From 2eb0a1e08ebad5be00433093449abf025450ca6d Mon Sep 17 00:00:00 2001 From: Ian Kent Date: Wed, 17 Jun 2026 12:08:43 +0800 Subject: [PATCH] eventpoll: Fix integer overflow in ep_loop_check_proc() JIRA: https://redhat.atlassian.net/browse/RHEL-180777 Upstream status: Linus commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b Author: Jann Horn Date: Mon Feb 23 20:59:33 2026 +0100 eventpoll: Fix integer overflow in ep_loop_check_proc() If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`, an integer overflow will occur in the calling ep_loop_check_proc() at `result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`, breaking the recursion depth check. Fix it by using a different placeholder value that can't lead to an overflow. Reported-by: Guenter Roeck Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com Signed-off-by: Christian Brauner Signed-off-by: Ian Kent diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 5228ff9c8742..cb21dfe9ee0a 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2130,7 +2130,8 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, * @ep: the &struct eventpoll to be currently checked. * @depth: Current depth of the path being checked. * - * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep. + * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found + * a loop or went too deep. */ static int ep_loop_check_proc(struct eventpoll *ep, int depth) { @@ -2149,7 +2150,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth) struct eventpoll *ep_tovisit; ep_tovisit = epi->ffd.file->private_data; if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS) - result = INT_MAX; + result = EP_MAX_NESTS+1; else result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1); if (result > EP_MAX_NESTS) -- 2.50.1 (Apple Git-155)