Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de --- drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c index bf876faea592..faefaaef7909 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, p = pool->name; for (i = 0; i < ARRAY_SIZE(t); i++) { if (type & t[i]) { - p += snprintf(p, sizeof(pool->name) - (p - pool->name), + p += scnprintf(p, sizeof(pool->name) - (p - pool->name), "%s", n[i]); } }
On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
Reviewed-by: Huang Rui ray.huang@amd.com
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c index bf876faea592..faefaaef7909 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, p = pool->name; for (i = 0; i < ARRAY_SIZE(t); i++) { if (type & t[i]) {
p += snprintf(p, sizeof(pool->name) - (p - pool->name),
p += scnprintf(p, sizeof(pool->name) - (p - pool->name), "%s", n[i]);-- 2.16.4
Am 11.03.20 um 08:52 schrieb Huang Rui:
On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
Reviewed-by: Huang Rui ray.huang@amd.com
Reviewed-by: Christian König christian.koenig@amd.com
Takashi, should I push this to drm-misc-next or do you want to merge that somehow else?
Thanks, Christian.
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c index bf876faea592..faefaaef7909 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c @@ -604,7 +604,7 @@ static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags, p = pool->name; for (i = 0; i < ARRAY_SIZE(t); i++) { if (type & t[i]) {
p += snprintf(p, sizeof(pool->name) - (p - pool->name),
p += scnprintf(p, sizeof(pool->name) - (p - pool->name), "%s", n[i]);-- 2.16.4
On Wed, 11 Mar 2020 08:56:11 +0100, Christian K6nig wrote:
Am 11.03.20 um 08:52 schrieb Huang Rui:
On Wed, Mar 11, 2020 at 03:34:52PM +0800, Takashi Iwai wrote:
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Signed-off-by: Takashi Iwai tiwai@suse.de
Reviewed-by: Huang Rui ray.huang@amd.com
Reviewed-by: Christian König christian.koenig@amd.com
Takashi, should I push this to drm-misc-next or do you want to merge that somehow else?
Please take through your tree as you like.
Thanks!
Takashi
dri-devel@lists.freedesktop.org
-
Christian König -
Huang Rui -
Takashi Iwai