[SeaBIOS] hw/usb-msc.c: Branch condition evaluates to a garbage value

[Paul Menzel]

Dear SeaBIOS developers,

Building the attached configuration with GCC 5.3.0 and the static 
analyzer scan-build shipped with Clang 3.8, the following error is 
reported in `src/hw/usb-msc.c` in line 110.

The static analyzer seems to think that the struct member is not 
initialized. But I guess it’s done in the line below, and therefore a 
false positive?

```
ret = usb_msc_send(udrive_gf, USB_DIR_IN
                       , MAKE_FLATPTR(GET_SEG(SS), &csw), sizeof(csw));
```


Thanks,

Paul
Title: src/hw/usb-msc.c


























Bug Summary

File:src/hw/usb-msc.c
Location:line 110, column 9
Description:Branch condition evaluates to a garbage value


Annotated Source Code

1// Code for handling USB Mass Storage Controller devices.
2//
3// Copyright (C) 2010  Kevin O'Connor <ke...@koconnor.net>
4//
5// This file may be distributed under the terms of the GNU LGPLv3 license.
6 
7#include "biosvar.h" // GET_GLOBALFLAT
8#include "block.h" // DTYPE_USB
9#include "blockcmd.h" // cdb_read
10#include "config.h" // CONFIG_USB_MSC
11#include "malloc.h" // free
12#include "output.h" // dprintf
13#include "std/disk.h" // DISK_RET_SUCCESS
14#include "string.h" // memset
15#include "usb.h" // struct usb_s
16#include "usb-msc.h" // usb_msc_setup
17#include "util.h" // bootprio_find_usb
18 
19struct usbdrive_s {
20    struct drive_s drive;
21    struct usb_pipe *bulkin, *bulkout;
22    int lun;
23};
24 
25 
26/****************************************************************
27 * Bulk-only drive command processing
28 ****************************************************************/
29 
30#define USB_CDB_SIZE12 12
31 
32#define CBW_SIGNATURE0x43425355 0x43425355 // USBC
33 
34struct cbw_s {
35    u32 dCBWSignature;
36    u32 dCBWTag;
37    u32 dCBWDataTransferLength;
38    u8 bmCBWFlags;
39    u8 bCBWLUN;
40    u8 bCBWCBLength;
41    u8 CBWCB[16];
42} PACKED__attribute__((packed));
43 
44#define CSW_SIGNATURE0x53425355 0x53425355 // USBS
45 
46struct csw_s {
47    u32 dCSWSignature;
48    u32 dCSWTag;
49    u32 dCSWDataResidue;
50    u8 bCSWStatus;
51} PACKED__attribute__((packed));
52 
53static int
54usb_msc_send(struct usbdrive_s *udrive_gf, int dir, void *buf, u32 bytes)
55{
56    struct usb_pipe *pipe;
57    if (dir == USB_DIR_OUT0)
58        pipe = GET_GLOBALFLAT(udrive_gf->bulkout)(*(typeof(&(*(&(udrive_gf->bulkout)))))((void*)&(*(&(udrive_gf->bulkout))) + get_global_offset()));
59    else
60        pipe = GET_GLOBALFLAT(udrive_gf->bulkin)(*(typeof(&(*(&(udrive_gf->bulkin)))))((void*)&(*(&(udrive_gf->bulkin))) + get_global_offset()));
61    return usb_send_bulk(pipe, dir, buf, bytes);
62}
63 
64// Low-level usb command transmit function.
65int
66usb_process_op(struct disk_op_s *op)
67{
68    if (!CONFIG_USB_MSC1)
1Taking false branch→
69        return 0;
70 
71    dprintf(16, "usb_cmd_data id=%p write=%d count=%d buf=%p\n"do { if (8 && (16) <= 8) __dprintf(("usb_cmd_data id=%p write=%d count=%d buf=%p\n") , op->drive_gf, 0, op->count, op->buf_fl ); } while (0)
72            , op->drive_gf, 0, op->count, op->buf_fl)do { if (8 && (16) <= 8) __dprintf(("usb_cmd_data id=%p write=%d count=%d buf=%p\n") , op->drive_gf, 0, op->count, op->buf_fl ); } while (0);
