The following issues were found
drivers/input/touchscreen/stmfts.c
7 issues
Line: 411
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%#x\n", sdata->chip_id);
}
static ssize_t stmfts_sysfs_chip_version(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 419
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", sdata->chip_ver);
}
static ssize_t stmfts_sysfs_fw_ver(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 427
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", sdata->fw_ver);
}
static ssize_t stmfts_sysfs_config_id(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 435
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%#x\n", sdata->config_id);
}
static ssize_t stmfts_sysfs_config_version(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 443
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", sdata->config_ver);
}
static ssize_t stmfts_sysfs_read_status(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 458
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%#02x\n", status[0]);
}
static ssize_t stmfts_sysfs_hover_enable_read(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 466
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct stmfts_data *sdata = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", sdata->hover_enabled);
}
static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t len)
Reported by FlawFinder.
drivers/infiniband/core/addr.c
7 issues
Line: 113
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nla_for_each_attr(curr, head, len, rem) {
if (curr->nla_type == LS_NLA_TYPE_DGID)
memcpy(&gid, nla_data(curr), nla_len(curr));
}
spin_lock_bh(&lock);
list_for_each_entry(req, &req_list, list) {
if (nlh->nlmsg_seq != req->seq)
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct net_device *dev)
{
dev_addr->dev_type = dev->type;
memcpy(dev_addr->src_dev_addr, dev->dev_addr, MAX_ADDR_LEN);
memcpy(dev_addr->broadcast, dev->broadcast, MAX_ADDR_LEN);
dev_addr->bound_dev_if = dev->ifindex;
}
EXPORT_SYMBOL(rdma_copy_src_l2_addr);
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
dev_addr->dev_type = dev->type;
memcpy(dev_addr->src_dev_addr, dev->dev_addr, MAX_ADDR_LEN);
memcpy(dev_addr->broadcast, dev->broadcast, MAX_ADDR_LEN);
dev_addr->bound_dev_if = dev->ifindex;
}
EXPORT_SYMBOL(rdma_copy_src_l2_addr);
static struct net_device *
Reported by FlawFinder.
Line: 465
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int ret = 0;
if (ndev_flags & IFF_LOOPBACK) {
memcpy(addr->dst_dev_addr, addr->src_dev_addr, MAX_ADDR_LEN);
} else {
if (!(ndev_flags & IFF_NOARP)) {
/* If the device doesn't do ARP internally */
ret = fetch_ha(dst, addr, dst_in, seq);
}
Reported by FlawFinder.
Line: 687
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err;
}
memcpy(src_in, src_addr, rdma_addr_size(src_addr));
} else {
src_in->sa_family = dst_addr->sa_family;
}
memcpy(dst_in, dst_addr, rdma_addr_size(dst_addr));
Reported by FlawFinder.
Line: 692
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src_in->sa_family = dst_addr->sa_family;
}
memcpy(dst_in, dst_addr, rdma_addr_size(dst_addr));
req->addr = addr;
req->callback = callback;
req->context = context;
req->resolve_by_gid_attr = resolve_by_gid_attr;
INIT_DELAYED_WORK(&req->work, process_one_req);
Reported by FlawFinder.
Line: 847
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(dmac, dev_addr.dst_dev_addr, ETH_ALEN);
*hoplimit = dev_addr.hoplimit;
return 0;
}
static int netevent_callback(struct notifier_block *self, unsigned long event,
Reported by FlawFinder.
