[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri Nov 11 18:17:59 CET 2016
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
240 new defect(s) introduced to coreboot found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 240 defect(s)
** CID 1365731: Null pointer dereferences (NULL_RETURNS)
/src/drivers/intel/fsp2_0/hand_off_block.c: 109 in save_hob_list()
________________________________________________________________________________________________________
*** CID 1365731: Null pointer dereferences (NULL_RETURNS)
/src/drivers/intel/fsp2_0/hand_off_block.c: 109 in save_hob_list()
103 static void *fsp_hob_list_ptr CAR_GLOBAL;
104
105 static void save_hob_list(int is_recovery)
106 {
107 uint32_t *cbmem_loc;
108 cbmem_loc = cbmem_add(CBMEM_ID_FSP_RUNTIME, sizeof(*cbmem_loc));
>>> CID 1365731: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "cbmem_loc".
109 *cbmem_loc = (uintptr_t)fsp_get_hob_list();
110 }
111
112 ROMSTAGE_CBMEM_INIT_HOOK(save_hob_list);
113
114 const void *fsp_get_hob_list(void)
** CID 1365730: (BUFFER_SIZE)
/src/mainboard/google/eve/romstage.c: 41 in mainboard_memory_init_params()
/src/mainboard/google/eve/romstage.c: 42 in mainboard_memory_init_params()
________________________________________________________________________________________________________
*** CID 1365730: (BUFFER_SIZE)
/src/mainboard/google/eve/romstage.c: 41 in mainboard_memory_init_params()
35 { 1, 0, 4, 5, 3, 2, 7, 6 } };
36 /* Rcomp resistor */
37 const u16 rcomp_resistor[] = { 200, 81, 162 };
38 /* Rcomp target */
39 const u16 rcomp_target[] = { 100, 40, 40, 23, 40 };
40
>>> CID 1365730: (BUFFER_SIZE)
>>> You might overrun the 12 byte destination string "mem_cfg->DqByteMapCh0" by writing the maximum 24 bytes from "dq_map".
41 memcpy(&mem_cfg->DqByteMapCh0, dq_map, sizeof(dq_map));
42 memcpy(&mem_cfg->DqsMapCpu2DramCh0, dqs_map, sizeof(dqs_map));
43 memcpy(&mem_cfg->RcompResistor, rcomp_resistor, sizeof(rcomp_resistor));
44 memcpy(&mem_cfg->RcompTarget, rcomp_target, sizeof(rcomp_target));
45
46 mem_cfg->MemorySpdPtr00 = mainboard_get_spd_data();
47 mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00;
48 mem_cfg->MemorySpdDataLen = SPD_LEN;
/src/mainboard/google/eve/romstage.c: 42 in mainboard_memory_init_params()
36 /* Rcomp resistor */
37 const u16 rcomp_resistor[] = { 200, 81, 162 };
38 /* Rcomp target */
39 const u16 rcomp_target[] = { 100, 40, 40, 23, 40 };
40
41 memcpy(&mem_cfg->DqByteMapCh0, dq_map, sizeof(dq_map));
>>> CID 1365730: (BUFFER_SIZE)
>>> You might overrun the 8 byte destination string "mem_cfg->DqsMapCpu2DramCh0" by writing the maximum 16 bytes from "dqs_map".
42 memcpy(&mem_cfg->DqsMapCpu2DramCh0, dqs_map, sizeof(dqs_map));
43 memcpy(&mem_cfg->RcompResistor, rcomp_resistor, sizeof(rcomp_resistor));
44 memcpy(&mem_cfg->RcompTarget, rcomp_target, sizeof(rcomp_target));
45
46 mem_cfg->MemorySpdPtr00 = mainboard_get_spd_data();
47 mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00;
48 mem_cfg->MemorySpdDataLen = SPD_LEN;
** CID 1365389: (OVERRUN)
/src/mainboard/google/eve/romstage.c: 41 in mainboard_memory_init_params()
________________________________________________________________________________________________________
*** CID 1365389: (OVERRUN)
/src/mainboard/google/eve/romstage.c: 41 in mainboard_memory_init_params()
35 { 1, 0, 4, 5, 3, 2, 7, 6 } };
36 /* Rcomp resistor */
37 const u16 rcomp_resistor[] = { 200, 81, 162 };
38 /* Rcomp target */
39 const u16 rcomp_target[] = { 100, 40, 40, 23, 40 };
40
>>> CID 1365389: (OVERRUN)
>>> Overrunning array "mem_cfg->DqByteMapCh0" of 12 bytes by passing it to a function which accesses it at byte offset 23 using argument "24UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
41 memcpy(&mem_cfg->DqByteMapCh0, dq_map, sizeof(dq_map));
42 memcpy(&mem_cfg->DqsMapCpu2DramCh0, dqs_map, sizeof(dqs_map));
43 memcpy(&mem_cfg->RcompResistor, rcomp_resistor, sizeof(rcomp_resistor));
44 memcpy(&mem_cfg->RcompTarget, rcomp_target, sizeof(rcomp_target));
45
46 mem_cfg->MemorySpdPtr00 = mainboard_get_spd_data();
47 mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00;
48 mem_cfg->MemorySpdDataLen = SPD_LEN;
/src/mainboard/intel/kblrvp/romstage.c: 32 in mainboard_memory_init_params()
26
27 void mainboard_memory_init_params(FSPM_UPD *mupd)
28 {
29 FSP_M_CONFIG *mem_cfg;
30 mem_cfg = &mupd->FspmConfig;
31
>>> CID 1365389: (OVERRUN)
>>> Overrunning array "mem_cfg->DqByteMapCh0" of 12 bytes by passing it to a function which accesses it at byte offset 23.
32 mainboard_fill_dq_map_data(&mem_cfg->DqByteMapCh0);
33 mainboard_fill_dqs_map_data(&mem_cfg->DqsMapCpu2DramCh0);
34 mainboard_fill_rcomp_res_data(&mem_cfg->RcompResistor);
35 mainboard_fill_rcomp_strength_data(&mem_cfg->RcompTarget);
36
37 mem_cfg->DqPinsInterleaved = 0;
** CID 1365388: (OVERRUN)
/src/mainboard/google/eve/romstage.c: 42 in mainboard_memory_init_params()
________________________________________________________________________________________________________
*** CID 1365388: (OVERRUN)
/src/mainboard/google/eve/romstage.c: 42 in mainboard_memory_init_params()
36 /* Rcomp resistor */
37 const u16 rcomp_resistor[] = { 200, 81, 162 };
38 /* Rcomp target */
39 const u16 rcomp_target[] = { 100, 40, 40, 23, 40 };
40
41 memcpy(&mem_cfg->DqByteMapCh0, dq_map, sizeof(dq_map));
>>> CID 1365388: (OVERRUN)
>>> Overrunning array "mem_cfg->DqsMapCpu2DramCh0" of 8 bytes by passing it to a function which accesses it at byte offset 15 using argument "16UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
42 memcpy(&mem_cfg->DqsMapCpu2DramCh0, dqs_map, sizeof(dqs_map));
43 memcpy(&mem_cfg->RcompResistor, rcomp_resistor, sizeof(rcomp_resistor));
44 memcpy(&mem_cfg->RcompTarget, rcomp_target, sizeof(rcomp_target));
45
46 mem_cfg->MemorySpdPtr00 = mainboard_get_spd_data();
47 mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00;
48 mem_cfg->MemorySpdDataLen = SPD_LEN;
/src/mainboard/intel/kblrvp/romstage.c: 33 in mainboard_memory_init_params()
27 void mainboard_memory_init_params(FSPM_UPD *mupd)
28 {
29 FSP_M_CONFIG *mem_cfg;
30 mem_cfg = &mupd->FspmConfig;
31
32 mainboard_fill_dq_map_data(&mem_cfg->DqByteMapCh0);
>>> CID 1365388: (OVERRUN)
>>> Overrunning array "mem_cfg->DqsMapCpu2DramCh0" of 8 bytes by passing it to a function which accesses it at byte offset 15.
