Line: 1726 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	int r;
	struct dm_bufio_client *c;
	unsigned i;
	char slab_name[27];

	if (!block_size || block_size & ((1 << SECTOR_SHIFT) - 1)) {
		DMERR("%s: block size not specified or is not multiple of 512b", __func__);
		r = -EINVAL;
		goto bad_client;

            

Line: 152

              base507c_ntfy_wait_begun(struct nouveau_bo *bo, u32 offset,
			 struct nvif_device *device)
{
	s64 time = nvif_msec(device, 2000ULL,
		if (NVBO_TD32(bo, offset, NV_DISP_BASE_NOTIFIER_1, _0, STATUS, ==, BEGUN))
			break;
		usleep_range(1, 2);
	);
	return time < 0 ? time : 0;

            

Line: 88 Column: 14 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #define to_tv_enc(x) container_of(nouveau_encoder(x),		\
				  struct nv17_tv_encoder, base)

extern const char * const nv17_tv_norm_names[NUM_TV_NORMS];

extern struct nv17_tv_norm_params {
	enum {
		TV_ENC_MODE,
		CTV_ENC_MODE,

            

Line: 34 Column: 7 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #include "hw.h"
#include "tvnv17.h"

const char * const nv17_tv_norm_names[NUM_TV_NORMS] = {
	[TV_NORM_PAL] = "PAL",
	[TV_NORM_PAL_M] = "PAL-M",
	[TV_NORM_PAL_N] = "PAL-N",
	[TV_NORM_PAL_NC] = "PAL-Nc",
	[TV_NORM_NTSC_M] = "NTSC-M",

            

Line: 750

              		if (drm->client.device.info.family < NV_DEVICE_INFO_V0_KELVIN) {
			/* Not waiting for vertical retrace before modifying
			   CRE_53/CRE_54 causes lockups. */
			nvif_msec(&drm->client.device, 650,
				if ( (nvif_rd32(device, NV_PRMCIO_INP0__COLOR) & 8))
					break;
			);
			nvif_msec(&drm->client.device, 650,
				if (!(nvif_rd32(device, NV_PRMCIO_INP0__COLOR) & 8))

            

Line: 28 Column: 11 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	uint8_t Sequencer[5];
	uint8_t Graphics[9];
	uint8_t Attribute[21];
	unsigned char DAC[768];

	/* PCRTC regs */
	uint32_t fb_start;
	uint32_t crtc_cfg;
	uint32_t cursor_cfg;

            

Line: 642 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	page_store[0] = ETP_I2C_IAP_REG_L;
	page_store[1] = ETP_I2C_IAP_REG_H;
	memcpy(&page_store[2], page, fw_page_size);
	/* recode checksum at last two bytes */
	put_unaligned_le16(checksum, &page_store[fw_page_size + 2]);

	ret = i2c_master_send(client, page_store, fw_page_size + 4);
	if (ret != fw_page_size + 4) {

            

Line: 127 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	if (error < 0)
		return error;

	memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
	return 0;
}

static int elan_smbus_get_baseline_data(struct i2c_client *client,
					bool max_baseline, u8 *value)

            

Line: 83

              		 * use a 10ms timeout (guards against crtc being inactive, in
		 * which case blank state would never change)
		 */
		if (nvif_msec(&drm->client.device, 10,
			if (!(nvif_rd32(device, NV_PRMCIO_INP0__COLOR) & 1))
				break;
		) < 0)
			return -EBUSY;


            

Line: 14 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              		void *memptrs, uint64_t memptrs_iova)
{
	struct msm_ringbuffer *ring;
	char name[32];
	int ret;

	/* We assume everwhere that MSM_GPU_RINGBUFFER_SZ is a power of 2 */
	BUILD_BUG_ON(!is_power_of_2(MSM_GPU_RINGBUFFER_SZ));