Hi > -----Original Message----- > From: Heiko Schocher <h...@nabladev.com> > Sent: Thursday, 7 August 2025 5:17 pm > To: u-boot@lists.denx.de; Maniyam, Dinesh <dinesh.mani...@altera.com> > Cc: Tom Rini <tr...@konsulko.com>; Heiko Schocher <h...@denx.de> > Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot > > [CAUTION: This email is from outside your organization. Unless you trust the > sender, do not click on links or open attachments as it may be a fraudulent > email > attempting to steal your information and/or compromise your computer.] > > Hello Dinesh, > > On 06.08.25 20:35, Tom Rini wrote: > > Here's the latest report. Lets get these new issues addressed ASAP > > please, thanks. > > > > ---------- Forwarded message --------- > > From: <scan-ad...@coverity.com> > > Date: Wed, Aug 6, 2025 at 12:23 PM > > Subject: New Defects reported by Coverity Scan for Das U-Boot > > To: <tom.r...@gmail.com> > > > > > > Hi, > > > > Please find the latest report on new defect(s) introduced to *Das > > U-Boot* found with Coverity Scan. > > > > - *New Defects Found:* 8 > > - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in > > the recent build analyzed by Coverity Scan. > > - *Defects Shown:* Showing 8 of 8 defect(s) > > > > Defect Details > > > > ** CID 583812: Integer handling issues (BAD_SHIFT) > > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe() > > Could you please look at the issues on i3c parts, as I go on vacation, thanks! >
Yes, I am working on it, give me just a couple of days! Thanks Dinesh > @Tom: Feel free to pick up fixes, thanks! > > bye, > Heiko > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 583812: Integer handling issues (BAD_SHIFT) > > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe() > > 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL); > > 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret); > > 997 > > 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER); > > 999 master->datstartaddr = ret; > > 1000 master->maxdevs = ret >> 16; > >>>> CID 583812: Integer handling issues (BAD_SHIFT) > >>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", > >>>> right > shifting by more than 63 bits has undefined behavior. The shift amount, "63 - > (master->maxdevs - 1)", is 64. > > 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0); > > 1002 > > 1003 ret = i3c_master_register(&master->base, dev, > > 1004 &dw_mipi_i3c_ops, false); > > 1005 if (ret) > > 1006 goto err_assert_rst; > > > > ** CID 583811: (RESOURCE_LEAK) > > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo() > > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo() > > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo() > > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo() > > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 583811: (RESOURCE_LEAK) > > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo() > > 1604 } > > 1605 > > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2]; > > 1607 > > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) || > > 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid)) > >>>> CID 583811: (RESOURCE_LEAK) > >>>> Variable "boardinfo" going out of scope leaks the storage it points > >>>> to. > > 1610 return -EINVAL; > > 1611 > > 1612 boardinfo->init_dyn_addr = init_dyn_addr; > > 1613 boardinfo->of_node = node; > > 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c); > > 1615 > > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo() > > 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL); > > 1581 if (!boardinfo) > > 1582 return -ENOMEM; > > 1583 > > 1584 if (reg[0]) { > > 1585 if (reg[0] > I3C_MAX_ADDR) > >>>> CID 583811: (RESOURCE_LEAK) > >>>> Variable "boardinfo" going out of scope leaks the storage it points > >>>> to. > > 1586 return -EINVAL; > > 1587 > > 1588 addrstatus = > > i3c_bus_get_addr_slot_status(&master->bus, > > 1589 reg[0]); > > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE) > > 1591 return -EINVAL; > > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo() > > 1585 if (reg[0] > I3C_MAX_ADDR) > > 1586 return -EINVAL; > > 1587 > > 1588 addrstatus = > > i3c_bus_get_addr_slot_status(&master->bus, > > 1589 reg[0]); > > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE) > >>>> CID 583811: (RESOURCE_LEAK) > >>>> Variable "boardinfo" going out of scope leaks the storage it points > >>>> to. > > 1591 return -EINVAL; > > 1592 } > > 1593 > > 1594 boardinfo->static_addr = reg[0]; > > 1595 > > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) { > > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo() > > 1592 } > > 1593 > > 1594 boardinfo->static_addr = reg[0]; > > 1595 > > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) { > > 1597 if (init_dyn_addr > I3C_MAX_ADDR) > >>>> CID 583811: (RESOURCE_LEAK) > >>>> Variable "boardinfo" going out of scope leaks the storage it points > >>>> to. > > 1598 return -EINVAL; > > 1599 > > 1600 addrstatus = > > i3c_bus_get_addr_slot_status(&master->bus, > > 1601 > > init_dyn_addr); > > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE) > > 1603 return -EINVAL; > > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo() > > 1597 if (init_dyn_addr > I3C_MAX_ADDR) > > 1598 return -EINVAL; > > 1599 > > 1600 addrstatus = > > i3c_bus_get_addr_slot_status(&master->bus, > > 1601 > > init_dyn_addr); > > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE) > >>>> CID 583811: (RESOURCE_LEAK) > >>>> Variable "boardinfo" going out of scope leaks the storage it points > >>>> to. > > 1603 return -EINVAL; > > 1604 } > > 1605 > > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2]; > > 1607 > > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) || > > > > ** CID 298388: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 298388: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get() > > 573 return -ENOMEM; > > 574 > > 575 cmd = xfer->cmds; > > 576 cmd->rx_buf = ccc->dests[0].payload.data; > > 577 cmd->rx_len = ccc->dests[0].payload.len; > > 578 > >>>> CID 298388: Integer handling issues (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" > >>>> with type > "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to > type > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, > unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, > the > upper bits of the result will all be 1. > > 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc- > >dests[0].payload.len) | > > 580 COMMAND_PORT_TRANSFER_ARG; > > 581 > > 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER | > > 583 COMMAND_PORT_CP | > > 584 COMMAND_PORT_DEV_INDEX(pos) | > > > > ** CID 298037: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 298037: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg() > > 369 scl_timing = SCL_EXT_LCNT_1(lcnt); > > 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt; > > 371 scl_timing |= SCL_EXT_LCNT_2(lcnt); > > 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt; > > 373 scl_timing |= SCL_EXT_LCNT_3(lcnt); > > 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt; > >>>> CID 298037: Integer handling issues (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, > >>>> unsigned) > is promoted in "lcnt << 24" to type "int" (32 bits, signed), then > sign-extended to > type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than > 0x7FFFFFFF, the upper bits of the result will all be 1. > > 375 scl_timing |= SCL_EXT_LCNT_4(lcnt); > > 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING); > > 377 > > 378 return 0; > > 379 } > > 380 > > > > ** CID 296053: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 296053: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set() > > 529 return -ENOMEM; > > 530 > > 531 cmd = xfer->cmds; > > 532 cmd->tx_buf = ccc->dests[0].payload.data; > > 533 cmd->tx_len = ccc->dests[0].payload.len; > > 534 > >>>> CID 296053: Integer handling issues (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" > >>>> with type > "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to > type > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, > unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, > the > upper bits of the result will all be 1. > > 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc- > >dests[0].payload.len) | > > 536 COMMAND_PORT_TRANSFER_ARG; > > 537 > > 538 cmd->cmd_lo = COMMAND_PORT_CP | > > 539 COMMAND_PORT_DEV_INDEX(pos) | > > 540 COMMAND_PORT_CMD(ccc->id) | > > > > ** CID 295976: (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg() > > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 295976: (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg() > > 389 return -EINVAL; > > 390 > > 391 core_period = DIV_ROUND_UP(1000000000, core_rate); > > 392 > > 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, > core_period); > > 394 hcnt = DIV_ROUND_UP(core_rate, > I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt; > >>>> CID 295976: (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, > unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then > sign- > extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is > greater > than 0x7FFFFFFF, the upper bits of the result will all be 1. > > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) | > > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt); > > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING); > > 398 > > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, > core_period); > > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - > lcnt; > > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg() > > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) | > > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt); > > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING); > > 398 > > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, > core_period); > > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - > lcnt; > >>>> CID 295976: (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, > unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then > sign- > extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is > greater > than 0x7FFFFFFF, the upper bits of the result will all be 1. > > 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) | > > 402 SCL_I2C_FM_TIMING_LCNT(lcnt); > > 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING); > > 404 > > 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + > BUS_FREE_TIMING); > > 406 writel(readl(master->regs + DEVICE_CTRL) | > DEV_CTRL_I2C_SLAVE_PRESENT, > > > > ** CID 294913: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 724 in > > dw_i3c_master_priv_xfers() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 294913: Integer handling issues (SIGN_EXTENSION) > > /drivers/i3c/master/dw-i3c-master.c: 724 in > > dw_i3c_master_priv_xfers() > > 718 if (!xfer) > > 719 return -ENOMEM; > > 720 > > 721 for (i = 0; i < i3c_nxfers; i++) { > > 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i]; > > 723 > >>>> CID 294913: Integer handling issues (SIGN_EXTENSION) > >>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type > >>>> "u16" (16 > bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 > bits, > signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If > "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the > result will > all be 1. > > 724 cmd->cmd_hi = > COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) | > > 725 COMMAND_PORT_TRANSFER_ARG; > > 726 > > 727 if (i3c_xfers[i].rnw) { > > 728 cmd->rx_buf = i3c_xfers[i].data.in; > > 729 cmd->rx_len = i3c_xfers[i].len; > > > > ** CID 294627: Integer handling issues (BAD_SHIFT) > > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status() > > > > > > > _________________________________________________________________ > ____________________________ > > *** CID 294627: Integer handling issues (BAD_SHIFT) > > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status() > > 175 int status, bitpos = addr * 2; > > 176 > > 177 if (addr > I2C_MAX_ADDR) > > 178 return I3C_ADDR_SLOT_RSVD; > > 179 > > 180 status = bus->addrslots[bitpos / BITS_PER_LONG]; > >>>> CID 294627: Integer handling issues (BAD_SHIFT) > >>>> In expression "status >>= bitpos % 64", right shifting by more than > >>>> 31 bits > has undefined behavior. The shift amount, "bitpos % 64", is as much as 63. > > 181 status >>= bitpos % BITS_PER_LONG; > > 182 > > 183 return status & I3C_ADDR_SLOT_STATUS_MASK; > > 184 } > > 185 > > 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 > > addr, > > > > > > > > View Defects in Coverity Scan > > <https://scan.coverity.com/projects/das-u-boot?tab=overview> > > > > Best regards, > > > > The Coverity Scan Admin Team > > > > ----- End forwarded message ----- > > > > -- > Nabla Software Engineering > HRB 40522 Augsburg > Phone: +49 821 45592596 > E-Mail: off...@nabladev.com > Geschäftsführer : Stefano Babic