diff options
author | David Disseldorp <ddiss@suse.de> | 2017-10-19 01:39:20 +0200 |
---|---|---|
committer | Nicholas Bellinger <nab@linux-iscsi.org> | 2017-11-04 15:00:30 -0700 |
commit | 55435badda8bd8e4c97a8b6c3fa9eef79b02fe44 (patch) | |
tree | 06e5ff31fadadac145ed76e2b69584d510dcd217 /drivers/target/target_core_alua.c | |
parent | bdc79f0ed12ff55a9b56a91da04d0c8d8a786b9c (diff) | |
download | lwn-55435badda8bd8e4c97a8b6c3fa9eef79b02fe44.tar.gz lwn-55435badda8bd8e4c97a8b6c3fa9eef79b02fe44.zip |
target: fix ALUA state file path truncation
A sufficiently long Unit Serial string, dbroot path, and/or ALUA target
portal group name may result in truncation of the ALUA state file path
prior to usage. Fix this by using kasprintf() instead.
Fixes: fdddf932269a ("target: use new "dbroot" target attribute")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Diffstat (limited to 'drivers/target/target_core_alua.c')
-rw-r--r-- | drivers/target/target_core_alua.c | 51 |
1 files changed, 28 insertions, 23 deletions
diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c index 928127642574..e46ca968009c 100644 --- a/drivers/target/target_core_alua.c +++ b/drivers/target/target_core_alua.c @@ -918,7 +918,7 @@ static int core_alua_update_tpg_primary_metadata( { unsigned char *md_buf; struct t10_wwn *wwn = &tg_pt_gp->tg_pt_gp_dev->t10_wwn; - char path[ALUA_METADATA_PATH_LEN]; + char *path; int len, rc; md_buf = kzalloc(ALUA_MD_BUF_LEN, GFP_KERNEL); @@ -927,8 +927,6 @@ static int core_alua_update_tpg_primary_metadata( return -ENOMEM; } - memset(path, 0, ALUA_METADATA_PATH_LEN); - len = snprintf(md_buf, ALUA_MD_BUF_LEN, "tg_pt_gp_id=%hu\n" "alua_access_state=0x%02x\n" @@ -937,11 +935,14 @@ static int core_alua_update_tpg_primary_metadata( tg_pt_gp->tg_pt_gp_alua_access_state, tg_pt_gp->tg_pt_gp_alua_access_status); - snprintf(path, ALUA_METADATA_PATH_LEN, - "%s/alua/tpgs_%s/%s", db_root, &wwn->unit_serial[0], - config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item)); - - rc = core_alua_write_tpg_metadata(path, md_buf, len); + rc = -ENOMEM; + path = kasprintf(GFP_KERNEL, "%s/alua/tpgs_%s/%s", db_root, + &wwn->unit_serial[0], + config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item)); + if (path) { + rc = core_alua_write_tpg_metadata(path, md_buf, len); + kfree(path); + } kfree(md_buf); return rc; } @@ -1209,7 +1210,7 @@ static int core_alua_update_tpg_secondary_metadata(struct se_lun *lun) { struct se_portal_group *se_tpg = lun->lun_tpg; unsigned char *md_buf; - char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN]; + char *path; int len, rc; mutex_lock(&lun->lun_tg_pt_md_mutex); @@ -1221,28 +1222,32 @@ static int core_alua_update_tpg_secondary_metadata(struct se_lun *lun) goto out_unlock; } - memset(path, 0, ALUA_METADATA_PATH_LEN); - memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN); - - len = snprintf(wwn, ALUA_SECONDARY_METADATA_WWN_LEN, "%s", - se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg)); - - if (se_tpg->se_tpg_tfo->tpg_get_tag != NULL) - snprintf(wwn+len, ALUA_SECONDARY_METADATA_WWN_LEN-len, "+%hu", - se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg)); - len = snprintf(md_buf, ALUA_MD_BUF_LEN, "alua_tg_pt_offline=%d\n" "alua_tg_pt_status=0x%02x\n", atomic_read(&lun->lun_tg_pt_secondary_offline), lun->lun_tg_pt_secondary_stat); - snprintf(path, ALUA_METADATA_PATH_LEN, "%s/alua/%s/%s/lun_%llu", - db_root, se_tpg->se_tpg_tfo->get_fabric_name(), wwn, - lun->unpacked_lun); + if (se_tpg->se_tpg_tfo->tpg_get_tag != NULL) { + path = kasprintf(GFP_KERNEL, "%s/alua/%s/%s+%hu/lun_%llu", + db_root, se_tpg->se_tpg_tfo->get_fabric_name(), + se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg), + se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg), + lun->unpacked_lun); + } else { + path = kasprintf(GFP_KERNEL, "%s/alua/%s/%s/lun_%llu", + db_root, se_tpg->se_tpg_tfo->get_fabric_name(), + se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg), + lun->unpacked_lun); + } + if (!path) { + rc = -ENOMEM; + goto out_free; + } rc = core_alua_write_tpg_metadata(path, md_buf, len); + kfree(path); +out_free: kfree(md_buf); - out_unlock: mutex_unlock(&lun->lun_tg_pt_md_mutex); return rc; |