The following issues were found
drivers/infiniband/hw/hfi1/user_pages.c
3 issues
Line: 85
Column: 17
CWE codes:
676
Suggestion:
Use getrlimit(2), setrlimit(2), and sysconf(3) instead
* of the available per-context limit. This leaves space for other
* pinning. Should we worry about shared ctxts?
*/
cache_limit = (ulimit / usr_ctxts) / 4;
/* If ulimit isn't set to "unlimited" and is smaller than cache_size. */
if (ulimit != (-1UL) && size > cache_limit)
size = cache_limit;
Reported by FlawFinder.
Line: 88
Column: 6
CWE codes:
676
Suggestion:
Use getrlimit(2), setrlimit(2), and sysconf(3) instead
cache_limit = (ulimit / usr_ctxts) / 4;
/* If ulimit isn't set to "unlimited" and is smaller than cache_size. */
if (ulimit != (-1UL) && size > cache_limit)
size = cache_limit;
/* Convert to number of pages */
size = DIV_ROUND_UP(size, PAGE_SIZE);
Reported by FlawFinder.
Line: 97
Column: 25
CWE codes:
676
Suggestion:
Use getrlimit(2), setrlimit(2), and sysconf(3) instead
pinned = atomic64_read(&mm->pinned_vm);
/* First, check the absolute limit against all pinned pages. */
if (pinned + npages >= ulimit && !can_lock)
return false;
return ((nlocked + npages) <= size) || can_lock;
}
Reported by FlawFinder.
drivers/input/keyboard/xtkbd.c
3 issues
Line: 29
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define XTKBD_KEY 0x7f
#define XTKBD_RELEASE 0x80
static unsigned char xtkbd_keycode[256] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79,
Reported by FlawFinder.
Line: 41
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct xtkbd {
unsigned char keycode[256];
struct input_dev *dev;
struct serio *serio;
char phys[32];
};
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char keycode[256];
struct input_dev *dev;
struct serio *serio;
char phys[32];
};
static irqreturn_t xtkbd_interrupt(struct serio *serio,
unsigned char data, unsigned int flags)
{
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/sdma.c
3 issues
Line: 2163
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* print info for each entry in the descriptor queue */
while (head != tail) {
char flags[6] = { 'x', 'x', 'x', 'x', 0 };
descqp = &sde->descq[head];
desc[0] = le64_to_cpu(descqp->qw[0]);
desc[1] = le64_to_cpu(descqp->qw[1]);
flags[0] = (desc[1] & SDMA_DESC1_INT_REQ_FLAG) ? 'I' : '-';
Reported by FlawFinder.
Line: 2246
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* print info for each entry in the descriptor queue */
while (head != tail) {
char flags[6] = { 'x', 'x', 'x', 'x', 0 };
descqp = &sde->descq[head];
desc[0] = le64_to_cpu(descqp->qw[0]);
desc[1] = le64_to_cpu(descqp->qw[1]);
flags[0] = (desc[1] & SDMA_DESC1_INT_REQ_FLAG) ? 'I' : '-';
Reported by FlawFinder.
Line: 3140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(tx->coalesce_buf + tx->coalesce_idx, kvaddr, len);
tx->coalesce_idx += len;
if (type == SDMA_MAP_PAGE)
kunmap_local(kvaddr);
/* If there is more data, return */
Reported by FlawFinder.
drivers/gpu/drm/vboxvideo/vbva_base.c
3 issues
Line: 39
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (diff <= 0) {
/* Chunk will not cross buffer boundary. */
memcpy(dst, p, len);
} else {
/* Chunk crosses buffer boundary. */
memcpy(dst, p, bytes_till_boundary);
memcpy(&vbva->data[0], (u8 *)p + bytes_till_boundary, diff);
}
Reported by FlawFinder.
Line: 42
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dst, p, len);
} else {
/* Chunk crosses buffer boundary. */
memcpy(dst, p, bytes_till_boundary);
memcpy(&vbva->data[0], (u8 *)p + bytes_till_boundary, diff);
}
}
static void vbva_buffer_flush(struct gen_pool *ctx)
Reported by FlawFinder.
Line: 43
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* Chunk crosses buffer boundary. */
memcpy(dst, p, bytes_till_boundary);
memcpy(&vbva->data[0], (u8 *)p + bytes_till_boundary, diff);
}
}
static void vbva_buffer_flush(struct gen_pool *ctx)
{
Reported by FlawFinder.
drivers/input/misc/cm109.c
3 issues
Line: 116
Column: 11
CWE codes:
362
unsigned char buzzer_state; /* on/off */
/* flags */
unsigned open:1;
unsigned resetting:1;
unsigned shutdown:1;
/* This mutex protects writes to the above flags */
struct mutex pm_mutex;
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short keymap[KEYMAP_SIZE];
char phys[64]; /* physical device path */
int key_code; /* last reported key */
int keybit; /* 0=new scan 1,2,4,8=scan columns */
u8 gpi; /* Cached value of GPI (high nibble) */
};
Reported by FlawFinder.
