提交 7cd37a00 编写于 作者: T Takashi Iwai 提交者: Jens Axboe

lightnvm: pblk: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NJens Axboe <axboe@kernel.dk>
上级 03485104
...@@ -37,7 +37,7 @@ static ssize_t pblk_sysfs_luns_show(struct pblk *pblk, char *page) ...@@ -37,7 +37,7 @@ static ssize_t pblk_sysfs_luns_show(struct pblk *pblk, char *page)
active = 0; active = 0;
up(&rlun->wr_sem); up(&rlun->wr_sem);
} }
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"pblk: pos:%d, ch:%d, lun:%d - %d\n", "pblk: pos:%d, ch:%d, lun:%d - %d\n",
i, i,
rlun->bppa.a.ch, rlun->bppa.a.ch,
...@@ -120,7 +120,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page) ...@@ -120,7 +120,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page)
struct nvm_addrf_12 *ppaf = (struct nvm_addrf_12 *)&pblk->addrf; struct nvm_addrf_12 *ppaf = (struct nvm_addrf_12 *)&pblk->addrf;
struct nvm_addrf_12 *gppaf = (struct nvm_addrf_12 *)&geo->addrf; struct nvm_addrf_12 *gppaf = (struct nvm_addrf_12 *)&geo->addrf;
sz = snprintf(page, PAGE_SIZE, sz = scnprintf(page, PAGE_SIZE,
"g:(b:%d)blk:%d/%d,pg:%d/%d,lun:%d/%d,ch:%d/%d,pl:%d/%d,sec:%d/%d\n", "g:(b:%d)blk:%d/%d,pg:%d/%d,lun:%d/%d,ch:%d/%d,pl:%d/%d,sec:%d/%d\n",
pblk->addrf_len, pblk->addrf_len,
ppaf->blk_offset, ppaf->blk_len, ppaf->blk_offset, ppaf->blk_len,
...@@ -130,7 +130,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page) ...@@ -130,7 +130,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page)
ppaf->pln_offset, ppaf->pln_len, ppaf->pln_offset, ppaf->pln_len,
ppaf->sec_offset, ppaf->sec_len); ppaf->sec_offset, ppaf->sec_len);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"d:blk:%d/%d,pg:%d/%d,lun:%d/%d,ch:%d/%d,pl:%d/%d,sec:%d/%d\n", "d:blk:%d/%d,pg:%d/%d,lun:%d/%d,ch:%d/%d,pl:%d/%d,sec:%d/%d\n",
gppaf->blk_offset, gppaf->blk_len, gppaf->blk_offset, gppaf->blk_len,
gppaf->pg_offset, gppaf->pg_len, gppaf->pg_offset, gppaf->pg_len,
...@@ -142,7 +142,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page) ...@@ -142,7 +142,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page)
struct nvm_addrf *ppaf = &pblk->addrf; struct nvm_addrf *ppaf = &pblk->addrf;
struct nvm_addrf *gppaf = &geo->addrf; struct nvm_addrf *gppaf = &geo->addrf;
sz = snprintf(page, PAGE_SIZE, sz = scnprintf(page, PAGE_SIZE,
"pblk:(s:%d)ch:%d/%d,lun:%d/%d,chk:%d/%d/sec:%d/%d\n", "pblk:(s:%d)ch:%d/%d,lun:%d/%d,chk:%d/%d/sec:%d/%d\n",
pblk->addrf_len, pblk->addrf_len,
ppaf->ch_offset, ppaf->ch_len, ppaf->ch_offset, ppaf->ch_len,
...@@ -150,7 +150,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page) ...@@ -150,7 +150,7 @@ static ssize_t pblk_sysfs_ppaf(struct pblk *pblk, char *page)
ppaf->chk_offset, ppaf->chk_len, ppaf->chk_offset, ppaf->chk_len,
ppaf->sec_offset, ppaf->sec_len); ppaf->sec_offset, ppaf->sec_len);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"device:ch:%d/%d,lun:%d/%d,chk:%d/%d,sec:%d/%d\n", "device:ch:%d/%d,lun:%d/%d,chk:%d/%d,sec:%d/%d\n",
gppaf->ch_offset, gppaf->ch_len, gppaf->ch_offset, gppaf->ch_len,
gppaf->lun_offset, gppaf->lun_len, gppaf->lun_offset, gppaf->lun_len,
...@@ -278,11 +278,11 @@ static ssize_t pblk_sysfs_lines(struct pblk *pblk, char *page) ...@@ -278,11 +278,11 @@ static ssize_t pblk_sysfs_lines(struct pblk *pblk, char *page)
pblk_err(pblk, "corrupted free line list:%d/%d\n", pblk_err(pblk, "corrupted free line list:%d/%d\n",
nr_free_lines, free_line_cnt); nr_free_lines, free_line_cnt);
sz = snprintf(page, PAGE_SIZE - sz, sz = scnprintf(page, PAGE_SIZE - sz,
"line: nluns:%d, nblks:%d, nsecs:%d\n", "line: nluns:%d, nblks:%d, nsecs:%d\n",
geo->all_luns, lm->blk_per_line, lm->sec_per_line); geo->all_luns, lm->blk_per_line, lm->sec_per_line);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"lines:d:%d,l:%d-f:%d,m:%d/%d,c:%d,b:%d,co:%d(d:%d,l:%d)t:%d\n", "lines:d:%d,l:%d-f:%d,m:%d/%d,c:%d,b:%d,co:%d(d:%d,l:%d)t:%d\n",
cur_data, cur_log, cur_data, cur_log,
nr_free_lines, nr_free_lines,
...@@ -292,12 +292,12 @@ static ssize_t pblk_sysfs_lines(struct pblk *pblk, char *page) ...@@ -292,12 +292,12 @@ static ssize_t pblk_sysfs_lines(struct pblk *pblk, char *page)
d_line_cnt, l_line_cnt, d_line_cnt, l_line_cnt,
l_mg->nr_lines); l_mg->nr_lines);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"GC: full:%d, high:%d, mid:%d, low:%d, empty:%d, werr: %d, queue:%d\n", "GC: full:%d, high:%d, mid:%d, low:%d, empty:%d, werr: %d, queue:%d\n",
gc_full, gc_high, gc_mid, gc_low, gc_empty, gc_werr, gc_full, gc_high, gc_mid, gc_low, gc_empty, gc_werr,
atomic_read(&pblk->gc.read_inflight_gc)); atomic_read(&pblk->gc.read_inflight_gc));
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"data (%d) cur:%d, left:%d, vsc:%d, s:%d, map:%d/%d (%d)\n", "data (%d) cur:%d, left:%d, vsc:%d, s:%d, map:%d/%d (%d)\n",
cur_data, cur_sec, msecs, vsc, sec_in_line, cur_data, cur_sec, msecs, vsc, sec_in_line,
map_weight, lm->sec_per_line, map_weight, lm->sec_per_line,
...@@ -313,19 +313,19 @@ static ssize_t pblk_sysfs_lines_info(struct pblk *pblk, char *page) ...@@ -313,19 +313,19 @@ static ssize_t pblk_sysfs_lines_info(struct pblk *pblk, char *page)
struct pblk_line_meta *lm = &pblk->lm; struct pblk_line_meta *lm = &pblk->lm;
ssize_t sz = 0; ssize_t sz = 0;
sz = snprintf(page, PAGE_SIZE - sz, sz = scnprintf(page, PAGE_SIZE - sz,
"smeta - len:%d, secs:%d\n", "smeta - len:%d, secs:%d\n",
lm->smeta_len, lm->smeta_sec); lm->smeta_len, lm->smeta_sec);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"emeta - len:%d, sec:%d, bb_start:%d\n", "emeta - len:%d, sec:%d, bb_start:%d\n",
lm->emeta_len[0], lm->emeta_sec[0], lm->emeta_len[0], lm->emeta_sec[0],
lm->emeta_bb); lm->emeta_bb);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"bitmap lengths: sec:%d, blk:%d, lun:%d\n", "bitmap lengths: sec:%d, blk:%d, lun:%d\n",
lm->sec_bitmap_len, lm->sec_bitmap_len,
lm->blk_bitmap_len, lm->blk_bitmap_len,
lm->lun_bitmap_len); lm->lun_bitmap_len);
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"blk_line:%d, sec_line:%d, sec_blk:%d\n", "blk_line:%d, sec_line:%d, sec_blk:%d\n",
