From nobody Mon Feb 9 00:27:02 2026 Received: from canpmsgout08.his.huawei.com (canpmsgout08.his.huawei.com [113.46.200.223]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B2C8F2D5950; Fri, 16 Jan 2026 07:52:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.223 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549956; cv=none; b=qnUWNV+xJnqtLS5b4ZVvOxI+L6YQws7I/h1rJQo7aeTku7pIoANyS3QX96vvjFqpC5055PDeogXcsA2GGQpn/1dwUX+HUij8WrDIBGK1werD+W1Nu5qA/2WlsShqEgwjsSSyg5cfprvJ5xorKkIj9WNwoDQrIdo9VD8ASgtqiE4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549956; c=relaxed/simple; bh=u92f1kbTpIdKtEEuVeYvX55xieu/6RBt+ks+eV0Jdcc=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=H+U3U3fLuG1zG7UY42PlTY3rBhqLTHpyjCg+4cpRucVJc7f/i9LwIP1poPbVCTSc8+9mDnYjt0HgV9UdxYcacgBZiQXJiisHZpIansLjnZ9hTvL/Ec1RWCWs9t1aZmyez66t4YK5RdMLDGD095NvkR6yQRqrog1YO5DKrxAnPHo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=lxVLbGGP; arc=none smtp.client-ip=113.46.200.223 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="lxVLbGGP" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=3vxAPAMjiZnbkDd7gTIpK7c4P2xbFpz++FhONFEcjcg=; b=lxVLbGGPAJ1Q2ZkMqwn2Y1+76UEq84emQlyR5k6Tibxp037a6+mhKCE9ZMUIMpZW0/IphQZ/m rkSJ+P5k+TONPtt/biXHy0wmfXqyoMycqT4mZ4EPT3P5aWUrq2uZcuuqyhRf/Lgl5wqIWmWNmjW DeDZ6zJAPAu3uMux3SUeh8c= Received: from mail.maildlp.com (unknown [172.19.163.200]) by canpmsgout08.his.huawei.com (SkyGuard) with ESMTPS id 4dssRx3nFwzmVWy; Fri, 16 Jan 2026 15:49:01 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id DC4684055B; Fri, 16 Jan 2026 15:52:22 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Fri, 16 Jan 2026 15:52:22 +0800 From: Ziming Du To: , , , CC: , , Subject: [PATCH v4 1/4] PCI/sysfs: Prohibit unaligned access to I/O port Date: Fri, 16 Jan 2026 16:17:18 +0800 Message-ID: <20260116081723.1603603-2-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260116081723.1603603-1-duziming2@huawei.com> References: <20260116081723.1603603-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemr500012.china.huawei.com (7.202.195.23) Unaligned access is harmful for non-x86 archs such as arm64. When we use pwrite or pread to access the I/O port resources with unaligned offset, system will crash as follows: Unable to handle kernel paging request at virtual address fffffbfffe8010c1 Internal error: Oops: 0000000096000061 [#1] SMP Call trace: _outw include/asm-generic/io.h:594 [inline] logic_outw+0x54/0x218 lib/logic_pio.c:305 pci_resource_io drivers/pci/pci-sysfs.c:1157 [inline] pci_write_resource_io drivers/pci/pci-sysfs.c:1191 [inline] pci_write_resource_io+0x208/0x260 drivers/pci/pci-sysfs.c:1181 sysfs_kf_bin_write+0x188/0x210 fs/sysfs/file.c:158 kernfs_fop_write_iter+0x2e8/0x4b0 fs/kernfs/file.c:338 vfs_write+0x7bc/0xac8 fs/read_write.c:586 ksys_write+0x12c/0x270 fs/read_write.c:639 __arm64_sys_write+0x78/0xb8 fs/read_write.c:648 Although x86 might handle unaligned I/O accesses by splitting cycles, this approach is still limited because PCI device registers typically expect natural alignment. A global prohibition of unaligned accesses ensures consistent behavior across all architectures and prevents unexpected hardware side effects. Fixes: 8633328be242 ("PCI: Allow read/write access to sysfs I/O port resour= ces") Signed-off-by: Yongqiang Liu Signed-off-by: Ziming Du Suggested-by: Ilpo J=C3=A4rvinen --- drivers/pci/pci-sysfs.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index c2df915ad2d29..18e5d4603b472 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "pci.h" =20 #ifndef ARCH_PCI_DEV_GROUPS @@ -1166,12 +1167,16 @@ static ssize_t pci_resource_io(struct file *filp, s= truct kobject *kobj, *(u8 *)buf =3D inb(port); return 1; case 2: + if (!IS_ALIGNED(port, count)) + return -EINVAL; if (write) outw(*(u16 *)buf, port); else *(u16 *)buf =3D inw(port); return 2; case 4: + if (!IS_ALIGNED(port, count)) + return -EINVAL; if (write) outl(*(u32 *)buf, port); else --=20 2.43.0 From nobody Mon Feb 9 00:27:02 2026 Received: from canpmsgout07.his.huawei.com (canpmsgout07.his.huawei.com [113.46.200.222]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 42007224240; Fri, 16 Jan 2026 07:52:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.222 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549960; cv=none; b=VsfxRAVjdu8T8tMtvGNhr+nc1QmuvHDOXDfPs6sYtTImuC7doVAR4tBsVSSoPkAOBD3W+FFRd4cXbi+iFTi+lII8KCnmYSvlWk7yHYqnGPYgVQI81RrY1NT2Jz2yWX1km3TG1sQG5XAPCtBVlfGkEmkdlYGEzxZXOVtYTgSgudM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549960; c=relaxed/simple; bh=/woUAYAa+Rvl1TqiNjM7hekaZtjAweiHoYnZIyNJF28=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=CaVcvtsZNgkBHNBb9n9PMd1uRD4/mkSHGBY+njLlpAUurgJ5AZRxYgraVq+Ff1DnKorivt+tZC9hdLJdir0ethPrCX3UhBUzW8f6pJO9W/YGczJ2vVyzN7TMKqlb6Yrk64hHQypxCNW0C+NHNjqhCOnvOts1/X6Ul/cTCYuxlMI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=EqCVV5Sj; arc=none smtp.client-ip=113.46.200.222 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="EqCVV5Sj" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=SrOJJn0uHaQI5nwBo4evlkh4P3KvPi5BUYcQmVZGlDE=; b=EqCVV5Sjdz9e6H7Ae4v0u53JS0NpjcULzDFmFdi7QESxT/T2Rc7qEogRL8hqRTC4SZy14601C Nd3wcSWfeT41M57ou05jBUOdfHKkM/5w7NP/UcYyq18jrKQdIIZjzjguUUP072cIf3fbHBdT15/ gar7QvKRDDQvZiIbKQDjSvM= Received: from mail.maildlp.com (unknown [172.19.163.214]) by canpmsgout07.his.huawei.com (SkyGuard) with ESMTPS id 4dssRz1H0czLlTd; Fri, 16 Jan 2026 15:49:03 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id 404814056C; Fri, 16 Jan 2026 15:52:23 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Fri, 16 Jan 2026 15:52:22 +0800 From: Ziming Du To: , , , CC: , , Subject: [PATCH v4 2/4] PCI/sysfs: Fix null pointer dereference during hotplug Date: Fri, 16 Jan 2026 16:17:19 +0800 Message-ID: <20260116081723.1603603-3-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260116081723.1603603-1-duziming2@huawei.com> References: <20260116081723.1603603-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemr500012.china.huawei.com (7.202.195.23) Content-Type: text/plain; charset="utf-8" During the concurrent process of creating and rescanning in VF, the resource files for the same pci_dev may be created twice. The second creation attempt fails, resulting the res_attr in pci_dev to kfree(), but the pointer is not set to NULL. This will subsequently lead to dereferencing a null pointer when removing the device. When we perform the following operation: echo $sriov_totalvfs > /sys/class/net/"$pfname"/device/sriov_numvfs & sleep 0.5 echo 1 > /sys/bus/pci/rescan pci_remove "$pfname" system will crash as follows: Unable to handle kernel NULL pointer dereference at virtual address 00000= 00000000000 Call trace: __pi_strlen+0x14/0x150 kernfs_find_ns+0x54/0x120 kernfs_remove_by_name_ns+0x58/0xf0 sysfs_remove_bin_file+0x24/0x38 pci_remove_resource_files+0x44/0x90 pci_remove_sysfs_dev_files+0x28/0x40 pci_stop_bus_device+0xb8/0x118 pci_stop_and_remove_bus_device+0x20/0x40 pci_iov_remove_virtfn+0xb8/0x138 sriov_disable+0xbc/0x190 pci_disable_sriov+0x30/0x48 hinic_pci_sriov_disable+0x54/0x138 [hinic] hinic_remove+0x140/0x290 [hinic] pci_device_remove+0x4c/0xf8 device_remove+0x54/0x90 device_release_driver_internal+0x1d4/0x238 device_release_driver+0x20/0x38 pci_stop_bus_device+0xa8/0x118 pci_stop_and_remove_bus_device_locked+0x28/0x50 remove_store+0x128/0x208 Fix this by set the pointer to NULL after releasing 'res_attr' immediately. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ziming Du --- drivers/pci/pci-sysfs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 18e5d4603b472..fbcbf39232732 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -1227,12 +1227,14 @@ static void pci_remove_resource_files(struct pci_de= v *pdev) if (res_attr) { sysfs_remove_bin_file(&pdev->dev.kobj, res_attr); kfree(res_attr); + pdev->res_attr[i] =3D NULL; } =20 res_attr =3D pdev->res_attr_wc[i]; if (res_attr) { sysfs_remove_bin_file(&pdev->dev.kobj, res_attr); kfree(res_attr); + pdev->res_attr_wc[i] =3D NULL; } } } --=20 2.43.0 From nobody Mon Feb 9 00:27:02 2026 Received: from canpmsgout05.his.huawei.com (canpmsgout05.his.huawei.com [113.46.200.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E743B1C84B8; Fri, 16 Jan 2026 07:52:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.220 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549948; cv=none; b=kCui+eL78hz6ot2mby6L4dYx0+t604gHdbrdj8c+RXmn+REDzyYOWv/MyaZK8fwjb/yhtt8ky0HhbC3rcn/a1a7FhjlxSp/VzPPkRe0+WuXvcgRH4rCITORuHRyiusfJgOT+lKOOc/k7BNFgYJVHseYCZEms0Q2LUEt3rEDfpXw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549948; c=relaxed/simple; bh=nm0eA/yDztL9ix7zhcM5v7OQgf1tHidKRps0ydXnkLc=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=hlGdHj9HiYCXtkg8We73aPn58YWRt6Fq4TjOfOcyXHoHO003XXguSTeSbSbePomDMduPA+KEyMv2ew3beircEUUillnuWCZb9svti+shw45+9mZ6mhn22h+6MRE6hvN80gtGxwTR+Em7+qaYXdML+Qc5R9JuaaQrQQ55gP19RF4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=2hBsRfUj; arc=none smtp.client-ip=113.46.200.220 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="2hBsRfUj" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=Xdx1CNYDh2ae1MTXHIUWs+/1UyQlOBpJoTdTAzXNXzY=; b=2hBsRfUj4YVCi0IoVG9f60uhEKZg4gCKaBMtZz3lhUUOtKuB5LtvLqs8guMXtBaR3zxxXGU/7 7WcSb8xhiA9fNl+eG8b9dOzYKjC3oHHiRDaFzAlVeM/TVIs+RrANWKdjgu5IwiUg9G4RTD2vjLi ZIiV73sb3Q76fKBd7XX7dPM= Received: from mail.maildlp.com (unknown [172.19.163.104]) by canpmsgout05.his.huawei.com (SkyGuard) with ESMTPS id 4dssSN3bnnz12LJH; Fri, 16 Jan 2026 15:49:24 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id 96ACE404AD; Fri, 16 Jan 2026 15:52:23 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Fri, 16 Jan 2026 15:52:23 +0800 From: Ziming Du To: , , , CC: , , Subject: [PATCH v4 3/4] PCI: Prevent overflow in proc_bus_pci_write() Date: Fri, 16 Jan 2026 16:17:20 +0800 Message-ID: <20260116081723.1603603-4-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260116081723.1603603-1-duziming2@huawei.com> References: <20260116081723.1603603-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemr500012.china.huawei.com (7.202.195.23) From: Yongqiang Liu When the value of *ppos over the INT_MAX, the pos is over set to a negative value which will be passed to get_user() or pci_user_write_config_dword(). Unexpected behavior such as a soft lockup will happen as follows: watchdog: BUG: soft lockup - CPU#0 stuck for 130s! [syz.3.109:3444] RIP: 0010:_raw_spin_unlock_irq+0x17/0x30 Call Trace: pci_user_write_config_dword+0x126/0x1f0 proc_bus_pci_write+0x273/0x470 proc_reg_write+0x1b6/0x280 do_iter_write+0x48e/0x790 vfs_writev+0x125/0x4a0 __x64_sys_pwritev+0x1e2/0x2a0 do_syscall_64+0x59/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Fix this by adding a non-negative check before assign *ppos to pos. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yongqiang Liu Signed-off-by: Ziming Du Reviewed-by: Ilpo J=C3=A4rvinen --- drivers/pci/proc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 9348a0fb80847..2d51b26edbe74 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -113,10 +113,14 @@ static ssize_t proc_bus_pci_write(struct file *file, = const char __user *buf, { struct inode *ino =3D file_inode(file); struct pci_dev *dev =3D pde_data(ino); - int pos =3D *ppos; + int pos; int size =3D dev->cfg_size; int cnt, ret; =20 + if (*ppos > INT_MAX) + return -EINVAL; + pos =3D *ppos; + ret =3D security_locked_down(LOCKDOWN_PCI_ACCESS); if (ret) return ret; --=20 2.43.0 From nobody Mon Feb 9 00:27:02 2026 Received: from canpmsgout12.his.huawei.com (canpmsgout12.his.huawei.com [113.46.200.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 12756224240; Fri, 16 Jan 2026 07:52:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549949; cv=none; b=r09K8trzA0TNFQv4Ek9S9FFZlRnnXHYSjLbXm5BECbTm16nUCqR8rJD3LxAzYy4g1rdv/q1CjpI27xLREaWxKeRfJbjjdld4R9iLsFwCfQn7h5nrcUDVFL1vqnbg3n5SsAQGR1bugcNfyoJ8HOyr8c/VmK4xp5+lQrEpzCdGr/w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768549949; c=relaxed/simple; bh=Ud2R8irrjHV8oKAesOvvjnfDJQcG9DLau/Q333OJ60E=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=SwJ2kyEFC8C/VTnJNA3SpoYCyIxXmMTBBAfInYEA8hq//Rl+5qWxOD8ehOUa4r/rtDL2Ih864V29yUomUnIrUFtx1gcAu5UAUSKZU+7djROj/gMPITcEaZ7GsxMfLjNzM5YC1DSS4SwDv7L0dVx+htA7qwJBzv+pR4T6UVUiGuk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=gNhT2San; arc=none smtp.client-ip=113.46.200.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="gNhT2San" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=dqybSqFRGWH2S5xIK9Mjnk5ZtSwQkwEhkJIGN6a62is=; b=gNhT2Sanmno83BrnYUVhut8QeP+WLWVvWvc0boguOaRphYR1j67TMTTe7ODcjv+FcHRk4iemW d02a6Y+eM+UakPzFKRvV+QBU4/dSicIB5FQFuENfe6DDPLxsm+yim9glZVnviOUK2ocaPfX9wYE tei1X7EotstbwX88QJeuV30= Received: from mail.maildlp.com (unknown [172.19.163.214]) by canpmsgout12.his.huawei.com (SkyGuard) with ESMTPS id 4dssSN5sHJznTVR; Fri, 16 Jan 2026 15:49:24 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id E35734056C; Fri, 16 Jan 2026 15:52:23 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Fri, 16 Jan 2026 15:52:23 +0800 From: Ziming Du To: , , , CC: , , Subject: [PATCH v4 4/4] PCI: Prevent overflow in proc_bus_pci_read() Date: Fri, 16 Jan 2026 16:17:21 +0800 Message-ID: <20260116081723.1603603-5-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260116081723.1603603-1-duziming2@huawei.com> References: <20260116081723.1603603-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems200001.china.huawei.com (7.221.188.67) To kwepemr500012.china.huawei.com (7.202.195.23) proc_bus_pci_read() assigns *ppos directly to an unsigned integer variable. For large offsets, this implicit conversion may truncate the value and cause reads from an incorrect position. proc_bus_pci_write() explicitly validates *ppos and rejects values larger than INT_MAX, while proc_bus_pci_read() currently accepts them. This difference in position handling is unjustified. Fix this by validating *ppos in proc_bus_pci_read() and rejecting offsets larger than INT_MAX before the assignment, matching proc_bus_pci_write(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ziming Du Suggested-by: Ilpo J=C3=A4rvinen --- drivers/pci/proc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 2d51b26edbe74..f4ef7629dc78b 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -29,9 +29,12 @@ static ssize_t proc_bus_pci_read(struct file *file, char= __user *buf, size_t nbytes, loff_t *ppos) { struct pci_dev *dev =3D pde_data(file_inode(file)); - unsigned int pos =3D *ppos; + int pos; unsigned int cnt, size; =20 + if (*ppos > INT_MAX) + return -EINVAL; + pos =3D *ppos; /* * Normal users can read only the standardized portion of the * configuration space as several chips lock up when trying to read --=20 2.43.0