From nobody Mon Jun 15 21:44:15 2026 Received: from canpmsgout12.his.huawei.com (canpmsgout12.his.huawei.com [113.46.200.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D37630ACF1; Tue, 14 Apr 2026 02:22:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133352; cv=none; b=dnWyOfK9RupoznC9XgWbVv2CM+ntkAxqW2066ujxJI+We+jNb/eZKzxTpYL5spl5jcjB9+O7FndlYw5zTor9B2jYz9msPsBBEFUHBkA9PNH/DKHXVO8UB+mG29X4Wq9L53wAVpjhvbNS8qGY7SjkC5zGt9qQhXibzOhOXvwhdLA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133352; c=relaxed/simple; bh=gLbu8vV6zSfCb2K3PXxLXG24R45tEvAkDPA1Z9QOjU4=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=TQIPQji23CzHabkYvVlcUFPoz1tTCZs2AKUsrKdD6Ahbn/WRVGdTQhra2xpu5neyMxAWzLEPCpQKm6EL3nygp3HH62Ma94lsqYCmYpLSnLEEDORJf5cP2LQ9Z7TGiZCCwKy/LnS1NJqTzB62BnbDPUQWYH+KvdV1NWSs3spodeg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=g7CCuyJR; arc=none smtp.client-ip=113.46.200.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="g7CCuyJR" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=TcGN3KT4A6NaI0fC1ZrfIs//CROmnI9Y++uz8C6hcO0=; b=g7CCuyJRfXZEPycaDlHO/eDtVqTu6bJ7MdFAUwDzIlVDFyAsWMYCZ0f07yr+ZXXcGW1BVSWxs MuLpUT1Wp9K8goDnUy/4k0lh3kHnOARQENoMNTr4CLykLRcZep5VRpEPPIBv4jZcmDhi6NFOCeS 562i9/cH8ayip95FFyHzwiM= Received: from mail.maildlp.com (unknown [172.19.162.92]) by canpmsgout12.his.huawei.com (SkyGuard) with ESMTPS id 4fvnvC1MnSznTXb; Tue, 14 Apr 2026 10:16:07 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id DEC5940565; Tue, 14 Apr 2026 10:22:25 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 14 Apr 2026 10:22:25 +0800 From: Ziming Du To: CC: , , , Subject: [PATCH 1/4] PCI: Align proc_bus_pci_write() with pci_write_config() Date: Tue, 14 Apr 2026 10:45:41 +0800 Message-ID: <20260414024544.2975605-2-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260414024544.2975605-1-duziming2@huawei.com> References: <20260414024544.2975605-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To kwepemr500012.china.huawei.com (7.202.195.23) Content-Type: text/plain; charset="utf-8" proc_bus_pci_write() and pci_write_config() implement essentially the same functionality. To improve consistency across the PCI subsystem, align the implementation in procfs with the sysfs counterpart. Specifically: - Use dev->cfg_size directly insted of assigning it to 'size'. - Rename the variable 'pos' to 'off' and replace 'cnt' with 'size'. - Remove the redundant bounds check `if (nbytes >=3D size)`. No functional change intended. Suggested-by: Bjorn Helgaas Signed-off-by: Ziming Du --- drivers/pci/proc.c | 57 +++++++++++++++++++++++----------------------- 1 file changed, 28 insertions(+), 29 deletions(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index ce36e35681e8..ff5e4980c99c 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -113,73 +113,72 @@ static ssize_t proc_bus_pci_write(struct file *file, = const char __user *buf, { struct inode *ino =3D file_inode(file); struct pci_dev *dev =3D pde_data(ino); - int pos =3D *ppos; - int size =3D dev->cfg_size; - int cnt, ret; + int off =3D *ppos; + unsigned int size =3D nbytes; + int ret; =20 ret =3D security_locked_down(LOCKDOWN_PCI_ACCESS); if (ret) return ret; =20 - if (pos >=3D size) + if (off >=3D dev->cfg_size) return 0; - if (nbytes >=3D size) + if (off + size > dev->cfg_size) { + size =3D dev->cfg_size - off; nbytes =3D size; - if (pos + nbytes > size) - nbytes =3D size - pos; - cnt =3D nbytes; + } =20 - if (!access_ok(buf, cnt)) + if (!access_ok(buf, size)) return -EINVAL; =20 pci_config_pm_runtime_get(dev); =20 - if ((pos & 1) && cnt) { + if ((off & 1) && size) { unsigned char val; __get_user(val, buf); - pci_user_write_config_byte(dev, pos, val); + pci_user_write_config_byte(dev, off, val); buf++; - pos++; - cnt--; + off++; + size--; } =20 - if ((pos & 3) && cnt > 2) { + if ((off & 3) && size > 2) { __le16 val; __get_user(val, (__le16 __user *) buf); - pci_user_write_config_word(dev, pos, le16_to_cpu(val)); + pci_user_write_config_word(dev, off, le16_to_cpu(val)); buf +=3D 2; - pos +=3D 2; - cnt -=3D 2; + off +=3D 2; + size -=3D 2; } =20 - while (cnt >=3D 4) { + while (size >=3D 4) { __le32 val; __get_user(val, (__le32 __user *) buf); - pci_user_write_config_dword(dev, pos, le32_to_cpu(val)); + pci_user_write_config_dword(dev, off, le32_to_cpu(val)); buf +=3D 4; - pos +=3D 4; - cnt -=3D 4; + off +=3D 4; + size -=3D 4; } =20 - if (cnt >=3D 2) { + if (size >=3D 2) { __le16 val; __get_user(val, (__le16 __user *) buf); - pci_user_write_config_word(dev, pos, le16_to_cpu(val)); + pci_user_write_config_word(dev, off, le16_to_cpu(val)); buf +=3D 2; - pos +=3D 2; - cnt -=3D 2; + off +=3D 2; + size -=3D 2; } =20 - if (cnt) { + if (size) { unsigned char val; __get_user(val, buf); - pci_user_write_config_byte(dev, pos, val); - pos++; + pci_user_write_config_byte(dev, off, val); + off++; } =20 pci_config_pm_runtime_put(dev); =20 - *ppos =3D pos; + *ppos =3D off; i_size_write(ino, dev->cfg_size); return nbytes; } --=20 2.43.0 From nobody Mon Jun 15 21:44:15 2026 Received: from canpmsgout09.his.huawei.com (canpmsgout09.his.huawei.com [113.46.200.224]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F7E730B521; Tue, 14 Apr 2026 02:22:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.224 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133352; cv=none; b=bqXz+8FQ9wM5fpFQmcDp8787L8LLYa0lHe2VgK8nIlC5Xc5OA7MIuyCoDZyi4uYc4PSW5YzWFr4739bb0P9y2EaYqu5V2/6aOU6AihBHemiM434lKObBlp6qy1gU7+FFJtcrGagJk3LorSI3NHyhoBmxKanOMCn4zdoUs+gSMfg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133352; c=relaxed/simple; bh=OYkLhFwawqdifqFscbU3VrkupspsrT9kdrl8ENlfcaA=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ClifDsAAx3srE01Wr6DBASwg0hAlcEX2iwJ5YjqeU/2nRCnehOgTPQdBwgPSgBHnpVQbjc/wanYdMLF29QKZQDmE+VLPa0uizYx6p5G88GjS0T6xLohzfaAixDhPkRRdiqSmb4EdNgd2RuQT3IcC3GuD/GSUkV10/5Wc6gejX5A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=3oJ7rQSZ; arc=none smtp.client-ip=113.46.200.224 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="3oJ7rQSZ" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=3CqcaT1vZ2gMe5Cbby6fLwgvxf74pWm2QxJf1ILn2LM=; b=3oJ7rQSZsri+ydi0m7rb2IRDNY3IYhS0SKZGz0K1SsEp4vKU8fQ+H6Umdcme34/L4QeHSOVM7 0t7xwaBkU6jW6sK7bX2LWEqyHsiisuI+jnKwNdKDv/n4l+TuFFHatOWDdDE31/y/oAgy18ex0Vl Q45+0eHJH1WRTBUlPOoKABc= Received: from mail.maildlp.com (unknown [172.19.163.15]) by canpmsgout09.his.huawei.com (SkyGuard) with ESMTPS id 4fvnvF3PZrz1cyPZ; Tue, 14 Apr 2026 10:16:09 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id 3B8B740539; Tue, 14 Apr 2026 10:22:26 