From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Subject: [dpdk-dev] Fw: New Defects reported by Coverity Scan for DPDK Data Plane Development Kit
Date: Wed, 4 Nov 2015 09:46:40 -0800
Message-ID: <20151104094640.1829452d@xeon-e3>
Begin forwarded message:
Date: Wed, 04 Nov 2015 08:08:51 -0800
From: scan-admin@coverity.com
To: stephen@networkplumber.org
Subject: New Defects reported by Coverity Scan for DPDK Data Plane Development Kit
Hi,
Please find the latest report on new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.
17 new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.
20 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 119270: Integer handling issues (SIGN_EXTENSION)
/drivers/net/fm10k/fm10k_rxtx_vec.c: 652 in vtx1()
________________________________________________________________________________________________________
*** CID 119270: Integer handling issues (SIGN_EXTENSION)
/drivers/net/fm10k/fm10k_rxtx_vec.c: 652 in vtx1()
646
647 static inline void
648 vtx1(volatile struct fm10k_tx_desc *txdp,
649 struct rte_mbuf *pkt, uint64_t flags)
650 {
651 __m128i descriptor = _mm_set_epi64x(flags << 56 |
>>> CID 119270: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "pkt->vlan_tci" with type "unsigned short" (16 bits, unsigned) is promoted in "pkt->vlan_tci << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "pkt->vlan_tci << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
652 pkt->vlan_tci << 16 | pkt->data_len,
653 MBUF_DMA_ADDR(pkt));
654 _mm_store_si128((__m128i *)txdp, descriptor);
655 }
656
657 static inline void
** CID 119269: Integer handling issues (SIGN_EXTENSION)
/drivers/net/virtio/virtio_rxtx.c: 355 in virtio_dev_vring_start()
________________________________________________________________________________________________________
*** CID 119269: Integer handling issues (SIGN_EXTENSION)
/drivers/net/virtio/virtio_rxtx.c: 355 in virtio_dev_vring_start()
349 int mid_idx = vq->vq_nentries >> 1;
350 for (i = 0; i < mid_idx; i++) {
351 vq->vq_ring.avail->ring[i] = i + mid_idx;
352 vq->vq_ring.desc[i + mid_idx].next = i;
353 vq->vq_ring.desc[i + mid_idx].addr =
354 vq->virtio_net_hdr_mem +
>>> CID 119269: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "vq->hw->vtnet_hdr_size" with type "unsigned short" (16 bits, unsigned) is promoted in "mid_idx * vq->hw->vtnet_hdr_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "mid_idx * vq->hw->vtnet_hdr_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
355 mid_idx * vq->hw->vtnet_hdr_size;
356 vq->vq_ring.desc[i + mid_idx].len =
357 vq->hw->vtnet_hdr_size;
358 vq->vq_ring.desc[i + mid_idx].flags =
359 VRING_DESC_F_NEXT;
360 vq->vq_ring.desc[i].flags = 0;
** CID 119268: Integer handling issues (SIGN_EXTENSION)
/drivers/net/i40e/i40e_fdir.c: 1097 in i40e_fdir_filter_programming()
________________________________________________________________________________________________________
*** CID 119268: Integer handling issues (SIGN_EXTENSION)
/drivers/net/i40e/i40e_fdir.c: 1097 in i40e_fdir_filter_programming()
1091 if (filter->input.flow_ext.is_vf)
1092 vsi_id = pf->vfs[filter->input.flow_ext.dst_id].vsi->vsi_id;
1093 else
1094 /* Use LAN VSI Id by default */
1095 vsi_id = pf->main_vsi->vsi_id;
1096 fdirdp->qindex_flex_ptype_vsi |=
>>> CID 119268: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "vsi_id" with type "unsigned short" (16 bits, unsigned) is promoted in "vsi_id << 23" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "vsi_id << 23" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1097 rte_cpu_to_le_32((vsi_id <<
1098 I40E_TXD_FLTR_QW0_DEST_VSI_SHIFT) &
1099 I40E_TXD_FLTR_QW0_DEST_VSI_MASK);
1100
1101 fdirdp->dtype_cmd_cntindex =
1102 rte_cpu_to_le_32(I40E_TX_DESC_DTYPE_FILTER_PROG);
** CID 119267: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_rxtx.c: 2596 in i40e_rx_queue_release_mbufs()
________________________________________________________________________________________________________
*** CID 119267: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_rxtx.c: 2596 in i40e_rx_queue_release_mbufs()
2590 /* SSE Vector driver has a different way of releasing mbufs. */
2591 if (rxq->rx_using_sse) {
2592 i40e_rx_queue_release_mbufs_vec(rxq);
2593 return;
2594 }
2595
>>> CID 119267: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "rxq" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2596 if (!rxq || !rxq->sw_ring) {
2597 PMD_DRV_LOG(DEBUG, "Pointer to rxq or sw_ring is NULL");
2598 return;
2599 }
2600
2601 for (i = 0; i < rxq->nb_rx_desc; i++) {
** CID 119266: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev_vf.c: 2090 in i40evf_set_rss_lut()
________________________________________________________________________________________________________
*** CID 119266: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev_vf.c: 2090 in i40evf_set_rss_lut()
2084 i40evf_set_rss_lut(struct i40e_vsi *vsi, uint8_t *lut, uint16_t lut_size)
2085 {
2086 struct i40e_vf *vf = I40E_VSI_TO_VF(vsi);
2087 struct i40e_hw *hw = I40E_VSI_TO_HW(vsi);
2088 int ret;
2089
>>> CID 119266: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "vsi" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2090 if (!vsi || !lut)
2091 return -EINVAL;
2092
2093 if (vf->flags & I40E_FLAG_RSS_AQ_CAPABLE) {
2094 ret = i40e_aq_set_rss_lut(hw, vsi->vsi_id, FALSE,
2095 lut, lut_size);
** CID 119265: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev.c: 2796 in i40e_set_rss_lut()
________________________________________________________________________________________________________
*** CID 119265: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev.c: 2796 in i40e_set_rss_lut()
2790 i40e_set_rss_lut(struct i40e_vsi *vsi, uint8_t *lut, uint16_t lut_size)
2791 {
2792 struct i40e_pf *pf = I40E_VSI_TO_PF(vsi);
2793 struct i40e_hw *hw = I40E_VSI_TO_HW(vsi);
2794 int ret;
2795
>>> CID 119265: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "vsi" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2796 if (!vsi || !lut)
2797 return -EINVAL;
2798
2799 if (pf->flags & I40E_FLAG_RSS_AQ_CAPABLE) {
2800 ret = i40e_aq_set_rss_lut(hw, vsi->vsi_id, TRUE,
2801 lut, lut_size);
** CID 119264: Memory - corruptions (OVERRUN)
/app/test-pmd/testpmd.c: 541 in init_config()
________________________________________________________________________________________________________
*** CID 119264: Memory - corruptions (OVERRUN)
/app/test-pmd/testpmd.c: 541 in init_config()
535 else {
536 uint32_t socket_id = rte_eth_dev_socket_id(pid);
537
538 /* if socket_id is invalid, set to 0 */
539 if (check_socket_id(socket_id) < 0)
540 socket_id = 0;
>>> CID 119264: Memory - corruptions (OVERRUN)
>>> Overrunning array "port_per_socket" of 8 bytes at byte offset 4294967295 using index "socket_id" (which evaluates to 4294967295).
541 port_per_socket[socket_id]++;
542 }
543 }
544
545 /* set flag to initialize port/queue */
546 port->need_reconfig = 1;
** CID 119263: Memory - corruptions (OVERRUN)
/lib/librte_hash/rte_cuckoo_hash.c: 807 in remove_entry()
________________________________________________________________________________________________________
*** CID 119263: Memory - corruptions (OVERRUN)
/lib/librte_hash/rte_cuckoo_hash.c: 807 in remove_entry()
801 n_slots = rte_ring_mp_enqueue_burst(h->free_slots,
802 cached_free_slots->objs,
803 LCORE_CACHE_SIZE);
804 cached_free_slots->len -= n_slots;
805 }
806 /* Put index of new free slot in cache. */
>>> CID 119263: Memory - corruptions (OVERRUN)
>>> Overrunning array "cached_free_slots->objs" of 8 8-byte elements at element index 8 (byte offset 64) using index "cached_free_slots->len" (which evaluates to 8).
807 cached_free_slots->objs[cached_free_slots->len] =
808 (void *)((uintptr_t)bkt->key_idx[i]);
809 cached_free_slots->len++;
810 } else {
811 rte_ring_sp_enqueue(h->free_slots,
812 (void *)((uintptr_t)bkt->key_idx[i]));
** CID 119262: Null pointer dereferences (NULL_RETURNS)
/lib/librte_vhost/vhost_user/virtio-net-user.c: 332 in user_set_vring_enable()
________________________________________________________________________________________________________
*** CID 119262: Null pointer dereferences (NULL_RETURNS)
/lib/librte_vhost/vhost_user/virtio-net-user.c: 332 in user_set_vring_enable()
326
327 if (notify_ops->vring_state_changed) {
328 notify_ops->vring_state_changed(dev, base_idx / VIRTIO_QNUM,
329 enable);
330 }
331
>>> CID 119262: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "dev".
332 dev->virtqueue[base_idx + VIRTIO_RXQ]->enabled = enable;
333 dev->virtqueue[base_idx + VIRTIO_TXQ]->enabled = enable;
334
335 return 0;
336 }
337
** CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
/drivers/net/e1000/em_ethdev.c: 642 in eth_em_start()
________________________________________________________________________________________________________
*** CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
/drivers/net/e1000/em_ethdev.c: 642 in eth_em_start()
636 e1000_setup_link(hw);
637
638 if (rte_intr_allow_others(intr_handle)) {
639 /* check if lsc interrupt is enabled */
640 if (dev->data->dev_conf.intr_conf.lsc != 0)
641 ret = eth_em_interrupt_setup(dev);
>>> CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
>>> This 'if' statement is indented to column 25, as if it were nested within the preceding parent statement, but it is not.
642 if (ret) {
643 PMD_INIT_LOG(ERR, "Unable to setup interrupts");
644 em_dev_clear_queues(dev);
645 return ret;
646 }
647 } else {
** CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
/app/test-pmd/testpmd.c: 541 in init_config()
________________________________________________________________________________________________________
*** CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
/app/test-pmd/testpmd.c: 541 in init_config()
535 else {
536 uint32_t socket_id = rte_eth_dev_socket_id(pid);
537
538 /* if socket_id is invalid, set to 0 */
539 if (check_socket_id(socket_id) < 0)
540 socket_id = 0;
>>> CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
>>> Using variable "socket_id" as an index to array "port_per_socket".
541 port_per_socket[socket_id]++;
542 }
543 }
544
545 /* set flag to initialize port/queue */
546 port->need_reconfig = 1;
** CID 119258: (FORWARD_NULL)
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
________________________________________________________________________________________________________
*** CID 119258: (FORWARD_NULL)
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
360 eth_dev->rx_pkt_burst = eth_ring_rx;
361 eth_dev->tx_pkt_burst = eth_ring_tx;
362
363 return data->port_id;
364
365 error:
>>> CID 119258: (FORWARD_NULL)
>>> Dereferencing null pointer "data".
366 rte_free(data->rx_queues);
367 rte_free(data->tx_queues);
368 rte_free(data);
369 rte_free(internals);
370
371 return -1;
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
360 eth_dev->rx_pkt_burst = eth_ring_rx;
361 eth_dev->tx_pkt_burst = eth_ring_tx;
362
363 return data->port_id;
364
365 error:
>>> CID 119258: (FORWARD_NULL)
>>> Dereferencing null pointer "data".
366 rte_free(data->rx_queues);
367 rte_free(data->tx_queues);
368 rte_free(data);
369 rte_free(internals);
370
371 return -1;
** CID 119257: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3254 in rte_eth_copy_pci_info()
________________________________________________________________________________________________________
*** CID 119257: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3254 in rte_eth_copy_pci_info()
3248 if ((eth_dev == NULL) || (pci_dev == NULL)) {
3249 PMD_DEBUG_TRACE("NULL pointer eth_dev=%p pci_dev=%p\n",
3250 eth_dev, pci_dev);
3251 }
3252
3253 eth_dev->data->dev_flags = 0;
>>> CID 119257: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pci_dev".
3254 if (pci_dev->driver->drv_flags & RTE_PCI_DRV_INTR_LSC)
3255 eth_dev->data->dev_flags |= RTE_ETH_DEV_INTR_LSC;
3256 if (pci_dev->driver->drv_flags & RTE_PCI_DRV_DETACHABLE)
3257 eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
3258
3259 eth_dev->data->kdrv = pci_dev->kdrv;
3260 eth_dev->data->numa_node = pci_dev->numa_node;
3261 eth_dev->data->drv_name = pci_dev->driver->name;
** CID 119256: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3253 in rte_eth_copy_pci_info()
________________________________________________________________________________________________________
*** CID 119256: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3253 in rte_eth_copy_pci_info()
3247 {
3248 if ((eth_dev == NULL) || (pci_dev == NULL)) {
3249 PMD_DEBUG_TRACE("NULL pointer eth_dev=%p pci_dev=%p\n",
3250 eth_dev, pci_dev);
3251 }
3252
>>> CID 119256: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "eth_dev".
3253 eth_dev->data->dev_flags = 0;
3254 if (pci_dev->driver->drv_flags & RTE_PCI_DRV_INTR_LSC)
3255 eth_dev->data->dev_flags |= RTE_ETH_DEV_INTR_LSC;
3256 if (pci_dev->driver->drv_flags & RTE_PCI_DRV_DETACHABLE)
3257 eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
3258
3259 eth_dev->data->kdrv = pci_dev->kdrv;
3260 eth_dev->data->numa_node = pci_dev->numa_node;
3261 eth_dev->data->drv_name = pci_dev->driver->name;
** CID 119255: Control flow issues (DEADCODE)
/drivers/net/i40e/i40e_ethdev.c: 6797 in i40e_generate_inset_mask_reg()
________________________________________________________________________________________________________
*** CID 119255: Control flow issues (DEADCODE)
/drivers/net/i40e/i40e_ethdev.c: 6797 in i40e_generate_inset_mask_reg()
6791 {I40E_INSET_IPV6_NEXT_HDR, I40E_INSET_IPV6_NEXT_HDR_MASK},
6792 };
6793
6794 if (!inset || !mask || !nb_elem)
6795 return 0;
6796
>>> CID 119255: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "nb_elem >= 2" inside this statement: "if (!inset && nb_elem >= 2)...".
6797 if (!inset && nb_elem >= I40E_INSET_MASK_NUM_REG) {
6798 for (i = 0; i < I40E_INSET_MASK_NUM_REG; i++)
6799 mask[i] = 0;
6800 return I40E_INSET_MASK_NUM_REG;
6801 }
6802
** CID 119254: Control flow issues (DEADCODE)
/app/test-pmd/config.c: 1257 in dcb_fwd_config_setup()
________________________________________________________________________________________________________
*** CID 119254: Control flow issues (DEADCODE)
/app/test-pmd/config.c: 1257 in dcb_fwd_config_setup()
1251 /* reinitialize forwarding streams */
1252 init_fwd_streams();
1253 sm_id = 0;
1254 if ((rxp & 0x1) == 0)
1255 txp = (portid_t) (rxp + 1);
1256 else
>>> CID 119254: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "txp = (portid_t)(rxp - 1);".
1257 txp = (portid_t) (rxp - 1);
1258 /* get the dcb info on the first RX and TX ports */
1259 (void)rte_eth_dev_get_dcb_info(fwd_ports_ids[rxp], &rxp_dcb_info);
1260 (void)rte_eth_dev_get_dcb_info(fwd_ports_ids[txp], &txp_dcb_info);
1261
1262 for (lc_id = 0; lc_id < cur_fwd_config.nb_fwd_lcores; lc_id++) {
** CID 119251: Error handling issues (CHECKED_RETURN)
/app/test-pmd/cmdline.c: 1492 in cmd_config_rss_parsed()
________________________________________________________________________________________________________
*** CID 119251: Error handling issues (CHECKED_RETURN)
/app/test-pmd/cmdline.c: 1492 in cmd_config_rss_parsed()
1486 else {
1487 printf("Unknown parameter\n");
1488 return;
1489 }
1490 rss_conf.rss_key = NULL;
1491 for (i = 0; i < rte_eth_dev_count(); i++)
>>> CID 119251: Error handling issues (CHECKED_RETURN)
>>> Calling "rte_eth_dev_rss_hash_update" without checking return value (as is done elsewhere 5 out of 6 times).
1492 rte_eth_dev_rss_hash_update(i, &rss_conf);
1493 }
1494
1495 cmdline_parse_token_string_t cmd_config_rss_port =
1496 TOKEN_STRING_INITIALIZER(struct cmd_config_rss, port, "port");
1497 cmdline_parse_token_string_t cmd_config_rss_keyword =
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/dpdk-data-plane-development-kit?tab=overview