
[PATCH] zram: off by one in read_block_state()

From: Dan Carpenter <hidden>
Date: 2021-09-16 13:04:30
Also in: kernel-janitors, lkml
Subsystem: block layer, the rest, zram compressed ram block device driver · Maintainers: Jens Axboe, Linus Torvalds, Minchan Kim, Sergey Senozhatsky

The snprintf() function returns the number of bytes it would have
printed if there were space.  But it does not count the NUL terminator.
So that means that if "count == copied" then this has already
overflowed by one character.

This bug likely isn't super harmful in real life.

Fixes: c0265342bff4 ("zram: introduce zram memory tracking")
Signed-off-by: Dan Carpenter <redacted>
---
 drivers/block/zram/zram_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index fcaf2750f68f..6383c81ac5b3 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -910,7 +910,7 @@ static ssize_t read_block_state(struct file *file, char __user *buf,
 			zram_test_flag(zram, index, ZRAM_HUGE) ? 'h' : '.',
 			zram_test_flag(zram, index, ZRAM_IDLE) ? 'i' : '.');
 
-		if (count < copied) {
+		if (count <= copied) {
 			zram_slot_unlock(zram, index);
 			break;
 		}
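Review bot: the `<=` in `if (count <= copied)` is the right bound, since the snprintf() return value excludes the NUL terminator, so `copied == count` means the entry just formatted was cut short to make room for the terminator; but because the check runs after that entry has already been written into the buffer (the format arguments for it are the lines just above), a truncated partial line can remain at the tail when the loop breaks. Worth either a short comment stating that the caller copes with a partial last entry, or rewinding `copied` to the end of the previous complete entry before `break`.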
-- 
2.20.1
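The off-by-one the patch fixes is easy to reproduce in user space. The following is an added example, not kernel code: `fill_entries()` mimics the shape of the read_block_state() loop (format an entry with snprintf() into a fixed buffer, then check the bound) with constructed fixed-width entries, and runs either the original check (`count < copied`) or the patched one (`count <= copied`). The function and entry format are assumptions chosen for the demonstration; `complete_entries()` counts how many newline-terminated entries actually landed in the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the read_block_state() loop: append entries of the
 * constructed form "%12lu %c%c\n" (16 bytes each) into buf, whose capacity is
 * count. When patched is true the bound check is the fixed one from the patch
 * (count <= copied), otherwise the original (count < copied). Returns the
 * running total of snprintf() return values, i.e. what the loop calls "copied". */
size_t fill_entries(char *buf, size_t count, unsigned long nentries, bool patched)
{
    size_t copied = 0;

    for (unsigned long index = 0; index < nentries; index++) {
        /* snprintf() returns the length the entry would have had, not counting
         * the NUL; with size 0 it writes nothing but still returns that length. */
        copied += snprintf(buf + copied, count - copied, "%12lu %c%c\n",
                           index, 'h', '.');

        if (patched ? (count <= copied) : (count < copied))
            break;
    }
    return copied;
}

/* Number of complete, newline-terminated entries present in the first len bytes. */
size_t complete_entries(const char *buf, size_t len)
{
    size_t n = 0;

    for (size_t i = 0; i < len && buf[i] != '\0'; i++)
        if (buf[i] == '\n')
            n++;
    return n;
}

/* Bytes a caller would read past the end of the buffer if it trusted "copied". */
size_t bytes_past_end(size_t copied, size_t count)
{
    return copied > count ? copied - count : 0;
}

int main(void)
{
    char buf[64];
    size_t count = 32;   /* room for exactly two 16-byte entries, no spare NUL slot */
    size_t copied;

    memset(buf, 0, sizeof(buf));
    copied = fill_entries(buf, count, 3, false);
    printf("original check: copied=%zu, complete entries=%zu, past end=%zu\n",
           copied, complete_entries(buf, count), bytes_past_end(copied, count));

    memset(buf, 0, sizeof(buf));
    copied = fill_entries(buf, count, 3, true);
    printf("patched check:  copied=%zu, complete entries=%zu, past end=%zu\n",
           copied, complete_entries(buf, count), bytes_past_end(copied, count));
    return 0;
}
```

With a 32-byte buffer the second entry is truncated to 15 characters so the NUL fits, and snprintf() still reports 16, making `copied == count`. The original check lets the loop run once more with a zero-size snprintf(), so `copied` ends at 48 and a caller that copies `copied` bytes out would read 16 bytes beyond the buffer. The patched check stops at 32; note that in both cases the buffer holds only one complete entry plus a truncated tail, which is the partial-line caveat a caller has to be aware of.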