MFC r311160, r311210, r311288, r311292, r311298, r311340

r311160:
misc minor fixes in mpr(4)

sys/dev/mpr/mpr_sas.c
	* Fix a potential null pointer dereference (CID 1305731)
	* Check for overrun of the ccb_scsiio.cdb_io.cdb_bytes buffer (CID
	  1211934)

sys/dev/mpr/mpr_sas_lsi.c
	* Nullify a dangling pointer in mprsas_get_sata_identify
	* Fix a memory leak in mprsas_SSU_to_SATA_devices (CID 1211935)

Reported by:	Coverity (partially)
CID:		1305731 1211934 1211935
Reviewed by:	slm
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D8880

r311210:
Quell Coverity for diskinfo(8)

* CID 1198994: Don't run the speed disk on a disk with no sectors
* CID 1011442: Don't call close(2) if open(2) fails
* CID 1011161: Use snprintf instead of sprintf
* CID 1009825: Check the return value of lseek

Reported by:	Coverity
CID:		1198994 1011442 1011161 1009825
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp

r311288:
Delete dead code in chat(8)

It's always been dead, ever since first import in 1994.  It's still dead in
OpenBSD's version, too.

Reported by:	Coverity
CID:		270586
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp

r311292:
Remove dead code in rpc_parse.c

It's been dead ever since it was imported from TI-RPC in 1995.  The dead
code is still present in Illumos today, but was removed from NetBSD in 2006.

Reported by:	Coverity
CID:		270097
Obtained from:	NetBSD
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp

r311298:
Remove dead code in dhclient(8)

The offending code has been dead ever since the import from OpenBSD in
r195805.  OpenBSD later deleted that entire function.

Reported by:	Coverity
CID:		500059
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp

r311340:
Misc Coverity fixes for tail(1)

CID 1006402:	Initialize stack variable
CID 271580:	Don't leak memory when ENOMEM.

Reported by:	Coverity
CID:		271580 1006402
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp

7 files changed, 32 insertions, 37 deletions

diff --git a/sbin/dhclient/dispatch.c b/sbin/dhclient/dispatch.c
index 3317ceb..d493717 100644
--- a/sbin/dhclient/dispatch.c
+++ b/sbin/dhclient/dispatch.c
@@ -453,16 +453,12 @@ add_protocol(char *name, int fd, void (*handler)(struct protocol *),
 void
 remove_protocol(struct protocol *proto)
 {
-	struct protocol *p, *next, *prev;
+	struct protocol *p, *next;
 
-	prev = NULL;
 	for (p = protocols; p; p = next) {
 		next = p->next;
 		if (p == proto) {
-			if (prev)
-				prev->next = p->next;
-			else
-				protocols = p->next;
+			protocols = p->next;
 			free(p);
 		}
 	}
diff --git a/sys/dev/mpr/mpr_sas.c b/sys/dev/mpr/mpr_sas.c
index d44e502..c9d83d8 100644
--- a/sys/dev/mpr/mpr_sas.c
+++ b/sys/dev/mpr/mpr_sas.c
@@ -1846,8 +1846,12 @@ mprsas_action_scsiio(struct mprsas_softc *sassc, union ccb *ccb)
 
 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
-	else
+	else {
+		KASSERT(csio->cdb_len <= IOCDBLEN,
+		    ("cdb_len %d is greater than IOCDBLEN but CAM_CDB_POINTER is not set",
+		     csio->cdb_len));
 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
+	}
 	req->IoFlags = htole16(csio->cdb_len);
 
 	/*
@@ -2429,6 +2433,7 @@ mprsas_scsiio_complete(struct mpr_softc *sc, struct mpr_command *cm)
 		 * driver is being shutdown.
 		 */
 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
+		    (csio->data_ptr != NULL) &&
 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
 		    (sc->mapping_table[target_id].device_info &
 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&
diff --git a/sys/dev/mpr/mpr_sas_lsi.c b/sys/dev/mpr/mpr_sas_lsi.c
index 640338a..aeb9864 100644
--- a/sys/dev/mpr/mpr_sas_lsi.c
+++ b/sys/dev/mpr/mpr_sas_lsi.c
@@ -1056,6 +1056,7 @@ out:
 		mpr_free_command(sc, cm);
 	else if (error == 0)
 		error = EWOULDBLOCK;
+	cm->cm_data = NULL;
 	free(buffer, M_MPR);
 	return (error);
 }
@@ -1196,18 +1197,18 @@ mprsas_SSU_to_SATA_devices(struct mpr_softc *sc)
 			continue;
 		}
 
