[PATCH v2] PCI/proc: check user access return values in proc_bus_pci_{read,write}()

[PATCH v2] PCI/proc: check user access return values in proc_bus_pci_{read,write}()

[Deepanshu Kartikey]

proc_bus_pci_write() ignores the return value of __get_user(). On a
faulting user pointer the extable fixup zeros the destination, and the
function writes those zeros to PCI configuration space.

syzbot triggers this with writev()-ing a NULL iov_base to
/proc/bus/pci/00/03.0 (the virtio-blk controller in the syzkaller VM):
zero is written to the Command register, clearing Bus Master Enable,
and the disk stops responding. In-flight journal writes never complete
and jbd2 hangs in wait_on_buffer() indefinitely:

  INFO: task jbd2/sda1-8 blocked in I/O wait for more than 143 seconds.
   __wait_on_buffer fs/buffer.c:123
   jbd2_journal_commit_transaction+0x388a/0x6870 fs/jbd2/commit.c:837
   kjournald2 fs/jbd2/journal.c:201

proc_bus_pci_read() has the symmetric problem with __put_user(): a
faulting user pointer silently drops config-space data and returns
success.

Switch both functions to get_user()/put_user(), which combine the
access_ok() check with the load/store and return -EFAULT on failure.
The up-front access_ok() can be removed accordingly. On error, jump to
a common label that releases the runtime-PM reference and returns
-EFAULT.

Reported-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c7604c9fdd7580cca4e0
Tested-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
Changes in v2:
 - Use get_user()/put_user() and drop access_ok() (Krzysztof)
 - Rename label to err: per kernel convention (Krzysztof)
 - Simplify error path to release runtime-PM and return -EFAULT (Krzysztof)
 - Apply the same fix to proc_bus_pci_read() (Krzysztof)
---
 drivers/pci/proc.c | 44 ++++++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index ce36e35681e8..8e624d829840 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -53,15 +53,13 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 		nbytes = size - pos;
 	cnt = nbytes;
 
-	if (!access_ok(buf, cnt))
-		return -EINVAL;
-
 	pci_config_pm_runtime_get(dev);
 
 	if ((pos & 1) && cnt) {
 		unsigned char val;
 		pci_user_read_config_byte(dev, pos, &val);
-		__put_user(val, buf);
+		if (put_user(val, buf))
+			goto err;
 		buf++;
 		pos++;
 		cnt--;
@@ -70,7 +68,8 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 	if ((pos & 3) && cnt > 2) {
 		unsigned short val;
 		pci_user_read_config_word(dev, pos, &val);
-		__put_user(cpu_to_le16(val), (__le16 __user *) buf);
+		if (put_user(cpu_to_le16(val), (__le16 __user *) buf))
+			goto err;
 		buf += 2;
 		pos += 2;
 		cnt -= 2;
@@ -79,7 +78,8 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 	while (cnt >= 4) {
 		unsigned int val;
 		pci_user_read_config_dword(dev, pos, &val);
-		__put_user(cpu_to_le32(val), (__le32 __user *) buf);
+		if (put_user(cpu_to_le32(val), (__le32 __user *) buf))
+			goto err;
 		buf += 4;
 		pos += 4;
 		cnt -= 4;
@@ -89,7 +89,8 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 	if (cnt >= 2) {
 		unsigned short val;
 		pci_user_read_config_word(dev, pos, &val);
-		__put_user(cpu_to_le16(val), (__le16 __user *) buf);
+		if (put_user(cpu_to_le16(val), (__le16 __user *) buf))
+			goto err;
 		buf += 2;
 		pos += 2;
 		cnt -= 2;
@@ -98,7 +99,8 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 	if (cnt) {
 		unsigned char val;
 		pci_user_read_config_byte(dev, pos, &val);
-		__put_user(val, buf);
+		if (put_user(val, buf))
+			goto err;
 		pos++;
 	}
 
@@ -106,6 +108,10 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
 
 	*ppos = pos;
 	return nbytes;
+
+err:
+	pci_config_pm_runtime_put(dev);
+	return -EFAULT;
 }
 
 static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@@ -129,14 +135,12 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 		nbytes = size - pos;
 	cnt = nbytes;
 
-	if (!access_ok(buf, cnt))
-		return -EINVAL;
-
 	pci_config_pm_runtime_get(dev);
 
