfp_t)" returns null (checked 379 out of 403 times).
2909 req_skb = alloc_skb(sizeof(struct fw_ofld_connection_wr), GFP_KERNEL);
2910 req = (struct fw_ofld_connection_wr *)__skb_put(req_skb, sizeof(*req));
2911 memset(req, 0, sizeof(*req));
2912 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR) | FW_WR_COMPL(1));
2913 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
/drivers/infiniband/hw/cxgb4/cm.c: 2909 ( var_assigned)
2906 struct fw_ofld_connection_wr *req;
2907 struct cpl_pass_accept_req *cpl = cplhdr(skb);
2908
>>> Assigning: "req_skb" = null return value from "alloc_skb(unsigned int, gfp_t)".
2909 req_skb = alloc_skb(sizeof(struct fw_ofld_connection_wr), GFP_KERNEL);
2910 req = (struct fw_ofld_connection_wr *)__skb_put(req_skb, sizeof(*req));
2911 memset(req, 0, sizeof(*req));
2912 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR) | FW_WR_COMPL(1));
2913 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
/drivers/infiniband/hw/cxgb4/cm.c: 2910 ( dereference)
2907 struct cpl_pass_accept_req *cpl = cplhdr(skb);
2908
2909 req_skb = alloc_skb(sizeof(struct fw_ofld_connection_wr), GFP_KERNEL);
>>> CID 753107: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "req_skb" when calling "__skb_put(struct sk_buff *, unsigned int)".
2910 req = (struct fw_ofld_connection_wr *)__skb_put(req_skb, sizeof(*req));
2911 memset(req, 0, sizeof(*req));
2912 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR) | FW_WR_COMPL(1));
2913 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
2914 req->le.version_cpl = htonl(F_FW_OFLD_CONNECTION_WR_CPL);
________________________________________________________________________
CID 753106: Dereference null return value (NULL_RETURNS)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753106
/drivers/infiniband/hw/cxgb4/cm.c: 1462 ( returned_null)
1459 unsigned int mtu_idx;
1460 int wscale;
1461
>>> Function "get_skb(struct sk_buff *, int, gfp_t)" returns null (checked 10 out of 12 times).
1462 skb = get_skb(NULL, sizeof(*req), GFP_KERNEL);
1463 req = (struct fw_ofld_connection_wr *)__skb_put(skb, sizeof(*req));
1464 memset(req, 0, sizeof(*req));
1465 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR));
1466 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
/drivers/infiniband/hw/cxgb4/cm.c: 1462 ( var_assigned)
1459 unsigned int mtu_idx;
1460 int wscale;
1461
>>> Assigning: "skb" = null return value from "get_skb(struct sk_buff *, int, gfp_t)".
1462 skb = get_skb(NULL, sizeof(*req), GFP_KERNEL);
1463 req = (struct fw_ofld_connection_wr *)__skb_put(skb, sizeof(*req));
1464 memset(req, 0, sizeof(*req));
1465 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR));
1466 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
/drivers/infiniband/hw/cxgb4/cm.c: 1463 ( dereference)
1460 int wscale;
1461
1462 skb = get_skb(NULL, sizeof(*req), GFP_KERNEL);
>>> CID 753106: Dereference null return value (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "skb" when calling "__skb_put(struct sk_buff *, unsigned int)".
1463 req = (struct fw_ofld_connection_wr *)__skb_put(skb, sizeof(*req));
1464 memset(req, 0, sizeof(*req));
1465 req->op_compl = htonl(V_WR_OP(FW_OFLD_CONNECTION_WR));
1466 req->len16_pkd = htonl(FW_WR_LEN16(DIV_ROUND_UP(sizeof(*req), 16)));
1467 req->le.filter = cpu_to_be32(select_ntuple(ep->com.dev, ep->dst,
________________________________________________________________________
CID 753105: Data race condition (MISSING_LOCK)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753105
/fs/f2fs/node.h: 68 ( missing_lock)
65 {
66 ni->ino = le32_to_cpu(raw_ne->ino);
67 ni->blk_addr = le32_to_cpu(raw_ne->block_addr);
>>> CID 753105: Data race condition (MISSING_LOCK) Accessing
>>> "ni->version" without holding lock "f2fs_nm_info.nat_tree_lock". Elsewhere, "ni->version" is accessed with "f2fs_nm_info.nat_tree_lock" held 4 out of 5 times.
