[PATCH 00/22] add support for clang-analyzer with scan-build

[PATCH 00/22] add support for clang-analyzer with scan-build

[Ahmad Fatoum]

With the changes, it's now possible to build barebox for sandbox
with allyesconfig with clang under scan-build with:

  export LLVM=-19 # or whatever your clang suffix is if you've one
  scan-build${LLVM} --use-cc=clang${LLVM} make

For this build to run to completion, a number of things that clang
treats as errors need to be resolved as well, which is included
in this series.

Ahmad Fatoum (22):
  kbuild: add support for clang-analyzer with scan-build
  soc: ti: k3-navss-ringacc: fix COMPILE_TEST link error
  treewide: fix missing headers in sandbox allyesconfig
  drivers: don't cast pointer directly to enum
  firmware: arm_scmi: smc: compile only for ARM
  video: stm32-ltdc: fix printing uninitialized variable
  usb: core: remove unnecessary comparison
  ddr_spd: fix always true sub-condition
  hush: fix make_string behavior on empty strings
  nvmem: fix clang-analyzer false-positive use of uninitialized value
  string: initialize string array in string selftest
  commands: ubsan: hide zero division in test
  crypto: ecc: fix clang-analyzer warning about NULL dereference
  mci_spi: fix possible use of uninitialized variable
  mtd: have mtd_read populate retlen always
  of: fdt: silence possible static analyzer false positive
  ubi: workaround zero division on malformed input in ubi_assert
  video: Rockchip: fix zero division in rk3588_calc_cru_cfg
  lib: scatterlist: don't assert last element for empty sglist
  scripts: omap3-usb-loader: fix clang-analyzer false-positive
  clk: analogbits: wrpll-cln28hpc: bail out before zero division
  watchdog: stm32_iwdg: bail out before zero division

 Makefile                                   |  9 +++++++++
 commands/ubsan.c                           |  2 ++
 common/ddr_spd.c                           |  6 ++----
 common/hush.c                              |  4 ++++
 crypto/ecc.c                               |  2 ++
 drivers/aiodev/lm75.c                      |  2 +-
 drivers/clk/analogbits/wrpll-cln28hpc.c    |  3 +++
 drivers/dma/ti/Kconfig                     |  6 ++++++
 drivers/dma/ti/k3-udma.c                   |  2 +-
 drivers/firmware/arm_scmi/Kconfig          |  1 +
 drivers/mci/mci_spi.c                      |  2 +-
 drivers/mfd/tps65219.c                     |  1 +
 drivers/mtd/core.c                         |  9 ++++-----
 drivers/mtd/ubi/build.c                    |  3 ++-
 drivers/net/ksz8864rmn.c                   |  2 +-
 drivers/nvmem/core.c                       |  2 +-
 drivers/of/fdt.c                           |  3 +++
 drivers/pmdomain/ti/ti-k3.c                |  1 +
 drivers/regulator/fan53555.c               |  2 +-
 drivers/regulator/tps65219-regulator.c     |  1 +
 drivers/soc/Makefile                       |  2 +-
 drivers/soc/ti/Kconfig                     | 11 +++++++++++
 drivers/soc/ti/Makefile                    |  4 +++-
 drivers/soc/ti/k3-navss-ringacc.c          |  1 +
 drivers/usb/core/common.c                  |  2 +-
 drivers/video/rockchip/rockchip_drm_vop2.c |  6 +++---
 drivers/video/stm32_ltdc.c                 |  6 ++----
 drivers/watchdog/stm32_iwdg.c              |  3 +++
 lib/scatterlist.c                          |  2 +-
 scripts/omap3-usb-loader.c                 |  9 ++++++---
 test/self/string.c                         |  2 +-
 31 files changed, 80 insertions(+), 31 deletions(-)

-- 
2.39.5

[PATCH 01/22] kbuild: add support for clang-analyzer with scan-build

[Ahmad Fatoum]

scan-build will set a number of environment variables, including CC and
CCC_ANALYZER_HTML and the build command passed as its argument.

When that build system uses CC as a compiler, scan-build will capture
the arguments used and run clang-analyzer on all these files in addition
to the normal compiler.

This doesn't current work with barebox as barebox' Kbuild ignores the CC
variable in the environment. Fix this by collecting into ENVCC the CC
environment variable and using it to override CC whenever it is set in
addition to CCC_ANALYZER_HTML.

Example usage:

  export LLVM=-19
  scan-build${LLVM} --use-cc=clang${LLVM} make

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 Makefile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Makefile b/Makefile
index f3e5b44d5566..9ef07ba34457 100644
--- a/Makefile
+++ b/Makefile
@@ -410,6 +410,8 @@ KBUILD_HOSTCXXFLAGS := -Wall -O2 $(HOST_LFS_CFLAGS) $(HOSTCXXFLAGS)
 KBUILD_HOSTLDFLAGS  := $(HOST_LFS_LDFLAGS) $(HOSTLDFLAGS)
 KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
 
+ENVCC		:= $(CC)
+
 # Make variables (CC, etc...)
 CPP		= $(CC) -E
 ifneq ($(LLVM),)
@@ -574,6 +576,13 @@ ifneq ($(findstring clang,$(CC_VERSION_TEXT)),)
 include $(srctree)/scripts/Makefile.clang
 endif
 
+# allow scan-build to override the used compiler
+ifneq ($(CCC_ANALYZER_HTML),)
+ifneq ($(ENVCC),)
+CC = $(ENVCC)
+endif
+endif
+
 ifdef config-build
 # ===========================================================================
 # *config targets only - make sure prerequisites are updated, and descend
-- 
2.39.5

[PATCH 02/22] soc: ti: k3-navss-ringacc: fix COMPILE_TEST link error

[Ahmad Fatoum]

The TI UDMA driver has a fixed dependency on the K3 RINGACC driver,
which is not necessarily satisfied during COMPILE_TEST as the latter
depends on ARCH_K3 being enabled, which is an ARM-only symbol
unavailable when compile testing on other architectures.

