The following issues were found
drivers/gpu/drm/i915/gt/intel_engine_cs.c
11 issues
Line: 1398
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t pos;
for (pos = 0; pos < len; pos += rowsize) {
char line[128];
if (prev && !memcmp(prev, buf + pos, rowsize)) {
if (!skip) {
drm_printf(m, "*\n");
skip = true;
Reported by FlawFinder.
Line: 1535
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
execlists_active_lock_bh(execlists);
rcu_read_lock();
for (port = execlists->active; (rq = *port); port++) {
char hdr[160];
int len;
len = scnprintf(hdr, sizeof(hdr),
"\t\tActive[%d]: ccid:%08x%s%s, ",
(int)(port - execlists->active),
Reported by FlawFinder.
Line: 1549
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
i915_request_show(m, rq, hdr, 0);
}
for (port = execlists->pending; (rq = *port); port++) {
char hdr[160];
int len;
len = scnprintf(hdr, sizeof(hdr),
"\t\tPending[%d]: ccid:%08x%s%s, ",
(int)(port - execlists->pending),
Reported by FlawFinder.
Line: 1597
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rq->tail < head) {
len = rq->ring->size - head;
memcpy(ring, vaddr + head, len);
head = 0;
}
memcpy(ring + len, vaddr + head, size - len);
hexdump(m, ring, size);
Reported by FlawFinder.
Line: 1600
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ring, vaddr + head, len);
head = 0;
}
memcpy(ring + len, vaddr + head, size - len);
hexdump(m, ring, size);
kfree(ring);
}
}
Reported by FlawFinder.
Line: 1503
Column: 6
CWE codes:
120
20
&engine->status_page.addr[I915_HWS_CSB_BUF0_INDEX];
const u8 num_entries = execlists->csb_size;
unsigned int idx;
u8 read, write;
drm_printf(m, "\tExeclist tasklet queued? %s (%s), preempt? %s, timeslice? %s\n",
yesno(test_bit(TASKLET_STATE_SCHED,
&engine->execlists.tasklet.state)),
enableddisabled(!atomic_read(&engine->execlists.tasklet.count)),
Reported by FlawFinder.
Line: 1518
Column: 7
CWE codes:
120
20
drm_printf(m, "\tExeclist status: 0x%08x %08x; CSB read:%d, write:%d, entries:%d\n",
ENGINE_READ(engine, RING_EXECLIST_STATUS_LO),
ENGINE_READ(engine, RING_EXECLIST_STATUS_HI),
read, write, num_entries);
if (read >= num_entries)
read = 0;
if (write >= num_entries)
write = 0;
Reported by FlawFinder.
Line: 1520
Column: 7
CWE codes:
120
20
ENGINE_READ(engine, RING_EXECLIST_STATUS_HI),
read, write, num_entries);
if (read >= num_entries)
read = 0;
if (write >= num_entries)
write = 0;
if (read > write)
write += num_entries;
Reported by FlawFinder.
Line: 1524
Column: 7
CWE codes:
120
20
read = 0;
if (write >= num_entries)
write = 0;
if (read > write)
write += num_entries;
while (read < write) {
idx = ++read % num_entries;
drm_printf(m, "\tExeclist CSB[%d]: 0x%08x, context: %d\n",
idx, hws[idx * 2], hws[idx * 2 + 1]);
Reported by FlawFinder.
Line: 1526
Column: 10
CWE codes:
120
20
write = 0;
if (read > write)
write += num_entries;
while (read < write) {
idx = ++read % num_entries;
drm_printf(m, "\tExeclist CSB[%d]: 0x%08x, context: %d\n",
idx, hws[idx * 2], hws[idx * 2 + 1]);
}
Reported by FlawFinder.
