diff options
author | Rob Clark <robdclark@gmail.com> | 2018-09-25 20:54:00 +0300 |
---|---|---|
committer | Rob Clark <robdclark@gmail.com> | 2018-10-04 03:24:54 +0300 |
commit | b689a830f5264e3a53307ba468e376e9f95f15e0 (patch) | |
tree | ae96c941ea7706a5f4daa4c4f9a2eeaa03b3816b /drivers/gpu/drm/msm/msm_rd.c | |
parent | 9027b8719bd4f46b09c6b9d082715209c17971e2 (diff) | |
download | linux-b689a830f5264e3a53307ba468e376e9f95f15e0.tar.xz |
drm/msm/rd: fix crash with long process cmdlines
The [v]snprintf() functions return the size that *would have* been
written into the buffer, rather than the size *actually* written.
Which results in us trying to memcpy() past the end of the stack.
What we really want is [v]scnprintf().
Signed-off-by: Rob Clark <robdclark@gmail.com>
Diffstat (limited to 'drivers/gpu/drm/msm/msm_rd.c')
-rw-r--r-- | drivers/gpu/drm/msm/msm_rd.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c index 3aa8a8576abe..cca933458439 100644 --- a/drivers/gpu/drm/msm/msm_rd.c +++ b/drivers/gpu/drm/msm/msm_rd.c @@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, va_list args; va_start(args, fmt); - n = vsnprintf(msg, sizeof(msg), fmt, args); + n = vscnprintf(msg, sizeof(msg), fmt, args); va_end(args); rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4)); @@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, rcu_read_lock(); task = pid_task(submit->pid, PIDTYPE_PID); if (task) { - n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u", + n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u", TASK_COMM_LEN, task->comm, pid_nr(submit->pid), submit->seqno); } else { - n = snprintf(msg, sizeof(msg), "???/%d: fence=%u", + n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u", pid_nr(submit->pid), submit->seqno); } rcu_read_unlock(); |