73    struct usbdrive_s *udrive_gf = container_of(({ const typeof( ((struct usbdrive_s *)0)->drive ) *__mptr = (op->drive_gf); (struct usbdrive_s *)( (char *)__mptr - ((size_t) &((struct usbdrive_s *)0)->drive) );})
74        op->drive_gf, struct usbdrive_s, drive)({ const typeof( ((struct usbdrive_s *)0)->drive ) *__mptr = (op->drive_gf); (struct usbdrive_s *)( (char *)__mptr - ((size_t) &((struct usbdrive_s *)0)->drive) );});
75 
76    // Setup command block wrapper.
77    struct cbw_s cbw;
78    memset(&cbw, 0, sizeof(cbw));
79    int blocksize = scsi_fill_cmd(op, cbw.CBWCB, USB_CDB_SIZE12);
80    if (blocksize < 0)
2←Assuming 'blocksize' is >= 0→
3←Taking false branch→
81        return default_process_op(op);
82    u32 bytes = blocksize * op->count;
83    cbw.dCBWSignature = CBW_SIGNATURE0x43425355;
84    cbw.dCBWTag = 999; // XXX
85    cbw.dCBWDataTransferLength = bytes;
86    cbw.bmCBWFlags = scsi_is_read(op) ? USB_DIR_IN0x80 : USB_DIR_OUT0;
4←'?' condition is false→
87    cbw.bCBWLUN = GET_GLOBALFLAT(udrive_gf->lun)(*(typeof(&(*(&(udrive_gf->lun)))))((void*)&(*(&(udrive_gf->lun))) + get_global_offset()));
88    cbw.bCBWCBLength = USB_CDB_SIZE12;
89 
90    // Transfer cbw to device.
91    int ret = usb_msc_send(udrive_gf, USB_DIR_OUT0
92                           , MAKE_FLATPTR(GET_SEG(SS), &cbw)((void*)(((u32)(0)<<4)+(u32)(&cbw))), sizeof(cbw));
93    if (ret)
5←Assuming 'ret' is 0→
6←Taking false branch→
94        goto fail;
95 
96    // Transfer data to/from device.
97    if (bytes) {
7←Assuming 'bytes' is 0→
8←Taking false branch→
98        ret = usb_msc_send(udrive_gf, cbw.bmCBWFlags, op->buf_fl, bytes);
99        if (ret)
100            goto fail;
101    }
102 
103    // Transfer csw info.
104    struct csw_s csw;
105    ret = usb_msc_send(udrive_gf, USB_DIR_IN0x80
106                       , MAKE_FLATPTR(GET_SEG(SS), &csw)((void*)(((u32)(0)<<4)+(u32)(&csw))), sizeof(csw));
107    if (ret)
9←Assuming 'ret' is 0→
10←Taking false branch→
108        goto fail;
109 
110    if (!csw.bCSWStatus)
11←Branch condition evaluates to a garbage value
111        return DISK_RET_SUCCESS0x00;
112    if (csw.bCSWStatus == 2)
113        goto fail;
114 
115    if (blocksize)
116        op->count -= csw.dCSWDataResidue / blocksize;
117    return DISK_RET_EBADTRACK0x0c;
118 
119fail:
120    // XXX - reset connection
121    dprintf(1, "USB transmission failed\n")do { if (8 && (1) <= 8) __dprintf(("USB transmission failed\n") ); } while (0);
122    return DISK_RET_EBADTRACK0x0c;
123}
124 
125static int
126usb_msc_maxlun(struct usb_pipe *pipe)
127{
128    struct usb_ctrlrequest req;
129    req.bRequestType = USB_DIR_IN0x80 | USB_TYPE_CLASS(0x01 << 5) | USB_RECIP_INTERFACE0x01;
130    req.bRequest = 0xfe;
131    req.wValue = 0;
132    req.wIndex = 0;
133    req.wLength = 1;
134    unsigned char maxlun;
135    int ret = usb_send_default_control(pipe, &req, &maxlun);
136    if (ret)
137        return 0;
138    return maxlun;
139}
140 
141static int
142usb_msc_lun_setup(struct usb_pipe *inpipe, struct usb_pipe *outpipe,
143                  struct usbdevice_s *usbdev, int lun)
144{
145    // Allocate drive structure.
146    struct usbdrive_s *drive = malloc_fseg(sizeof(*drive));
147    if (!drive) {
148        warn_noalloc()__warn_noalloc(148, __func__);
149        return -1;
150    }
151    memset(drive, 0, sizeof(*drive));
152    if (usb_32bit_pipe(inpipe))
153        drive->drive.type = DTYPE_USB_320x71;
154    else
155        drive->drive.type = DTYPE_USB0x70;
156    drive->bulkin = inpipe;
157    drive->bulkout = outpipe;
158    drive->lun = lun;
159 
160    int prio = bootprio_find_usb(usbdev, lun);
161    int ret = scsi_drive_setup(&drive->drive, "USB MSC", prio);
162    if (ret) {
163        dprintf(1, "Unable to configure USB MSC drive.\n")do { if (8 && (1) <= 8) __dprintf(("Unable to configure USB MSC drive.\n") ); } while (0);
164        free(drive);
165        return -1;
166    }
167    return 0;
168}
169 
170/****************************************************************
171 * Setup
172 ****************************************************************/
173 
174// Configure a usb msc device.
175int
176usb_msc_setup(struct usbdevice_s *usbdev)
177{
178    if (!CONFIG_USB_MSC1)
179        return -1;
180 
181    // Verify right kind of device
182    struct usb_interface_descriptor *iface = usbdev->iface;
183    if ((iface->bInterfaceSubClass != US_SC_SCSI0x06 &&
184         iface->bInterfaceSubClass != US_SC_ATAPI_80700x05 &&
185         iface->bInterfaceSubClass != US_SC_ATAPI_80200x02)
186        || iface->bInterfaceProtocol != US_PR_BULK0x50) {
187        dprintf(1, "Unsupported MSC USB device (subclass=%02x proto=%02x)\n"do { if (8 && (1) <= 8) __dprintf(("Unsupported MSC USB device (subclass=%02x proto=%02x)\n") , iface->bInterfaceSubClass, iface->bInterfaceProtocol ); } while (0)
188                , iface->bInterfaceSubClass, iface->bInterfaceProtocol)do { if (8 && (1) <= 8) __dprintf(("Unsupported MSC USB device (subclass=%02x proto=%02x)\n") , iface->bInterfaceSubClass, iface->bInterfaceProtocol ); } while (0);
189        return -1;
190    }
191 
192    // Find bulk in and bulk out endpoints.
193    struct usb_pipe *inpipe = NULL((void*)0), *outpipe = NULL((void*)0);
194    struct usb_endpoint_descriptor *indesc = usb_find_desc(
195        usbdev, USB_ENDPOINT_XFER_BULK2, USB_DIR_IN0x80);
196    struct usb_endpoint_descriptor *outdesc = usb_find_desc(
197        usbdev, USB_ENDPOINT_XFER_BULK2, USB_DIR_OUT0);
198    if (!indesc || !outdesc)
199        goto fail;
200    inpipe = usb_alloc_pipe(usbdev, indesc);
201    outpipe = usb_alloc_pipe(usbdev, outdesc);
202    if (!inpipe || !outpipe)
203        goto fail;
204 
205    int maxlun = usb_msc_maxlun(usbdev->defpipe);
206    int lun, pipesused = 0;
207    for (lun = 0; lun < maxlun + 1; lun++) {
208        int ret = usb_msc_lun_setup(inpipe, outpipe, usbdev, lun);
209        if (!ret)
210            pipesused = 1;
211    }
212 
213    if (!pipesused)
214        goto fail;
215 
216    return 0;
217fail:
218    dprintf(1, "Unable to configure USB MSC device.\n")do { if (8 && (1) <= 8) __dprintf(("Unable to configure USB MSC device.\n") ); } while (0);
219    usb_free_pipe(usbdev, inpipe);
220    usb_free_pipe(usbdev, outpipe);
221    return -1;
222}

