Commit 617eb7c0 authored Apr 27, 2026 by Mingyu Wang Committed by Wolfram Sang May 04, 2026

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl



While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
[wsa: move the comment as well]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>

parent 9998e388

drivers/i2c/i2c-dev.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
		client->adapter->retries = arg;
		break;
		case I2C_TIMEOUT:
		if (arg > INT_MAX)
		/*
		* For historical reasons, user-space sets the timeout value in
		* units of 10 ms.
		*/
		if (arg > INT_MAX / 10)
		return -EINVAL;

		/* For historical reasons, user-space sets the timeout
		* value in units of 10 ms.
		*/
		client->adapter->timeout = msecs_to_jiffies(arg * 10);
		break;
		default: