On Wed, 24 Dec 2025 12:44:22 +0000, veygax wrote:
> The refill_buf function uses snprintf to append to a fixed-size buffer.
> snprintf returns the length that would have been written, which can
> exceed the remaining buffer size. If this happens, ptr advances beyond
> the buffer and rem becomes negative. In the 2nd iteration, rem is
> treated as a large unsigned integer, causing snprintf to write oob.
> 
> While this behavior is technically mitigated by num_perfcntrs being
> locked at 5, it's still unsafe if num_perfcntrs were ever to change/a
> second source was added.
> 
> [...]

Applied to msm-fixes, thanks!

[1/1] drm/msm: Replace unsafe snprintf usage with scnprintf
      https://gitlab.freedesktop.org/lumag/msm/-/commit/66691e272e40

Best regards,
-- 
With best wishes
Dmitry
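
The length accounting described in the quoted commit message, as an added example that is not part of this thread or the msm driver. It is a userspace sketch: `bounded_snprintf` (a stand-in for the kernel's `scnprintf`), `append_fields`, the 32-byte buffer and the field format are all constructed assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char demo_buf[32];   /* constructed size, not the driver's */

/* Userspace stand-in for the kernel's scnprintf() (hypothetical name):
 * returns the characters actually stored, never more than size - 1. */
static int bounded_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Append `count` constructed fields; returns the final rem. With
 * clamp == 0 this is the snprintf accounting from the quoted message,
 * halted before a negative rem is converted to size_t. */
static int append_fields(char *buf, int size, int count, int clamp)
{
    int off = 0, rem = size, i, n;

    for (i = 0; i < count && rem >= 0; i++) {
        if (clamp)
            n = bounded_snprintf(buf + off, (size_t)rem, "counter%d:%08x ", i, 0xdeadbeefu);
        else
            n = snprintf(buf + off, (size_t)rem, "counter%d:%08x ", i, 0xdeadbeefu);
        off += n;   /* snprintf: n is the would-be length, may exceed rem */
        rem -= n;
    }
    return rem;
}

int main(void)
{
    printf("snprintf  rem = %d\n", append_fields(demo_buf, sizeof(demo_buf), 5, 0));
    printf("scnprintf rem = %d, buf = \"%s\"\n",
           append_fields(demo_buf, sizeof(demo_buf), 5, 1), demo_buf);
    return 0;
}
```

With the unclamped return value, `rem` goes negative on the second 18-character field; with the clamped one it settles at 1 and the buffer stays NUL-terminated.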

