The following issues were found
drivers/infiniband/hw/hfi1/debugfs.c
3 issues
Line: 1262
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* per port files */
for (ppd = dd->pport, j = 0; j < dd->num_pports; j++, ppd++)
for (i = 0; i < ARRAY_SIZE(port_cntr_ops); i++) {
snprintf(name,
sizeof(name),
port_cntr_ops[i].name,
j + 1);
debugfs_create_file(name,
!port_cntr_ops[i].ops.write ?
Reported by FlawFinder.
Line: 1224
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void hfi1_dbg_ibdev_init(struct hfi1_ibdev *ibd)
{
char name[sizeof("port0counters") + 1];
char link[10];
struct hfi1_devdata *dd = dd_from_dev(ibd);
struct hfi1_pportdata *ppd;
struct dentry *root;
int unit = dd->unit;
Reported by FlawFinder.
Line: 1225
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void hfi1_dbg_ibdev_init(struct hfi1_ibdev *ibd)
{
char name[sizeof("port0counters") + 1];
char link[10];
struct hfi1_devdata *dd = dd_from_dev(ibd);
struct hfi1_pportdata *ppd;
struct dentry *root;
int unit = dd->unit;
int i, j;
Reported by FlawFinder.
drivers/macintosh/via-cuda.c
3 issues
Line: 165
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct adb_request *current_req;
static struct adb_request *last_req;
static unsigned char cuda_rbuf[16];
static unsigned char *reply_ptr;
static int reading_reply;
static int data_index;
static int cuda_irq;
#ifdef CONFIG_PPC
Reported by FlawFinder.
Line: 569
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long flags;
u8 status;
struct adb_request *req = NULL;
unsigned char ibuf[16];
int ibuf_len = 0;
int complete = 0;
bool full;
spin_lock_irqsave(&cuda_lock, flags);
Reported by FlawFinder.
Line: 711
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* call to cuda_input to outside of the lock.
*/
ibuf_len = reply_ptr - cuda_rbuf;
memcpy(ibuf, cuda_rbuf, ibuf_len);
}
reply_ptr = cuda_rbuf;
cuda_state = idle;
cuda_start();
if (cuda_state == idle && TREQ_asserted(in_8(&via[B]))) {
Reported by FlawFinder.
drivers/gpu/drm/vkms/vkms_plane.c
3 issues
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vkms_plane_state = to_vkms_plane_state(new_state);
composer = vkms_plane_state->composer;
memcpy(&composer->src, &new_state->src, sizeof(struct drm_rect));
memcpy(&composer->dst, &new_state->dst, sizeof(struct drm_rect));
memcpy(&composer->fb, fb, sizeof(struct drm_framebuffer));
drm_framebuffer_get(&composer->fb);
composer->offset = fb->offsets[0];
composer->pitch = fb->pitches[0];
Reported by FlawFinder.
Line: 111
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
composer = vkms_plane_state->composer;
memcpy(&composer->src, &new_state->src, sizeof(struct drm_rect));
memcpy(&composer->dst, &new_state->dst, sizeof(struct drm_rect));
memcpy(&composer->fb, fb, sizeof(struct drm_framebuffer));
drm_framebuffer_get(&composer->fb);
composer->offset = fb->offsets[0];
composer->pitch = fb->pitches[0];
composer->cpp = fb->format->cpp[0];
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
composer = vkms_plane_state->composer;
memcpy(&composer->src, &new_state->src, sizeof(struct drm_rect));
memcpy(&composer->dst, &new_state->dst, sizeof(struct drm_rect));
memcpy(&composer->fb, fb, sizeof(struct drm_framebuffer));
drm_framebuffer_get(&composer->fb);
composer->offset = fb->offsets[0];
composer->pitch = fb->pitches[0];
composer->cpp = fb->format->cpp[0];
}
Reported by FlawFinder.
drivers/input/misc/iqs626a.c
3 issues
Line: 275
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
} __packed;
struct iqs626_flags {
__be16 system;
u8 gesture;
u8 padding_a;
u8 states[4];
u8 ref_active;
u8 padding_b;
Reported by FlawFinder.
Line: 1526
Column: 24
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
* in the event of an I2C communication error. In this case, the device
* asserts a SHOW_RESET interrupt and all registers must be restored.
*/
if (be16_to_cpu(flags.system) & IQS626_SYS_FLAGS_SHOW_RESET) {
dev_err(&client->dev, "Unexpected device reset\n");
error = regmap_raw_write(iqs626->regmap, IQS626_SYS_SETTINGS,
sys_reg, sizeof(*sys_reg));
if (error)
Reported by FlawFinder.
Line: 1538
Column: 24
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
return error;
}
if (be16_to_cpu(flags.system) & IQS626_SYS_FLAGS_IN_ATI)
return 0;
/*
* Unlike the ULP or generic channels, the Hall channel does not have a
* direction flag. Instead, the direction (i.e. magnet polarity) can be
Reported by FlawFinder.
drivers/input/mouse/alps.h
3 issues
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct psmouse *psmouse;
struct input_dev *dev2;
struct input_dev *dev3;
char phys2[32];
char phys3[32];
struct delayed_work dev3_register_work;
/* these are autodetected when the device is identified */
const struct alps_nibble_commands *nibble_commands;
Reported by FlawFinder.
Line: 291
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *dev2;
struct input_dev *dev3;
char phys2[32];
char phys3[32];
struct delayed_work dev3_register_work;
/* these are autodetected when the device is identified */
const struct alps_nibble_commands *nibble_commands;
int addr_command;
Reported by FlawFinder.
Line: 318
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int prev_fin;
int multi_packet;
int second_touch;
unsigned char multi_data[6];
struct alps_fields f;
u8 quirks;
struct timer_list timer;
};
Reported by FlawFinder.
drivers/md/dm-ebs-target.c
3 issues
Line: 401
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
*result = '\0';
break;
case STATUSTYPE_TABLE:
snprintf(result, maxlen, ec->u_bs_set ? "%s %llu %u %u" : "%s %llu %u",
ec->dev->name, (unsigned long long) ec->start, ec->e_bs, ec->u_bs);
break;
}
}
Reported by FlawFinder.
Line: 99
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy data to/from bio to buffer if read/new was successful above. */
ba += buf_off;
if (rw == READ) {
memcpy(pa, ba, cur_len);
flush_dcache_page(bv->bv_page);
} else {
flush_dcache_page(bv->bv_page);
memcpy(ba, pa, cur_len);
dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
Reported by FlawFinder.
Line: 103
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
flush_dcache_page(bv->bv_page);
} else {
flush_dcache_page(bv->bv_page);
memcpy(ba, pa, cur_len);
dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
}
dm_bufio_release(b);
}
Reported by FlawFinder.
drivers/isdn/hardware/mISDN/speedfax.c
3 issues
Line: 60
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sfax_hw {
struct list_head list;
struct pci_dev *pdev;
char name[MISDN_MAX_IDLEN];
u32 irq;
u32 irqcnt;
u32 cfg;
struct _ioport p_isac;
struct _ioport p_isar;
Reported by FlawFinder.
Line: 249
Column: 19
CWE codes:
362
case OPEN_CHANNEL:
rq = arg;
if (rq->protocol == ISDN_P_TE_S0)
err = sf->isac.open(&sf->isac, rq);
else
err = sf->isar.open(&sf->isar, rq);
if (err)
break;
if (!try_module_get(THIS_MODULE))
Reported by FlawFinder.
Line: 251
Column: 19
CWE codes:
362
if (rq->protocol == ISDN_P_TE_S0)
err = sf->isac.open(&sf->isac, rq);
else
err = sf->isar.open(&sf->isar, rq);
if (err)
break;
if (!try_module_get(THIS_MODULE))
pr_info("%s: cannot get module\n", sf->name);
break;
Reported by FlawFinder.
drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
3 issues
Line: 62
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
define_cmd.numPages = num_pages;
*cmd++ = SVGA_CMD_DEFINE_GMR2;
memcpy(cmd, &define_cmd, sizeof(define_cmd));
cmd += sizeof(define_cmd) / sizeof(*cmd);
/*
* Need to split the command if there are too many
* pages that goes into the gmr.
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remap_cmd.numPages = nr;
*cmd++ = SVGA_CMD_REMAP_GMR2;
memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
cmd += sizeof(remap_cmd) / sizeof(*cmd);
for (i = 0; i < nr; ++i) {
if (VMW_PPN_SIZE <= 4)
*cmd = vmw_piter_dma_addr(iter) >> PAGE_SHIFT;
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
define_cmd.numPages = 0;
*cmd++ = SVGA_CMD_DEFINE_GMR2;
memcpy(cmd, &define_cmd, sizeof(define_cmd));
vmw_cmd_commit(dev_priv, define_size);
}
Reported by FlawFinder.
drivers/gpu/drm/msm/msm_perf.c
3 issues
Line: 28
Column: 7
CWE codes:
362
struct msm_perf_state {
struct drm_device *dev;
bool open;
int cnt;
struct mutex read_lock;
char buf[256];
int buftot, bufpos;
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cnt;
struct mutex read_lock;
char buf[256];
int buftot, bufpos;
unsigned long next_jiffies;
};
Reported by FlawFinder.
Line: 160
Column: 12
CWE codes:
362
mutex_lock(&dev->struct_mutex);
if (perf->open || !gpu) {
ret = -EBUSY;
goto out;
}
file->private_data = perf;
Reported by FlawFinder.
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
3 issues
Line: 76
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(cmd, 0, sizeof(*cmd));
memcpy(&cmd[1], image, image_size);
cmd->cmd = SVGA_CMD_DEFINE_ALPHA_CURSOR;
cmd->cursor.id = 0;
cmd->cursor.width = width;
cmd->cursor.height = height;
Reported by FlawFinder.
Line: 218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
virtual = ttm_kmap_obj_virtual(&map, &dummy);
if (box->w == 64 && cmd->dma.guest.pitch == 64*4) {
memcpy(srf->snooper.image, virtual, 64*64*4);
} else {
/* Image is unsigned pointer. */
for (i = 0; i < box->h; i++)
memcpy(srf->snooper.image + i * 64,
virtual + i * cmd->dma.guest.pitch,
Reported by FlawFinder.
Line: 222
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* Image is unsigned pointer. */
for (i = 0; i < box->h; i++)
memcpy(srf->snooper.image + i * 64,
virtual + i * cmd->dma.guest.pitch,
box->w * 4);
}
srf->snooper.age++;
Reported by FlawFinder.