Date: Wed, 4 Nov 2015 09:46:40 -0800
From: Stephen Hemminger
To: dev@dpdk.org
Message-ID: <20151104094640.1829452d@xeon-e3>
Subject: [dpdk-dev] Fw: New Defects reported by Coverity Scan for DPDK Data Plane Development Kit

Begin forwarded message:

Date: Wed, 04 Nov 2015 08:08:51 -0800
From: scan-admin@coverity.com
To: stephen@networkplumber.org
Subject: New Defects reported by Coverity Scan for DPDK Data Plane Development Kit

Hi,

Please find the latest report on new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.

17 new defect(s) introduced to DPDK Data Plane Development Kit found with Coverity Scan.
20 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)


** CID 119270: Integer handling issues (SIGN_EXTENSION)
/drivers/net/fm10k/fm10k_rxtx_vec.c: 652 in vtx1()

________________________________________________________________________________________________________
*** CID 119270: Integer handling issues (SIGN_EXTENSION)
/drivers/net/fm10k/fm10k_rxtx_vec.c: 652 in vtx1()
646
647     static inline void
648     vtx1(volatile struct fm10k_tx_desc *txdp,
649     		struct rte_mbuf *pkt, uint64_t flags)
650     {
651     	__m128i descriptor = _mm_set_epi64x(flags << 56 |
>>>     CID 119270: Integer handling issues (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "pkt->vlan_tci" with type "unsigned short" (16 bits, unsigned) is promoted in "pkt->vlan_tci << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "pkt->vlan_tci << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
652     			pkt->vlan_tci << 16 | pkt->data_len,
653     			MBUF_DMA_ADDR(pkt));
654     	_mm_store_si128((__m128i *)txdp, descriptor);
655     }
656
657     static inline void

** CID 119269: Integer handling issues (SIGN_EXTENSION)
/drivers/net/virtio/virtio_rxtx.c: 355 in virtio_dev_vring_start()

________________________________________________________________________________________________________
*** CID 119269: Integer handling issues (SIGN_EXTENSION)
/drivers/net/virtio/virtio_rxtx.c: 355 in virtio_dev_vring_start()
349     		int mid_idx = vq->vq_nentries >> 1;
350     		for (i = 0; i < mid_idx; i++) {
351     			vq->vq_ring.avail->ring[i] = i + mid_idx;
352     			vq->vq_ring.desc[i + mid_idx].next = i;
353     			vq->vq_ring.desc[i + mid_idx].addr =
354     				vq->virtio_net_hdr_mem +
>>>     CID 119269: Integer handling issues (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "vq->hw->vtnet_hdr_size" with type "unsigned short" (16 bits, unsigned) is promoted in "mid_idx * vq->hw->vtnet_hdr_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "mid_idx * vq->hw->vtnet_hdr_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
355     					mid_idx * vq->hw->vtnet_hdr_size;
356     			vq->vq_ring.desc[i + mid_idx].len =
357     				vq->hw->vtnet_hdr_size;
358     			vq->vq_ring.desc[i + mid_idx].flags =
359     				VRING_DESC_F_NEXT;
360     			vq->vq_ring.desc[i].flags = 0;

** CID 119268: Integer handling issues (SIGN_EXTENSION)
/drivers/net/i40e/i40e_fdir.c: 1097 in i40e_fdir_filter_programming()

________________________________________________________________________________________________________
*** CID 119268: Integer handling issues (SIGN_EXTENSION)
/drivers/net/i40e/i40e_fdir.c: 1097 in i40e_fdir_filter_programming()
1091     	if (filter->input.flow_ext.is_vf)
1092     		vsi_id = pf->vfs[filter->input.flow_ext.dst_id].vsi->vsi_id;
1093     	else
1094     		/* Use LAN VSI Id by default */
1095     		vsi_id = pf->main_vsi->vsi_id;
1096     	fdirdp->qindex_flex_ptype_vsi |=
>>>     CID 119268: Integer handling issues (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "vsi_id" with type "unsigned short" (16 bits, unsigned) is promoted in "vsi_id << 23" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "vsi_id << 23" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1097     		rte_cpu_to_le_32((vsi_id <<
1098     				I40E_TXD_FLTR_QW0_DEST_VSI_SHIFT) &
1099     				I40E_TXD_FLTR_QW0_DEST_VSI_MASK);
1100
1101     	fdirdp->dtype_cmd_cntindex =
1102     			rte_cpu_to_le_32(I40E_TX_DESC_DTYPE_FILTER_PROG);

** CID 119267: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_rxtx.c: 2596 in i40e_rx_queue_release_mbufs()

________________________________________________________________________________________________________
*** CID 119267: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_rxtx.c: 2596 in i40e_rx_queue_release_mbufs()
2590     	/* SSE Vector driver has a different way of releasing mbufs. */
2591     	if (rxq->rx_using_sse) {
2592     		i40e_rx_queue_release_mbufs_vec(rxq);
2593     		return;
2594     	}
2595
>>>     CID 119267: Null pointer dereferences (REVERSE_INULL)
>>>     Null-checking "rxq" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2596     	if (!rxq || !rxq->sw_ring) {
2597     		PMD_DRV_LOG(DEBUG, "Pointer to rxq or sw_ring is NULL");
2598     		return;
2599     	}
2600
2601     	for (i = 0; i < rxq->nb_rx_desc; i++) {

** CID 119266: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev_vf.c: 2090 in i40evf_set_rss_lut()

________________________________________________________________________________________________________
*** CID 119266: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev_vf.c: 2090 in i40evf_set_rss_lut()
2084     i40evf_set_rss_lut(struct i40e_vsi *vsi, uint8_t *lut, uint16_t lut_size)
2085     {
2086     	struct i40e_vf *vf = I40E_VSI_TO_VF(vsi);
2087     	struct i40e_hw *hw = I40E_VSI_TO_HW(vsi);
2088     	int ret;
2089
>>>     CID 119266: Null pointer dereferences (REVERSE_INULL)
>>>     Null-checking "vsi" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2090     	if (!vsi || !lut)
2091     		return -EINVAL;
2092
2093     	if (vf->flags & I40E_FLAG_RSS_AQ_CAPABLE) {
2094     		ret = i40e_aq_set_rss_lut(hw, vsi->vsi_id, FALSE,
2095     					  lut, lut_size);

** CID 119265: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev.c: 2796 in i40e_set_rss_lut()

________________________________________________________________________________________________________
*** CID 119265: Null pointer dereferences (REVERSE_INULL)
/drivers/net/i40e/i40e_ethdev.c: 2796 in i40e_set_rss_lut()
2790     i40e_set_rss_lut(struct i40e_vsi *vsi, uint8_t *lut, uint16_t lut_size)
2791     {
2792     	struct i40e_pf *pf = I40E_VSI_TO_PF(vsi);
2793     	struct i40e_hw *hw = I40E_VSI_TO_HW(vsi);
2794     	int ret;
2795
>>>     CID 119265: Null pointer dereferences (REVERSE_INULL)
>>>     Null-checking "vsi" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2796     	if (!vsi || !lut)
2797     		return -EINVAL;
2798
2799     	if (pf->flags & I40E_FLAG_RSS_AQ_CAPABLE) {
2800     		ret = i40e_aq_set_rss_lut(hw, vsi->vsi_id, TRUE,
2801     					  lut, lut_size);

** CID 119264: Memory - corruptions (OVERRUN)
/app/test-pmd/testpmd.c: 541 in init_config()

________________________________________________________________________________________________________
*** CID 119264: Memory - corruptions (OVERRUN)
/app/test-pmd/testpmd.c: 541 in init_config()
535     			else {
536     				uint32_t socket_id = rte_eth_dev_socket_id(pid);
537
538     				/* if socket_id is invalid, set to 0 */
539     				if (check_socket_id(socket_id) < 0)
540     					socket_id = 0;
>>>     CID 119264: Memory - corruptions (OVERRUN)
>>>     Overrunning array "port_per_socket" of 8 bytes at byte offset 4294967295 using index "socket_id" (which evaluates to 4294967295).
541     				port_per_socket[socket_id]++;
542     			}
543     		}
544
545     		/* set flag to initialize port/queue */
546     		port->need_reconfig = 1;

** CID 119263: Memory - corruptions (OVERRUN)
/lib/librte_hash/rte_cuckoo_hash.c: 807 in remove_entry()

________________________________________________________________________________________________________
*** CID 119263: Memory - corruptions (OVERRUN)
/lib/librte_hash/rte_cuckoo_hash.c: 807 in remove_entry()
801     			n_slots = rte_ring_mp_enqueue_burst(h->free_slots,
802     						cached_free_slots->objs,
803     						LCORE_CACHE_SIZE);
804     			cached_free_slots->len -= n_slots;
805     		}
806     		/* Put index of new free slot in cache. */
>>>     CID 119263: Memory - corruptions (OVERRUN)
>>>     Overrunning array "cached_free_slots->objs" of 8 8-byte elements at element index 8 (byte offset 64) using index "cached_free_slots->len" (which evaluates to 8).
807     		cached_free_slots->objs[cached_free_slots->len] =
808     				(void *)((uintptr_t)bkt->key_idx[i]);
809     		cached_free_slots->len++;
810     	} else {
811     		rte_ring_sp_enqueue(h->free_slots,
812     				(void *)((uintptr_t)bkt->key_idx[i]));

** CID 119262: Null pointer dereferences (NULL_RETURNS)
/lib/librte_vhost/vhost_user/virtio-net-user.c: 332 in user_set_vring_enable()