#
# Automatically generated file; DO NOT EDIT.
# SeaBIOS Configuration
#

#
# General Features
#
CONFIG_COREBOOT=y
# CONFIG_QEMU is not set
# CONFIG_CSM is not set
# CONFIG_QEMU_HARDWARE is not set
CONFIG_THREADS=y
CONFIG_RELOCATE_INIT=y
CONFIG_BOOTMENU=y
CONFIG_BOOTSPLASH=y
CONFIG_BOOTORDER=y
CONFIG_COREBOOT_FLASH=y
CONFIG_LZMA=y
CONFIG_CBFS_LOCATION=0
CONFIG_MULTIBOOT=y
CONFIG_ENTRY_EXTRASTACK=y
CONFIG_MALLOC_UPPERMEMORY=y
CONFIG_ROM_SIZE=0

#
# Hardware support
#
CONFIG_ATA=y
# CONFIG_ATA_DMA is not set
# CONFIG_ATA_PIO32 is not set
CONFIG_AHCI=y
CONFIG_SDCARD=y
CONFIG_MEGASAS=y
CONFIG_FLOPPY=y
CONFIG_FLASH_FLOPPY=y
CONFIG_PS2PORT=y
CONFIG_USB=y
CONFIG_USB_UHCI=y
CONFIG_USB_OHCI=y
CONFIG_USB_EHCI=y
CONFIG_USB_XHCI=y
CONFIG_USB_MSC=y
CONFIG_USB_UAS=y
CONFIG_USB_HUB=y
CONFIG_USB_KEYBOARD=y
CONFIG_USB_MOUSE=y
CONFIG_SERIAL=y
CONFIG_LPT=y
CONFIG_RTC_TIMER=y
CONFIG_HARDWARE_IRQ=y
CONFIG_PMTIMER=y
CONFIG_TSC_TIMER=y

#
# BIOS interfaces
#
CONFIG_DRIVES=y
CONFIG_CDROM_BOOT=y
CONFIG_CDROM_EMU=y
CONFIG_PCIBIOS=y
CONFIG_APMBIOS=y
CONFIG_PNPBIOS=y
CONFIG_OPTIONROMS=y
CONFIG_PMM=y
CONFIG_BOOT=y
CONFIG_KEYBOARD=y
CONFIG_KBD_CALL_INT15_4F=y
CONFIG_MOUSE=y
CONFIG_S3_RESUME=y
CONFIG_VGAHOOKS=y
# CONFIG_DISABLE_A20 is not set
CONFIG_TCGBIOS=y

#
# VGA ROM
#
CONFIG_NO_VGABIOS=y
# CONFIG_VGA_GEODEGX2 is not set
# CONFIG_VGA_GEODELX is not set
# CONFIG_VGA_COREBOOT is not set
# CONFIG_BUILD_VGABIOS is not set
CONFIG_VGA_EXTRA_STACK_SIZE=512

#
# Debugging
#
CONFIG_DEBUG_LEVEL=8
# CONFIG_DEBUG_SERIAL is not set
CONFIG_DEBUG_COREBOOT=y
_______________________________________________
SeaBIOS mailing list
SeaBIOS@seabios.org
https://www.coreboot.org/mailman/listinfo/seabios