archive mirror
 help / color / mirror / Atom feed
* [PATCH] zram: off by one in read_block_state()
@ 2021-09-16 13:04 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2021-09-16 13:04 UTC (permalink / raw)
  To: Minchan Kim
  Cc: Nitin Gupta, Sergey Senozhatsky, Jens Axboe, Andrew Morton,
	linux-kernel, linux-block, kernel-janitors

The snprintf() function returns the number of bytes it would have
printed if there were space.  But it does not count the NUL terminator.
So that means that if "count == copied" then this has already
overflowed by one character.

This bug likely isn't super harmful in real life.

Fixes: c0265342bff4 ("zram: introduce zram memory tracking")
Signed-off-by: Dan Carpenter <>
 drivers/block/zram/zram_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index fcaf2750f68f..6383c81ac5b3 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -910,7 +910,7 @@ static ssize_t read_block_state(struct file *file, char __user *buf,
 			zram_test_flag(zram, index, ZRAM_HUGE) ? 'h' : '.',
 			zram_test_flag(zram, index, ZRAM_IDLE) ? 'i' : '.');
-		if (count < copied) {
+		if (count <= copied) {
 			zram_slot_unlock(zram, index);

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-09-16 13:04 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-16 13:04 [PATCH] zram: off by one in read_block_state() Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).