Hi,
Static analysis on linux-next with Coverity has detected an issue in
drivers/scsi/sg.c with the following recent commit:
commit b32ac463cb59e758b4560260fd168a2b4ea6e81a
Author: Douglas Gilbert <dgilbert@xxxxxxxxxxxx>
Date: Fri Feb 19 21:00:54 2021 -0500
scsi: sg: NO_DXFER move to/from kernel buffers
The analysis is as follows:
2973 sg_rq_map_kern(struct sg_request *srp, struct request_queue *q,
struct request *rqq, int rw_ind)
2974 {
2975 struct sg_scatter_hold *schp = &srp->sgat_h;
2976 struct bio *bio;
1. var_decl: Declaring variable k without initializer.
2977 int k, ln;
2978 int op_flags = 0;
2979 int num_sgat = schp->num_sgat;
2980 int dlen = schp->dlen;
2981 int pg_sz = 1 << (PAGE_SHIFT + schp->page_order);
2982 int num_segs = (1 << schp->page_order) * num_sgat;
2983 int res = 0;
2984
2. Condition _sdp, taking true branch.
3. Condition _sdp->disk, taking true branch.
4. Condition !!(_sdp && _sdp->disk), taking true branch.
5. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */)
> 4), taking true branch.
6. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */)
> 4), taking true branch.
7. Falling through to end of if statement.
2985 SG_LOG(4, srp->parentfp, "%s: dlen=%d, pg_sz=%d\n",
__func__, dlen, pg_sz);
8. Condition num_sgat <= 0, taking false branch.
2986 if (num_sgat <= 0)
2987 return 0;
9. Condition rw_ind == 1, taking true branch.
2988 if (rw_ind == WRITE)
2989 op_flags = REQ_SYNC | REQ_IDLE;
Uninitialized scalar variable
10. uninit_use: Using uninitialized value k.
2990 bio = sg_mk_kern_bio(num_sgat - k);
2991 if (!bio)
Variable k is not initialized, however it is being read when it contains
a garbage value.
Colin
