The following issues were found
drivers/gpu/drm/i2c/tda998x_drv.c
2 issues
Line: 623
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buf[0] = REG2ADDR(reg);
memcpy(&buf[1], p, cnt);
mutex_lock(&priv->mutex);
ret = set_page(priv, reg);
if (ret < 0)
goto out;
Reported by FlawFinder.
Line: 1155
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct tda998x_priv *priv = dev_get_drvdata(dev);
mutex_lock(&priv->audio_mutex);
memcpy(buf, priv->connector.eld,
min(sizeof(priv->connector.eld), len));
mutex_unlock(&priv->audio_mutex);
return 0;
}
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_atomic_plane.c
2 issues
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 update_mask = new_crtc_state->update_planes;
struct intel_plane *plane;
memcpy(entries_y, old_crtc_state->wm.skl.plane_ddb_y,
sizeof(old_crtc_state->wm.skl.plane_ddb_y));
memcpy(entries_uv, old_crtc_state->wm.skl.plane_ddb_uv,
sizeof(old_crtc_state->wm.skl.plane_ddb_uv));
while ((plane = skl_next_plane_to_commit(state, crtc,
Reported by FlawFinder.
Line: 507
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(entries_y, old_crtc_state->wm.skl.plane_ddb_y,
sizeof(old_crtc_state->wm.skl.plane_ddb_y));
memcpy(entries_uv, old_crtc_state->wm.skl.plane_ddb_uv,
sizeof(old_crtc_state->wm.skl.plane_ddb_uv));
while ((plane = skl_next_plane_to_commit(state, crtc,
entries_y, entries_uv,
&update_mask))) {
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_dp_aux.c
2 issues
Line: 431
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
drm_WARN_ON(&i915->drm, !msg->buffer != !msg->size);
if (msg->buffer)
memcpy(txbuf + HEADER_SIZE, msg->buffer, msg->size);
ret = intel_dp_aux_xfer(intel_dp, txbuf, txsize,
rxbuf, rxsize, flags);
if (ret > 0) {
msg->reply = rxbuf[0] >> 4;
Reported by FlawFinder.
Line: 467
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Return payload size.
*/
ret--;
memcpy(msg->buffer, rxbuf + 1, ret);
}
break;
default:
ret = -EINVAL;
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_hdmi.c
2 issues
Line: 1664
CWE codes:
768
ret = __wait_for(ret = hdcp2_detect_msg_availability(dig_port,
msg_id, &msg_ready,
&msg_sz),
!ret && msg_ready && msg_sz, timeout * 1000,
1000, 5 * 1000);
if (ret)
drm_dbg_kms(&i915->drm, "msg_id: %d, ret: %d, timeout: %d\n",
msg_id, ret, timeout);
Reported by Cppcheck.
Line: 1306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
write_buf[0] = offset & 0xff;
memcpy(&write_buf[1], buffer, size);
msg.addr = DRM_HDCP_DDC_ADDR;
msg.flags = 0,
msg.len = size + 1,
msg.buf = write_buf;
Reported by FlawFinder.
drivers/gpu/drm/i915/gem/i915_gem_mman.c
2 issues
Line: 457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (write) {
memcpy(vaddr + addr, buf, len);
__i915_gem_object_flush_map(obj, addr, len);
} else {
memcpy(buf, vaddr + addr, len);
}
Reported by FlawFinder.
Line: 460
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(vaddr + addr, buf, len);
__i915_gem_object_flush_map(obj, addr, len);
} else {
memcpy(buf, vaddr + addr, len);
}
i915_gem_object_unpin_map(obj);
out:
if (err == -EDEADLK) {
Reported by FlawFinder.
drivers/gpu/drm/i915/gem/i915_gem_phys.c
2 issues
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto err_st;
src = kmap_atomic(page);
memcpy(dst, src, PAGE_SIZE);
drm_clflush_virt_range(dst, PAGE_SIZE);
kunmap_atomic(src);
put_page(page);
dst += PAGE_SIZE;
Reported by FlawFinder.