Fix this by selecting the code as needed.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/dma/ti/Kconfig  |  6 ++++++
 drivers/soc/Makefile    |  2 +-
 drivers/soc/ti/Kconfig  | 11 +++++++++++
 drivers/soc/ti/Makefile |  4 +++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/ti/Kconfig b/drivers/dma/ti/Kconfig
index 78755bb33a45..df705a23bff7 100644
--- a/drivers/dma/ti/Kconfig
+++ b/drivers/dma/ti/Kconfig
@@ -1,6 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Texas Instruments DMA drivers
+#
+
 config TI_K3_UDMA
         tristate "Texas Instruments UDMA support"
         depends on ARCH_K3 || COMPILE_TEST
+        select TI_K3_RINGACC
         help
           Enable support for the TI UDMA (Unified DMA) controller. This
           DMA engine is used in AM65x and j721e.
diff --git a/drivers/soc/Makefile b/drivers/soc/Makefile
index 5b6ebe53c39d..975304cd50b4 100644
--- a/drivers/soc/Makefile
+++ b/drivers/soc/Makefile
@@ -5,4 +5,4 @@ obj-$(CONFIG_KVX)		+= kvx/
 obj-$(CONFIG_ARCH_ROCKCHIP)	+= rockchip/
 obj-$(CONFIG_CPU_SIFIVE)	+= sifive/
 obj-$(CONFIG_SOC_STARFIVE)	+= starfive/
-obj-$(CONFIG_ARCH_K3)		+= ti/
+obj-y				+= ti/
diff --git a/drivers/soc/ti/Kconfig b/drivers/soc/ti/Kconfig
index 8d2dd86f3fe6..d0aadbce10c3 100644
--- a/drivers/soc/ti/Kconfig
+++ b/drivers/soc/ti/Kconfig
@@ -2,3 +2,14 @@ config K3_ESM
 	bool
 	depends on ARCH_K3 && MACH_K3_CORTEX_R5
 	default y
+
+config TI_K3_RINGACC
+	tristate "K3 Ring accelerator Sub System"
+	depends on ARCH_K3 || COMPILE_TEST
+	help
+	  Say y here to support the K3 Ring accelerator module.
+	  The Ring Accelerator (RINGACC or RA)  provides hardware acceleration
+	  to enable straightforward passing of work between a producer
+	  and a consumer. There is one RINGACC module per NAVSS on TI AM65x SoCs
+	  If unsure, say N.
+
diff --git a/drivers/soc/ti/Makefile b/drivers/soc/ti/Makefile
index 3109a4e9675c..6d6ff4dd2aaf 100644
--- a/drivers/soc/ti/Makefile
+++ b/drivers/soc/ti/Makefile
@@ -1,2 +1,4 @@
-obj-y += k3-navss-ringacc.o
+# SPDX-License-Identifier: GPL-2.0-only
+
+obj-$(CONFIG_TI_K3_RINGACC) += k3-navss-ringacc.o
 obj-$(CONFIG_K3_ESM) += k3-esm.o
-- 
2.39.5

[PATCH 03/22] treewide: fix missing headers in sandbox allyesconfig

[Ahmad Fatoum]

Building these drivers fails because of missing includes that are
transitively included on ARM, but no on sandbox.

Add the relevant includes directly to address this.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/dma/ti/k3-udma.c               | 2 +-
 drivers/mfd/tps65219.c                 | 1 +
 drivers/pmdomain/ti/ti-k3.c            | 1 +
 drivers/regulator/tps65219-regulator.c | 1 +
 drivers/soc/ti/k3-navss-ringacc.c      | 1 +
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
index 761898867d4e..e17b99de47c4 100644
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -5,9 +5,9 @@
  */
 #define pr_fmt(fmt) "udma: " fmt
 
-#include <asm/cache.h>
 #include <io.h>
 #include <malloc.h>
+#include <stdio.h>
 #include <linux/bitops.h>
 #include <linux/sizes.h>
 #include <linux/printk.h>
diff --git a/drivers/mfd/tps65219.c b/drivers/mfd/tps65219.c
index 854210537fa3..132dab7cdeec 100644
--- a/drivers/mfd/tps65219.c
+++ b/drivers/mfd/tps65219.c
@@ -12,6 +12,7 @@
 #include <linux/regmap.h>
 #include <linux/mfd/tps65219.h>
 #include <linux/device.h>
+#include <linux/kernel.h>
 
 static const struct mfd_cell tps65219_cells[] = {
 	{ .name = "tps65219-regulator", },
diff --git a/drivers/pmdomain/ti/ti-k3.c b/drivers/pmdomain/ti/ti-k3.c
index 33bffeaca001..1616e90b6230 100644
--- a/drivers/pmdomain/ti/ti-k3.c
+++ b/drivers/pmdomain/ti/ti-k3.c
@@ -9,6 +9,7 @@
 #define pr_fmt(fmt)     "ti-k3-pm-domain: " fmt
 
