EDAC/armada_xp: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the actual
output size, the succeeding calls may go beyond the given buffer limit.
Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Jan Luebbe <jlu@pengutronix.de>
Link: https://lkml.kernel.org/r/20200311071728.4541-1-tiwai@suse.de

diff --git a/drivers/edac/armada_xp_edac.c b/drivers/edac/armada_xp_edac.c
index 7f227bdcbc845d9ecc365d9acf5675167dc3dc1c..a7502ebe9bdc529c1ed17ab827f1a3321bf0aab1 100644 (file)
--- a/drivers/edac/armada_xp_edac.c
+++ b/drivers/edac/armada_xp_edac.c
@@ -429,26 +429,26 @@ static void aurora_l2_check(struct edac_device_ctl_info *dci)
 
        src = (attr_cap & AURORA_ERR_ATTR_SRC_MSK) >> AURORA_ERR_ATTR_SRC_OFF;
        if (src <= 3)
-               len += snprintf(msg+len, size-len, "src=CPU%d ", src);
+               len += scnprintf(msg+len, size-len, "src=CPU%d ", src);
        else
-               len += snprintf(msg+len, size-len, "src=IO ");
+               len += scnprintf(msg+len, size-len, "src=IO ");
 
        txn =  (attr_cap & AURORA_ERR_ATTR_TXN_MSK) >> AURORA_ERR_ATTR_TXN_OFF;
        switch (txn) {
        case 0:
-               len += snprintf(msg+len, size-len, "txn=Data-Read ");
+               len += scnprintf(msg+len, size-len, "txn=Data-Read ");
                break;
        case 1:
-               len += snprintf(msg+len, size-len, "txn=Isn-Read ");
+               len += scnprintf(msg+len, size-len, "txn=Isn-Read ");
                break;
        case 2:
-               len += snprintf(msg+len, size-len, "txn=Clean-Flush ");
+               len += scnprintf(msg+len, size-len, "txn=Clean-Flush ");
                break;
        case 3:
-               len += snprintf(msg+len, size-len, "txn=Eviction ");
+               len += scnprintf(msg+len, size-len, "txn=Eviction ");
                break;
        case 4:
-               len += snprintf(msg+len, size-len,
+               len += scnprintf(msg+len, size-len,
                                "txn=Read-Modify-Write ");
                break;
        }
@@ -456,19 +456,19 @@ static void aurora_l2_check(struct edac_device_ctl_info *dci)
        err = (attr_cap & AURORA_ERR_ATTR_ERR_MSK) >> AURORA_ERR_ATTR_ERR_OFF;
        switch (err) {
        case 0:
-               len += snprintf(msg+len, size-len, "err=CorrECC ");
+               len += scnprintf(msg+len, size-len, "err=CorrECC ");
                break;
        case 1:
-               len += snprintf(msg+len, size-len, "err=UnCorrECC ");
+               len += scnprintf(msg+len, size-len, "err=UnCorrECC ");
                break;
        case 2:
-               len += snprintf(msg+len, size-len, "err=TagParity ");
+               len += scnprintf(msg+len, size-len, "err=TagParity ");
                break;
        }
 
-       len += snprintf(msg+len, size-len, "addr=0x%x ", addr_cap & AURORA_ERR_ADDR_CAP_ADDR_MASK);
-       len += snprintf(msg+len, size-len, "index=0x%x ", (way_cap & AURORA_ERR_WAY_IDX_MSK) >> AURORA_ERR_WAY_IDX_OFF);
-       len += snprintf(msg+len, size-len, "way=0x%x", (way_cap & AURORA_ERR_WAY_CAP_WAY_MASK) >> AURORA_ERR_WAY_CAP_WAY_OFFSET);
+       len += scnprintf(msg+len, size-len, "addr=0x%x ", addr_cap & AURORA_ERR_ADDR_CAP_ADDR_MASK);
+       len += scnprintf(msg+len, size-len, "index=0x%x ", (way_cap & AURORA_ERR_WAY_IDX_MSK) >> AURORA_ERR_WAY_IDX_OFF);
+       len += scnprintf(msg+len, size-len, "way=0x%x", (way_cap & AURORA_ERR_WAY_CAP_WAY_MASK) >> AURORA_ERR_WAY_CAP_WAY_OFFSET);
 
        /* clear error capture registers */
        writel(AURORA_ERR_ATTR_CAP_VALID, drvdata->base + AURORA_ERR_ATTR_CAP_REG);