Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2232004/?format=api
{ "id": 2232004, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2232004/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-pci/patch/20260502011446.125268-1-kartikey406@gmail.com/", "project": { "id": 28, "url": "http://patchwork.ozlabs.org/api/1.1/projects/28/?format=api", "name": "Linux PCI development", "link_name": "linux-pci", "list_id": "linux-pci.vger.kernel.org", "list_email": "linux-pci@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260502011446.125268-1-kartikey406@gmail.com>", "date": "2026-05-02T01:14:46", "name": "PCI/proc: check __get_user() return value in proc_bus_pci_write()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "dc4798dafc194440184e8d3240b745b1463e63b2", "submitter": { "id": 91725, "url": "http://patchwork.ozlabs.org/api/1.1/people/91725/?format=api", "name": "Deepanshu Kartikey", "email": "kartikey406@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-pci/patch/20260502011446.125268-1-kartikey406@gmail.com/mbox/", "series": [ { "id": 502509, "url": "http://patchwork.ozlabs.org/api/1.1/series/502509/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-pci/list/?series=502509", "date": "2026-05-02T01:14:46", "name": "PCI/proc: check __get_user() return value in proc_bus_pci_write()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502509/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2232004/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2232004/checks/", "tags": {}, "headers": { "Return-Path": "\n <linux-pci+bounces-53615-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-pci@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=KYBY0wzH;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=linux-pci+bounces-53615-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"KYBY0wzH\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.216.46", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com" ], "Received": [ "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6qhQ0NW3z1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 02 May 2026 11:15:01 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 9A35230066BA\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 2 May 2026 01:14:57 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 42AF1280A5B;\n\tSat, 2 May 2026 01:14:54 +0000 (UTC)", "from mail-pj1-f46.google.com (mail-pj1-f46.google.com\n [209.85.216.46])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id DF4917DA66\n\tfor <linux-pci@vger.kernel.org>; Sat, 2 May 2026 01:14:52 +0000 (UTC)", "by mail-pj1-f46.google.com with SMTP id\n 98e67ed59e1d1-35e576110adso1740175a91.0\n for <linux-pci@vger.kernel.org>; Fri, 01 May 2026 18:14:52 -0700 (PDT)", "from deepanshu-kernel-hacker..