snprintf() returns the number of bytes that *would* have been copied if the buffer was large enough, so it can be larger than the size of the buffer. In this case it's ok, but let's put a cap on it anyway so it's easier to audit. Signed-off-by: Dan Carpenter <error27@xxxxxxxxx> diff --git a/arch/x86/kernel/tlb_uv.c b/arch/x86/kernel/tlb_uv.c index 312ef02..5e88b3a 100644 --- a/arch/x86/kernel/tlb_uv.c +++ b/arch/x86/kernel/tlb_uv.c @@ -1012,6 +1012,9 @@ static ssize_t tunables_read(struct file *file, char __user *userbuf, timeoutsb4reset, ipi_reset_limit, complete_threshold, congested_response_us, congested_reps, congested_period); + if (ret > 300) + ret = 300; + return simple_read_from_buffer(userbuf, count, ppos, buf, ret); }
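Review bot: the cap in the added `if (ret > 300)` / `ret = 300;` lines is a bare literal that cannot be checked against the size of `buf` from this hunk, since neither the declaration nor the size argument of the snprintf() call is in the visible context. Please derive the limit from the buffer itself (for example `sizeof(buf)` if `buf` is a local array) so the clamp cannot drift from the declaration. Also, if 300 is the size passed to snprintf(), a truncated result holds at most 299 characters plus the terminating NUL, so clamping `ret` to 300 would let simple_read_from_buffer() hand the NUL byte to userspace; clamping to size minus one avoids that. Switching the call to scnprintf(), which returns the number of characters actually written, would make the clamp unnecessary and keep the function as easy to audit as the commit message intends.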