The following issues were found
drivers/i2c/busses/i2c-tegra.c
4 issues
Line: 775
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
val = i2c_readl(i2c_dev, I2C_RX_FIFO);
val = cpu_to_le32(val);
memcpy(buf, &val, buf_remaining);
buf_remaining = 0;
rx_fifo_avail--;
}
/* RX FIFO must be drained, otherwise it's an Overflow case. */
Reported by FlawFinder.
Line: 850
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* when (words_to_transfer was > tx_fifo_avail) earlier
* in this function for non-zero words_to_transfer.
*/
memcpy(&val, buf, buf_remaining);
val = le32_to_cpu(val);
i2c_dev->msg_buf_remaining = 0;
i2c_dev->msg_buf = NULL;
Reported by FlawFinder.
Line: 1276
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!i2c_dev->msg_read) {
if (i2c_dev->dma_mode) {
memcpy(i2c_dev->dma_buf + I2C_PACKET_HEADER_SIZE,
msg->buf, msg->len);
dma_sync_single_for_device(i2c_dev->dev,
i2c_dev->dma_phys,
xfer_size, DMA_TO_DEVICE);
Reported by FlawFinder.
Line: 1334
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i2c_dev->dma_phys,
xfer_size, DMA_FROM_DEVICE);
memcpy(i2c_dev->msg_buf, i2c_dev->dma_buf, msg->len);
}
}
time_left = tegra_i2c_wait_completion(i2c_dev, &i2c_dev->msg_complete,
xfer_time);
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/gtt.c
4 issues
Line: 154
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define gtt_init_entry(e, t, p, v) do { \
(e)->type = t; \
(e)->pdev = p; \
memcpy(&(e)->val64, &v, sizeof(v)); \
} while (0)
/*
* Mappings between GTT_TYPE* enumerations.
* Following information can be found according to the given type:
Reported by FlawFinder.
Line: 2190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ggtt_get_guest_entry(ggtt_mm, &e, index);
memcpy(p_data, (void *)&e.val64 + (off & (info->gtt_entry_size - 1)),
bytes);
return 0;
}
/**
Reported by FlawFinder.
Line: 2259
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
e.type = GTT_TYPE_GGTT_PTE;
memcpy((void *)&e.val64 + (off & (info->gtt_entry_size - 1)), p_data,
bytes);
/* If ggtt entry size is 8 bytes, and it's split into two 4 bytes
* write, save the first 4 bytes in a list and update virtual
* PTE. Only update shadow PTE when the second 4 bytes comes.
Reported by FlawFinder.
Line: 2278
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int last_off = pos->offset &
(info->gtt_entry_size - 1);
memcpy((void *)&e.val64 + last_off,
(void *)&pos->data + last_off,
bytes);
list_del(&pos->list);
kfree(pos);
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ishtp/bus.c
4 issues
Line: 88
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void *msg, void(*ipc_send_compl)(void *),
void *ipc_send_compl_prm)
{
unsigned char ipc_msg[IPC_FULL_MSG_SIZE];
uint32_t drbl_val;
drbl_val = dev->ops->ipc_get_header(dev, hdr->length +
sizeof(struct ishtp_msg_hdr),
1);
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct ishtp_msg_hdr),
1);
memcpy(ipc_msg, &drbl_val, sizeof(uint32_t));
memcpy(ipc_msg + sizeof(uint32_t), hdr, sizeof(uint32_t));
memcpy(ipc_msg + 2 * sizeof(uint32_t), msg, hdr->length);
return dev->ops->write(dev, ipc_send_compl, ipc_send_compl_prm,
ipc_msg, 2 * sizeof(uint32_t) + hdr->length);
}
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
1);
memcpy(ipc_msg, &drbl_val, sizeof(uint32_t));
memcpy(ipc_msg + sizeof(uint32_t), hdr, sizeof(uint32_t));
memcpy(ipc_msg + 2 * sizeof(uint32_t), msg, hdr->length);
return dev->ops->write(dev, ipc_send_compl, ipc_send_compl_prm,
ipc_msg, 2 * sizeof(uint32_t) + hdr->length);
}
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ipc_msg, &drbl_val, sizeof(uint32_t));
memcpy(ipc_msg + sizeof(uint32_t), hdr, sizeof(uint32_t));
memcpy(ipc_msg + 2 * sizeof(uint32_t), msg, hdr->length);
return dev->ops->write(dev, ipc_send_compl, ipc_send_compl_prm,
ipc_msg, 2 * sizeof(uint32_t) + hdr->length);
}
/**
Reported by FlawFinder.
drivers/gpu/drm/panel/panel-sony-acx565akm.c
4 issues
Line: 196
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mode >= 0 && mode < ARRAY_SIZE(acx565akm_cabc_modes))
mode_str = acx565akm_cabc_modes[mode];
return sprintf(buf, "%s\n", mode_str);
}
static ssize_t cabc_mode_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 241
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
size_t len = 0;
if (!lcd->has_cabc)
return sprintf(buf, "%s\n", acx565akm_cabc_modes[0]);
for (i = 0; i < ARRAY_SIZE(acx565akm_cabc_modes); i++)
len += sprintf(&buf[len], "%s%s", i ? " " : "",
acx565akm_cabc_modes[i]);
Reported by FlawFinder.