68 ni->version = raw_ne->version;
69 }
70
71 /*
72 * For free nid mangement
________________________________________________________________________
CID 753104: Data race condition (MISSING_LOCK)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753104
/fs/f2fs/node.h: 67 ( missing_lock)
64 struct f2fs_nat_entry *raw_ne)
65 {
66 ni->ino = le32_to_cpu(raw_ne->ino);
>>> CID 753104: Data race condition (MISSING_LOCK) Accessing
>>> "ni->blk_addr" without holding lock "f2fs_nm_info.nat_tree_lock". Elsewhere, "ni->blk_addr" is accessed with "f2fs_nm_info.nat_tree_lock" held 4 out of 5 times.
67 ni->blk_addr = le32_to_cpu(raw_ne->block_addr);
68 ni->version = raw_ne->version;
69 }
70
71 /*
________________________________________________________________________
CID 753103: Explicit null dereferenced (FORWARD_NULL)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753103
/fs/f2fs/acl.c: 172 ( assign_zero)
169 {
170 struct f2fs_sb_info *sbi = F2FS_SB(inode->i_sb);
171 int name_index = F2FS_XATTR_INDEX_POSIX_ACL_DEFAULT;
>>> Assigning: "value" = "NULL".
172 void *value = NULL;
173 struct posix_acl *acl;
174 int retval;
175
176 if (!test_opt(sbi, POSIX_ACL))
/fs/f2fs/acl.c: 200 ( var_deref_model)
197 else
198 acl = ERR_PTR(retval);
199 } else {
>>> CID 753103: Explicit null dereferenced (FORWARD_NULL) Passing null
>>> pointer "value" to function "f2fs_acl_from_disk(char const *, size_t)", which dereferences it.
200 acl = f2fs_acl_from_disk(value, retval);
201 }
202 kfree(value);
203 if (!IS_ERR(acl))
204 set_cached_acl(inode, type, acl);
________________________________________________________________________
CID 753102: Unchecked return value (CHECKED_RETURN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753102
/fs/f2fs/recovery.c: 70 ( check_return)
67 kunmap(page);
68 f2fs_put_page(page, 0);
69 } else {
>>> CID 753102: Unchecked return value (CHECKED_RETURN) Calling function
>>> "f2fs_add_link(struct dentry *, struct inode *)" without checking return value (as is done elsewhere 6 out of 7 times).
70 f2fs_add_link(&dent, inode);
71 }
72 iput(dir);
73 out:
74 kunmap(ipage);
/fs/f2fs/recovery.c: 70 ( unchecked_value)
67 kunmap(page);
68 f2fs_put_page(page, 0);
69 } else {
>>> No check of the return value of "f2fs_add_link(&dent, inode)".
70 f2fs_add_link(&dent, inode);
71 }
72 iput(dir);
73 out:
74 kunmap(ipage);
________________________________________________________________________
CID 753101: Unchecked return value (CHECKED_RETURN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=753101
/drivers/vfio/pci/vfio_pci.c: 59 ( check_return)
56
57 ret = vfio_config_init(vdev);
58 if (ret) {
>>> CID 753101: Unchecked return value (CHECKED_RETURN) Calling function
>>> "pci_load_and_free_saved_state(struct pci_dev *, struct pci_saved_state **)" without checking return value (as is done elsewhere 4 out of 5 times).
59 pci_load_and_free_saved_state(pdev, &vdev->pci_saved_state);
60 pci_disable_device(pdev);
61 return ret;
62 }
63
/drivers/vfio/pci/vfio_pci.c: 59 ( unchecked_value)
56
57 ret = vfio_config_init(vdev);
58 if (ret) {
>>> No check of the return value of "pci_load_and_free_saved_state(pdev, &vdev->pci_saved_state)".
