The following issues were found

drivers/char/tpm/tpm_tis_spi_main.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 119 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              		if (out) {
			spi_xfer.tx_buf = phy->iobuf;
			spi_xfer.rx_buf = NULL;
			memcpy(phy->iobuf, out, transfer_len);
			out += transfer_len;
		}

		spi_message_init(&m);
		spi_message_add_tail(&spi_xfer, &m);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 131 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              			goto exit;

		if (in) {
			memcpy(in, phy->iobuf, transfer_len);
			in += transfer_len;
		}

		len -= transfer_len;
	}

Reported by FlawFinder.

drivers/dma/ppc4xx/adma.c
2 issues
Possible null pointer dereference: scf
Error

Line: 2748 CWE codes: 476 

              				ppc440spe_desc_set_src_mult(iter, chan,
							    DMA_CUED_MULT1_OFF,
							    mult_dst,
							    scf[src_cnt - 1]);
			}
			if (!(--src_cnt))
				break;
		}
	}

Reported by Cppcheck.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 92 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              static struct ppc440spe_adma_desc_slot *xor_last_submit;

/* This array is used in data-check operations for storing a pattern */
static char ppc440spe_qword[16];

static atomic_t ppc440spe_adma_err_irq_ref;
static dcr_host_t ppc440spe_mq_dcr_host;
static unsigned int ppc440spe_mq_dcr_len;

Reported by FlawFinder.

drivers/char/tpm/tpm_vtpm_proxy.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 289 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              		goto out;
	}

	memcpy(buf, proxy_dev->buffer, len);
	proxy_dev->resp_len = 0;

out:
	mutex_unlock(&proxy_dev->buf_lock);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 355 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	proxy_dev->resp_len = 0;

	proxy_dev->req_len = count;
	memcpy(proxy_dev->buffer, buf, count);

	proxy_dev->state &= ~STATE_WAIT_RESPONSE_FLAG;

	mutex_unlock(&proxy_dev->buf_lock);

Reported by FlawFinder.

drivers/cpuidle/dt_idle_states.c
2 issues
strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 88 Column: 2 CWE codes: 120 

              	 *	replace with kstrdup and pointer assignment when name
	 *	and desc become string pointers
	 */
	strncpy(idle_state->name, state_node->name, CPUIDLE_NAME_LEN - 1);
	strncpy(idle_state->desc, desc, CPUIDLE_DESC_LEN - 1);
	return 0;
}

/*

Reported by FlawFinder.

strncpy - Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned]
Security

Line: 89 Column: 2 CWE codes: 120 

              	 *	and desc become string pointers
	 */
	strncpy(idle_state->name, state_node->name, CPUIDLE_NAME_LEN - 1);
	strncpy(idle_state->desc, desc, CPUIDLE_DESC_LEN - 1);
	return 0;
}

/*
 * Check that the idle state is uniform across all CPUs in the CPUidle driver

Reported by FlawFinder.

drivers/char/tpm/xen-tpmfront.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 156 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              		return -ETIME;
	}

	memcpy(offset + (u8 *)shr, buf, count);
	shr->length = count;
	barrier();
	shr->state = VTPM_STATE_SUBMIT;
	wmb();
	notify_remote_via_evtchn(priv->evtchn);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 202 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              	if (length > count)
		length = count;

	memcpy(buf, offset + (u8 *)shr, length);

	return length;
}

static const struct tpm_class_ops tpm_vtpm = {

Reported by FlawFinder.

drivers/dma/qcom/hidma.c
2 issues
sprintf - Does not check for buffer overflows
Security

Line: 621 Column: 3 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf 

              	buf[0] = 0;

	if (strcmp(attr->attr.name, "chid") == 0)
		sprintf(buf, "%d\n", mdev->chidx);

	return strlen(buf);
}

static inline void  hidma_sysfs_uninit(struct hidma_dev *dev)

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 623 Column: 9 CWE codes: 126 

              	if (strcmp(attr->attr.name, "chid") == 0)
		sprintf(buf, "%d\n", mdev->chidx);

	return strlen(buf);
}

static inline void  hidma_sysfs_uninit(struct hidma_dev *dev)
{
	device_remove_file(dev->ddev.dev, dev->chid_attrs);

Reported by FlawFinder.

crypto/ecdh_helper.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 17 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              
static inline u8 *ecdh_pack_data(void *dst, const void *src, size_t sz)
{
	memcpy(dst, src, sz);
	return dst + sz;
}

static inline const u8 *ecdh_unpack_data(void *dst, const void *src, size_t sz)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 23 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              
static inline const u8 *ecdh_unpack_data(void *dst, const void *src, size_t sz)
{
	memcpy(dst, src, sz);
	return src + sz;
}

unsigned int crypto_ecdh_key_len(const struct ecdh *params)
{

Reported by FlawFinder.

drivers/char/hw_random/virtio-rng.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 22 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              	struct hwrng hwrng;
	struct virtqueue *vq;
	struct completion have_data;
	char name[25];
	unsigned int data_avail;
	int index;
	bool busy;
	bool hwrng_register_done;
	bool hwrng_removed;

Reported by FlawFinder.

sprintf - Does not check for buffer overflows
Security

Line: 102 Column: 2 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf 

              		err = index;
		goto err_ida;
	}
	sprintf(vi->name, "virtio_rng.%d", index);
	init_completion(&vi->have_data);

	vi->hwrng = (struct hwrng) {
		.read = virtio_read,
		.cleanup = virtio_cleanup,

Reported by FlawFinder.

drivers/android/binderfs.c
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 155 Column: 13 CWE codes: 126 

              	inode->i_gid = info->root_gid;

	req->name[BINDERFS_MAX_NAME] = '\0'; /* NUL-terminate */
	name_len = strlen(req->name);
	/* Make sure to include terminating NUL byte */
	name = kmemdup(req->name, name_len + 1, GFP_KERNEL);
	if (!name)
		goto err;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 490 Column: 40 CWE codes: 126 

              {
	struct dentry *dentry;

	dentry = lookup_one_len(name, parent, strlen(name));
	if (IS_ERR(dentry))
		return dentry;

	/* Return error if the file/dir already exists. */
	if (d_really_is_positive(dentry)) {

Reported by FlawFinder.

drivers/char/xilinx_hwicap/xilinx_hwicap.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 428 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              			status = -EFAULT;
			goto error;
		}
		memcpy(drvdata->read_buffer,
		       kbuf,
		       bytes_remaining);
		drvdata->read_buffer_in_use = bytes_remaining;
		free_page((unsigned long)kbuf);
	}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 479 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              		len &= ~3;

		if (drvdata->write_buffer_in_use) {
			memcpy(kbuf, drvdata->write_buffer,
					drvdata->write_buffer_in_use);
			if (copy_from_user(
			    (((char *)kbuf) + drvdata->write_buffer_in_use),
			    buf + written,
			    len - (drvdata->write_buffer_in_use))) {

Reported by FlawFinder.