New Defects reported by Coverity Scan for RTEMS
scan-admin at coverity.com
scan-admin at coverity.com
Fri Oct 3 20:52:36 UTC 2025
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found with Coverity Scan.
6 new defect(s) introduced to RTEMS found with Coverity Scan.
33 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1666469: Control flow issues (MISSING_BREAK)
/contrib/cpukit/xz-embedded/linux/lib/xz/xz_dec_stream.c: 652 in dec_main()
_____________________________________________________________________________________________
*** CID 1666469: Control flow issues (MISSING_BREAK)
/contrib/cpukit/xz-embedded/linux/lib/xz/xz_dec_stream.c: 652 in dec_main()
646
647 s->sequence = SEQ_BLOCK_UNCOMPRESS;
648 #ifdef __rtems__
649 RTEMS_FALL_THROUGH();
650 #endif
651
>>> CID 1666469: Control flow issues (MISSING_BREAK)
>>> The case for value "SEQ_BLOCK_UNCOMPRESS" is not terminated by a "break" statement. Reviewer note: the fall-through into this case is annotated as intentional by the `RTEMS_FALL_THROUGH();` on lines 648-650 (under `#ifdef __rtems__`), so this should be triaged as intentional unless that macro does not expand to a fallthrough attribute Coverity recognises; adding a `break` here would change the decoder's state machine, not fix a bug.
652 case SEQ_BLOCK_UNCOMPRESS:
653 ret = dec_block(s, b);
654 if (ret != XZ_STREAM_END)
655 return ret;
656
657 s->sequence = SEQ_BLOCK_PADDING;
** CID 1666468: Integer handling issues (INTEGER_OVERFLOW)
/cpukit/libfs/src/jffs2/src/gc.c: 1173 in jffs2_garbage_collect_hole()
_____________________________________________________________________________________________
*** CID 1666468: Integer handling issues (INTEGER_OVERFLOW)
/cpukit/libfs/src/jffs2/src/gc.c: 1173 in jffs2_garbage_collect_hole()
1167 frag; frag = frag_next(frag)) {
1168 if (frag->ofs > fn->size + fn->ofs)
1169 break;
1170 if (frag->node == fn) {
1171 frag->node = new_fn;
1172 new_fn->frags++;
>>> CID 1666468: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "fn->frags--", where "fn->frags" is known to be equal to 0, underflows the type of "fn->frags--", which is type "uint32_t". Reviewer note: the wrap leaves fn->frags at UINT32_MAX, which the `if (fn->frags)` check at 1176 then treats as "old node still has frags" and triggers BUG(); so if the path Coverity assumes (frags already 0 on entry, not visible in this excerpt) is reachable, the outcome is a deterministic BUG() rather than silent corruption, and the real question is how a frag can still reference fn while its frags count is already 0.
1173 fn->frags--;
1174 }
1175 }
1176 if (fn->frags) {
1177 pr_warn("%s(): Old node still has frags!\n", __func__);
1178 BUG();
** CID 1666467: Control flow issues (MISSING_RESTORE)
/cpukit/dev/flash/flashdev.c: 1017 in rtems_flashdev_ioctl_region_sectorinfo_offset()
_____________________________________________________________________________________________
*** CID 1666467: Control flow issues (MISSING_RESTORE)
/cpukit/dev/flash/flashdev.c: 1017 in rtems_flashdev_ioctl_region_sectorinfo_offset()
1011 rtems_set_errno_and_return_minus_one( EINVAL );
1012 }
1013
1014 original_location = sector_info->location;
1015
1016 if (rtems_flashdev_get_abs_addr(flash, iop, 0, &sector_info->location) != 0) {
>>> CID 1666467: Control flow issues (MISSING_RESTORE)
>>> Value of non-local "sector_info->location" that was saved in "original_location" is not restored as it was along other paths. Reviewer note: on the failure return at 1017 the caller's ioctl argument may be left holding whatever rtems_flashdev_get_abs_addr wrote into sector_info->location (whether it writes on failure is not shown here), i.e. an absolute rather than region-relative location; restore it before returning, `sector_info->location = original_location; return -1;`, or route the failure through the same restore path used after 1022.
1017 return -1;
1018 }
1019
1020 status = rtems_flashdev_ioctl_sectorinfo_offset(flash, arg);
1021
1022 /* restore region-relative location */
** CID 1666466: (RESOURCE_LEAK)
/bsps/shared/dev/flash/jffs2_flashdev.c: 198 in jffs2_flashdev_mount()
/bsps/shared/dev/flash/jffs2_flashdev.c: 204 in jffs2_flashdev_mount()
/bsps/shared/dev/flash/jffs2_flashdev.c: 212 in jffs2_flashdev_mount()
/bsps/shared/dev/flash/jffs2_flashdev.c: 223 in jffs2_flashdev_mount()
/bsps/shared/dev/flash/jffs2_flashdev.c: 217 in jffs2_flashdev_mount()
_____________________________________________________________________________________________
*** CID 1666466: (RESOURCE_LEAK)
/bsps/shared/dev/flash/jffs2_flashdev.c: 198 in jffs2_flashdev_mount()
192 return RTEMS_NOT_IMPLEMENTED;
193 }
194
195 /* Get JEDEC ID, device_identifier is a 64bit dev_t */
196 status = get_jedec_id(fd, &jedec_id);
197 if ( status != 0 ) {
>>> CID 1666466: (RESOURCE_LEAK)
>>> Variable "file" going out of scope leaks the storage it points to. Reviewer note: the same leak is reported on five early returns in jffs2_flashdev_mount() (198, 204, 212, 217, 223); the allocation of "file" is earlier in the function and outside this excerpt. Rather than patching each return, give the function one cleanup label that frees "file" (and releases "fd" if this function opened it, which is also not visible here) and returns "status", so future early returns cannot reintroduce the leak.
198 return status;
199 }
200
201 /* Retrieve page size as sector/block size */
202 status = get_sector_size(fd, &block_size);
203 if ( status != 0 ) {
/bsps/shared/dev/flash/jffs2_flashdev.c: 204 in jffs2_flashdev_mount()
198 return status;
199 }
200
201 /* Retrieve page size as sector/block size */
202 status = get_sector_size(fd, &block_size);
203 if ( status != 0 ) {
>>> CID 1666466: (RESOURCE_LEAK)
>>> Variable "file" going out of scope leaks the storage it points to.
204 return status;
205 }
206
207 /* JFFS2 maximum FS size is one block less than 4GB */
208 max_jffs2_size -= block_size;
209
/bsps/shared/dev/flash/jffs2_flashdev.c: 212 in jffs2_flashdev_mount()
206
207 /* JFFS2 maximum FS size is one block less than 4GB */
208 max_jffs2_size -= block_size;
209
210 /* Enforce maximum JFFS2 filesystem size */
211 if (region->size > max_jffs2_size) {
>>> CID 1666466: (RESOURCE_LEAK)
>>> Variable "file" going out of scope leaks the storage it points to.
212 return RTEMS_INVALID_SIZE;
213 }
214
215 status = get_flash_type(fd, &flash_type);
216 if ( status != 0 ) {
217 return status;
/bsps/shared/dev/flash/jffs2_flashdev.c: 223 in jffs2_flashdev_mount()
217 return status;
218 }
219
220 if (flash_type == RTEMS_FLASHDEV_NAND) {
221 status = get_page_size(fd, &write_size);
222 if ( status != 0 ) {
>>> CID 1666466: (RESOURCE_LEAK)
>>> Variable "file" going out of scope leaks the storage it points to.
223 return status;
224 }
225 }
226
227 mount_data = malloc(sizeof(*mount_data));
228 if (mount_data == NULL) {
/bsps/shared/dev/flash/jffs2_flashdev.c: 217 in jffs2_flashdev_mount()
211 if (region->size > max_jffs2_size) {
212 return RTEMS_INVALID_SIZE;
213 }
214
215 status = get_flash_type(fd, &flash_type);
216 if ( status != 0 ) {
>>> CID 1666466: (RESOURCE_LEAK)
>>> Variable "file" going out of scope leaks the storage it points to.
217 return status;
218 }
219
220 if (flash_type == RTEMS_FLASHDEV_NAND) {
221 status = get_page_size(fd, &write_size);
222 if ( status != 0 ) {
** CID 1666465: Control flow issues (MISSING_BREAK)
/contrib/cpukit/xz-embedded/linux/lib/xz/xz_dec_stream.c: 702 in dec_main()
_____________________________________________________________________________________________
*** CID 1666465: Control flow issues (MISSING_BREAK)
/contrib/cpukit/xz-embedded/linux/lib/xz/xz_dec_stream.c: 702 in dec_main()
696 }
697 #endif
698
699 s->sequence = SEQ_BLOCK_START;
700 break;
701
>>> CID 1666465: Control flow issues (MISSING_BREAK)
>>> The case for value "SEQ_INDEX" is not terminated by a "break" statement. Reviewer note: the end of the SEQ_INDEX case (after line 707) is outside this excerpt; check whether it carries the same `RTEMS_FALL_THROUGH();` annotation used at 648-650 for CID 1666469. If it does, triage as intentional rather than inserting a `break`, which would alter the stream-decoder state machine.
702 case SEQ_INDEX:
703 ret = dec_index(s, b);
704 if (ret != XZ_STREAM_END)
705 return ret;
706
707 s->sequence = SEQ_INDEX_PADDING;
** CID 1666464: Null pointer dereferences (NULL_RETURNS)
_____________________________________________________________________________________________
*** CID 1666464: Null pointer dereferences (NULL_RETURNS)
/cpukit/libfs/src/jffs2/src/wbuf.c: 522 in jffs2_wbuf_recover()
516 }
517 /* We don't lock f->sem. There's a number of ways we could
518 end up in here with it already being locked, and nobody's
519 going to modify it on us anyway because we hold the
520 alloc_sem. We're only changing one ->raw pointer too,
521 which we can get away with without upsetting readers. */
>>> CID 1666464: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "f" when calling "jffs2_incore_replace_raw". Reviewer note: where "f" is obtained, and why Coverity considers it nullable, is outside this excerpt; if it comes from a lookup that can legitimately fail, this is a NULL dereference reachable from write-buffer recovery on a corrupted or partially written flash. Either guard the call (`if (f) adjust_ref = jffs2_incore_replace_raw(...)` with an explicit error path) or, if the lookup provably cannot fail here, document that invariant at the call site so the finding can be triaged.
522 adjust_ref = jffs2_incore_replace_raw(c, f, raw,
523 (void *)(buf?:c->wbuf) + (ref_offset(raw) - start));
524 } else if (unlikely(ic->state != INO_STATE_PRESENT &&
525 ic->state != INO_STATE_CHECKEDABSENT &&
526 ic->state != INO_STATE_GC)) {
527 JFFS2_ERROR("Inode #%u is in strange state %d!\n", ic->ino, ic->state);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/rtems?tab=overview