Use opt->max-1 in bch2_opt_validate when the option type is BCH_OPT_STR. When the option type is BCH_OPT_STR, the real option's max is one less than the max value stored in the option structure.
Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=bee87a0c3291c06aa8c6 Fixes: 63c4b2545382 ("bcachefs: Better superblock opt validation") Signed-off-by: Piotr Zalewski <[email protected]> --- fs/bcachefs/opts.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/bcachefs/opts.c b/fs/bcachefs/opts.c index 83f55cf99d46..bffcbe6a6fd0 100644 --- a/fs/bcachefs/opts.c +++ b/fs/bcachefs/opts.c @@ -290,6 +290,8 @@ static int bch2_mount_opt_lookup(const char *name) int bch2_opt_validate(const struct bch_option *opt, u64 v, struct printbuf *err) { + const u64 opt_max = opt->type == BCH_OPT_STR ? opt->max - 1 : opt->max; + if (v < opt->min) { if (err) prt_printf(err, "%s: too small (min %llu)", @@ -297,10 +299,10 @@ int bch2_opt_validate(const struct bch_option *opt, u64 v, struct printbuf *err) return -BCH_ERR_ERANGE_option_too_small; } - if (opt->max && v >= opt->max) { + if (opt->max && v >= opt_max) { if (err) prt_printf(err, "%s: too big (max %llu)", - opt->attr.name, opt->max); + opt->attr.name, opt_max); return -BCH_ERR_ERANGE_option_too_big; } -- 2.47.0
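Review bot: the opt_max declaration added at the top of bch2_opt_validate() special-cases BCH_OPT_STR without a comment saying why the stored max is one larger than the real limit for that type. The commit message explains it, but the code does not. Add a one-line comment above the declaration, or consider correcting the value where max is set for string options so the validator needs no per-type adjustment.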
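Review bot: in the second hunk the range check is "v >= opt_max" while the error text prints opt_max as "max %llu", so the value reported as the maximum is itself rejected. Print opt_max - 1, or reword the message to say the value must be below opt_max. The guard also still tests opt->max while the comparison uses opt_max: a BCH_OPT_STR option whose stored max is 1 gets opt_max 0, and every value, including 0, then fails as "too big". Confirm that case cannot occur, or guard on opt_max instead.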
