firmware_loader: prevent integer overflow in firmware_loading_timeout()

Sergey Shtylyov · mcgrof · commit ff179672569f · 2025-07-23T16:07:15.000-07:00
In firmware_loading_timeout(), *int* result of __firmware_loading_timeout()
multiplied by HZ might overflow before being implicitly cast to *long* when
being returned. Rewrite the function using check_mul_overflow() and capping
the result at LONG_MAX on actual overflow...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov &lt;s.shtylyov@omp.ru&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Luis Chamberlain &lt;mcgrof@kernel.org&gt;
diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c
@@ -35,8 +35,13 @@ void fw_fallback_set_default_timeout(void)
 
 static long firmware_loading_timeout(void)
 {
-	return __firmware_loading_timeout() > 0 ?
-		__firmware_loading_timeout() * HZ : MAX_JIFFY_OFFSET;
+	long timeout;
+
+	if (__firmware_loading_timeout() <= 0)
+		return MAX_JIFFY_OFFSET;
+	if (check_mul_overflow(__firmware_loading_timeout(), HZ, &timeout))
+		return LONG_MAX;
+	return timeout;
 }
 
 static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv,  long timeout)

Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,13 @@ void fw_fallback_set_default_timeout(void)`
`35`	`35`
`36`	`36`	`static long firmware_loading_timeout(void)`
`37`	`37`	`{`
`38`		`- return __firmware_loading_timeout() > 0 ?`
`39`		`- __firmware_loading_timeout() * HZ : MAX_JIFFY_OFFSET;`
	`38`	`+ long timeout;`
	`39`	`+`
	`40`	`+ if (__firmware_loading_timeout() <= 0)`
	`41`	`+ return MAX_JIFFY_OFFSET;`
	`42`	`+ if (check_mul_overflow(__firmware_loading_timeout(), HZ, &timeout))`
	`43`	`+ return LONG_MAX;`
	`44`	`+ return timeout;`
`40`	`45`	`}`
`41`	`46`
`42`	`47`	`static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv, long timeout)`