 #include <io.h>
+#include <stdio.h>
 #include <of_device.h>
 #include <malloc.h>
 #include <init.h>
diff --git a/drivers/regulator/tps65219-regulator.c b/drivers/regulator/tps65219-regulator.c
index da329660d688..9ec54ed77908 100644
--- a/drivers/regulator/tps65219-regulator.c
+++ b/drivers/regulator/tps65219-regulator.c
@@ -10,6 +10,7 @@
 // "J Keerthy <j-keerthy@ti.com>"
 //
 
+#include <linux/kernel.h>
 #include <linux/mfd/tps65219.h>
 #include <of_device.h>
 #include <linux/regmap.h>
diff --git a/drivers/soc/ti/k3-navss-ringacc.c b/drivers/soc/ti/k3-navss-ringacc.c
index 933e03018398..f19a37dde064 100644
--- a/drivers/soc/ti/k3-navss-ringacc.c
+++ b/drivers/soc/ti/k3-navss-ringacc.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2018 Texas Instruments Incorporated - https://www.ti.com
  */
 
+#include <linux/kernel.h>
 #include <driver.h>
 #include <xfuncs.h>
 #include <soc/ti/k3-navss-ringacc.h>
-- 
2.39.5

[PATCH 04/22] drivers: don't cast pointer directly to enum

[Ahmad Fatoum]

64-bit Sandbox builds with clang don't like the direct cast of
a 64-bit pointer to a 32-bit enum value. Add an uintptr_t in between
to loosen up the atmosphere.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/aiodev/lm75.c        | 2 +-
 drivers/net/ksz8864rmn.c     | 2 +-
 drivers/regulator/fan53555.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/aiodev/lm75.c b/drivers/aiodev/lm75.c
index 13b7ac4710c2..86eac091d8d3 100644
--- a/drivers/aiodev/lm75.c
+++ b/drivers/aiodev/lm75.c
@@ -110,7 +110,7 @@ static int lm75_probe(struct device *dev)
 	int new, ret;
 	enum lm75_type kind;
 
-	kind = (enum lm75_type)device_get_match_data(dev);
+	kind = (enum lm75_type)(uintptr_t)device_get_match_data(dev);
 	if (kind == unknown)
 		return -ENODEV;
 
diff --git a/drivers/net/ksz8864rmn.c b/drivers/net/ksz8864rmn.c
index c4c30377af83..8cec0bb02678 100644
--- a/drivers/net/ksz8864rmn.c
+++ b/drivers/net/ksz8864rmn.c
@@ -126,7 +126,7 @@ static int micrel_switch_probe(struct device *dev)
 {
 	struct micrel_switch_priv *priv;
 	int ret = 0;
-	enum ksz_type kind = (enum ksz_type)device_get_match_data(dev);
+	enum ksz_type kind = (enum ksz_type)(uintptr_t)device_get_match_data(dev);
 	uint8_t id;
 
 	if (kind == unknown)
diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
index f73511b36b20..2df0d2410a03 100644
--- a/drivers/regulator/fan53555.c
+++ b/drivers/regulator/fan53555.c
@@ -384,7 +384,7 @@ static int fan53555_regulator_probe(struct device *dev)
 
 	di = xzalloc(sizeof(*di));
 
-	di->vendor = (enum fan53555_vendor)device_get_match_data(dev);
+	di->vendor = (enum fan53555_vendor)(uintptr_t)device_get_match_data(dev);
 
 	di->rdev.desc = &di->rdesc;
 	di->rdev.dev = dev;
-- 
2.39.5

[PATCH 05/22] firmware: arm_scmi: smc: compile only for ARM

[Ahmad Fatoum]

The SMC transport driver references ARM register names in C code via the
register asm syntax and thus fails to build on other architectures.

Mark it ARM-only to reflect this. The remainder of the ARM SCMI support
can built with COMPILE_TEST normally.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/firmware/arm_scmi/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/firmware/arm_scmi/Kconfig b/drivers/firmware/arm_scmi/Kconfig
index 29b0152901ad..3405c6b3e9e3 100644
--- a/drivers/firmware/arm_scmi/Kconfig
+++ b/drivers/firmware/arm_scmi/Kconfig
@@ -58,6 +58,7 @@ config ARM_SCMI_TRANSPORT_OPTEE
 
 config ARM_SCMI_TRANSPORT_SMC
 	bool "SCMI transport based on SMC"
+	depends on ARM
 	select ARM_SMCCC
 	select ARM_SCMI_HAVE_TRANSPORT
 	select ARM_SCMI_HAVE_SHMEM
-- 
2.39.5

