md/raid10: fix overflow of md/safe_mode_delay (283f4a63) · Commits · e / devices / android_kernel_fairphone_FP5

[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] There is no input check when echo md/safe_mode_delay in safe_delay_store(). And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by checking overflow in safe_delay_store() and use unsigned long conversion in safe_delay_show(). Fixes: ("md: factor out parsing of fixed-point numbers") Signed-off-by:

Li Nan <linan122@huawei.com> Signed-off-by:

Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com Signed-off-by:

Sasha Levin <sashal@kernel.org>

drivers/md/md.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -3766,8 +3766,9 @@ int strict_strtoul_scaled(const char cp, unsigned long res, int scale)
		static ssize_t
		safe_delay_show(struct mddev mddev, char page)
		{
		int msec = (mddev->safemode_delay*1000)/HZ;
		return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
		unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;

		return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
		}
		static ssize_t
		safe_delay_store(struct mddev mddev, const char cbuf, size_t len)
		@@ -3779,7 +3780,7 @@ safe_delay_store(struct mddev mddev, const char cbuf, size_t len)
		return -EINVAL;
		}

		if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
		if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 \|\| msec > UINT_MAX / HZ)
		return -EINVAL;
		if (msec == 0)
		mddev->safemode_delay = 0;