The following issues were found
drivers/iio/dac/ad5686.c
3 issues
Line: 131
Column: 13
CWE codes:
120
20
switch (m) {
case IIO_CHAN_INFO_RAW:
mutex_lock(&st->lock);
ret = st->read(st, chan->address);
mutex_unlock(&st->lock);
if (ret < 0)
return ret;
*val = (ret >> chan->scan_type.shift) &
GENMASK(chan->scan_type.realbits - 1, 0);
Reported by FlawFinder.
Line: 446
Column: 21
CWE codes:
120
20
int ad5686_probe(struct device *dev,
enum ad5686_supported_device_ids chip_type,
const char *name, ad5686_write_func write,
ad5686_read_func read)
{
struct ad5686_state *st;
struct iio_dev *indio_dev;
unsigned int val, ref_bit_msk;
u8 cmd;
Reported by FlawFinder.
Line: 463
Column: 13
CWE codes:
120
20
st->dev = dev;
st->write = write;
st->read = read;
st->reg = devm_regulator_get_optional(dev, "vcc");
if (!IS_ERR(st->reg)) {
ret = regulator_enable(st->reg);
if (ret)
Reported by FlawFinder.
drivers/iio/dac/ad5766.c
3 issues
Line: 365
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (private) {
case AD5766_DITHER_ENABLE:
return sprintf(buf, "%u\n",
!(st->dither_enable & BIT(chan->channel)));
break;
case AD5766_DITHER_INVERT:
return sprintf(buf, "%u\n",
!!(st->dither_invert & BIT(chan->channel)));
Reported by FlawFinder.
Line: 369
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
!(st->dither_enable & BIT(chan->channel)));
break;
case AD5766_DITHER_INVERT:
return sprintf(buf, "%u\n",
!!(st->dither_invert & BIT(chan->channel)));
break;
case AD5766_DITHER_SOURCE:
return sprintf(buf, "%d\n",
ad5766_get_dither_source(indio_dev, chan));
Reported by FlawFinder.
Line: 373
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
!!(st->dither_invert & BIT(chan->channel)));
break;
case AD5766_DITHER_SOURCE:
return sprintf(buf, "%d\n",
ad5766_get_dither_source(indio_dev, chan));
default:
return -EINVAL;
}
}
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadow.c
3 issues
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
const struct firmware *fw = data;
if (offset + length <= fw->size) {
memcpy(bios->data + offset, fw->data + offset, length);
return length;
}
return 0;
}
Reported by FlawFinder.
Line: 45
Column: 26
CWE codes:
120
20
const u32 start = bios->size;
void *data = mthd->data;
if (nvbios_extend(bios, limit) > 0) {
u32 read = mthd->func->read(data, start, limit - start, bios);
bios->size = start + read;
}
return bios->size >= upto;
}
Reported by FlawFinder.
Line: 46
Column: 24
CWE codes:
120
20
void *data = mthd->data;
if (nvbios_extend(bios, limit) > 0) {
u32 read = mthd->func->read(data, start, limit - start, bios);
bios->size = start + read;
}
return bios->size >= upto;
}
static int
Reported by FlawFinder.
drivers/infiniband/sw/rxe/rxe_verbs.h
3 issues
Line: 322
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u64 iova;
size_t length;
u32 offset;
int access;
int page_shift;
int page_mask;
int map_shift;
int map_mask;
Reported by FlawFinder.
Line: 353
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
enum rxe_mw_state state;
struct rxe_qp *qp; /* Type 2 only */
struct rxe_mr *mr;
int access;
u64 addr;
u64 length;
};
struct rxe_mc_grp {
Reported by FlawFinder.
drivers/infiniband/sw/rxe/rxe_icrc.c
3 issues
Line: 36
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crc = 0xdebb20e3;
if (skb->protocol == htons(ETH_P_IP)) { /* IPv4 */
memcpy(pshdr, ip_hdr(skb), hdr_size);
ip4h = (struct iphdr *)pshdr;
udph = (struct udphdr *)(ip4h + 1);
ip4h->ttl = 0xff;
ip4h->check = CSUM_MANGLED_0;
Reported by FlawFinder.
Line: 44
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ip4h->check = CSUM_MANGLED_0;
ip4h->tos = 0xff;
} else { /* IPv6 */
memcpy(pshdr, ipv6_hdr(skb), hdr_size);
ip6h = (struct ipv6hdr *)pshdr;
udph = (struct udphdr *)(ip6h + 1);
memset(ip6h->flow_lbl, 0xff, sizeof(ip6h->flow_lbl));
ip6h->priority = 0xf;
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bth_offset += hdr_size;
memcpy(&pshdr[bth_offset], pkt->hdr, RXE_BTH_BYTES);
bth = (struct rxe_bth *)&pshdr[bth_offset];
/* exclude bth.resv8a */
bth->qpn |= cpu_to_be32(~BTH_QPN_MASK);
Reported by FlawFinder.
drivers/infiniband/sw/rxe/rxe_av.c
3 issues
Line: 14
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
rxe_av_from_attr(rdma_ah_get_port_num(attr), av, attr);
rxe_av_fill_ip_info(av, attr);
memcpy(av->dmac, attr->roce.dmac, ETH_ALEN);
}
int rxe_av_chk_attr(struct rxe_dev *rxe, struct rdma_ah_attr *attr)
{
const struct ib_global_route *grh = rdma_ah_read_grh(attr);
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct ib_global_route *grh = rdma_ah_read_grh(attr);
memset(av, 0, sizeof(*av));
memcpy(av->grh.dgid.raw, grh->dgid.raw, sizeof(grh->dgid.raw));
av->grh.flow_label = grh->flow_label;
av->grh.sgid_index = grh->sgid_index;
av->grh.hop_limit = grh->hop_limit;
av->grh.traffic_class = grh->traffic_class;
av->port_num = port_num;
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
attr->type = RDMA_AH_ATTR_TYPE_ROCE;
memcpy(grh->dgid.raw, av->grh.dgid.raw, sizeof(av->grh.dgid.raw));
grh->flow_label = av->grh.flow_label;
grh->sgid_index = av->grh.sgid_index;
grh->hop_limit = av->grh.hop_limit;
grh->traffic_class = av->grh.traffic_class;
Reported by FlawFinder.