-		ccb = xpt_alloc_ccb_nowait();
-		if (ccb == NULL) {
-			mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop "
-			    "unit.\n");
-			return;
-		}
-
 		/*
 		 * The stop_at_shutdown flag will be set if this device is
 		 * a SATA direct-access end device.
 		 */
 		if (target->stop_at_shutdown) {
+			ccb = xpt_alloc_ccb_nowait();
+			if (ccb == NULL) {
+				mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop "
+				    "unit.\n");
+				return;
+			}
+
 			if (xpt_create_path(&ccb->ccb_h.path, xpt_periph,
 			    pathid, targetid, CAM_LUN_WILDCARD) !=
 			    CAM_REQ_CMP) {
diff --git a/usr.bin/chat/chat.c b/usr.bin/chat/chat.c
index 107d951..059aa24 100644
--- a/usr.bin/chat/chat.c
+++ b/usr.bin/chat/chat.c
@@ -1173,7 +1173,7 @@ int
 get_string(char *string)
 {
     char temp[STR_LEN];
-    int c, printed = 0;
+    int c;
     size_t len, minlen;
     char *s = temp, *end = s + STR_LEN;
     char *logged = temp;
@@ -1306,13 +1306,6 @@ get_string(char *string)
 
     alarm(0);
     
-    if (verbose && printed) {
-	if (alarmed)
-	    chat_logf(" -- read timed out");
-	else
-	    chat_logf(" -- read failed: %m");
-    }
-
     exit_code = 3;
     alarmed   = 0;
     return (0);
diff --git a/usr.bin/rpcgen/rpc_parse.c b/usr.bin/rpcgen/rpc_parse.c
index 69392b7..9f88033 100644
--- a/usr.bin/rpcgen/rpc_parse.c
+++ b/usr.bin/rpcgen/rpc_parse.c
@@ -290,7 +290,6 @@ def_union(definition *defp)
 	declaration dec;
 	case_list *cases;
 	case_list **tailp;
-	int flag;
 
 	defp->def_kind = DEF_UNION;
 	scan(TOK_IDENT, &tok);
@@ -309,7 +308,6 @@ def_union(definition *defp)
 		cases->case_name = tok.str;
 		scan(TOK_COLON, &tok);
 		/* now peek at next token */
-		flag = 0;
 		if (peekscan(TOK_CASE, &tok)){
 			do {
 				scan2(TOK_IDENT, TOK_CHARCONST, &tok);
@@ -322,14 +320,6 @@ def_union(definition *defp)
 				scan(TOK_COLON, &tok);
 			} while (peekscan(TOK_CASE, &tok));
 		}
-		else
-			if (flag)
-			{
-
-				*tailp = cases;
-				tailp = &cases->next;
-				cases = XALLOC(case_list);
-			}
 
 		get_declaration(&dec, DEF_UNION);
 		cases->case_decl = dec;
diff --git a/usr.bin/tail/reverse.c b/usr.bin/tail/reverse.c
index 511f88c..8726905 100644
--- a/usr.bin/tail/reverse.c
+++ b/usr.bin/tail/reverse.c
@@ -117,6 +117,7 @@ r_reg(FILE *fp, const char *fn, enum STYLE style, off_t off, struct stat *sbp)
 	map.start = NULL;
 	map.mapoff = map.maxoff = size;
 	map.fd = fileno(fp);
+	map.maplen = 0;
 
 	/*
 	 * Last char is special, ignore whether newline or not. Note that
@@ -205,7 +206,13 @@ r_buf(FILE *fp, const char *fn)
 		    (tl->l = malloc(BSZ)) == NULL) {
 			if (!mark)
 				err(1, "malloc");
-			tl = enomem ? tl->next : mark;
+			if (enomem)
+				tl = tl->next;
+			else {
+				if (tl)
+					free(tl);
+				tl = mark;
+			}
 			enomem += tl->len;
 		} else if (mark) {
 			tl->next = mark;
diff --git a/usr.sbin/diskinfo/diskinfo.c b/usr.sbin/diskinfo/diskinfo.c
index 373b3fe..c984f3e 100644
--- a/usr.sbin/diskinfo/diskinfo.c
+++ b/usr.sbin/diskinfo/diskinfo.c
@@ -94,13 +94,12 @@ main(int argc, char **argv)
 	for (i = 0; i < argc; i++) {
 		fd = open(argv[i], O_RDONLY);
 		if (fd < 0 && errno == ENOENT && *argv[i] != '/') {
-			sprintf(buf, "%s%s", _PATH_DEV, argv[i]);
+			snprintf(buf, BUFSIZ, "%s%s", _PATH_DEV, argv[i]);
 			fd = open(buf, O_RDONLY);
 		}
 		if (fd < 0) {
 			warn("%s", argv[i]);
-			exitval = 1;
-			goto out;
+			exit(1);
 		}
 		error = ioctl(fd, DIOCGMEDIASIZE, &mediasize);
 		if (error) {
@@ -186,7 +185,8 @@ rdsect(int fd, off_t blockno, u_int sectorsize)
 {
 	int error;
 
-	lseek(fd, (off_t)blockno * sectorsize, SEEK_SET);
+	if (lseek(fd, (off_t)blockno * sectorsize, SEEK_SET) == -1)
+		err(1, "lseek");
 	error = read(fd, sector, sectorsize);
 	if (error == -1)
 		err(1, "read");
@@ -251,6 +251,9 @@ speeddisk(int fd, off_t mediasize, u_int sectorsize)
 	off_t b0, b1, sectorcount, step;
 
 	sectorcount = mediasize / sectorsize;
+	if (sectorcount <= 0)
+		return;		/* Can't test devices with no sectors */
+
 	step = 1ULL << (flsll(sectorcount / (4 * 200)) - 1);
 	if (step > 16384)
 		step = 16384;