kernel/linux.git/drivers/i2c/i2c-dev.c, branch v6.18.36

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

2026-06-19T11:43:50+00:00

commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream. While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> [wsa: move the comment as well] Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman

i2c: dev: Fix memory leak when underlying adapter does not support I2C

2024-11-14T10:22:57+00:00

Early return in i2cdev_ioctl_rdwr() failed to free the memory allocated by the caller. Move freeing the memory to the function where it has been allocated to prevent similar leaks in the future. Fixes: 97ca843f6ad3 ("i2c: dev: Check for I2C_FUNC_I2C before calling i2c_transfer") Signed-off-by: Igor Pylypiv [wsa: replaced '== NULL' with '!'] Signed-off-by: Wolfram Sang

[tree-wide] finally take no_llseek out

2024-09-27T15:18:43+00:00

no_llseek had been defined to NULL two years ago, in commit 868941b14441 ("fs: remove no_llseek") To quote that commit, At -rc1 we'll need do a mechanical removal of no_llseek - git grep -l -w no_llseek | grep -v porting.rst | while read i; do sed -i '/\/d' $i done would do it. Unfortunately, that hadn't been done. Linus, could you do that now, so that we could finally put that thing to rest? All instances are of the form .llseek = no_llseek, so it's obviously safe. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds

i2c: dev: Check for I2C_FUNC_I2C before calling i2c_transfer

2024-06-26T10:45:25+00:00

It is good practice to check that the underlying adapter supports I2C transfers before attempting them. The i2c core would eventually return an error, but it's more efficient to fail early. Signed-off-by: Jean Delvare Reviewed-by: Andi Shyti Signed-off-by: Wolfram Sang

i2c: dev: copy userspace array safely

2023-11-08T09:26:27+00:00

i2c-dev.c utilizes memdup_user() to copy a userspace array. This is done without an overflow check. Use the new wrapper memdup_array_user() to copy the array more safely. Suggested-by: Dave Airlie Signed-off-by: Philipp Stanner Signed-off-by: Wolfram Sang

i2c: dev: make i2c_dev_class a static const structure

2023-09-19T20:09:58+00:00

Now that the driver core allows for struct class to be in read-only memory, move the i2c_dev_class structure to be declared at build time placing it into read-only memory, instead of having to be dynamically allocated at boot time. Suggested-by: Greg Kroah-Hartman Signed-off-by: Ivan Orlov Signed-off-by: Wolfram Sang

Merge 6.3-rc5 into driver-core-next

2023-04-03T07:33:30+00:00

We need the fixes in here for testing, as well as the driver core changes for documentation updates to build on. Signed-off-by: Greg Kroah-Hartman

driver core: class: remove module * from class_create()

2023-03-17T14:16:33+00:00

The module pointer in class_create() never actually did anything, and it shouldn't have been requred to be set as a parameter even if it did something. So just remove it and fix up all callers of the function in the kernel tree at the same time. Cc: "Rafael J. Wysocki" Acked-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20230313181843.1207845-4-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman

i2c: dev: Fix bus callback return values

2023-03-09T21:07:52+00:00

The i2cdev_{at,de}tach_adapter() callbacks are used for two purposes: 1. As notifier callbacks, when (un)registering I2C adapters created or destroyed after i2c_dev_init(), 2. As bus iterator callbacks, for registering already existing adapters from i2c_dev_init(), and for cleanup. Unfortunately both use cases expect different return values: the former expects NOTIFY_* return codes, while the latter expects zero or error codes, and aborts in case of error. Hence in case 2, as soon as i2cdev_{at,de}tach_adapter() returns (non-zero) NOTIFY_OK, the bus iterator aborts. This causes (a) only the first already existing adapter to be registered, leading to missing /dev/i2c-* entries, and (b) a failure to unregister all but the first I2C adapter during cleanup. Fix this by introducing separate callbacks for the bus iterator, wrapping the notifier functions, and always returning succes. Any errors inside these callback functions are unlikely to happen, and are fatal anyway. Fixes: cddf70d0bce71c2a ("i2c: dev: fix notifier return values") Signed-off-by: Geert Uytterhoeven Reviewed-by: Bartosz Golaszewski Signed-off-by: Wolfram Sang

i2c: dev: fix notifier return values

2023-01-17T10:02:21+00:00

We have a set of return values that notifier callbacks can return. They should not return 0, error codes or anything other than those predefined values. Make the i2c character device's callback return NOTIFY_DONE or NOTIFY_OK depending on the situation. Signed-off-by: Bartosz Golaszewski Signed-off-by: Wolfram Sang