releases/4.14.111/bcache-fix-input-overflow-to-sequential_cutoff.patch

   1 From 322c20d857dbffea47081acfd5745508689c60da Mon Sep 17 00:00:00 2001
   2 From: Coly Li <colyli@suse.de>
   3 Date: Sat, 9 Feb 2019 12:53:01 +0800
   4 Subject: bcache: fix input overflow to sequential_cutoff
   5
   6 [ Upstream commit 8c27a3953e92eb0b22dbb03d599f543a05f9574e ]
   7
   8 People may set sequential_cutoff of a cached device via sysfs file,
   9 but current code does not check input value overflow. E.g. if value
  10 4294967295 (UINT_MAX) is written to file sequential_cutoff, its value
  11 is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value
  12 will be 0. This is an unexpected behavior.
  13
  14 This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert
  15 input string to unsigned integer value, and limit its range in
  16 [0, UINT_MAX]. Then the input overflow can be fixed.
  17
  18 Signed-off-by: Coly Li <colyli@suse.de>
  19 Signed-off-by: Jens Axboe <axboe@kernel.dk>
  20 Signed-off-by: Sasha Levin <sashal@kernel.org>
  21 ---
  22  drivers/md/bcache/sysfs.c | 4 +++-
  23  1 file changed, 3 insertions(+), 1 deletion(-)
  24
  25 diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
  26 index 43ff7fbcbc7c..def9c3478b89 100644
  27 --- a/drivers/md/bcache/sysfs.c
  28 +++ b/drivers/md/bcache/sysfs.c
  29 @@ -217,7 +217,9 @@ STORE(__cached_dev)
  30         d_strtoul(writeback_rate_d_term);
  31         d_strtoul_nonzero(writeback_rate_p_term_inverse);
  32
  33 -       d_strtoi_h(sequential_cutoff);
  34 +       sysfs_strtoul_clamp(sequential_cutoff,
  35 +                           dc->sequential_cutoff,
  36 +                           0, UINT_MAX);
  37         d_strtoi_h(readahead);
  38
  39         if (attr == &sysfs_clear_stats)
  40 --
  41 2.19.1
  42