drivers/hwmon/hwmon.c
11 issues
Line: 70
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t
name_show(struct device *dev, struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%s\n", to_hwmon_device(dev)->name);
}
static DEVICE_ATTR_RO(name);
static struct attribute *hwmon_dev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 332
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
trace_hwmon_attr_show_string(hattr->index + hwmon_attr_base(type),
hattr->name, s);
return sprintf(buf, "%s\n", s);
}
static ssize_t hwmon_attr_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 910
Column: 13
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
{
int id;
if (likely(sscanf(dev_name(dev), HWMON_ID_FORMAT, &id) == 1)) {
device_unregister(dev);
ida_simple_remove(&hwmon_ida, id);
} else
dev_dbg(dev->parent,
"hwmon_device_unregister() failed: bad class ID!\n");
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum hwmon_sensor_types type;
u32 attr;
int index;
char name[MAX_SYSFS_ATTR_NAME_LENGTH];
};
#define to_hwmon_attr(d) \
container_of(d, struct hwmon_device_attribute, dev_attr)
#define to_dev_attr(a) container_of(a, struct device_attribute, attr)
Reported by FlawFinder.
Line: 312
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
trace_hwmon_attr_show(hattr->index + hwmon_attr_base(hattr->type),
hattr->name, val);
return sprintf(buf, "%ld\n", val);
}
static ssize_t hwmon_attr_show_string(struct device *dev,
struct device_attribute *devattr,
char *buf)
Reported by FlawFinder.
Line: 626
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int hwmon_notify_event(struct device *dev, enum hwmon_sensor_types type,
u32 attr, int channel)
{
char sattr[MAX_SYSFS_ATTR_NAME_LENGTH];
const char * const *templates;
const char *template;
int base;
if (type >= ARRAY_SIZE(__templates))
Reported by FlawFinder.
Line: 304
Column: 20
CWE codes:
120
20
long val;
int ret;
ret = hattr->ops->read(dev, hattr->type, hattr->attr, hattr->index,
&val);
if (ret < 0)
return ret;
trace_hwmon_attr_show(hattr->index + hwmon_attr_base(hattr->type),
Reported by FlawFinder.
Line: 392
Column: 27
CWE codes:
120
20
return ERR_PTR(-ENOENT);
if ((mode & 0444) && ((is_string && !ops->read_string) ||
(!is_string && !ops->read)))
return ERR_PTR(-EINVAL);
if ((mode & 0222) && !ops->write)
return ERR_PTR(-EINVAL);
hattr = kzalloc(sizeof(*hattr), GFP_KERNEL);
Reported by FlawFinder.
Line: 740
Column: 16
CWE codes:
126
int i, err, id;
/* Complain about invalid characters in hwmon name attribute */
if (name && (!strlen(name) || strpbrk(name, "-* \t\n")))
dev_warn(dev,
"hwmon: '%s' is not a valid name attribute, please fix\n",
name);
id = ida_simple_get(&hwmon_ida, 0, 0, GFP_KERNEL);
Reported by FlawFinder.
drivers/input/joystick/gamecon.c
11 issues
Line: 70
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gc_pad {
struct input_dev *dev;
enum gc_type type;
char phys[32];
};
struct gc {
struct pardevice *pd;
struct gc_pad pads[GC_MAX_DEVICES];
Reported by FlawFinder.
Line: 207
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_n64_process_packet(struct gc *gc)
{
unsigned char data[GC_N64_LENGTH];
struct input_dev *dev;
int i, j, s;
signed char x, y;
gc_n64_read_packet(gc, data);
Reported by FlawFinder.
Line: 360
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_nes_process_packet(struct gc *gc)
{
unsigned char data[GC_SNESMOUSE_LENGTH];
struct gc_pad *pad;
struct input_dev *dev;
int i, j, s, len;
char x_rel, y_rel;
Reported by FlawFinder.
Line: 472
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_multi_process_packet(struct gc *gc)
{
unsigned char data[GC_MULTI2_LENGTH];
int data_len = gc->pad_count[GC_MULTI2] ? GC_MULTI2_LENGTH : GC_MULTI_LENGTH;
struct gc_pad *pad;
struct input_dev *dev;
int i, s;
Reported by FlawFinder.
Line: 582
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static void gc_psx_read_packet(struct gc *gc,
unsigned char data[GC_MAX_DEVICES][GC_PSX_BYTES],
unsigned char id[GC_MAX_DEVICES])
{
int i, j, max_len = 0;
unsigned long flags;
unsigned char data2[GC_MAX_DEVICES];
Reported by FlawFinder.
Line: 583
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_psx_read_packet(struct gc *gc,
unsigned char data[GC_MAX_DEVICES][GC_PSX_BYTES],
unsigned char id[GC_MAX_DEVICES])
{
int i, j, max_len = 0;
unsigned long flags;
unsigned char data2[GC_MAX_DEVICES];
Reported by FlawFinder.
Line: 587
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, j, max_len = 0;
unsigned long flags;
unsigned char data2[GC_MAX_DEVICES];
/* Select pad */
parport_write_data(gc->pd->port, GC_PSX_CLOCK | GC_PSX_SELECT | GC_PSX_POWER);
udelay(gc_psx_delay);
/* Deselect, begin command */
Reported by FlawFinder.
Line: 712
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_psx_process_packet(struct gc *gc)
{
unsigned char data[GC_MAX_DEVICES][GC_PSX_BYTES];
unsigned char id[GC_MAX_DEVICES];
struct gc_pad *pad;
int i;
gc_psx_read_packet(gc, data, id);
Reported by FlawFinder.
Line: 713
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void gc_psx_process_packet(struct gc *gc)
{
unsigned char data[GC_MAX_DEVICES][GC_PSX_BYTES];
unsigned char id[GC_MAX_DEVICES];
struct gc_pad *pad;
int i;
gc_psx_read_packet(gc, data, id);
Reported by FlawFinder.
Line: 553
Column: 17
CWE codes:
120
20
static void gc_psx_command(struct gc *gc, int b, unsigned char *data)
{
struct parport *port = gc->pd->port;
int i, j, cmd, read;
memset(data, 0, GC_MAX_DEVICES);
for (i = 0; i < GC_PSX_LENGTH; i++, b >>= 1) {
cmd = (b & 1) ? GC_PSX_COMMAND : 0;
Reported by FlawFinder.
drivers/infiniband/hw/mlx4/mcg.c
10 issues
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ib_sa_mad response_sa_mad;
__be64 last_req_tid;
char name[33]; /* MGID string */
struct device_attribute dentry;
/* refcount is the reference count for the following:
1. Each queued request
2. Each invocation of the worker thread
Reported by FlawFinder.
Line: 259
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret;
/* we rely on a mad request as arrived from a VF */
memcpy(&mad, sa_mad, sizeof mad);
/* fix port GID to be the real one (slave 0) */
sa_mad_data->port_gid.global.interface_id = group->demux->guid_cache[0];
/* assign our own TID */
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* reconstruct VF's requested join_state and port_gid */
sa_data->scope_join_state &= 0xf0;
sa_data->scope_join_state |= (group->func[slave].join_state & 0x0f);
memcpy(&sa_data->port_gid, &req_sa_data->port_gid, sizeof req_sa_data->port_gid);
ret = send_mad_to_slave(slave, group->demux, (struct ib_mad *)&mad);
return ret;
}
Reported by FlawFinder.
Line: 702
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
--rc;
} else if (!resp_join_state)
++rc;
memcpy(&group->rec, group->response_sa_mad.data, sizeof group->rec);
}
group->state = MCAST_IDLE;
}
process_requests:
Reported by FlawFinder.
Line: 759
Column: 5
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (group->last_req_tid == tid) {
if (memcmp(new_mgid, &mgid0, sizeof mgid0)) {
group->rec.mgid = *new_mgid;
sprintf(group->name, "%016llx%016llx",
be64_to_cpu(group->rec.mgid.global.subnet_prefix),
be64_to_cpu(group->rec.mgid.global.interface_id));
list_del_init(&group->mgid0_list);
cur_group = mcast_insert(ctx, group);
if (cur_group) {
Reported by FlawFinder.
