md: avoid signed overflow in slot_store()

[ Upstream commit 3bc57292278a0b6ac4656cad94c14f2453344b57 ] slot_store() uses kstrtouint() to get a slot number, but stores the result in an "int" variable (by casting a pointer). This can result in a negative slot number if the unsigned int value is very large. A negative number means that the slot is empty, but setting a negative slot number this way will not remove the device from the array. I don't think this is a serious problem, but it could cause confusion and it is best to fix it. Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Song Liu <song@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: NeilBrown <neilb@suse.de> 2023-03-06 01:36:25 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-04-06 13:10:39 +0300
commit: df0833da4bfac69739b849b3dff4838e590542e5 (patch)
tree: da8b54f03ae1619ddfcaef9225eec17271b98fdf
parent: 50f6507aadf81b1bef255ab7e794b8e4758ebb70 (diff)
download: linux-df0833da4bfac69739b849b3dff4838e590542e5.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0368b3c51c7f..d5c362b1602b 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3152,6 +3152,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
 		err = kstrtouint(buf, 10, (unsigned int *)&slot);
 		if (err < 0)
 			return err;
+		if (slot < 0)
+			/* overflow */
+			return -ENOSPC;
 	}
 	if (rdev->mddev->pers && slot == -1) {
 		/* Setting 'slot' on an active array requires also
author	NeilBrown <neilb@suse.de>	2023-03-06 01:36:25 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-04-06 13:10:39 +0300
commit	df0833da4bfac69739b849b3dff4838e590542e5 (patch)
tree	da8b54f03ae1619ddfcaef9225eec17271b98fdf
parent	50f6507aadf81b1bef255ab7e794b8e4758ebb70 (diff)
download	linux-df0833da4bfac69739b849b3dff4838e590542e5.tar.xz