Hi,
Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
49 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 49 defect(s)
** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
________________________________________________________________________________________________________ *** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count() 111 unsigned int j; 112 int count = 0; 113 114 /* Add up reg counts for each mapping. */ 115 for_each_mapping_type(i, mapping) { 116 iterate_mapping(mapping, j, map) {
CID 457912: Concurrent data access violations (MISSING_LOCK) Accessing "map->reg_count" without holding lock "sdei_ev_map.lock". Elsewhere, "sdei_ev_map.reg_count" is written to with "sdei_ev_map.lock" held 2 out of 3 times.
117 count += map->reg_count; 118 } 119 } 120 121 return count;
** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
________________________________________________________________________________________________________ *** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke() 795 ret = MTK_CPUPM_E_ERR; 796 break; 797 #endif /* CPU_PM_SUSPEND_NOTIFY */ 798 799 #ifdef CPU_PM_PWR_REQ 800 case CPUPM_INVOKE_PWR_REQ_ACTIVE:
CID 457911: Null pointer dereferences (REVERSE_INULL) Null-checking "priv" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
801 if (priv) { 802 if (req->stat.uid == CPUPM_PWR_REQ_UID_MAGIC) 803 req->stat.uid = CPUPM_PWR_STAT_REQ_UID_MAGIC; 804 else 805 ret = MTK_CPUPM_E_ERR; 806 } else
** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll()
________________________________________________________________________________________________________ *** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll() 122 any = 1; 123 acc *= base; 124 acc += c; 125 } 126 } 127 if (any < 0) {
CID 457910: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808LL : 9223372036854775807LL" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long long".
128 acc = neg ? LLONG_MIN : LLONG_MAX; 129 } else if (neg) 130 acc = -acc; 131 if (endptr != NULL) 132 *endptr = (char *)(any ? s - 1 : nptr); 133 return (acc);
** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
________________________________________________________________________________________________________ *** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() 153 const unsigned int ext_acttopre = picos_to_mclk(clk, 154 pdimm->tras_ps) >> 4U; 155 const unsigned int ext_acttorw = picos_to_mclk(clk, 156 pdimm->trcd_ps) >> 4U; 157 const unsigned int ext_caslat = (2U * cas_latency - 1U) >> 4U; 158 const unsigned int ext_add_lat = additive_latency >> 4U;
CID 457909: (INTEGER_OVERFLOW) Expression "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", where "picos_to_mclk(clk, pdimm->trfc1_ps)" is known to be equal to 0, underflows the type of "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", which is type "unsigned int".
159 const unsigned int ext_refrec = (picos_to_mclk(clk, 160 pdimm->trfc1_ps) - 8U) >> 4U; 161 const unsigned int ext_wrrec = (picos_to_mclk(clk, pdimm->twr_ps) + 162 (popts->otf_burst_chop_en ? 2U : 0U)) >> 4U; 163 const unsigned int rwt_same_cs = 0U; 164 const unsigned int wrt_same_cs = 0U; /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg() 122 const int acttorw_mclk = picos_to_mclk(clk, pdimm->trcd_ps); 123 const int caslat_ctrl = (cas_latency - 1) << 1; 124 const int trfc1_min = pdimm->die_density >= 0x3 ? 16000 : 125 (pdimm->die_density == 0x4 ? 26000 : 126 (pdimm->die_density == 0x5 ? 35000 : 127 55000));
CID 457909: (INTEGER_OVERFLOW) Expression "refrec_ctrl", where "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U" is known to be equal to 4294967288, overflows the type of "refrec_ctrl", which is type "int const".
128 const int refrec_ctrl = picos_to_mclk(clk, 129 pdimm->trfc1_ps) - 8; 130 int wrrec_mclk = picos_to_mclk(clk, pdimm->twr_ps); 131 const int acttoact_mclk = max(picos_to_mclk(clk, 132 pdimm->trrds_ps), 133 4U);
** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() /drivers/marvell/amb_adec.c: 60 in amb_check_win()
________________________________________________________________________________________________________ *** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() 64 } 65 66 /* size parameter validity check */ 67 if (!IS_POWER_OF_2(win->win_size)) { 68 WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n", 69 win_num, win->win_size);
CID 457908: (INTEGER_OVERFLOW) Expression "win->win_size - 1UL", where "win->win_size" is known to be equal to 0, underflows the type of "win->win_size - 1UL", which is type "unsigned long".
70 win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size); 71 WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size); 72 } 73 } 74 75 static void amb_enable_win(struct addr_map_win *win, uint32_t win_num) /drivers/marvell/amb_adec.c: 60 in amb_check_win() 54 } 55 56 base_addr = win->base_addr << AMB_BASE_OFFSET; 57 /* for AMB The base is always 1M aligned */ 58 /* check if address is aligned to 1M */ 59 if (IS_NOT_ALIGN(base_addr, AMB_WIN_ALIGNMENT_1M)) {
CID 457908: (INTEGER_OVERFLOW) Expression "base_addr + 1048576U", where "base_addr" is known to be equal to 4294901760, overflows the type of "base_addr + 1048576U", which is type "unsigned int".
60 win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M); 61 WARN("Window %d: base address unaligned to 0x%x\n", 62 win_num, AMB_WIN_ALIGNMENT_1M); 63 WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr); 64 } 65
** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
________________________________________________________________________________________________________ *** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt() 768 /* Enable PCM WDT (normal mode) to start count if needed */ 769 if (en) { 770 mmio_clrsetbits_32(PCM_CON1, REG_PCM_WDT_WAKE_LSB, 771 SPM_REGWR_CFG_KEY); 772 773 if (mmio_read_32(PCM_TIMER_VAL) > PCM_TIMER_MAX)
CID 457907: Control flow issues (DEADCODE) Execution cannot reach this statement: "mmio_write_32(469779860UL, ...".
774 mmio_write_32(PCM_TIMER_VAL, PCM_TIMER_MAX); 775 mmio_write_32(PCM_WDT_VAL, mmio_read_32(PCM_TIMER_VAL) + 776 PCM_WDT_TIMEOUT); 777 mmio_setbits_32(PCM_CON1, SPM_REGWR_CFG_KEY | 778 REG_PCM_WDT_EN_LSB); 779 } else {
** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
________________________________________________________________________________________________________ *** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease() 1268 cpurstrelease_status = mmio_read_32(SOCFPGA_RSTMGR(CPURSTRELEASE)); 1269 1270 if ((cpurstrelease_status & RSTMGR_CPUSTRELEASE_CPUx) == cpu_id) { 1271 return RSTMGR_RET_OK; 1272 } 1273 udelay(1000);
CID 457906: Integer handling issues (INTEGER_OVERFLOW) Expression "timeout--", where "timeout" is known to be equal to 0, underflows the type of "timeout--", which is type "unsigned int".
1274 } while (timeout-- > 0); 1275 1276 return RSTMGR_RET_ERROR;
** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in ()
________________________________________________________________________________________________________ *** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in () 17 #include <assert.h> 18 #include <stddef.h> 19 #include <stdint.h> 20 #include <stddef.h> 21 22 #if defined(__ARM_NEON)
CID 457905: Parse warnings (PARSE_ERROR) cannot open source file "arm_neon.h"
23 #include <arm_neon.h> 24 #define MBEDTLS_HAVE_NEON_INTRINSICS 25 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 26 #include <arm64_neon.h> 27 #define MBEDTLS_HAVE_NEON_INTRINSICS 28 #endif
** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
________________________________________________________________________________________________________ *** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate() 511 512 rate64 *= m; 513 rate64 = rate64 / p; 514 515 if (k != 0) { 516 /* fractional mode */
CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "24000000U * k" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
517 uint64_t frac_rate64 = 24000000 * k; 518 519 postdiv = p * 65536; 520 frac_rate64 = frac_rate64 / postdiv; 521 rate64 += frac_rate64; 522 }
** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
________________________________________________________________________________________________________ *** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg() 1899 data_low = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2)); 1900 data_high = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2 + 1)); 1901 } 1902 1903 /* odpg mbus dm definition is opposite to ddr4 protocol */ 1904 if (dm_dir == DM_DIR_INVERSE)
CID 457903: Integer handling issues (INTEGER_OVERFLOW) Expression "dm_data", where "~((data_low & 0xfU) | (data_high & 0xf0U))" is known to be equal to 255, overflows the type of "dm_data", which is type "u8".
1905 dm_data = ~((data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK)); 1906 else 1907 dm_data = (data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK); 1908 1909 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_LOW_REG, data_low, MASK_ALL_BITS); 1910 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_HIGH_REG, data_high, MASK_ALL_BITS);
** CID 457902: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________ *** CID 457902: Insecure data handling (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 495 in fdt_pack() 489 int mem_rsv_size; 490 491 FDT_RW_PROBE(fdt); 492 493 mem_rsv_size = (fdt_num_mem_rsv(fdt)+1) 494 * sizeof(struct fdt_reserve_entry);
CID 457902: Insecure data handling (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_struct), fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
495 fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt), 496 fdt_size_dt_strings(fdt)); 497 fdt_set_totalsize(fdt, fdt_data_size_(fdt)); 498 499 return 0;
** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
________________________________________________________________________________________________________ *** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd() 105 ret = pmif_check_idle(arb->mstid); 106 if (ret) 107 goto done; 108 109 /* Send the command. */ 110 offset = arb->regs[PMIF_SWINF_3_ACC];
CID 457901: Integer handling issues (INTEGER_OVERFLOW) Expression "opc << 30", where "opc" is known to be equal to 2, overflows the type of "opc << 30", which is type "int".
111 mmio_write_32((uintptr_t)(arb->base + offset), PMIF_RW_CMD_SET(opc, 0, sid, bc, addr)); 112 /* 113 * Wait for Software Interface FSM state to be WFVLDCLR, 114 * read the data and clear the valid flag. 115 */ 116 ret = pmif_check_vldclr(arb->mstid);
** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
________________________________________________________________________________________________________ *** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable() 45 /* Enable all architected counters by default */ 46 write_amcntenset0(AMCNTENSET0_Pn_MASK); 47 if (is_feat_amu_aux_supported()) { 48 unsigned int core_pos = plat_my_core_pos(); 49 50 /* Something went wrong if we're trying to write higher bits */
CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "get_amu_aux_enables(core_pos) & 4294901760U /* ~0xffffU */" is always 0 regardless of the values of its operands. This occurs as a value.
51 assert((get_amu_aux_enables(core_pos) & ~AMCNTENSET1_Pn_MASK) == 0); 52 write_amcntenset1(get_amu_aux_enables(core_pos)); 53 } 54 55 /* Bail out if FEAT_AMUv1p1 features are not present. */ 56 if (!is_feat_amuv1p1_supported()) {
** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
________________________________________________________________________________________________________ *** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 474 in fdt_open_into() 468 /* Try right after the old tree instead */ 469 tmp = (char *)(uintptr_t)fdtend; 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473
CID 457899: (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt)); 476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); /lib/libfdt/fdt_rw.c: 476 in fdt_open_into() 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473 474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt));
CID 457899: (INTEGER_OVERFLOW) "newsize", which might have underflowed, is passed to "memmove(buf, tmp, newsize)". [Note: The source code implementation of the function has been overridden by a builtin model.]
476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); 480 fdt_set_version(buf, 17); 481 fdt_set_last_comp_version(buf, 16);
** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
________________________________________________________________________________________________________ *** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off() 136 gpio[1] |= 0x2; /* set high */ 137 dmbst(); 138 139 mdelay(100); 140 } 141
CID 457898: Control flow issues (UNREACHABLE) This code cannot be reached: "wfi();".
142 wfi(); 143 ERROR("SQ System Off: operation not handled.\n"); 144 panic(); 145 #endif 146 } 147
** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
________________________________________________________________________________________________________ *** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training() 634 CHECK_STATUS(ddr3_tip_configure_odpg 635 (dev_num, access_type, interface_num, direction, 636 pattern_table[pattern].num_of_phases_tx, tx_burst_size, 637 pattern_table[pattern].num_of_phases_rx, 638 delay_between_burst, rd_mode, effective_cs, STRESS_NONE, 639 DURATION_SINGLE));
CID 457897: Integer handling issues (INTEGER_OVERFLOW) Expression "reg_data", where "(direction == OPER_READ) ? 0 : -1073741824" is known to be equal to -1073741824, overflows the type of "reg_data", which is type "u32".
640 reg_data = (direction == OPER_READ) ? 0 : (0x3 << 30); 641 reg_data |= (direction == OPER_READ) ? 0x60 : 0xfa; 642 CHECK_STATUS(ddr3_tip_if_write 643 (dev_num, access_type, interface_num, 644 ODPG_WR_RD_MODE_ENA_REG, reg_data, 645 MASK_ALL_BITS));
** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
________________________________________________________________________________________________________ *** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra() 63 domain_emi_view = domain_emi_view - DOMAIN_11; 64 clr_bit = 0x7 << (domain_emi_view * 3 + 1); 65 set_bit = domain_infra_view << (domain_emi_view * 3 + 1); 66 mmio_clrsetbits_32(base, clr_bit, set_bit); 67 } else { 68 base = DEVAPC_INFRA_DOM_RMP_0;
CID 457896: Integer handling issues (INTEGER_OVERFLOW) Expression "clr_bit", where "3 << domain_emi_view * 3U" is known to be equal to -1073741824, overflows the type of "clr_bit", which is type "uint32_t".
69 clr_bit = 0x3 << (domain_emi_view * 3); 70 set_bit = domain_infra_view << (domain_emi_view * 3); 71 mmio_clrsetbits_32(base, clr_bit, set_bit); 72 73 base = DEVAPC_INFRA_DOM_RMP_1; 74 set_bit = (domain_infra_view & 0x4) >> 2;
** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
________________________________________________________________________________________________________ *** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() 290 } 291 292 tmp = rwmax; 293 c = &cdd[25]; 294 rwmax = findmax(c, 16U); 295 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
296 rwmax = tmp; 297 } 298 299 wrmax = wwmax; 300 301 break; /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() 235 236 switch (rank) { 237 case 1U: 238 tmp = rwmax; 239 rwmax = cdd[40]; 240 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
241 rwmax = tmp; 242 } 243 244 break; 245 246 case 2U: /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val() 264 buf[1] = cdd[39]; 265 buf[2] = cdd[36]; 266 buf[3] = cdd[35]; 267 tmp = rwmax; 268 rwmax = findmax(buf, 4U); 269 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
270 rwmax = tmp; 271 } 272 273 wrmax = wwmax; 274 275 break;
** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol()
________________________________________________________________________________________________________ *** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol() 121 any = 1; 122 acc *= base; 123 acc += c; 124 } 125 } 126 if (any < 0) {
CID 457894: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808L : 9223372036854775807L" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long".
127 acc = neg ? LONG_MIN : LONG_MAX; 128 } else if (neg) 129 acc = -acc; 130 if (endptr != NULL) 131 *endptr = (char *)(any ? s - 1 : nptr); 132 return (acc);
** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
________________________________________________________________________________________________________ *** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() 967 tmp = 0; 968 else if (tmp1 < 5) 969 tmp = tmp1 - 1; 970 else 971 tmp = tmp1 - 5; 972 } else {
CID 457893: (INTEGER_OVERFLOW) Expression "tmp1 - 2U", where "tmp1" is known to be equal to 0, underflows the type of "tmp1 - 2U", which is type "unsigned int".
973 tmp = tmp1 - 2; 974 } 975 976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1() 970 else 971 tmp = tmp1 - 5; 972 } else { 973 tmp = tmp1 - 2; 974 } 975
CID 457893: (INTEGER_OVERFLOW) Expression "tmp << 24", where "tmp" is known to be equal to 4294967294, overflows the type of "tmp << 24", which is type "uint32_t".
976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ 979 if ((timing_config->freq <= TDFI_LAT_THRESHOLD_FREQ) && 980 (pdram_timing->cl >= 5)) 981 tmp = pdram_timing->cl - 5;
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=ove...
Apologies the Coverity scan was failing in the CI since late January but the issue has been addressed. The below is the results of a manual run so the large number of new issues are for changes between late January and today.
Please review if you have submitted and had merged patches during that period.
As mentioned below this is run on https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=ove... which is a service offered to opensource projects like TF-A. Unfortunately we only have a limited number of runs each week and we have configured the OpenCI to run daily which does mean its a test run after the patched merged that day. We would of course like to have run while in review state but the limited number of runs mean we cannot do that.
Joanna
From: scan-admin--- via TF-A tf-a@lists.trustedfirmware.org Date: Thursday, 20 March 2025 at 00:08 To: tf-a@lists.trustedfirmware.org tf-a@lists.trustedfirmware.org Subject: [TF-A] New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware
Hi,
Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
49 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 13 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 49 defect(s)
** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count()
________________________________________________________________________________________________________ *** CID 457912: Concurrent data access violations (MISSING_LOCK) /services/std_svc/sdei/sdei_event.c: 117 in sdei_get_registered_event_count() 111 unsigned int j; 112 int count = 0; 113 114 /* Add up reg counts for each mapping. */ 115 for_each_mapping_type(i, mapping) { 116 iterate_mapping(mapping, j, map) {
CID 457912: Concurrent data access violations (MISSING_LOCK) Accessing "map->reg_count" without holding lock "sdei_ev_map.lock". Elsewhere, "sdei_ev_map.reg_count" is written to with "sdei_ev_map.lock" held 2 out of 3 times.
117 count += map->reg_count; 118 } 119 } 120 121 return count;
** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke()
________________________________________________________________________________________________________ *** CID 457911: Null pointer dereferences (REVERSE_INULL) /plat/mediatek/drivers/cpu_pm/cpcv5_4/mt_cpu_pm.c: 801 in cpupm_invoke() 795 ret = MTK_CPUPM_E_ERR; 796 break; 797 #endif /* CPU_PM_SUSPEND_NOTIFY */ 798 799 #ifdef CPU_PM_PWR_REQ 800 case CPUPM_INVOKE_PWR_REQ_ACTIVE:
CID 457911: Null pointer dereferences (REVERSE_INULL) Null-checking "priv" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
801 if (priv) { 802 if (req->stat.uid == CPUPM_PWR_REQ_UID_MAGIC) 803 req->stat.uid = CPUPM_PWR_STAT_REQ_UID_MAGIC; 804 else 805 ret = MTK_CPUPM_E_ERR; 806 } else
** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll()
________________________________________________________________________________________________________ *** CID 457910: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtoll.c: 128 in strtoll() 122 any = 1; 123 acc *= base; 124 acc += c; 125 } 126 } 127 if (any < 0) {
CID 457910: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808LL : 9223372036854775807LL" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long long".
128 acc = neg ? LLONG_MIN : LLONG_MAX; 129 } else if (neg) 130 acc = -acc; 131 if (endptr != NULL) 132 *endptr = (char *)(any ? s - 1 : nptr); 133 return (acc);
** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg()
________________________________________________________________________________________________________ *** CID 457909: (INTEGER_OVERFLOW) /drivers/nxp/ddr/nxp-ddr/regs.c: 159 in cal_timing_cfg() 153 const unsigned int ext_acttopre = picos_to_mclk(clk, 154 pdimm->tras_ps) >> 4U; 155 const unsigned int ext_acttorw = picos_to_mclk(clk, 156 pdimm->trcd_ps) >> 4U; 157 const unsigned int ext_caslat = (2U * cas_latency - 1U) >> 4U; 158 const unsigned int ext_add_lat = additive_latency >> 4U;
CID 457909: (INTEGER_OVERFLOW) Expression "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", where "picos_to_mclk(clk, pdimm->trfc1_ps)" is known to be equal to 0, underflows the type of "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U", which is type "unsigned int".
159 const unsigned int ext_refrec = (picos_to_mclk(clk, 160 pdimm->trfc1_ps) - 8U) >> 4U; 161 const unsigned int ext_wrrec = (picos_to_mclk(clk, pdimm->twr_ps) + 162 (popts->otf_burst_chop_en ? 2U : 0U)) >> 4U; 163 const unsigned int rwt_same_cs = 0U; 164 const unsigned int wrt_same_cs = 0U; /drivers/nxp/ddr/nxp-ddr/regs.c: 128 in cal_timing_cfg() 122 const int acttorw_mclk = picos_to_mclk(clk, pdimm->trcd_ps); 123 const int caslat_ctrl = (cas_latency - 1) << 1; 124 const int trfc1_min = pdimm->die_density >= 0x3 ? 16000 : 125 (pdimm->die_density == 0x4 ? 26000 : 126 (pdimm->die_density == 0x5 ? 35000 : 127 55000));
CID 457909: (INTEGER_OVERFLOW) Expression "refrec_ctrl", where "picos_to_mclk(clk, pdimm->trfc1_ps) - 8U" is known to be equal to 4294967288, overflows the type of "refrec_ctrl", which is type "int const".
128 const int refrec_ctrl = picos_to_mclk(clk, 129 pdimm->trfc1_ps) - 8; 130 int wrrec_mclk = picos_to_mclk(clk, pdimm->twr_ps); 131 const int acttoact_mclk = max(picos_to_mclk(clk, 132 pdimm->trrds_ps), 133 4U);
** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() /drivers/marvell/amb_adec.c: 60 in amb_check_win()
________________________________________________________________________________________________________ *** CID 457908: (INTEGER_OVERFLOW) /drivers/marvell/amb_adec.c: 70 in amb_check_win() 64 } 65 66 /* size parameter validity check */ 67 if (!IS_POWER_OF_2(win->win_size)) { 68 WARN("Window %d: window size is not power of 2 (0x%" PRIx64 ")\n", 69 win_num, win->win_size);
CID 457908: (INTEGER_OVERFLOW) Expression "win->win_size - 1UL", where "win->win_size" is known to be equal to 0, underflows the type of "win->win_size - 1UL", which is type "unsigned long".
70 win->win_size = ROUND_UP_TO_POW_OF_2(win->win_size); 71 WARN("Rounding size to 0x%" PRIx64 "\n", win->win_size); 72 } 73 } 74 75 static void amb_enable_win(struct addr_map_win *win, uint32_t win_num) /drivers/marvell/amb_adec.c: 60 in amb_check_win() 54 } 55 56 base_addr = win->base_addr << AMB_BASE_OFFSET; 57 /* for AMB The base is always 1M aligned */ 58 /* check if address is aligned to 1M */ 59 if (IS_NOT_ALIGN(base_addr, AMB_WIN_ALIGNMENT_1M)) {
CID 457908: (INTEGER_OVERFLOW) Expression "base_addr + 1048576U", where "base_addr" is known to be equal to 4294901760, overflows the type of "base_addr + 1048576U", which is type "unsigned int".
60 win->base_addr = ALIGN_UP(base_addr, AMB_WIN_ALIGNMENT_1M); 61 WARN("Window %d: base address unaligned to 0x%x\n", 62 win_num, AMB_WIN_ALIGNMENT_1M); 63 WARN("Align up the base address to 0x%" PRIx64 "\n", win->base_addr); 64 } 65
** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt()
________________________________________________________________________________________________________ *** CID 457907: Control flow issues (DEADCODE) /plat/mediatek/drivers/spm/mt8196/mt_spm_internal.c: 774 in __spm_set_pcm_wdt() 768 /* Enable PCM WDT (normal mode) to start count if needed */ 769 if (en) { 770 mmio_clrsetbits_32(PCM_CON1, REG_PCM_WDT_WAKE_LSB, 771 SPM_REGWR_CFG_KEY); 772 773 if (mmio_read_32(PCM_TIMER_VAL) > PCM_TIMER_MAX)
CID 457907: Control flow issues (DEADCODE) Execution cannot reach this statement: "mmio_write_32(469779860UL, ...".
774 mmio_write_32(PCM_TIMER_VAL, PCM_TIMER_MAX); 775 mmio_write_32(PCM_WDT_VAL, mmio_read_32(PCM_TIMER_VAL) + 776 PCM_WDT_TIMEOUT); 777 mmio_setbits_32(PCM_CON1, SPM_REGWR_CFG_KEY | 778 REG_PCM_WDT_EN_LSB); 779 } else {
** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease()
________________________________________________________________________________________________________ *** CID 457906: Integer handling issues (INTEGER_OVERFLOW) /plat/intel/soc/common/soc/socfpga_reset_manager.c: 1274 in socfpga_cpurstrelease() 1268 cpurstrelease_status = mmio_read_32(SOCFPGA_RSTMGR(CPURSTRELEASE)); 1269 1270 if ((cpurstrelease_status & RSTMGR_CPUSTRELEASE_CPUx) == cpu_id) { 1271 return RSTMGR_RET_OK; 1272 } 1273 udelay(1000);
CID 457906: Integer handling issues (INTEGER_OVERFLOW) Expression "timeout--", where "timeout" is known to be equal to 0, underflows the type of "timeout--", which is type "unsigned int".
1274 } while (timeout-- > 0); 1275 1276 return RSTMGR_RET_ERROR;
** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in ()
________________________________________________________________________________________________________ *** CID 457905: Parse warnings (PARSE_ERROR) /mbedtls/library/common.h: 23 in () 17 #include <assert.h> 18 #include <stddef.h> 19 #include <stdint.h> 20 #include <stddef.h> 21 22 #if defined(__ARM_NEON)
CID 457905: Parse warnings (PARSE_ERROR) cannot open source file "arm_neon.h"
23 #include <arm_neon.h> 24 #define MBEDTLS_HAVE_NEON_INTRINSICS 25 #elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) 26 #include <arm64_neon.h> 27 #define MBEDTLS_HAVE_NEON_INTRINSICS 28 #endif
** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate()
________________________________________________________________________________________________________ *** CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /plat/rockchip/rk3576/scmi/rk3576_clk.c: 517 in rk3576_lpll_get_rate() 511 512 rate64 *= m; 513 rate64 = rate64 / p; 514 515 if (k != 0) { 516 /* fractional mode */
CID 457904: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "24000000U * k" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
517 uint64_t frac_rate64 = 24000000 * k; 518 519 postdiv = p * 65536; 520 frac_rate64 = frac_rate64 / postdiv; 521 rate64 += frac_rate64; 522 }
** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg()
________________________________________________________________________________________________________ *** CID 457903: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 1905 in mv_ddr_load_dm_pattern_to_odpg() 1899 data_low = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2)); 1900 data_high = pattern_table_get_word(0, pattern, (u8)(pattern_len * 2 + 1)); 1901 } 1902 1903 /* odpg mbus dm definition is opposite to ddr4 protocol */ 1904 if (dm_dir == DM_DIR_INVERSE)
CID 457903: Integer handling issues (INTEGER_OVERFLOW) Expression "dm_data", where "~((data_low & 0xfU) | (data_high & 0xf0U))" is known to be equal to 255, overflows the type of "dm_data", which is type "u8".
1905 dm_data = ~((data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK)); 1906 else 1907 dm_data = (data_low & LOW_NIBBLE_BYTE_MASK) | (data_high & HIGH_NIBBLE_BYTE_MASK); 1908 1909 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_LOW_REG, data_low, MASK_ALL_BITS); 1910 ddr3_tip_if_write(0, access_type, 0, ODPG_DATA_WR_DATA_HIGH_REG, data_high, MASK_ALL_BITS);
** CID 457902: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________ *** CID 457902: Insecure data handling (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 495 in fdt_pack() 489 int mem_rsv_size; 490 491 FDT_RW_PROBE(fdt); 492 493 mem_rsv_size = (fdt_num_mem_rsv(fdt)+1) 494 * sizeof(struct fdt_reserve_entry);
CID 457902: Insecure data handling (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_struct), fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
495 fdt_packblocks_(fdt, fdt, mem_rsv_size, fdt_size_dt_struct(fdt), 496 fdt_size_dt_strings(fdt)); 497 fdt_set_totalsize(fdt, fdt_data_size_(fdt)); 498 499 return 0;
** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd()
________________________________________________________________________________________________________ *** CID 457901: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/drivers/spmi/pmif_common.c: 111 in pmif_spmi_read_cmd() 105 ret = pmif_check_idle(arb->mstid); 106 if (ret) 107 goto done; 108 109 /* Send the command. */ 110 offset = arb->regs[PMIF_SWINF_3_ACC];
CID 457901: Integer handling issues (INTEGER_OVERFLOW) Expression "opc << 30", where "opc" is known to be equal to 2, overflows the type of "opc << 30", which is type "int".
111 mmio_write_32((uintptr_t)(arb->base + offset), PMIF_RW_CMD_SET(opc, 0, sid, bc, addr)); 112 /* 113 * Wait for Software Interface FSM state to be WFVLDCLR, 114 * read the data and clear the valid flag. 115 */ 116 ret = pmif_check_vldclr(arb->mstid);
** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable()
________________________________________________________________________________________________________ *** CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /lib/extensions/amu/aarch32/amu.c: 51 in amu_enable() 45 /* Enable all architected counters by default */ 46 write_amcntenset0(AMCNTENSET0_Pn_MASK); 47 if (is_feat_amu_aux_supported()) { 48 unsigned int core_pos = plat_my_core_pos(); 49 50 /* Something went wrong if we're trying to write higher bits */
CID 457900: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "get_amu_aux_enables(core_pos) & 4294901760U /* ~0xffffU */" is always 0 regardless of the values of its operands. This occurs as a value.
51 assert((get_amu_aux_enables(core_pos) & ~AMCNTENSET1_Pn_MASK) == 0); 52 write_amcntenset1(get_amu_aux_enables(core_pos)); 53 } 54 55 /* Bail out if FEAT_AMUv1p1 features are not present. */ 56 if (!is_feat_amuv1p1_supported()) {
** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 476 in fdt_open_into()
________________________________________________________________________________________________________ *** CID 457899: (INTEGER_OVERFLOW) /lib/libfdt/fdt_rw.c: 474 in fdt_open_into() 468 /* Try right after the old tree instead */ 469 tmp = (char *)(uintptr_t)fdtend; 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473
CID 457899: (INTEGER_OVERFLOW) "mem_rsv_size", which might have overflowed, is passed to "fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, fdt32_ld(&((struct fdt_header const *)fdt)->size_dt_strings))".
474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt)); 476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); /lib/libfdt/fdt_rw.c: 476 in fdt_open_into() 470 if ((tmp + newsize) > ((char *)buf + bufsize)) 471 return -FDT_ERR_NOSPACE; 472 } 473 474 fdt_packblocks_(fdt, tmp, mem_rsv_size, struct_size, 475 fdt_size_dt_strings(fdt));
CID 457899: (INTEGER_OVERFLOW) "newsize", which might have underflowed, is passed to "memmove(buf, tmp, newsize)". [Note: The source code implementation of the function has been overridden by a builtin model.]
476 memmove(buf, tmp, newsize); 477 478 fdt_set_magic(buf, FDT_MAGIC); 479 fdt_set_totalsize(buf, bufsize); 480 fdt_set_version(buf, 17); 481 fdt_set_last_comp_version(buf, 16);
** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off()
________________________________________________________________________________________________________ *** CID 457898: Control flow issues (UNREACHABLE) /plat/socionext/synquacer/sq_psci.c: 142 in sq_system_off() 136 gpio[1] |= 0x2; /* set high */ 137 dmbst(); 138 139 mdelay(100); 140 } 141
CID 457898: Control flow issues (UNREACHABLE) This code cannot be reached: "wfi();".
142 wfi(); 143 ERROR("SQ System Off: operation not handled.\n"); 144 panic(); 145 #endif 146 } 147
** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training()
________________________________________________________________________________________________________ *** CID 457897: Integer handling issues (INTEGER_OVERFLOW) /drivers/marvell/mv_ddr/ddr3_training_ip_engine.c: 640 in ddr3_tip_ip_training() 634 CHECK_STATUS(ddr3_tip_configure_odpg 635 (dev_num, access_type, interface_num, direction, 636 pattern_table[pattern].num_of_phases_tx, tx_burst_size, 637 pattern_table[pattern].num_of_phases_rx, 638 delay_between_burst, rd_mode, effective_cs, STRESS_NONE, 639 DURATION_SINGLE));
CID 457897: Integer handling issues (INTEGER_OVERFLOW) Expression "reg_data", where "(direction == OPER_READ) ? 0 : -1073741824" is known to be equal to -1073741824, overflows the type of "reg_data", which is type "u32".