________________________________________________________________________________________________________
*** CID 119262: Null pointer dereferences (NULL_RETURNS)
/lib/librte_vhost/vhost_user/virtio-net-user.c: 332 in user_set_vring_enable()
326
327     	if (notify_ops->vring_state_changed) {
328     		notify_ops->vring_state_changed(dev, base_idx / VIRTIO_QNUM,
329     						enable);
330     	}
331
>>>     CID 119262: Null pointer dereferences (NULL_RETURNS)
>>>     Dereferencing a null pointer "dev".
332     	dev->virtqueue[base_idx + VIRTIO_RXQ]->enabled = enable;
333     	dev->virtqueue[base_idx + VIRTIO_TXQ]->enabled = enable;
334
335     	return 0;
336     }
337

** CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
/drivers/net/e1000/em_ethdev.c: 642 in eth_em_start()

________________________________________________________________________________________________________
*** CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
/drivers/net/e1000/em_ethdev.c: 642 in eth_em_start()
636     	e1000_setup_link(hw);
637
638     	if (rte_intr_allow_others(intr_handle)) {
639     		/* check if lsc interrupt is enabled */
640     		if (dev->data->dev_conf.intr_conf.lsc != 0)
641     			ret = eth_em_interrupt_setup(dev);
>>>     CID 119260: Control flow issues (NESTING_INDENT_MISMATCH)
>>>     This 'if' statement is indented to column 25, as if it were nested within the preceding parent statement, but it is not.
642     			if (ret) {
643     				PMD_INIT_LOG(ERR, "Unable to setup interrupts");
644     				em_dev_clear_queues(dev);
645     				return ret;
646     			}
647     	} else {

** CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
/app/test-pmd/testpmd.c: 541 in init_config()

________________________________________________________________________________________________________
*** CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
/app/test-pmd/testpmd.c: 541 in init_config()
535     			else {
536     				uint32_t socket_id = rte_eth_dev_socket_id(pid);
537
538     				/* if socket_id is invalid, set to 0 */
539     				if (check_socket_id(socket_id) < 0)
540     					socket_id = 0;
>>>     CID 119259: Memory - corruptions (NEGATIVE_RETURNS)
>>>     Using variable "socket_id" as an index to array "port_per_socket".
541     				port_per_socket[socket_id]++;
542     			}
543     		}
544
545     		/* set flag to initialize port/queue */
546     		port->need_reconfig = 1;

** CID 119258: (FORWARD_NULL)
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()

________________________________________________________________________________________________________
*** CID 119258: (FORWARD_NULL)
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
360     	eth_dev->rx_pkt_burst = eth_ring_rx;
361     	eth_dev->tx_pkt_burst = eth_ring_tx;
362
363     	return data->port_id;
364
365     error:
>>>     CID 119258: (FORWARD_NULL)
>>>     Dereferencing null pointer "data".
366     	rte_free(data->rx_queues);
367     	rte_free(data->tx_queues);
368     	rte_free(data);
369     	rte_free(internals);
370
371     	return -1;
/drivers/net/ring/rte_eth_ring.c: 366 in rte_eth_from_rings()
360     	eth_dev->rx_pkt_burst = eth_ring_rx;
361     	eth_dev->tx_pkt_burst = eth_ring_tx;
362
363     	return data->port_id;
364
365     error:
>>>     CID 119258: (FORWARD_NULL)
>>>     Dereferencing null pointer "data".
366     	rte_free(data->rx_queues);
367     	rte_free(data->tx_queues);
368     	rte_free(data);
369     	rte_free(internals);
370
371     	return -1;

** CID 119257: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3254 in rte_eth_copy_pci_info()

________________________________________________________________________________________________________
*** CID 119257: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3254 in rte_eth_copy_pci_info()
3248     	if ((eth_dev == NULL) || (pci_dev == NULL)) {
3249     		PMD_DEBUG_TRACE("NULL pointer eth_dev=%p pci_dev=%p\n",
3250     				eth_dev, pci_dev);
3251     	}
3252
3253     	eth_dev->data->dev_flags = 0;
>>>     CID 119257: Null pointer dereferences (FORWARD_NULL)
>>>     Dereferencing null pointer "pci_dev".
3254     	if (pci_dev->driver->drv_flags & RTE_PCI_DRV_INTR_LSC)
3255     		eth_dev->data->dev_flags |= RTE_ETH_DEV_INTR_LSC;
3256     	if (pci_dev->driver->drv_flags & RTE_PCI_DRV_DETACHABLE)
3257     		eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
3258
3259     	eth_dev->data->kdrv = pci_dev->kdrv;
3260     	eth_dev->data->numa_node = pci_dev->numa_node;
3261     	eth_dev->data->drv_name = pci_dev->driver->name;

