Date: Fri, 01 May 2026 17:02:54 -0700
In-Reply-To: <69f3f165.170a0220.5f1b.0010.GAE@google.com>
Message-ID: <69f53f2e.050a0220.312cd3.001d.GAE@google.com>
Subject: Forwarded: [PATCH] PCI/proc: check return value of __get_user() in proc_bus_pci_write()
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] PCI/proc: check return value of __get_user() in proc_bus_pci_write()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

proc_bus_pci_write() invokes __get_user() in five places without checking its return value. When the user pointer faults, the extable fixup leaves the destination indeterminate but the function still hands the value to pci_user_write_config_*(), writing fixup state to PCI configuration space.

syzbot triggers this with a writev() whose iov_base is NULL on /proc/bus/pci/00/03.0 (the virtio-blk controller in the syzkaller VM). Every __get_user() faults, val ends up as fixup-zero, and zero is written to config space offsets 0..6 -- including the Command register at offset 4, clearing Bus Master and Memory Space Enable. The disk goes silent mid-flight, in-flight journal bios never complete, and jbd2 hangs in wait_on_buffer() indefinitely:

INFO: task jbd2/sda1-8:4955 blocked in I/O wait for more than 143 seconds.
__wait_on_buffer fs/buffer.c:123
jbd2_journal_commit_transaction+0x388a/0x6870 fs/jbd2/commit.c:837
kjournald2 fs/jbd2/journal.c:201

Check the return value of every __get_user() and bail with -EFAULT on failure, releasing the runtime-PM reference via a common exit path.

Reported-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c7604c9fdd7580cca4e0
Signed-off-by: Deepanshu Kartikey
---
 drivers/pci/proc.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index ce36e35681e8..54052157c276 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -136,7 +136,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if ((pos & 1) && cnt) { unsigned char val; - __get_user(val, buf); + if (__get_user(val, buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_byte(dev, pos, val); buf++; pos++; @@ -145,7 +148,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if ((pos & 3) && cnt > 2) { __le16 val; - __get_user(val, (__le16 __user *) buf); + if (__get_user(val, (__le16 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_word(dev, pos, le16_to_cpu(val)); buf += 2; pos += 2; @@ -154,7 +160,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, while (cnt >= 4) { __le32 val; - __get_user(val, (__le32 __user *) buf); + if (__get_user(val, (__le32 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_dword(dev, pos, le32_to_cpu(val)); buf += 4; pos += 4; @@ -163,7 +172,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if (cnt >= 2) { __le16 val; - __get_user(val, (__le16 __user *) buf); + if (__get_user(val, (__le16 __user *) buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_word(dev, pos, le16_to_cpu(val)); buf += 2; pos += 2; @@ -172,16 +184,21 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, if (cnt) { unsigned char val; - __get_user(val, buf); + if (__get_user(val, buf)) { + ret = -EFAULT; + goto out; + } pci_user_write_config_byte(dev, pos, val); pos++; } + ret = nbytes; +out: pci_config_pm_runtime_put(dev); - *ppos = pos; - i_size_write(ino, dev->cfg_size); - return nbytes; + if (ret > 0) + i_size_write(ino, dev->cfg_size); + return ret; } #ifdef HAVE_PCI_MMAP -- 2.43.0
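Review bot: in the last hunk (the `out:` exit path) the `- *ppos = pos;` line is removed and nothing re-adds it, so a successful write no longer advances the file position and consecutive write() calls on the same descriptor would keep landing at the same config-space offset; keep `*ppos = pos;` on the success path, e.g. right after `ret = nbytes;`, or unconditionally before `return ret;` as the old code did. The same hunk also relies on an `int ret` that it does not introduce, so confirm the function already declares one and that assigning the size_t `nbytes` to it is intended; and `if (ret > 0)` now skips i_size_write() for a zero-length write, which the old unconditional call did not, so either state that this is deliberate or use `if (ret >= 0)`.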
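Review bot: in the second through fifth hunks the new `ret = -EFAULT; goto out;` path runs after earlier chunks have already been written to configuration space, so the caller gets an error for a write the device has partly seen and cannot tell how much landed. That matches the fault-at-first-byte case syzbot hit and is what many drivers do, but it departs from usual write() semantics; either return the number of bytes already written when it is non-zero, or say in the commit message that a partial write followed by -EFAULT is the accepted behaviour.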
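The bug and the fix from the commit message, modelled in user-space C as an added example that is neither the kernel's code nor the patch author's: a fault-injecting stand-in for __get_user() and a byte array standing in for PCI config space, with model_get_user, model_pci_write and command_after_null_write being assumed names.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CFG_SIZE    64   /* model of a PCI config space (real one is 256+) */
#define PCI_COMMAND 4    /* Command register offset in the PCI header */

/* Stand-in for __get_user(): a NULL user pointer "faults"; the extable
 * fixup path leaves the destination zeroed, as the commit message says. */
static int model_get_user(uint32_t *val, const uint8_t *ubuf, size_t n)
{
	*val = 0;
	if (!ubuf)
		return -EFAULT;
	memcpy(val, ubuf, n);        /* bytes pass through unchanged */
	return 0;
}

/* Copies cnt bytes from ubuf into cfg[pos..] with the same byte/word/dword
 * stepping as proc_bus_pci_write(); checked=1 models the patched function. */
static long model_pci_write(uint8_t *cfg, int pos, const uint8_t *ubuf,
			    int cnt, int checked)
{
	long nbytes = cnt;
	uint32_t val;
	while (cnt > 0) {
		int n = ((pos & 1) || cnt < 2) ? 1 :
			((pos & 3) || cnt < 4) ? 2 : 4;
		int err = model_get_user(&val, ubuf, n);
		if (checked && err)
			return -EFAULT;     /* patched: stop before touching the device */
		memcpy(cfg + pos, &val, n); /* unpatched: fixup zero reaches the device */
		ubuf = ubuf ? ubuf + n : NULL;
		pos += n;
		cnt -= n;
	}
	return nbytes;
}

/* The syzbot scenario: a 7-byte write at offset 0 from a NULL pointer.
 * Returns the Command register afterwards and stores the write's result. */
static int command_after_null_write(int checked, long *ret)
{
	uint8_t cfg[CFG_SIZE];
	memset(cfg, 0xff, sizeof cfg);  /* constructed device state */
	cfg[PCI_COMMAND] = 0x07;        /* I/O, Memory Space and Bus Master set */
	*ret = model_pci_write(cfg, 0, NULL, 7, checked);
	return cfg[PCI_COMMAND];
}
```

The unchecked model reports success while zeroing offsets 0..6, including the Command register; the checked model returns -EFAULT and leaves the device untouched.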