The following issues were found
drivers/gpu/drm/i915/gvt/handlers.c
11 issues
Line: 78
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void read_vreg(struct intel_vgpu *vgpu, unsigned int offset,
void *p_data, unsigned int bytes)
{
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
}
static void write_vreg(struct intel_vgpu *vgpu, unsigned int offset,
void *p_data, unsigned int bytes)
{
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void write_vreg(struct intel_vgpu *vgpu, unsigned int offset,
void *p_data, unsigned int bytes)
{
memcpy(&vgpu_vreg(vgpu, offset), p_data, bytes);
}
struct intel_gvt_mmio_info *intel_gvt_find_mmio_info(struct intel_gvt *gvt,
unsigned int offset)
{
Reported by FlawFinder.
Line: 1498
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int send_display_ready_uevent(struct intel_vgpu *vgpu, int ready)
{
struct kobject *kobj = &vgpu->gvt->gt->i915->drm.primary->kdev->kobj;
char *env[3] = {NULL, NULL, NULL};
char vmid_str[20];
char display_ready_str[20];
snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d", ready);
env[0] = display_ready_str;
Reported by FlawFinder.
Line: 1499
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct kobject *kobj = &vgpu->gvt->gt->i915->drm.primary->kdev->kobj;
char *env[3] = {NULL, NULL, NULL};
char vmid_str[20];
char display_ready_str[20];
snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d", ready);
env[0] = display_ready_str;
Reported by FlawFinder.
Line: 1500
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kobject *kobj = &vgpu->gvt->gt->i915->drm.primary->kdev->kobj;
char *env[3] = {NULL, NULL, NULL};
char vmid_str[20];
char display_ready_str[20];
snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d", ready);
env[0] = display_ready_str;
snprintf(vmid_str, 20, "VMID=%d", vgpu->id);
Reported by FlawFinder.
Line: 3919
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
} else {
/* keep the RO bits in the virtual register */
memcpy(&data, pdata, bytes);
data &= ~ro_mask;
data |= vgpu_vreg(vgpu, offset) & ro_mask;
ret = mmio_info->write(vgpu, offset, &data, bytes);
}
Reported by FlawFinder.
Line: 102
Column: 17
CWE codes:
120
20
static int new_mmio_info(struct intel_gvt *gvt,
u32 offset, u16 flags, u32 size,
u32 addr_mask, u32 ro_mask, u32 device,
gvt_mmio_func read, gvt_mmio_func write)
{
struct intel_gvt_mmio_info *info, *p;
u32 start, end, i;
if (!intel_gvt_match_device(gvt, device))
Reported by FlawFinder.
Line: 137
Column: 16
CWE codes:
120
20
info->ro_mask = ro_mask;
info->device = device;
info->read = read ? read : intel_vgpu_default_mmio_read;
info->write = write ? write : intel_vgpu_default_mmio_write;
gvt->mmio.mmio_attribute[info->offset / 4] = flags;
INIT_HLIST_NODE(&info->node);
hash_add(gvt->mmio.mmio_info_table, &info->node, info->offset);
gvt->mmio.num_tracked_mmio++;
Reported by FlawFinder.
Line: 137
Column: 23
CWE codes:
120
20
info->ro_mask = ro_mask;
info->device = device;
info->read = read ? read : intel_vgpu_default_mmio_read;
info->write = write ? write : intel_vgpu_default_mmio_write;
gvt->mmio.mmio_attribute[info->offset / 4] = flags;
INIT_HLIST_NODE(&info->node);
hash_add(gvt->mmio.mmio_info_table, &info->node, info->offset);
gvt->mmio.num_tracked_mmio++;
Reported by FlawFinder.
Line: 3886
Column: 32
CWE codes:
120
20
*/
mmio_block = find_mmio_block(gvt, offset);
if (mmio_block) {
func = is_read ? mmio_block->read : mmio_block->write;
if (func)
return func(vgpu, offset, pdata, bytes);
goto default_rw;
}
Reported by FlawFinder.