drivers/hid/hid-hyperv.c
7 issues
Line: 495
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
hid_dev->version = input_dev->hid_dev_info.version;
input_dev->hid_device = hid_dev;
sprintf(hid_dev->name, "%s", "Microsoft Vmbus HID-compliant Mouse");
hid_set_drvdata(hid_dev, device);
ret = hid_add_device(hid_dev);
if (ret)
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct synthhid_msg {
struct synthhid_msg_hdr header;
char data[1]; /* Enclosed message */
};
union synthhid_version {
struct {
u16 minor_version;
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct synthhid_input_report {
struct synthhid_msg_hdr header;
char buffer[1];
};
#pragma pack(pop)
#define INPUTVSC_SEND_RING_BUFFER_SIZE VMBUS_RING_SIZE(36 * 1024)
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pipe_prt_msg {
enum pipe_prot_msg_type type;
u32 size;
char data[1];
};
struct mousevsc_prt_msg {
enum pipe_prot_msg_type type;
u32 size;
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto cleanup;
}
memcpy(input_device->report_desc,
((unsigned char *)desc) + desc->bLength,
desc->desc[0].wDescriptorLength);
/* Send the ack */
memset(&ack, 0, sizeof(struct mousevsc_prt_msg));
Reported by FlawFinder.
Line: 280
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(&input_dev->protocol_resp, pipe_msg,
pipe_msg->size + sizeof(struct pipe_prt_msg) -
sizeof(unsigned char));
complete(&input_dev->wait_event);
break;
Reported by FlawFinder.
Line: 304
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = min(input_report->header.size,
(u32)sizeof(input_dev->input_buf));
memcpy(input_dev->input_buf, input_report->buffer, len);
hid_input_report(input_dev->hid_device, HID_INPUT_REPORT,
input_dev->input_buf, len, 1);
pm_wakeup_hard_event(&input_dev->device->device);
Reported by FlawFinder.
drivers/infiniband/hw/bnxt_re/qplib_sp.c
7 issues
Line: 224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index, sgid_tbl->max);
return -EINVAL;
}
memcpy(gid, &sgid_tbl->tbl[index].gid, sizeof(*gid));
return 0;
}
int bnxt_qplib_del_sgid(struct bnxt_qplib_sgid_tbl *sgid_tbl,
struct bnxt_qplib_gid *gid, u16 vlan_id, bool update)
Reported by FlawFinder.
Line: 274
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
return rc;
}
memcpy(&sgid_tbl->tbl[index].gid, &bnxt_qplib_gid_zero,
sizeof(bnxt_qplib_gid_zero));
sgid_tbl->tbl[index].vlan_id = 0xFFFF;
sgid_tbl->vlan[index] = 0;
sgid_tbl->active--;
dev_dbg(&res->pdev->dev,
Reported by FlawFinder.
Line: 364
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sgid_tbl->hw_id[free_idx] = le32_to_cpu(resp.xid);
}
/* Add GID to the sgid_tbl */
memcpy(&sgid_tbl->tbl[free_idx], gid, sizeof(*gid));
sgid_tbl->tbl[free_idx].vlan_id = vlan_id;
sgid_tbl->active++;
if (vlan_id != 0xFFFF)
sgid_tbl->vlan[free_idx] = 1;
Reported by FlawFinder.
Line: 431
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index, pkey_tbl->max);
return -EINVAL;
}
memcpy(pkey, &pkey_tbl->tbl[index], sizeof(*pkey));
return 0;
}
int bnxt_qplib_del_pkey(struct bnxt_qplib_res *res,
struct bnxt_qplib_pkey_tbl *pkey_tbl, u16 *pkey,
Reported by FlawFinder.
Line: 496
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
/* Add PKEY to the pkey_tbl */
memcpy(&pkey_tbl->tbl[free_idx], pkey, sizeof(*pkey));
pkey_tbl->active++;
/* unlock */
return rc;
}
Reported by FlawFinder.
Line: 517
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
RCFW_CMD_PREP(req, CREATE_AH, cmd_flags);
memcpy(temp32, ah->dgid.data, sizeof(struct bnxt_qplib_gid));
req.dgid[0] = cpu_to_le32(temp32[0]);
req.dgid[1] = cpu_to_le32(temp32[1]);
req.dgid[2] = cpu_to_le32(temp32[2]);
req.dgid[3] = cpu_to_le32(temp32[3]);
Reported by FlawFinder.
