Hello Michael Zaidman,
The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
driver" from Feb 19, 2021, leads to the following static checker
warning:
drivers/hid/hid-ft260.c:441 ft260_smbus_write()
error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
drivers/hid/hid-ft260.c
423 static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
424 u8 *data, u8 data_len, u8 flag)
425 {
426 int ret = 0;
427 int len = 4;
428
429 struct ft260_i2c_write_request_report *rep =
430 (struct ft260_i2c_write_request_report *)dev->write_buf;
431
432 rep->address = addr;
433 rep->data[0] = cmd;
434 rep->length = data_len + 1;
435 rep->flag = flag;
436 len += rep->length;
437
438 rep->report = FT260_I2C_DATA_REPORT_ID(len);
439
440 if (data_len > 0)
441 memcpy(&rep->data[1], data, data_len);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch says that this can be called from the i2cdev_ioctl_smbus()
function.
i2cdev_ioctl_smbus()
--> i2c_smbus_xfer
--> __i2c_smbus_xfer
--> ft260_smbus_xfer
--> ft260_smbus_write
442
443 ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n",
444 rep->report, addr, cmd, rep->length, len);
445
446 ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len);
447
448 return ret;
449 }
regards,
dan carpenter