drivers/iio/imu/adis16480.c
3 issues
Line: 174
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 data[ADIS16495_BURST_MAX_DATA] __aligned(8);
};
static const char * const adis16480_int_pin_names[4] = {
[ADIS16480_PIN_DIO1] = "DIO1",
[ADIS16480_PIN_DIO2] = "DIO2",
[ADIS16480_PIN_DIO3] = "DIO3",
[ADIS16480_PIN_DIO4] = "DIO4",
};
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char __user *userbuf, size_t count, loff_t *ppos)
{
struct adis16480 *adis16480 = file->private_data;
char buf[7];
size_t len;
u16 rev;
int ret;
ret = adis_read_reg_16(&adis16480->adis, ADIS16480_REG_FIRM_REV, &rev);
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct adis16480 *adis16480 = file->private_data;
u16 md, year;
char buf[12];
size_t len;
int ret;
ret = adis_read_reg_16(&adis16480->adis, ADIS16480_REG_FIRM_Y, &year);
if (ret)
Reported by FlawFinder.
drivers/infiniband/sw/rdmavt/qp.c
3 issues
Line: 2070
Column: 24
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
ret = rvt_fast_reg_mr(qp,
reg_wr(wr)->mr,
reg_wr(wr)->key,
reg_wr(wr)->access);
if (ret || !(wr->send_flags & IB_SEND_SIGNALED))
return ret;
break;
case IB_WR_LOCAL_INV:
if ((wr->send_flags & IB_SEND_FENCE) ||
Reported by FlawFinder.
Line: 2105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wqe = rvt_get_swqe_ptr(qp, qp->s_head);
/* cplen has length from above */
memcpy(&wqe->wr, wr, cplen);
wqe->length = 0;
j = 0;
if (wr->num_sge) {
struct rvt_sge *last_sge = NULL;
Reported by FlawFinder.
Line: 2928
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (cacheless_copy) {
cacheless_memcpy(sge->vaddr, data, len);
} else {
memcpy(sge->vaddr, data, len);
}
rvt_update_sge(ss, len, release);
data += len;
length -= len;
}
Reported by FlawFinder.
drivers/infiniband/hw/vmw_pvrdma/pvrdma_misc.c
3 issues
Line: 245
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void pvrdma_gid_to_ib(union ib_gid *dst, const union pvrdma_gid *src)
{
BUILD_BUG_ON(sizeof(union pvrdma_gid) != sizeof(union ib_gid));
memcpy(dst, src, sizeof(*src));
}
void ib_gid_to_pvrdma(union pvrdma_gid *dst, const union ib_gid *src)
{
BUILD_BUG_ON(sizeof(union pvrdma_gid) != sizeof(union ib_gid));
Reported by FlawFinder.
Line: 251
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void ib_gid_to_pvrdma(union pvrdma_gid *dst, const union ib_gid *src)
{
BUILD_BUG_ON(sizeof(union pvrdma_gid) != sizeof(union ib_gid));
memcpy(dst, src, sizeof(*src));
}
void pvrdma_global_route_to_ib(struct ib_global_route *dst,
const struct pvrdma_global_route *src)
{
Reported by FlawFinder.
Line: 285
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rdma_ah_set_static_rate(dst, src->static_rate);
rdma_ah_set_ah_flags(dst, src->ah_flags);
rdma_ah_set_port_num(dst, src->port_num);
memcpy(dst->roce.dmac, &src->dmac, ETH_ALEN);
}
void rdma_ah_attr_to_pvrdma(struct pvrdma_ah_attr *dst,
const struct rdma_ah_attr *src)
{
Reported by FlawFinder.
drivers/infiniband/hw/vmw_pvrdma/pvrdma_main.c
3 issues
Line: 597
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(cmd_bind, 0, sizeof(*cmd_bind));
cmd_bind->hdr.cmd = PVRDMA_CMD_CREATE_BIND;
memcpy(cmd_bind->new_gid, gid->raw, 16);
cmd_bind->mtu = ib_mtu_enum_to_int(IB_MTU_1024);
cmd_bind->vlan = 0xfff;
cmd_bind->index = index;
cmd_bind->gid_type = gid_type;
Reported by FlawFinder.
Line: 609
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"could not create binding, error: %d\n", ret);
return -EFAULT;
}
memcpy(&dev->sgid_tbl[index], gid, sizeof(*gid));
return 0;
}
static int pvrdma_add_gid(const struct ib_gid_attr *attr, void **context)
{
Reported by FlawFinder.
Line: 636
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(cmd_dest, 0, sizeof(*cmd_dest));
cmd_dest->hdr.cmd = PVRDMA_CMD_DESTROY_BIND;
memcpy(cmd_dest->dest_gid, &dev->sgid_tbl[index], 16);
cmd_dest->index = index;
ret = pvrdma_cmd_post(dev, &req, NULL, 0);
if (ret < 0) {
dev_warn(&dev->pdev->dev,
Reported by FlawFinder.