* [PATCH 01/11] bcache: fix input integer overflow of congested threshold
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 02/11] bcache: fix input overflow to sequential_cutoff Coly Li
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
Cache set congested threshold values congested_read_threshold_us and
congested_write_threshold_us can be set via sysfs interface. These
two values are 'unsigned int' type, but sysfs interface uses strtoul
to convert input string. So if people input a large number like
9999999999, the value indeed set is 1410065407, which is not expected
behavior.
This patch replaces sysfs_strtoul() by sysfs_strtoul_clamp() when
convert input string to unsigned int value, and set value range in
[0, UINT_MAX], to avoid the above integer overflow errors.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index b5028ba90795..b7cbfeb63007 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -766,10 +766,12 @@ STORE(__bch_cache_set)
c->shrink.scan_objects(&c->shrink, &sc);
}
- sysfs_strtoul(congested_read_threshold_us,
- c->congested_read_threshold_us);
- sysfs_strtoul(congested_write_threshold_us,
- c->congested_write_threshold_us);
+ sysfs_strtoul_clamp(congested_read_threshold_us,
+ c->congested_read_threshold_us,
+ 0, UINT_MAX);
+ sysfs_strtoul_clamp(congested_write_threshold_us,
+ c->congested_write_threshold_us,
+ 0, UINT_MAX);
if (attr == &sysfs_errors) {
v = __sysfs_match_string(error_actions, -1, buf);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 02/11] bcache: fix input overflow to sequential_cutoff
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
2018-12-23 11:09 ` [PATCH 01/11] bcache: fix input integer overflow of congested threshold Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 03/11] bcache: add sysfs_strtoul_bool() for setting bit-field variables Coly Li
` (8 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
People may set sequential_cutoff of a cached device via sysfs file,
but current code does not check input value overflow. E.g. if value
4294967295 (UINT_MAX) is written to file sequential_cutoff, its value
is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value
will be 0. This is an unexpected behavior.
This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert
input string to unsigned integer value, and limit its range in
[0, UINT_MAX]. Then the input overflow can be fixed.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index b7cbfeb63007..29564bcb76c3 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -310,7 +310,9 @@ STORE(__cached_dev)
dc->io_disable = v ? 1 : 0;
}
- d_strtoi_h(sequential_cutoff);
+ sysfs_strtoul_clamp(sequential_cutoff,
+ dc->sequential_cutoff,
+ 0, UINT_MAX);
d_strtoi_h(readahead);
if (attr == &sysfs_clear_stats)
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 03/11] bcache: add sysfs_strtoul_bool() for setting bit-field variables
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
2018-12-23 11:09 ` [PATCH 01/11] bcache: fix input integer overflow of congested threshold Coly Li
2018-12-23 11:09 ` [PATCH 02/11] bcache: fix input overflow to sequential_cutoff Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 04/11] bcache: use sysfs_strtoul_bool() to set " Coly Li
` (7 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
When setting bool values via sysfs interface, e.g. writeback_metadata,
if writing 1 into writeback_metadata file, dc->writeback_metadata is
set to 1, but if writing 2 into the file, dc->writeback_metadata is
0. This is misleading, a better result should be 1 for all non-zero
input value.
It is because dc->writeback_metadata is a bit-field variable, and
current code simply use d_strtoul() to convert a string into integer
and takes the lowest bit value. To fix such error, we need a routine
to convert the input string into unsigned integer, and set target
variable to 1 if the converted integer is non-zero.
This patch introduces a new macro called sysfs_strtoul_bool(), it can
be used to convert input string into bool value, we can use it to set
bool value for bit-field vairables.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/md/bcache/sysfs.h b/drivers/md/bcache/sysfs.h
index 3fe82425859c..c89bf6d78c03 100644
--- a/drivers/md/bcache/sysfs.h
+++ b/drivers/md/bcache/sysfs.h
@@ -79,6 +79,16 @@ do { \
return strtoul_safe(buf, var) ?: (ssize_t) size; \
} while (0)
+#define sysfs_strtoul_bool(file, var) \
+do { \
+ if (attr == &sysfs_## file) { \
+ unsigned long v = strtoul_or_return(buf); \
+ \
+ var = v ? 1 : 0; \
+ return size; \
+ } \
+} while (0)
+
#define sysfs_strtoul_clamp(file, var, min, max) \
do { \
if (attr == &sysfs_ ## file) \
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 04/11] bcache: use sysfs_strtoul_bool() to set bit-field variables
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (2 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 03/11] bcache: add sysfs_strtoul_bool() for setting bit-field variables Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 05/11] bcache: fix input overflow to writeback_delay Coly Li
` (6 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
When setting bcache parameters via sysfs, there are some variables are
defined as bit-field value. Current bcache code in sysfs.c uses either
d_strtoul() or sysfs_strtoul() to convert the input string to unsigned
integer value and set it to the corresponded bit-field value.
The problem is, the bit-field value only takes the lowest bit of the
converted value. If input is 2, the expected value (like bool value)
of the bit-field value should be 1, but indeed it is 0.
The following sysfs files for bit-field variables have such problem,
bypass_torture_test, for dc->bypass_torture_test
writeback_metadata, for dc->writeback_metadata
writeback_running, for dc->writeback_running
verify, for c->verify
key_merging_disabled, for c->key_merging_disabled
gc_always_rewrite, for c->gc_always_rewrite
btree_shrinker_disabled,for c->shrinker_disabled
copy_gc_enabled, for c->copy_gc_enabled
This patch uses sysfs_strtoul_bool() to set such bit-field variables,
then if the converted value is non-zero, the bit-field variables will
be set to 1, like setting a bool value like expensive_debug_checks.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 29564bcb76c3..8dcafae6dd8a 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -274,9 +274,9 @@ STORE(__cached_dev)
sysfs_strtoul(data_csum, dc->disk.data_csum);
d_strtoul(verify);
- d_strtoul(bypass_torture_test);
- d_strtoul(writeback_metadata);
- d_strtoul(writeback_running);
+ sysfs_strtoul_bool(bypass_torture_test, dc->bypass_torture_test);
+ sysfs_strtoul_bool(writeback_metadata, dc->writeback_metadata);
+ sysfs_strtoul_bool(writeback_running, dc->writeback_running);
d_strtoul(writeback_delay);
sysfs_strtoul_clamp(writeback_percent, dc->writeback_percent, 0, 40);
@@ -804,12 +804,12 @@ STORE(__bch_cache_set)
}
sysfs_strtoul(journal_delay_ms, c->journal_delay_ms);
- sysfs_strtoul(verify, c->verify);
- sysfs_strtoul(key_merging_disabled, c->key_merging_disabled);
+ sysfs_strtoul_bool(verify, c->verify);
+ sysfs_strtoul_bool(key_merging_disabled, c->key_merging_disabled);
sysfs_strtoul(expensive_debug_checks, c->expensive_debug_checks);
- sysfs_strtoul(gc_always_rewrite, c->gc_always_rewrite);
- sysfs_strtoul(btree_shrinker_disabled, c->shrinker_disabled);
- sysfs_strtoul(copy_gc_enabled, c->copy_gc_enabled);
+ sysfs_strtoul_bool(gc_always_rewrite, c->gc_always_rewrite);
+ sysfs_strtoul_bool(btree_shrinker_disabled, c->shrinker_disabled);
+ sysfs_strtoul_bool(copy_gc_enabled, c->copy_gc_enabled);
return size;
}
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 05/11] bcache: fix input overflow to writeback_delay
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (3 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 04/11] bcache: use sysfs_strtoul_bool() to set " Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 06/11] bcache: fix potential div-zero error of writeback_rate_i_term_inverse Coly Li
` (5 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
Sysfs file writeback_delay is used to configure dc->writeback_delay
which is type unsigned int. But bcache code uses sysfs_strtoul() to
convert the input string, therefore it might be overflowed if the input
value is too large. E.g. input value is 4294967296 but indeed 0 is
set to dc->writeback_delay.
This patch uses sysfs_strtoul_clamp() to convert the input string and
set the result value range in [0, UINT_MAX] to avoid such unsigned
integer overflow.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 8dcafae6dd8a..16cd710f5f8b 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -277,7 +277,7 @@ STORE(__cached_dev)
sysfs_strtoul_bool(bypass_torture_test, dc->bypass_torture_test);
sysfs_strtoul_bool(writeback_metadata, dc->writeback_metadata);
sysfs_strtoul_bool(writeback_running, dc->writeback_running);
- d_strtoul(writeback_delay);
+ sysfs_strtoul_clamp(writeback_delay, dc->writeback_delay, 0, UINT_MAX);
sysfs_strtoul_clamp(writeback_percent, dc->writeback_percent, 0, 40);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 06/11] bcache: fix potential div-zero error of writeback_rate_i_term_inverse
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (4 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 05/11] bcache: fix input overflow to writeback_delay Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 07/11] bcache: fix potential div-zero error of writeback_rate_p_term_inverse Coly Li
` (4 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
dc->writeback_rate_i_term_inverse can be set via sysfs interface. It is
in type unsigned int, and convert from input string by d_strtoul(). The
problem is d_strtoul() does not check valid range of the input, if
4294967296 is written into sysfs file writeback_rate_i_term_inverse,
an overflow of unsigned integer will happen and value 0 is set to
dc->writeback_rate_i_term_inverse.
In writeback.c:__update_writeback_rate(), there are following lines of
code,
integral_scaled = div_s64(dc->writeback_rate_integral,
dc->writeback_rate_i_term_inverse);
If dc->writeback_rate_i_term_inverse is set to 0 via sysfs interface,
a div-zero error might be triggered in the above code.
Therefore we need to add a range limitation in the sysfs interface,
this is what this patch does, use sysfs_stroul_clamp() to replace
d_strtoul() and restrict the input range in [1, UINT_MAX].
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 16cd710f5f8b..d57ab24e9ccd 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -298,7 +298,9 @@ STORE(__cached_dev)
sysfs_strtoul_clamp(writeback_rate_update_seconds,
dc->writeback_rate_update_seconds,
1, WRITEBACK_RATE_UPDATE_SECS_MAX);
- d_strtoul(writeback_rate_i_term_inverse);
+ sysfs_strtoul_clamp(writeback_rate_i_term_inverse,
+ dc->writeback_rate_i_term_inverse,
+ 1, UINT_MAX);
d_strtoul_nonzero(writeback_rate_p_term_inverse);
d_strtoul_nonzero(writeback_rate_minimum);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 07/11] bcache: fix potential div-zero error of writeback_rate_p_term_inverse
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (5 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 06/11] bcache: fix potential div-zero error of writeback_rate_i_term_inverse Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 08/11] bcache: fix input overflow to writeback_rate_minimum Coly Li
` (3 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
Current code already uses d_strtoul_nonzero() to convert input string
to an unsigned integer, to make sure writeback_rate_p_term_inverse
won't be zero value. But overflow may happen when converting input
string to an unsigned integer value by d_strtoul_nonzero(), then
dc->writeback_rate_p_term_inverse can still be set to 0 even if the
sysfs file input value is not zero, e.g. 4294967296 (a.k.a UINT_MAX+1).
If dc->writeback_rate_p_term_inverse is set to 0, it might cause a
dev-zero error in following code from __update_writeback_rate(),
int64_t proportional_scaled =
div_s64(error, dc->writeback_rate_p_term_inverse);
This patch replaces d_strtoul_nonzero() by sysfs_strtoul_clamp() and
limit the value range in [1, UINT_MAX]. Then the unsigned integer
overflow and dev-zero error can be avoided.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index d57ab24e9ccd..a5d292707698 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -301,7 +301,9 @@ STORE(__cached_dev)
sysfs_strtoul_clamp(writeback_rate_i_term_inverse,
dc->writeback_rate_i_term_inverse,
1, UINT_MAX);
- d_strtoul_nonzero(writeback_rate_p_term_inverse);
+ sysfs_strtoul_clamp(writeback_rate_p_term_inverse,
+ dc->writeback_rate_p_term_inverse,
+ 1, UINT_MAX);
d_strtoul_nonzero(writeback_rate_minimum);
sysfs_strtoul_clamp(io_error_limit, dc->error_limit, 0, INT_MAX);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 08/11] bcache: fix input overflow to writeback_rate_minimum
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (6 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 07/11] bcache: fix potential div-zero error of writeback_rate_p_term_inverse Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 09/11] bcache: fix input overflow to journal_delay_ms Coly Li
` (2 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
dc->writeback_rate_minimum is type unsigned integer variable, it is set
via sysfs interface, and converte from input string to unsigned integer
by d_strtoul_nonzero(). When the converted input value is larger than
UINT_MAX, overflow to unsigned integer happens.
This patch fixes the overflow by using sysfs_strotoul_clamp() to
convert input string and limit the value in range [1, UINT_MAX], then
the overflow can be avoided.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index a5d292707698..31e41cc3c162 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -304,7 +304,9 @@ STORE(__cached_dev)
sysfs_strtoul_clamp(writeback_rate_p_term_inverse,
dc->writeback_rate_p_term_inverse,
1, UINT_MAX);
- d_strtoul_nonzero(writeback_rate_minimum);
+ sysfs_strtoul_clamp(writeback_rate_minimum,
+ dc->writeback_rate_minimum,
+ 1, UINT_MAX);
sysfs_strtoul_clamp(io_error_limit, dc->error_limit, 0, INT_MAX);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 09/11] bcache: fix input overflow to journal_delay_ms
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (7 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 08/11] bcache: fix input overflow to writeback_rate_minimum Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 10/11] bcache: fix input overflow to cache set io_error_limit Coly Li
2018-12-23 11:09 ` [PATCH 11/11] bcache: fix input overflow to cache set sysfs file io_error_halflife Coly Li
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
c->journal_delay_ms is in type unsigned short, it is set via sysfs
interface and converted by sysfs_strtoul() from input string to
unsigned short value. Therefore overflow to unsigned short might be
happen when the converted value exceed USHRT_MAX. e.g. writing
65536 into sysfs file journal_delay_ms, c->journal_delay_ms is set to
0.