Line: 533
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req.traffic_class = ah->traffic_class;
/* MAC in network format */
memcpy(temp16, ah->dmac, 6);
req.dest_mac[0] = cpu_to_le16(temp16[0]);
req.dest_mac[1] = cpu_to_le16(temp16[1]);
req.dest_mac[2] = cpu_to_le16(temp16[2]);
rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req, (void *)&resp,
Reported by FlawFinder.
drivers/iio/industrialio-buffer.c
7 issues
Line: 1335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!attrs)
return -ENOMEM;
memcpy(attrs, buffer_attrs, buffer_attrcount * sizeof(*attrs));
group = &iio_dev_opaque->legacy_buffer_group;
group->attrs = attrs;
group->name = "buffer";
Reported by FlawFinder.
Line: 1351
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error_free_buffer_attrs;
}
memcpy(attrs, &buffer_attrs[buffer_attrcount],
scan_el_attrcount * sizeof(*attrs));
group = &iio_dev_opaque->legacy_scan_el_group;
group->attrs = attrs;
group->name = "scan_elements";
Reported by FlawFinder.
Line: 1521
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error_free_scan_mask;
}
memcpy(attr, iio_buffer_attrs, sizeof(iio_buffer_attrs));
if (!buffer->access->set_length)
attr[0] = &dev_attr_length_ro.attr;
if (buffer->access->flags & INDIO_BUFFER_FLAG_FIXED_WATERMARK)
attr[2] = &dev_attr_watermark_ro.attr;
Reported by FlawFinder.
Line: 1529
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
attr[2] = &dev_attr_watermark_ro.attr;
if (buffer->attrs)
memcpy(&attr[ARRAY_SIZE(iio_buffer_attrs)], buffer->attrs,
sizeof(struct attribute *) * buffer_attrcount);
buffer_attrcount += ARRAY_SIZE(iio_buffer_attrs);
for (i = 0; i < buffer_attrcount; i++) {
Reported by FlawFinder.
Line: 1689
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (list_empty(&buffer->demux_list))
return datain;
list_for_each_entry(t, &buffer->demux_list, l)
memcpy(buffer->demux_bounce + t->to,
datain + t->from, t->length);
return buffer->demux_bounce;
}
Reported by FlawFinder.
Line: 155
Column: 21
CWE codes:
120
20
continue;
}
ret = rb->access->read(rb, n, buf);
if (ret == 0 && (filp->f_flags & O_NONBLOCK))
ret = -EAGAIN;
} while (ret == 0);
remove_wait_queue(&rb->pollq, &wait);
Reported by FlawFinder.
drivers/hid/hid-mcp2221.c
7 issues
Line: 379
CWE codes:
476
data_len = 5;
break;
case 1:
mcp->txbuf[5] = buf[0];
data_len = 6;
break;
case 2:
mcp->txbuf[5] = buf[0];
mcp->txbuf[6] = buf[1];
Reported by Cppcheck.
Line: 383
CWE codes:
476
data_len = 6;
break;
case 2:
mcp->txbuf[5] = buf[0];
mcp->txbuf[6] = buf[1];
data_len = 7;
break;
default:
memcpy(&mcp->txbuf[5], buf, len);
Reported by Cppcheck.
Line: 384
CWE codes:
476
break;
case 2:
mcp->txbuf[5] = buf[0];
mcp->txbuf[6] = buf[1];
data_len = 7;
break;
default:
memcpy(&mcp->txbuf[5], buf, len);
data_len = len + 5;
Reported by Cppcheck.
Line: 388
CWE codes:
476
data_len = 7;
break;
default:
memcpy(&mcp->txbuf[5], buf, len);
data_len = len + 5;
}
ret = mcp_send_data_req_status(mcp, mcp->txbuf, data_len);
if (ret)
Reported by Cppcheck.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mcp->txbuf[2] = msg->len >> 8;
mcp->txbuf[3] = (u8)(msg->addr << 1);
memcpy(&mcp->txbuf[4], &msg->buf[idx], len);
ret = mcp_send_data_req_status(mcp, mcp->txbuf, len + 4);
if (ret)
return ret;
Reported by FlawFinder.
Line: 388
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_len = 7;
break;
default:
memcpy(&mcp->txbuf[5], buf, len);
data_len = len + 5;
}
ret = mcp_send_data_req_status(mcp, mcp->txbuf, data_len);
if (ret)
Reported by FlawFinder.
Line: 770
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (data[2] == MCP2221_I2C_READ_COMPL) {
buf = mcp->rxbuf;
memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
mcp->status = 0;
break;
}
mcp->status = -EIO;
Reported by FlawFinder.
drivers/infiniband/hw/qib/qib_fs.c
7 issues
Line: 363
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int add_cntr_files(struct super_block *sb, struct qib_devdata *dd)
{
struct dentry *dir, *tmp;
char unit[10];
int ret, i;
/* create the per-unit directory */
snprintf(unit, sizeof(unit), "%u", dd->unit);
ret = create_file(unit, S_IFDIR|S_IRUGO|S_IXUGO, sb->s_root, &dir,
Reported by FlawFinder.
Line: 398
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
goto bail;
}
for (i = 1; i <= dd->num_pports; i++) {
char fname[24];
sprintf(fname, "port%dcounters", i);
/* create the files in the new directory */
ret = create_file(fname, S_IFREG|S_IRUGO, dir, &tmp,
&portcntr_ops[i], dd);
Reported by FlawFinder.
Line: 400
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 1; i <= dd->num_pports; i++) {
char fname[24];
sprintf(fname, "port%dcounters", i);
/* create the files in the new directory */
ret = create_file(fname, S_IFREG|S_IRUGO, dir, &tmp,
&portcntr_ops[i], dd);
if (ret) {
pr_err("create_file(%s/%s) failed: %d\n",
Reported by FlawFinder.
Line: 411
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (!(dd->flags & QIB_HAS_QSFP))
continue;
sprintf(fname, "qsfp%d", i);
ret = create_file(fname, S_IFREG|S_IRUGO, dir, &tmp,
&qsfp_ops[i - 1], dd);
if (ret) {
pr_err("create_file(%s/%s) failed: %d\n",
unit, fname, ret);
Reported by FlawFinder.
Line: 434
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qib_devdata *dd)
{
struct dentry *dir;
char unit[10];
snprintf(unit, sizeof(unit), "%u", dd->unit);
dir = lookup_one_len_unlocked(unit, sb->s_root, strlen(unit));
if (IS_ERR(dir)) {
Reported by FlawFinder.
Line: 94
Column: 41
CWE codes:
126
int error;
inode_lock(d_inode(parent));
*dentry = lookup_one_len(name, parent, strlen(name));
if (!IS_ERR(*dentry))
error = qibfs_mknod(d_inode(parent), *dentry,
mode, fops, data);
else
error = PTR_ERR(*dentry);
Reported by FlawFinder.
Line: 437
Column: 50
CWE codes:
126
char unit[10];
snprintf(unit, sizeof(unit), "%u", dd->unit);
dir = lookup_one_len_unlocked(unit, sb->s_root, strlen(unit));
if (IS_ERR(dir)) {
pr_err("Lookup of %s failed\n", unit);
return PTR_ERR(dir);
}
Reported by FlawFinder.
drivers/infiniband/core/lag.c
7 issues
Line: 52
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iph->ihl = 0x5;
iph->tot_len = htons(sizeof(struct udphdr) + sizeof(struct
iphdr));
memcpy(&iph->saddr, ah_attr->grh.sgid_attr->gid.raw + 12,
sizeof(struct in_addr));
memcpy(&iph->daddr, ah_attr->grh.dgid.raw + 12,
sizeof(struct in_addr));
} else {
skb_push(skb, sizeof(struct ipv6hdr));
Reported by FlawFinder.
