The following issues were found
drivers/hid/intel-ish-hid/ishtp-hid-client.c
8 issues
Line: 48
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"is_response=%02X\n",
recv_msg->hdr.command, client_data->bad_recv_cnt,
(unsigned int)cur_pos,
((unsigned char *)recv_msg)[0], ((unsigned char *)recv_msg)[1],
((unsigned char *)recv_msg)[2], ((unsigned char *)recv_msg)[3],
(unsigned int)payload_len, client_data->multi_packet_cnt,
recv_msg->hdr.command & ~CMD_MASK);
}
Reported by FlawFinder.
Line: 48
Column: 46
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"is_response=%02X\n",
recv_msg->hdr.command, client_data->bad_recv_cnt,
(unsigned int)cur_pos,
((unsigned char *)recv_msg)[0], ((unsigned char *)recv_msg)[1],
((unsigned char *)recv_msg)[2], ((unsigned char *)recv_msg)[3],
(unsigned int)payload_len, client_data->multi_packet_cnt,
recv_msg->hdr.command & ~CMD_MASK);
}
Reported by FlawFinder.
Line: 49
Column: 46
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
recv_msg->hdr.command, client_data->bad_recv_cnt,
(unsigned int)cur_pos,
((unsigned char *)recv_msg)[0], ((unsigned char *)recv_msg)[1],
((unsigned char *)recv_msg)[2], ((unsigned char *)recv_msg)[3],
(unsigned int)payload_len, client_data->multi_packet_cnt,
recv_msg->hdr.command & ~CMD_MASK);
}
/**
Reported by FlawFinder.
Line: 49
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
recv_msg->hdr.command, client_data->bad_recv_cnt,
(unsigned int)cur_pos,
((unsigned char *)recv_msg)[0], ((unsigned char *)recv_msg)[1],
((unsigned char *)recv_msg)[2], ((unsigned char *)recv_msg)[3],
(unsigned int)payload_len, client_data->multi_packet_cnt,
recv_msg->hdr.command & ~CMD_MASK);
}
/**
Reported by FlawFinder.
Line: 151
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_info = (struct device_info *)(payload + 1 +
sizeof(struct device_info) * i);
if (client_data->hid_devices)
memcpy(client_data->hid_devices + i,
dev_info,
sizeof(struct device_info));
}
client_data->enum_devices_done = true;
Reported by FlawFinder.
Line: 176
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
devm_kmalloc(cl_data_to_dev(client_data),
payload_len, GFP_KERNEL);
if (client_data->hid_descr[curr_hid_dev]) {
memcpy(client_data->hid_descr[curr_hid_dev],
payload, payload_len);
client_data->hid_descr_size[curr_hid_dev] =
payload_len;
client_data->hid_descr_done = true;
}
Reported by FlawFinder.
Line: 201
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
devm_kmalloc(cl_data_to_dev(client_data),
payload_len, GFP_KERNEL);
if (client_data->report_descr[curr_hid_dev]) {
memcpy(client_data->report_descr[curr_hid_dev],
payload,
payload_len);
client_data->report_descr_size[curr_hid_dev] =
payload_len;
client_data->report_descr_done = true;
Reported by FlawFinder.
Line: 235
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hid_data->raw_buf_size :
payload_len;
memcpy(hid_data->raw_buf,
payload, raw_len);
} else {
hid_input_report
(hid, report_type,
payload, payload_len,
Reported by FlawFinder.
drivers/leds/led-class-flash.c
8 issues
Line: 212
CWE codes:
628
mask <<= 1;
}
return sprintf(buf, "%s\n", buf);
}
static DEVICE_ATTR_RO(flash_fault);
static struct attribute *led_flash_strobe_attrs[] = {
&dev_attr_flash_strobe.attr,
Reported by Cppcheck.
Line: 205
Column: 14
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < LED_NUM_FLASH_FAULTS; ++i) {
if (fault & mask) {
buf_len = sprintf(pbuf, "%s ",
led_flash_fault_names[i]);
pbuf += buf_len;
}
mask <<= 1;
}
Reported by FlawFinder.
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mask <<= 1;
}
return sprintf(buf, "%s\n", buf);
}
static DEVICE_ATTR_RO(flash_fault);
static struct attribute *led_flash_strobe_attrs[] = {
&dev_attr_flash_strobe.attr,
Reported by FlawFinder.
Line: 75
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/* no lock needed for this */
led_update_flash_brightness(fled_cdev);
return sprintf(buf, "%u\n", fled_cdev->brightness.val);
}
static DEVICE_ATTR_RW(flash_brightness);
static ssize_t max_flash_brightness_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 85
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct led_classdev *led_cdev = dev_get_drvdata(dev);
struct led_classdev_flash *fled_cdev = lcdev_to_flcdev(led_cdev);
return sprintf(buf, "%u\n", fled_cdev->brightness.max);
}
static DEVICE_ATTR_RO(max_flash_brightness);
static ssize_t flash_strobe_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t size)
Reported by FlawFinder.
Line: 135
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%u\n", state);
}
static DEVICE_ATTR_RW(flash_strobe);
static ssize_t flash_timeout_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t size)
Reported by FlawFinder.
Line: 174
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct led_classdev *led_cdev = dev_get_drvdata(dev);
struct led_classdev_flash *fled_cdev = lcdev_to_flcdev(led_cdev);
return sprintf(buf, "%u\n", fled_cdev->timeout.val);
}
static DEVICE_ATTR_RW(flash_timeout);
static ssize_t max_flash_timeout_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 184
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct led_classdev *led_cdev = dev_get_drvdata(dev);
struct led_classdev_flash *fled_cdev = lcdev_to_flcdev(led_cdev);
return sprintf(buf, "%u\n", fled_cdev->timeout.max);
}
static DEVICE_ATTR_RO(max_flash_timeout);
static ssize_t flash_fault_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/edid.c
8 issues
Line: 141
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct drm_i915_private *i915 = vgpu->gvt->gt->i915;
int port, pin_select;
memcpy(&vgpu_vreg(vgpu, offset), p_data, bytes);
pin_select = vgpu_vreg(vgpu, offset) & _GMBUS_PIN_SEL_MASK;
intel_vgpu_init_i2c_edid(vgpu);
Reported by FlawFinder.
Line: 299
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Data can only be recevied if previous settings correct */
if (vgpu_vreg_t(vgpu, PCH_GMBUS1) & GMBUS_SLAVE_READ) {
if (byte_left <= 0) {
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
return 0;
}
if (byte_count > 4)
byte_count = 4;
Reported by FlawFinder.
Line: 310
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reg_data |= (byte_data << (i << 3));
}
memcpy(&vgpu_vreg(vgpu, offset), ®_data, byte_count);
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
if (byte_left <= 4) {
switch (i2c_edid->gmbus.cycle_type) {
case NIDX_STOP:
Reported by FlawFinder.
Line: 311
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(&vgpu_vreg(vgpu, offset), ®_data, byte_count);
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
if (byte_left <= 4) {
switch (i2c_edid->gmbus.cycle_type) {
case NIDX_STOP:
case IDX_STOP:
Reported by FlawFinder.
Line: 332
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* return the latest written value
*/
} else {
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
gvt_vgpu_err("warning: gmbus3 read with nothing returned\n");
}
return 0;
}
Reported by FlawFinder.
Line: 345
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(vgpu_vreg(vgpu, offset) & GMBUS_INUSE))
vgpu_vreg(vgpu, offset) |= GMBUS_INUSE;
memcpy(p_data, (void *)&value, bytes);
return 0;
}
static int gmbus2_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
void *p_data, unsigned int bytes)
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (offset == i915_mmio_reg_offset(PCH_GMBUS3))
return gmbus3_mmio_read(vgpu, offset, p_data, bytes);
memcpy(p_data, &vgpu_vreg(vgpu, offset), bytes);
return 0;
}
/**
* intel_gvt_i2c_handle_gmbus_write - emulate gmbus register mmio write
Reported by FlawFinder.
Line: 420
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (offset == i915_mmio_reg_offset(PCH_GMBUS3))
return gmbus3_mmio_write(vgpu, offset, p_data, bytes);
memcpy(&vgpu_vreg(vgpu, offset), p_data, bytes);
return 0;
}
enum {
AUX_CH_CTL = 0,
Reported by FlawFinder.
drivers/hid/wacom_sys.c
8 issues
Line: 169
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (wacom_wac_pen_serial_enforce(hdev, report, raw_data, size))
return -1;
memcpy(wacom->wacom_wac.data, raw_data, size);
wacom_wac_irq(&wacom->wacom_wac, size);
return 0;
}
Reported by FlawFinder.
Line: 1017
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1] = button_id & 0x07;
for (i = 0; i < 4; i++) {
buf[2] = i;
memcpy(buf + 3, img + i * chunk_len, chunk_len);
retval = wacom_set_report(wacom->hdev, HID_FEATURE_REPORT,
buf, chunk_len + 3, WAC_CMD_RETRIES);
if (retval < 0)
break;
Reported by FlawFinder.
Line: 1781
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
bat_desc->properties = wacom_battery_props;
bat_desc->num_properties = ARRAY_SIZE(wacom_battery_props);
bat_desc->get_property = wacom_battery_get_property;
sprintf(battery->bat_name, "wacom_battery_%ld", n);
bat_desc->name = battery->bat_name;
bat_desc->type = POWER_SUPPLY_TYPE_USB;
bat_desc->use_for_apm = 0;
ps_bat = devm_power_supply_register(dev, bat_desc, &psy_cfg);
Reported by FlawFinder.
Line: 1864
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
u8 mode;
mode = wacom->led.groups[index].select;
return sprintf(buf, "%d\n", mode < 3 ? mode : -1);
}
#define DEVICE_EKR_ATTR_GROUP(SET_ID) \
static ssize_t wacom_show_remote##SET_ID##_mode(struct kobject *kobj, \
struct kobj_attribute *kattr, char *buf) \
Reported by FlawFinder.
Line: 2214
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct wacom_wac *wacom_wac = &wacom->wacom_wac;
struct wacom_features *features = &wacom_wac->features;
char name[WACOM_NAME_MAX - 20]; /* Leave some room for suffixes */
/* Generic devices name unspecified */
if ((features->type == HID_GENERIC) && !strcmp("Wacom HID", features->name)) {
char *product_name = wacom->hdev->name;
Reported by FlawFinder.
Line: 2243
Column: 24
CWE codes:
126
if (gap == NULL)
break;
/* shift everything including the terminator */
memmove(gap, gap+1, strlen(gap));
}
/* get rid of trailing whitespace */
if (name[strlen(name)-1] == ' ')
name[strlen(name)-1] = '\0';
Reported by FlawFinder.
Line: 2247
Column: 12
CWE codes:
126
}
/* get rid of trailing whitespace */
if (name[strlen(name)-1] == ' ')
name[strlen(name)-1] = '\0';
} else {
strlcpy(name, features->name, sizeof(name));
}
Reported by FlawFinder.
Line: 2248
Column: 9
CWE codes:
126
/* get rid of trailing whitespace */
if (name[strlen(name)-1] == ' ')
name[strlen(name)-1] = '\0';
} else {
strlcpy(name, features->name, sizeof(name));
}
snprintf(wacom_wac->name, sizeof(wacom_wac->name), "%s%s",
Reported by FlawFinder.
drivers/gpu/drm/imx/imx-ldb.c
8 issues
Line: 240
CWE codes:
476
else if (imx_ldb_ch == &ldb->channel[1])
lvds_mux = &ldb->lvds_mux[1];
regmap_update_bits(ldb->regmap, lvds_mux->reg, lvds_mux->mask,
mux << lvds_mux->shift);
}
regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl);
Reported by Cppcheck.
Line: 241
CWE codes:
476
lvds_mux = &ldb->lvds_mux[1];
regmap_update_bits(ldb->regmap, lvds_mux->reg, lvds_mux->mask,
mux << lvds_mux->shift);
}
regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl);
drm_panel_enable(imx_ldb_ch->panel);
Reported by Cppcheck.
Line: 345
CWE codes:
476
else if (imx_ldb_ch == &ldb->channel[1])
lvds_mux = &ldb->lvds_mux[1];
regmap_read(ldb->regmap, lvds_mux->reg, &mux);
mux &= lvds_mux->mask;
mux >>= lvds_mux->shift;
} else {
mux = (imx_ldb_ch == &ldb->channel[0]) ? 0 : 1;
}
Reported by Cppcheck.
Line: 346
CWE codes:
476
lvds_mux = &ldb->lvds_mux[1];
regmap_read(ldb->regmap, lvds_mux->reg, &mux);
mux &= lvds_mux->mask;
mux >>= lvds_mux->shift;
} else {
mux = (imx_ldb_ch == &ldb->channel[0]) ? 0 : 1;
}
Reported by Cppcheck.
Line: 347
CWE codes:
476
regmap_read(ldb->regmap, lvds_mux->reg, &mux);
mux &= lvds_mux->mask;
mux >>= lvds_mux->shift;
} else {
mux = (imx_ldb_ch == &ldb->channel[0]) ? 0 : 1;
}
/* set display clock mux back to original input clock */
Reported by Cppcheck.
Line: 419
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int imx_ldb_get_clk(struct imx_ldb *ldb, int chno)
{
char clkname[16];
snprintf(clkname, sizeof(clkname), "di%d", chno);
ldb->clk[chno] = devm_clk_get(ldb->dev, clkname);
if (IS_ERR(ldb->clk[chno]))
return PTR_ERR(ldb->clk[chno]);
Reported by FlawFinder.
Line: 656
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Map them all to di0_sel...di3_sel.
*/
for (i = 0; i < 4; i++) {
char clkname[16];
sprintf(clkname, "di%d_sel", i);
imx_ldb->clk_sel[i] = devm_clk_get(imx_ldb->dev, clkname);
if (IS_ERR(imx_ldb->clk_sel[i])) {
ret = PTR_ERR(imx_ldb->clk_sel[i]);
Reported by FlawFinder.
Line: 658
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < 4; i++) {
char clkname[16];
sprintf(clkname, "di%d_sel", i);
imx_ldb->clk_sel[i] = devm_clk_get(imx_ldb->dev, clkname);
if (IS_ERR(imx_ldb->clk_sel[i])) {
ret = PTR_ERR(imx_ldb->clk_sel[i]);
imx_ldb->clk_sel[i] = NULL;
break;
Reported by FlawFinder.
drivers/hwmon/smsc47m1.c
8 issues
Line: 448
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct smsc47m1_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", data->name);
}
static DEVICE_ATTR_RO(name);
static struct attribute *smsc47m1_attributes_fan1[] = {
&sensor_dev_attr_fan1_input.dev_attr.attr,
Reported by FlawFinder.
Line: 213
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
FAN_FROM_REG(data->fan[nr],
DIV_FROM_REG(data->fan_div[nr]),
data->fan_preload[nr]);
return sprintf(buf, "%d\n", rpm);
}
static ssize_t fan_min_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 224
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int nr = attr->index;
int rpm = MIN_FROM_REG(data->fan_preload[nr],
DIV_FROM_REG(data->fan_div[nr]));
return sprintf(buf, "%d\n", rpm);
}
static ssize_t fan_div_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 232
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct smsc47m1_data *data = smsc47m1_update_device(dev, 0);
return sprintf(buf, "%d\n", DIV_FROM_REG(data->fan_div[attr->index]));
}
static ssize_t fan_alarm_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 240
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
int bitnr = to_sensor_dev_attr(devattr)->index;
struct smsc47m1_data *data = smsc47m1_update_device(dev, 0);
return sprintf(buf, "%u\n", (data->alarms >> bitnr) & 1);
}
static ssize_t pwm_show(struct device *dev, struct device_attribute *devattr,
char *buf)
{
Reported by FlawFinder.
Line: 248
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct smsc47m1_data *data = smsc47m1_update_device(dev, 0);
return sprintf(buf, "%d\n", PWM_FROM_REG(data->pwm[attr->index]));
}
static ssize_t pwm_en_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 256
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct smsc47m1_data *data = smsc47m1_update_device(dev, 0);
return sprintf(buf, "%d\n", PWM_EN_FROM_REG(data->pwm[attr->index]));
}
static ssize_t alarms_show(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 263
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *devattr, char *buf)
{
struct smsc47m1_data *data = smsc47m1_update_device(dev, 0);
return sprintf(buf, "%d\n", data->alarms);
}
static ssize_t fan_min_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/engine/fifo/gk104.c
8 issues
Line: 159
(target << 28));
nvkm_wr32(device, 0x002274, (runl << 20) | nr);
if (nvkm_msec(device, 2000,
if (!(nvkm_rd32(device, 0x002284 + (runl * 0x08)) & 0x00100000))
break;
) < 0)
nvkm_error(subdev, "runlist %d update timeout\n", runl);
}
Reported by Cppcheck.
Line: 500
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ec = nvkm_enum_find(fifo->func->fault.gpcclient, info->client);
snprintf(ct, sizeof(ct), "GPC%d/", info->gpc);
}
ea = nvkm_enum_find(fifo->func->fault.access, info->access);
if (ee && ee->data2) {
switch (ee->data2) {
case NVKM_SUBDEV_BAR:
nvkm_bar_bar1_reset(device);
Reported by FlawFinder.
Line: 500
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ec = nvkm_enum_find(fifo->func->fault.gpcclient, info->client);
snprintf(ct, sizeof(ct), "GPC%d/", info->gpc);
}
ea = nvkm_enum_find(fifo->func->fault.access, info->access);
if (ee && ee->data2) {
switch (ee->data2) {
case NVKM_SUBDEV_BAR:
nvkm_bar_bar1_reset(device);
Reported by FlawFinder.
Line: 536
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
nvkm_error(subdev,
"fault %02x [%s] at %016llx engine %02x [%s] client %02x "
"[%s%s] reason %02x [%s] on channel %d [%010llx %s]\n",
info->access, ea ? ea->name : "", info->addr,
info->engine, ee ? ee->name : en,
info->client, ct, ec ? ec->name : "",
info->reason, er ? er->name : "", chan ? chan->chid : -1,
info->inst, chan ? chan->object.client->name : "unknown");
Reported by FlawFinder.
Line: 490
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nvkm_fifo_chan *chan;
unsigned long flags;
const char *en = "";
char ct[8] = "HUB/";
er = nvkm_enum_find(fifo->func->fault.reason, info->reason);
ee = nvkm_enum_find(fifo->func->fault.engine, info->engine);
if (info->hub) {
ec = nvkm_enum_find(fifo->func->fault.hubclient, info->client);
Reported by FlawFinder.
Line: 709
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 show = stat;
struct nvkm_fifo_chan *chan;
unsigned long flags;
char msg[128];
if (stat & 0x00800000) {
if (device->sw) {
if (nvkm_sw_mthd(device->sw, chid, subc, mthd, data))
show &= ~0x00800000;
Reported by FlawFinder.
Line: 751
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 mask = nvkm_rd32(device, 0x04014c + (unit * 0x2000));
u32 stat = nvkm_rd32(device, 0x040148 + (unit * 0x2000)) & mask;
u32 chid = nvkm_rd32(device, 0x040120 + (unit * 0x2000)) & 0xfff;
char msg[128];
if (stat) {
nvkm_snprintbf(msg, sizeof(msg), gk104_fifo_pbdma_intr_1, stat);
nvkm_error(subdev, "PBDMA%d: %08x [%s] ch %d %08x %08x\n",
unit, stat, msg, chid,
Reported by FlawFinder.
Line: 959
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Determine runlist configuration from topology device info. */
list_for_each_entry(tdev, &device->top->device, head) {
const int engn = tdev->engine;
char _en[16], *en;
if (engn < 0)
continue;
/* Determine which PBDMA handles requests for this engine. */
Reported by FlawFinder.
drivers/gpu/drm/radeon/atombios_dp.c
8 issues
Line: 65
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 align_num_bytes = ALIGN(num_bytes, 4);
if (to_le) {
memcpy(src_tmp, src, num_bytes);
for (i = 0; i < align_num_bytes / 4; i++)
dst_tmp[i] = cpu_to_le32(src_tmp[i]);
memcpy(dst, dst_tmp, align_num_bytes);
} else {
memcpy(src_tmp, src, align_num_bytes);
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(src_tmp, src, num_bytes);
for (i = 0; i < align_num_bytes / 4; i++)
dst_tmp[i] = cpu_to_le32(src_tmp[i]);
memcpy(dst, dst_tmp, align_num_bytes);
} else {
memcpy(src_tmp, src, align_num_bytes);
for (i = 0; i < align_num_bytes / 4; i++)
dst_tmp[i] = le32_to_cpu(src_tmp[i]);
memcpy(dst, dst_tmp, num_bytes);
Reported by FlawFinder.
Line: 70
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst_tmp[i] = cpu_to_le32(src_tmp[i]);
memcpy(dst, dst_tmp, align_num_bytes);
} else {
memcpy(src_tmp, src, align_num_bytes);
for (i = 0; i < align_num_bytes / 4; i++)
dst_tmp[i] = le32_to_cpu(src_tmp[i]);
memcpy(dst, dst_tmp, num_bytes);
}
#else
Reported by FlawFinder.
Line: 73
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(src_tmp, src, align_num_bytes);
for (i = 0; i < align_num_bytes / 4; i++)
dst_tmp[i] = le32_to_cpu(src_tmp[i]);
memcpy(dst, dst_tmp, num_bytes);
}
#else
memcpy(dst, src, num_bytes);
#endif
}
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, dst_tmp, num_bytes);
}
#else
memcpy(dst, src, num_bytes);
#endif
}
union aux_channel_transaction {
PROCESS_AUX_CHANNEL_TRANSACTION_PS_ALLOCATION v1;
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tx_buf[3] |= BARE_ADDRESS_SIZE << 4;
else
tx_buf[3] |= tx_size << 4;
memcpy(tx_buf + HEADER_SIZE, msg->buffer, msg->size);
ret = radeon_process_aux_ch(chan,
tx_buf, tx_size, NULL, 0, delay, &ack);
if (ret >= 0)
/* Return payload size. */
ret = msg->size;
Reported by FlawFinder.
Line: 396
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = drm_dp_dpcd_read(&radeon_connector->ddc_bus->aux, DP_DPCD_REV, msg,
DP_DPCD_SIZE);
if (ret == DP_DPCD_SIZE) {
memcpy(dig_connector->dpcd, msg, DP_DPCD_SIZE);
DRM_DEBUG_KMS("DPCD: %*ph\n", (int)sizeof(dig_connector->dpcd),
dig_connector->dpcd);
radeon_dp_probe_oui(radeon_connector);
Reported by FlawFinder.
Line: 841
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dp_info.tp3_supported = false;
}
memcpy(dp_info.dpcd, dig_connector->dpcd, DP_RECEIVER_CAP_SIZE);
dp_info.rdev = rdev;
dp_info.encoder = encoder;
dp_info.connector = connector;
dp_info.dp_lane_count = dig_connector->dp_lane_count;
dp_info.dp_clock = dig_connector->dp_clock;
Reported by FlawFinder.
drivers/leds/leds-88pm860x.c
8 issues
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *i2c;
struct pm860x_chip *chip;
struct mutex lock;
char name[MFD_NAME_SIZE];
int port;
int iset;
unsigned char brightness;
unsigned char current_brightness;
Reported by FlawFinder.
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pm860x_led *led = container_of(cdev, struct pm860x_led, cdev);
struct pm860x_chip *chip;
unsigned char buf[3];
int ret;
chip = led->chip;
mutex_lock(&led->lock);
led->brightness = value >> 3;
Reported by FlawFinder.
Line: 171
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (pdev->id) {
case 0:
data->blink_mask = LED1_BLINK_EN;
sprintf(data->name, "led0-red");
break;
case 1:
data->blink_mask = LED1_BLINK_EN;
sprintf(data->name, "led0-green");
break;
Reported by FlawFinder.
Line: 175
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case 1:
data->blink_mask = LED1_BLINK_EN;
sprintf(data->name, "led0-green");
break;
case 2:
data->blink_mask = LED1_BLINK_EN;
sprintf(data->name, "led0-blue");
break;
Reported by FlawFinder.
Line: 179
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case 2:
data->blink_mask = LED1_BLINK_EN;
sprintf(data->name, "led0-blue");
break;
case 3:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-red");
break;
Reported by FlawFinder.
Line: 183
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case 3:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-red");
break;
case 4:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-green");
break;
Reported by FlawFinder.
Line: 187
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case 4:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-green");
break;
case 5:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-blue");
break;
Reported by FlawFinder.
Line: 191
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
case 5:
data->blink_mask = LED2_BLINK_EN;
sprintf(data->name, "led1-blue");
break;
}
data->chip = chip;
data->i2c = (chip->id == CHIP_PM8606) ? chip->client : chip->companion;
data->port = pdev->id;
Reported by FlawFinder.
drivers/hwmon/coretemp.c
8 issues
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool is_pkg_data;
bool valid;
struct sensor_device_attribute sd_attrs[TOTAL_ATTRS];
char attr_name[TOTAL_ATTRS][CORETEMP_NAME_LENGTH];
struct attribute *attrs[TOTAL_ATTRS + 1];
struct attribute_group attr_group;
struct mutex update_lock;
};
Reported by FlawFinder.
Line: 112
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct temp_data *tdata = pdata->core_data[attr->index];
if (tdata->is_pkg_data)
return sprintf(buf, "Package id %u\n", pdata->pkg_id);
return sprintf(buf, "Core %u\n", tdata->cpu_core_id);
}
static ssize_t show_crit_alarm(struct device *dev,
Reported by FlawFinder.
Line: 114
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (tdata->is_pkg_data)
return sprintf(buf, "Package id %u\n", pdata->pkg_id);
return sprintf(buf, "Core %u\n", tdata->cpu_core_id);
}
static ssize_t show_crit_alarm(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 129
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
rdmsr_on_cpu(tdata->cpu, tdata->status_reg, &eax, &edx);
mutex_unlock(&tdata->update_lock);
return sprintf(buf, "%d\n", (eax >> 5) & 1);
}
static ssize_t show_tjmax(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 138
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct platform_data *pdata = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", pdata->core_data[attr->index]->tjmax);
}
static ssize_t show_ttarget(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 147
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct platform_data *pdata = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", pdata->core_data[attr->index]->ttarget);
}
static ssize_t show_temp(struct device *dev,
struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 175
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
mutex_unlock(&tdata->update_lock);
return sprintf(buf, "%d\n", tdata->temp);
}
struct tjmax_pci {
unsigned int device;
int tjmax;
Reported by FlawFinder.
Line: 388
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute *devattr, char *buf) = {
show_label, show_crit_alarm, show_temp, show_tjmax,
show_ttarget };
static const char *const suffixes[TOTAL_ATTRS] = {
"label", "crit_alarm", "input", "crit", "max"
};
for (i = 0; i < tdata->attr_size; i++) {
snprintf(tdata->attr_name[i], CORETEMP_NAME_LENGTH,
Reported by FlawFinder.