Line: 840
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
INIT_WORK(&group->work, mlx4_ib_mcg_work_handler);
INIT_DELAYED_WORK(&group->timeout_work, mlx4_ib_mcg_timeout_handler);
mutex_init(&group->lock);
sprintf(group->name, "%016llx%016llx",
be64_to_cpu(group->rec.mgid.global.subnet_prefix),
be64_to_cpu(group->rec.mgid.global.interface_id));
sysfs_attr_init(&group->dentry.attr);
group->dentry.show = sysfs_show_group;
group->dentry.store = NULL;
Reported by FlawFinder.
Line: 996
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mcast_group *group =
container_of(attr, struct mcast_group, dentry);
struct mcast_req *req = NULL;
char state_str[40];
char pending_str[40];
int len;
int i;
u32 hoplimit;
Reported by FlawFinder.
Line: 997
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
container_of(attr, struct mcast_group, dentry);
struct mcast_req *req = NULL;
char state_str[40];
char pending_str[40];
int len;
int i;
u32 hoplimit;
if (group->state == MCAST_IDLE)
Reported by FlawFinder.
Line: 1054
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int mlx4_ib_mcg_port_init(struct mlx4_ib_demux_ctx *ctx)
{
char name[20];
atomic_set(&ctx->tid, 0);
sprintf(name, "mlx4_ib_mcg%d", ctx->port);
ctx->mcg_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
if (!ctx->mcg_wq)
Reported by FlawFinder.
Line: 1057
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char name[20];
atomic_set(&ctx->tid, 0);
sprintf(name, "mlx4_ib_mcg%d", ctx->port);
ctx->mcg_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
if (!ctx->mcg_wq)
return -ENOMEM;
mutex_init(&ctx->mcg_table_lock);
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_svm.c
10 issues
Line: 62
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u32 engine;
u8 gpc;
u8 hub;
u8 access;
u8 client;
u8 fault;
struct nouveau_svmm *svmm;
} **fault;
int fault_nr;
Reported by FlawFinder.
Line: 445
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return ret;
if ((ret = (s64)fa->addr - fb->addr))
return ret;
return nouveau_svm_fault_priority(fa->access) -
nouveau_svm_fault_priority(fb->access);
}
static void
nouveau_svm_fault_cache(struct nouveau_svm *svm,
Reported by FlawFinder.
Line: 446
Column: 34
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if ((ret = (s64)fa->addr - fb->addr))
return ret;
return nouveau_svm_fault_priority(fa->access) -
nouveau_svm_fault_priority(fb->access);
}
static void
nouveau_svm_fault_cache(struct nouveau_svm *svm,
struct nouveau_svm_fault_buffer *buffer, u32 offset)
Reported by FlawFinder.
Line: 495
Column: 36
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
fault->fault = (info & 0x0000001f);
SVM_DBG(svm, "fault %016llx %016llx %02x",
fault->inst, fault->addr, fault->access);
}
struct svm_notifier {
struct mmu_interval_notifier notifier;
struct nouveau_svmm *svmm;
Reported by FlawFinder.
Line: 807
Column: 30
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* Determine required permissions based on GPU fault
* access flags.
*/
switch (buffer->fault[fi]->access) {
case 0: /* READ. */
hmm_flags = HMM_PFN_REQ_FAULT;
break;
case 2: /* ATOMIC. */
atomic = true;
Reported by FlawFinder.
Line: 854
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
buffer->fault[fn]->addr >= limit ||
(buffer->fault[fi]->access == FAULT_ACCESS_READ &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_V)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_W)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_WRITE &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
Reported by FlawFinder.
Line: 855
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
(buffer->fault[fi]->access == FAULT_ACCESS_READ &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_V)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_W)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_WRITE &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_A)))
Reported by FlawFinder.
Line: 857
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_W)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_WRITE &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_A)))
break;
}
Reported by FlawFinder.
Line: 858
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_W)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_WRITE &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_A)))
break;
}
Reported by FlawFinder.
