From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: drivers/pci/controller/pci-hyperv.c:2313 prepopulate_bars() error: buffer overflow 'hpdev->probed_bar' 6 <= 6
Date: Tue, 31 Mar 2026 07:16:29 +0800
Message-ID: <202603310721.yBIfyrK7-lkp@intel.com>
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Roman Kisel <romank@linux.microsoft.com>
CC: Wei Liu <wei.liu@kernel.org>
CC: Michael Kelley <mhklinux@outlook.com>
Hi Roman,
First bad commit (maybe != root cause):
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
commit: d684f9b28809b783e8473727fdf14595b36d8fd3 PCI: hv: Get vPCI MSI IRQ domain from DeviceTree
date: 10 months ago
:::::: branch date: 25 hours ago
:::::: commit date: 10 months ago
config: arm64-randconfig-r072-20260330 (https://download.01.org/0day-ci/archive/20260331/202603310721.yBIfyrK7-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 10.5.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603310721.yBIfyrK7-lkp@intel.com/
smatch warnings:
drivers/pci/controller/pci-hyperv.c:2313 prepopulate_bars() error: buffer overflow 'hpdev->probed_bar' 6 <= 6
vim +2313 drivers/pci/controller/pci-hyperv.c
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2246
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2247 /**
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2248 * prepopulate_bars() - Fill in BARs with defaults
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2249 * @hbus: Root PCI bus, as understood by this driver
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2250 *
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2251 * The core PCI driver code seems much, much happier if the BARs
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2252 * for a device have values upon first scan. So fill them in.
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2253 * The algorithm below works down from large sizes to small,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2254 * attempting to pack the assignments optimally. The assumption,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2255 * enforced in other parts of the code, is that the beginning of
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2256 * the memory-mapped I/O space will be aligned on the largest
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2257 * BAR size.
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2258 */
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2259 static void prepopulate_bars(struct hv_pcibus_device *hbus)
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2260 {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2261 resource_size_t high_size = 0;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2262 resource_size_t low_size = 0;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2263 resource_size_t high_base = 0;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2264 resource_size_t low_base = 0;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2265 resource_size_t bar_size;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2266 struct hv_pci_dev *hpdev;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2267 unsigned long flags;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2268 u64 bar_val;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2269 u32 command;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2270 bool high;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2271 int i;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2272
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2273 if (hbus->low_mmio_space) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2274 low_size = 1ULL << (63 - __builtin_clzll(hbus->low_mmio_space));
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2275 low_base = hbus->low_mmio_res->start;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2276 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2277
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2278 if (hbus->high_mmio_space) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2279 high_size = 1ULL <<
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2280 (63 - __builtin_clzll(hbus->high_mmio_space));
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2281 high_base = hbus->high_mmio_res->start;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2282 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2283
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2284 spin_lock_irqsave(&hbus->device_list_lock, flags);
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2285
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2286 /*
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2287 * Clear the memory enable bit, in case it's already set. This occurs
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2288 * in the suspend path of hibernation, where the device is suspended,
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2289 * resumed and suspended again: see hibernation_snapshot() and
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2290 * hibernation_platform_enter().
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2291 *
c77bfb54174308 drivers/pci/controller/pci-hyperv.c Bjorn Helgaas 2021-01-26 2292 * If the memory enable bit is already set, Hyper-V silently ignores
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2293 * the below BAR updates, and the related PCI device driver can not
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2294 * work, because reading from the device register(s) always returns
14e04d0d5ed065 drivers/pci/controller/pci-hyperv.c Naveen Naidu 2021-11-18 2295 * 0xFFFFFFFF (PCI_ERROR_RESPONSE).
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2296 */
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2297 list_for_each_entry(hpdev, &hbus->children, list_entry) {
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2298 _hv_pcifront_read_config(hpdev, PCI_COMMAND, 2, &command);
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2299 command &= ~PCI_COMMAND_MEMORY;
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2300 _hv_pcifront_write_config(hpdev, PCI_COMMAND, 2, command);
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2301 }
ac82fc83270884 drivers/pci/controller/pci-hyperv.c Dexuan Cui 2019-11-24 2302
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2303 /* Pick addresses for the BARs. */
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2304 do {
5b8db8f66e08fa drivers/pci/host/pci-hyperv.c Stephen Hemminger 2018-05-23 2305 list_for_each_entry(hpdev, &hbus->children, list_entry) {
c9c13ba428ef90 drivers/pci/controller/pci-hyperv.c Denis Efremov 2019-09-28 2306 for (i = 0; i < PCI_STD_NUM_BARS; i++) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2307 bar_val = hpdev->probed_bar[i];
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2308 if (bar_val == 0)
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2309 continue;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2310 high = bar_val & PCI_BASE_ADDRESS_MEM_TYPE_64;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2311 if (high) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2312 bar_val |=
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 @2313 ((u64)hpdev->probed_bar[i + 1]
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2314 << 32);
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2315 } else {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2316 bar_val |= 0xffffffffULL << 32;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2317 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2318 bar_size = get_bar_size(bar_val);
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2319 if (high) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2320 if (high_size != bar_size) {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2321 i++;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2322 continue;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2323 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2324 _hv_pcifront_write_config(hpdev,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2325 PCI_BASE_ADDRESS_0 + (4 * i),
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2326 4,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2327 (u32)(high_base & 0xffffff00));
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2328 i++;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2329 _hv_pcifront_write_config(hpdev,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2330 PCI_BASE_ADDRESS_0 + (4 * i),
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2331 4, (u32)(high_base >> 32));
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2332 high_base += bar_size;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2333 } else {
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2334 if (low_size != bar_size)
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2335 continue;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2336 _hv_pcifront_write_config(hpdev,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2337 PCI_BASE_ADDRESS_0 + (4 * i),
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2338 4,
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2339 (u32)(low_base & 0xffffff00));
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2340 low_base += bar_size;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2341 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2342 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2343 if (high_size <= 1 && low_size <= 1) {
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2344 /*
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2345 * No need to set the PCI_COMMAND_MEMORY bit as
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2346 * the core PCI driver doesn't require the bit
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2347 * to be pre-set. Actually here we intentionally
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2348 * keep the bit off so that the PCI BAR probing
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2349 * in the core PCI driver doesn't cause Hyper-V
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2350 * to unnecessarily unmap/map the virtual BARs
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2351 * from/to the physical BARs multiple times.
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2352 * This reduces the VM boot time significantly
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2353 * if the BAR sizes are huge.
23e118a48acf7b drivers/pci/controller/pci-hyperv.c Dexuan Cui 2022-05-02 2354 */
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2355 break;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2356 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2357 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2358
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2359 high_size >>= 1;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2360 low_size >>= 1;
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2361 } while (high_size || low_size);
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2362
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2363 spin_unlock_irqrestore(&hbus->device_list_lock, flags);
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2364 }
4daace0d8ce851 drivers/pci/host/pci-hyperv.c Jake Oshins 2016-02-16 2365
:::::: The code at line 2313 was first introduced by commit
:::::: 4daace0d8ce851f8f8f91563c835e3000c954d5e PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs
:::::: TO: Jake Oshins <jakeo@microsoft.com>
:::::: CC: Bjorn Helgaas <bhelgaas@google.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki