The following issues were found
drivers/gpu/drm/nouveau/nouveau_acpi.c
2 issues
Line: 75
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
union acpi_object *obj;
char args_buff[4];
union acpi_object argv4 = {
.buffer.type = ACPI_TYPE_BUFFER,
.buffer.length = 4,
.buffer.pointer = args_buff
};
Reported by FlawFinder.
Line: 265
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool nouveau_dsm_detect(void)
{
char acpi_method_name[255] = { 0 };
struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
struct pci_dev *pdev = NULL;
acpi_handle dhandle = NULL;
bool has_mux = false;
bool has_optimus = false;
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_backlight.c
2 issues
Line: 51
Column: 28
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static bool
nouveau_get_backlight_name(char backlight_name[BL_NAME_SIZE],
struct nouveau_backlight *bl)
{
const int nb = ida_simple_get(&bl_ida, 0, 0, GFP_KERNEL);
if (nb < 0 || nb >= 100)
return false;
Reported by FlawFinder.
Line: 228
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nouveau_backlight *bl;
struct nouveau_encoder *nv_encoder = NULL;
struct nvif_device *device = &drm->client.device;
char backlight_name[BL_NAME_SIZE];
struct backlight_properties props = {0};
const struct backlight_ops *ops;
int ret;
if (apple_gmux_present()) {
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_connector.c
2 issues
Line: 1256
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nouveau_connector *nv_connector = NULL;
struct drm_connector *connector;
struct drm_connector_list_iter conn_iter;
char aux_name[48] = {0};
int index = dcbe->connector;
int type, ret = 0;
bool dummy;
drm_connector_list_iter_begin(dev, &conn_iter);
Reported by FlawFinder.
Line: 475
Column: 25
CWE codes:
126
for_each_child_of_node(dn, cn) {
const char *name = of_get_property(cn, "name", NULL);
const void *edid = of_get_property(cn, "EDID", NULL);
int idx = name ? name[strlen(name) - 1] - 'A' : 0;
if (nv_encoder->dcb->i2c_index == idx && edid) {
nv_connector->edid =
kmemdup(edid, EDID_LENGTH, GFP_KERNEL);
of_node_put(cn);
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_fence.h
2 issues
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 sequence;
u32 context;
char name[32];
struct nvif_notify notify;
int notify_ref, dead;
};
Reported by FlawFinder.
Line: 39
Column: 9
CWE codes:
120
20
int (*emit)(struct nouveau_fence *);
int (*sync)(struct nouveau_fence *, struct nouveau_channel *,
struct nouveau_channel *);
u32 (*read)(struct nouveau_channel *);
int (*emit32)(struct nouveau_channel *, u64, u32);
int (*sync32)(struct nouveau_channel *, u64, u32);
u32 sequence;
u32 context;
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_hwmon.c
2 issues
Line: 128
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%i\n", ret);
}
static ssize_t
nouveau_hwmon_get_pwm1_min(struct device *d,
struct device_attribute *a, char *buf)
Reported by FlawFinder.
Line: 144
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret < 0)
return ret;
return sprintf(buf, "%i\n", ret);
}
static ssize_t
nouveau_hwmon_set_pwm1_min(struct device *d, struct device_attribute *a,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nouveau_usif.c
2 issues
Line: 99
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
filp = ntfy->p->base.file_priv;
dev = filp->minor->dev;
memcpy(&ntfy->p->e.data[0], header, length);
memcpy(&ntfy->p->e.data[length], data, size);
switch (rep->v0.version) {
case 0: {
struct nvif_notify_rep_v0 *rep = (void *)ntfy->p->e.data;
rep->route = ntfy->route;
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev = filp->minor->dev;
memcpy(&ntfy->p->e.data[0], header, length);
memcpy(&ntfy->p->e.data[length], data, size);
switch (rep->v0.version) {
case 0: {
struct nvif_notify_rep_v0 *rep = (void *)ntfy->p->e.data;
rep->route = ntfy->route;
rep->token = ntfy->token;
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvif/notify.c
2 issues
Line: 131
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!WARN_ON(notify->size != size)) {
atomic_inc(¬ify->putcnt);
if (test_bit(NVIF_NOTIFY_WORK, ¬ify->flags)) {
memcpy((void *)notify->data, data, size);
schedule_work(¬ify->work);
return NVIF_NOTIFY_DROP;
}
notify->data = data;
ret = nvif_notify_func(notify, client->driver->keep);
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
args->req.route = 0;
args->req.token = (unsigned long)(void *)notify;
memcpy(args->req.data, data, size);
ret = nvif_object_ioctl(object, args, sizeof(*args) + size, NULL);
notify->index = args->ntfy.index;
kfree(args);
done:
if (ret)
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvif/vmm.c
2 issues
Line: 55
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
args->size = size;
args->memory = nvif_handle(&mem->object);
args->offset = offset;
memcpy(args->data, argv, argc);
ret = nvif_object_mthd(&vmm->object, NVIF_VMM_V0_MAP,
args, sizeof(*args) + argc);
if (args != (void *)stack)
kfree(args);
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
args->managed = managed;
args->addr = addr;
args->size = size;
memcpy(args->data, argv, argc);
ret = nvif_object_ctor(&mmu->object, name ? name : "nvifVmm", 0,
oclass, args, argn, &vmm->object);
if (ret)
goto done;
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/engine/device/user.c
2 issues
Line: 164
Column: 2
CWE codes:
120
if (imem && args->v0.ram_size > 0)
args->v0.ram_user = args->v0.ram_user - imem->reserved;
strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip));
strncpy(args->v0.name, device->name, sizeof(args->v0.name));
return 0;
}
static int
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
120
args->v0.ram_user = args->v0.ram_user - imem->reserved;
strncpy(args->v0.chip, device->chip->name, sizeof(args->v0.chip));
strncpy(args->v0.name, device->name, sizeof(args->v0.name));
return 0;
}
static int
nvkm_udevice_time(struct nvkm_udevice *udev, void *data, u32 size)
Reported by FlawFinder.
drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxnv40.h
2 issues
Line: 92
cp_out(ctx, CP_BRA | (mod << 18) | ip | flag |
(state ? 0 : CP_BRA_IF_CLEAR));
}
#define cp_bra(c, f, s, n) _cp_bra((c), 0, CP_FLAG_##f, CP_FLAG_##f##_##s, n)
#define cp_cal(c, f, s, n) _cp_bra((c), 1, CP_FLAG_##f, CP_FLAG_##f##_##s, n)
#define cp_ret(c, f, s) _cp_bra((c), 2, CP_FLAG_##f, CP_FLAG_##f##_##s, 0)
static inline void
_cp_wait(struct nvkm_grctx *ctx, int flag, int state)
Reported by Cppcheck.
Line: 108
{
cp_out(ctx, CP_SET | flag | (state ? CP_SET_1 : 0));
}
#define cp_set(c, f, s) _cp_set((c), CP_FLAG_##f, CP_FLAG_##f##_##s)
static inline void
cp_pos(struct nvkm_grctx *ctx, int offset)
{
ctx->ctxvals_pos = offset;
Reported by Cppcheck.