33 mainboard_fill_dqs_map_data(&mem_cfg->DqsMapCpu2DramCh0);
34 mainboard_fill_rcomp_res_data(&mem_cfg->RcompResistor);
35 mainboard_fill_rcomp_strength_data(&mem_cfg->RcompTarget);
36
37 mem_cfg->DqPinsInterleaved = 0;
38 mem_cfg->MemorySpdPtr00 = mainboard_get_spd_data();
39 if (mainboard_has_dual_channel_mem())
40 mem_cfg->MemorySpdPtr10 = mem_cfg->MemorySpdPtr00;
41 mem_cfg->MemorySpdDataLen = SPD_LEN;
** CID 1364082: Integer handling issues (NO_EFFECT)
/src/soc/rockchip/common/spi.c: 170 in rockchip_spi_set_sample_delay()
________________________________________________________________________________________________________
*** CID 1364082: Integer handling issues (NO_EFFECT)
/src/soc/rockchip/common/spi.c: 170 in rockchip_spi_set_sample_delay()
164 assert(bus >= 0 && bus < ARRAY_SIZE(rockchip_spi_slaves));
165 struct rockchip_spi *regs = rockchip_spi_slaves[bus].regs;
166 unsigned int rsd;
167
168 /* Rxd Sample Delay */
169 rsd = DIV_ROUND_CLOSEST(delay_ns * (SPI_SRCCLK_HZ >> 8), 1*GHz >> 8);
>>> CID 1364082: Integer handling issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "rsd >= 0U".
170 assert(rsd >= 0 && rsd <= 3);
171 clrsetbits_le32(®s->ctrlr0, SPI_RXDSD_MASK << SPI_RXDSD_OFFSET,
172 rsd << SPI_RXDSD_OFFSET);
173 }
174
175 int spi_claim_bus(struct spi_slave *slave)
** CID 1363355: (SIZEOF_MISMATCH)
/src/drivers/intel/fsp2_0/upd_display.c: 37 in fspm_display_arch_params()
/src/drivers/intel/fsp2_0/upd_display.c: 40 in fspm_display_arch_params()
________________________________________________________________________________________________________
*** CID 1363355: (SIZEOF_MISMATCH)
/src/drivers/intel/fsp2_0/upd_display.c: 37 in fspm_display_arch_params()
31 {
32 /* Display the architectural parameters for MemoryInit */
33 printk(BIOS_SPEW, "Architectural UPD values for MemoryInit at: 0x%p\n",
34 new);
35 fsp_display_upd_value("Revision", sizeof(old->Revision),
36 old->Revision, new->Revision);
>>> CID 1363355: (SIZEOF_MISMATCH)
>>> Passing argument "old->NvsBufferPtr" of type "void * const" and argument "4UL /* sizeof (old->NvsBufferPtr) */" to function "fsp_display_upd_value" is suspicious.
37 fsp_display_upd_value("NvsBufferPtr", sizeof(old->NvsBufferPtr),
38 (uintptr_t)old->NvsBufferPtr,
39 (uintptr_t)new->NvsBufferPtr);
40 fsp_display_upd_value("StackBase", sizeof(old->StackBase),
41 (uintptr_t)old->StackBase,
42 (uintptr_t)new->StackBase);
/src/drivers/intel/fsp2_0/upd_display.c: 40 in fspm_display_arch_params()
34 new);
35 fsp_display_upd_value("Revision", sizeof(old->Revision),
36 old->Revision, new->Revision);
37 fsp_display_upd_value("NvsBufferPtr", sizeof(old->NvsBufferPtr),
38 (uintptr_t)old->NvsBufferPtr,
39 (uintptr_t)new->NvsBufferPtr);
>>> CID 1363355: (SIZEOF_MISMATCH)
>>> Passing argument "old->StackBase" of type "void * const" and argument "4UL /* sizeof (old->StackBase) */" to function "fsp_display_upd_value" is suspicious.
