• Coly Li's avatar
    bcache: fix overflow in offset_to_stripe() · 7a148126
    Coly Li authored
    offset_to_stripe() returns the stripe number (in type unsigned int) from
    an offset (in type uint64_t) by the following calculation,
    	do_div(offset, d->stripe_size);
    For large capacity backing device (e.g. 18TB) with small stripe size
    (e.g. 4KB), the result is 4831838208 and exceeds UINT_MAX. The actual
    returned value which caller receives is 536870912, due to the overflow.
    
    Indeed in bcache_device_init(), bcache_device->nr_stripes is limited in
    range [1, INT_MAX]. Therefore all valid stripe numbers in bcache are
    in range [0, bcache_dev->nr_stripes - 1].
    
    This patch adds a upper limition check in offset_to_stripe(): the max
    valid stripe number should be less than bcache_device->nr_stripes. If
    the calculated stripe number from do_div() is equal to or larger than
    bcache_device->nr_stripe, -EINVAL will be returned. (Normally nr_stripes
    is less than INT_MAX, exceeding upper limitation doesn't mean overflow,
    therefore -EOVERFLOW is not used as error code.)
    
    This patch also changes nr_stripes' type of struct bcache_device from
    'unsigned int' to 'int', and return value type of offset_to_stripe()
    from 'unsigned int' to 'int', to match their exact data ranges.
    
    All locations where bcache_device->nr_stripes and offset_to_stripe() are
    referenced also get updated for the above type change.
    Reported-and-tested-by: default avatarKen Raeburn <raeburn@redhat.com>
    Signed-off-by: default avatarColy Li <colyli@suse.de>
    Cc: stable@vger.kernel.org
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
    7a148126
writeback.c 25.8 KB