640 reg_data = (direction == OPER_READ) ? 0 : (0x3 << 30); 641 reg_data |= (direction == OPER_READ) ? 0x60 : 0xfa; 642 CHECK_STATUS(ddr3_tip_if_write 643 (dev_num, access_type, interface_num, 644 ODPG_WR_RD_MODE_ENA_REG, reg_data, 645 MASK_ALL_BITS));
** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra()
________________________________________________________________________________________________________ *** CID 457896: Integer handling issues (INTEGER_OVERFLOW) /plat/mediatek/mt8183/drivers/devapc/devapc.c: 69 in set_master_domain_remap_infra() 63 domain_emi_view = domain_emi_view - DOMAIN_11; 64 clr_bit = 0x7 << (domain_emi_view * 3 + 1); 65 set_bit = domain_infra_view << (domain_emi_view * 3 + 1); 66 mmio_clrsetbits_32(base, clr_bit, set_bit); 67 } else { 68 base = DEVAPC_INFRA_DOM_RMP_0;
CID 457896: Integer handling issues (INTEGER_OVERFLOW) Expression "clr_bit", where "3 << domain_emi_view * 3U" is known to be equal to -1073741824, overflows the type of "clr_bit", which is type "uint32_t".
69 clr_bit = 0x3 << (domain_emi_view * 3); 70 set_bit = domain_infra_view << (domain_emi_view * 3); 71 mmio_clrsetbits_32(base, clr_bit, set_bit); 72 73 base = DEVAPC_INFRA_DOM_RMP_1; 74 set_bit = (domain_infra_view & 0x4) >> 2;
** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val()
________________________________________________________________________________________________________ *** CID 457895: (DEADCODE) /drivers/nxp/ddr/phy-gen2/phy.c: 296 in get_cdd_val() 290 } 291 292 tmp = rwmax; 293 c = &cdd[25]; 294 rwmax = findmax(c, 16U); 295 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
296 rwmax = tmp; 297 } 298 299 wrmax = wwmax; 300 301 break; /drivers/nxp/ddr/phy-gen2/phy.c: 241 in get_cdd_val() 235 236 switch (rank) { 237 case 1U: 238 tmp = rwmax; 239 rwmax = cdd[40]; 240 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
241 rwmax = tmp; 242 } 243 244 break; 245 246 case 2U: /drivers/nxp/ddr/phy-gen2/phy.c: 270 in get_cdd_val() 264 buf[1] = cdd[39]; 265 buf[2] = cdd[36]; 266 buf[3] = cdd[35]; 267 tmp = rwmax; 268 rwmax = findmax(buf, 4U); 269 if (tmp > rwmax) {
CID 457895: (DEADCODE) Execution cannot reach this statement: "rwmax = tmp;".
270 rwmax = tmp; 271 } 272 273 wrmax = wwmax; 274 275 break;
** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol()
________________________________________________________________________________________________________ *** CID 457894: Integer handling issues (INTEGER_OVERFLOW) /lib/libc/strtol.c: 127 in strtol() 121 any = 1; 122 acc *= base; 123 acc += c; 124 } 125 } 126 if (any < 0) {
CID 457894: Integer handling issues (INTEGER_OVERFLOW) Expression "acc", where "neg ? -9223372036854775808L : 9223372036854775807L" is known to be equal to -9223372036854775808, underflows the type of "acc", which is type "unsigned long".
127 acc = neg ? LONG_MIN : LONG_MAX; 128 } else if (neg) 129 acc = -acc; 130 if (endptr != NULL) 131 *endptr = (char *)(any ? s - 1 : nptr); 132 return (acc);
** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1()
________________________________________________________________________________________________________ *** CID 457893: (INTEGER_OVERFLOW) /plat/rockchip/rk3399/drivers/dram/dfs.c: 973 in gen_rk3399_ctl_params_f1() 967 tmp = 0; 968 else if (tmp1 < 5) 969 tmp = tmp1 - 1; 970 else 971 tmp = tmp1 - 5; 972 } else {
CID 457893: (INTEGER_OVERFLOW) Expression "tmp1 - 2U", where "tmp1" is known to be equal to 0, underflows the type of "tmp1 - 2U", which is type "unsigned int".
973 tmp = tmp1 - 2; 974 } 975 976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ /plat/rockchip/rk3399/drivers/dram/dfs.c: 976 in gen_rk3399_ctl_params_f1() 970 else 971 tmp = tmp1 - 5; 972 } else { 973 tmp = tmp1 - 2; 974 } 975
CID 457893: (INTEGER_OVERFLOW) Expression "tmp << 24", where "tmp" is known to be equal to 4294967294, overflows the type of "tmp << 24", which is type "uint32_t".
976 mmio_clrsetbits_32(CTL_REG(i, 314), 0xffu << 24, tmp << 24); 977 978 /* CTL_314 TDFI_RDCSLAT_F1:RW:16:8 */ 979 if ((timing_config->freq <= TDFI_LAT_THRESHOLD_FREQ) && 980 (pdram_timing->cl >= 5)) 981 tmp = pdram_timing->cl - 5;
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/arm-software-arm-trusted-firmware?tab=ove...
-- TF-A mailing list -- tf-a@lists.trustedfirmware.org To unsubscribe send an email to tf-a-leave@lists.trustedfirmware.org
tf-a@lists.trustedfirmware.org
-
Joanna Farley -
scan-admin@coverity.com