Line: 244
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "%s\n", acx565akm_cabc_modes[0]);
for (i = 0; i < ARRAY_SIZE(acx565akm_cabc_modes); i++)
len += sprintf(&buf[len], "%s%s", i ? " " : "",
acx565akm_cabc_modes[i]);
buf[len++] = '\n';
return len;
Reported by FlawFinder.
Line: 208
Column: 17
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(acx565akm_cabc_modes); i++) {
const char *mode_str = acx565akm_cabc_modes[i];
int cmp_len = strlen(mode_str);
if (count > 0 && buf[count - 1] == '\n')
count--;
if (count != cmp_len)
continue;
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_display.c
4 issues
Line: 11581
CWE codes:
476
unsigned int *handle)
{
struct drm_i915_gem_object *obj = intel_fb_obj(fb);
struct drm_i915_private *i915 = to_i915(obj->base.dev);
if (i915_gem_object_is_userptr(obj)) {
drm_dbg(&i915->drm,
"attempting to use a userptr for a framebuffer, denied\n");
return -EINVAL;
Reported by Cppcheck.
Line: 7611
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
const struct intel_plane_state *plane_state;
struct intel_plane *plane;
char buf[64];
int i;
drm_dbg_kms(&dev_priv->drm, "[CRTC:%d:%s] enable: %s %s\n",
crtc->base.base.id, crtc->base.name,
yesno(pipe_config->hw.enable), context);
Reported by FlawFinder.
Line: 7909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
saved_state->crc_enabled = crtc_state->crc_enabled;
intel_crtc_free_hw_state(crtc_state);
memcpy(crtc_state, saved_state, sizeof(*crtc_state));
kfree(saved_state);
/* Re-init hw state */
memset(&crtc_state->hw, 0, sizeof(saved_state->hw));
crtc_state->hw.enable = from_crtc_state->hw.enable;
Reported by FlawFinder.
Line: 7963
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IS_VALLEYVIEW(dev_priv) || IS_CHERRYVIEW(dev_priv))
saved_state->wm = crtc_state->wm;
memcpy(crtc_state, saved_state, sizeof(*crtc_state));
kfree(saved_state);
intel_crtc_copy_uapi_to_hw_state(state, crtc_state);
return 0;
Reported by FlawFinder.
drivers/infiniband/ulp/rtrs/rtrs-clt.c
4 issues
Line: 1537
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_init(&sess->init_mutex);
uuid_gen(&sess->s.uuid);
memcpy(&sess->s.dst_addr, path->dst,
rdma_addr_size((struct sockaddr *)path->dst));
/*
* rdma_resolve_addr() passes src_addr to cma_bind_addr, which
* checks the sa_family to be non-zero. If user passed src_addr=NULL
Reported by FlawFinder.
Line: 1546
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the sess->src_addr will contain only zeros, which is then fine.
*/
if (path->src)
memcpy(&sess->s.src_addr, path->src,
rdma_addr_size((struct sockaddr *)path->src));
strscpy(sess->s.sessname, clt->sessname, sizeof(sess->s.sessname));
sess->clt = clt;
sess->max_pages_per_mr = RTRS_MAX_SEGMENTS;
init_waitqueue_head(&sess->state_wq);
Reported by FlawFinder.
Line: 2586
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int init_sess(struct rtrs_clt_sess *sess)
{
int err;
char str[NAME_MAX];
struct rtrs_addr path = {
.src = &sess->s.src_addr,
.dst = &sess->s.dst_addr,
};
Reported by FlawFinder.
Line: 2680
Column: 6
CWE codes:
126
if (!paths_num || paths_num > MAX_PATHS_NUM)
return ERR_PTR(-EINVAL);
if (strlen(sessname) >= sizeof(clt->sessname))
return ERR_PTR(-EINVAL);
clt = kzalloc(sizeof(*clt), GFP_KERNEL);
if (!clt)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
drivers/input/misc/axp20x-pek.c
4 issues
Line: 106
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (val == time[i].idx)
val = time[i].time;
return sprintf(buf, "%u\n", val);
}
static ssize_t axp20x_show_attr_startup(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count)
{
struct axp20x_pek *axp20x_pek = dev_get_drvdata(dev);
char val_str[20];
size_t len;
int ret, i;
unsigned int val, idx = 0;
unsigned int best_err = UINT_MAX;
Reported by FlawFinder.
Line: 142
Column: 2
CWE codes:
120
unsigned int best_err = UINT_MAX;
val_str[sizeof(val_str) - 1] = '\0';
strncpy(val_str, buf, sizeof(val_str) - 1);
len = strlen(val_str);
if (len && val_str[len - 1] == '\n')
val_str[len - 1] = '\0';
Reported by FlawFinder.
Line: 143
Column: 8
CWE codes:
126
val_str[sizeof(val_str) - 1] = '\0';
strncpy(val_str, buf, sizeof(val_str) - 1);
len = strlen(val_str);
if (len && val_str[len - 1] == '\n')
val_str[len - 1] = '\0';
ret = kstrtouint(val_str, 10, &val);
Reported by FlawFinder.
drivers/gpu/drm/i915/intel_pm.c
4 issues
Line: 5970
CWE codes:
908
return 0;
new_dbuf_state->active_pipes =
intel_calc_active_pipes(state, old_dbuf_state->active_pipes);
if (old_dbuf_state->active_pipes != new_dbuf_state->active_pipes) {
ret = intel_atomic_lock_global_state(&new_dbuf_state->base);
if (ret)
return ret;
Reported by Cppcheck.
Line: 5972
CWE codes:
908
new_dbuf_state->active_pipes =
intel_calc_active_pipes(state, old_dbuf_state->active_pipes);
if (old_dbuf_state->active_pipes != new_dbuf_state->active_pipes) {
ret = intel_atomic_lock_global_state(&new_dbuf_state->base);
if (ret)
return ret;
}
Reported by Cppcheck.
Line: 3099
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
memcpy(dev_priv->wm.spr_latency, dev_priv->wm.pri_latency,
sizeof(dev_priv->wm.pri_latency));
memcpy(dev_priv->wm.cur_latency, dev_priv->wm.pri_latency,
sizeof(dev_priv->wm.pri_latency));
intel_fixup_spr_wm_latency(dev_priv, dev_priv->wm.spr_latency);
Reported by FlawFinder.
Line: 3101
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dev_priv->wm.spr_latency, dev_priv->wm.pri_latency,
sizeof(dev_priv->wm.pri_latency));
memcpy(dev_priv->wm.cur_latency, dev_priv->wm.pri_latency,
sizeof(dev_priv->wm.pri_latency));
intel_fixup_spr_wm_latency(dev_priv, dev_priv->wm.spr_latency);
intel_fixup_cur_wm_latency(dev_priv, dev_priv->wm.cur_latency);
Reported by FlawFinder.
drivers/i2c/busses/i2c-cp2615.c
4 issues
Line: 92
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret->length = htons(data_len + 6);
ret->msg = htons(msg);
if (data && data_len)
memcpy(&ret->data, data, data_len);
return 0;
}
static int cp2615_init_i2c_msg(struct cp2615_iop_msg *ret, const struct cp2615_i2c_transfer *data)
{
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res = cp2615_check_status(i2c_r->status);
if (!res)
memcpy(buf, &i2c_r->data, i2c_r->read_len);
kfree(msg);
return res;
}
Reported by FlawFinder.
Line: 234
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
i2c_w.read_len = 0;
i2c_w.write_len = msg->len;
memcpy(&i2c_w.data, msg->buf, i2c_w.write_len);
}
ret = cp2615_i2c_send(usbif, &i2c_w);
if (ret)
break;
ret = cp2615_i2c_recv(usbif, i2c_w.tag, msg->buf);
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
if (!adap)
return -ENOMEM;
strncpy(adap->name, usbdev->serial, sizeof(adap->name) - 1);
adap->owner = THIS_MODULE;
adap->dev.parent = &usbif->dev;
adap->dev.of_node = usbif->dev.of_node;
adap->timeout = HZ;
adap->algo = &cp2615_i2c_algo;
Reported by FlawFinder.
drivers/input/keyboard/lm8323.c
4 issues
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool kp_enabled;
bool pm_suspend;
unsigned keys_down;
char phys[32];
unsigned short keymap[LM8323_KEYMAP_SIZE];
int size_x;
int size_y;
int debounce_time;
int active_time;
Reported by FlawFinder.
Line: 528
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct led_classdev *led_cdev = dev_get_drvdata(dev);
struct lm8323_pwm *pwm = cdev_to_pwm(led_cdev);
return sprintf(buf, "%d\n", pwm->fade_time);
}
static ssize_t lm8323_pwm_store_time(struct device *dev,
struct device_attribute *attr, const char *buf, size_t len)
{
Reported by FlawFinder.
Line: 595
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct lm8323_chip *lm = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", !lm->kp_enabled);
}
static ssize_t lm8323_set_disable(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 545
Column: 9
CWE codes:
126
pwm->fade_time = time;
return strlen(buf);
}
static DEVICE_ATTR(time, 0644, lm8323_pwm_show_time, lm8323_pwm_store_time);
static struct attribute *lm8323_pwm_attrs[] = {
&dev_attr_time.attr,
Reported by FlawFinder.