5.10-stable patches

added patches:
	i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch

diff --git a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
new file mode 100644 (file)
index 0000000..68aec3e
--- /dev/null
+++ b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
@@ -0,0 +1,60 @@
+From 617eb7c0961a8dfcfc811844a6396e406b2923ea Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-dev.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *fi
+               client->adapter->retries = arg;
+               break;
+       case I2C_TIMEOUT:
+-              if (arg > INT_MAX)
++              /*
++               * For historical reasons, user-space sets the timeout value in
++               * units of 10 ms.
++               */
++              if (arg > INT_MAX / 10)
+                       return -EINVAL;
+ 
+-              /* For historical reasons, user-space sets the timeout
+-               * value in units of 10 ms.
+-               */
+               client->adapter->timeout = msecs_to_jiffies(arg * 10);
+               break;
+       default:

diff --git a/queue-5.10/series b/queue-5.10/series
index 009d4e8bc6c43f105b7eaed0d4b922f9b7053edc..077869718ad9689039f3a34b3bea3bbd333e508f 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -127,3 +127,4 @@ hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
 usb-serial-mct_u232-fix-memory-corruption-with-small.patch
 compiler-clang.h-add-__diag-infrastructure-for-clang.patch
 disable-wattribute-alias-for-clang-23-and-newer.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch