From: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>
To: Ziming Du <duziming2@huawei.com>
Cc: bhelgaas@google.com, linux-pci@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
chrisw@redhat.com, jbarnes@virtuousgeek.org,
alex.williamson@redhat.com, liuyongqiang13@huawei.com
Subject: Re: [PATCH 3/3] PCI: Prevent overflow in proc_bus_pci_write()
Date: Tue, 16 Dec 2025 12:57:38 +0200 (EET) [thread overview]
Message-ID: <47ccdb75-7134-b86a-e8bb-eebb9f1e0b47@linux.intel.com> (raw)
In-Reply-To: <20251216083912.758219-4-duziming2@huawei.com>
On Tue, 16 Dec 2025, Ziming Du wrote:
> When the value of ppos over the INT_MAX, the pos will be
is over
> set a negtive value which will be pass to get_user() or
set to a negative value which will be passed
> pci_user_write_config_dword(). And unexpected behavior
Please start the sentence with something else than And.
Hmm, the lines look rather short too, can you please reflow the changelog
paragraphs to 75 characters.
> such as a softlock happens:
>
> watchdog: BUG: soft lockup - CPU#0 stuck for 130s! [syz.3.109:3444]
> Modules linked in:
> CPU: 0 PID: 3444 Comm: syz.3.109 Not tainted 6.6.0+ #33
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> RIP: 0010:_raw_spin_unlock_irq+0x17/0x30
> Code: cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 e8 52 12 00 00 90 fb 65 ff 0d b1 a1 86 6d <74> 05 e9 42 52 00 00 0f 1f 44 00 00 c3 cc cc cc cc 0f 1f 84 00 00
> RSP: 0018:ffff88816851fb50 EFLAGS: 00000246
> RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff927daf9b
> RDX: 0000000000000cfc RSI: 0000000000000046 RDI: ffffffff9a7c7400
> RBP: 00000000818bb9dc R08: 0000000000000001 R09: ffffed102d0a3f59
> R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
> R13: ffff888102220000 R14: ffffffff926d3b10 R15: 00000000210bbb5f
> FS: 00007ff2d4e56640(0000) GS:ffff8881f5c00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000210bbb5b CR3: 0000000147374002 CR4: 0000000000772ef0
> PKRU: 00000000
> Call Trace:
> <TASK>
> pci_user_write_config_dword+0x126/0x1f0
> ? __get_user_nocheck_8+0x20/0x20
> proc_bus_pci_write+0x273/0x470
> proc_reg_write+0x1b6/0x280
> do_iter_write+0x48e/0x790
> ? import_iovec+0x47/0x90
> vfs_writev+0x125/0x4a0
> ? futex_wake+0xed/0x500
> ? __pfx_vfs_writev+0x10/0x10
> ? userfaultfd_ioctl+0x131/0x1ae0
> ? userfaultfd_ioctl+0x131/0x1ae0
> ? do_futex+0x17e/0x220
> ? __pfx_do_futex+0x10/0x10
> ? __fget_files+0x193/0x2b0
> __x64_sys_pwritev+0x1e2/0x2a0
> ? __pfx___x64_sys_pwritev+0x10/0x10
> do_syscall_64+0x59/0x110
> entry_SYSCALL_64_after_hwframe+0x78/0xe2
Could you please trim the dump so it only contains things relevant to this
issue () (also check trimming in the other patches).
> Fix this by use unsigned int for the pos.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
> Signed-off-by: Ziming Du <duziming2@huawei.com>
> ---
> drivers/pci/proc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
> index 9348a0fb8084..dbec1d4209c9 100644
> --- a/drivers/pci/proc.c
> +++ b/drivers/pci/proc.c
> @@ -113,7 +113,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
> {
> struct inode *ino = file_inode(file);
> struct pci_dev *dev = pde_data(ino);
> - int pos = *ppos;
> + unsigned int pos = *ppos;
> int size = dev->cfg_size;
> int cnt, ret;
So this still throws away some bits compared with the original ppos ?
--
i.
next prev parent reply other threads:[~2025-12-16 10:58 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-16 8:39 [PATCH 0/3] Miscellaneous fixes for pci subsystem Ziming Du
2025-12-16 8:39 ` [PATCH 1/3] PCI/sysfs: fix null pointer dereference during PCI hotplug Ziming Du
2025-12-23 16:55 ` Bjorn Helgaas
2025-12-24 1:28 ` duziming
2025-12-16 8:39 ` [PATCH 2/3] PCI/sysfs: Prohibit unaligned access to I/O port on non-x86 Ziming Du
2025-12-16 10:43 ` Ilpo Järvinen
2025-12-17 9:47 ` duziming
2025-12-17 10:15 ` Ilpo Järvinen
2025-12-18 8:03 ` duziming
2025-12-20 16:20 ` kernel test robot
2025-12-22 5:01 ` kernel test robot
2025-12-16 8:39 ` [PATCH 3/3] PCI: Prevent overflow in proc_bus_pci_write() Ziming Du
2025-12-16 10:57 ` Ilpo Järvinen [this message]
2025-12-17 9:33 ` duziming
2025-12-17 10:19 ` Ilpo Järvinen
2025-12-18 7:18 ` duziming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47ccdb75-7134-b86a-e8bb-eebb9f1e0b47@linux.intel.com \
--to=ilpo.jarvinen@linux.intel.com \
--cc=alex.williamson@redhat.com \
--cc=bhelgaas@google.com \
--cc=chrisw@redhat.com \
--cc=duziming2@huawei.com \
--cc=jbarnes@virtuousgeek.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=liuyongqiang13@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox