NTB: ntb_transport: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Wed, 11 Mar 2020 08:49:17 +0000 (09:49 +0100)
committerJon Mason <jdmason@kudzu.us>
Fri, 13 Mar 2020 14:03:49 +0000 (10:03 -0400)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Fixes: fce8a7bb5b4b (PCI-Express Non-Transparent Bridge Support)
Fixes: 282a2feeb9bf (NTB: Use DMA Engine to Transmit and Receive)
Fixes: a754a8fcaf38 (NTB: allocate number transport entries depending on size of ring size)
Fixes: d98ef99e378b (NTB: Clean up QP stats info)
Fixes: e74bfeedad08 (NTB: Add flow control to the ntb_netdev)
Fixes: 569410ca756c (NTB: Use unique DMA channels for TX and RX)
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
drivers/ntb/ntb_transport.c

index 00a5d5764993c0339268ba98bf08a55bd4bc2ac1..e6d1f5b298f34083217a66873b7acc283d1060c2 100644 (file)
@@ -481,70 +481,70 @@ static ssize_t debugfs_read(struct file *filp, char __user *ubuf, size_t count,
                return -ENOMEM;
 
        out_offset = 0;
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "\nNTB QP stats:\n\n");
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_bytes - \t%llu\n", qp->rx_bytes);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_pkts - \t%llu\n", qp->rx_pkts);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_memcpy - \t%llu\n", qp->rx_memcpy);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_async - \t%llu\n", qp->rx_async);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_ring_empty - %llu\n", qp->rx_ring_empty);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_err_no_buf - %llu\n", qp->rx_err_no_buf);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_err_oflow - \t%llu\n", qp->rx_err_oflow);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_err_ver - \t%llu\n", qp->rx_err_ver);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_buff - \t0x%p\n", qp->rx_buff);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_index - \t%u\n", qp->rx_index);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_max_entry - \t%u\n", qp->rx_max_entry);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "rx_alloc_entry - \t%u\n\n", qp->rx_alloc_entry);
 
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_bytes - \t%llu\n", qp->tx_bytes);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_pkts - \t%llu\n", qp->tx_pkts);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_memcpy - \t%llu\n", qp->tx_memcpy);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_async - \t%llu\n", qp->tx_async);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_ring_full - \t%llu\n", qp->tx_ring_full);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_err_no_buf - %llu\n", qp->tx_err_no_buf);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_mw - \t0x%p\n", qp->tx_mw);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_index (H) - \t%u\n", qp->tx_index);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "RRI (T) - \t%u\n",
                               qp->remote_rx_info->entry);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "tx_max_entry - \t%u\n", qp->tx_max_entry);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "free tx - \t%u\n",
                               ntb_transport_tx_free_entry(qp));
 
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "\n");
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Using TX DMA - \t%s\n",
                               qp->tx_dma_chan ? "Yes" : "No");
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Using RX DMA - \t%s\n",
                               qp->rx_dma_chan ? "Yes" : "No");
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "QP Link - \t%s\n",
                               qp->link_is_up ? "Up" : "Down");
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "\n");
 
        if (out_offset > out_count)
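Review bot: The `if (out_offset > out_count)` guard on the last line of the hunk can no longer be true. scnprintf() returns the number of characters actually stored, at most size - 1, so `out_offset` stays below `out_count` after every call. The guard could be dropped, or kept with a comment such as `/* scnprintf() never advances past out_count - 1; output that does not fit is silently truncated */`, which makes the truncation behaviour explicit. Separately, the `0x%p` formats for `qp->rx_buff` and `qp->tx_mw` presumably print hashed values on kernels that hash `%p`, so it is worth confirming those two lines still serve a debugging purpose. The guard's body and the rest of debugfs_read() lie outside the hunk, so the declared types of `out_offset` and `out_count` are not visible here.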