\n ([2405:201:682f:383f:844b:65dc:f203:e880])\n by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-364ebec736dsm3631644a91.3.2026.05.01.18.14.49\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 01 May 2026 18:14:51 -0700 (PDT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777684494; cv=none;\n b=V2JNOUgqofBrY18MVdRxrJyP58mjd+60YugyjCBeVRe9P3miXC4RCkSDR7ZpnUUFhGm4ujEa53DCY6P1ox74YfMObAjghyNX72qPg53p71tVedpRYA7t6zRsZwzFiw/mJ6i6dsldG5E8BSSArOA+N905sApzx54s2DBKOw3XaWA=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777684494; c=relaxed/simple;\n\tbh=NVRIJd3sZaE3k1Wk/wG1jgBSallzpNrHo8Bzg1ND7So=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=Q0ud6aPDcOJiU3/6bCSfZhysqg/S7Ies/rIR4ox7bzcnSGiyKlN0M1XUC7DBkEriV2jdJSWVun7Y6BisJ1lQ6ptmfcdRaEGFxDlqCPYEW8+yiMZzRYalchoptZu2EAjR79T5PcxzPjK8lZFtDYcobIzO/lwnvA7MClozStEYNME=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=KYBY0wzH; arc=none smtp.client-ip=209.85.216.46", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777684492; x=1778289292;\n darn=vger.kernel.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=yeW4hvV/WgVLnj/KuoEdcGxxm7PZW4GZRo6L36S6Gq0=;\n b=KYBY0wzHyBDbRO/no9hZBaOOugPuMM9H8tHVBNksxdU63o4cTvKB/ZJ77xaWzb3V3p\n sv53QJXLQ7AEZdSPCdEj556p69cYnCaLZRTH3rdU0mDen9fGtx5ak83AOK/yG9L+lM+T\n CkSYMU8pkd3uMXM6HC0/6RX9hpXV++L6bV6pj/tr1JHxjXCt70AdnhlZZ4P9p7BPvfeH\n zNIbhcB1mkydtUbtA3xmBXq/vxV0U9CMoZR79lU6venrzKQnGWZRlInvib8pRmqTg5wL\n EnWiG5uFDsKgdhmJshWer/iJKtqc9JxkMgtZxRROAPnEYrsR8Svcg9b0/byvw4Bg9UxW\n tjlg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777684492; x=1778289292;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=yeW4hvV/WgVLnj/KuoEdcGxxm7PZW4GZRo6L36S6Gq0=;\n b=kOmrxfiLov+Ayhj66insXnPlJEVADPTDNy/FJm2b9gwugbVKG5ADy0qGNXt09iqnM4\n c6gvl5bWQ2TbDYiWTTuZl6EnhCWG5dtzaiTEx7E3+w0o9wuR18WURNKR/LVimj5icT0F\n Q9T1FurAoECjNaoWdioWQIILrxNyjQ0jDYB8fYQAQqCVYSeg3p1EJxZR2mrSKjTD7Hes\n gpjWJd6C1QtNS5mO1U6NxbjkhM4z5Nt23RytvYoDPP27xCgL86cL9X8jeIwmINt99rB4\n 5Z+pJkRCPP1lcNCv5kLObDgqw1oFsFG5fTHgfTykYlmzXqFbt/hEaaGMpq/eYMZKMX1v\n 05Aw==", "X-Gm-Message-State": "AOJu0YwEg6iviPetWlLoGTPF8sOLym+gd+/HQr+04l5ifpfUcIfNY7uA\n\thkQNRzdXLcI13hu4xOcVn9NaaTMlQm96HDNDqpdQ4z1YfUWGjnQPTmr3", "X-Gm-Gg": "AeBDiesW1aB8KcIFTAQ7scaC6euWK0vVd2b7L2YEolEGksxLLSb0PDfFNiPZ98p2BLZ\n\tWDyGrucN1wrugPkVt/vn8AxqFVPEPRsslC0B0DGQyl3Iwan42tu4f3u8Lx61I14mv6ntqojs+US\n\t7FPc3nfOO5nXtlb7QXuse+RYZAzV+3kR0m16PTY/YfSt2PqJIVT0Qy5rLesaPEMjRjsupCWV3J7\n\tZXwW8hFbOazzzH4GDo1FABemhWwYmFJZfqycX5Ab75ANFCaochHCgRmuxCK7F93Ky488kb25arm\n\tAgXUS6P9VWdRShUBz1tmj/xBOKxVxRIFohhxK05aHsHJqqx0yzEAf/ALpwjHTH1WycK/XTABXOW\n\tsCL1ks72UOZZudt+jUPCS6D0e8enByIdP78teRyg1GzG4ojtfiBcdNkQOlGLfj9ALoI1YWFSolf\n\tqNa86ZGrQ2A0fZ6LeXhdP9/B+djKs9JfwLgS/FiSiEjS15wHfv6r4OVux03ysg4h8xTX71fx9S0\n\tMaytajx5WP1KUsoPQ==", "X-Received": "by 2002:a17:90b:52:b0:35d:a31e:6b04 with SMTP id\n 98e67ed59e1d1-364c44b5c8bmr8336612a91.3.1777684492207;\n Fri, 01 May 2026 18:14:52 -0700 (PDT)", "From": "Deepanshu Kartikey <kartikey406@gmail.com>", "To": "bhelgaas@google.com", "Cc": "linux-pci@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tDeepanshu Kartikey <kartikey406@gmail.com>,\n\tsyzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com", "Subject": "[PATCH] PCI/proc: check __get_user() return value in\n proc_bus_pci_write()", "Date": "Sat, 2 May 2026 06:44:46 +0530", "Message-ID": "<20260502011446.125268-1-kartikey406@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "Precedence": "bulk", "X-Mailing-List": "linux-pci@vger.kernel.org", "List-Id": "<linux-pci.vger.kernel.org>", "List-Subscribe": "<mailto:linux-pci+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-pci+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "proc_bus_pci_write() does not check the return value of __get_user().\nOn a faulting user pointer the extable fixup zeros the destination,\nand the function writes those zeros to PCI configuration space.\n\nsyzbot exploits this by writev()-ing a NULL iov_base to\n/proc/bus/pci/00/03.0 (the virtio-blk controller in the syzkaller VM):\nzero is written to the Command register, clearing Bus Master Enable,\nand the disk stops responding. In-flight journal writes never complete\nand jbd2 hangs in wait_on_buffer() indefinitely.\n\nCheck __get_user() and return -EFAULT on failure.\n\nReported-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid=c7604c9fdd7580cca4e0\nTested-by: syzbot+c7604c9fdd7580cca4e0@syzkaller.appspotmail.com\nSigned-off-by: Deepanshu Kartikey <kartikey406@gmail.com>\n---\n drivers/pci/proc.c | 33 +++++++++++++++++++++++++--------\n 1 file changed, 25 insertions(+), 8 deletions(-)", "diff": "diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c\nindex ce36e35681e8..54052157c276 100644\n--- a/drivers/pci/proc.c\n+++ b/drivers/pci/proc.c\n@@ -136,7 +136,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n \n \tif ((pos & 1) && cnt) {\n \t\tunsigned char val;\n-\t\t__get_user(val, buf);\n+\t\tif (__get_user(val, buf)) {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto out;\n+\t\t}\n \t\tpci_user_write_config_byte(dev, pos, val);\n \t\tbuf++;\n \t\tpos++;\n@@ -145,7 +148,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n \n \tif ((pos & 3) && cnt > 2) {\n \t\t__le16 val;\n-\t\t__get_user(val, (__le16 __user *) buf);\n+\t\tif (__get_user(val, (__le16 __user *) buf)) {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto out;\n+\t\t}\n \t\tpci_user_write_config_word(dev, pos, le16_to_cpu(val));\n \t\tbuf += 2;\n \t\tpos += 2;\n@@ -154,7 +160,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n \n \twhile (cnt >= 4) {\n \t\t__le32 val;\n-\t\t__get_user(val, (__le32 __user *) buf);\n+\t\tif (__get_user(val, (__le32 __user *) buf)) {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto out;\n+\t\t}\n \t\tpci_user_write_config_dword(dev, pos, le32_to_cpu(val));\n \t\tbuf += 4;\n \t\tpos += 4;\n@@ -163,7 +172,10 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n \n \tif (cnt >= 2) {\n \t\t__le16 val;\n-\t\t__get_user(val, (__le16 __user *) buf);\n+\t\tif (__get_user(val, (__le16 __user *) buf)) {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto out;\n+\t\t}\n \t\tpci_user_write_config_word(dev, pos, le16_to_cpu(val));\n \t\tbuf += 2;\n \t\tpos += 2;\n@@ -172,16 +184,21 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n \n \tif (cnt) {\n \t\tunsigned char val;\n-\t\t__get_user(val, buf);\n+\t\tif (__get_user(val, buf)) {\n+\t\t\tret = -EFAULT;\n+\t\t\tgoto out;\n+\t\t}\n \t\tpci_user_write_config_byte(dev, pos, val);\n \t\tpos++;\n \t}\n \n+\tret = nbytes;\n+out:\n \tpci_config_pm_runtime_put(dev);\n-\n \t*ppos = pos;\n-\ti_size_write(ino, dev->cfg_size);\n-\treturn nbytes;\n+\tif (ret > 0)\n+\t\ti_size_write(ino, dev->cfg_size);\n+\treturn ret;\n }\n \n #ifdef HAVE_PCI_MMAP\n", "prefixes": [] }