Commit 36dd288f0f930c154ec6a4d73a6a35f3079418c6
Committed by
James Bottomley
James Bottomley
1 parent
bb789d0162
Exists in
master
and in
7 other branches
[SCSI] scsi_transport_fc: Protect against overflow in dev_loss_tmo
The rport structure defines dev_loss_tmo as u32, which is later multiplied with HZ to get the actual timeout value. This might overflow for large dev_loss_tmo values. So we should be better using u64 as intermediate variables here to protect against overflow. Signed-off-by: Hannes Reinecke <hare@suse.de> Acked-by: James Smart <james.smart@emulex.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Showing 1 changed file with 8 additions and 2 deletions Side-by-side Diff
drivers/scsi/scsi_transport_fc.c
| ... | ... | @@ -834,7 +834,7 @@ |
| 834 | 834 | store_fc_rport_dev_loss_tmo(struct device *dev, struct device_attribute *attr, |
| 835 | 835 | const char *buf, size_t count) |
| 836 | 836 | { |
| 837 | - int val; | |
| 837 | + unsigned long val; | |
| 838 | 838 | struct fc_rport *rport = transport_class_to_rport(dev); |
| 839 | 839 | struct Scsi_Host *shost = rport_to_shost(rport); |
| 840 | 840 | struct fc_internal *i = to_fc_internal(shost->transportt); |
| ... | ... | @@ -848,6 +848,12 @@ |
| 848 | 848 | return -EINVAL; |
| 849 | 849 | |
| 850 | 850 | /* |
| 851 | + * Check for overflow; dev_loss_tmo is u32 | |
| 852 | + */ | |
| 853 | + if (val > UINT_MAX) | |
| 854 | + return -EINVAL; | |
| 855 | + | |
| 856 | + /* | |
| 851 | 857 | * If fast_io_fail is off we have to cap |
| 852 | 858 | * dev_loss_tmo at SCSI_DEVICE_BLOCK_MAX_TIMEOUT |
| 853 | 859 | */ |
| ... | ... | @@ -2865,7 +2871,7 @@ |
| 2865 | 2871 | fc_remote_port_delete(struct fc_rport *rport) |
| 2866 | 2872 | { |
| 2867 | 2873 | struct Scsi_Host *shost = rport_to_shost(rport); |
| 2868 | - int timeout = rport->dev_loss_tmo; | |
| 2874 | + unsigned long timeout = rport->dev_loss_tmo; | |
| 2869 | 2875 | unsigned long flags; |
| 2870 | 2876 | |
| 2871 | 2877 | /* |