drivers/vfio/pci/vfio_pci_config.c
11 issues
Line: 180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0;
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
memcpy(&virt, perm->virt + offset, count);
/* Any non-virtualized bits? */
if (cpu_to_le32(~0U >> (32 - (count * 8))) != virt) {
struct pci_dev *pdev = vdev->pdev;
__le32 phys_val = 0;
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le32 virt = 0, write = 0;
memcpy(&write, perm->write + offset, count);
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!write)
return count; /* drop, no writable bits */
memcpy(&virt, perm->virt + offset, count);
/* Virtualized and writable bits go to vconfig */
if (write & virt) {
__le32 virt_val = 0;
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (write & virt) {
__le32 virt_val = 0;
memcpy(&virt_val, vdev->vconfig + pos, count);
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virt_val &= ~(write & virt);
virt_val |= (val & (write & virt));
memcpy(vdev->vconfig + pos, &virt_val, count);
}
/* Non-virtualzed and writable bits go to hardware */
if (write & ~virt) {
struct pci_dev *pdev = vdev->pdev;
Reported by FlawFinder.
Line: 259
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos >= PCI_CFG_SPACE_SIZE) { /* Extended cap header mangling */
if (offset < 4)
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
Reported by FlawFinder.
Line: 262
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos, count);
} else if (pos >= PCI_STD_HEADER_SIZEOF) { /* Std cap mangling */
if (offset == PCI_CAP_LIST_ID && count > 1)
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
Reported by FlawFinder.
Line: 265
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(val, vdev->vconfig + pos,
min(PCI_CAP_FLAGS, count));
else if (offset == PCI_CAP_LIST_NEXT)
memcpy(val, vdev->vconfig + pos, 1);
}
return count;
}
Reported by FlawFinder.
Line: 303
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int count, struct perm_bits *perm,
int offset, __le32 val)
{
memcpy(vdev->vconfig + pos, &val, count);
return count;
}
static int vfio_virt_config_read(struct vfio_pci_device *vdev, int pos,
int count, struct perm_bits *perm,
Reported by FlawFinder.
drivers/net/wireless/broadcom/b43/main.c
11 issues
Line: 5607
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
wl->tx_queue_stopped[queue_num] = false;
}
snprintf(chip_name, ARRAY_SIZE(chip_name),
(dev->chip_id > 0x9999) ? "%d" : "%04X", dev->chip_id);
b43info(wl, "Broadcom %s WLAN found (core revision %u)\n", chip_name,
dev->core_rev);
return wl;
}
Reported by FlawFinder.
Line: 80
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_PARM_DESC(bad_frames_preempt,
"enable(1) / disable(0) Bad Frames Preemption");
static char modparam_fwpostfix[16];
module_param_string(fwpostfix, modparam_fwpostfix, 16, 0444);
MODULE_PARM_DESC(fwpostfix, "Postfix for the .fw files to load.");
static int modparam_hwpctl;
module_param_named(hwpctl, modparam_hwpctl, int, 0444);
Reported by FlawFinder.
Line: 691
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43_macfilter_set(dev, B43_MACFILTER_BSSID, bssid);
memcpy(mac_bssid, mac, ETH_ALEN);
memcpy(mac_bssid + ETH_ALEN, bssid, ETH_ALEN);
/* Write our MAC address and BSSID to template ram */
for (i = 0; i < ARRAY_SIZE(mac_bssid); i += sizeof(u32)) {
tmp = (u32) (mac_bssid[i + 0]);
Reported by FlawFinder.
Line: 692
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b43_macfilter_set(dev, B43_MACFILTER_BSSID, bssid);
memcpy(mac_bssid, mac, ETH_ALEN);
memcpy(mac_bssid + ETH_ALEN, bssid, ETH_ALEN);
/* Write our MAC address and BSSID to template ram */
for (i = 0; i < ARRAY_SIZE(mac_bssid); i += sizeof(u32)) {
tmp = (u32) (mac_bssid[i + 0]);
tmp |= (u32) (mac_bssid[i + 1]) << 8;
Reported by FlawFinder.
Line: 991
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (index >= pairwise_keys_start) /* clear it */
rx_tkip_phase1_write(dev, index, 0, NULL);
if (key)
memcpy(buf, key, key_len);
key_write(dev, index, algorithm, buf);
if (index >= pairwise_keys_start)
keymac_write(dev, index, mac_addr);
dev->key[index].algorithm = algorithm;
Reported by FlawFinder.
Line: 3808
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(!dev || (b43_status(dev) < B43_STAT_INITIALIZED)))
goto out_unlock;
memcpy(&(wl->qos_params[queue].p), params, sizeof(*params));
b43_mac_suspend(dev);
b43_qos_params_upload(dev, &(wl->qos_params[queue].p),
b43_qos_shm_offsets[queue]);
b43_mac_enable(dev);
err = 0;
Reported by FlawFinder.
Line: 3827
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct b43_wl *wl = hw_to_b43_wl(hw);
mutex_lock(&wl->mutex);
memcpy(stats, &wl->ieee_stats, sizeof(*stats));
mutex_unlock(&wl->mutex);
return 0;
}
Reported by FlawFinder.
Line: 4115
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (changed & BSS_CHANGED_BSSID) {
if (conf->bssid)
memcpy(wl->bssid, conf->bssid, ETH_ALEN);
else
eth_zero_addr(wl->bssid);
}
if (b43_status(dev) >= B43_STAT_INITIALIZED) {
Reported by FlawFinder.
Line: 4982
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wl->operating = true;
wl->vif = vif;
wl->if_type = vif->type;
memcpy(wl->mac_addr, vif->addr, ETH_ALEN);
b43_adjust_opmode(dev);
b43_set_pretbtt(dev);
b43_set_synth_pu_delay(dev, 0);
b43_upload_card_macaddress(dev);
Reported by FlawFinder.
Line: 5560
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ssb_sprom *sprom = dev->bus_sprom;
struct ieee80211_hw *hw;
struct b43_wl *wl;
char chip_name[6];
int queue_num;
hw = ieee80211_alloc_hw(sizeof(*wl), &b43_hw_ops);
if (!hw) {
b43err(NULL, "Could not allocate ieee80211 device\n");
Reported by FlawFinder.
security/selinux/ss/services.c
11 issues
Line: 1270
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
* Copy the user name, role name and type name into the context.
*/
scontextp += sprintf(scontextp, "%s:%s:%s",
sym_name(p, SYM_USERS, context->user - 1),
sym_name(p, SYM_ROLES, context->role - 1),
sym_name(p, SYM_TYPES, context->type - 1));
mls_sid_to_context(p, context, &scontextp);
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *tclass_name;
char *scontext_name = NULL;
char *tcontext_name = NULL;
char *permission_names[32];
int index;
u32 length;
bool need_comma = false;
if (!permissions)
Reported by FlawFinder.
Line: 2050
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* back into s again because string_to_context_struct()
* may have garbled it.
*/
memcpy(s, oldc->str, oldc->len);
context_init(newc);
newc->str = s;
newc->len = oldc->len;
return 0;
}
Reported by FlawFinder.
Line: 2810
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
if (!mysids2)
goto out_unlock;
memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
kfree(mysids);
mysids = mysids2;
mysids[mynel++] = sid;
}
}
Reported by FlawFinder.
Line: 1253
Column: 19
CWE codes:
126
}
/* Compute the size of the context. */
*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
*scontext_len += mls_compute_context_len(p, context);
if (!scontext)
Reported by FlawFinder.
Line: 1254
Column: 19
CWE codes:
126
/* Compute the size of the context. */
*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
*scontext_len += mls_compute_context_len(p, context);
if (!scontext)
return 0;
Reported by FlawFinder.
Line: 1255
Column: 19
CWE codes:
126
/* Compute the size of the context. */
*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
*scontext_len += mls_compute_context_len(p, context);
if (!scontext)
return 0;
Reported by FlawFinder.
Line: 1349
Column: 20
CWE codes:
126
if (!s)
return -EINVAL;
*scontext_len = strlen(s) + 1;
if (!scontext)
return 0;
scontextp = kmemdup(s, *scontext_len, GFP_ATOMIC);
if (!scontextp)
return -ENOMEM;
Reported by FlawFinder.
Line: 1569
Column: 17
CWE codes:
126
&context, def_sid);
if (rc == -EINVAL && force) {
context.str = str;
context.len = strlen(str) + 1;
str = NULL;
} else if (rc)
goto out_unlock;
rc = sidtab_context_to_sid(sidtab, &context, sid);
if (rc == -ESTALE) {
Reported by FlawFinder.
Line: 1616
Column: 50
CWE codes:
126
int security_context_str_to_sid(struct selinux_state *state,
const char *scontext, u32 *sid, gfp_t gfp)
{
return security_context_to_sid(state, scontext, strlen(scontext),
sid, gfp);
}
/**
* security_context_to_sid_default - Obtain a SID for a given security context,
Reported by FlawFinder.
tools/perf/tests/api-io.c
11 issues
Line: 41
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
Reported by FlawFinder.
Line: 36
Column: 27
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} \
} while (0)
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
Reported by FlawFinder.
Line: 42
Column: 7
CWE codes:
377
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
pr_debug("mkstemp failed");
return -1;
}
if (write(fd, contents, contents_len) < contents_len) {
Reported by FlawFinder.
Line: 57
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static int setup_test(char path[PATH_MAX], const char *contents,
size_t buf_size, struct io *io)
{
if (make_test_file(path, contents))
return -1;
Reported by FlawFinder.
Line: 63
Column: 11
CWE codes:
362
if (make_test_file(path, contents))
return -1;
io->fd = open(path, O_RDONLY);
if (io->fd < 0) {
pr_debug("Failed to open '%s'\n", path);
unlink(path);
return -1;
}
Reported by FlawFinder.
Line: 80
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return 0;
}
static void cleanup_test(char path[PATH_MAX], struct io *io)
{
free(io->buf);
close(io->fd);
unlink(path);
}
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_test_get_char(const char *test_string, size_t buf_size)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
size_t i;
if (setup_test(path, test_string, buf_size, &io))
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 hex;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 val3, int ch3,
bool end_eof)
{
char path[PATH_MAX];
struct io io;
int ch, ret = 0;
__u64 dec;
if (setup_test(path, test_string, 4, &io))
Reported by FlawFinder.
Line: 38
Column: 25
CWE codes:
126
static int make_test_file(char path[PATH_MAX], const char *contents)
{
ssize_t contents_len = strlen(contents);
int fd;
strcpy(path, TEMPL);
fd = mkstemp(path);
if (fd < 0) {
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/intel_engine_cs.c
11 issues
Line: 1398
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t pos;
for (pos = 0; pos < len; pos += rowsize) {
char line[128];
if (prev && !memcmp(prev, buf + pos, rowsize)) {
if (!skip) {
drm_printf(m, "*\n");
skip = true;
Reported by FlawFinder.
Line: 1535
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
execlists_active_lock_bh(execlists);
rcu_read_lock();
for (port = execlists->active; (rq = *port); port++) {
char hdr[160];
int len;
len = scnprintf(hdr, sizeof(hdr),
"\t\tActive[%d]: ccid:%08x%s%s, ",
(int)(port - execlists->active),
Reported by FlawFinder.
Line: 1549
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
i915_request_show(m, rq, hdr, 0);
}
for (port = execlists->pending; (rq = *port); port++) {
char hdr[160];
int len;
len = scnprintf(hdr, sizeof(hdr),
"\t\tPending[%d]: ccid:%08x%s%s, ",
(int)(port - execlists->pending),
Reported by FlawFinder.
Line: 1597
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rq->tail < head) {
len = rq->ring->size - head;
memcpy(ring, vaddr + head, len);
head = 0;
}
memcpy(ring + len, vaddr + head, size - len);
hexdump(m, ring, size);
Reported by FlawFinder.
Line: 1600
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ring, vaddr + head, len);
head = 0;
}
memcpy(ring + len, vaddr + head, size - len);
hexdump(m, ring, size);
kfree(ring);
}
}
Reported by FlawFinder.
Line: 1503
Column: 6
CWE codes:
120
20
&engine->status_page.addr[I915_HWS_CSB_BUF0_INDEX];
const u8 num_entries = execlists->csb_size;
unsigned int idx;
u8 read, write;
drm_printf(m, "\tExeclist tasklet queued? %s (%s), preempt? %s, timeslice? %s\n",
yesno(test_bit(TASKLET_STATE_SCHED,
&engine->execlists.tasklet.state)),
enableddisabled(!atomic_read(&engine->execlists.tasklet.count)),
Reported by FlawFinder.
Line: 1518
Column: 7
CWE codes:
120
20
drm_printf(m, "\tExeclist status: 0x%08x %08x; CSB read:%d, write:%d, entries:%d\n",
ENGINE_READ(engine, RING_EXECLIST_STATUS_LO),
ENGINE_READ(engine, RING_EXECLIST_STATUS_HI),
read, write, num_entries);
if (read >= num_entries)
read = 0;
if (write >= num_entries)
write = 0;
Reported by FlawFinder.
Line: 1520
Column: 7
CWE codes:
120
20
ENGINE_READ(engine, RING_EXECLIST_STATUS_HI),
read, write, num_entries);
if (read >= num_entries)
read = 0;
if (write >= num_entries)
write = 0;
if (read > write)
write += num_entries;
Reported by FlawFinder.
Line: 1524
Column: 7
CWE codes:
120
20
read = 0;
if (write >= num_entries)
write = 0;
if (read > write)
write += num_entries;
while (read < write) {
idx = ++read % num_entries;
drm_printf(m, "\tExeclist CSB[%d]: 0x%08x, context: %d\n",
idx, hws[idx * 2], hws[idx * 2 + 1]);
Reported by FlawFinder.
Line: 1526
Column: 10
CWE codes:
120
20
write = 0;
if (read > write)
write += num_entries;
while (read < write) {
idx = ++read % num_entries;
drm_printf(m, "\tExeclist CSB[%d]: 0x%08x, context: %d\n",
idx, hws[idx * 2], hws[idx * 2 + 1]);
}
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
11 issues
Line: 182
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vf = &bp->pf.vf[vf_id];
if (is_valid_ether_addr(vf->mac_addr))
memcpy(&ivi->mac, vf->mac_addr, ETH_ALEN);
else
memcpy(&ivi->mac, vf->vf_mac_addr, ETH_ALEN);
ivi->max_tx_rate = vf->max_tx_rate;
ivi->min_tx_rate = vf->min_tx_rate;
ivi->vlan = vf->vlan;
Reported by FlawFinder.
Line: 184
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_valid_ether_addr(vf->mac_addr))
memcpy(&ivi->mac, vf->mac_addr, ETH_ALEN);
else
memcpy(&ivi->mac, vf->vf_mac_addr, ETH_ALEN);
ivi->max_tx_rate = vf->max_tx_rate;
ivi->min_tx_rate = vf->min_tx_rate;
ivi->vlan = vf->vlan;
if (vf->flags & BNXT_VF_QOS)
ivi->qos = vf->vlan >> VLAN_PRIO_SHIFT;
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
vf = &bp->pf.vf[vf_id];
memcpy(vf->mac_addr, mac, ETH_ALEN);
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
req.fid = cpu_to_le16(vf->fw_fid);
req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
memcpy(req.dflt_mac_addr, mac, ETH_ALEN);
return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
Reported by FlawFinder.
Line: 227
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
req.fid = cpu_to_le16(vf->fw_fid);
req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
memcpy(req.dflt_mac_addr, mac, ETH_ALEN);
return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
}
int bnxt_set_vf_vlan(struct net_device *dev, int vf_id, u16 vlan_id, u8 qos,
__be16 vlan_proto)
Reported by FlawFinder.
Line: 476
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_valid_ether_addr(vf->mac_addr)) {
req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
memcpy(req.dflt_mac_addr, vf->mac_addr, ETH_ALEN);
}
if (vf->vlan) {
req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_VLAN);
req.dflt_vlan = cpu_to_le16(vf->vlan);
}
Reported by FlawFinder.
Line: 910
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.encap_resp_len = cpu_to_le16(msg_size);
req.encap_resp_addr = encap_resp_addr;
req.encap_resp_cmpl_ring = encap_resp_cpr;
memcpy(req.encap_resp, encap_resp, msg_size);
rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
if (rc)
netdev_err(bp->dev, "hwrm_fwd_resp failed. rc:%d\n", rc);
return rc;
Reported by FlawFinder.
Line: 931
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set the new target id */
req.target_id = cpu_to_le16(vf->fw_fid);
req.encap_resp_target_id = cpu_to_le16(vf->fw_fid);
memcpy(req.encap_request, vf->hwrm_cmd_req_addr, msg_size);
rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
if (rc)
netdev_err(bp->dev, "hwrm_fwd_err_resp failed. rc:%d\n", rc);
return rc;
Reported by FlawFinder.
Line: 952
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set the new target id */
req.target_id = cpu_to_le16(vf->fw_fid);
req.encap_resp_target_id = cpu_to_le16(vf->fw_fid);
memcpy(req.encap_request, vf->hwrm_cmd_req_addr, msg_size);
rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
if (rc)
netdev_err(bp->dev, "hwrm_exec_fw_resp failed. rc:%d\n", rc);
return rc;
Reported by FlawFinder.
Line: 1134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_VF_CFG, -1, -1);
req.enables = cpu_to_le32(FUNC_VF_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
memcpy(req.dflt_mac_addr, mac, ETH_ALEN);
rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
mac_done:
if (rc && strict) {
rc = -EADDRNOTAVAIL;
netdev_warn(bp->dev, "VF MAC address %pM not approved by the PF\n",
Reported by FlawFinder.
Line: 1167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the random MAC address using ndo_set_mac_address() if he wants.
*/
if (!ether_addr_equal(resp->mac_address, bp->vf.mac_addr)) {
memcpy(bp->vf.mac_addr, resp->mac_address, ETH_ALEN);
/* This means we are now using our own MAC address, let
* the PF know about this MAC address.
*/
if (!is_valid_ether_addr(bp->vf.mac_addr))
inform_pf = true;
Reported by FlawFinder.
arch/x86/events/intel/pt.c
11 issues
Line: 701
CWE codes:
786
BUG_ON(last->last != TENTS_PER_PAGE - 1);
TOPA_ENTRY(last, -1)->base = topa_pfn(topa);
TOPA_ENTRY(last, -1)->end = 1;
}
/**
* topa_table_full() - check if a ToPA table is filled up
Reported by Cppcheck.
Line: 702
CWE codes:
786
BUG_ON(last->last != TENTS_PER_PAGE - 1);
TOPA_ENTRY(last, -1)->base = topa_pfn(topa);
TOPA_ENTRY(last, -1)->end = 1;
}
/**
* topa_table_full() - check if a ToPA table is filled up
* @topa: ToPA table.
Reported by Cppcheck.
Line: 751
CWE codes:
786
topa->z_count++;
}
TOPA_ENTRY(topa, -1)->base = page_to_phys(p) >> TOPA_SHIFT;
TOPA_ENTRY(topa, -1)->size = order;
if (!buf->snapshot &&
!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(topa, -1)->intr = 1;
TOPA_ENTRY(topa, -1)->stop = 1;
Reported by Cppcheck.
Line: 752
CWE codes:
786
}
TOPA_ENTRY(topa, -1)->base = page_to_phys(p) >> TOPA_SHIFT;
TOPA_ENTRY(topa, -1)->size = order;
if (!buf->snapshot &&
!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(topa, -1)->intr = 1;
TOPA_ENTRY(topa, -1)->stop = 1;
}
Reported by Cppcheck.
Line: 755
CWE codes:
786
TOPA_ENTRY(topa, -1)->size = order;
if (!buf->snapshot &&
!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(topa, -1)->intr = 1;
TOPA_ENTRY(topa, -1)->stop = 1;
}
topa->last++;
topa->size += sizes(order);
Reported by Cppcheck.
Line: 756
CWE codes:
786
if (!buf->snapshot &&
!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(topa, -1)->intr = 1;
TOPA_ENTRY(topa, -1)->stop = 1;
}
topa->last++;
topa->size += sizes(order);
Reported by Cppcheck.
Line: 1216
CWE codes:
786
/* link last table to the first one, unless we're double buffering */
if (intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(buf->last, -1)->base = topa_pfn(buf->first);
TOPA_ENTRY(buf->last, -1)->end = 1;
}
pt_topa_dump(buf);
return 0;
Reported by Cppcheck.
Line: 1217
CWE codes:
786
/* link last table to the first one, unless we're double buffering */
if (intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) {
TOPA_ENTRY(buf->last, -1)->base = topa_pfn(buf->first);
TOPA_ENTRY(buf->last, -1)->end = 1;
}
pt_topa_dump(buf);
return 0;
}
Reported by Cppcheck.
Line: 145
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (pmu_attr->id) {
case 0:
return sprintf(page, "%lu\n", pt_pmu.max_nonturbo_ratio);
case 1:
return sprintf(page, "%u:%u\n",
pt_pmu.tsc_art_num,
pt_pmu.tsc_art_den);
default:
Reported by FlawFinder.
Line: 147
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case 0:
return sprintf(page, "%lu\n", pt_pmu.max_nonturbo_ratio);
case 1:
return sprintf(page, "%u:%u\n",
pt_pmu.tsc_art_num,
pt_pmu.tsc_art_den);
default:
break;
}
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
11 issues
Line: 624
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* traverse list */
list_for_each_entry(pos, &o->head, link) {
if (counter < n) {
memcpy(next, &pos->u, size);
counter++;
DP(BNX2X_MSG_SP, "copied element number %d to address %p element was:\n",
counter, next);
next += stride + size;
}
Reported by FlawFinder.
