From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 14 Jun 2026 17:33:20 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc09650fa7f77932239c2fa7364474a187dc8bc3;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
---

diff --git a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
new file mode 100644
index 0000000000..68aec3e7a4
--- /dev/null
+++ b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
@@ -0,0 +1,60 @@
+From 617eb7c0961a8dfcfc811844a6396e406b2923ea Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-dev.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *fi
+ 		client->adapter->retries = arg;
+ 		break;
+ 	case I2C_TIMEOUT:
+-		if (arg > INT_MAX)
++		/*
++		 * For historical reasons, user-space sets the timeout value in
++		 * units of 10 ms.
++		 */
++		if (arg > INT_MAX / 10)
+ 			return -EINVAL;
+ 
+-		/* For historical reasons, user-space sets the timeout
+-		 * value in units of 10 ms.
+-		 */
+ 		client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ 		break;
+ 	default:
diff --git a/queue-5.10/series b/queue-5.10/series
index 009d4e8bc6..077869718a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -127,3 +127,4 @@ hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
 usb-serial-mct_u232-fix-memory-corruption-with-small.patch
 compiler-clang.h-add-__diag-infrastructure-for-clang.patch
 disable-wattribute-alias-for-clang-23-and-newer.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch