The following issues were found
drivers/gpu/drm/i915/gt/shmem_utils.c
2 issues
Line: 109
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vaddr = kmap(page);
if (write) {
memcpy(vaddr + offset_in_page(off), ptr, this);
set_page_dirty(page);
} else {
memcpy(ptr, vaddr + offset_in_page(off), this);
}
mark_page_accessed(page);
Reported by FlawFinder.
Line: 112
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(vaddr + offset_in_page(off), ptr, this);
set_page_dirty(page);
} else {
memcpy(ptr, vaddr + offset_in_page(off), this);
}
mark_page_accessed(page);
kunmap(page);
put_page(page);
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/uc/intel_guc_log.c
2 issues
Line: 254
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* (which is uncached mapped), on the stack to avoid reading
* from it multiple times.
*/
memcpy(&log_buf_state_local, log_buf_state,
sizeof(struct guc_log_buffer_state));
buffer_size = guc_get_log_buffer_size(type);
read_offset = log_buf_state_local.read_ptr;
write_offset = log_buf_state_local.sampled_write_ptr;
full_cnt = log_buf_state_local.buffer_full_cnt;
Reported by FlawFinder.
Line: 271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
log_buf_state++;
/* First copy the state structure in snapshot buffer */
memcpy(log_buf_snapshot_state, &log_buf_state_local,
sizeof(struct guc_log_buffer_state));
/*
* The write pointer could have been updated by GuC firmware,
* after sending the flush interrupt to Host, for consistency
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/uc/intel_uc_fw_abi.h
2 issues
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define CSS_TIME_HOUR (0xFF << 0)
#define CSS_DATE_MIN (0xFF << 8)
#define CSS_DATE_SEC (0xFFFF << 16)
char username[8];
char buildnumber[12];
u32 sw_version;
#define CSS_SW_VERSION_UC_MAJOR (0xFF << 16)
#define CSS_SW_VERSION_UC_MINOR (0xFF << 8)
#define CSS_SW_VERSION_UC_PATCH (0xFF << 0)
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define CSS_DATE_MIN (0xFF << 8)
#define CSS_DATE_SEC (0xFFFF << 16)
char username[8];
char buildnumber[12];
u32 sw_version;
#define CSS_SW_VERSION_UC_MAJOR (0xFF << 16)
#define CSS_SW_VERSION_UC_MINOR (0xFF << 8)
#define CSS_SW_VERSION_UC_PATCH (0xFF << 0)
u32 reserved0[13];
Reported by FlawFinder.
drivers/gpu/drm/i915/gvt/vgpu.c
2 issues
Line: 153
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
high_avail / vgpu_types[i].high_mm);
if (GRAPHICS_VER(gvt->gt->i915) == 8)
sprintf(gvt->types[i].name, "GVTg_V4_%s",
vgpu_types[i].name);
else if (GRAPHICS_VER(gvt->gt->i915) == 9)
sprintf(gvt->types[i].name, "GVTg_V5_%s",
vgpu_types[i].name);
Reported by FlawFinder.
Line: 156
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(gvt->types[i].name, "GVTg_V4_%s",
vgpu_types[i].name);
else if (GRAPHICS_VER(gvt->gt->i915) == 9)
sprintf(gvt->types[i].name, "GVTg_V5_%s",
vgpu_types[i].name);
gvt_dbg_core("type[%d]: %s avail %u low %u high %u fence %u weight %u res %s\n",
i, gvt->types[i].name,
gvt->types[i].avail_instance,
Reported by FlawFinder.
drivers/gpu/drm/i915/i915_pmu.c
2 issues
Line: 806
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i915_str_attribute *eattr;
eattr = container_of(attr, struct i915_str_attribute, attr);
return sprintf(buf, "%s\n", eattr->str);
}
#define I915_PMU_FORMAT_ATTR(_name, _config) \
(&((struct i915_str_attribute[]) { \
{ .attr = __ATTR(_name, 0444, i915_pmu_format_show, NULL), \
Reported by FlawFinder.
Line: 836
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i915_ext_attribute *eattr;
eattr = container_of(attr, struct i915_ext_attribute, attr);
return sprintf(buf, "config=0x%lx\n", eattr->val);
}
static ssize_t cpumask_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
drivers/gpu/drm/i915/i915_request.c
2 issues
Line: 446
CWE codes:
908
do {
tmp = list_first_entry(&tl->requests, typeof(*tmp), link);
} while (i915_request_retire(tmp) && tmp != rq);
}
static struct i915_request * const *
__engine_active(struct intel_engine_cs *engine)
{
Reported by Cppcheck.
Line: 2057
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int indent)
{
const char *name = rq->fence.ops->get_timeline_name((struct dma_fence *)&rq->fence);
char buf[80] = "";
int x = 0;
/*
* The prefix is used to show the queue status, for which we use
* the following flags:
Reported by FlawFinder.
drivers/gpu/drm/i915/intel_uncore.h
2 issues
Line: 270
Column: 9
CWE codes:
120
20
static inline u##x__ __raw_uncore_read##x__(const struct intel_uncore *uncore, \
i915_reg_t reg) \
{ \
return read##s__(uncore->regs + i915_mmio_reg_offset(reg)); \
}
#define __raw_write(x__, s__) \
static inline void __raw_uncore_write##x__(const struct intel_uncore *uncore, \
i915_reg_t reg, u##x__ val) \
Reported by FlawFinder.
Line: 308
Column: 15
CWE codes:
120
20
__uncore_read(read8, 8, b, true)
__uncore_read(read16, 16, w, true)
__uncore_read(read, 32, l, true)
__uncore_read(read16_notrace, 16, w, false)
__uncore_read(read_notrace, 32, l, false)
__uncore_write(write8, 8, b, true)
__uncore_write(write16, 16, w, true)
Reported by FlawFinder.
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
2 issues
Line: 116
CWE codes:
908
GEM_BUG_ON(!size);
GEM_BUG_ON(!IS_ALIGNED(size, I915_GTT_PAGE_SIZE));
if (overflows_type(size, obj->base.size))
return ERR_PTR(-E2BIG);
obj = i915_gem_object_alloc();
if (!obj)
goto err;
Reported by Cppcheck.
Line: 1062
Column: 37
CWE codes:
362
goto out_free;
}
GEM_BUG_ON(offset_in_page(ppgtt->vm.total));
GEM_BUG_ON(!atomic_read(&ppgtt->vm.open));
err = func(&ppgtt->vm, 0, ppgtt->vm.total, end_time);
i915_vm_put(&ppgtt->vm);
Reported by FlawFinder.
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
2 issues
Line: 101
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *dst = state_kcalloc(a6xx_state, 1, size);
if (dst)
memcpy(dst, src, size);
return dst;
}
/*
* Allocate 1MB for the crashdumper scratch region - 8k for the script and
Reported by FlawFinder.
Line: 1021
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_ascii85(struct drm_printer *p, size_t len, u32 *data)
{
char out[ASCII85_BUFSZ];
long i, l, datalen = 0;
for (i = 0; i < len >> 2; i++) {
if (data[i])
datalen = (i + 1) << 2;
Reported by FlawFinder.
drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.h
2 issues
Line: 229
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @features bit mask identifying sub-blocks/features
*/
#define DPU_HW_BLK_INFO \
char name[DPU_HW_BLK_NAME_LEN]; \
u32 id; \
u32 base; \
u32 len; \
unsigned long features
Reported by FlawFinder.
Line: 244
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @len register block length of this sub-block
*/
#define DPU_HW_SUBBLK_INFO \
char name[DPU_HW_BLK_NAME_LEN]; \
u32 id; \
u32 base; \
u32 len
/**
Reported by FlawFinder.