40 fsp_display_upd_value("StackBase", sizeof(old->StackBase),
41 (uintptr_t)old->StackBase,
42 (uintptr_t)new->StackBase);
43 fsp_display_upd_value("StackSize", sizeof(old->StackSize),
44 old->StackSize, new->StackSize);
45 fsp_display_upd_value("BootLoaderTolumSize",
** CID 1362811: Resource leaks (RESOURCE_LEAK)
/src/southbridge/amd/sr5650/sr5650.c: 804 in add_ivrs_device_entries()
________________________________________________________________________________________________________
*** CID 1362811: Resource leaks (RESOURCE_LEAK)
/src/southbridge/amd/sr5650/sr5650.c: 804 in add_ivrs_device_entries()
798 sibling = sibling->sibling)
799 add_ivrs_device_entries(dev, sibling, depth + 1,
800 depth, root_level, current, length);
801
802 if (depth == 0)
803 free(root_level);
>>> CID 1362811: Resource leaks (RESOURCE_LEAK)
>>> Returning without freeing "root_level" leaks the storage that it points to.
804 }
805
806 unsigned long acpi_fill_mcfg(unsigned long current)
807 {
808 struct resource *res;
809 resource_t mmconf_base = EXT_CONF_BASE_ADDRESS;
** CID 1362809: Null pointer dereferences (FORWARD_NULL)
/src/soc/marvell/mvmap2315/load_validate.c: 97 in load_and_validate()
________________________________________________________________________________________________________
*** CID 1362809: Null pointer dereferences (FORWARD_NULL)
/src/soc/marvell/mvmap2315/load_validate.c: 97 in load_and_validate()
91 = (void *)read32(
92 &mvmap2315_mcu_secconfig->boot_callback_pointer);
93 u8 image_digest[32];
94
95 image_info = find_bdb_image(bdb_info, image_type);
96
>>> CID 1362809: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "image_info" to null implies that "image_info" might be null.
97 if (!image_info)
98 image_failure();
99
100 set_flash_parameters(&flash_info, image_info);
101
102 if (flash_init(bootrom_info->flash_media, MVMAP2315_MMC_CLK_MHZ))
** CID 1362808: (CONSTANT_EXPRESSION_RESULT)
/src/soc/marvell/mvmap2315/mcu.c: 34 in mvmap2315_calc_checksum()
/src/soc/marvell/mvmap2315/mcu.c: 34 in mvmap2315_calc_checksum()
________________________________________________________________________________________________________
*** CID 1362808: (CONSTANT_EXPRESSION_RESULT)
/src/soc/marvell/mvmap2315/mcu.c: 34 in mvmap2315_calc_checksum()
28 const u8 *bytes = data;
29 int i;
30
31 for (i = csum = 0; i < size; i++)
32 csum += bytes[i];
33
>>> CID 1362808: (CONSTANT_EXPRESSION_RESULT)
>>> The expression "~csum && 255" is suspicious because it performs a Boolean operation on a constant other than 0 or 1.
34 return (~csum) && 0xFF;
35 }
36
37 void mcu_irq(void)
38 {
39 printk(BIOS_DEBUG, "waiting for MCU msg...\n");
/src/soc/marvell/mvmap2315/mcu.c: 34 in mvmap2315_calc_checksum()
28 const u8 *bytes = data;
29 int i;
30
31 for (i = csum = 0; i < size; i++)
32 csum += bytes[i];
33
>>> CID 1362808: (CONSTANT_EXPRESSION_RESULT)
>>> "~csum" is always 1/true regardless of the values of its operand. This occurs as the logical first operand of "&&".
34 return (~csum) && 0xFF;
35 }
36
37 void mcu_irq(void)
38 {
39 printk(BIOS_DEBUG, "waiting for MCU msg...\n");
** CID 1362592: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________
*** CID 1362592: Null pointer dereferences (NULL_RETURNS)
/src/drivers/generic/max98357a/max98357a.c: 41 in max98357a_fill_ssdt()
35 struct acpi_dp *dp;
36
37 if (!dev->enabled || !config)
38 return;
39
40 /* Device */
>>> CID 1362592: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "acpi_device_scope(dev)" when calling "acpigen_write_scope".
