From: Jann Horn
Date: Mon, 23 Feb 2026 20:59:33 +0100
Subject: [PATCH] eventpoll: Fix integer overflow in ep_loop_check_proc()
Message-Id: <20260223-epoll-int-overflow-v1-1-452f35132224@google.com>
To: Alexander Viro, Christian Brauner, Jan Kara, Jann Horn
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Guenter Roeck, stable@vger.kernel.org
X-Mailer: b4 0.15-dev

If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.

Fix it by using a different placeholder value that can't lead to an
overflow.

Reported-by: Guenter Roeck
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
---
Gah, I introduced such an obvious integer overflow when I touched this
code the last time...

No "Closes:" link because the bug was not reported publicly.
---
 fs/eventpoll.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index a8c278c50083..5714e900567c 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2061,7 +2061,8 @@ static int ep_poll(struct eventpoll *ep, struct epoll= _event __user *events, * @ep: the &struct eventpoll to be currently checked. * @depth: Current depth of the path being checked. * - * Return: depth of the subtree, or INT_MAX if we found a loop or went too= deep. + * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we= found + * a loop or went too deep. */ static int ep_loop_check_proc(struct eventpoll *ep, int depth) { @@ -2080,7 +2081,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, i= nt depth) struct eventpoll *ep_tovisit; ep_tovisit =3D epi->ffd.file->private_data; if (ep_tovisit =3D=3D inserting_into || depth > EP_MAX_NESTS) - result =3D INT_MAX; + result =3D EP_MAX_NESTS+1; else result =3D max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1); if (result > EP_MAX_NESTS) --- base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f change-id: 20260223-epoll-int-overflow-3a04bf73eca6 -- =20 Jann Horn
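Review bot: In the second hunk, `result = EP_MAX_NESTS+1;` is missing the spaces around `+` that checkpatch asks for; `result = EP_MAX_NESTS + 1;` matches the surrounding style. A short comment at that line would also help the next reader: the value is safe because recursion is already cut off at `depth > EP_MAX_NESTS` and each caller adds only 1 per level, so the returned value stays within a small multiple of EP_MAX_NESTS and the `+ 1` in the caller can no longer wrap. The updated kerneldoc in the first hunk says the result is "bigger than EP_MAX_NESTS" but not why that bound makes the overflow impossible.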
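As an added illustration (not code from the patch or the kernel), a small C model of the visible ep_loop_check_proc() logic with the "loop or too deep" sentinel as a parameter, so the pre-fix INT_MAX and the post-fix EP_MAX_NESTS + 1 can be run side by side on a constructed nesting chain. EP_MAX_NESTS is assumed to be 4 here, the epoll graph is an array model, and the visited-marking and locking of the real function are left out.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>
/* Constructed model, not kernel code: EP_MAX_NESTS is assumed small; node i is
 * an epoll instance and nested[i][0..n_nested[i]) the epoll instances in it. */
#define EP_MAX_NESTS 4
#define MAX_NODES 8
static int nested[MAX_NODES][MAX_NODES], n_nested[MAX_NODES], inserting_into;
static bool last_overflowed; /* set when a "+ 1" would wrap past INT_MAX */

/* Model of ep_loop_check_proc() with the "loop or too deep" sentinel as a
 * parameter, so INT_MAX (pre-fix) and EP_MAX_NESTS + 1 (post-fix) compare. The
 * kernel's plain "+ 1" is checked with __builtin_add_overflow (GCC/Clang). */
static int check_proc(int ep, int depth, int sentinel)
{
	int result = 0;
	for (int k = 0; k < n_nested[ep]; k++) {
		int ep_tovisit = nested[ep][k], plus1;
		if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS) {
			result = sentinel;
		} else {
			if (__builtin_add_overflow(check_proc(ep_tovisit, depth + 1,
							      sentinel), 1, &plus1)) {
				last_overflowed = true;
				plus1 = INT_MIN; /* what a two's-complement wrap yields */
			}
			result = result > plus1 ? result : plus1;
		}
		if (result > EP_MAX_NESTS)
			break;
	}
	return result;
}

/* True when adding epoll `to` into epoll `ep` must be rejected. */
static bool loop_check_rejects(int ep, int to, int sentinel)
{
	inserting_into = ep;
	last_overflowed = false;
	return check_proc(to, 0, sentinel) > EP_MAX_NESTS;
}

/* Chain 1 -> 2 -> ... -> len (each nesting the next), then try adding 1 into 0. */
static bool chain_rejected(int len, int sentinel)
{
	memset(n_nested, 0, sizeof(n_nested));
	for (int i = 1; i < len; i++)
		nested[i][n_nested[i]++] = i + 1;
	return loop_check_rejects(0, 1, sentinel);
}
```

With INT_MAX the caller's "+ 1" on the sentinel wraps and a chain of 7 nested instances is accepted even though it exceeds EP_MAX_NESTS; with EP_MAX_NESTS + 1 the result stays small and the same chain is rejected.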