Line: 54
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
iphdr));
memcpy(&iph->saddr, ah_attr->grh.sgid_attr->gid.raw + 12,
sizeof(struct in_addr));
memcpy(&iph->daddr, ah_attr->grh.dgid.raw + 12,
sizeof(struct in_addr));
} else {
skb_push(skb, sizeof(struct ipv6hdr));
skb_reset_network_header(skb);
ip6h = ipv6_hdr(skb);
Reported by FlawFinder.
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h = ipv6_hdr(skb);
ip6h->version = 6;
ip6h->nexthdr = IPPROTO_UDP;
memcpy(&ip6h->flow_lbl, &ah_attr->grh.flow_label,
sizeof(*ip6h->flow_lbl));
memcpy(&ip6h->saddr, ah_attr->grh.sgid_attr->gid.raw,
sizeof(struct in6_addr));
memcpy(&ip6h->daddr, ah_attr->grh.dgid.raw,
sizeof(struct in6_addr));
Reported by FlawFinder.
Line: 64
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip6h->nexthdr = IPPROTO_UDP;
memcpy(&ip6h->flow_lbl, &ah_attr->grh.flow_label,
sizeof(*ip6h->flow_lbl));
memcpy(&ip6h->saddr, ah_attr->grh.sgid_attr->gid.raw,
sizeof(struct in6_addr));
memcpy(&ip6h->daddr, ah_attr->grh.dgid.raw,
sizeof(struct in6_addr));
}
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(*ip6h->flow_lbl));
memcpy(&ip6h->saddr, ah_attr->grh.sgid_attr->gid.raw,
sizeof(struct in6_addr));
memcpy(&ip6h->daddr, ah_attr->grh.dgid.raw,
sizeof(struct in6_addr));
}
skb_push(skb, sizeof(struct ethhdr));
skb_reset_mac_header(skb);
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eth = eth_hdr(skb);
skb->protocol = eth->h_proto = htons(is_ipv4 ? ETH_P_IP : ETH_P_IPV6);
rdma_read_gid_l2_fields(ah_attr->grh.sgid_attr, NULL, smac);
memcpy(eth->h_source, smac, ETH_ALEN);
memcpy(eth->h_dest, ah_attr->roce.dmac, ETH_ALEN);
return skb;
}
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb->protocol = eth->h_proto = htons(is_ipv4 ? ETH_P_IP : ETH_P_IPV6);
rdma_read_gid_l2_fields(ah_attr->grh.sgid_attr, NULL, smac);
memcpy(eth->h_source, smac, ETH_ALEN);
memcpy(eth->h_dest, ah_attr->roce.dmac, ETH_ALEN);
return skb;
}
static struct net_device *rdma_get_xmit_slave_udp(struct ib_device *device,
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_display_debugfs.c
7 issues
Line: 809
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
to_intel_plane_state(plane->base.state);
const struct drm_framebuffer *fb = plane_state->uapi.fb;
struct drm_rect src, dst;
char rot_str[48];
src = drm_plane_state_src(&plane_state->uapi);
dst = drm_plane_state_dest(&plane_state->uapi);
plane_rotation(rot_str, sizeof(rot_str),
Reported by FlawFinder.
Line: 839
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct intel_plane_state *plane_state =
to_intel_plane_state(plane->base.state);
const struct drm_framebuffer *fb = plane_state->hw.fb;
char rot_str[48];
if (!fb)
return;
plane_rotation(rot_str, sizeof(rot_str),
Reported by FlawFinder.
Line: 914
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return;
for (row = 0; row < ARRAY_SIZE(crtc->debug.vbl.times); row++) {
char columns[80] = " |";
unsigned int x;
if (row & 1) {
const char *units;
Reported by FlawFinder.
