| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <995450c5-a4f2-d2d1-8a44-569726eb7231@kernel.dk>
Date: Thu, 8 Sep 2022 15:19:55 -0600
From: Jens Axboe <axboe@...nel.dk>
To: "Yichun Zhang (agentzh)" <yichun@...nresty.com>,
linux-fsdevel@...r.kernel.org
Cc: Colin Ian King <colin.i.king@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] relay: replay_file_open(): NULL ptr deref in CPU hotplugs
On 9/8/22 3:17 PM, Yichun Zhang (agentzh) wrote:
> CPU hotplug may introduce race conditions. We reproduced kernel panics
> due to this NULL ptr deref error when doing frequent random CPU hotplugs
> in a KVM guest.
>
> Signed-off-by: Yichun Zhang (agentzh) <yichun@...nresty.com>
> ---
> kernel/relay.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/relay.c b/kernel/relay.c
> index 6a611e779e95..2db69fd527d1 100644
> --- a/kernel/relay.c
> +++ b/kernel/relay.c
> @@ -816,6 +816,9 @@ EXPORT_SYMBOL_GPL(relay_flush);
> static int relay_file_open(struct inode *inode, struct file *filp)
> {
> struct rchan_buf *buf = inode->i_private;
> + if (unlikely(buf == NULL))
> + return -ENOENT;
> +
> kref_get(&buf->kref);
> filp->private_data = buf;
If it can go away before open is called, what prevents it from going
away after that check but before kref_get() is called?
--
Jens Axboe
Powered by blists - more mailing lists