Line: 1254
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*ppos = NULL;
/* Prepare a 'user_req' */
memcpy(&p->user_req.u, &pos->u, sizeof(pos->u));
/* Set the command */
p->user_req.cmd = BNX2X_VLAN_MAC_ADD;
/* Set vlan_mac_flags */
Reported by FlawFinder.
Line: 1925
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Fill the object specific info */
memcpy(&elem->cmd_data.vlan_mac, &p->user_req, sizeof(p->user_req));
/* Try to add a new command to the pending list */
return bnx2x_exe_queue_add(bp, &o->exe_queue, elem, restore);
}
Reported by FlawFinder.
Line: 2077
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (BNX2X_VLAN_MAC_CMP_FLAGS(flags) ==
BNX2X_VLAN_MAC_CMP_FLAGS(*vlan_mac_flags)) {
p.user_req.vlan_mac_flags = pos->vlan_mac_flags;
memcpy(&p.user_req.u, &pos->u, sizeof(pos->u));
rc = bnx2x_config_vlan_mac(bp, &p);
if (rc < 0) {
BNX2X_ERR("Failed to add a new DEL command\n");
bnx2x_vlan_mac_h_read_unlock(bp, o);
return rc;
Reported by FlawFinder.
Line: 2732
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mcast_group_link);
list_for_each_entry(pos, &p->mcast_list, link) {
mac_elem = &elem_group->mcast_elems[offset].mac_elem;
memcpy(mac_elem->mac, pos->mac, ETH_ALEN);
/* Push the MACs of the current command into the pending
* command MACs list: FIFO
*/
list_add_tail(&mac_elem->link,
&new_cmd->data.macs_head);
Reported by FlawFinder.
Line: 3026
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int cnt = 0, mac_cnt = 0, offset = 0, i;
memset(req, 0, sizeof(u64) * BNX2X_MCAST_VEC_SZ);
memcpy(cur, o->registry.aprox_match.vec,
sizeof(u64) * BNX2X_MCAST_VEC_SZ);
/* Fill `current' with the required set of bins to configure */
list_for_each_entry_safe(pmac_pos, pmac_pos_n, &cmd_pos->data.macs_head,
link) {
Reported by FlawFinder.
Line: 4566
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DP(BNX2X_MSG_SP, "rss_engine_id=%d\n", data->rss_engine_id);
/* Indirection table */
memcpy(data->indirection_table, p->ind_table,
T_ETH_INDIRECTION_TABLE_SIZE);
/* Remember the last configuration */
memcpy(o->ind_table, p->ind_table, T_ETH_INDIRECTION_TABLE_SIZE);
Reported by FlawFinder.
Line: 4570
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
T_ETH_INDIRECTION_TABLE_SIZE);
/* Remember the last configuration */
memcpy(o->ind_table, p->ind_table, T_ETH_INDIRECTION_TABLE_SIZE);
/* Print the indirection table */
if (netif_msg_ifup(bp))
bnx2x_debug_print_ind_table(bp, p);
Reported by FlawFinder.
Line: 4598
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void bnx2x_get_rss_ind_table(struct bnx2x_rss_config_obj *rss_obj,
u8 *ind_table)
{
memcpy(ind_table, rss_obj->ind_table, sizeof(rss_obj->ind_table));
}
int bnx2x_config_rss(struct bnx2x *bp,
struct bnx2x_config_rss_params *p)
{
Reported by FlawFinder.
Line: 5671
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* We support only BNX2X_MULTI_TX_COS Tx CoS at the moment */
BUG_ON(BNX2X_MULTI_TX_COS < cid_cnt);
memcpy(obj->cids, cids, sizeof(obj->cids[0]) * cid_cnt);
obj->max_cos = cid_cnt;
obj->cl_id = cl_id;
obj->func_id = func_id;
obj->rdata = rdata;
obj->rdata_mapping = rdata_mapping;
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
11 issues
Line: 565
CWE codes:
476
if (mc_num) {
INIT_LIST_HEAD(&mcast.mcast_list);
for (i = 0; i < mc_num; i++) {
mc[i].mac = mcasts[i];
list_add_tail(&mc[i].link,
&mcast.mcast_list);
}
/* add new mcasts */
Reported by Cppcheck.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
goto out;
memcpy(&q_params->params.setup, &qctor->prep_qsetup,
sizeof(struct bnx2x_queue_setup_params));
q_params->cmd = BNX2X_Q_CMD_SETUP;
rc = bnx2x_queue_state_change(bp, q_params);
if (rc)
goto out;
Reported by FlawFinder.
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (filter->type == BNX2X_VF_FILTER_VLAN_MAC) {
ramrod.vlan_mac_obj = &bnx2x_vfq(vf, qid, vlan_mac_obj);
ramrod.user_req.u.vlan.vlan = filter->vid;
memcpy(&ramrod.user_req.u.mac.mac, filter->mac, ETH_ALEN);
set_bit(BNX2X_ETH_MAC, &ramrod.user_req.vlan_mac_flags);
} else if (filter->type == BNX2X_VF_FILTER_VLAN) {
ramrod.vlan_mac_obj = &bnx2x_vfq(vf, qid, vlan_obj);
ramrod.user_req.u.vlan.vlan = filter->vid;
} else {
Reported by FlawFinder.
Line: 404
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
set_bit(BNX2X_ETH_MAC, &ramrod.user_req.vlan_mac_flags);
ramrod.vlan_mac_obj = &bnx2x_vfq(vf, qid, mac_obj);
memcpy(&ramrod.user_req.u.mac.mac, filter->mac, ETH_ALEN);
}
ramrod.user_req.cmd = filter->add ? BNX2X_VLAN_MAC_ADD :
BNX2X_VLAN_MAC_DEL;
set_bit(RAMROD_EXEC, &ramrod.ramrod_flags);
Reported by FlawFinder.
Line: 2248
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Set ramrod params */
memset(&qstate, 0, sizeof(struct bnx2x_queue_state_params));
memcpy(&qstate.params.update_tpa, params,
sizeof(struct bnx2x_queue_update_tpa_params));
qstate.cmd = BNX2X_Q_CMD_UPDATE_TPA;
set_bit(RAMROD_COMP_WAIT, &qstate.ramrod_flags);
for (qid = 0; qid < vf_rxq_count(vf); qid++) {
Reported by FlawFinder.
Line: 2640
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* mac */
if (bulletin->valid_bitmap & (1 << MAC_ADDR_VALID))
/* mac configured by ndo so its in bulletin board */
memcpy(&ivi->mac, bulletin->mac, ETH_ALEN);
else
/* function has not been loaded yet. Show mac as 0s */
eth_zero_addr(ivi->mac);
/* vlan */
Reported by FlawFinder.
Line: 2648
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* vlan */
if (bulletin->valid_bitmap & (1 << VLAN_VALID))
/* vlan configured by ndo so its in bulletin board */
memcpy(&ivi->vlan, &bulletin->vlan, VLAN_HLEN);
else
/* function has not been loaded yet. Show vlans as 0s */
memset(&ivi->vlan, 0, VLAN_HLEN);
mutex_unlock(&bp->vfdb->bulletin_mutex);
Reported by FlawFinder.
Line: 2699
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* configuration requests from vf unless match this mac
*/
bulletin->valid_bitmap |= 1 << MAC_ADDR_VALID;
memcpy(bulletin->mac, mac, ETH_ALEN);
/* Post update on VF's bulletin board */
rc = bnx2x_post_vf_bulletin(bp, vfidx);
/* release lock before checking return code */
Reported by FlawFinder.
Line: 3040
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 crc;
/* sample the bulletin board */
memcpy(&bp->shadow_bulletin, bp->pf2vf_bulletin,
sizeof(union pf_vf_bulletin));
crc = bnx2x_crc_vf_bulletin(&bp->shadow_bulletin.content);
if (bp->shadow_bulletin.content.crc == crc)
Reported by FlawFinder.
Line: 3067
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (bulletin->valid_bitmap & 1 << MAC_ADDR_VALID &&
!ether_addr_equal(bulletin->mac, bp->old_bulletin.mac)) {
/* update new mac to net device */
memcpy(bp->dev->dev_addr, bulletin->mac, ETH_ALEN);
}
if (bulletin->valid_bitmap & (1 << LINK_VALID)) {
DP(BNX2X_MSG_IOV, "link update speed %d flags %x\n",
bulletin->link_speed, bulletin->link_flags);
Reported by FlawFinder.