 	if ((pos & 1) && cnt) {
 		unsigned char val;
-		__get_user(val, buf);
+		if (get_user(val, buf))
+			goto err;
 		pci_user_write_config_byte(dev, pos, val);
 		buf++;
 		pos++;
@@ -145,7 +149,8 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if ((pos & 3) && cnt > 2) {
 		__le16 val;
-		__get_user(val, (__le16 __user *) buf);
+		if (get_user(val, (__le16 __user *) buf))
+			goto err;
 		pci_user_write_config_word(dev, pos, le16_to_cpu(val));
 		buf += 2;
 		pos += 2;
@@ -154,7 +159,8 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	while (cnt >= 4) {
 		__le32 val;
-		__get_user(val, (__le32 __user *) buf);
+		if (get_user(val, (__le32 __user *) buf))
+			goto err;
 		pci_user_write_config_dword(dev, pos, le32_to_cpu(val));
 		buf += 4;
 		pos += 4;
@@ -163,7 +169,8 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if (cnt >= 2) {
 		__le16 val;
-		__get_user(val, (__le16 __user *) buf);
+		if (get_user(val, (__le16 __user *) buf))
+			goto err;
 		pci_user_write_config_word(dev, pos, le16_to_cpu(val));
 		buf += 2;
 		pos += 2;
@@ -172,7 +179,8 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 
 	if (cnt) {
 		unsigned char val;
-		__get_user(val, buf);
+		if (get_user(val, buf))
+			goto err;
 		pci_user_write_config_byte(dev, pos, val);
 		pos++;
 	}
@@ -182,6 +190,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
 	*ppos = pos;
 	i_size_write(ino, dev->cfg_size);
 	return nbytes;
+
+err:
+	pci_config_pm_runtime_put(dev);
+	return -EFAULT;
 }
 
 #ifdef HAVE_PCI_MMAP
-- 
2.43.0

Re: [PATCH v2] PCI/proc: check user access return values in proc_bus_pci_{read,write}()

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Integer truncation in proc_bus_pci_write allows negative offsets to bypass bounds checks, leading to out-of-bounds PCI accesses and soft lockups.
- [Medium] Error handling discards partial transfers, violating POSIX semantics and risking unintended side effects on retry.
--

commit e7bdf9d788abd98223b783ee67cefeac2bfdde52
Author: Deepanshu Kartikey <kartikey406@gmail.com>

PCI/proc: check user access return values in proc_bus_pci_{read,write}()

This commit replaces __get_user() and __put_user() with get_user() and
put_user() to check for user access faults during PCI config space reads
and writes. It removes the upfront access_ok() check and adds an error
path to release the runtime PM reference and return -EFAULT on failure.

> diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
> index ce36e35681e8..8e624d829840 100644
> --- a/drivers/pci/proc.c
> +++ b/drivers/pci/proc.c
> @@ -53,15 +53,13 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
>  		nbytes = size - pos;
>  	cnt = nbytes;
>  
> -	if (!access_ok(buf, cnt))
> -		return -EINVAL;
> -
>  	pci_config_pm_runtime_get(dev);
>  
>  	if ((pos & 1) && cnt) {
>  		unsigned char val;
>  		pci_user_read_config_byte(dev, pos, &val);
> -		__put_user(val, buf);
> +		if (put_user(val, buf))
> +			goto err;
>  		buf++;
>  		pos++;
>  		cnt--;
> @@ -70,7 +68,8 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
>  	if ((pos & 3) && cnt > 2) {
>  		unsigned short val;
>  		pci_user_read_config_word(dev, pos, &val);
> -		__put_user(cpu_to_le16(val), (__le16 __user *) buf);
> +		if (put_user(cpu_to_le16(val), (__le16 __user *) buf))
> +			goto err;

If a fault happens during this put_user() call, some bytes may have already
been successfully transferred by the previous call. Unconditionally jumping
to the err label and returning -EFAULT discards this partial progress and
fails to update *ppos.

Since configuration registers can be stateful, such as Write-1-to-Clear
bits, could userspace retrying the entire operation cause unintended side
effects?

If data has been successfully processed prior to a fault, should the function
update the file offset and return the number of bytes transferred instead?

[ ... ]
> @@ -106,6 +108,10 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
>  
>  	*ppos = pos;
>  	return nbytes;
> +
> +err:
> +	pci_config_pm_runtime_put(dev);
> +	return -EFAULT;
>  }
>  
>  static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,

This issue isn't introduced by the patch, but does this function truncate
*ppos? Looking at the full function:

static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
				  size_t nbytes, loff_t *ppos)
{
	...
	int pos = *ppos;
	...

If a large positive offset is passed, such as 2294967296, the assignment to
the 32-bit int pos would truncate it to a negative value.

This bypasses the if (pos >= size) check. When checking pos + nbytes > size,
pos is promoted to a 64-bit size_t and sign-extends to a huge value, making
the condition true. nbytes is then calculated as size - pos, resulting in a
massive positive integer for cnt.

[ ... ]
> @@ -154,7 +159,8 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
>  
>  	while (cnt >= 4) {
>  		__le32 val;
> -		__get_user(val, (__le32 __user *) buf);
> +		if (get_user(val, (__le32 __user *) buf))
> +			goto err;
>  		pci_user_write_config_dword(dev, pos, le32_to_cpu(val));
>  		buf += 4;
>  		pos += 4;
>  		cnt -= 4;

The while (cnt >= 4) loop would then execute hundreds of millions of times,
passing a negative offset to the configuration accessor functions.

Since proc_bus_pci_write() lacks a cond_resched() call in this loop, could
this trigger a soft lockup?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260504022231.15501-1-kartikey406@gmail.com?part=1