Re: [syzbot] WARNING in __i2c_transfer (2)

[Pavel Skripkin]

On 11/15/21 15:19, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    c8c109546a19 Merge tag 'zstd-for-linus-v5.16' of git://git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a5bb32b00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a262045c4c15a9e0
> dashboard link: https://syzkaller.appspot.com/bug?extid=e417648b303855b91d8a
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e417648b303855b91d8a@xxxxxxxxxxxxxxxxxxxxxxxxx

#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


With regards,
Pavel Skripkindiff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index bce0e8bb7852..3b54efa4b1ec 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -535,7 +535,7 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
 				   sizeof(rdwr_arg)))
 			return -EFAULT;
 
-		if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+		if (!rdwr_arg.nmsgs || rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
 			return -EINVAL;
 
 		rdwr_pa = kmalloc_array(rdwr_arg.nmsgs, sizeof(struct i2c_msg),