drm/msm/rd: fix crash with long process cmdlines
authorRob Clark <robdclark@gmail.com>
Tue, 25 Sep 2018 17:54:00 +0000 (13:54 -0400)
committerRob Clark <robdclark@gmail.com>
Thu, 4 Oct 2018 00:24:54 +0000 (20:24 -0400)
The [v]snprintf() functions return the size that *would have* been
written into the buffer, rather than the size *actually* written.
Which results in us trying to memcpy() past the end of the stack.

What we really want is [v]scnprintf().

Signed-off-by: Rob Clark <robdclark@gmail.com>
drivers/gpu/drm/msm/msm_rd.c

index 3aa8a8576abea8323a4c30534837a3defcac9b17..cca9334584391d97a4026f6ae48bfdb8d7f12ae9 100644 (file)
@@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
                va_list args;
 
                va_start(args, fmt);
-               n = vsnprintf(msg, sizeof(msg), fmt, args);
+               n = vscnprintf(msg, sizeof(msg), fmt, args);
                va_end(args);
 
                rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4));
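Review bot: The bytes between the terminator and the aligned length are never initialized, so `rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4))` still copies up to two bytes of whatever was on the stack into the debugfs stream after this fix; the same pattern presumably applies to the second hunk, whose write of msg falls outside the hunk. The return value of vscnprintf() is at most `sizeof(msg) - 1`, so the read stays in bounds only if sizeof(msg) is a multiple of 4 — msg is declared outside this hunk, so that cannot be confirmed here. Zeroing the padding before the write closes the leak: `memset(msg + n, 0, ALIGN(n, 4) - n);` placed directly after `va_end(args);`. A one-line comment on the ALIGN expression, `/* sections are 4-byte aligned; padding must be zeroed, not stack garbage */`, would make the invariant visible to the next reader. The enclosing msm_rd_dump_submit() starts before and continues after this hunk.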
@@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
        rcu_read_lock();
        task = pid_task(submit->pid, PIDTYPE_PID);
        if (task) {
-               n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
+               n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
                                TASK_COMM_LEN, task->comm,
                                pid_nr(submit->pid), submit->seqno);
        } else {
-               n = snprintf(msg, sizeof(msg), "???/%d: fence=%u",
+               n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u",
                                pid_nr(submit->pid), submit->seqno);
        }
        rcu_read_unlock();