Commit b689a830 authored by Rob Clark's avatar Rob Clark

drm/msm/rd: fix crash with long process cmdlines

The [v]snprintf() functions return the size that *would have* been
written into the buffer, rather than the size *actually* written.
Which results in us trying to memcpy() past the end of the stack.

What we really want is [v]scnprintf().
Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
parent 9027b871
...@@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, ...@@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
va_list args; va_list args;
va_start(args, fmt); va_start(args, fmt);
n = vsnprintf(msg, sizeof(msg), fmt, args); n = vscnprintf(msg, sizeof(msg), fmt, args);
va_end(args); va_end(args);
rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4)); rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4));
...@@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit, ...@@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
rcu_read_lock(); rcu_read_lock();
task = pid_task(submit->pid, PIDTYPE_PID); task = pid_task(submit->pid, PIDTYPE_PID);
if (task) { if (task) {
n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u", n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
TASK_COMM_LEN, task->comm, TASK_COMM_LEN, task->comm,
pid_nr(submit->pid), submit->seqno); pid_nr(submit->pid), submit->seqno);
} else { } else {
n = snprintf(msg, sizeof(msg), "???/%d: fence=%u", n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u",
pid_nr(submit->pid), submit->seqno); pid_nr(submit->pid), submit->seqno);
} }
rcu_read_unlock(); rcu_read_unlock();
......
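Review bot: The `ALIGN(n, 4)` length passed to `rd_write_section()` in the first hunk still rounds the copy up past the formatted text, so the bytes after the NUL terminator go into the dump unformatted. With `vscnprintf()` that is at most two bytes, but if `msg` is not zero-initialised (its declaration is outside the hunk) they are stale kernel stack contents exposed to whoever reads the rd stream. I would clear the padding before the write with `memset(msg + n, 0, ALIGN(n, 4) - n);`, or zero-initialise `msg` where it is declared. The rounded length also stays inside the buffer only if `sizeof(msg)` is a multiple of 4, which deserves a comment or a `BUILD_BUG_ON(sizeof(msg) % 4);`. The `n` computed in the second hunk presumably feeds a similar aligned write after `rcu_read_unlock()`, outside the visible lines, and would need the same treatment.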