Feeding kernel 2.2.17 through `gcc -W' has shown a number of bugs. I have attached here a proposed patch which fixes a small number of these, but for the rest I would ask those on the "To:" list to let me know how they would prefer that these be addressed. I shall then cut a final patch. Thanks. acenic.c:973: warning: unsigned value < 0 is always 0 acenic.c:983: warning: unsigned value < 0 is always 0 Error returns from read_eeprom_byte() are not recognised. This buglet is also present in the 2.4 driver. No patch provided here - I'll assume that Jes will be sending one through when he updates the 2.4 driver. hmm.. acenic doesn't have the other fixes applied yet: The precedence error in ace_timer (5/2*HZ). dev->priv should be zeroed after allocation (there was a crash codepath without this). del_timer_sync() for 2.4. af_ax25.c:519: warning: unsigned value < 0 is always 0 af_ax25.c:525: warning: unsigned value < 0 is always 0 Bounds checking on ioctl args. Probably not worth fixing. b1.c:601: warning: unsigned value >= 0 is always 1 b1.c:612: warning: unsigned value >= 0 is always 1 b1dma.c:556: warning: unsigned value >= 0 is always 1 b1dma.c:567: warning: unsigned value >= 0 is always 1 c4.c:659: warning: unsigned value >= 0 is always 1 c4.c:670: warning: unsigned value >= 0 is always 1 t1isa.c:283: warning: unsigned value >= 0 is always 1 t1isa.c:294: warning: unsigned value >= 0 is always 1 Potentially nasty - underindexing of card->MsgBuf[]. Patched here. br.c:2261: warning: unsigned value < 0 is always 0 br.c:2279: warning: unsigned value < 0 is always 0 br.c:2302: warning: unsigned value < 0 is always 0 br.c:2313: warning: unsigned value < 0 is always 0 Nasty - can result in underindexing of port_info[]. Unprivileged users can possibly crash the machine. Patched here. cs46xx.c:2215: warning: unsigned value >= 0 is always 1 cs46xx.c:2246: warning: unsigned value >= 0 is always 1 These are potentially nasty. A hardware-bit-testing loop which is supposed to have a timeout is in fact potentially infinite. No patch here because it would be behaviour-altering and I can't test it. The fix is to make `end_time' signed. Should use time_after(). epca.c:3836: warning: ordered comparison of pointer with integer zero epca.c:3848: warning: ordered comparison of pointer with integer zero I'm not sure what `pointer <= 0' does... But this is a simple fix to the input parameter validation and I've patched it here. drivers/video/fbmem.c:478 if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES) return -EINVAL; I think this is an off-by-one. Should it be `>= MAX_NR_CONSOLES'? hp100.c:2920: warning: comparison of promoted ~unsigned with constant This code: do { if (~(hp100_inb( VG_LAN_CFG_1 )& HP100_LINK_UP_ST) ) break; } while (time_after(time, jiffies)); Is clearly bogus (the `~'). But a fix is behaviour-altering and I can't test it. ./ip2/i2lib.c:1261: warning: comparisons like X<=Y<=Z do not have their mathematical meaning It looks like this code flukes correctness. iph5526.c:3778: warning: comparisons like X<=Y<=Z do not have their mathematical meaning Ditto. ixj.c:3029: warning: empty body in an if-statement if (ixj[board].play_mode != -1 && ixj[board].rec_mode != -1); { ixj_WriteDSPCommand(0xB002, board); // AEC Stop } See the semicolon? This has to be a bug, but a fix is behaviour-altering and I can't test it. ll_rw_blk.c:761: warning: unsigned value < 0 is always 0 Here's the code: /* Can we add it to the end of this request? */ if (req->sector + req->nr_sectors == sector) { if (latency - req->nr_segments < 0) break; The inner test is a no-op. I think we decided it could simply be removed in the 2.4 case. Is that true here as well? drivers/sound/emu10k1/main.c:653: warning: unsigned value < 0 is always 0 drivers/sound/emu10k1/main.c:658: warning: unsigned value < 0 is always 0 drivers/sound/emu10k1/main.c:663: warning: unsigned value < 0 is always 0 drivers/sound/emu10k1/main.c:668: warning: unsigned value < 0 is always 0 Four ineffective attempts to check return values. mm/memory.c:395: warning: unsigned value < 0 is always 0 Here's the code: if (mm->rss > 0) { mm->rss -= freed; if (mm->rss < 0) mm->rss = 0; } The check for RSS underflow is ineffective because it's unsigned. What are we actually trying to do here? net/netrom/nr_route.c:625 if (nr_route.ndigis < 0 || nr_route.ndigis > AX25_MAX_DIGIS) return -EINVAL; Is this an off-by-one error? Should it be `>= AX25_MAX_DIGIS'? old_tulip.c:2732: warning: unsigned value >= 0 is always 1 hmmm.. In 2.4 this was a bug because `dummy' was initialised to -1. Here it's initialised to zero and the logic is subtly different. Jeff, is this driver broken? drivers/net/sbni.c:1379: warning: control reaches end of non-void function This looks broken. Why is the (required) `return crc' commented out? mm/slab.c:717: if (offset < 0 || offset > size) { printk("%sOffset weird %d - %s\n", func_nm, (int) offset, name); offset = 0; } The first part of the comparison is ineffective when size_t is unsigned. The second part of the comparison seems to be an off-by-one. Should it be `offset >= size'? fs/ntfs/support.c:301: warning: `ch' might be used uninitialized in this function fs/ntfs/support.c:301: warning: `cl' might be used uninitialized in this function The warning is correct. This code looks buggy. fs/coda/upcall.c:741: warning: unsigned value < 0 is always 0 Ineffective attempt to check an error code.
