The following testcase can trigger a softlockup BUG.

syscall(__NR_pwritev, /*fd=*/..., /*vec=*/..., /*vlen=*/..., /*pos_l=*/0x80010000, /*pos_h=*/0x100);

watchdog: BUG: soft lockup - CPU#19 stuck for 26s! [test:470]
Modules linked in:
CPU: 19 UID: 0 PID: 470 Comm: test Not tainted 6.17.0-rc4-00201-gd69eb204c255 #159 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:_raw_spin_unlock_irq+0xf/0x20
Code: 0f 1f 44 00 00 e9 51 18 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa c6 07 00 fb 65 ff 0d c1 78 35 010
RSP: 0018:ffffc900016b7d70 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000818d3878
RDX: 0000000000000cfc RSI: 0000000000000046 RDI: ffffffff835d76e8
RBP: ffff8880606c6000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000818d3878 R14: 0000000080010000 R15: ffff888020898d68
FS: 000000002472d880(0000) GS:ffff8880bbd9c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000218c3878 CR3: 00000000206ae000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 pci_user_write_config_dword+0x66/0xc0
 proc_bus_pci_write+0x135/0x240
 proc_reg_write+0x50/0x90
 vfs_writev+0x1d9/0x340
 ? getname_flags.part.0+0x20/0x1d0
 ? do_sys_openat2+0x88/0xd0
 do_pwritev+0x85/0xc0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The pos_l parameter of the pwritev syscall may be a negative integer value, which will make the variable pos in proc_bus_pci_write() negative and the variable cnt a very large number.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Signed-off-by: Wang ShaoBo <bobo.shaobowang@xxxxxxxxxx>
---
 drivers/pci/proc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 9348a0fb8084..2fc3340ff79e 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -113,9 +113,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, { struct inode *ino = file_inode(file); struct pci_dev *dev = pde_data(ino); - int pos = *ppos; - int size = dev->cfg_size; - int cnt, ret; + unsigned int pos = *ppos; + unsigned int cnt, size = dev->cfg_size; + int ret; ret = security_locked_down(LOCKDOWN_PCI_ACCESS); if (ret) -- 2.25.1
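Review bot: making `pos` an `unsigned int` removes the sign problem but still narrows `*ppos`, a 64-bit loff_t, to 32 bits, so an offset such as 0x100000010 becomes 0x10 and will satisfy any later bound check written against `pos` even though the real offset is far beyond `dev->cfg_size`; validate the full offset before narrowing, e.g. `if (*ppos < 0 || *ppos >= dev->cfg_size) return 0;` and only then assign `pos`. Minor style point: `unsigned int cnt, size = dev->cfg_size;` mixes an uninitialised and an initialised declaration on one line; keeping `size` on its own line, as the removed lines did, reads better.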
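An added userspace model (not the kernel's code) of how the pwritev offset from the testcase above reaches proc_bus_pci_write() and what the two narrowings in the hunk do to it; CFG_SIZE is a constructed cfg_size and checked_pos() is a hypothetical defensive variant that validates the full 64-bit offset first.

```c
/* Added example, not the kernel's code: models the offset handling around
 * proc_bus_pci_write(). CFG_SIZE is constructed; checked_pos() is hypothetical. */
#include <stdint.h>
#include <stdio.h>

typedef int64_t kernel_loff_t;      /* stands in for the kernel's loff_t */
#define CFG_SIZE 256u               /* constructed dev->cfg_size (legacy config space) */

/* On a 64-bit kernel the pos_h word is shifted out entirely (two 32-bit
 * shifts), so the file offset is simply pos_l: here 0x80010000, a positive
 * loff_t, which matches R14 in the register dump above. */
static kernel_loff_t offset_from_hilo(uint64_t pos_h, uint64_t pos_l)
{
    uint64_t hi = ((uint64_t)pos_h << 32) << 32;   /* always 0 on 64-bit */
    return (kernel_loff_t)(hi | pos_l);
}

/* Before the patch: int pos = *ppos; bit 31 set makes pos negative. */
static int pos_before(kernel_loff_t ppos)
{
    return (int)ppos;
}

/* After the patch: unsigned int pos = *ppos; the sign problem is gone, but
 * bits 32..63 of the offset are still silently discarded. */
static unsigned int pos_after(kernel_loff_t ppos)
{
    return (unsigned int)ppos;
}

/* Defensive variant: validate the full 64-bit offset before narrowing.
 * Returns the narrowed position, or -1 if the offset is outside config space. */
static long checked_pos(kernel_loff_t ppos)
{
    if (ppos < 0 || (uint64_t)ppos >= CFG_SIZE)
        return -1;
    return (long)(unsigned int)ppos;
}

int main(void)
{
    kernel_loff_t off = offset_from_hilo(0x100, 0x80010000);

    printf("offset=%#llx int=%d unsigned=%#x checked=%ld\n",
           (unsigned long long)off, pos_before(off), pos_after(off),
           checked_pos(off));
    return 0;
}
```

The second case in the test (offset 0x100000010) shows the remaining gap: the unsigned narrowing reports 0x10, while the full-offset check rejects it.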