From: syzbot <syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] PCI/proc: check return value of __get_user() in proc_bus_pci_write()
Date: Fri, 01 May 2026 17:02:54 -0700
Message-ID: <69f53f2e.050a0220.312cd3.001d.GAE@google.com>
In-Reply-To: <69f3f165.170a0220.5f1b.0010.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] PCI/proc: check return value of __get_user() in proc_bus_pci_write()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


proc_bus_pci_write() invokes __get_user() in five places without
checking its return value.  When the user pointer faults, the extable
fixup leaves the destination indeterminate but the function still hands
the value to pci_user_write_config_*(), writing fixup state to PCI
configuration space.

syzbot triggers this with a writev() whose iov_base is NULL on
/proc/bus/pci/00/03.0 (the virtio-blk controller in the syzkaller VM).
Every __get_user() faults, val ends up as fixup-zero, and zero is
written to config space offsets 0..6 -- including the Command register
at offset 4, clearing Bus Master and Memory Space Enable.  The disk
goes silent mid-flight, in-flight journal bios never complete, and
jbd2 hangs in wait_on_buffer() indefinitely:

  INFO: task jbd2/sda1-8:4955 blocked in I/O wait for more than 143 seconds.
   __wait_on_buffer fs/buffer.c:123
   jbd2_journal_commit_transaction+0x388a/0x6870 fs/jbd2/commit.c:837
   kjournald2 fs/jbd2/journal.c:201

Check the return value of every __get_user() and bail with -EFAULT on
failure, releasing the runtime-PM reference via a common exit path.

Reported-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c7604c9fdd7580cca4e0
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/pci/proc.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index ce36e35681e8..54052157c276 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -136,7 +136,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if ((pos & 1) && cnt) {
 		unsigned char val;
-		__get_user(val, buf);
+		if (__get_user(val, buf)) {
+			ret = -EFAULT;
+			goto out;
+		}
 		pci_user_write_config_byte(dev, pos, val);
 		buf++;
 		pos++;
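Review bot: the new error path assigns `ret = -EFAULT` and jumps to `out`, but `ret` is neither declared nor shown in this hunk's context; confirm that the function's existing `ret` is a signed type (it is reused as the return value in the last hunk), otherwise -EFAULT would be returned as a large positive count. It is also worth stating in the changelog why the earlier access_ok() on the buffer does not cover this case: access_ok() only validates the address range, so a NULL iov_base passes it and the fault surfaces inside __get_user(), which is exactly the return value this hunk starts checking. Given that, plain get_user() would work equally well here and is what checkpatch tends to prefer over __get_user().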
@@ -145,7 +148,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if ((pos & 3) && cnt > 2) {
 		__le16 val;
-		__get_user(val, (__le16 __user *) buf);
+		if (__get_user(val, (__le16 __user *) buf)) {
+			ret = -EFAULT;
+			goto out;
+		}
 		pci_user_write_config_word(dev, pos, le16_to_cpu(val));
 		buf += 2;
 		pos += 2;
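Review bot: this block and the three that follow repeat the same six-line fetch-and-bail pattern, and by the time this second check fails the byte from the first block has already been written to config space. A simpler and safer shape would be to copy the whole user buffer once with copy_from_user() into a kernel bounce buffer (cnt is already bounded by dev->cfg_size) before any pci_user_write_config_*() call, so a faulting buffer is rejected with no partial write to the device and the five checks collapse into one.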
@@ -154,7 +160,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	while (cnt >= 4) {
 		__le32 val;
-		__get_user(val, (__le32 __user *) buf);
+		if (__get_user(val, (__le32 __user *) buf)) {
+			ret = -EFAULT;
+			goto out;
+		}
 		pci_user_write_config_dword(dev, pos, le32_to_cpu(val));
 		buf += 4;
 		pos += 4;
@@ -163,7 +172,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if (cnt >= 2) {
 		__le16 val;
-		__get_user(val, (__le16 __user *) buf);
+		if (__get_user(val, (__le16 __user *) buf)) {
+			ret = -EFAULT;
+			goto out;
+		}
 		pci_user_write_config_word(dev, pos, le16_to_cpu(val));
 		buf += 2;
 		pos += 2;
@@ -172,16 +184,21 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if (cnt) {
 		unsigned char val;
-		__get_user(val, buf);
+		if (__get_user(val, buf)) {
+			ret = -EFAULT;
+			goto out;
+		}
 		pci_user_write_config_byte(dev, pos, val);
 		pos++;
 	}
 
+	ret = nbytes;
+out:
 	pci_config_pm_runtime_put(dev);
-
 	*ppos = pos;
-	i_size_write(ino, dev->cfg_size);
-	return nbytes;
+	if (ret > 0)
+		i_size_write(ino, dev->cfg_size);
+	return ret;
 }
 
 #ifdef HAVE_PCI_MMAP
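Review bot: the shared `out:` path still executes `*ppos = pos` when `ret` is -EFAULT, so a fault midway through the write advances the file position even though the caller is told nothing was written; either leave *ppos untouched on the error path or return the bytes actually written so far (pos minus the starting offset) as the established partial-write convention. Two smaller points: `ret = nbytes` narrows a size_t into `ret` (safe only because nbytes was clamped to cfg_size earlier), and the `if (ret > 0)` guard now skips i_size_write() for a zero-length write where the old code always ran it, which should be called out as intentional in the changelog. The removed blank line before `*ppos = pos` is an unrelated whitespace change and could be dropped from the patch.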
-- 
2.43.0

