The following issues were found
drivers/infiniband/hw/bnxt_re/qplib_fp.h
2 issues
Line: 289
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u16 pkey_index;
u32 qkey;
u32 dest_qp_id;
u8 access;
u8 timeout;
u8 retry_cnt;
u8 rnr_retry;
u64 wqe_cnt;
u32 min_rnr_timer;
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bnxt_qplib_nq {
struct pci_dev *pdev;
struct bnxt_qplib_res *res;
char name[32];
struct bnxt_qplib_hwq hwq;
struct bnxt_qplib_nq_db nq_db;
u16 ring_id;
int msix_vec;
cpumask_t mask;
Reported by FlawFinder.
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
2 issues
Line: 177
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy a segment of the req cmd to the cmdq */
memset(cmdqe, 0, sizeof(*cmdqe));
memcpy(cmdqe, preq, min_t(u32, size, sizeof(*cmdqe)));
preq += min_t(u32, size, sizeof(*cmdqe));
size -= min_t(u32, size, sizeof(*cmdqe));
hwq->prod++;
} while (size > 0);
cmdq->seq_num++;
Reported by FlawFinder.
Line: 353
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crsqe = &rcfw->crsqe_tbl[cbit];
if (crsqe->resp &&
crsqe->resp->cookie == mcookie) {
memcpy(crsqe->resp, qp_event, sizeof(*qp_event));
crsqe->resp = NULL;
} else {
if (crsqe->resp && crsqe->resp->cookie)
dev_err(&pdev->dev,
"CMD %s cookie sent=%#x, recd=%#x\n",
Reported by FlawFinder.
drivers/infiniband/hw/cxgb4/iw_cxgb4.h
2 issues
Line: 467
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 max_ird;
u32 pd;
u32 next_state;
char terminate_buffer[52];
u32 terminate_msg_len;
u8 is_terminate_local;
struct c4iw_mpa_attributes mpa_attr;
struct c4iw_ep *llp_stream_handle;
u8 layer_etype;
Reported by FlawFinder.
Line: 839
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cpl_abort_rpl abrt_rpl;
struct fw_ri_wr ri_req;
struct cpl_close_con_req close_req;
char flowc_buf[FLOWC_LEN];
};
struct c4iw_ep_common {
struct iw_cm_id *cm_id;
struct c4iw_qp *qp;
Reported by FlawFinder.
drivers/infiniband/hw/efa/efa_com.c
2 issues
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
aqe = &aq->sq.entries[pi];
memset(aqe, 0, sizeof(*aqe));
memcpy(aqe, cmd, cmd_size_in_bytes);
aq->sq.pc++;
atomic64_inc(&aq->stats.submitted_cmd);
if ((aq->sq.pc & queue_size_mask) == 0)
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
comp_ctx->status = EFA_CMD_COMPLETED;
memcpy(comp_ctx->user_cqe, cqe, comp_ctx->comp_size);
if (!test_bit(EFA_AQ_STATE_POLLING_BIT, &aq->state))
complete(&comp_ctx->wait_event);
}
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/sysfs.c
2 issues
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcu_read_unlock();
return -EINVAL;
}
memcpy(buf, (void *)&cc_state->cct + pos, count);
rcu_read_unlock();
return count;
}
static BIN_ATTR_RO(cc_table_bin, PAGE_SIZE);
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcu_read_unlock();
return -EINVAL;
}
memcpy(buf, (void *)&cc_state->cong_setting + pos, count);
rcu_read_unlock();
return count;
}
static BIN_ATTR_RO(cc_setting_bin, PAGE_SIZE);
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/tid_rdma.c
2 issues
Line: 1909
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pktlen = packet->tlen - (packet->hlen + 4);
if (pktlen > sizeof(flow->tid_entry))
return 1;
memcpy(flow->tid_entry, packet->ebuf, pktlen);
flow->tidcnt = pktlen / sizeof(*flow->tid_entry);
/*
* Walk the TID_ENTRY list to make sure we have enough space for a
* complete segment. Also calculate the number of required packets.
Reported by FlawFinder.
Line: 4131
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
status = IB_WC_LOC_LEN_ERR;
goto ack_err;
}
memcpy(flow->tid_entry, packet->ebuf, pktlen);
flow->tidcnt = pktlen / sizeof(*flow->tid_entry);
trace_hfi1_tid_flow_rcv_write_resp(qp, req->setup_head, flow);
req->comp_seg++;
trace_hfi1_tid_write_sender_rcv_resp(qp, 0);
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/trace_tx.h
2 issues
Line: 759
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->idx = ahgidx;
__entry->len = len;
__entry->tidval = tidval;
memcpy(__entry->ahg, ahg, len * sizeof(u32));
),
TP_printk("[%s:%u:%u:%u] (SDE%u/AHG%u) ahg[0-%d]=(%s) TIDVal=0x%x",
__get_str(dev),
__entry->ctxt,
__entry->subctxt,
Reported by FlawFinder.
Line: 811
Column: 8
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__dynamic_array(u8, bct, sizeof(*bc))
),
TP_fast_assign(DD_DEV_ASSIGN(dd);
memcpy(__get_dynamic_array(bct), bc,
sizeof(*bc));
),
TP_printk(BCT_FORMAT,
BCT(overall_shared_limit),
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/user_exp_rcv.c
2 issues
Line: 535
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock(&fd->invalid_lock);
if (fd->invalid_tid_idx) {
memcpy(array, fd->invalid_tids, sizeof(*array) *
fd->invalid_tid_idx);
memset(fd->invalid_tids, 0, sizeof(*fd->invalid_tids) *
fd->invalid_tid_idx);
tinfo->tidcnt = fd->invalid_tid_idx;
fd->invalid_tid_idx = 0;
Reported by FlawFinder.
Line: 759
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
node->dma_addr = phys;
node->grp = grp;
node->freed = false;
memcpy(node->pages, pages, sizeof(struct page *) * npages);
if (fd->use_mn) {
ret = mmu_interval_notifier_insert(
&node->notifier, current->mm,
tbuf->vaddr + (pageidx * PAGE_SIZE), npages * PAGE_SIZE,
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/vnic_sdma.c
2 issues
Line: 75
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hfi1_vnic_sdma *sdma;
struct sk_buff *skb;
unsigned char pad[HFI1_VNIC_MAX_PAD];
u16 plen;
__le64 pbc_val;
};
static void vnic_sdma_complete(struct sdma_txreq *txreq,
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int hfi1_vnic_txreq_init(struct hfi1_devdata *dd)
{
char buf[HFI1_VNIC_TXREQ_NAME_LEN];
snprintf(buf, sizeof(buf), "hfi1_%u_vnic_txreq_cache", dd->unit);
dd->vnic.txreq_cache = kmem_cache_create(buf,
sizeof(struct vnic_txreq),
0, SLAB_HWCACHE_ALIGN,
Reported by FlawFinder.
drivers/infiniband/hw/hns/hns_roce_ah.c
2 issues
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ah->av.sl = rdma_ah_get_sl(ah_attr);
ah->av.tclass = get_tclass(grh);
memcpy(ah->av.dgid, grh->dgid.raw, HNS_ROCE_GID_SIZE);
memcpy(ah->av.mac, ah_attr->roce.dmac, ETH_ALEN);
/* HIP08 needs to record vlan info in Address Vector */
if (hr_dev->pci_dev->revision <= PCI_REVISION_ID_HIP08) {
ret = rdma_read_gid_l2_fields(ah_attr->grh.sgid_attr,
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ah->av.tclass = get_tclass(grh);
memcpy(ah->av.dgid, grh->dgid.raw, HNS_ROCE_GID_SIZE);
memcpy(ah->av.mac, ah_attr->roce.dmac, ETH_ALEN);
/* HIP08 needs to record vlan info in Address Vector */
if (hr_dev->pci_dev->revision <= PCI_REVISION_ID_HIP08) {
ret = rdma_read_gid_l2_fields(ah_attr->grh.sgid_attr,
&ah->av.vlan_id, NULL);
Reported by FlawFinder.