{"id":2222927,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2222927/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260414024544.2975605-4-duziming2@huawei.com/","project":{"id":28,"url":"http://patchwork.ozlabs.org/api/1.1/projects/28/?format=json","name":"Linux PCI development","link_name":"linux-pci","list_id":"linux-pci.vger.kernel.org","list_email":"linux-pci@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260414024544.2975605-4-duziming2@huawei.com>","date":"2026-04-14T02:45:43","name":"[3/4] PCI: Prevent overflow in proc_bus_pci_write()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"e3f25dff65b6b3e492764f490ac6f0b6ce7652a4","submitter":{"id":92271,"url":"http://patchwork.ozlabs.org/api/1.1/people/92271/?format=json","name":"Ziming Du","email":"duziming2@huawei.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260414024544.2975605-4-duziming2@huawei.com/mbox/","series":[{"id":499767,"url":"http://patchwork.ozlabs.org/api/1.1/series/499767/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/list/?series=499767","date":"2026-04-14T02:45:42","name":"PCI: Fix procfs PCI config access issues","version":1,"mbox":"http://patchwork.ozlabs.org/series/499767/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222927/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222927/checks/","tags":{},"headers":{"Return-Path":"\n <linux-pci+bounces-52464-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=huawei.com header.i=@huawei.com header.a=rsa-sha256\n header.s=dkim header.b=DAOOkSiF;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-pci+bounces-52464-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com\n header.b=\"DAOOkSiF\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=113.46.200.217","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=huawei.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=huawei.com"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvp3S0lkhz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 12:23:16 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 932AD30372FD\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 02:22:36 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id E63963101C0;\n\tTue, 14 Apr 2026 02:22:31 +0000 (UTC)","from canpmsgout02.his.huawei.com (canpmsgout02.his.huawei.com\n [113.46.200.217])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id F08DC30C60E;\n\tTue, 14 Apr 2026 02:22:28 +0000 (UTC)","from mail.maildlp.com (unknown [172.19.162.140])\n\tby canpmsgout02.his.huawei.com (SkyGuard) with ESMTPS id 4fvnv25jlxzcZyN;\n\tTue, 14 Apr 2026 10:15:58 +0800 (CST)","from kwepemr500012.china.huawei.com (unknown [7.202.195.23])\n\tby mail.maildlp.com (Postfix) with ESMTPS id 854C1203AD;\n\tTue, 14 Apr 2026 10:22:26 +0800 (CST)","from localhost.localdomain (10.50.85.180) by\n kwepemr500012.china.huawei.com (7.202.195.23) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.2.1544.11; Tue, 14 Apr 2026 10:22:26 +0800"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776133351; cv=none;\n b=qyBNpTuHvaig3n9DcxdaqZkWGW/LXDpq8r6QJH5A+1su6bkne9WoYkFfxPdT+dz4sE6PWYnQHXKDEvpbkOHF+jt8wSDjzSZ+jtJmezEEmZRKJVi4s0IlLTXAZRdqgT5/z69b6LLP0VBCSKN77mtYUEodtOE+OVs9cmbXNw5JL4U=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776133351; c=relaxed/simple;\n\tbh=/wtDT4MdnjgvJOOsjhVjUp0LNp1B6GMWXTJNUgL8GOo=;\n\th=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version:Content-Type;\n b=S3rpOZBpmY7v8TPAMMeKLW8ko1m6fPW7Smfy1UGJbttbdGExE6W3DJ6nPYPZ+qU05pTjFwOWB8yCJl+MsJiiWVUQp+Cypg0jsWuchxBMvg+yOEO9cL+RWrj9L6IMUsbQJ+GUzR11jADP+DB30IGvvxF30nHMAwpoMnfQzCe7h9o=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=huawei.com;\n spf=pass smtp.mailfrom=huawei.com;\n dkim=pass (1024-bit key) header.d=huawei.com header.i=@huawei.com\n header.b=DAOOkSiF; arc=none smtp.client-ip=113.46.200.217","dkim-signature":"v=1; a=rsa-sha256; d=huawei.com; s=dkim;\n\tc=relaxed/relaxed; q=dns/txt;\n\th=From;\n\tbh=M3KMhP/WcVNEddR6J8mToVU8dtDZqfoBTUitiX8FtdU=;\n\tb=DAOOkSiFkUmnJ7sRuOGEgkbjWmpxWq/TnfRveW+z+qQYyHKOPFoc4tYdJrvXDGFFY6aMdbaDL\n\tRZ8npvW2H7xWTC1OPjrbiXiUh6pRPcjwp+kNf2+mBgsrqcNqbOzHu8wdEI7/mZrt3adD+WIshqL\n\t5KoW4xtV/baKj1D2M1wlm0k=","From":"Ziming Du <duziming2@huawei.com>","To":"<bhelgaas@google.com>","CC":"<linux-pci@vger.kernel.org>, <linux-kernel@vger.kernel.org>,\n\t<liuyongqiang13@huawei.com>, <duziming2@huawei.com>","Subject":"[PATCH 3/4] PCI: Prevent overflow in proc_bus_pci_write()","Date":"Tue, 14 Apr 2026 10:45:43 +0800","Message-ID":"<20260414024544.2975605-4-duziming2@huawei.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260414024544.2975605-1-duziming2@huawei.com>","References":"<20260414024544.2975605-1-duziming2@huawei.com>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Content-Type":"text/plain","X-ClientProxiedBy":"kwepems500002.china.huawei.com (7.221.188.17) To\n kwepemr500012.china.huawei.com (7.202.195.23)"},"content":"When the value of *ppos over the INT_MAX, the variable off is over\nset to a negative value which will be passed to get_user() or\npci_user_write_config_dword(). Unexpected behavior such as a soft lockup\nwill happen as follows:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 130s! [syz.3.109:3444]\n RIP: 0010:_raw_spin_unlock_irq+0x17/0x30\n Call Trace:\n  <TASK>\n  pci_user_write_config_dword+0x126/0x1f0\n  proc_bus_pci_write+0x273/0x470\n  proc_reg_write+0x1b6/0x280\n  do_iter_write+0x48e/0x790\n  vfs_writev+0x125/0x4a0\n  __x64_sys_pwritev+0x1e2/0x2a0\n  do_syscall_64+0x59/0x110\n  entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFix this by changing the type of off to loff_t.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nSigned-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>\nSigned-off-by: Ziming Du <duziming2@huawei.com>\n---\n drivers/pci/proc.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c\nindex 6524280bc903..a5db7d23353a 100644\n--- a/drivers/pci/proc.c\n+++ b/drivers/pci/proc.c\n@@ -113,7 +113,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,\n {\n \tstruct inode *ino = file_inode(file);\n \tstruct pci_dev *dev = pde_data(ino);\n-\tint off = *ppos;\n+\tloff_t off = *ppos;\n \tunsigned int size = nbytes;\n \tint ret;\n \n","prefixes":["3/4"]}