[PATCH 06/22] video: stm32-ltdc: fix printing uninitialized variable

[Ahmad Fatoum]

ret is not initialized on failure to get the clock.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/video/stm32_ltdc.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/video/stm32_ltdc.c b/drivers/video/stm32_ltdc.c
index 6b91ee18b962..7ebd24d6d908 100644
--- a/drivers/video/stm32_ltdc.c
+++ b/drivers/video/stm32_ltdc.c
@@ -269,10 +269,8 @@ static int ltdc_probe(struct device *dev)
 	hw->regs = IOMEM(iores->start);
 
 	hw->pclk = clk_get(dev, NULL);
-	if (IS_ERR(hw->pclk)) {
-		dev_err(dev, "peripheral clock get error %d\n", ret);
-		return PTR_ERR(hw->pclk);
-	}
+	if (IS_ERR(hw->pclk))
+		return dev_errp_probe(dev, hw->pclk, "peripheral clock get\n");
 
 	for_each_available_child_of_node(dev->of_node, np) {
 		struct ltdc_fb *priv;
-- 
2.39.5

[PATCH 07/22] usb: core: remove unnecessary comparison

[Ahmad Fatoum]

The GCC default is to treat enums without negative values in the
enumerations as an unsigned int. clang seems to follow suit and
clang-analyzer warns that speed < 0 can never happen.

Therefore, drop this superfluous check.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/usb/core/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/common.c b/drivers/usb/core/common.c
index 61ccc130244b..f255f97cdd4d 100644
--- a/drivers/usb/core/common.c
+++ b/drivers/usb/core/common.c
@@ -13,7 +13,7 @@ static const char *const speed_names[] = {
 
 const char *usb_speed_string(enum usb_device_speed speed)
 {
-	if (speed < 0 || speed >= ARRAY_SIZE(speed_names))
+	if (speed >= ARRAY_SIZE(speed_names))
 		speed = USB_SPEED_UNKNOWN;
 	return speed_names[speed];
 }
-- 
2.39.5

[PATCH 08/22] ddr_spd: fix always true sub-condition

[Ahmad Fatoum]

The last subcondition is always true, because it compares the left-hand
side against two different values and ORs the result.

I think the intention of the code is to avoid printing bogus serial
numbers that are either all zeroes or all ones, so let's check for that.

This is a debug print, so there is no fallout expected if the guess
turns out wrong..

Cc: Denis Orlov <denorl2009@gmail.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/ddr_spd.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/common/ddr_spd.c b/common/ddr_spd.c
index b7693f3fd25c..7ca8e9887a55 100644
--- a/common/ddr_spd.c
+++ b/common/ddr_spd.c
@@ -927,10 +927,8 @@ static void ddr3_spd_print(uint8_t *record)
 	    && !((s->mdate[0] == 0x0) && (s->mdate[1] == 0x0)))
 		spd_print_manufacturing_date(s->mdate[0], s->mdate[1]);
 
-	if ((s->sernum[0] != s->sernum[1])
-	    && (s->sernum[0] != s->sernum[2])
-	    && (s->sernum[1] != s->sernum[3])
-	    && ((s->sernum[0] != 0xff) || (s->sernum[0] != 0x0)))
+	if (memcmp(s->sernum, "\xFF\xFF\xFF\xFF", 4) &&
+	    memcmp(s->sernum, "\x00\x00\x00\x00", 4))
 		printf("%-48s 0x%02X%02X%02X%02X\n", "Assembly Serial Number",
 		       s->sernum[0], s->sernum[1], s->sernum[2], s->sernum[3]);
 
-- 
2.39.5

[PATCH 09/22] hush: fix make_string behavior on empty strings

[Ahmad Fatoum]

clang-analyzer believes that an empty string could be passed here,
leading to a NULL dereference.

Avoid this situation by allocating a len (2 byte) string instead
to hold "\n" as value in that case.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/hush.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/common/hush.c b/common/hush.c
index 608c0e4937c1..3a213fc54591 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -1885,6 +1885,10 @@ static char * make_string(char ** inp)
 		if (p != inp[n])
 			free(p);
 	}
+
+	if (!str)
+		str = xzalloc(len);
+
 	len = strlen(str);
 	*(str + len) = '\n';
 	*(str + len + 1) = '\0';
-- 
2.39.5

[PATCH 10/22] nvmem: fix clang-analyzer false-positive use of uninitialized value

[Ahmad Fatoum]

clang-analyzer believes len can be returned uninitialized, but reading
the code this seems impossible. Anyways, let's initialize it by zero to
be able to focus on the more reports.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/nvmem/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index 4e69b3fa582b..38dfb2cf2d1f 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -692,7 +692,7 @@ ssize_t nvmem_device_cell_read(struct nvmem_device *nvmem,
 {
 	struct nvmem_cell cell;
 	int rc;
-	ssize_t len;
+	ssize_t len = 0;
 
 	if (!nvmem)
 		return -EINVAL;
-- 
2.39.5

[PATCH 11/22] string: initialize string array in string selftest

[Ahmad Fatoum]

The array members in tokens are passed to strverscmp, which doesn't do a
NULL-check, which is prone to happen with malformed test input.

Static analysis warns about this, so initialize it to empty strings.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/self/string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/self/string.c b/test/self/string.c
index d33e2d7918ca..542277a09797 100644
--- a/test/self/string.c
+++ b/test/self/string.c
@@ -37,7 +37,7 @@ static int strverscmp_assert_one(const char *lhs, const char *rhs, int expect)
 
 static int __strverscmp_assert(char *expr)
 {
-	const char *token, *tokens[3];
+	const char *token, *tokens[3] = { "", "", "" };
 	int expect = -42;
 	int i = 0;
 
-- 
2.39.5

[PATCH 12/22] commands: ubsan: hide zero division in test

[Ahmad Fatoum]

clang-analyzer pierces the volatile veil and complains that
test_ubsan_divrem_overflow() does a division by zero.

