From: Rob Clark <robdclark@gmail.com>
Date: Tue, 25 Sep 2018 17:54:00 +0000 (-0400)
Subject: drm/msm/rd: fix crash with long process cmdlines
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=b689a830f5264e3a53307ba468e376e9f95f15e0;p=openwrt%2Fstaging%2Fblogic.git

drm/msm/rd: fix crash with long process cmdlines

The [v]snprintf() functions return the size that *would have* been
written into the buffer, rather than the size *actually* written.
Which results in us trying to memcpy() past the end of the stack.

What we really want is [v]scnprintf().

Signed-off-by: Rob Clark <robdclark@gmail.com>
---

diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c
index 3aa8a8576abe..cca933458439 100644
--- a/drivers/gpu/drm/msm/msm_rd.c
+++ b/drivers/gpu/drm/msm/msm_rd.c
@@ -366,7 +366,7 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
 		va_list args;
 
 		va_start(args, fmt);
-		n = vsnprintf(msg, sizeof(msg), fmt, args);
+		n = vscnprintf(msg, sizeof(msg), fmt, args);
 		va_end(args);
 
 		rd_write_section(rd, RD_CMD, msg, ALIGN(n, 4));
@@ -375,11 +375,11 @@ void msm_rd_dump_submit(struct msm_rd_state *rd, struct msm_gem_submit *submit,
 	rcu_read_lock();
 	task = pid_task(submit->pid, PIDTYPE_PID);
 	if (task) {
-		n = snprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
+		n = scnprintf(msg, sizeof(msg), "%.*s/%d: fence=%u",
 				TASK_COMM_LEN, task->comm,
 				pid_nr(submit->pid), submit->seqno);
 	} else {
-		n = snprintf(msg, sizeof(msg), "???/%d: fence=%u",
+		n = scnprintf(msg, sizeof(msg), "???/%d: fence=%u",
 				pid_nr(submit->pid), submit->seqno);
 	}
 	rcu_read_unlock();