{"id":2220569,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2220569/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/5984bd91ad6d3541d08dc9f3c99e6de0214dbfcc.1775569027.git.ritesh.list@gmail.com/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.2/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<5984bd91ad6d3541d08dc9f3c99e6de0214dbfcc.1775569027.git.ritesh.list@gmail.com>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/5984bd91ad6d3541d08dc9f3c99e6de0214dbfcc.1775569027.git.ritesh.list@gmail.com/","date":"2026-04-07T14:31:35","name":"[RFC,v1,1/6] pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"b3926cbce91cbceb6d69329b68537db55190fb11","submitter":{"id":79126,"url":"http://patchwork.ozlabs.org/api/1.2/people/79126/?format=json","name":"Ritesh Harjani (IBM)","email":"ritesh.list@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/5984bd91ad6d3541d08dc9f3c99e6de0214dbfcc.1775569027.git.ritesh.list@gmail.com/mbox/","series":[{"id":498988,"url":"http://patchwork.ozlabs.org/api/1.2/series/498988/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=498988","date":"2026-04-07T14:31:34","name":"pseries/papr-hvpipe: Fix and simplify 
papr-hvpipe","version":1,"mbox":"http://patchwork.ozlabs.org/series/498988/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220569/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220569/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linuxppc-dev+bounces-19436-incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=LO8GJy2J;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-19436-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=\"2607:f8b0:4864:20::62e\"","lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","lists.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=LO8GJy2J;\n\tdkim-atps=neutral","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com\n (client-ip=2607:f8b0:4864:20::62e; helo=mail-pl1-x62e.google.com;\n envelope-from=ritesh.list@gmail.com; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)\n server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fqpYj5Ztbz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 00:32:09 +1000 (AEST)","from boromir.ozlabs.org 
(localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4fqpYd2HVMz2ynC;\n\tWed, 08 Apr 2026 00:32:05 +1000 (AEST)","from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com\n [IPv6:2607:f8b0:4864:20::62e])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4fqpYc0mZXz2ySk\n\tfor <linuxppc-dev@lists.ozlabs.org>; Wed, 08 Apr 2026 00:32:04 +1000 (AEST)","by mail-pl1-x62e.google.com with SMTP id\n d9443c01a7336-2b23fcf90b2so50188845ad.3\n        for <linuxppc-dev@lists.ozlabs.org>;\n Tue, 07 Apr 2026 07:32:04 -0700 (PDT)","from Mac.localdomain.com ([49.205.216.49])\n        by smtp.gmail.com with ESMTPSA id\n d9443c01a7336-2b2749cbc58sm181201525ad.78.2026.04.07.07.31.57\n        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);\n        Tue, 07 Apr 2026 07:32:00 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1775572325;\n\tcv=none;\n b=bTazJydSCXbyp3rWp9WHyoy73DFTBNnW2M9bZW3R8nZWStedej+qWJTFTVvxbEBfXCco3+Cs0Szi/BSzZe2+kkdCTgnbSNEAKr6z4V3wKvBE6lGHhHQVO6Zpi4xTWHSnK01n2QRLO+lbkmh414NLfGaVsOcI4Is6Qxe8zjKojDSl4bSN238tW3wF8gD1dcSHA7T+n6tqcrgy2bpvUfIwhpvY92JeAyyxES3udXBtZY5O5MiAekCB0RTrODpPP+xggFTJgknCkurFcSrt6SYrzph5PbGnCs1SkU4WyR5JNCAgRcgWtJ2SjdbigQPPm4z/89sYCKCMHrNeTXvXEDfZlg==","ARC-Message-Signature":"i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1775572325; c=relaxed/relaxed;\n\tbh=aWlqSctU1ZNN/z0ZDozfOPMSEatR6CHgCywrgmA5uDE=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n 
b=VnJS6saX6LNhWUUMuqMTjG86GQNzKHyfxeFWxaP4cpbCgYZu51bJ/sOMvllXJuzN01kYIIiaPv6r0l2iyO9g7cYSWmdYEKAUKipYPhHTq+MMHsMaMj1FJ8YoJcisdgQGXp/GIPIjJEI2mOetf9e5UQTM/l7ybZY8Zi8seEETizOYmjg3qt5nIej6u070w49THv41fVveVToJRLyQHYPq7WyFgrJgUsE+xxwSpwXQNKzTotVOaqTq28d/n8nGu6ot6KlLeOStBJK/o3Ex0Q4SdVab+OHs3RPo5H02r2QN4yFa2Prmi3CIH5Jm74flOUIkKLmvw0IrDLYRDo3JqP15YA==","ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com; dkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=LO8GJy2J; dkim-atps=neutral;\n spf=pass (client-ip=2607:f8b0:4864:20::62e; helo=mail-pl1-x62e.google.com;\n envelope-from=ritesh.list@gmail.com;\n receiver=lists.ozlabs.org) smtp.mailfrom=gmail.com","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1775572321; x=1776177121;\n darn=lists.ozlabs.org;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=aWlqSctU1ZNN/z0ZDozfOPMSEatR6CHgCywrgmA5uDE=;\n        b=LO8GJy2JC5Gy+bL0x4LdYknaljIbUvwucunaVXdmHtijFPSTJyszNJJr1wRPbGKkp8\n         B1JPq1hmGryYtL0B1IWIYafOWBvEs9Nl4bU9VrWZ40zTGrhhSVebqhI3PyRIskCuPVO+\n         jaG+S2D8YMI4u/KJABuaYPT5997QTYePsOgEyeb8DG6F0SijvHXJP7YXb5ZSotOGtVZd\n         3eIZjyqq8FR2B5+qQNeGQ1gq7xJBji1cRFUfyVzLEZ8f6Ozj6k28Q0FlN+olmec3QPh3\n         5RodNfhpqEjKK3YeIx2rcDTz3TTV2tlNrs9fNAaH6V8oV0fPD7q0rNE+ybpf6BKNPzBE\n         45lA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1775572321; x=1776177121;\n        h=content-transfer-encoding:mime-version:references:in-reply-to\n         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n         :to:cc:subject:date:message-id:reply-to;\n        bh=aWlqSctU1ZNN/z0ZDozfOPMSEatR6CHgCywrgmA5uDE=;\n        
b=MqfwF+9/TspIX8pKaa2YM1qCxgVL7Nj6Fo7EbNPfufyNXh5R/FlqHeReq5uBsqsiR+\n         zf7TtRQbRJPhKt1NiUKSWKY2NvqI/xZP58wfL/OV5L3ZoHSOo+ysJV1VZt7x022rfXh9\n         o22bwaOIHvFKPfeGnXRGyen0IrrdgtcsXo+vo5dfbBucwBeWGqGHTdIaopCDcxRNSVhW\n         5F8I1T6/OZhx3nsY2nze/1CGrBH5G9Kihmsc3w+xTrmYrqcVOeQ8n0OpEgiXEOW2hoT7\n         Iw51OrEwLkYrSjxWvdCXNQp2AgyPx1S1XLIchIni2HsV1yXQwAJNHJVRI9UuzujCQTAT\n         LScw==","X-Gm-Message-State":"AOJu0YyLzaNsRsnGke8Le8/Hz+5NjJbJrbhiEH1yuao0GONr3LLWzdu/\n\tnLHhtCOz0+DeT38xVgoPyNI8o4ucGBdOai/Nov7tKVFpsRpvraS6GAo649pe/Q==","X-Gm-Gg":"AeBDietdp1JbyxcVQ7ddM4FzlXykRaZJzRsoGcYCyJqakPgyO6Nbr86FGX3ZUrN4s6V\n\tyMzYcF20f9PrscuG1O2UdV7p++HqyOTVHY5p67HuZZ796nRhovKY88wBoI+Z5NNxy14cuoJHur1\n\tTz2GcW42I+vqaV+rZ7na+3EMvtN7STIizW41W0w/OVoM5JUf6Iamy7qOlLO0ShzDc5LBLZtHuOE\n\t/vte8f6u+SXVPYa1Z1zH0K58MV8o2SoCAvuXf7zPJ7UeQKipsr9rm3w2mlwETqpP0apCFERQRcJ\n\twZD1unMV94RQgDOTx2bNCmvB2vY7bqVVM20kFtgWI6feF3Hi8O55isiWSLVis7k5ugiealSMr1v\n\tY5Bx8Cfdx7PlbYVs9PAYaSUUrtLIiQZwz9loQsWBfQpEnsmAGMdB4T09PemV1nFdNIEEiOXEIA2\n\tzJsEWeAe6tFTJeF1y8j/f3aaqpVgjCodoVABXD7Y6mYqb9l2wlwrEWkrRQL76k","X-Received":"by 2002:a17:903:3b84:b0:2b2:4728:aa6f with SMTP id\n d9443c01a7336-2b2818016cemr160584395ad.26.1775572321227;\n        Tue, 07 Apr 2026 07:32:01 -0700 (PDT)","From":"\"Ritesh Harjani (IBM)\" <ritesh.list@gmail.com>","To":"linuxppc-dev@lists.ozlabs.org,\n\tHaren Myneni <haren@linux.ibm.com>","Cc":"Madhavan Srinivasan <maddy@linux.ibm.com>,\n\tChristophe Leroy <chleroy@kernel.org>,\n\tVenkat Rao Bagalkote <venkat88@linux.ibm.com>,\n\tNicholas Piggin <npiggin@gmail.com>,\n\tlinux-kernel@vger.kernel.org,\n\t\"Ritesh Harjani (IBM)\" <ritesh.list@gmail.com>,\n\tChristian Brauner <brauner@kernel.org>","Subject":"[RFC v1 1/6] pseries/papr-hvpipe: Fix null ptr deref in\n papr_hvpipe_dev_create_handle","Date":"Tue,  7 Apr 2026 20:01:35 +0530","Message-ID":"\n <5984bd91ad6d3541d08dc9f3c99e6de0214dbfcc.1775569027.git.ritesh.list@gmail.com>","X-Mailer":"git-send-email 
2.50.1","In-Reply-To":"<cover.1775569027.git.ritesh.list@gmail.com>","References":"<cover.1775569027.git.ritesh.list@gmail.com>","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev+help@lists.ozlabs.org>","List-Owner":"<mailto:linuxppc-dev+owner@lists.ozlabs.org>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Subscribe":"<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>","List-Unsubscribe":"<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>","Precedence":"list","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spam-Status":"No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,\n\tSPF_HELO_NONE,SPF_PASS autolearn=disabled version=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"Getting the following kernel panic in papr_hvpipe_dev_create_handle()\nwhen trying to add src_info to the list.\n Kernel attempted to write user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on write at 0x00000000\n Faulting instruction address: 0xc0000000001b44a0\n Oops: Kernel access of bad area, sig: 11 [#1]\n ...\n Call Trace:\n papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)\n sys_ioctl+0x528/0x1064\n system_call_exception+0x128/0x360\n system_call_vectored_common+0x15c/0x2ec\n\nThe error handling with FD_PREPARE's file cleanup and __free(kfree) auto\ncleanup is getting too convoluted. This is mainly because we need to\nensure only 1 user get the srcID handle. 
To simplify this, we allocate\nprepare the src_info in the beginning and add it to the global list\nunder a spinlock after checking that no duplicates exist.\n\nThis simplify the error handling where if the FD_ADD fails, we can\nsimply remove the src_info from the list.\n\nCc: Christian Brauner <brauner@kernel.org>\nFixes: 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\")\nReported-by: Haren Myneni <haren@linux.ibm.com>\nSigned-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>\n---\n arch/powerpc/platforms/pseries/papr-hvpipe.c | 50 +++++++++-----------\n 1 file changed, 22 insertions(+), 28 deletions(-)\n\n--\n2.39.5","diff":"diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c\nindex 14ae480d060a..ef10f5a5a4fa 100644\n--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c\n+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c\n@@ -479,21 +479,8 @@ static const struct file_operations papr_hvpipe_handle_ops = {\n\n static int papr_hvpipe_dev_create_handle(u32 srcID)\n {\n-\tstruct hvpipe_source_info *src_info __free(kfree) = NULL;\n-\n-\tspin_lock(&hvpipe_src_list_lock);\n-\t/*\n-\t * Do not allow more than one process communicates with\n-\t * each source.\n-\t */\n-\tsrc_info = hvpipe_find_source(srcID);\n-\tif (src_info) {\n-\t\tspin_unlock(&hvpipe_src_list_lock);\n-\t\tpr_err(\"pid(%d) is already using the source(%d)\\n\",\n-\t\t\t\tsrc_info->tsk->pid, srcID);\n-\t\treturn -EALREADY;\n-\t}\n-\tspin_unlock(&hvpipe_src_list_lock);\n+\tstruct hvpipe_source_info *src_info;\n+\tint fd;\n\n \tsrc_info = kzalloc_obj(*src_info, GFP_KERNEL_ACCOUNT);\n \tif (!src_info)\n@@ -503,26 +490,33 @@ static int papr_hvpipe_dev_create_handle(u32 srcID)\n \tsrc_info->tsk = current;\n \tinit_waitqueue_head(&src_info->recv_wqh);\n\n-\tFD_PREPARE(fdf, O_RDONLY | O_CLOEXEC,\n-\t\t   anon_inode_getfile(\"[papr-hvpipe]\", &papr_hvpipe_handle_ops,\n-\t\t\t\t      (void *)src_info, O_RDWR));\n-\tif 
(fdf.err)\n-\t\treturn fdf.err;\n-\n-\tretain_and_null_ptr(src_info);\n-\tspin_lock(&hvpipe_src_list_lock);\n \t/*\n-\t * If two processes are executing ioctl() for the same\n-\t * source ID concurrently, prevent the second process to\n-\t * acquire FD.\n+\t * Do not allow more than one process communicates with\n+\t * each source.\n \t */\n-\tif (hvpipe_find_source(srcID)) {\n+\tspin_lock(&hvpipe_src_list_lock);\n+\tif(hvpipe_find_source(srcID)) {\n \t\tspin_unlock(&hvpipe_src_list_lock);\n+\t\tpr_err(\"pid(%d) could not get the source(%d)\\n\",\n+\t\t\t\tsrc_info->tsk->pid, srcID);\n+\t\tkfree(src_info);\n \t\treturn -EALREADY;\n \t}\n \tlist_add(&src_info->list, &hvpipe_src_list);\n \tspin_unlock(&hvpipe_src_list_lock);\n-\treturn fd_publish(fdf);\n+\n+\tfd = FD_ADD(O_RDONLY | O_CLOEXEC,\n+\t\t   anon_inode_getfile(\"[papr-hvpipe]\", &papr_hvpipe_handle_ops,\n+\t\t\t\t      (void *)src_info, O_RDWR));\n+\tif (fd < 0) {\n+\t\tspin_lock(&hvpipe_src_list_lock);\n+\t\tlist_del(&src_info->list);\n+\t\tspin_unlock(&hvpipe_src_list_lock);\n+\t\tkfree(src_info);\n+\t\treturn fd;\n+\t}\n+\n+\treturn fd;\n }\n\n /*\n","prefixes":["RFC","v1","1/6"]}
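Review bot: In the first hunk (@@ -479,21 +479,8 @@), the removed early check stored the result of hvpipe_find_source() in `src_info __free(kfree)` and then returned -EALREADY, so an entry still linked on hvpipe_src_list would be freed at scope exit. The changelog only describes the NULL write in list_add(). Please add a sentence saying this rework also removes that free of a live list entry, since it is a separate bug from the one in the oops. Minor: with the lookup moved after kzalloc_obj(), every -EALREADY call now allocates and frees a src_info. That is acceptable for the simpler flow but worth a word in the changelog.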
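Review bot: In the second hunk (@@ -503,26 +490,33 @@), src_info is put on hvpipe_src_list before FD_ADD, so it is reachable by other list lookups while no file owns it, and the `fd < 0` path then does list_del() and kfree(src_info). Please confirm that no other user of hvpipe_find_source() keeps the pointer after dropping hvpipe_src_list_lock, and that FD_ADD cannot fail after anon_inode_getfile() has returned a file; if it can, the release handler in papr_hvpipe_handle_ops would see the same src_info and this path could free it twice. The changelog would also be clearer if it named the root cause visible in the removed lines: retain_and_null_ptr(src_info) followed by list_add(&src_info->list, &hvpipe_src_list). Smaller points: the pr_err() prints src_info->tsk->pid, which is just current at this point, on a path userspace can trigger repeatedly, so consider a ratelimited or debug-level message; and `if(hvpipe_find_source(srcID)) {` needs a space after `if`.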