1 From e58d7975d11bda8a4a5139ade371c131b7041434 Mon Sep 17 00:00:00 2001
2 From: Coly Li <colyli@suse.de>
3 Date: Sat, 9 Feb 2019 12:53:10 +0800
4 Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife
6 [ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ]
8 Cache set sysfs entry io_error_halflife is used to set c->error_decay.
9 c->error_decay is in type unsigned int, and it is converted by
10 strtoul_or_return(), therefore overflow to c->error_decay is possible
11 for a large input value.
13 This patch fixes the overflow by using strtoul_safe_clamp() to convert
14 input string to an unsigned long value in range [0, UINT_MAX], then
15 divides by 88 and set it to c->error_decay.
17 Signed-off-by: Coly Li <colyli@suse.de>
18 Signed-off-by: Jens Axboe <axboe@kernel.dk>
19 Signed-off-by: Sasha Levin <sashal@kernel.org>
21 drivers/md/bcache/sysfs.c | 13 +++++++++++--
22 1 file changed, 11 insertions(+), 2 deletions(-)
24 diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
25 index 5a5c1f1bd8a5..87daccbbc61b 100644
26 --- a/drivers/md/bcache/sysfs.c
27 +++ b/drivers/md/bcache/sysfs.c
28 @@ -645,8 +645,17 @@ STORE(__bch_cache_set)
29 c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT;
31 /* See count_io_errors() for why 88 */
32 - if (attr == &sysfs_io_error_halflife)
33 - c->error_decay = strtoul_or_return(buf) / 88;
34 + if (attr == &sysfs_io_error_halflife) {
35 + unsigned long v = 0;
38 + ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
40 + c->error_decay = v / 88;
46 sysfs_strtoul(journal_delay_ms, c->journal_delay_ms);
47 sysfs_strtoul(verify, c->verify);