On Wed, Dec 24, 2025 at 12:44:22PM +0000, veygax wrote:
> From: Evan Lambert <[email protected]>
>
> The refill_buf function uses snprintf to append to a fixed-size buffer.
> snprintf returns the length that would have been written, which can
> exceed the remaining buffer size. If this happens, ptr advances beyond
> the buffer and rem becomes negative. In the 2nd iteration, rem is
> treated as a large unsigned integer, causing snprintf to write oob.
>
> While this behavior is technically mitigated by num_perfcntrs being
> locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
> second source was added.
>
> Signed-off-by: Evan Lambert <[email protected]>
> ---
> v2: Use real name in Signed-off-by as requested by Dmitry Baryshkov.

Thanks!

Reviewed-by: Dmitry Baryshkov <[email protected]>

>
>  drivers/gpu/drm/msm/msm_perf.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>

-- 
With best wishes
Dmitry
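The snprintf return-value behaviour described in the quoted commit message, as an added userspace example (not code from the patch or from msm_perf.c, whose diff is not shown in this message). The function names, the 32-byte buffer and the field format are assumptions; bounded_printf mimics the semantics of the kernel's scnprintf().

```c
#include <stdarg.h>
#include <stdio.h>

#define FIELD_FMT "counter%d:%08x\t" /* constructed field, 18 characters */

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), at most size - 1. */
static int bounded_printf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Bookkeeping from the commit message: subtract snprintf()'s return value.
 * Returns rem as soon as it goes negative, before any further write. */
static int rem_after_snprintf(char *buf, int size, int fields)
{
    char *ptr = buf;
    int rem = size;
    for (int i = 0; i < fields; i++) {
        int n = snprintf(ptr, (size_t)rem, FIELD_FMT, i, 0xdeadbeefu);
        if ((rem -= n) < 0)
            return rem; /* the next call would receive (size_t)rem */
        ptr += n;
    }
    return rem;
}

/* Same loop, advancing by what was actually stored; returns final length. */
static int len_after_bounded(char *buf, int size, int fields)
{
    char *ptr = buf;
    for (int i = 0; i < fields; i++)
        ptr += bounded_printf(ptr, (size_t)(size - (ptr - buf)), FIELD_FMT, i, 0xdeadbeefu);
    return (int)(ptr - buf);
}

int main(void)
{
    char buf[32]; /* constructed size: the second 18-char field does not fit */
    printf("%d %d\n", rem_after_snprintf(buf, 32, 5), len_after_bounded(buf, 32, 5));
}
```

With the 32-byte buffer the first function reports rem = -4 after the second field, while the bounded loop stops at 31 stored characters plus the terminating NUL.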