lm->blk_per_line, lm->blk_per_line,
lm->sec_per_line, lm->sec_per_line,
...@@ -344,12 +344,12 @@ static ssize_t pblk_get_write_amp(u64 user, u64 gc, u64 pad, ...@@ -344,12 +344,12 @@ static ssize_t pblk_get_write_amp(u64 user, u64 gc, u64 pad,
{ {
int sz; int sz;
sz = snprintf(page, PAGE_SIZE, sz = scnprintf(page, PAGE_SIZE,
"user:%lld gc:%lld pad:%lld WA:", "user:%lld gc:%lld pad:%lld WA:",
user, gc, pad); user, gc, pad);
if (!user) { if (!user) {
sz += snprintf(page + sz, PAGE_SIZE - sz, "NaN\n"); sz += scnprintf(page + sz, PAGE_SIZE - sz, "NaN\n");
} else { } else {
u64 wa_int; u64 wa_int;
u32 wa_frac; u32 wa_frac;
...@@ -358,7 +358,7 @@ static ssize_t pblk_get_write_amp(u64 user, u64 gc, u64 pad, ...@@ -358,7 +358,7 @@ static ssize_t pblk_get_write_amp(u64 user, u64 gc, u64 pad,
wa_int = div64_u64(wa_int, user); wa_int = div64_u64(wa_int, user);
wa_int = div_u64_rem(wa_int, 100000, &wa_frac); wa_int = div_u64_rem(wa_int, 100000, &wa_frac);
sz += snprintf(page + sz, PAGE_SIZE - sz, "%llu.%05u\n", sz += scnprintf(page + sz, PAGE_SIZE - sz, "%llu.%05u\n",
wa_int, wa_frac); wa_int, wa_frac);
} }
...@@ -401,9 +401,9 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page) ...@@ -401,9 +401,9 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page)
total = atomic64_read(&pblk->nr_flush) - pblk->nr_flush_rst; total = atomic64_read(&pblk->nr_flush) - pblk->nr_flush_rst;
if (!total) { if (!total) {
for (i = 0; i < (buckets + 1); i++) for (i = 0; i < (buckets + 1); i++)
sz += snprintf(page + sz, PAGE_SIZE - sz, sz += scnprintf(page + sz, PAGE_SIZE - sz,
"%d:0 ", i); "%d:0 ", i);
sz += snprintf(page + sz, PAGE_SIZE - sz, "\n"); sz += scnprintf(page + sz, PAGE_SIZE - sz, "\n");
return sz; return sz;
} }
...@@ -411,7 +411,7 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page) ...@@ -411,7 +411,7 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page)
for (i = 0; i < buckets; i++) for (i = 0; i < buckets; i++)
total_buckets += atomic64_read(&pblk->pad_dist[i]); total_buckets += atomic64_read(&pblk->pad_dist[i]);
sz += snprintf(page + sz, PAGE_SIZE - sz, "0:%lld%% ", sz += scnprintf(page + sz, PAGE_SIZE - sz, "0:%lld%% ",
bucket_percentage(total - total_buckets, total)); bucket_percentage(total - total_buckets, total));
for (i = 0; i < buckets; i++) { for (i = 0; i < buckets; i++) {
...@@ -419,10 +419,10 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page) ...@@ -419,10 +419,10 @@ static ssize_t pblk_sysfs_get_padding_dist(struct pblk *pblk, char *page)
p = bucket_percentage(atomic64_read(&pblk->pad_dist[i]), p = bucket_percentage(atomic64_read(&pblk->pad_dist[i]),
total); total);
sz += snprintf(page + sz, PAGE_SIZE - sz, "%d:%lld%% ", sz += scnprintf(page + sz, PAGE_SIZE - sz, "%d:%lld%% ",
i + 1, p); i + 1, p);
} }
sz += snprintf(page + sz, PAGE_SIZE - sz, "\n"); sz += scnprintf(page + sz, PAGE_SIZE - sz, "\n");
return sz; return sz;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册