** CID 119256: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3253 in rte_eth_copy_pci_info()

________________________________________________________________________________________________________
*** CID 119256: Null pointer dereferences (FORWARD_NULL)
/lib/librte_ether/rte_ethdev.c: 3253 in rte_eth_copy_pci_info()
3247     {
3248     	if ((eth_dev == NULL) || (pci_dev == NULL)) {
3249     		PMD_DEBUG_TRACE("NULL pointer eth_dev=%p pci_dev=%p\n",
3250     				eth_dev, pci_dev);
3251     	}
3252
>>>     CID 119256: Null pointer dereferences (FORWARD_NULL)
>>>     Dereferencing null pointer "eth_dev".
3253     	eth_dev->data->dev_flags = 0;
3254     	if (pci_dev->driver->drv_flags & RTE_PCI_DRV_INTR_LSC)
3255     		eth_dev->data->dev_flags |= RTE_ETH_DEV_INTR_LSC;
3256     	if (pci_dev->driver->drv_flags & RTE_PCI_DRV_DETACHABLE)
3257     		eth_dev->data->dev_flags |= RTE_ETH_DEV_DETACHABLE;
3258
3259     	eth_dev->data->kdrv = pci_dev->kdrv;
3260     	eth_dev->data->numa_node = pci_dev->numa_node;
3261     	eth_dev->data->drv_name = pci_dev->driver->name;

** CID 119255: Control flow issues (DEADCODE)
/drivers/net/i40e/i40e_ethdev.c: 6797 in i40e_generate_inset_mask_reg()

________________________________________________________________________________________________________
*** CID 119255: Control flow issues (DEADCODE)
/drivers/net/i40e/i40e_ethdev.c: 6797 in i40e_generate_inset_mask_reg()
6791     		{I40E_INSET_IPV6_NEXT_HDR, I40E_INSET_IPV6_NEXT_HDR_MASK},
6792     	};
6793
6794     	if (!inset || !mask || !nb_elem)
6795     		return 0;
6796
>>>     CID 119255: Control flow issues (DEADCODE)
>>>     Execution cannot reach the expression "nb_elem >= 2" inside this statement: "if (!inset && nb_elem >= 2)...".
6797     	if (!inset && nb_elem >= I40E_INSET_MASK_NUM_REG) {
6798     		for (i = 0; i < I40E_INSET_MASK_NUM_REG; i++)
6799     			mask[i] = 0;
6800     		return I40E_INSET_MASK_NUM_REG;
6801     	}
6802

** CID 119254: Control flow issues (DEADCODE)
/app/test-pmd/config.c: 1257 in dcb_fwd_config_setup()

________________________________________________________________________________________________________
*** CID 119254: Control flow issues (DEADCODE)
/app/test-pmd/config.c: 1257 in dcb_fwd_config_setup()
1251     	/* reinitialize forwarding streams */
1252     	init_fwd_streams();
1253     	sm_id = 0;
1254     	if ((rxp & 0x1) == 0)
1255     		txp = (portid_t) (rxp + 1);
1256     	else
>>>     CID 119254: Control flow issues (DEADCODE)
>>>     Execution cannot reach this statement: "txp = (portid_t)(rxp - 1);".
1257     		txp = (portid_t) (rxp - 1);
1258     	/* get the dcb info on the first RX and TX ports */
1259     	(void)rte_eth_dev_get_dcb_info(fwd_ports_ids[rxp], &rxp_dcb_info);
1260     	(void)rte_eth_dev_get_dcb_info(fwd_ports_ids[txp], &txp_dcb_info);
1261
1262     	for (lc_id = 0; lc_id < cur_fwd_config.nb_fwd_lcores; lc_id++) {

** CID 119251: Error handling issues (CHECKED_RETURN)
/app/test-pmd/cmdline.c: 1492 in cmd_config_rss_parsed()

________________________________________________________________________________________________________
*** CID 119251: Error handling issues (CHECKED_RETURN)
/app/test-pmd/cmdline.c: 1492 in cmd_config_rss_parsed()
1486     	else {
1487     		printf("Unknown parameter\n");
1488     		return;
1489     	}
1490     	rss_conf.rss_key = NULL;
1491     	for (i = 0; i < rte_eth_dev_count(); i++)
>>>     CID 119251: Error handling issues (CHECKED_RETURN)
>>>     Calling "rte_eth_dev_rss_hash_update" without checking return value (as is done elsewhere 5 out of 6 times).
1492     		rte_eth_dev_rss_hash_update(i, &rss_conf);
1493     }
1494
1495     cmdline_parse_token_string_t cmd_config_rss_port =
1496     	TOKEN_STRING_INITIALIZER(struct cmd_config_rss, port, "port");
1497     cmdline_parse_token_string_t cmd_config_rss_keyword =


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/dpdk-data-plane-development-kit?tab=overview