bcache: fix input overflow to sequential_cutoff

BugLink: https://bugs.launchpad.net/bugs/1828410
[ Upstream commit 8c27a3953e92eb0b22dbb03d599f543a05f9574e ]

People may set sequential_cutoff of a cached device via sysfs file,
but current code does not check input value overflow. E.g. if value
4294967295 (UINT_MAX) is written to file sequential_cutoff, its value
is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value
will be 0. This is an unexpected behavior.

This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert
input string to unsigned integer value, and limit its range in
[0, UINT_MAX]. Then the input overflow can be fixed.

Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 3b287f974fd9c335f81d5d4ca9290055db573543..f98cda32065d5db910406ccb13f8a7756ccce73f 100644 (file)
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -299,7 +299,9 @@ STORE(__cached_dev)
                dc->io_disable = v ? 1 : 0;
        }
 
-       d_strtoi_h(sequential_cutoff);
+       sysfs_strtoul_clamp(sequential_cutoff,
+                           dc->sequential_cutoff,
+                           0, UINT_MAX);
        d_strtoi_h(readahead);
 
        if (attr == &sysfs_clear_stats)