The division is intentional to exercise UBSAN runtime detection of the
condition, so let's hide the fact that val2 is zero using
OPTIMIZER_HIDE_VAR.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 commands/ubsan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/commands/ubsan.c b/commands/ubsan.c
index 4a9716139c4b..634ab2bc60b2 100644
--- a/commands/ubsan.c
+++ b/commands/ubsan.c
@@ -43,6 +43,8 @@ static void test_ubsan_divrem_overflow(void)
 	volatile int val = 16;
 	volatile int val2 = 0;
 
+	OPTIMIZER_HIDE_VAR(&val2);
+
 	val /= val2;
 }
 
-- 
2.39.5

[PATCH 13/22] crypto: ecc: fix clang-analyzer warning about NULL dereference

[Ahmad Fatoum]

clang-analyzer believes that point->x can dereference a NULL pointer.
I suspect that's not possible, because of the arguments the function is
called with, but let's play it safe and assert that point is non-NULL
before dereferencing.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 crypto/ecc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/ecc.c b/crypto/ecc.c
index a0ab962262ca..d91948bddbde 100644
--- a/crypto/ecc.c
+++ b/crypto/ecc.c
@@ -1434,6 +1434,8 @@ void ecc_point_mult_shamir(const struct ecc_point *result,
 	idx |= (!!vli_test_bit(u2, i)) << 1;
 	point = points[idx];
 
+	BUG_ON(!point);
+
 	vli_set(rx, point->x, ndigits);
 	vli_set(ry, point->y, ndigits);
 	vli_clear(z + 1, ndigits - 1);
-- 
2.39.5

[PATCH 14/22] mci_spi: fix possible use of uninitialized variable

[Ahmad Fatoum]

When called with a zero bcnt, r1 is used uninitialized.
Initialize it to an error in that case.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/mci/mci_spi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mci/mci_spi.c b/drivers/mci/mci_spi.c
index 41d8c25e2736..657ce9e42ee0 100644
--- a/drivers/mci/mci_spi.c
+++ b/drivers/mci/mci_spi.c
@@ -137,7 +137,7 @@ static uint mmc_spi_readdata(struct mmc_spi_host *host, void *xbuf,
 				uint32_t bcnt, uint32_t bsize)
 {
 	uint8_t *buf = xbuf;
-	uint8_t r1;
+	uint8_t r1 = R1_SPI_ERROR;
 	uint16_t crc;
 	int i;
 
-- 
2.39.5

[PATCH 15/22] mtd: have mtd_read populate retlen always

[Ahmad Fatoum]

We currently populate retlen only on successful reads of more than zero
bytes, while Linux function with the same name populates it
unconditionally.

Mimic the Linux API for compatibility.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/mtd/core.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/mtd/core.c b/drivers/mtd/core.c
index 562443275fe6..c75c52dcb3a5 100644
--- a/drivers/mtd/core.c
+++ b/drivers/mtd/core.c
@@ -375,16 +375,15 @@ int mtd_read(struct mtd_info *mtd, loff_t from, size_t len, size_t *retlen,
 		.len = len,
 		.datbuf = buf,
 	};
-	int ret;
+	int ret = 0;
 
 	if (from < 0 || from >= mtd->size || len > mtd->size - from)
 		return -EINVAL;
-	if (!len)
-		return 0;
 
-	ret = mtd_read_oob(mtd, from, &ops);
+	if (len)
+		ret = mtd_read_oob(mtd, from, &ops);
+
 	*retlen = ops.retlen;
-
 	return ret;
 }
 
-- 
2.39.5

[PATCH 16/22] of: fdt: silence possible static analyzer false positive

[Ahmad Fatoum]

clang-analyzer warns that aligning up newsize may end up causing an
overflow. Let's stop well before that by bailing out if the unaligned
size itself wouldn't fit into a malloc allocation anyway.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/of/fdt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 6c554af61f6f..43bb73b7a2df 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -378,6 +378,9 @@ static void *memalign_realloc(void *orig, size_t oldsize, size_t newsize)
 	int align;
 	void *newbuf;
 
+	if (newsize > MALLOC_MAX_SIZE)
+		return NULL;
+
 	/*
 	 * ARM Linux uses a single 1MiB section (with 1MiB alignment)
 	 * for mapping the devicetree, so we are not allowed to cross
-- 
2.39.5

[PATCH 17/22] ubi: workaround zero division on malformed input in ubi_assert

[Ahmad Fatoum]

A zero hdrs_min_io_size is a bug and will trigger a ubi_assert.
These are critical events, but don't panic the system.

