snprintf() and vsnprintf() return the number of bytes that would have
been written if the buffer were large enough, not the actual bytes
written. If truncation occurs, the accumulated length can exceed the
buffer size, causing kfifo_in() to read past the fifo_in[] stack buffer.

Switch to scnprintf() and vscnprintf() which return the actual number
of bytes written, excluding the null terminator. This prevents the
potential buffer over-read when calculating the offset for subsequent
writes.

Signed-off-by: William Palacek <[email protected]>
---
 drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
index d2bc169e84b0..a1fd0463a2bc 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
@@ -206,10 +206,10 @@ static void kfd_smi_event_add(pid_t pid, struct kfd_node 
*dev,
        if (list_empty(&dev->smi_clients))
                return;
 
-       len = snprintf(fifo_in, sizeof(fifo_in), "%x ", event);
+       len = scnprintf(fifo_in, sizeof(fifo_in), "%x ", event);
 
        va_start(args, fmt);
-       len += vsnprintf(fifo_in + len, sizeof(fifo_in) - len, fmt, args);
+       len += vscnprintf(fifo_in + len, sizeof(fifo_in) - len, fmt, args);
        va_end(args);
 
        add_event_to_kfifo(pid, dev, event, fifo_in, len);
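Review bot: After the vscnprintf() call, a truncated event string is still handed to add_event_to_kfifo(pid, dev, event, fifo_in, len) with no indication that it was cut, so a consumer of the fifo can receive a partial record. With scnprintf()/vscnprintf() len can no longer exceed sizeof(fifo_in) - 1, which removes the over-read, but consider detecting the truncated case (for example len reaching sizeof(fifo_in) - 1) and warning once or dropping the event instead of queueing it silently. A Fixes: tag naming the commit that introduced the snprintf() accumulation would also help stable backports.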
-- 
2.34.1
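The return-value difference described in the commit message, as an added userspace example (not code from the patch or the kernel). demo_scnprintf() is a hypothetical stand-in for the kernel helper, and the 16-byte FIFO_IN_SIZE and the sample strings are constructed to force truncation.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define FIFO_IN_SIZE 16 /* constructed: small enough to force truncation */

/* Hypothetical userspace stand-in for the kernel's scnprintf(): returns the
 * bytes actually stored, excluding the NUL, so the result is always < size. */
static int demo_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* Pre-patch pattern: sums the "would have been written" lengths. */
size_t len_with_snprintf(unsigned int event, const char *msg)
{
	char fifo_in[FIFO_IN_SIZE];
	size_t len = (size_t)snprintf(fifo_in, sizeof(fifo_in), "%x ", event);

	len += (size_t)snprintf(fifo_in + len, sizeof(fifo_in) - len, "%s", msg);
	return len; /* can exceed sizeof(fifo_in) when msg is truncated */
}

/* Patched pattern: sums bytes actually stored, so len <= sizeof(fifo_in) - 1. */
size_t len_with_scnprintf(unsigned int event, const char *msg)
{
	char fifo_in[FIFO_IN_SIZE];
	size_t len = (size_t)demo_scnprintf(fifo_in, sizeof(fifo_in), "%x ", event);

	len += (size_t)demo_scnprintf(fifo_in + len, sizeof(fifo_in) - len, "%s", msg);
	return len;
}

int main(void)
{
	const char *msg = "0123456789abcdefghij"; /* constructed, 20 bytes */
	printf("snprintf len=%zu, scnprintf len=%zu, buffer=%d\n",
	       len_with_snprintf(0x2a, msg), len_with_scnprintf(0x2a, msg), FIFO_IN_SIZE);
	return 0;
}
```

A consumer that copies `len` bytes out of the buffer stays in bounds only with the second length.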
