{"id":2231661,"url":"http://patchwork.ozlabs.org/api/patches/2231661/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/31ad94bc89d44156ee700c5bd006cb47a748e3cb.1777606826.git.ritesh.list@gmail.com/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<31ad94bc89d44156ee700c5bd006cb47a748e3cb.1777606826.git.ritesh.list@gmail.com>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/31ad94bc89d44156ee700c5bd006cb47a748e3cb.1777606826.git.ritesh.list@gmail.com/","date":"2026-05-01T04:11:42","name":"[v3,3/9] pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ff786cb5b8e56380057b2dff5d82e40f3ab8c3af","submitter":{"id":79126,"url":"http://patchwork.ozlabs.org/api/people/79126/?format=json","name":"Ritesh Harjani (IBM)","email":"ritesh.list@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/31ad94bc89d44156ee700c5bd006cb47a748e3cb.1777606826.git.ritesh.list@gmail.com/mbox/","series":[{"id":502420,"url":"http://patchwork.ozlabs.org/api/series/502420/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=502420","date":"2026-05-01T04:11:39","name":"pseries/papr-hvpipe: Fix deadlock, races and misc 
cleanups","version":3,"mbox":"http://patchwork.ozlabs.org/series/502420/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231661/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231661/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linuxppc-dev+bounces-20354-incoming=patchwork.ozlabs.org@lists.ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=sGAB6lGb;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-20354-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)","lists.ozlabs.org;\n arc=none smtp.remote-ip=\"2607:f8b0:4864:20::533\"","lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","lists.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=sGAB6lGb;\n\tdkim-atps=neutral","lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com\n (client-ip=2607:f8b0:4864:20::533; helo=mail-pg1-x533.google.com;\n envelope-from=ritesh.list@gmail.com; receiver=lists.ozlabs.org)"],"Received":["from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6Hgy0MQxz1y04\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 14:12:46 +1000 (AEST)","from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 
4g6Hgg5qNvz30WQ;\n\tFri, 01 May 2026 14:12:31 +1000 (AEST)","from mail-pg1-x533.google.com (mail-pg1-x533.google.com\n [IPv6:2607:f8b0:4864:20::533])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4g6Hgg0rxHz2xjd\n\tfor <linuxppc-dev@lists.ozlabs.org>; Fri, 01 May 2026 14:12:31 +1000 (AEST)","by mail-pg1-x533.google.com with SMTP id\n 41be03b00d2f7-c76c067bc51so598590a12.0\n        for <linuxppc-dev@lists.ozlabs.org>;\n Thu, 30 Apr 2026 21:12:30 -0700 (PDT)","from localhost.localdomain ([49.205.216.49])\n        by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-83515b485eesm1159428b3a.48.2026.04.30.21.12.24\n        (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256);\n        Thu, 30 Apr 2026 21:12:27 -0700 (PDT)"],"ARC-Authentication-Results":"i=1; lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com; dkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=sGAB6lGb; dkim-atps=neutral;\n spf=pass (client-ip=2607:f8b0:4864:20::533; helo=mail-pg1-x533.google.com;\n envelope-from=ritesh.list@gmail.com;\n receiver=lists.ozlabs.org) smtp.mailfrom=gmail.com","X-Received":"by 2002:a05:6a20:5483:b0:395:ce56:4448 with SMTP id\n adf61e73a8af0-3a3cf68b511mr6112736637.25.1777608748275;\n        Thu, 30 Apr 2026 21:12:28 -0700 (PDT)","From":"\"Ritesh Harjani (IBM)\" <ritesh.list@gmail.com>","To":"linuxppc-dev@lists.ozlabs.org,\n\tHaren Myneni <haren@linux.ibm.com>","Cc":"Madhavan Srinivasan <maddy@linux.ibm.com>,\n\tChristophe Leroy <chleroy@kernel.org>,\n\tVenkat Rao Bagalkote <venkat88@linux.ibm.com>,\n\tNicholas Piggin <npiggin@gmail.com>,\n\tlinux-kernel@vger.kernel.org,\n\t\"Ritesh Harjani (IBM)\" <ritesh.list@gmail.com>,\n\tChristian Brauner <brauner@kernel.org>,\n\tstable@vger.kernel.org","Subject":"[PATCH v3 3/9] pseries/papr-hvpipe: Fix null ptr deref in\n papr_hvpipe_dev_create_handle()","Date":"Fri,  1 May 2026 09:41:42 +0530","Message-ID":"\n <31ad94bc89d44156ee700c5bd006cb47a748e3cb.1777606826.git.ritesh.list@gmail.com>","X-Mailer":"git-send-email 
2.50.1","In-Reply-To":"<cover.1777606826.git.ritesh.list@gmail.com>","References":"<cover.1777606826.git.ritesh.list@gmail.com>","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev+help@lists.ozlabs.org>","List-Owner":"<mailto:linuxppc-dev+owner@lists.ozlabs.org>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Subscribe":"<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>","List-Unsubscribe":"<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>","Precedence":"list","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spam-Status":"No, score=-0.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tDKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,\n\tSPF_HELO_NONE,SPF_PASS autolearn=disabled version=4.0.1 OzLabs 8","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"},"content":"commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"),\nchanged the create handle to FD_PREPARE(), but it caused kernel\nnull-ptr-deref because after call to retain_and_null_ptr(src_info),\nsrc_info is re-used for adding it to the global list.\n\nGetting the following kernel panic in papr_hvpipe_dev_create_handle()\nwhen trying to add src_info to the list.\n Kernel attempted to write user page (0) - exploit attempt? 