Line: 117
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst = kmap_atomic(page);
drm_clflush_virt_range(src, PAGE_SIZE);
memcpy(dst, src, PAGE_SIZE);
kunmap_atomic(dst);
set_page_dirty(page);
if (obj->mm.madv == I915_MADV_WILLNEED)
mark_page_accessed(page);
Reported by FlawFinder.
drivers/gpu/drm/i915/gem/selftests/huge_pages.c
2 issues
Line: 162
CWE codes:
908
if (size >> PAGE_SHIFT > INT_MAX)
return ERR_PTR(-E2BIG);
if (overflows_type(size, obj->base.size))
return ERR_PTR(-E2BIG);
obj = i915_gem_object_alloc();
if (!obj)
return ERR_PTR(-ENOMEM);
Reported by Cppcheck.
Line: 312
CWE codes:
908
if (size >> PAGE_SHIFT > UINT_MAX)
return ERR_PTR(-E2BIG);
if (overflows_type(size, obj->base.size))
return ERR_PTR(-E2BIG);
obj = i915_gem_object_alloc();
if (!obj)
return ERR_PTR(-ENOMEM);
Reported by Cppcheck.
drivers/gpu/drm/i915/gt/intel_engine.h
2 issues
Line: 59
Column: 43
CWE codes:
120
20
__ENGINE_REG_OP(op__, (engine__), reg__((engine__)->mmio_base))
#define ENGINE_READ16(...) __ENGINE_READ_OP(read16, __VA_ARGS__)
#define ENGINE_READ(...) __ENGINE_READ_OP(read, __VA_ARGS__)
#define ENGINE_READ_FW(...) __ENGINE_READ_OP(read_fw, __VA_ARGS__)
#define ENGINE_POSTING_READ(...) __ENGINE_READ_OP(posting_read_fw, __VA_ARGS__)
#define ENGINE_POSTING_READ16(...) __ENGINE_READ_OP(posting_read16, __VA_ARGS__)
#define ENGINE_READ64(engine__, lower_reg__, upper_reg__) \
Reported by FlawFinder.
Line: 70
Column: 18
CWE codes:
120
20
upper_reg__((engine__)->mmio_base))
#define ENGINE_READ_IDX(engine__, reg__, idx__) \
__ENGINE_REG_OP(read, (engine__), reg__((engine__)->mmio_base, (idx__)))
#define __ENGINE_WRITE_OP(op__, engine__, reg__, val__) \
__ENGINE_REG_OP(op__, (engine__), reg__((engine__)->mmio_base), (val__))
#define ENGINE_WRITE16(...) __ENGINE_WRITE_OP(write16, __VA_ARGS__)
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/intel_engine_user.c
2 issues
Line: 202
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_engine_cs *engine =
container_of((struct rb_node *)it, typeof(*engine),
uabi_node);
char old[sizeof(engine->name)];
if (intel_gt_has_unrecoverable_error(engine->gt))
continue; /* ignore incomplete engines */
GEM_BUG_ON(engine->class >= ARRAY_SIZE(uabi_classes));
Reported by FlawFinder.
Line: 214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
engine->uabi_instance = uabi_instances[engine->uabi_class]++;
/* Replace the internal name with the final user facing name */
memcpy(old, engine->name, sizeof(engine->name));
scnprintf(engine->name, sizeof(engine->name), "%s%u",
intel_engine_class_repr(engine->class),
engine->uabi_instance);
DRM_DEBUG_DRIVER("renamed %s to %s\n", old, engine->name);
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/intel_gtt.c
2 issues
Line: 86
Column: 38
CWE codes:
362
{
struct i915_vma *vma, *vn;
if (!atomic_dec_and_mutex_lock(&vm->open, &vm->mutex))
return;
list_for_each_entry_safe(vma, vn, &vm->bound_list, vm_link) {
struct drm_i915_gem_object *obj = vma->obj;
Reported by FlawFinder.
Line: 177
Column: 18
CWE codes:
362
kref_init(&vm->resv_ref);
INIT_RCU_WORK(&vm->rcu, __i915_vm_release);
atomic_set(&vm->open, 1);
/*
* The vm->mutex must be reclaim safe (for use in the shrinker).
* Do a dummy acquire now under fs_reclaim so that any allocation
* attempt holding the lock is immediately reported by lockdep.
Reported by FlawFinder.