Line: 1716
Column: 58
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return single_open(file, cur_wm_latency_show, dev_priv);
}
static ssize_t wm_latency_write(struct file *file, const char __user *ubuf,
size_t len, loff_t *offp, u16 wm[8])
{
struct seq_file *m = file->private_data;
struct drm_i915_private *dev_priv = m->private;
struct drm_device *dev = &dev_priv->drm;
Reported by FlawFinder.
Line: 1726
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int num_levels;
int level;
int ret;
char tmp[32];
if (IS_CHERRYVIEW(dev_priv))
num_levels = 3;
else if (IS_VALLEYVIEW(dev_priv))
num_levels = 1;
Reported by FlawFinder.
Line: 1863
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int new_threshold;
int i;
char *newline;
char tmp[16];
if (len >= sizeof(tmp))
return -EINVAL;
if (copy_from_user(tmp, ubuf, len))
Reported by FlawFinder.
Line: 1942
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drm_i915_private *dev_priv = m->private;
struct i915_hotplug *hotplug = &dev_priv->hotplug;
char *newline;
char tmp[16];
int i;
bool new_state;
if (len >= sizeof(tmp))
return -EINVAL;
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/mmio.c
7 issues
Line: 84
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset -= gvt->device_info.gtt_start_offset;
pt = vgpu->gtt.ggtt_mm->ggtt_mm.virtual_ggtt + offset;
if (read)
memcpy(p_data, pt, bytes);
else
memcpy(pt, p_data, bytes);
}
mutex_unlock(&vgpu->vgpu_lock);
Reported by FlawFinder.
Line: 86
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (read)
memcpy(p_data, pt, bytes);
else
memcpy(pt, p_data, bytes);
}
mutex_unlock(&vgpu->vgpu_lock);
}
Reported by FlawFinder.
Line: 247
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *mmio = gvt->firmware.mmio;
if (dmlr) {
memcpy(vgpu->mmio.vreg, mmio, info->mmio_size);
vgpu_vreg_t(vgpu, GEN6_GT_THREAD_STATUS_REG) = 0;
/* set the bit 0:2(Core C-State ) to C0 */
vgpu_vreg_t(vgpu, GEN6_GT_CORE_STATUS) = 0;
Reported by FlawFinder.
Line: 295
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* interrupt include DE,display mmio related will not be
* touched
*/
memcpy(vgpu->mmio.vreg, mmio, GVT_GEN8_MMIO_RESET_OFFSET);
}
}
/**
Reported by FlawFinder.
Line: 61
Column: 42
CWE codes:
120
20
&& reg < gvt->device_info.gtt_start_offset + gvt_ggtt_sz(gvt))
static void failsafe_emulate_mmio_rw(struct intel_vgpu *vgpu, u64 pa,
void *p_data, unsigned int bytes, bool read)
{
struct intel_gvt *gvt = NULL;
void *pt = NULL;
unsigned int offset = 0;
Reported by FlawFinder.
Line: 74
Column: 7
CWE codes:
120
20
mutex_lock(&vgpu->vgpu_lock);
offset = intel_vgpu_gpa_to_mmio_offset(vgpu, pa);
if (reg_is_mmio(gvt, offset)) {
if (read)
intel_vgpu_default_mmio_read(vgpu, offset, p_data,
bytes);
else
intel_vgpu_default_mmio_write(vgpu, offset, p_data,
bytes);
Reported by FlawFinder.
Line: 83
Column: 7
CWE codes:
120
20
} else if (reg_is_gtt(gvt, offset)) {
offset -= gvt->device_info.gtt_start_offset;
pt = vgpu->gtt.ggtt_mm->ggtt_mm.virtual_ggtt + offset;
if (read)
memcpy(p_data, pt, bytes);
else
memcpy(pt, p_data, bytes);
}
Reported by FlawFinder.