On Fri, 10 Apr 2026, Krzysztof Wilczyński wrote:
> Currently, __pci_mmap_fits() computes the BAR size using
> pci_resource_len() - 1, which wraps to a large value when the
> BAR length is zero, causing the bounds check to incorrectly
> succeed.
>
> Thus, add an early return for empty resources.
>
> Also, remove the WARN() that fires when userspace attempts to
> mmap beyond the BAR bounds. The check still returns 0 to reject
> the mapping, but the warning is excessive for normal operation.
>
> A similar warning was removed from the PCI core in the commit
> 3b519e4ea618 ("PCI: fix size checks for mmap() on /proc/bus/pci files").
This looks like entirely separate two changes to me which just happen
within the same context.
> Signed-off-by: Krzysztof Wilczyński <[email protected]>
> ---
> arch/alpha/kernel/pci-sysfs.c | 14 ++++++--------
> 1 file changed, 6 insertions(+), 8 deletions(-)
>
> diff --git a/arch/alpha/kernel/pci-sysfs.c b/arch/alpha/kernel/pci-sysfs.c
> index 7aac5e76dcd6..867199b988de 100644
> --- a/arch/alpha/kernel/pci-sysfs.c
> +++ b/arch/alpha/kernel/pci-sysfs.c
> @@ -37,20 +37,18 @@ static int hose_mmap_page_range(struct pci_controller
> *hose,
> static int __pci_mmap_fits(struct pci_dev *pdev, int num,
> struct vm_area_struct *vma, int sparse)
> {
> + resource_size_t len = pci_resource_len(pdev, num);
> unsigned long nr, start, size;
> int shift = sparse ? 5 : 0;
>
> + if (!len)
> + return 0;
> +
> nr = vma_pages(vma);
> start = vma->vm_pgoff;
> - size = ((pci_resource_len(pdev, num) - 1) >> (PAGE_SHIFT - shift)) + 1;
> + size = ((len - 1) >> (PAGE_SHIFT - shift)) + 1;
>
> - if (start < size && size - start >= nr)
> - return 1;
> - WARN(1, "process \"%s\" tried to map%s 0x%08lx-0x%08lx on %s BAR %d "
> - "(size 0x%08lx)\n",
> - current->comm, sparse ? " sparse" : "", start, start + nr,
> - pci_name(pdev), num, size);
> - return 0;
> + return start < size && size - start >= nr;
> }
>
> /**
>
--
i.