The last ubi_assert will trigger a division by zero. Add a zero check
into it, so it doesn't overlap with the first assert.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/mtd/ubi/build.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 94b4231aadc4..8bb1f0cbb901 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -320,7 +320,8 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
 
 	ubi_assert(ubi->hdrs_min_io_size > 0);
 	ubi_assert(ubi->hdrs_min_io_size <= ubi->min_io_size);
-	ubi_assert(ubi->min_io_size % ubi->hdrs_min_io_size == 0);
+	ubi_assert(ubi->hdrs_min_io_size &&
+		   ubi->min_io_size % ubi->hdrs_min_io_size == 0);
 
 	ubi->max_write_size = ubi->mtd->writebufsize;
 	/*
-- 
2.39.5

[PATCH 18/22] video: Rockchip: fix zero division in rk3588_calc_cru_cfg

[Ahmad Fatoum]

This was detected by clang-analyzer and I don't understand how that
function could have ever worked, because it's running into the zero
division in the "successful" code path.

Peeking at rk3568_set_intf_mux, the CRTC clock is passed by the caller
in barebox, so let's do the same for rk3588_calc_cru_cfg.

Fixes: c8c0833beb77 ("video: Rockchip: Add VOP2 driver")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/video/rockchip/rockchip_drm_vop2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/rockchip/rockchip_drm_vop2.c b/drivers/video/rockchip/rockchip_drm_vop2.c
index 3a1c951ec7e4..f15ef1b57bf5 100644
--- a/drivers/video/rockchip/rockchip_drm_vop2.c
+++ b/drivers/video/rockchip/rockchip_drm_vop2.c
@@ -743,10 +743,10 @@ static unsigned long rk3588_calc_dclk(unsigned long child_clk, unsigned long max
  */
 static unsigned long rk3588_calc_cru_cfg(struct vop2_video_port *vp, int id,
 					 int *dclk_core_div, int *dclk_out_div,
-					 int *if_pixclk_div, int *if_dclk_div)
+					 int *if_pixclk_div, int *if_dclk_div,
+					 u32 crtc_clock)
 {
 	struct vop2 *vop2 = vp->vop2;
-	u32 crtc_clock = 0;
 	unsigned long v_pixclk = crtc_clock * 1000LL; /* video timing pixclk */
 	unsigned long dclk_core_rate = v_pixclk >> 2;
 	unsigned long dclk_rate = v_pixclk;
@@ -856,7 +856,7 @@ static unsigned long rk3588_set_intf_mux(struct vop2_video_port *vp, int id, u32
 	u32 die, dip, div, vp_clk_div, val;
 
 	clock = rk3588_calc_cru_cfg(vp, id, &dclk_core_div, &dclk_out_div,
-				    &if_pixclk_div, &if_dclk_div);
+				    &if_pixclk_div, &if_dclk_div, clock);
 	if (!clock)
 		return 0;
 
-- 
2.39.5

[PATCH] fixup! video: Rockchip: fix zero division in rk3588_calc_cru_cfg

[Ahmad Fatoum]

GCC in CI detects that a number of arguments to rk3588_calc_cru_cfg()
may be passed to ilog2() uninitialized. This issue also exists in the
kernel:

 - if_pixclk_div, if_dclk_div are seemingly unused by rk3588_set_intf_mux
   in cases where an uninitialized value is passed to ilog2

 - dclk_out_div is used unconditionally, but is uninitialized in the
   case of eDP and HDMI.

This will be reported upstream, but until it's resolved, initialize the
values to zero (ilog2(0) == 0 in Linux/barebox).

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/video/rockchip/rockchip_drm_vop2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/rockchip/rockchip_drm_vop2.c b/drivers/video/rockchip/rockchip_drm_vop2.c
index f15ef1b57bf5..e45492360d6f 100644
--- a/drivers/video/rockchip/rockchip_drm_vop2.c
+++ b/drivers/video/rockchip/rockchip_drm_vop2.c
@@ -852,7 +852,7 @@ static unsigned long rk3588_set_intf_mux(struct vop2_video_port *vp, int id, u32
 					 unsigned int clock)
 {
 	struct vop2 *vop2 = vp->vop2;
-	int dclk_core_div, dclk_out_div, if_pixclk_div, if_dclk_div;
+	int dclk_core_div, dclk_out_div = 0, if_pixclk_div = 0, if_dclk_div = 0;
 	u32 die, dip, div, vp_clk_div, val;
 
 	clock = rk3588_calc_cru_cfg(vp, id, &dclk_core_div, &dclk_out_div,
-- 
2.39.5

Re: [PATCH 18/22] video: Rockchip: fix zero division in rk3588_calc_cru_cfg

[Sascha Hauer]

On Thu, Mar 13, 2025 at 08:34:41AM +0100, Ahmad Fatoum wrote:
> This was detected by clang-analyzer and I don't understand how that
> function could have ever worked, because it's running into the zero
> division in the "successful" code path.

