target: fix ALUA state file path truncation

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

A sufficiently long Unit Serial string, dbroot path, and/or ALUA target
portal group name may result in truncation of the ALUA state file path
prior to usage. Fix this by using kasprintf() instead.

Fixes: fdddf932269a ("target: use new "dbroot" target attribute")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

authored by

David Disseldorp and committed by

Nicholas Bellinger 8 years ago 55435bad bdc79f0e

+28 -32

2 changed files

expand all

drivers

target

target_core_alua.c

target_core_alua.h

+28 -23

drivers/target/target_core_alua.c

··· 918 918 { 919 919 unsigned char *md_buf; 920 920 struct t10_wwn *wwn = &tg_pt_gp->tg_pt_gp_dev->t10_wwn; 921 - char path[ALUA_METADATA_PATH_LEN]; 921 + char *path; 922 922 int len, rc; 923 923 924 924 md_buf = kzalloc(ALUA_MD_BUF_LEN, GFP_KERNEL); ··· 926 926 pr_err("Unable to allocate buf for ALUA metadata\n"); 927 927 return -ENOMEM; 928 928 } 929 - 930 - memset(path, 0, ALUA_METADATA_PATH_LEN); 931 929 932 930 len = snprintf(md_buf, ALUA_MD_BUF_LEN, 933 931 "tg_pt_gp_id=%hu\n" ··· 935 937 tg_pt_gp->tg_pt_gp_alua_access_state, 936 938 tg_pt_gp->tg_pt_gp_alua_access_status); 937 939 938 - snprintf(path, ALUA_METADATA_PATH_LEN, 939 - "%s/alua/tpgs_%s/%s", db_root, &wwn->unit_serial[0], 940 - config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item)); 941 - 942 - rc = core_alua_write_tpg_metadata(path, md_buf, len); 940 + rc = -ENOMEM; 941 + path = kasprintf(GFP_KERNEL, "%s/alua/tpgs_%s/%s", db_root, 942 + &wwn->unit_serial[0], 943 + config_item_name(&tg_pt_gp->tg_pt_gp_group.cg_item)); 944 + if (path) { 945 + rc = core_alua_write_tpg_metadata(path, md_buf, len); 946 + kfree(path); 947 + } 943 948 kfree(md_buf); 944 949 return rc; 945 950 } ··· 1210 1209 { 1211 1210 struct se_portal_group *se_tpg = lun->lun_tpg; 1212 1211 unsigned char *md_buf; 1213 - char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN]; 1212 + char *path; 1214 1213 int len, rc; 1215 1214 1216 1215 mutex_lock(&lun->lun_tg_pt_md_mutex); ··· 1222 1221 goto out_unlock; 1223 1222 } 1224 1223 1225 - memset(path, 0, ALUA_METADATA_PATH_LEN); 1226 - memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN); 1227 - 1228 - len = snprintf(wwn, ALUA_SECONDARY_METADATA_WWN_LEN, "%s", 1229 - se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg)); 1230 - 1231 - if (se_tpg->se_tpg_tfo->tpg_get_tag != NULL) 1232 - snprintf(wwn+len, ALUA_SECONDARY_METADATA_WWN_LEN-len, "+%hu", 1233 - se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg)); 1234 - 1235 1224 len = snprintf(md_buf, ALUA_MD_BUF_LEN, "alua_tg_pt_offline=%d\n" 1236 1225 "alua_tg_pt_status=0x%02x\n", 1237 1226 atomic_read(&lun->lun_tg_pt_secondary_offline), 1238 1227 lun->lun_tg_pt_secondary_stat); 1239 1228 1240 - snprintf(path, ALUA_METADATA_PATH_LEN, "%s/alua/%s/%s/lun_%llu", 1241 - db_root, se_tpg->se_tpg_tfo->get_fabric_name(), wwn, 1242 - lun->unpacked_lun); 1229 + if (se_tpg->se_tpg_tfo->tpg_get_tag != NULL) { 1230 + path = kasprintf(GFP_KERNEL, "%s/alua/%s/%s+%hu/lun_%llu", 1231 + db_root, se_tpg->se_tpg_tfo->get_fabric_name(), 1232 + se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg), 1233 + se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg), 1234 + lun->unpacked_lun); 1235 + } else { 1236 + path = kasprintf(GFP_KERNEL, "%s/alua/%s/%s/lun_%llu", 1237 + db_root, se_tpg->se_tpg_tfo->get_fabric_name(), 1238 + se_tpg->se_tpg_tfo->tpg_get_wwn(se_tpg), 1239 + lun->unpacked_lun); 1240 + } 1241 + if (!path) { 1242 + rc = -ENOMEM; 1243 + goto out_free; 1244 + } 1243 1245 1244 1246 rc = core_alua_write_tpg_metadata(path, md_buf, len); 1247 + kfree(path); 1248 + out_free: 1245 1249 kfree(md_buf); 1246 - 1247 1250 out_unlock: 1248 1251 mutex_unlock(&lun->lun_tg_pt_md_mutex); 1249 1252 return rc;

-9

drivers/target/target_core_alua.h

··· 71 71 */ 72 72 #define ALUA_DEFAULT_IMPLICIT_TRANS_SECS 0 73 73 #define ALUA_MAX_IMPLICIT_TRANS_SECS 255 74 - /* 75 - * Used by core_alua_update_tpg_primary_metadata() and 76 - * core_alua_update_tpg_secondary_metadata() 77 - */ 78 - #define ALUA_METADATA_PATH_LEN 512 79 - /* 80 - * Used by core_alua_update_tpg_secondary_metadata() 81 - */ 82 - #define ALUA_SECONDARY_METADATA_WWN_LEN 256 83 74 84 75 /* Used by core_alua_update_tpg_(primary,secondary)_metadata */ 85 76 #define ALUA_MD_BUF_LEN 1024