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 14 Apr 2026 10:22:25 +0800 From: Ziming Du To: CC: , , , Subject: [PATCH 2/4] PCI: Align proc_bus_pci_read() with pci_read_config() Date: Tue, 14 Apr 2026 10:45:42 +0800 Message-ID: <20260414024544.2975605-3-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260414024544.2975605-1-duziming2@huawei.com> References: <20260414024544.2975605-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To kwepemr500012.china.huawei.com (7.202.195.23) Content-Type: text/plain; charset="utf-8" proc_bus_pci_read() and pci_read_config() implement essentially the same functionality. To improve consistency across the PCI subsystem, align the implementation in procfs with the sysfs counterpart. Specifically: - Rename the variable 'pos' to 'off' and replace 'cnt' with 'count'. - Remove the redundant bounds check `if (nbytes >=3D size)`. No functional change intended. Suggested-by: Bjorn Helgaas Signed-off-by: Ziming Du --- drivers/pci/proc.c | 58 +++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index ff5e4980c99c..6524280bc903 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -29,8 +29,9 @@ static ssize_t proc_bus_pci_read(struct file *file, char = __user *buf, size_t nbytes, loff_t *ppos) { struct pci_dev *dev =3D pde_data(file_inode(file)); - unsigned int pos =3D *ppos; - unsigned int cnt, size; + unsigned int off =3D *ppos; + unsigned int count =3D nbytes; + unsigned int size; =20 /* * Normal users can read only the standardized portion of the @@ -45,66 +46,65 @@ static ssize_t proc_bus_pci_read(struct file *file, cha= r __user *buf, else size =3D 64; =20 - if (pos >=3D size) + if (off >=3D size) return 0; - if (nbytes >=3D size) - nbytes =3D size; - if (pos + nbytes > size) - nbytes =3D size - pos; - cnt =3D nbytes; + if (off + count > size) { + count =3D size - off; + nbytes =3D count; + } =20 - if (!access_ok(buf, cnt)) + if (!access_ok(buf, count)) return -EINVAL; =20 pci_config_pm_runtime_get(dev); =20 - if ((pos & 1) && cnt) { + if ((off & 1) && count) { unsigned char val; - pci_user_read_config_byte(dev, pos, &val); + pci_user_read_config_byte(dev, off, &val); __put_user(val, buf); buf++; - pos++; - cnt--; + off++; + count--; } =20 - if ((pos & 3) && cnt > 2) { + if ((off & 3) && count > 2) { unsigned short val; - pci_user_read_config_word(dev, pos, &val); + pci_user_read_config_word(dev, off, &val); __put_user(cpu_to_le16(val), (__le16 __user *) buf); buf +=3D 2; - pos +=3D 2; - cnt -=3D 2; + off +=3D 2; + count -=3D 2; } =20 - while (cnt >=3D 4) { + while (count >=3D 4) { unsigned int val; - pci_user_read_config_dword(dev, pos, &val); + pci_user_read_config_dword(dev, off, &val); __put_user(cpu_to_le32(val), (__le32 __user *) buf); buf +=3D 4; - pos +=3D 4; - cnt -=3D 4; + off +=3D 4; + count -=3D 4; cond_resched(); } =20 - if (cnt >=3D 2) { + if (count >=3D 2) { unsigned short val; - pci_user_read_config_word(dev, pos, &val); + pci_user_read_config_word(dev, off, &val); __put_user(cpu_to_le16(val), (__le16 __user *) buf); buf +=3D 2; - pos +=3D 2; - cnt -=3D 2; + off +=3D 2; + count -=3D 2; } =20 - if (cnt) { + if (count) { unsigned char val; - pci_user_read_config_byte(dev, pos, &val); + pci_user_read_config_byte(dev, off, &val); __put_user(val, buf); - pos++; + off++; } =20 pci_config_pm_runtime_put(dev); =20 - *ppos =3D pos; + *ppos =3D off; return nbytes; } =20 --=20 2.43.0 From nobody Mon Jun 15 21:44:15 2026 Received: from canpmsgout02.his.huawei.com (canpmsgout02.his.huawei.com [113.46.200.