[PATCH] reboot: keep parsed reboot CPU in range

Next message: Ian Bridges: "Re: [PATCH] fbdev: fix use-after-free of fb_display[i].mode in store_modes()"
Previous message: Haoxiang Li: "[PATCH] scsi_sysfs: Fix runtime PM usage count leak on device add failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bradley Morgan

Date: Mon Jun 22 2026 - 11:43:17 EST

reboot=s... parses the CPU number with simple_strtoul(), but stores
it in an int before checking it against num_possible_cpus(). Very
large values can wrap negative and bypass the range check, leaving
reboot_cpu invalid for migrate_to_reboot_cpu().

Keep the parsed value unsigned until after the range check.

Fixes: f9a90501faac ("reboot: refactor and comment the cpu selection code")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Bradley Morgan <include@xxxxxxxxx>
---
kernel/reboot.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/kernel/reboot.c b/kernel/reboot.c
index 695c33e75efd..a1ad6047b14a 100644
--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -1134,12 +1134,11 @@ static int __init reboot_setup(char *str)
str += str[1] == 'm' && str[2] == 'p' ? 3 : 1;

if (isdigit(str[0])) {
- int cpu = simple_strtoul(str, NULL, 0);
+ unsigned long cpu = simple_strtoul(str, NULL, 0);

if (cpu >= num_possible_cpus()) {
- pr_err("Ignoring the CPU number in reboot= option. "
- "CPU %d exceeds possible cpu number %d\n",
- cpu, num_possible_cpus());
+ pr_err("Ignoring the CPU number in reboot= option. CPU %lu exceeds possible cpu number %u\n",
+ cpu, num_possible_cpus());
break;
}
reboot_cpu = cpu;
--
2.53.0