Line: 534
Column: 11
CWE codes:
362
static void cm109_restore_state(struct cm109_dev *dev)
{
if (dev->open) {
/*
* Restore buzzer state.
* This will also kick regular URB submission
*/
cm109_toggle_buzzer_async(dev);
Reported by FlawFinder.
drivers/iio/trigger/stm32-timer-trigger.c
3 issues
Line: 254
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
do_div(freq, arr + 1);
}
return sprintf(buf, "%d\n", (unsigned int)freq);
}
static IIO_DEV_ATTR_SAMP_FREQ(0660,
stm32_tt_read_frequency,
stm32_tt_store_frequency);
Reported by FlawFinder.
Line: 323
Column: 9
CWE codes:
126
for (i = 0; i <= master_mode_max; i++) {
if (!strncmp(master_mode_table[i], buf,
strlen(master_mode_table[i]))) {
mutex_lock(&priv->lock);
if (!priv->enabled) {
/* Clock should be enabled first */
priv->enabled = true;
clk_enable(priv->clk);
Reported by FlawFinder.
Line: 528
Column: 34
CWE codes:
126
return -EINVAL;
while (cur && *cur) {
if (!strncmp(trig->name, *cur, strlen(trig->name))) {
regmap_update_bits(priv->regmap,
TIM_SMCR, TIM_SMCR_TS,
i << TIM_SMCR_TS_SHIFT);
return 0;
}
Reported by FlawFinder.
drivers/gpu/drm/nouveau/include/nvif/if0002.h
3 issues
Line: 16
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 iter;
__u16 signal_nr;
__u8 pad05[2];
char name[64];
};
struct nvif_perfmon_query_signal_v0 {
__u8 version;
__u8 domain;
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 signal;
__u8 source_nr;
__u8 pad05[2];
char name[64];
};
struct nvif_perfmon_query_source_v0 {
__u8 version;
__u8 domain;
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 pad04[4];
__u32 source;
__u32 mask;
char name[64];
};
#endif
Reported by FlawFinder.
drivers/gpu/drm/vc4/vc4_validate.c
3 issues
Line: 517
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (cmd != VC4_PACKET_GEM_HANDLES)
memcpy(dst_pkt, src_pkt, info->len);
if (info->func && info->func(exec,
dst_pkt + 1,
src_pkt + 1)) {
DRM_DEBUG("0x%08x: packet %d (%s) failed to validate\n",
Reported by FlawFinder.
Line: 784
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pkt_u = exec->shader_rec_u;
pkt_v = exec->shader_rec_v;
memcpy(pkt_v, pkt_u, packet_size);
exec->shader_rec_u += packet_size;
/* Shader recs have to be aligned to 16 bytes (due to the attribute
* flags being in the low bytes), so round the next validated shader
* rec address up. This should be safe, since we've got so many
* relocations in a shader rec packet.
Reported by FlawFinder.
Line: 853
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uniform_data_u = (texture_handles_u +
validated_shader->num_texture_samples);
memcpy(exec->uniforms_v, uniform_data_u,
validated_shader->uniforms_size);
for (tex = 0;
tex < validated_shader->num_texture_samples;
tex++) {
Reported by FlawFinder.
drivers/hwmon/pmbus/ibm-cffps.c
3 issues
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int debugfs_entries[CFFPS_DEBUGFS_NUM_ENTRIES];
char led_name[32];
u8 led_state;
struct led_classdev led;
};
static const struct i2c_device_id ibm_cffps_id[];
Reported by FlawFinder.
Line: 133
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
psu->input_history.byte_count = msgbuf1[0];
memcpy(psu->input_history.data, &msgbuf1[1],
CFFPS_INPUT_HISTORY_SIZE);
psu->input_history.last_update = jiffies;
}
mutex_unlock(&psu->input_history.update_lock);
Reported by FlawFinder.
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int *idxp = file->private_data;
int idx = *idxp;
struct ibm_cffps *psu = to_psu(idxp, idx);
char data[I2C_SMBUS_BLOCK_MAX + 2] = { 0 };
pmbus_set_page(psu->client, 0, 0xff);
switch (idx) {
case CFFPS_DEBUGFS_INPUT_HISTORY:
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/efivar.c
3 issues
Line: 154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int read_hfi1_efi_var(struct hfi1_devdata *dd, const char *kind,
unsigned long *size, void **return_data)
{
char prefix_name[64];
char name[64];
int result;
int i;
/* create a common prefix */
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long *size, void **return_data)
{
char prefix_name[64];
char name[64];
int result;
int i;
/* create a common prefix */
snprintf(prefix_name, sizeof(prefix_name), "%04x:%02x:%02x.%x",
Reported by FlawFinder.
Line: 84
Column: 21
CWE codes:
126
if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
return -EOPNOTSUPP;
uni_name = kcalloc(strlen(name) + 1, sizeof(efi_char16_t), GFP_KERNEL);
temp_buffer = kzalloc(EFI_DATA_SIZE, GFP_KERNEL);
if (!uni_name || !temp_buffer) {
ret = -ENOMEM;
goto fail;
Reported by FlawFinder.