Line: 859
Column: 28
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_W)) ||
(buffer->fault[fi]->access != FAULT_ACCESS_READ &&
buffer->fault[fi]->access != FAULT_ACCESS_WRITE &&
buffer->fault[fi]->access != FAULT_ACCESS_PREFETCH &&
!(args.phys[0] & NVIF_VMM_PFNMAP_V0_A)))
break;
}
/* If handling failed completely, cancel all faults. */
Reported by FlawFinder.
drivers/hwmon/f75375s.c
10 issues
Line: 358
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", data->pwm_enable[nr]);
}
static int set_pwm_enable_direct(struct i2c_client *client, int nr, int val)
{
struct f75375_data *data = i2c_get_clientdata(client);
Reported by FlawFinder.
Line: 493
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", data->pwm[nr]);
}
static ssize_t show_pwm_mode(struct device *dev, struct device_attribute
*attr, char *buf)
{
Reported by FlawFinder.
Line: 501
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", data->pwm_mode[nr]);
}
#define VOLT_FROM_REG(val) ((val) * 8)
#define VOLT_TO_REG(val) ((val) / 8)
Reported by FlawFinder.
Line: 512
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", VOLT_FROM_REG(data->in[nr]));
}
static ssize_t show_in_max(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 520
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", VOLT_FROM_REG(data->in_max[nr]));
}
static ssize_t show_in_min(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 528
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", VOLT_FROM_REG(data->in_min[nr]));
}
static ssize_t set_in_max(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 581
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", TEMP11_FROM_REG(data->temp11[nr]));
}
static ssize_t show_temp_max(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 589
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp_high[nr]));
}
static ssize_t show_temp_max_hyst(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 597
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int nr = to_sensor_dev_attr(attr)->index;
struct f75375_data *data = f75375_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp_max_hyst[nr]));
}
static ssize_t set_temp_max(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 649
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{\
int nr = to_sensor_dev_attr(attr)->index;\
struct f75375_data *data = f75375_update_device(dev); \
return sprintf(buf, "%d\n", rpm_from_reg(data->thing[nr])); \
}
show_fan(fan);
show_fan(fan_min);
show_fan(fan_max);
Reported by FlawFinder.
drivers/infiniband/hw/bnxt_re/qplib_fp.c
10 issues
Line: 1252
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
req.network_type_en_sqd_async_notify_new_state |= qp->nw_type;
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_ACCESS)
req.access = qp->access;
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_PKEY) {
if (!bnxt_qplib_get_pkey(res, &res->pkey_tbl,
qp->pkey_index, &pkey))
req.pkey = cpu_to_le16(pkey);
Reported by FlawFinder.
Line: 1362
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
qp->en_sqd_async_notify = sb->en_sqd_async_notify_state &
CREQ_QUERY_QP_RESP_SB_EN_SQD_ASYNC_NOTIFY ?
true : false;
qp->access = sb->access;
qp->pkey_index = le16_to_cpu(sb->pkey);
qp->qkey = le32_to_cpu(sb->qkey);
temp32[0] = le32_to_cpu(sb->dgid[0]);
temp32[1] = le32_to_cpu(sb->dgid[1]);
Reported by FlawFinder.
Line: 1263
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.qkey = cpu_to_le32(qp->qkey);
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_DGID) {
memcpy(temp32, qp->ah.dgid.data, sizeof(struct bnxt_qplib_gid));
req.dgid[0] = cpu_to_le32(temp32[0]);
req.dgid[1] = cpu_to_le32(temp32[1]);
req.dgid[2] = cpu_to_le32(temp32[2]);
req.dgid[3] = cpu_to_le32(temp32[3]);
}
Reported by FlawFinder.
Line: 1283
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.traffic_class = qp->ah.traffic_class;
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_DEST_MAC)
memcpy(req.dest_mac, qp->ah.dmac, 6);
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU)
req.path_mtu = qp->path_mtu;
if (bmask & CMDQ_MODIFY_QP_MODIFY_MASK_TIMEOUT)
Reported by FlawFinder.
Line: 1386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qp->ah.hop_limit = sb->hop_limit;
qp->ah.traffic_class = sb->traffic_class;
memcpy(qp->ah.dmac, sb->dest_mac, 6);
qp->ah.vlan_id = (le16_to_cpu(sb->path_mtu_dest_vlan_id) &
CREQ_QUERY_QP_RESP_SB_VLAN_ID_MASK) >>
CREQ_QUERY_QP_RESP_SB_VLAN_ID_SFT;
qp->path_mtu = (le16_to_cpu(sb->path_mtu_dest_vlan_id) &
CREQ_QUERY_QP_RESP_SB_PATH_MTU_MASK) >>
Reported by FlawFinder.
Line: 1408
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qp->rq.max_sge = le16_to_cpu(sb->rq_sge);
qp->max_inline_data = le32_to_cpu(sb->max_inline_data);
qp->dest_qpn = le32_to_cpu(sb->dest_qp_id);
memcpy(qp->smac, sb->src_mac, 6);
qp->vlan_id = le16_to_cpu(sb->vlan_pcp_vlan_dei_vlan_id);
bail:
bnxt_qplib_rcfw_free_sbuf(rcfw, sbuf);
return rc;
}
Reported by FlawFinder.
Line: 1613
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cplen = min_t(int, len, sizeof(struct sq_sge));
cplen = min_t(int, cplen,
(sizeof(struct sq_sge) - offt));
memcpy(il_dst, il_src, cplen);
t_cplen += cplen;
il_src += cplen;
il_dst += cplen;
offt += cplen;
len -= cplen;
Reported by FlawFinder.
Line: 1882
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(wqe->frmr.zero_based ? SQ_FR_PMR_ZERO_BASED : 0);
sqe->l_key = cpu_to_le32(wqe->frmr.l_key);
temp32 = cpu_to_le32(wqe->frmr.length);
memcpy(sqe->length, &temp32, sizeof(wqe->frmr.length));
sqe->numlevels_pbl_page_size_log =
((wqe->frmr.pbl_pg_sz_log <<
SQ_FR_PMR_PBL_PAGE_SIZE_LOG_SFT) &
SQ_FR_PMR_PBL_PAGE_SIZE_LOG_MASK) |
((wqe->frmr.levels << SQ_FR_PMR_NUMLEVELS_SFT) &
Reported by FlawFinder.
Line: 2542
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cqe->status = hwcqe->status;
cqe->qp_handle = (u64)(unsigned long)qp;
/*FIXME: Endianness fix needed for smace */
memcpy(cqe->smac, hwcqe->src_mac, ETH_ALEN);
wr_id_idx = le32_to_cpu(hwcqe->src_qp_high_srq_or_rq_wr_id)
& CQ_RES_UD_SRQ_OR_RQ_WR_ID_MASK;
cqe->src_qp = le16_to_cpu(hwcqe->src_qp_low) |
((le32_to_cpu(
hwcqe->src_qp_high_srq_or_rq_wr_id) &
Reported by FlawFinder.
Line: 2650
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cqe->length = le16_to_cpu(hwcqe->length);
}
cqe->pkey_index = qp->pkey_index;
memcpy(cqe->smac, qp->smac, 6);
cqe->raweth_qp1_flags = le16_to_cpu(hwcqe->raweth_qp1_flags);
cqe->raweth_qp1_flags2 = le32_to_cpu(hwcqe->raweth_qp1_flags2);
cqe->raweth_qp1_metadata = le32_to_cpu(hwcqe->raweth_qp1_metadata);
Reported by FlawFinder.
drivers/macintosh/smu.c
10 issues
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill the SMU command buffer */
smu->cmd_buf->cmd = cmd->cmd;
smu->cmd_buf->length = cmd->data_len;
memcpy(smu->cmd_buf->data, cmd->data_buf, cmd->data_len);
/* Flush command and data to RAM */
faddr = (unsigned long)smu->cmd_buf;
fend = faddr + smu->cmd_buf->length + 2;
flush_dcache_range(faddr, fend);
Reported by FlawFinder.
Line: 216
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
cmd->reply_len = reply_len;
if (cmd->reply_buf && reply_len)
memcpy(cmd->reply_buf, smu->cmd_buf->data, reply_len);
}
/* Now complete the command. Write status last in order as we lost
* ownership of the command structure as soon as it's no longer -1
*/
Reported by FlawFinder.
Line: 718
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cmd->pdata[0] < 1)
fail = 1;
else
memcpy(cmd->info.data, &cmd->pdata[1],
cmd->info.datalen);
}
DPRINTK("SMU: completing, success: %d\n", !fail);
Reported by FlawFinder.
Line: 985
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return NULL;
hdr = (struct smu_sdbp_header *)(prop + 1);
prop->name = ((char *)prop) + tlen - 18;
sprintf(prop->name, "sdb-partition-%02x", id);
prop->length = len;
prop->value = hdr;
prop->next = NULL;
/* Read the datablock */
Reported by FlawFinder.
Line: 1021
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct smu_sdbp_header *__smu_get_sdb_partition(int id,
unsigned int *size, int interruptible)
{
char pname[32];
const struct smu_sdbp_header *part;
if (!smu)
return NULL;
Reported by FlawFinder.
Line: 1027
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!smu)
return NULL;
sprintf(pname, "sdb-partition-%02x", id);
DPRINTK("smu_get_sdb_partition(%02x)\n", id);
if (interruptible) {
int rc;
Reported by FlawFinder.
Line: 714
Column: 20
CWE codes:
120
20
unsigned long flags;
/* Check for read case */
if (!fail && cmd->read) {
if (cmd->pdata[0] < 1)
fail = 1;
else
memcpy(cmd->info.data, &cmd->pdata[1],
cmd->info.datalen);
Reported by FlawFinder.
Line: 781
Column: 16
CWE codes:
120
20
/* Check for possible status */
if (scmd->status < 0)
fail = 1;
else if (cmd->read) {
if (cmd->stage == 0)
fail = cmd->pdata[0] != 0;
else
fail = cmd->pdata[0] >= 0x80;
} else {
Reported by FlawFinder.
Line: 866
Column: 11
CWE codes:
120
20
/* Finish setting up command based on transfer direction
*/
if (cmd->read) {
if (cmd->info.datalen > SMU_I2C_READ_MAX)
return -EINVAL;
memset(cmd->info.data, 0xff, cmd->info.datalen);
cmd->scmd.data_len = 9;
} else {
Reported by FlawFinder.
Line: 879
Column: 8
CWE codes:
120
20
DPRINTK("SMU: i2c enqueuing command\n");
DPRINTK("SMU: %s, len=%d bus=%x addr=%x sub0=%x type=%x\n",
cmd->read ? "read" : "write", cmd->info.datalen,
cmd->info.bus, cmd->info.caddr,
cmd->info.subaddr[0], cmd->info.type);
/* Enqueue command in i2c list, and if empty, enqueue also in
Reported by FlawFinder.
drivers/hwmon/adm1025.c
10 issues
Line: 168
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", IN_FROM_REG(data->in[index],
in_scale[index]));
}
static ssize_t
in_min_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 177
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", IN_FROM_REG(data->in_min[index],
in_scale[index]));
}
static ssize_t
in_max_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 186
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", IN_FROM_REG(data->in_max[index],
in_scale[index]));
}
static ssize_t
temp_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 195
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[index]));
}
static ssize_t
temp_min_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 203
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp_min[index]));
}
static ssize_t
temp_max_show(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 211
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int index = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp_max[index]));
}
static ssize_t in_min_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 330
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
alarms_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", data->alarms);
}
static DEVICE_ATTR_RO(alarms);
static ssize_t
alarm_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 339
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int bitnr = to_sensor_dev_attr(attr)->index;
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", (data->alarms >> bitnr) & 1);
}
static SENSOR_DEVICE_ATTR_RO(in0_alarm, alarm, 0);
static SENSOR_DEVICE_ATTR_RO(in1_alarm, alarm, 1);
static SENSOR_DEVICE_ATTR_RO(in2_alarm, alarm, 2);
static SENSOR_DEVICE_ATTR_RO(in3_alarm, alarm, 3);
Reported by FlawFinder.
