summaryrefslogtreecommitdiffstats
path: root/drivers/scsi/scsi_transport_fc.c
diff options
context:
space:
mode:
authorHannes Reinecke <hare@suse.de>2010-03-09 10:18:48 +0100
committerJames Bottomley <James.Bottomley@suse.de>2010-04-11 09:23:27 -0500
commit36dd288f0f930c154ec6a4d73a6a35f3079418c6 (patch)
tree63fb1e1ec6716561051a2da94479904ffaeac016 /drivers/scsi/scsi_transport_fc.c
parentbb789d01620e5d36081b22edb6fb71cf55ff043c (diff)
downloadlinux-36dd288f0f930c154ec6a4d73a6a35f3079418c6.tar.gz
linux-36dd288f0f930c154ec6a4d73a6a35f3079418c6.tar.bz2
linux-36dd288f0f930c154ec6a4d73a6a35f3079418c6.zip
[SCSI] scsi_transport_fc: Protect against overflow in dev_loss_tmo
The rport structure defines dev_loss_tmo as u32, which is later multiplied with HZ to get the actual timeout value. This might overflow for large dev_loss_tmo values. So we should be better using u64 as intermediate variables here to protect against overflow. Signed-off-by: Hannes Reinecke <hare@suse.de> Acked-by: James Smart <james.smart@emulex.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Diffstat (limited to 'drivers/scsi/scsi_transport_fc.c')
-rw-r--r--drivers/scsi/scsi_transport_fc.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
index 6cfffc88022a..55fe730a8606 100644
--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -834,7 +834,7 @@ static ssize_t
store_fc_rport_dev_loss_tmo(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
- int val;
+ unsigned long val;
struct fc_rport *rport = transport_class_to_rport(dev);
struct Scsi_Host *shost = rport_to_shost(rport);
struct fc_internal *i = to_fc_internal(shost->transportt);
@@ -848,6 +848,12 @@ store_fc_rport_dev_loss_tmo(struct device *dev, struct device_attribute *attr,
return -EINVAL;
/*
+ * Check for overflow; dev_loss_tmo is u32
+ */
+ if (val > UINT_MAX)
+ return -EINVAL;
+
+ /*
* If fast_io_fail is off we have to cap
* dev_loss_tmo at SCSI_DEVICE_BLOCK_MAX_TIMEOUT
*/
@@ -2865,7 +2871,7 @@ void
fc_remote_port_delete(struct fc_rport *rport)
{
struct Scsi_Host *shost = rport_to_shost(rport);
- int timeout = rport->dev_loss_tmo;
+ unsigned long timeout = rport->dev_loss_tmo;
unsigned long flags;
/*