59 pci_load_and_free_saved_state(pdev, &vdev->pci_saved_state);
60 pci_disable_device(pdev);
61 return ret;
62 }
63
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
Your username should be the first part of your email address. If you don't have a username, you can request one by emailing: scan-admin at coverity.com
Thank you,
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin at coverity.com
http://scan.coverity.com
* New Defect(s) reported by Coverity Scan
@ 2012-08-22 22:00 Scan Subscription
From: Scan Subscription @ 2012-08-22 22:00 UTC (permalink / raw)
To: linux-kernel
Hi,
Please find the latest report on new defect(s) that have been introduced to the Linux Kernel found with Coverity SCAN.
Defect(s) Reported-by: Coverity Scan:
___________________________________________________________________________
** CID 716812: Unchecked return value (CHECKED_RETURN)
/drivers/platform/x86/ideapad-laptop.c: 639
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=716812
** CID 715732: Macro compares unsigned to 0 (NO_EFFECT)
/drivers/gpu/drm/nouveau/nve0_fifo.c: 307
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=715732
** CID 715543: Dereference before null check (REVERSE_INULL)
/drivers/input/touchscreen/eeti_ts.c: 209
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=715543
###########################################################################
Defect Details:
___________________________________________________________________________
CID 716812: Unchecked return value (CHECKED_RETURN)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=716812
/drivers/platform/x86/ideapad-laptop.c: 639 ( check_return)
636 {
637 unsigned long bit, value;
638
>>> CID 716812: Unchecked return value (CHECKED_RETURN) Calling function
>>> "read_ec_data(acpi_handle, int, unsigned long *)" without checking return value (as is done elsewhere 23 out of 25 times).
>>> No check of the return value of "read_ec_data(ideapad_handle, 49, &value)".
639 read_ec_data(ideapad_handle, VPCCMD_R_SPECIAL_BUTTONS, &value);
640
641 for (bit = 0; bit < 16; bit++) {
642 if (test_bit(bit, &value)) {
643 switch (bit) {
________________________________________________________________________
CID 715732: Macro compares unsigned to 0 (NO_EFFECT)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=715732
/drivers/gpu/drm/nouveau/nve0_fifo.c: 307 ( unsigned_compare)
304 int ret = -EINVAL;
305
306 spin_lock_irqsave(&dev_priv->channels.lock, flags);
>>> CID 715732: Macro compares unsigned to 0 (NO_EFFECT) This
>>> greater-than-or-equal-to-zero comparison of an unsigned value is always true. "chid >= 0U".
307 if (likely(chid >= 0 && chid < priv->base.channels)) {
308 chan = dev_priv->channels.ptr[chid];
309 if (likely(chan))
310 ret = nouveau_finish_page_flip(chan, NULL);
311 }
________________________________________________________________________
CID 715543: Dereference before null check (REVERSE_INULL)
http://scan5.coverity.com:8080/sourcebrowser.htm?projectId=10063#mergedDefectId=715543
/drivers/input/touchscreen/eeti_ts.c: 202 ( deref_ptr)
199
200 priv->client = client;
201 priv->input = input;
>>> Directly dereferencing pointer "pdata".
202 priv->irq_gpio = pdata->irq_gpio;
203 priv->irq = gpio_to_irq(pdata->irq_gpio);
204
205 err = gpio_request_one(pdata->irq_gpio, GPIOF_IN, client->name);
206 if (err < 0)
207 goto err1;
208
>>> CID 715543: Dereference before null check (REVERSE_INULL)
>>> Null-checking "pdata" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
209 if (pdata)
210 priv->irq_active_high = pdata->irq_active_high;
211
212 irq_flags = priv->irq_active_high ?
213 IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING;
________________________________________________________________________
To view the defects in Coverity Scan visit, http://scan5.coverity.com:8080.
Your username should be the first part of your email address. If you don't have a username, you can request one by emailing: scan-admin@coverity.com
Thank you,
Dakshesh Vyas
Coverity SCAN-ADMIN
scan-admin@coverity.com
http://scan.coverity.com