From: sashiko-bot@kernel.org
To: "Krzysztof Wilczyński" <kwilczynski@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v8 22/25] PCI/sysfs: Add legacy I/O and memory attribute macros
Date: Fri, 19 Jun 2026 09:18:35 +0000
Message-ID: <20260619091836.0883F1F000E9@smtp.kernel.org>
In-Reply-To: <20260619085200.3729431-23-kwilczynski@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] An out-of-bounds heap read occurs in `pci_write_legacy_io` when a user writes 1 or 2 bytes to the `legacy_io` sysfs file.
--

commit 9cf38c5cdfc69788fc6aaf6dcdc29d5b5da5960b
Author: Krzysztof Wilczyński <kwilczynski@kernel.org>

PCI/sysfs: Add legacy I/O and memory attribute macros

Add two macros for declaring static binary attributes for PCI legacy
I/O port and ISA memory space files.

> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index a861484ac0c08..7f1d8e07924f5 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -893,6 +893,27 @@ pci_llseek_resource_legacy(struct file *filep,
>  }
>  
>  #ifdef HAVE_PCI_LEGACY
> +
> +#define pci_legacy_resource_io_attr(_suffix, _size)				\
> +static const struct bin_attribute pci_legacy_io##_suffix##_attr = {		\
> +	.attr = { .name = "legacy_io" __stringify(_suffix), .mode = 0600 },	\
> +	.size = (_size),							\
> +	.read = pci_read_legacy_io,						\
> +	.write = pci_write_legacy_io,						\

[Severity: High]
This isn't a bug introduced by this patch, but can the use of
pci_write_legacy_io() here trigger an out-of-bounds heap read?

When a user writes 1 or 2 bytes to a legacy_io sysfs file,
kernfs_fop_write_iter() allocates a buffer of count + 1 bytes.

In pci_write_legacy_io(), after validating count is 1, 2, or 4, the buffer is
cast and unconditionally dereferenced as a u32:

drivers/pci/pci-sysfs.c:pci_write_legacy_io() {
        /* Only support 1, 2 or 4 byte accesses */
        if (count != 1 && count != 2 && count != 4)
                return -EINVAL;

        return pci_legacy_write(bus, off, *(u32 *)buf, count);
}

Does the *(u32 *)buf dereference cause a 4-byte read from the smaller 2-byte
or 3-byte buffer, potentially triggering a KASAN slab-out-of-bounds read?

> +	.f_mapping = iomem_get_mapping,						\
> +	.llseek = pci_llseek_resource_legacy,					\
> +	.mmap = pci_mmap_legacy_io,						\
> +}
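
Review bot: `pci_legacy_resource_io_attr(_suffix, _size)` has no comment describing its parameters, and `_suffix` does double duty: it is pasted into the symbol `pci_legacy_io##_suffix##_attr` and stringified into the sysfs name `"legacy_io" __stringify(_suffix)`. Please add a short comment above the macro saying which suffixes are expected and what `_size` represents, and note that the definition ends at `}` so each use has to supply its own trailing semicolon. Because the attribute is `.mode = 0600` with `.write = pci_write_legacy_io`, that write handler is reachable from user space through every instance of this macro, so its access-width handling is worth settling alongside this series.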

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260619085200.3729431-1-kwilczynski@kernel.org?part=22
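
One way to load exactly `count` bytes instead of a fixed `u32`, shown as an added userspace sketch that is not part of the review above or of the kernel source. `legacy_write_stub()`, `overread_bytes()` and `write_legacy_io_checked()` are hypothetical names, and the `count + 1` allocation size is taken from the review's description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static uint32_t last_val;	/* what the stub below was last handed */

/* Hypothetical stand-in for pci_legacy_write(); records the value. */
static int legacy_write_stub(uint32_t val, size_t size)
{
	last_val = val;
	return (int)size;
}

/* Bytes a fixed 4-byte load reads past a (count + 1)-byte allocation. */
static size_t overread_bytes(size_t count)
{
	size_t alloc = count + 1;
	return alloc < sizeof(uint32_t) ? sizeof(uint32_t) - alloc : 0;
}

/* Width-aware variant: loads exactly count bytes from buf, never more. */
static int write_legacy_io_checked(const char *buf, size_t count)
{
	uint8_t v8; uint16_t v16; uint32_t v32;

	switch (count) {
	case 1: memcpy(&v8, buf, 1); return legacy_write_stub(v8, count);
	case 2: memcpy(&v16, buf, 2); return legacy_write_stub(v16, count);
	case 4: memcpy(&v32, buf, 4); return legacy_write_stub(v32, count);
	default: return -EINVAL;	/* only 1, 2 or 4 byte accesses */
	}
}

/* Constructed input: a 2-byte write held in a 3-byte heap buffer. */
int main(void)
{
	uint16_t port_val = 0x1234;
	char *buf = calloc(1, sizeof(port_val) + 1);
	int ret;

	if (!buf)
		return 1;
	memcpy(buf, &port_val, sizeof(port_val));
	ret = write_legacy_io_checked(buf, sizeof(port_val));
	free(buf);
	return (ret == 2 && last_val == 0x1234 && overread_bytes(2) == 1) ? 0 : 1;
}
```

Built with `-fsanitize=address`, this runs clean on the 3-byte buffer because no load is wider than `count`.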
