drm: Fix potential overflow issue in event_string array
author Feng Jiang <jiangfeng@kylinos.cn>
Wed, 9 Apr 2025 01:46:33 +0000 (09:46 +0800)
committer Rodrigo Vivi <rodrigo.vivi@intel.com>
Fri, 2 May 2025 13:34:22 +0000 (09:34 -0400)
When calling scnprintf() to append recovery method to event_string,
the second argument should be `sizeof(event_string) - len`, otherwise
there is a potential overflow problem.

Fixes: b7cf9f4ac1b8 ("drm: Introduce device wedged event")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
Reviewed-by: Raag Jadav <raag.jadav@intel.com>
Link: https://lore.kernel.org/r/20250409014633.31303-1-jiangfeng@kylinos.cn
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
drivers/gpu/drm/drm_drv.c

index 17fc5dc708f472bee06b950a89583c83799eba6d..60e5ac179c151a5edd5d8a0fcb0ab5ecc0515f14 100644 (file)
@@ -549,7 +549,7 @@ int drm_dev_wedged_event(struct drm_device *dev, unsigned long method)
                if (drm_WARN_ONCE(dev, !recovery, "invalid recovery method %u\n", opt))
                        break;
 
-               len += scnprintf(event_string + len, sizeof(event_string), "%s,", recovery);
+               len += scnprintf(event_string + len, sizeof(event_string) - len, "%s,", recovery);
        }
 
        if (recovery)
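
Review bot: The added scnprintf() call in the loop still truncates silently, and nothing in this hunk detects it. With the remaining space correctly passed as `sizeof(event_string) - len`, a write can no longer run past the array, but once the buffer fills, a recovery name is cut short or dropped and `len` simply stops advancing, so the string handed on after the loop may list fewer methods than were requested. Consider checking inside the loop whether `len` has reached `sizeof(event_string) - 1` and warning (for example with the drm_WARN_ONCE() already used above for invalid methods), or documenting next to the array declaration that it is sized to hold every recovery name plus separators. It would also help if the commit message said whether the overflow is reachable with the current set of recovery methods, since that decides how urgently the Fixes: target needs the backport.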