The following issues were found
drivers/i2c/busses/i2c-pasemi.c
2 issues
Line: 111
Column: 6
CWE codes:
120
20
struct i2c_msg *msg, int stop)
{
struct pasemi_smbus *smbus = adapter->algo_data;
int read, i, err;
u32 rd;
read = msg->flags & I2C_M_RD ? 1 : 0;
TXFIFO_WR(smbus, MTXFIFO_START | i2c_8bit_addr_from_msg(msg));
Reported by FlawFinder.
Line: 118
Column: 6
CWE codes:
120
20
TXFIFO_WR(smbus, MTXFIFO_START | i2c_8bit_addr_from_msg(msg));
if (read) {
TXFIFO_WR(smbus, msg->len | MTXFIFO_READ |
(stop ? MTXFIFO_STOP : 0));
err = pasemi_smb_waitready(smbus);
if (err)
Reported by FlawFinder.
drivers/i2c/busses/i2c-xgene-slimpro.c
2 issues
Line: 296
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = slimpro_i2c_send_msg(ctx, msg, msg);
/* Copy to destination */
memcpy(data, ctx->dma_buffer, readlen);
dma_unmap_single(ctx->dev, paddr, readlen, DMA_FROM_DEVICE);
return rc;
}
Reported by FlawFinder.
Line: 310
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 msg[3];
int rc;
memcpy(ctx->dma_buffer, data, writelen);
paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
DMA_TO_DEVICE);
if (dma_mapping_error(ctx->dev, paddr)) {
dev_err(&ctx->adapter.dev, "Error in mapping dma buffer %p\n",
ctx->dma_buffer);
Reported by FlawFinder.
drivers/i2c/i2c-core-acpi.c
2 issues
Line: 530
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data_len, client->addr, cmd, ret);
/* 2 transfers must have completed successfully */
} else if (ret == 2) {
memcpy(data, buffer, data_len);
ret = 0;
} else {
ret = -EIO;
}
Reported by FlawFinder.
Line: 553
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return AE_NO_MEMORY;
buffer[0] = cmd;
memcpy(buffer + 1, data, data_len);
msgs[0].addr = client->addr;
msgs[0].flags = client->flags;
msgs[0].len = data_len + 1;
msgs[0].buf = buffer;
Reported by FlawFinder.
drivers/i2c/i2c-mux.c
2 issues
Line: 288
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_adapter *parent = muxc->parent;
struct i2c_mux_priv *priv;
char symlink_name[20];
int ret;
if (muxc->num_adapters >= muxc->max_adapters) {
dev_err(muxc->dev, "No room for more i2c-mux adapters\n");
return -EINVAL;
Reported by FlawFinder.
Line: 442
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void i2c_mux_del_adapters(struct i2c_mux_core *muxc)
{
char symlink_name[20];
while (muxc->num_adapters) {
struct i2c_adapter *adap = muxc->adapter[--muxc->num_adapters];
struct i2c_mux_priv *priv = adap->algo_data;
struct device_node *np = adap->dev.of_node;
Reported by FlawFinder.
drivers/i2c/i2c-slave-eeprom.c
2 issues
Line: 102
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eeprom = dev_get_drvdata(kobj_to_dev(kobj));
spin_lock_irqsave(&eeprom->buffer_lock, flags);
memcpy(buf, &eeprom->buffer[off], count);
spin_unlock_irqrestore(&eeprom->buffer_lock, flags);
return count;
}
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
eeprom = dev_get_drvdata(kobj_to_dev(kobj));
spin_lock_irqsave(&eeprom->buffer_lock, flags);
memcpy(&eeprom->buffer[off], buf, count);
spin_unlock_irqrestore(&eeprom->buffer_lock, flags);
return count;
}
Reported by FlawFinder.
drivers/i3c/master/mipi-i3c-hci/dma.c
2 issues
Line: 696
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
first_part = ibi_size;
dma_sync_single_for_cpu(&hci->master.dev, ring_ibi_data_dma,
first_part, DMA_FROM_DEVICE);
memcpy(slot->data, ring_ibi_data, first_part);
/* copy second part if any */
if (ibi_size > first_part) {
/* we wrap back to the start and copy remaining data */
ring_ibi_data = rh->ibi_data;
Reported by FlawFinder.
Line: 705
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ring_ibi_data_dma = rh->ibi_data_dma;
dma_sync_single_for_cpu(&hci->master.dev, ring_ibi_data_dma,
ibi_size - first_part, DMA_FROM_DEVICE);
memcpy(slot->data + first_part, ring_ibi_data,
ibi_size - first_part);
}
/* submit it */
slot->dev = dev;
Reported by FlawFinder.
drivers/iio/accel/dmard10.c
2 issues
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Init sequence taken from the android driver */
static int dmard10_reset(struct i2c_client *client)
{
unsigned char buffer[7];
int ret;
/* 1. Powerdown reset */
ret = i2c_smbus_write_byte_data(client, DMARD10_REG_PD,
DMARD10_VALUE_PD_RST);
Reported by FlawFinder.
Line: 129
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Shutdown sequence taken from the android driver */
static int dmard10_shutdown(struct i2c_client *client)
{
unsigned char buffer[3];
buffer[0] = DMARD10_REG_ACTR;
buffer[1] = DMARD10_MODE_STANDBY;
buffer[2] = DMARD10_MODE_OFF;
Reported by FlawFinder.
drivers/iio/accel/mma9551_core.c
2 issues
Line: 135
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
req.nbytes = num_outbytes;
if (num_inbytes)
memcpy(req.buf, inbytes, num_inbytes);
out.addr = client->addr;
out.flags = 0;
out.len = req_len;
out.buf = (u8 *)&req;
Reported by FlawFinder.
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (num_outbytes)
memcpy(outbytes, rsp.buf, num_outbytes);
return 0;
}
/**
Reported by FlawFinder.
drivers/iio/adc/ad7192.c
2 issues
Line: 434
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7192_state *st = iio_priv(indio_dev);
return sprintf(buf, "%d\n", !!(st->mode & AD7192_MODE_ACX));
}
static ssize_t ad7192_show_bridge_switch(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 444
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7192_state *st = iio_priv(indio_dev);
return sprintf(buf, "%d\n", !!(st->gpocon & AD7192_GPOCON_BPDSW));
}
static ssize_t ad7192_set(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
drivers/iio/adc/ad7476.c
2 issues
Line: 197
static const struct ad7476_chip_info ad7476_chip_info_tbl[] = {
[ID_AD7091] = {
.channel[0] = AD7091R_CHAN(12),
.channel[1] = IIO_CHAN_SOFT_TIMESTAMP(1),
.convst_channel[0] = AD7091R_CONVST_CHAN(12),
.convst_channel[1] = IIO_CHAN_SOFT_TIMESTAMP(1),
.reset = ad7091_reset,
},
Reported by Cppcheck.
Line: 52
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Make the buffer large enough for one 16 bit sample and one 64 bit
* aligned 64 bit timestamp.
*/
unsigned char data[ALIGN(2, sizeof(s64)) + sizeof(s64)]
____cacheline_aligned;
};
enum ad7476_supported_device_ids {
ID_AD7091,
Reported by FlawFinder.