On 28/05/2021 16.22, Justin He wrote: > >> From: Matthew Wilcox <willy@xxxxxxxxxxxxx> >> How is it "safer"? You already have a buffer passed from the caller. >> Are you saying that d_path_fast() might overrun a really small buffer >> but won't overrun a 256 byte buffer? > No, it won't overrun a 256 byte buf. When the full path size is larger than 256, the p->len is < 0 in prepend_name, and this overrun will be > dectected in extract_string() with "-ENAMETOOLONG". > > Each printk contains 2 vsnprintf. vsnprintf() returns the required size after formatting the string.> > 1. vprintk_store() will invoke 1st vsnprintf() will 8 bytes space to get the reserve_size. In this case, the _buf_ could be less than _end_ by design. > 2. Then it invokes 2nd printk_sprint()->vscnprintf()->vsnprintf() to really fill the space. Please do not assume that printk is the only user of vsnprintf() or the only one that would use a given %p<foo> extension. Also, is it clear that nothing can change underneath you in between two calls to vsnprintf()? IOW, is it certain that the path will fit upon a second call using the size returned from the first? Rasmus
