From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E8AA3A3E78; Tue, 16 Jun 2026 17:34:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781631299; cv=none; b=YHKbH86+dmHqlY9c16TnDFNBQjPhU16yCo/mabyHiIriGB6wIEV1L2EgH3vDEsREOvveYRbP8ZQOlM2PllroDQdds3XAmppktH4NVJ5nyLRrj4ClH4XZUXTwvRdOcWWnym7F/94LZs6imR/FHonMwggo3wSywXXi4qvgnsjOEv0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781631299; c=relaxed/simple; bh=nhug6SHQ199U+MNnLUqpQ92i1Ztek0ynBZ8ucEAkB1c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EjF7SDaCY5FgWfCxR5GPN5/RFGAwtX3FYh+a3Ptgp51akPGWG70ing/SDsi/wajHsv5+ofljSGW4DRrTU9/oSrOQ+0o9oqEkqCFfaRkGNqSSjW66kED56fMKmiaHEtJzOCcXn7k1BmdWfJESbT7KJQHAabpiUGq+EBDmhWBE+SA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=QjpMd6Qg; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="QjpMd6Qg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5D2A31F000E9; Tue, 16 Jun 2026 17:34:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1781631298; bh=ESzwgtSPIgZLuyTYK5sWkB5IK7eyMgsA7s0Zz9fXb2Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=QjpMd6QgFLqtLosHirO01SdYiCR97CEqff+OeqkhNBaTGIOVqxeIipV6hRKDl0L8R ejHX1xiNE5HX66D1CPaIEIgjCcw1n88alWOrUlAs4VBgbxLA9/J937LoFILT6/M5gT 0b4UeW3RC57vVgg2emfgKDjOdfz5c9Fb26WZ110c= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mingyu Wang <25181214217@stu.xidian.edu.cn>, Wolfram Sang Subject: [PATCH 6.1 194/522] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Date: Tue, 16 Jun 2026 20:25:41 +0530 Message-ID: <20260616145135.176792006@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260616145125.307082728@linuxfoundation.org> References: <20260616145125.307082728@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mingyu Wang <25181214217@stu.xidian.edu.cn> commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream. While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> [wsa: move the comment as well] Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman --- drivers/i2c/i2c-dev.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *fi client->adapter->retries = arg; break; case I2C_TIMEOUT: - if (arg > INT_MAX) + /* + * For historical reasons, user-space sets the timeout value in + * units of 10 ms. + */ + if (arg > INT_MAX / 10) return -EINVAL; - /* For historical reasons, user-space sets the timeout - * value in units of 10 ms. - */ client->adapter->timeout = msecs_to_jiffies(arg * 10); break; default: