bcache: fix input overflow to cache set sysfs file io_error_halflife

BugLink: https://bugs.launchpad.net/bugs/1838116
[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ]

Cache set sysfs entry io_error_halflife is used to set c->error_decay.
c->error_decay is in type unsigned int, and it is converted by
strtoul_or_return(), therefore overflow to c->error_decay is possible
for a large input value.

This patch fixes the overflow by using strtoul_safe_clamp() to convert
input string to an unsigned long value in range [0, UINT_MAX], then
divides by 88 and set it to c->error_decay.

Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 17df47d085f1c09071dde60ed11a8e11d7e681a1..c18d4f67c5d1cc9fa768a5e797ddcd6c6565ff20 100644 (file)
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -700,8 +700,17 @@ STORE(__bch_cache_set)
                c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT;
 
        /* See count_io_errors() for why 88 */
-       if (attr == &sysfs_io_error_halflife)
-               c->error_decay = strtoul_or_return(buf) / 88;
+       if (attr == &sysfs_io_error_halflife) {
+               unsigned long v = 0;
+               ssize_t ret;
+
+               ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
+               if (!ret) {
+                       c->error_decay = v / 88;
+                       return size;
+               }
+               return ret;
+       }
 
        if (attr == &sysfs_io_disable) {
                int v = strtoul_or_return(buf);