This patch uses sysfs_strtoul_clamp() to convert the input string and
limit value range in [0, USHRT_MAX], to avoid the input overflow.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 31e41cc3c162..032d108d3041 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -809,7 +809,9 @@ STORE(__bch_cache_set)
}
}
- sysfs_strtoul(journal_delay_ms, c->journal_delay_ms);
+ sysfs_strtoul_clamp(journal_delay_ms,
+ c->journal_delay_ms,
+ 0, USHRT_MAX);
sysfs_strtoul_bool(verify, c->verify);
sysfs_strtoul_bool(key_merging_disabled, c->key_merging_disabled);
sysfs_strtoul(expensive_debug_checks, c->expensive_debug_checks);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 10/11] bcache: fix input overflow to cache set io_error_limit
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (8 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 09/11] bcache: fix input overflow to journal_delay_ms Coly Li
@ 2018-12-23 11:09 ` Coly Li
2018-12-23 11:09 ` [PATCH 11/11] bcache: fix input overflow to cache set sysfs file io_error_halflife Coly Li
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
c->error_limit is in type unsigned int, it is set via cache set sysfs
file io_error_limit. Inside the bcache code, input string is converted
by strtoul_or_return() and set the converted value to c->error_limit.
Because the converted value is unsigned long, and c->error_limit is
unsigned int, if the input is large enought, overflow will happen to
c->error_limit.
This patch uses sysfs_strtoul_clamp() to convert input string, and set
the range in [0, UINT_MAX] to avoid the potential overflow.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index 032d108d3041..c9888c45cb03 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -789,8 +789,7 @@ STORE(__bch_cache_set)
c->on_error = v;
}
- if (attr == &sysfs_io_error_limit)
- c->error_limit = strtoul_or_return(buf);
+ sysfs_strtoul_clamp(io_error_limit, c->error_limit, 0, UINT_MAX);
/* See count_io_errors() for why 88 */
if (attr == &sysfs_io_error_halflife)
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 11/11] bcache: fix input overflow to cache set sysfs file io_error_halflife
2018-12-23 11:09 [PATCH 00/11] fixes for setting values via sysfs interface Coly Li
` (9 preceding siblings ...)
2018-12-23 11:09 ` [PATCH 10/11] bcache: fix input overflow to cache set io_error_limit Coly Li
@ 2018-12-23 11:09 ` Coly Li
10 siblings, 0 replies; 12+ messages in thread
From: Coly Li @ 2018-12-23 11:09 UTC (permalink / raw)
To: linux-bcache; +Cc: linux-block, Coly Li
Cache set sysfs entry io_error_halflife is used to set c->error_decay.
c->error_decay is in type unsigned int, and it is converted by
strtoul_or_return(), therefore overflow to c->error_decay is possible
for a large input value.
This patch fixes the overflow by using strtoul_safe_clamp() to convert
input string to an unsigned long value in range [0, UINT_MAX], then
divides by 88 and set it to c->error_decay.
Signed-off-by: Coly Li <colyli@suse.de>
---
drivers/md/bcache/sysfs.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
index c9888c45cb03..c0e2dcc94668 100644
--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -792,8 +792,14 @@ STORE(__bch_cache_set)
sysfs_strtoul_clamp(io_error_limit, c->error_limit, 0, UINT_MAX);
/* See count_io_errors() for why 88 */
- if (attr == &sysfs_io_error_halflife)
- c->error_decay = strtoul_or_return(buf) / 88;
+ if (attr == &sysfs_io_error_halflife) {
+ long v;
+
+ v = strtoul_safe_clamp(buf, v, 0, UINT_MAX);
+ if (v < 0)
+ return v;
+ c->error_decay = v / 88;
+ }
if (attr == &sysfs_io_disable) {
v = strtoul_or_return(buf);
--
2.16.4
^ permalink raw reply related [flat|nested] 12+ messages in thread