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F08DC30C60E; Tue, 14 Apr 2026 02:22:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.217 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133351; cv=none; b=qyBNpTuHvaig3n9DcxdaqZkWGW/LXDpq8r6QJH5A+1su6bkne9WoYkFfxPdT+dz4sE6PWYnQHXKDEvpbkOHF+jt8wSDjzSZ+jtJmezEEmZRKJVi4s0IlLTXAZRdqgT5/z69b6LLP0VBCSKN77mtYUEodtOE+OVs9cmbXNw5JL4U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133351; c=relaxed/simple; bh=/wtDT4MdnjgvJOOsjhVjUp0LNp1B6GMWXTJNUgL8GOo=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=S3rpOZBpmY7v8TPAMMeKLW8ko1m6fPW7Smfy1UGJbttbdGExE6W3DJ6nPYPZ+qU05pTjFwOWB8yCJl+MsJiiWVUQp+Cypg0jsWuchxBMvg+yOEO9cL+RWrj9L6IMUsbQJ+GUzR11jADP+DB30IGvvxF30nHMAwpoMnfQzCe7h9o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=DAOOkSiF; arc=none smtp.client-ip=113.46.200.217 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="DAOOkSiF" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=M3KMhP/WcVNEddR6J8mToVU8dtDZqfoBTUitiX8FtdU=; b=DAOOkSiFkUmnJ7sRuOGEgkbjWmpxWq/TnfRveW+z+qQYyHKOPFoc4tYdJrvXDGFFY6aMdbaDL RZ8npvW2H7xWTC1OPjrbiXiUh6pRPcjwp+kNf2+mBgsrqcNqbOzHu8wdEI7/mZrt3adD+WIshqL 5KoW4xtV/baKj1D2M1wlm0k= Received: from mail.maildlp.com (unknown [172.19.162.140]) by canpmsgout02.his.huawei.com (SkyGuard) with ESMTPS id 4fvnv25jlxzcZyN; Tue, 14 Apr 2026 10:15:58 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id 854C1203AD; Tue, 14 Apr 2026 10:22:26 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 14 Apr 2026 10:22:26 +0800 From: Ziming Du To: CC: , , , Subject: [PATCH 3/4] PCI: Prevent overflow in proc_bus_pci_write() Date: Tue, 14 Apr 2026 10:45:43 +0800 Message-ID: <20260414024544.2975605-4-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260414024544.2975605-1-duziming2@huawei.com> References: <20260414024544.2975605-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To kwepemr500012.china.huawei.com (7.202.195.23) Content-Type: text/plain; charset="utf-8" When the value of *ppos over the INT_MAX, the variable off is over set to a negative value which will be passed to get_user() or pci_user_write_config_dword(). Unexpected behavior such as a soft lockup will happen as follows: watchdog: BUG: soft lockup - CPU#0 stuck for 130s! [syz.3.109:3444] RIP: 0010:_raw_spin_unlock_irq+0x17/0x30 Call Trace: pci_user_write_config_dword+0x126/0x1f0 proc_bus_pci_write+0x273/0x470 proc_reg_write+0x1b6/0x280 do_iter_write+0x48e/0x790 vfs_writev+0x125/0x4a0 __x64_sys_pwritev+0x1e2/0x2a0 do_syscall_64+0x59/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Fix this by changing the type of off to loff_t. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yongqiang Liu Signed-off-by: Ziming Du --- drivers/pci/proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index 6524280bc903..a5db7d23353a 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -113,7 +113,7 @@ static ssize_t proc_bus_pci_write(struct file *file, co= nst char __user *buf, { struct inode *ino =3D file_inode(file); struct pci_dev *dev =3D pde_data(ino); - int off =3D *ppos; + loff_t off =3D *ppos; unsigned int size =3D nbytes; int ret; =20 --=20 2.43.0 From nobody Mon Jun 15 21:44:15 2026 Received: from canpmsgout05.his.huawei.com (canpmsgout05.his.huawei.com [113.46.200.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2512A30FF31; Tue, 14 Apr 2026 02:22:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=113.46.200.220 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133351; cv=none; b=Y4GseAtqhuwbccT4Cu3fDWR6ws821woaRvj+dTtBYP1xlG5wPNjQY3IhjzLvxZwMUR6hzqgV4i4bVcXZkMCJvLYB5NjQuJl0bfQYWa5IC16HKpvH79y44i7F8Lj3+tOxVqul2VF+9r9kgOoKQJ957Ykjw2z8a9thHpp1RJuqYHk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776133351; c=relaxed/simple; bh=FS1SeOowBA8gVevNxsZJHOuY/+0HP+CQiKPo21lhM/E=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=R3xxB4Kh90h9tF7WHvQt3IEidiuMbWuO9pYbkvE3suvdnHchR40lgmklL2P2UyMftU9hr/rv3xv/1JRceakndEj4o4h77VBAX2BwqKMlan0cReNRUJbStL0AmfovqxDSzI0mRK0HpcWp4NJvI33fwt0/vHWjo2roPpRQ9PA+lrc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b=6XizOr64; arc=none smtp.client-ip=113.46.200.220 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com header.b="6XizOr64" dkim-signature: v=1; a=rsa-sha256; d=huawei.com; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From; bh=qzl/k/41auKXeIJoyyj8kJiE746ZRuL8fpePAiVIFKA=; b=6XizOr64tVdveY4iAm9fCU/G8D5ioZ293uPIDR5NVwmM9mYeYpLmin2rN2ppXYZ/i6CE1B5lQ NDU1ddxR5YhsWFwcik9zSAC5JnKmeOVhYzwh8oj0D7yMkjXNvxRPhhlYVylolDL3sZ2jCjQTz7S qX0GFx5ihCanyPddXHMQmgE= Received: from mail.maildlp.com (unknown [172.19.162.144]) by canpmsgout05.his.huawei.com (SkyGuard) with ESMTPS id 4fvnvD18GQz12LCb; Tue, 14 Apr 2026 10:16:08 +0800 (CST) Received: from kwepemr500012.china.huawei.com (unknown [7.202.195.23]) by mail.maildlp.com (Postfix) with ESMTPS id D58AE40572; Tue, 14 Apr 2026 10:22:26 +0800 (CST) Received: from localhost.localdomain (10.50.85.180) by kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 14 Apr 2026 10:22:26 +0800 From: Ziming Du To: CC: , , , Subject: [PATCH 4/4] PCI: Prevent overflow in proc_bus_pci_read() Date: Tue, 14 Apr 2026 10:45:44 +0800 Message-ID: <20260414024544.2975605-5-duziming2@huawei.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260414024544.2975605-1-duziming2@huawei.com> References: <20260414024544.2975605-1-duziming2@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: kwepems500002.china.huawei.com (7.221.188.17) To kwepemr500012.china.huawei.com (7.202.195.23) proc_bus_pci_read() assigns the 64-bit loff_t *ppos directly to a 32-bit integer variable. For large offsets, such as 0x100000000, this implicit conversion could truncate the value and incorrectly consider the offset as valid. Fix this by changing the type of off to loff_t. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Ziming Du Suggested-by: Ilpo J=C3=A4rvinen --- drivers/pci/proc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c index a5db7d23353a..f11f48becf52 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -29,7 +29,7 @@ static ssize_t proc_bus_pci_read(struct file *file, char = __user *buf, size_t nbytes, loff_t *ppos) { struct pci_dev *dev =3D pde_data(file_inode(file)); - unsigned int off =3D *ppos; + loff_t off =3D *ppos; unsigned int count =3D nbytes; unsigned int size; =20 --=20 2.43.0