Hi,
Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
49 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 49 defect(s)
** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
________________________________________________________________________________________________________ *** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count() 111 unsigned int j; 112 int count = 0; 113 114 /* Add up reg counts for each mapping. */ 115 for_each_mapping_type(i, mapping) { 116 iterate_mapping(mapping, j, map) {
CID 457912: Concurrent data access violations (MISSING_LOCK) Accessing "map->reg_count" without holding lock "sdei_ev_map.lock". Elsewhere, "sdei_ev_map.reg_count" is written to with "sdei_ev_map.lock" held 2 out of 3 times.
117 count += map->reg_count; 118 } 119 } 120 121 return count;
** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
________________________________________________________________________________________________________ *** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke() 795 ret = MTK_CPUPM_E_ERR; 796 break; 797 #endif /* CPU_PM_SUSPEND_NOTIFY */ 798 799 #ifdef CPU_PM_PWR_REQ 800 case CPUPM_INVOKE_PWR_REQ_ACTIVE:
CID 457911: Null pointer dereferences (REVERSE_INULL) Null-checking "priv" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
801 if (priv) { 802 if (req->stat.uid == CPUPM_PWR_REQ_UID_MAGIC) 803 req->stat.uid = CPUPM_PWR_STAT_REQ_UID_MAGIC; 804 else 805 ret = MTK_CPUPM_E_ERR; 806 } else
** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll()
________________________________________________________________________________________________________ *** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll() 122 any = 1; 123 acc *= base; 124 acc += c; 125 } 126 } 127 if (any < 0) {
CID 457910: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808LL : 9223372036854775807LL" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long long".
128 acc = neg ? LLONG_MIN : LLONG_MAX; 129 } else if (neg) 130 acc = -acc; 131 if (endptr != NULL) 132 *endptr = (char *)(any ? s - 1 : nptr); 133 return (acc);
** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
________________________________________________________________________________________________________ *** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() 153 const unsigned int ext_acttopre = picos_to_mclk(clk, 154 pdimm->tras_ps) >> 4U; 155 const unsigned int ext_acttorw = picos_to_mclk(clk, 156 pdimm->trcd_ps) >> 4U; 157 const unsigned int ext_caslat = (2U * cas_latency - 1U) >> 4U; 158 const unsigned int ext_add_lat = additive_latency >> 4U;
CID 457909: (INTEGER_OVERFLOW) Expression "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", where "picos_to_mclk(clk, pdimm->trfc1_ps)" is known to be equal to 0, underflows the type of "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", which is type "unsigned int".
159 const unsigned int ext_refrec = (picos_to_mclk(clk, 160 pdimm->trfc1_ps) - 8U) >> 4U; 161 const unsigned int ext_wrrec = (picos_to_mclk(clk, pdimm->twr_ps) + 162 (popts->otf_burst_chop_en ? 2U : 0U)) >> 4U; 163 const unsigned int rwt_same_cs = 0U; 164 const unsigned int wrt_same_cs = 0U; /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg() 122 const int acttorw_mclk = picos_to_mclk(clk, pdimm->trcd_ps); 123 const int caslat_ctrl = (cas_latency - 1) << 1; 124 const int trfc1_min = pdimm->die_density >= 0x3 ? 16000 : 125 (pdimm->die_density == 0x4 ? 26000 : 126 (pdimm->die_density == 0x5 ? 35000 : 127 55000));
CID 457909: (INTEGER_OVERFLOW) Expression "refrec_ctrl", where "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U" is known to be equal to 4294967288, overflows the type of "refrec_ctrl", which is type "int const".
128 const int refrec_ctrl = picos_to_mclk(clk, 129 pdimm->trfc1_ps) - 8; 130 int wrrec_mclk = picos_to_mclk(clk, pdimm->twr_ps); 131 const int acttoact_mclk = max(picos_to_mclk(clk, 132 pdimm->trrds_ps), 133 4U);
** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() /drivers/marvell/amb_adec.c: 60 in amb_check_win()
________________________________________________________________________________________________________ *** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() 64 } 65 66 /* size parameter validity check */ 67 if (!IS_POWER_OF_2(win->win_size)) { 68 WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n", 69 win_num, win->win_size);
CID 457908: (INTEGER_OVERFLOW) Expression "win->win_size - 1UL", where "win->win_size" is known to be equal to 0, underflows the type of "win->win_size - 1UL", which is type "unsigned long".
70 win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size); 71 WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size); 72 } 73 } 74 75 static void amb_enable_win(struct addr_map_win *win, uint32_t win_num) /drivers/marvell/amb_adec.c: 60 in amb_check_win() 54 } 55 56 base_addr = win->base_addr << AMB_BASE_OFFSET; 57 /* for AMB The base is always 1M aligned */ 58 /* check if address is aligned to 1M */ 59 if (IS_NOT_ALIGN(base_addr, AMB_WIN_ALIGNMENT_1M)) {
CID 457908: (INTEGER_OVERFLOW) Expression "base_addr + 1048576U", where "base_addr" is known to be equal to 4294901760, overflows the type of "base_addr + 1048576U", which is type "unsigned int".
60 win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M); 61 WARN("Window %d: base address unaligned to 0x%x\n", 62 win_num, AMB_WIN_ALIGNMENT_1M); 63 WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr); 64 } 65
** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
________________________________________________________________________________________________________ *** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt() 768 /* Enable PCM WDT (normal mode) to start count if needed */ 769 if (en) { 770 mmio_clrsetbits_32(PCM_CON1, REG_PCM_WDT_WAKE_LSB, 771 SPM_REGWR_CFG_KEY); 772 773 if (mmio_read_32(PCM_TIMER_VAL) > PCM_TIMER_MAX)
CID 457907: Control flow issues (DEADCODE) Execution cannot reach this statement: "mmio_write_32(469779860UL, ...".
774 mmio_write_32(PCM_TIMER_VAL, PCM_TIMER_MAX); 775 mmio_write_32(PCM_WDT_VAL, mmio_read_32(PCM_TIMER_VAL) + 776 PCM_WDT_TIMEOUT); 777 mmio_setbits_32(PCM_CON1, SPM_REGWR_CFG_KEY | 778 REG_PCM_WDT_EN_LSB); 779 } else {
** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
________________________________________________________________________________________________________ *** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease() 1268 cpurstrelease_status = mmio_read_32(SOCFPGA_RSTMGR(CPURSTRELEASE)); 1269 1270 if ((cpurstrelease_status & RSTMGR_CPUSTRELEASE_CPUx) == cpu_id) { 1271 return RSTMGR_RET_OK; 1272 } 1273 udelay(1000);
CID 457906: Integer handling issues (INTEGER_OVERFLOW) Expression "timeout--", where "timeout" is known to be equal to 0, underflows the type of "timeout--", which is type "unsigned int".
1274 } while (timeout-- > 0); 1275 1276 return RSTMGR_RET_ERROR;
** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in ()
________________________________________________________________________________________________________ *** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in () 17 #include <assert.h> 18 #include <stddef.h> 19 #include <stdint.h> 20 #include <stddef.h> 21 22 #if defined(__ARM_NEON)
CID 457905: Parse warnings (PARSE_ERROR) cannot open source file "arm_neon.h"
23 #include <arm_neon.h> 24 #define MBEDTLS_HAVE_NEON_INTRINSICS 25 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 26 #include <arm64_neon.h> 27 #define MBEDTLS_HAVE_NEON_INTRINSICS 28 #endif
** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
________________________________________________________________________________________________________ *** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate() 511 512 rate64 *= m; 513 rate64 = rate64 / p; 514 515 if (k != 0) { 516 /* fractional mode */
CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "24000000U * k" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
517 uint64_t frac_rate64 = 24000000 * k; 518 519 postdiv = p * 65536; 520 frac_rate64 = frac_rate64 / postdiv; 521 rate64 += frac_rate64; 522 }
** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
________________________________________________________________________________________________________ *** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg() 1899 data_low = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2)); 1900 data_high = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2 + 1)); 1901 } 1902 1903 /* odpg mbus dm definition is opposite to ddr4 protocol */ 1904 if (dm_dir == DM_DIR_INVERSE)
CID 457903: Integer handling issues (INTEGER_OVERFLOW) Expression "dm_data", where "~((data_low & 0xfU) | (data_high & 0xf0U))" is known to be equal to 255, overflows the type of "dm_data", which is type "u8".
1905 dm_data = ~((data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK)); 1906 else 1907 dm_data = (data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK); 1908 1909 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_LOW_REG, data_low, MASK_ALL_BITS); 1910 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_HIGH_REG, data_high, MASK_ALL_BITS);
** CID 457902: Insecure data handling (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 495 in fdt_pack()
________________________________________________________________________________________________________ *** CID 457902: Insecure data handling (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 495 in fdt_pack() 489 int mem_rsv_size; 490 491 FDT_RW_PROBE(fdt); 492 493 mem_rsv_size = (fdt_num_mem_rsv(fdt)+1) 494 * sizeof(struct fdt_reserve_entry);
CID 457902: Insecure data handling (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_struct), fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
495 fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt), 496 fdt_size_dt_strings(fdt)); 497 fdt_set_totalsize(fdt, fdt_data_size_(fdt)); 498 499 return 0;
** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
________________________________________________________________________________________________________ *** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd() 105 ret = pmif_check_idle(arb->mstid); 106 if (ret) 107 goto done; 108 109 /* Send the command. */ 110 offset = arb->regs[PMIF_SWINF_3_ACC];
CID 457901: Integer handling issues (INTEGER_OVERFLOW) Expression "opc << 30", where "opc" is known to be equal to 2, overflows the type of "opc << 30", which is type "int".
111 mmio_write_32((uintptr_t)(arb->base + offset), PMIF_RW_CMD_SET(opc, 0, sid, bc, addr)); 112 /* 113 * Wait for Software Interface FSM state to be WFVLDCLR, 114 * read the data and clear the valid flag. 115 */ 116 ret = pmif_check_vldclr(arb->mstid);
** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
________________________________________________________________________________________________________ *** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable() 45 /* Enable all architected counters by default */ 46 write_amcntenset0(AMCNTENSET0_Pn_MASK); 47 if (is_feat_amu_aux_supported()) { 48 unsigned int core_pos = plat_my_core_pos(); 49 50 /* Something went wrong if we're trying to write higher bits */
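CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "get_amu_aux_enables(core_pos) & 4294901760U /* ~0xffffU */" is always 0 regardless of the values of its operands. This occurs as a value. If so, the assert on line 51 can never fail, so it does not guard the value passed to write_amcntenset1() on line 52.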
51 assert((get_amu_aux_enables(core_pos) & ~AMCNTENSET1_Pn_MASK) == 0); 52 write_amcntenset1(get_amu_aux_enables(core_pos)); 53 } 54 55 /* Bail out if FEAT_AMUv1p1 features are not present. */ 56 if (!is_feat_amuv1p1_supported()) {
** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 474 in fdt_open_into() /lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
________________________________________________________________________________________________________ *** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 474 in fdt_open_into() 468 /* Try right after the old tree instead */ 469 tmp = (char *)(uintptr_t)fdtend; 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473
CID 457899: (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt)); 476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); /lib/libfdt/fdt_rw.c: 476 in fdt_open_into() 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473 474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt));
CID 457899: (INTEGER_OVERFLOW) "newsize", which might have underflowed, is passed to "memmove(buf, tmp, newsize)". [Note: The source code implementation of the function has been overridden by a builtin model.]
476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); 480 fdt_set_version(buf, 17); 481 fdt_set_last_comp_version(buf, 16);
** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
________________________________________________________________________________________________________ *** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off() 136 gpio[1] |= 0x2; /* set high */ 137 dmbst(); 138 139 mdelay(100); 140 } 141
CID 457898: Control flow issues (UNREACHABLE) This code cannot be reached: "wfi();".
142 wfi(); 143 ERROR("SQ System Off: operation not handled.\n"); 144 panic(); 145 #endif 146 } 147
** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
________________________________________________________________________________________________________ *** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training() 634 CHECK_STATUS(ddr3_tip_configure_odpg 635 (dev_num, access_type, interface_num, direction, 636 pattern_table[pattern].num_of_phases_tx, tx_burst_size, 637 pattern_table[pattern].num_of_phases_rx, 638 delay_between_burst, rd_mode, effective_cs, STRESS_NONE, 639 DURATION_SINGLE));
CID 457897: Integer handling issues (INTEGER_OVERFLOW) Expression "reg_data", where "(direction == OPER_READ) ? 0 : -1073741824" is known to be equal to -1073741824, overflows the type of "reg_data", which is type "u32".
640 reg_data = (direction == OPER_READ) ? 0 : (0x3 << 30); 641 reg_data |= (direction == OPER_READ) ? 0x60 : 0xfa; 642 CHECK_STATUS(ddr3_tip_if_write 643 (dev_num, access_type, interface_num, 644 ODPG_WR_RD_MODE_ENA_REG, reg_data, 645 MASK_ALL_BITS));
** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
________________________________________________________________________________________________________ *** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra() 63 domain_emi_view = domain_emi_view - DOMAIN_11; 64 clr_bit = 0x7 << (domain_emi_view * 3 + 1); 65 set_bit = domain_infra_view << (domain_emi_view * 3 + 1); 66 mmio_clrsetbits_32(base, clr_bit, set_bit); 67 } else { 68 base = DEVAPC_INFRA_DOM_RMP_0;
CID 457896: Integer handling issues (INTEGER_OVERFLOW) Expression "clr_bit", where "3 << domain_emi_view * 3U" is known to be equal to -1073741824, overflows the type of "clr_bit", which is type "uint32_t".
69 clr_bit = 0x3 << (domain_emi_view * 3); 70 set_bit = domain_infra_view << (domain_emi_view * 3); 71 mmio_clrsetbits_32(base, clr_bit, set_bit); 72 73 base = DEVAPC_INFRA_DOM_RMP_1; 74 set_bit = (domain_infra_view & 0x4) >> 2;
** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
________________________________________________________________________________________________________ *** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() 290 } 291 292 tmp = rwmax; 293 c = &cdd[25]; 294 rwmax = findmax(c, 16U); 295 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
296 rwmax = tmp; 297 } 298 299 wrmax = wwmax; 300 301 break; /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() 235 236 switch (rank) { 237 case 1U: 238 tmp = rwmax; 239 rwmax = cdd[40]; 240 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
241 rwmax = tmp; 242 } 243 244 break; 245 246 case 2U: /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val() 264 buf[1] = cdd[39]; 265 buf[2] = cdd[36]; 266 buf[3] = cdd[35]; 267 tmp = rwmax; 268 rwmax = findmax(buf, 4U); 269 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
270 rwmax = tmp; 271 } 272 273 wrmax = wwmax; 274 275 break;
** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol()
________________________________________________________________________________________________________ *** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol() 121 any = 1; 122 acc *= base; 123 acc += c; 124 } 125 } 126 if (any < 0) {
CID 457894: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808L : 9223372036854775807L" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long".
127 acc = neg ? LONG_MIN : LONG_MAX; 128 } else if (neg) 129 acc = -acc; 130 if (endptr != NULL) 131 *endptr = (char *)(any ? s - 1 : nptr); 132 return (acc);
** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
________________________________________________________________________________________________________ *** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() 967 tmp = 0; 968 else if (tmp1 < 5) 969 tmp = tmp1 - 1; 970 else 971 tmp = tmp1 - 5; 972 } else {
CID 457893: (INTEGER_OVERFLOW) Expression "tmp1 - 2U", where "tmp1" is known to be equal to 0, underflows the type of "tmp1 - 2U", which is type "unsigned int".
973 tmp = tmp1 - 2; 974 } 975 976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1() 970 else 971 tmp = tmp1 - 5; 972 } else { 973 tmp = tmp1 - 2; 974 } 975
CID 457893: (INTEGER_OVERFLOW) Expression "tmp << 24", where "tmp" is known to be equal to 4294967294, overflows the type of "tmp << 24", which is type "uint32_t".
976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ 979 if ((timing_config->freq <= TDFI_LAT_THRESHOLD_FREQ) && 980 (pdram_timing->cl >= 5)) 981 tmp = pdram_timing->cl - 5;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=ove...