Hello Dmitry Torokhov, The patch 17dd3f0f7aa7: "[PATCH] drivers/input/joystick: convert to dynamic input_dev allocation" from Sep 15, 2005, leads to the following static checker warning: drivers/input/joystick/turbografx.c:235 tgfx_probe() error: buffer overflow 'tgfx_buttons' 5 <= 5 drivers/input/joystick/turbografx.c 195 for (i = 0; i < n_devs; i++) { 196 if (n_buttons[i] < 1) 197 continue; 198 199 if (n_buttons[i] > 6) { ^^^^^^^^^^^^^^^^ Possibly off by one. >= 6. 200 printk(KERN_ERR "turbografx.c: Invalid number of buttons %d\n", n_buttons[i]); 201 err = -EINVAL; 202 goto err_unreg_devs; 203 } 204 205 tgfx->dev[i] = input_dev = input_allocate_device(); 206 if (!input_dev) { 207 printk(KERN_ERR "turbografx.c: Not enough memory for input device\n"); 208 err = -ENOMEM; 209 goto err_unreg_devs; 210 } 211 212 tgfx->sticks |= (1 << i); 213 snprintf(tgfx->name[i], sizeof(tgfx->name[i]), 214 "TurboGraFX %d-button Multisystem joystick", n_buttons[i]); 215 snprintf(tgfx->phys[i], sizeof(tgfx->phys[i]), 216 "%s/input%d", tgfx->pd->port->name, i); 217 218 input_dev->name = tgfx->name[i]; 219 input_dev->phys = tgfx->phys[i]; 220 input_dev->id.bustype = BUS_PARPORT; 221 input_dev->id.vendor = 0x0003; 222 input_dev->id.product = n_buttons[i]; 223 input_dev->id.version = 0x0100; 224 225 input_set_drvdata(input_dev, tgfx); 226 227 input_dev->open = tgfx_open; 228 input_dev->close = tgfx_close; 229 230 input_dev->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_ABS); 231 input_set_abs_params(input_dev, ABS_X, -1, 1, 0, 0); 232 input_set_abs_params(input_dev, ABS_Y, -1, 1, 0, 0); 233 234 for (j = 0; j < n_buttons[i]; j++) 235 set_bit(tgfx_buttons[j], input_dev->keybit); ^^^^^^^^^^^^^^^ Leading to an off by one write here. This only has 5 elements. 236 regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html