[thirdparty/kernel/stable-queue.git] / releases / 4.14.111 / bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch

From 8df0a6c1b443294005e9c23d76d38ed7472ebd0e Mon Sep 17 00:00:00 2001
From: Coly Li <colyli@suse.de>
Date: Sat, 9 Feb 2019 12:53:10 +0800
Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife

[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ]

Cache set sysfs entry io_error_halflife is used to set c->error_decay.
c->error_decay is in type unsigned int, and it is converted by
strtoul_or_return(), therefore overflow to c->error_decay is possible
for a large input value.

This patch fixes the overflow by using strtoul_safe_clamp() to convert
input string to an unsigned long value in range [0, UINT_MAX], then
divides by 88 and set it to c->error_decay.

Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/sysfs.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 5d81cd06af00..43ff7fbcbc7c 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -660,8 +660,17 @@ STORE(__bch_cache_set)
 		c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT;
 
 	/* See count_io_errors() for why 88 */
-	if (attr == &sysfs_io_error_halflife)
-		c->error_decay = strtoul_or_return(buf) / 88;
+	if (attr == &sysfs_io_error_halflife) {
+		unsigned long v = 0;
+		ssize_t ret;
+
+		ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
+		if (!ret) {
+			c->error_decay = v / 88;
+			return size;
+		}
+		return ret;
+	}
 
 	sysfs_strtoul(journal_delay_ms,		c->journal_delay_ms);
 	sysfs_strtoul(verify,			c->verify);
-- 
2.19.1
Commit	Line	Data
04fd09d4 SL	1	From 8df0a6c1b443294005e9c23d76d38ed7472ebd0e Mon Sep 17 00:00:00 2001
	2	From: Coly Li <colyli@suse.de>
	3	Date: Sat, 9 Feb 2019 12:53:10 +0800
	4	Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife
	5
	6	[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ]
	7
	8	Cache set sysfs entry io_error_halflife is used to set c->error_decay.
	9	c->error_decay is in type unsigned int, and it is converted by
	10	strtoul_or_return(), therefore overflow to c->error_decay is possible
	11	for a large input value.
	12
	13	This patch fixes the overflow by using strtoul_safe_clamp() to convert
	14	input string to an unsigned long value in range [0, UINT_MAX], then
	15	divides by 88 and set it to c->error_decay.
	16
	17	Signed-off-by: Coly Li <colyli@suse.de>
	18	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	19	Signed-off-by: Sasha Levin <sashal@kernel.org>
	20	---
	21	drivers/md/bcache/sysfs.c \| 13 +++++++++++--
	22	1 file changed, 11 insertions(+), 2 deletions(-)
	23
	24	diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
	25	index 5d81cd06af00..43ff7fbcbc7c 100644
	26	--- a/drivers/md/bcache/sysfs.c
	27	+++ b/drivers/md/bcache/sysfs.c
	28	@@ -660,8 +660,17 @@ STORE(__bch_cache_set)
	29	c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT;
	30
	31	/* See count_io_errors() for why 88 */
	32	- if (attr == &sysfs_io_error_halflife)
	33	- c->error_decay = strtoul_or_return(buf) / 88;
	34	+ if (attr == &sysfs_io_error_halflife) {
	35	+ unsigned long v = 0;
	36	+ ssize_t ret;
	37	+
	38	+ ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
	39	+ if (!ret) {
	40	+ c->error_decay = v / 88;
	41	+ return size;
	42	+ }
	43	+ return ret;
	44	+ }
	45
	46	sysfs_strtoul(journal_delay_ms, c->journal_delay_ms);
	47	sysfs_strtoul(verify, c->verify);
	48	--
	49	2.19.1
	50