41 acpigen_write_scope(acpi_device_scope(dev));
42 acpigen_write_device(acpi_device_name(dev));
43 acpigen_write_name_string("_HID", MAX98357A_ACPI_HID);
44 acpigen_write_name_integer("_UID", 0);
45 acpigen_write_name_string("_DDN", dev->chip_ops->name);
46 acpigen_write_STA(ACPI_STATUS_DEVICE_ALL_ON);
** CID 1357458: Insecure data handling (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 258 in cbfs_get_contents()
________________________________________________________________________________________________________
*** CID 1357458: Insecure data handling (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 258 in cbfs_get_contents()
252
253 void *data = m->map(m, handle->media_offset + handle->content_offset,
254 on_media_size);
255 if (data == CBFS_MEDIA_INVALID_MAP_ADDRESS)
256 return NULL;
257
>>> CID 1357458: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "*size" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
258 ret = malloc(*size);
259 if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) {
260 free(ret);
261 ret = NULL;
262 }
263
** CID 1357457: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 742 in acpi_dp_add_integer_array()
________________________________________________________________________________________________________
*** CID 1357457: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 742 in acpi_dp_add_integer_array()
736 return NULL;
737
738 for (i = 0; i < len; i++)
739 if (!acpi_dp_add_integer(dp_array, NULL, array[i]))
740 break;
741
>>> CID 1357457: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "acpi_dp_add_array(dp, dp_array)" leaks it.
742 acpi_dp_add_array(dp, dp_array);
743
744 return dp_array;
745 }
746
747 struct acpi_dp *acpi_dp_add_gpio(struct acpi_dp *dp, const char *name,
** CID 1357456: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 768 in acpi_dp_add_gpio()
________________________________________________________________________________________________________
*** CID 1357456: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 768 in acpi_dp_add_gpio()
762 /* Pin in the GPIO resource, typically zero */
763 acpi_dp_add_integer(gpio, NULL, pin);
764
765 /* Set if pin is active low */
766 acpi_dp_add_integer(gpio, NULL, active_low);
767
>>> CID 1357456: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "acpi_dp_add_array(dp, gpio)" leaks it.
768 acpi_dp_add_array(dp, gpio);
769
770 return gpio;
** CID 1357454: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
________________________________________________________________________________________________________
*** CID 1357454: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
249 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingLN;
250 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingLN;
251 NBPtr->OtherTiming = MemNOtherTimingLN;
252 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
253 NBPtr->TechBlockSwitch = MemNTechBlockSwitchLN;
254 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>> CID 1357454: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
255 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *))(memNTrainFlowControl[DDR3_TRAIN_FLOW]);
256 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
257 NBPtr->ChangeNbFrequencyWrap = MemNChangeNbFrequencyWrapLN;
258 NBPtr->AllocateC6Storage = MemNAllocateC6StorageClientNb;
259
260 MemNInitNBDataNb (NBPtr);
** CID 1357453: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
________________________________________________________________________________________________________
*** CID 1357453: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
248 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingON;
249 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingON;
250 NBPtr->OtherTiming = MemNOtherTimingON;
251 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
252 NBPtr->TechBlockSwitch = MemNTechBlockSwitchON;
253 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>> CID 1357453: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
254 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *)) memNTrainFlowControl[DDR3_TRAIN_FLOW];
255 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
256 NBPtr->PollBitField = MemNPollBitFieldNb;
257 NBPtr->BrdcstCheck = MemNBrdcstCheckON;
258 NBPtr->BrdcstSet = MemNSetBitFieldNb;
259 NBPtr->GetTrainDly = MemNGetTrainDlyNb;
** CID 1357452: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
________________________________________________________________________________________________________
*** CID 1357452: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
491 */
492 BOOLEAN
493 MemNTrainingFlowUnb (
494 IN OUT MEM_NB_BLOCK *NBPtr
495 )
496 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
497 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
498 return TRUE;
499 }
500 /*----------------------------------------------------------------------------
501 * LOCAL FUNCTIONS
502 *
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
493 */
494 BOOLEAN
495 MemNTrainingFlowUnb (
496 IN OUT MEM_NB_BLOCK *NBPtr
497 )
498 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
499 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
500 return TRUE;
501 }
502 /*----------------------------------------------------------------------------
503 * LOCAL FUNCTIONS
504 *
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
496 */
497 BOOLEAN
498 MemNTrainingFlowUnb (
499 IN OUT MEM_NB_BLOCK *NBPtr
500 )
501 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
502 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
503 return TRUE;
504 }
505 /*----------------------------------------------------------------------------
506 * LOCAL FUNCTIONS
507 *
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
573 */
574 BOOLEAN
575 MemNTrainingFlowUnb (
576 IN OUT MEM_NB_BLOCK *NBPtr
577 )
578 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
579 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
580 return TRUE;
581 }
582
583 /* -----------------------------------------------------------------------------*/
584 /**
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
489 */
490 VOID
491 MemNTrainingFlowUnb (
492 IN OUT MEM_NB_BLOCK *NBPtr
493 )
494 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
495 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
496 return;
497 }
498 /*----------------------------------------------------------------------------
499 * LOCAL FUNCTIONS
500 *
501 *----------------------------------------------------------------------------
** CID 1357451: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
________________________________________________________________________________________________________
*** CID 1357451: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
298 BOOLEAN
299 MemNTrainingFlowNb (
300 IN OUT MEM_NB_BLOCK *NBPtr
301 )
302 {
303 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
304 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
305 } else {
306 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
307 }
308 return TRUE;
309 }
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
300 BOOLEAN
301 MemNTrainingFlowNb (
302 IN OUT MEM_NB_BLOCK *NBPtr
303 )
304 {
305 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
306 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
307 } else {
308 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
309 }
310 return TRUE;
311 }
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
303 BOOLEAN
304 MemNTrainingFlowNb (
305 IN OUT MEM_NB_BLOCK *NBPtr
306 )
307 {
308 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
309 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
310 } else {
311 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
312 }
313 return TRUE;
314 }
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
296 BOOLEAN
297 MemNTrainingFlowNb (
298 IN OUT MEM_NB_BLOCK *NBPtr
299 )
300 {
301 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
302 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
303 } else {
304 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
305 }
306 return TRUE;
307 }
** CID 1357446: Control flow issues (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
________________________________________________________________________________________________________
*** CID 1357446: Control flow issues (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
368 } else { // DDR3
369 // Limit frequency for MCH
370 maxfreq = (s->max_ddr2_mhz == 800) ? MEM_CLOCK_800MHz : MEM_CLOCK_667MHz;
371 maxfreq >>= 3;
372 freq = MEM_CLOCK_1333MHz;
373 if (maxfreq) {
>>> CID 1357446: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "freq = maxfreq + 2;".
374 freq = maxfreq + 2;
375 }
376 if (freq > MEM_CLOCK_1333MHz) {
377 freq = MEM_CLOCK_1333MHz;
378 }
379
** CID 1355168: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 595 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 610 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 614 in rkclk_configure_spi()
________________________________________________________________________________________________________
*** CID 1355168: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 595 in rkclk_configure_spi()
589 case 0:
590 write32(&cru_ptr->clksel_con[59],
591 SPI_CLK_REG_VALUE(0, src_clk_div));
592 break;
593 case 1:
594 write32(&cru_ptr->clksel_con[59],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI1_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI1_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI1_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI1_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
595 SPI_CLK_REG_VALUE(1, src_clk_div));
596 break;
597 case 2:
598 write32(&cru_ptr->clksel_con[60],
599 SPI_CLK_REG_VALUE(2, src_clk_div));
600 break;
/src/soc/rockchip/rk3399/clock.c: 610 in rkclk_configure_spi()
604 SPI3_DIV_CON_MASK << SPI3_DIV_CON_SHIFT,
605 SPI3_PLL_SEL_PPLL << SPI3_PLL_SEL_SHIFT |
606 (src_clk_div - 1) << SPI3_DIV_CON_SHIFT));
607 break;
608 case 4:
609 write32(&cru_ptr->clksel_con[60],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI4_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI4_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI4_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI4_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
610 SPI_CLK_REG_VALUE(4, src_clk_div));
611 break;
612 case 5:
613 write32(&cru_ptr->clksel_con[58],
614 SPI_CLK_REG_VALUE(5, src_clk_div));
615 break;
/src/soc/rockchip/rk3399/clock.c: 614 in rkclk_configure_spi()
608 case 4:
609 write32(&cru_ptr->clksel_con[60],
610 SPI_CLK_REG_VALUE(4, src_clk_div));
611 break;
612 case 5:
613 write32(&cru_ptr->clksel_con[58],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI5_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI5_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI5_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI5_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
614 SPI_CLK_REG_VALUE(5, src_clk_div));
615 break;
616 default:
617 printk(BIOS_ERR, "do not support this spi bus\n");
618 }
619 }
** CID 1355167: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 667 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 671 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 675 in rkclk_configure_i2c()
________________________________________________________________________________________________________
*** CID 1355167: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 667 in rkclk_configure_i2c()
661 case 4:
662 write32(&pmucru_ptr->pmucru_clksel[3],
663 PMU_I2C_CLK_REG_VALUE(4, src_clk_div));
664 break;
665 case 5:
666 write32(&cru_ptr->clksel_con[61],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C5_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C5_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C5_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C5_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
667 I2C_CLK_REG_VALUE(5, src_clk_div));
668 break;
669 case 6:
670 write32(&cru_ptr->clksel_con[62],
671 I2C_CLK_REG_VALUE(6, src_clk_div));
672 break;
/src/soc/rockchip/rk3399/clock.c: 671 in rkclk_configure_i2c()
665 case 5:
666 write32(&cru_ptr->clksel_con[61],
667 I2C_CLK_REG_VALUE(5, src_clk_div));
668 break;
669 case 6:
670 write32(&cru_ptr->clksel_con[62],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C6_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C6_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C6_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C6_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
671 I2C_CLK_REG_VALUE(6, src_clk_div));
672 break;
673 case 7:
674 write32(&cru_ptr->clksel_con[63],
675 I2C_CLK_REG_VALUE(7, src_clk_div));
676 break;
/src/soc/rockchip/rk3399/clock.c: 675 in rkclk_configure_i2c()
669 case 6:
670 write32(&cru_ptr->clksel_con[62],
671 I2C_CLK_REG_VALUE(6, src_clk_div));
672 break;
673 case 7:
674 write32(&cru_ptr->clksel_con[63],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C7_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C7_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C7_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C7_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of "|".
675 I2C_CLK_REG_VALUE(7, src_clk_div));
676 break;
677 case 8:
678 write32(&pmucru_ptr->pmucru_clksel[2],
679 PMU_I2C_CLK_REG_VALUE(8, src_clk_div));
680 break;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5ZPEYdsCycHu9yQ2Jh-2BSBeVWcWXScp-2BtaPiN3TWq4VmNXIPqlYTTKzdL6pG0W9pyQecoBr3ajSlgjambHuX5VI8HH-2FnI8nQ2SXyNo4whsJpi62yBqBm3IBoJpUf1SDTy-2FKT6Mz-2F44ywi-2BSO7wOyXNUX57hBnN65iwzJ9Oou4FB1Ljn5Mwagm4w3D9ieGwKTHVM-3D
To manage Coverity Scan email notifications for "coreboot at coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4e-2BpBzwOa5gzBZa9dWpDbzfofODnVj1enK2UkK0-2BgCCqyeem8IVKvTxSaOFkteZFcnohwvb2rnYNjswGryEWCURnUk6WHU42sbOmtOjD-2Bx5c-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5ZPEYdsCycHu9yQ2Jh-2BSBeVHKKI1LWXocH4jF3HoC6wjyQKxGqIAzBaOTVKhMInUiLp1wu8p4Xhfye3wuOhHD0wAFGo9kGOYlhxS-2FGERKqKMjVNnPPEfjRRuJCo4F63iYkefGhEcLWO38NVMz0rGBp43xBSwYE3Wna-2FVfeS2i1YLHXTqW9ESnCoj2WRkcgwau0-3D
More information about the coreboot
mailing list