--- linux-2.2.17pre14/drivers/isdn/avmb1/b1.c Fri Jun 16 23:47:49 2000 +++ linux-akpm/drivers/isdn/avmb1/b1.c Mon Jul 31 22:28:22 2000 @@ -507,7 +507,7 @@ struct sk_buff *skb; unsigned ApplId; - unsigned MsgLen; + signed MsgLen; unsigned DataB3Len; unsigned NCCI; unsigned WindowSize; --- linux-2.2.17pre14/drivers/isdn/avmb1/b1dma.c Fri Jun 16 23:47:49 2000 +++ linux-akpm/drivers/isdn/avmb1/b1dma.c Mon Jul 31 22:29:48 2000 @@ -462,7 +462,8 @@ struct capi_ctr *ctrl = cinfo->capi_ctrl; struct sk_buff *skb; void *p = dma->recvbuf+4; - __u32 ApplId, MsgLen, DataB3Len, NCCI, WindowSize; + __u32 ApplId, DataB3Len, NCCI, WindowSize; + __s32 MsgLen; __u8 b1cmd = _get_byte(&p); #ifdef CONFIG_B1DMA_DEBUG --- linux-2.2.17pre14/net/bridge/br.c Wed Jan 5 05:12:26 2000 +++ linux-akpm/net/bridge/br.c Mon Jul 31 22:32:14 2000 @@ -2258,7 +2258,7 @@ break; case BRCMD_IF_ENABLE: bcf.arg1 = br_find_port(bcf.arg1); - if (bcf.arg1 < 0) + if ((signed)bcf.arg1 < 0) return(bcf.arg1); case BRCMD_PORT_ENABLE: if (port_info[bcf.arg1].dev == 0) @@ -2276,7 +2276,7 @@ break; case BRCMD_IF_DISABLE: bcf.arg1 = br_find_port(bcf.arg1); - if (bcf.arg1 < 0) + if ((signed)bcf.arg1 < 0) return(bcf.arg1); case BRCMD_PORT_DISABLE: if (port_info[bcf.arg1].dev == 0) @@ -2299,7 +2299,7 @@ break; case BRCMD_SET_IF_PRIORITY: bcf.arg1 = br_find_port(bcf.arg1); - if (bcf.arg1 < 0) + if ((signed)bcf.arg1 < 0) return(bcf.arg1); case BRCMD_SET_PORT_PRIORITY: if((port_info[bcf.arg1].dev == 0) @@ -2310,7 +2310,7 @@ break; case BRCMD_SET_IF_PATH_COST: bcf.arg1 = br_find_port(bcf.arg1); - if (bcf.arg1 < 0) + if ((signed)bcf.arg1 < 0) return(bcf.arg1); case BRCMD_SET_PATH_COST: if (port_info[bcf.arg1].dev == 0) --- linux-2.2.17pre14/drivers/isdn/avmb1/c4.c Fri Jun 16 23:47:49 2000 +++ linux-akpm/drivers/isdn/avmb1/c4.c Mon Jul 31 22:46:01 2000 @@ -535,7 +535,8 @@ avmctrl_info *cinfo; struct sk_buff *skb; void *p = dma->recvbuf; - __u32 ApplId, MsgLen, DataB3Len, NCCI, WindowSize; + __u32 ApplId, DataB3Len, NCCI, WindowSize; + __s32 MsgLen; __u8 b1cmd = _get_byte(&p); __u32 cidx; --- linux-2.2.17pre14/drivers/char/epca.c Fri Jun 16 23:47:49 2000 +++ linux-akpm/drivers/char/epca.c Mon Jul 31 22:56:57 2000 @@ -3833,7 +3833,7 @@ case 5: board.port = (unsigned char *)ints[index]; - if (board.port <= 0) + if ((signed long)board.port <= 0) { printk(KERN_ERR "<Error> - epca_setup: Invalid io port 0x%x\n", (unsigned int)board.port); invalid_lilo_config = 1; @@ -3845,7 +3845,7 @@ case 6: board.membase = (unsigned char *)ints[index]; - if (board.membase <= 0) + if ((signed long)board.membase <= 0) { printk(KERN_ERR "<Error> - epca_setup: Invalid memory base 0x%x\n",(unsigned int)board.membase); invalid_lilo_config = 1; --- linux-2.2.17pre14/drivers/isdn/avmb1/t1isa.c Fri Jun 16 23:47:49 2000 +++ linux-akpm/drivers/isdn/avmb1/t1isa.c Tue Aug 1 00:06:18 2000 @@ -190,7 +190,7 @@ struct sk_buff *skb; unsigned ApplId; - unsigned MsgLen; + signed MsgLen; unsigned DataB3Len; unsigned NCCI; unsigned WindowSize;