From ce72f6c96385524059215fcbe383f0f436b8871f Mon Sep 17 00:00:00 2001 From: Sergey Shtylyov Date: Thu, 3 Jul 2025 23:38:33 +0300 Subject: [PATCH] firmware_loader: prevent integer overflow in firmware_loading_timeout() In firmware_loading_timeout(), *int* result of __firmware_loading_timeout() multiplied by HZ might overflow before being implicitly cast to *long* when being returned. Rewrite the function using check_mul_overflow() and capping the result at LONG_MAX on actual overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov Cc: stable@vger.kernel.org Reviewed-by: Luis Chamberlain --- drivers/base/firmware_loader/fallback.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c index 3ef0b312ae7190..1c710b2b4cd88c 100644 --- a/drivers/base/firmware_loader/fallback.c +++ b/drivers/base/firmware_loader/fallback.c @@ -35,8 +35,13 @@ void fw_fallback_set_default_timeout(void) static long firmware_loading_timeout(void) { - return __firmware_loading_timeout() > 0 ? - __firmware_loading_timeout() * HZ : MAX_JIFFY_OFFSET; + long timeout; + + if (__firmware_loading_timeout() <= 0) + return MAX_JIFFY_OFFSET; + if (check_mul_overflow(__firmware_loading_timeout(), HZ, &timeout)) + return LONG_MAX; + return timeout; } static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv, long timeout)