The driver is only tested on rk3568, so this code path likely never
executed.

sascha

> 
> Peeking at rk3568_set_intf_mux, the CRTC clock is passed by the caller
> in barebox, so let's do the same for rk3588_calc_cru_cfg.
> 
> Fixes: c8c0833beb77 ("video: Rockchip: Add VOP2 driver")
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
>  drivers/video/rockchip/rockchip_drm_vop2.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/video/rockchip/rockchip_drm_vop2.c b/drivers/video/rockchip/rockchip_drm_vop2.c
> index 3a1c951ec7e4..f15ef1b57bf5 100644
> --- a/drivers/video/rockchip/rockchip_drm_vop2.c
> +++ b/drivers/video/rockchip/rockchip_drm_vop2.c
> @@ -743,10 +743,10 @@ static unsigned long rk3588_calc_dclk(unsigned long child_clk, unsigned long max
>   */
>  static unsigned long rk3588_calc_cru_cfg(struct vop2_video_port *vp, int id,
>  					 int *dclk_core_div, int *dclk_out_div,
> -					 int *if_pixclk_div, int *if_dclk_div)
> +					 int *if_pixclk_div, int *if_dclk_div,
> +					 u32 crtc_clock)
>  {
>  	struct vop2 *vop2 = vp->vop2;
> -	u32 crtc_clock = 0;
>  	unsigned long v_pixclk = crtc_clock * 1000LL; /* video timing pixclk */
>  	unsigned long dclk_core_rate = v_pixclk >> 2;
>  	unsigned long dclk_rate = v_pixclk;
> @@ -856,7 +856,7 @@ static unsigned long rk3588_set_intf_mux(struct vop2_video_port *vp, int id, u32
>  	u32 die, dip, div, vp_clk_div, val;
>  
>  	clock = rk3588_calc_cru_cfg(vp, id, &dclk_core_div, &dclk_out_div,
> -				    &if_pixclk_div, &if_dclk_div);
> +				    &if_pixclk_div, &if_dclk_div, clock);
>  	if (!clock)
>  		return 0;
>  
> -- 
> 2.39.5
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[PATCH 19/22] lib: scatterlist: don't assert last element for empty sglist

[Ahmad Fatoum]

A BUG_ON in sg_last tries to verify that the last element in a scatter
gather list is indeed marked as such in its flags.

clang-analyzer warns that this would make the function fail for an empty
list, so let's add a NULL-check into the BUG_ON.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 lib/scatterlist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index f7b06013a552..6a4e1e91f8f1 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -105,7 +105,7 @@ struct scatterlist *sg_last(struct scatterlist *sgl, unsigned int nents)
 	for_each_sg(sgl, sg, nents, i)
 		ret = sg;
 
-	BUG_ON(!sg_is_last(ret));
+	BUG_ON(ret && !sg_is_last(ret));
 	return ret;
 }
 EXPORT_SYMBOL(sg_last);
-- 
2.39.5

[PATCH 20/22] scripts: omap3-usb-loader: fix clang-analyzer false-positive

[Ahmad Fatoum]

clang-analyzer has a heuristic to determine mismatched allocations.
It flags allocating bufsize of chars and assigned it to a pointer
to uint32, although it's ultimately correct.

Let's silence the warning by using the pointee type instead.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 scripts/omap3-usb-loader.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/omap3-usb-loader.c b/scripts/omap3-usb-loader.c
index 38cdbfac939e..192e42689bb2 100644
--- a/scripts/omap3-usb-loader.c
+++ b/scripts/omap3-usb-loader.c
@@ -424,15 +424,18 @@ static int transfer_first_stage(libusb_device_handle * handle, struct arg_state
 
 static int transfer_other_files(libusb_device_handle *handle, struct arg_state *args)
 {
-	uint32_t *buffer = NULL;
-	int bufsize = 128 * sizeof (*buffer);
+	uint32_t *buffer;
+	int bufsize;
 	int numfailures = 0;	/* build in some reliablity */
 	int maxfailures = 3;
 	int transLen = 0;
 	int curfile = 1;	/* skip the first file */
 	size_t len;
 
-	buffer = calloc(bufsize, sizeof(unsigned char));
+	buffer = calloc(128, sizeof(*buffer));
+	if (!buffer)
+		goto fail;
+	bufsize = 128 * sizeof (*buffer);
 
 	/* handle the state machine for the X-Loader */
 	while (curfile < args->numfiles) {
-- 
2.39.5

[PATCH 21/22] clk: analogbits: wrpll-cln28hpc: bail out before zero division

[Ahmad Fatoum]

clang-analyzer reports that a zero division may be possible while
computing post_divr_freq. Bail out early instead by returning
-ERANGE.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/clk/analogbits/wrpll-cln28hpc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/clk/analogbits/wrpll-cln28hpc.c b/drivers/clk/analogbits/wrpll-cln28hpc.c
index 1aafaf2e6502..a9231fbf8188 100644
--- a/drivers/clk/analogbits/wrpll-cln28hpc.c
+++ b/drivers/clk/analogbits/wrpll-cln28hpc.c
@@ -301,6 +301,9 @@ int wrpll_configure_for_rate(struct wrpll_cfg *c, u32 target_rate,
 	c->divr = best_r - 1;
 	c->divf = best_f - 1;
 
+	if (!best_r)
+		return -ERANGE;
+
 	post_divr_freq = div_u64(parent_rate, best_r);
 
 	/* Pick the best PLL jitter filter */
-- 
2.39.5

[PATCH 22/22] watchdog: stm32_iwdg: bail out before zero division

[Ahmad Fatoum]

clang-analyzer reports that a zero division may be possible while
computing presc. This can only happen if the watchdog is driven by a
non-zero clock rate under 4096Hz. This won't happen in practice, but
clang-analyzer doesn't know that, so just add a check to silence it.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/watchdog/stm32_iwdg.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/watchdog/stm32_iwdg.c b/drivers/watchdog/stm32_iwdg.c
index 6ac9e7d56e9e..c47a8cac15ec 100644
--- a/drivers/watchdog/stm32_iwdg.c
+++ b/drivers/watchdog/stm32_iwdg.c
@@ -62,6 +62,9 @@ static int stm32_iwdg_start(struct stm32_iwdg *wd, unsigned int timeout)
 
 	/* The prescaler is align on power of 2 and start at 2 ^ PR_SHIFT. */
 	presc = roundup_pow_of_two(presc);
+	if (!presc)
+		return -ERANGE;
+
 	iwdg_pr = presc <= 1 << PR_SHIFT ? 0 : ilog2(presc) - PR_SHIFT;
 	iwdg_rlr = ((timeout * wd->rate) / presc) - 1;
 
-- 
2.39.5

Re: [PATCH 00/22] add support for clang-analyzer with scan-build

[Sascha Hauer]

On Thu, 13 Mar 2025 08:34:23 +0100, Ahmad Fatoum wrote:
> With the changes, it's now possible to build barebox for sandbox
> with allyesconfig with clang under scan-build with:
> 
>   export LLVM=-19 # or whatever your clang suffix is if you've one
>   scan-build${LLVM} --use-cc=clang${LLVM} make
> 
> For this build to run to completion, a number of things that clang
> treats as errors need to be resolved as well, which is included
> in this series.
> 
> [...]

Applied, thanks!

[01/22] kbuild: add support for clang-analyzer with scan-build
        https://git.pengutronix.de/cgit/barebox/commit/?id=da3ab7931a95 (link may not be stable)
[02/22] soc: ti: k3-navss-ringacc: fix COMPILE_TEST link error
        https://git.pengutronix.de/cgit/barebox/commit/?id=8644f442f72e (link may not be stable)
[03/22] treewide: fix missing headers in sandbox allyesconfig
        https://git.pengutronix.de/cgit/barebox/commit/?id=38a389121b87 (link may not be stable)
[04/22] drivers: don't cast pointer directly to enum
        https://git.pengutronix.de/cgit/barebox/commit/?id=31fb717b4e27 (link may not be stable)
[05/22] firmware: arm_scmi: smc: compile only for ARM
        https://git.pengutronix.de/cgit/barebox/commit/?id=faf4a5da3f86 (link may not be stable)
[06/22] video: stm32-ltdc: fix printing uninitialized variable
        https://git.pengutronix.de/cgit/barebox/commit/?id=9c0ff56016a2 (link may not be stable)
[07/22] usb: core: remove unnecessary comparison
        https://git.pengutronix.de/cgit/barebox/commit/?id=049e56755631 (link may not be stable)
[08/22] ddr_spd: fix always true sub-condition
        https://git.pengutronix.de/cgit/barebox/commit/?id=2ad7e02e24c9 (link may not be stable)
[09/22] hush: fix make_string behavior on empty strings
        https://git.pengutronix.de/cgit/barebox/commit/?id=c884ea565a51 (link may not be stable)
[10/22] nvmem: fix clang-analyzer false-positive use of uninitialized value
        https://git.pengutronix.de/cgit/barebox/commit/?id=2e02e583f7c7 (link may not be stable)
[11/22] string: initialize string array in string selftest
        https://git.pengutronix.de/cgit/barebox/commit/?id=c807c954e141 (link may not be stable)
[12/22] commands: ubsan: hide zero division in test
        https://git.pengutronix.de/cgit/barebox/commit/?id=cb7953532da2 (link may not be stable)
[13/22] crypto: ecc: fix clang-analyzer warning about NULL dereference
        https://git.pengutronix.de/cgit/barebox/commit/?id=c7a1df25a191 (link may not be stable)
[14/22] mci_spi: fix possible use of uninitialized variable
        https://git.pengutronix.de/cgit/barebox/commit/?id=8a8f51a2f8a4 (link may not be stable)
[15/22] mtd: have mtd_read populate retlen always
        https://git.pengutronix.de/cgit/barebox/commit/?id=9d7580eb87bc (link may not be stable)
[16/22] of: fdt: silence possible static analyzer false positive
        https://git.pengutronix.de/cgit/barebox/commit/?id=44377ec41732 (link may not be stable)
[17/22] ubi: workaround zero division on malformed input in ubi_assert
        https://git.pengutronix.de/cgit/barebox/commit/?id=9e52dd5668eb (link may not be stable)
[18/22] video: Rockchip: fix zero division in rk3588_calc_cru_cfg
        https://git.pengutronix.de/cgit/barebox/commit/?id=fdd1c5bac55f (link may not be stable)
[19/22] lib: scatterlist: don't assert last element for empty sglist
        https://git.pengutronix.de/cgit/barebox/commit/?id=5a7f10a4b865 (link may not be stable)
[20/22] scripts: omap3-usb-loader: fix clang-analyzer false-positive
        https://git.pengutronix.de/cgit/barebox/commit/?id=06e3e7f29b98 (link may not be stable)
[21/22] clk: analogbits: wrpll-cln28hpc: bail out before zero division
        https://git.pengutronix.de/cgit/barebox/commit/?id=66daf4f16210 (link may not be stable)
[22/22] watchdog: stm32_iwdg: bail out before zero division
        https://git.pengutronix.de/cgit/barebox/commit/?id=8a4768c4ed82 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>