From: Deepanshu Kartikey
To: bhelgaas@google.com
Cc: linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Subject: [PATCH] PCI/proc: check __get_user() return value in proc_bus_pci_write()
Date: Sat, 2 May 2026 06:44:46 +0530
Message-ID: <20260502011446.125268-1-kartikey406@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

proc_bus_pci_write() does not check the return value of __get_user(). On a faulting user pointer the extable fixup zeros the destination, and the function writes those zeros to PCI configuration space.

syzbot exploits this by writev()-ing a NULL iov_base to /proc/bus/pci/00/03.0 (the virtio-blk controller in the syzkaller VM): zero is written to the Command register, clearing Bus Master Enable, and the disk stops responding. In-flight journal writes never complete and jbd2 hangs in wait_on_buffer() indefinitely.

Check __get_user() and return -EFAULT on failure.

Reported-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c7604c9fdd7580cca4e0
Tested-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
---
 drivers/pci/proc.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index ce36e35681e8..54052157c276 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -136,7 +136,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if ((pos & 1) && cnt) { unsigned char val; - __get_user(val, buf); + if (__get_user(val, buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_byte(dev, pos, val); buf++; pos++; @@ -145,7 +148,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if ((pos & 3) && cnt > 2) { __le16 val; - __get_user(val, (__le16 __user *) buf); + if (__get_user(val, (__le16 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_word(dev, pos, le16_to_cpu(val)); buf += 2; pos += 2; @@ -154,7 +160,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, while (cnt >= 4) { __le32 val; - __get_user(val, (__le32 __user *) buf); + if (__get_user(val, (__le32 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_dword(dev, pos, le32_to_cpu(val)); buf += 4; pos += 4; @@ -163,7 +172,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if (cnt >= 2) { __le16 val; - __get_user(val, (__le16 __user *) buf); + if (__get_user(val, (__le16 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_word(dev, pos, le16_to_cpu(val)); buf += 2; pos += 2; @@ -172,16 +184,21 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if (cnt) { unsigned char val; - __get_user(val, buf); + if (__get_user(val, buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_byte(dev, pos, val); pos++; } + ret = nbytes; +out: pci_config_pm_runtime_put(dev); - *ppos = pos; - i_size_write(ino, dev->cfg_size); - return nbytes; + if (ret > 0) + i_size_write(ino, dev->cfg_size); + return ret; } #ifdef HAVE_PCI_MMAP -- 2.43.0
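Review bot: in the first hunk (and the three that follow the same pattern) a fault partway through the buffer returns -EFAULT after earlier bytes or words have already been committed to configuration space, so the caller is not told that part of the write landed; the commit message should state that this is intended rather than returning a short count for the bytes already written. The `ret` these hunks assign is declared nowhere in the diff, so the patch relies on an existing variable earlier in the function; worth a sentence confirming it is there and wide enough to carry `nbytes`.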
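Review bot: the last hunk deletes `*ppos = pos;` without putting it back on the success path, so a successful write no longer advances the file offset and a caller issuing consecutive write() calls without lseek() would keep hitting the same config offset; restore it under the success branch, e.g. `if (ret > 0) { *ppos = pos; i_size_write(ino, dev->cfg_size); }`.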
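The commit message describes why an unchecked __get_user() turns a faulting user pointer into a zero write of the Command register. The following userspace model is an added example, not kernel code from this patch: it stands in a fake config space for the device, a fake get_user that zeros its destination and returns -EFAULT like the extable fixup, and the word-write step in its unchecked (pre-patch) and checked (post-patch) forms. The register layout and the -EFAULT value are the only things it assumes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one device's 256-byte PCI config space. */
#define CFG_SIZE           256
#define PCI_COMMAND        0x04   /* offset of the 16-bit Command register */
#define PCI_COMMAND_MASTER 0x04   /* Bus Master Enable bit */

static uint8_t cfg_space[CFG_SIZE];

/* Model of __get_user() for a 16-bit value: a NULL source plays the
 * faulting user pointer. Like the kernel's extable fixup, the fault path
 * zeros *dst and reports -EFAULT; the caller must look at the return. */
static int model_get_user_u16(uint16_t *dst, const uint16_t *src)
{
    if (src == NULL) {
        *dst = 0;
        return -EFAULT;
    }
    *dst = *src;
    return 0;
}

/* Reset the model device with bus master, memory and I/O decoding on. */
static void cfg_reset(void)
{
    memset(cfg_space, 0, sizeof cfg_space);
    cfg_space[PCI_COMMAND] = PCI_COMMAND_MASTER | 0x3;
}

/* Little-endian store, matching what the word write does on the wire. */
static void cfg_store_u16(int pos, uint16_t val)
{
    cfg_space[pos] = (uint8_t)(val & 0xff);
    cfg_space[pos + 1] = (uint8_t)(val >> 8);
}

/* Pre-patch shape: return value ignored, so a fault writes zeros. */
static long write_word_unchecked(int pos, const uint16_t *user_buf)
{
    uint16_t val;
    model_get_user_u16(&val, user_buf);
    cfg_store_u16(pos, val);
    return 2;
}

/* Post-patch shape: bail out with -EFAULT, register left untouched. */
static long write_word_checked(int pos, const uint16_t *user_buf)
{
    uint16_t val;
    if (model_get_user_u16(&val, user_buf))
        return -EFAULT;
    cfg_store_u16(pos, val);
    return 2;
}

static int bus_master_enabled(void)
{
    return (cfg_space[PCI_COMMAND] & PCI_COMMAND_MASTER) != 0;
}
```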