Line: 355
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cpu0_vid_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct adm1025_data *data = adm1025_update_device(dev);
return sprintf(buf, "%u\n", vid_from_reg(data->vid, data->vrm));
}
static DEVICE_ATTR_RO(cpu0_vid);
static ssize_t
vrm_show(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 363
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
vrm_show(struct device *dev, struct device_attribute *attr, char *buf)
{
struct adm1025_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", data->vrm);
}
static ssize_t vrm_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct adm1025_data *data = dev_get_drvdata(dev);
Reported by FlawFinder.
drivers/infiniband/hw/irdma/trace_cm.h
10 issues
Line: 31
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(__entry->iwdev = iwdev;
__entry->lport = cm_info->loc_port;
__entry->ipv4 = cm_info->ipv4;
memcpy(__get_dynamic_array(laddr),
cm_info->loc_addr, 4);
),
TP_printk("iwdev=%p loc: %s",
__entry->iwdev,
__print_ip_addr(__get_dynamic_array(laddr),
Reported by FlawFinder.
Line: 54
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
TP_fast_assign(__entry->iwdev = listener->iwdev;
__entry->lport = listener->loc_port;
__entry->ipv4 = listener->ipv4;
memcpy(__get_dynamic_array(laddr),
listener->loc_addr, 4);
),
TP_printk("iwdev=%p caller=%pS loc: %s",
__entry->iwdev,
__entry->caller,
Reported by FlawFinder.
Line: 81
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->vlan_id = listener->vlan_id;
__entry->ipv4 = listener->ipv4;
__entry->state = listener->listener_state;
memcpy(__get_dynamic_array(laddr),
listener->loc_addr, 4);
),
TP_printk("iwdev=%p vlan=%d loc: %s",
__entry->iwdev,
__entry->vlan_id,
Reported by FlawFinder.
Line: 160
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->lport = listener->loc_port;
__entry->vlan_id = listener->vlan_id;
__entry->ipv4 = listener->ipv4;
memcpy(__get_dynamic_array(laddr),
listener->loc_addr, 4);
ether_addr_copy(__get_dynamic_array(mac),
dev_addr);
),
TP_printk("iwdev=%p vlan=%d MAC=%6phC loc: %s",
Reported by FlawFinder.
Line: 231
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->type = type;
__entry->status = status;
__entry->caller = caller;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p caller=%pS cm_id=%p node=%p refcnt=%d vlan_id=%d accel=%d state=%s event_type=%s status=%d loc: %s rem: %s",
Reported by FlawFinder.
Line: 233
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->caller = caller;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p caller=%pS cm_id=%p node=%p refcnt=%d vlan_id=%d accel=%d state=%s event_type=%s status=%d loc: %s rem: %s",
__entry->iwdev,
__entry->caller,
Reported by FlawFinder.
Line: 305
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->accel = cm_node->accelerated;
__entry->type = type;
__entry->caller = caller;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p caller=%pS node=%p refcnt=%d vlan_id=%d accel=%d state=%s event_type=%s loc: %s rem: %s",
Reported by FlawFinder.
Line: 307
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->caller = caller;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p caller=%pS node=%p refcnt=%d vlan_id=%d accel=%d state=%s event_type=%s loc: %s rem: %s",
__entry->iwdev,
__entry->caller,
Reported by FlawFinder.
Line: 424
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->ipv4 = cm_node->ipv4;
__entry->vlan_id = cm_node->vlan_id;
__entry->accel = cm_node->accelerated;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p node=%p ah=%p refcnt=%d vlan_id=%d accel=%d state=%s loc: %s rem: %s",
Reported by FlawFinder.
Line: 426
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->accel = cm_node->accelerated;
memcpy(__get_dynamic_array(laddr),
cm_node->loc_addr, 4);
memcpy(__get_dynamic_array(raddr),
cm_node->rem_addr, 4);
),
TP_printk("iwdev=%p node=%p ah=%p refcnt=%d vlan_id=%d accel=%d state=%s loc: %s rem: %s",
__entry->iwdev,
__entry->cm_node,
Reported by FlawFinder.