From b689a830f5264e3a53307ba468e376e9f95f15e0 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Tue, 25 Sep 2018 13:54:00 -0400 Subject: [PATCH] drm/msm/rd: fix crash with long process cmdlines The [v]snprintf() functions return the size that *would have* been written into the buffer, rather than the size *actually* written. Which results in us trying to memcpy() past the end of the stack. What we really want is [v]scnprintf(). Signed-off-by: Rob Clark --- drivers/gpu/drm/msm/msm_rd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c index 3aa8a8576abe..cca933458439 100644 --- a/drivers/gpu/drm/msm/msm_rd.c +++ b/drivers/gpu/drm/msm/msm_rd.c @@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, va_list args; va_start(args, fmt); - n = vsnprintf(msg, sizeof(msg), fmt, args); + n = vscnprintf(msg, sizeof(msg), fmt, args); va_end(args); rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4)); @@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, rcu_read_lock(); task = pid_task(submit->pid, PIDTYPE_PID); if (task) { - n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u", + n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u", TASK_COMM_LEN, task->comm, pid_nr(submit->pid), submit->seqno); } else { - n = snprintf(msg, sizeof(msg), "???/%d: fence=%u", + n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u", pid_nr(submit->pid), submit->seqno); } rcu_read_unlock(); -- 2.11.0