summaryrefslogtreecommitdiff
path: root/drivers/gpu/drm/msm/msm_rd.c
diff options
context:
space:
mode:
authorRob Clark <robdclark@gmail.com>2018-09-25 20:54:00 +0300
committerRob Clark <robdclark@gmail.com>2018-10-04 03:24:54 +0300
commitb689a830f5264e3a53307ba468e376e9f95f15e0 (patch)
treeae96c941ea7706a5f4daa4c4f9a2eeaa03b3816b /drivers/gpu/drm/msm/msm_rd.c
parent9027b8719bd4f46b09c6b9d082715209c17971e2 (diff)
downloadlinux-b689a830f5264e3a53307ba468e376e9f95f15e0.tar.xz
drm/msm/rd: fix crash with long process cmdlines
The [v]snprintf() functions return the size that *would have* been written into the buffer, rather than the size *actually* written. Which results in us trying to memcpy() past the end of the stack. What we really want is [v]scnprintf(). Signed-off-by: Rob Clark <robdclark@gmail.com>
Diffstat (limited to 'drivers/gpu/drm/msm/msm_rd.c')
-rw-r--r--drivers/gpu/drm/msm/msm_rd.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c
index 3aa8a8576abe..cca933458439 100644
--- a/drivers/gpu/drm/msm/msm_rd.c
+++ b/drivers/gpu/drm/msm/msm_rd.c
@@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
va_list args;
va_start(args, fmt);
- n = vsnprintf(msg, sizeof(msg), fmt, args);
+ n = vscnprintf(msg, sizeof(msg), fmt, args);
va_end(args);
rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4));
@@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
rcu_read_lock();
task = pid_task(submit->pid, PIDTYPE_PID);
if (task) {
- n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
+ n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
TASK_COMM_LEN, task->comm,
pid_nr(submit->pid), submit->seqno);
} else {
- n = snprintf(msg, sizeof(msg), "???/%d: fence=%u",
+ n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u",
pid_nr(submit->pid), submit->seqno);
}
rcu_read_unlock();