[PATCH] firmware_loader: prevent integer overflow in firmware_loading_timeout()

[Sergey Shtylyov]

In firmware_loading_timeout(), *int* result of __firmware_loading_timeout()
multiplied by HZ might overflow before being implicitly cast to *long* when
being returned. Rewrite the function using check_mul_overflow() and capping
the result at LONG_MAX on actual overflow...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
Cc: stable@xxxxxxxxxxxxxxx

---
The patch is against the commit 78f4e737a53e1163ded2687a922fce138aee73f5 in
Linus Torvalds' linux.git repo -- that's the most recent commit I could get
(git {fetch,pull} from git.kernel stopped working for me first with git://
and then with https:// protocol)...

 drivers/base/firmware_loader/fallback.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: linux/drivers/base/firmware_loader/fallback.c
===================================================================
--- linux.orig/drivers/base/firmware_loader/fallback.c
+++ linux/drivers/base/firmware_loader/fallback.c
@@ -35,8 +35,13 @@ void fw_fallback_set_default_timeout(voi
 
 static long firmware_loading_timeout(void)
 {
-	return __firmware_loading_timeout() > 0 ?
-		__firmware_loading_timeout() * HZ : MAX_JIFFY_OFFSET;
+	long timeout;
+
+	if (__firmware_loading_timeout() <= 0)
+		return MAX_JIFFY_OFFSET;
+	if (check_mul_overflow(__firmware_loading_timeout(), HZ, &timeout))
+		return LONG_MAX;
+	return timeout;
 }
 
 static inline int fw_sysfs_wait_timeout(struct fw_priv *fw_priv,  long timeout)