| Message ID | 20250301111053.2661-1-v.shevtsov@mt-integration.ru |
|---|---|
| State | New |
| Headers | show |
| Series | media: cec: avoid wraparound in timer interval calculation | expand |
diff --git a/drivers/media/cec/core/cec-pin.c b/drivers/media/cec/core/cec-pin.c index a70451d99ebc..f15ed5c67a65 100644 --- a/drivers/media/cec/core/cec-pin.c +++ b/drivers/media/cec/core/cec-pin.c @@ -1021,7 +1021,7 @@ static enum hrtimer_restart cec_pin_timer(struct hrtimer *timer) pin->wait_usecs = 0; pin->timer_ts = ktime_add_us(ts, usecs); hrtimer_forward_now(timer, - ns_to_ktime(usecs * 1000)); + ns_to_ktime((u64)usecs * 1000)); return HRTIMER_RESTART; } pin->wait_usecs = usecs - 100;
[Why] The timer function code may have an integer wraparound issue. Since both pin->tx_custom_low_usecs and pin->tx_custom_high_usecs can be set to up to 9999999 from the user space via cec_pin_error_inj_parse_line(), this may cause usecs to be overflowed when adap->monitor_pin_cnt is zero and usecs is multiplied by 1000. [How] Fix this by casting usecs to u64 when it is being converted from microseconds to nanoseconds. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: 865463fc03ed ("media: cec-pin: add error injection support") Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru> --- drivers/media/cec/core/cec-pin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)