(uid: 0)\n BUG: Kernel NULL pointer dereference on write at 0x00000000\n Faulting instruction address: 0xc0000000001b44a0\n Oops: Kernel access of bad area, sig: 11 [#1]\n ...\n Call Trace:\n papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)\n sys_ioctl+0x528/0x1064\n system_call_exception+0x128/0x360\n system_call_vectored_common+0x15c/0x2ec\n\nNow, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto\ncleanup is getting too convoluted. This is mainly because we need to\nensure only 1 user gets the srcID handle. To simplify this, we allocate and\nprepare the src_info in the beginning and add it to the global list\nunder a spinlock after checking that no duplicates exist.\n\nThis simplifies the error handling where if the FD_ADD fails, we can\nsimply remove the src_info from the list and consume any pending msg in\nhvpipe to be cleared, after src_info became visible in the global list.\n\nCc: Christian Brauner <brauner@kernel.org>\nCc: stable@vger.kernel.org\nFixes: 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\")\nReported-by: Haren Myneni <haren@linux.ibm.com>\nSigned-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>\n---\n arch/powerpc/platforms/pseries/papr-hvpipe.c | 57 ++++++++++----------\n 1 file changed, 30 insertions(+), 27 deletions(-)","diff":"diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c\nindex 3392874ebdf6..402781299497 100644\n--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c\n+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c\n@@ -480,23 +480,10 @@ static const struct file_operations papr_hvpipe_handle_ops = {\n \n static int papr_hvpipe_dev_create_handle(u32 srcID)\n {\n-\tstruct hvpipe_source_info *src_info __free(kfree) = NULL;\n+\tstruct hvpipe_source_info *src_info;\n+\tint fd;\n \tunsigned long flags;\n \n-\tspin_lock_irqsave(&hvpipe_src_list_lock, flags);\n-\t/*\n-\t * Do not allow more than one process communicates with\n-\t * each source.\n-\t */\n-\tsrc_info = hvpipe_find_source(srcID);\n-\tif (src_info) {\n-\t\tspin_unlock_irqrestore(&hvpipe_src_list_lock, flags);\n-\t\tpr_err(\"pid(%d) is already using the source(%d)\\n\",\n-\t\t\t\tsrc_info->tsk->pid, srcID);\n-\t\treturn -EALREADY;\n-\t}\n-\tspin_unlock_irqrestore(&hvpipe_src_list_lock, flags);\n-\n \tsrc_info = kzalloc_obj(*src_info, GFP_KERNEL_ACCOUNT);\n \tif (!src_info)\n \t\treturn -ENOMEM;\n@@ -505,26 +492,42 @@ static int papr_hvpipe_dev_create_handle(u32 srcID)\n \tsrc_info->tsk = current;\n \tinit_waitqueue_head(&src_info->recv_wqh);\n \n-\tFD_PREPARE(fdf, O_RDONLY | O_CLOEXEC,\n-\t\t   anon_inode_getfile(\"[papr-hvpipe]\", &papr_hvpipe_handle_ops,\n-\t\t\t\t      (void *)src_info, O_RDWR));\n-\tif (fdf.err)\n-\t\treturn fdf.err;\n-\n-\tretain_and_null_ptr(src_info);\n-\tspin_lock_irqsave(&hvpipe_src_list_lock, flags);\n \t/*\n-\t * If two processes are executing ioctl() for the same\n-\t * source ID concurrently, prevent the second process to\n-\t * acquire FD.\n+\t * Do not allow more than one process communicates with\n+\t * each source.\n \t */\n+\tspin_lock_irqsave(&hvpipe_src_list_lock, flags);\n \tif (hvpipe_find_source(srcID)) {\n \t\tspin_unlock_irqrestore(&hvpipe_src_list_lock, flags);\n+\t\tpr_err(\"pid(%d) could not get the source(%d)\\n\",\n+\t\t\t\tsrc_info->tsk->pid, srcID);\n+\t\tkfree(src_info);\n \t\treturn -EALREADY;\n \t}\n \tlist_add(&src_info->list, &hvpipe_src_list);\n \tspin_unlock_irqrestore(&hvpipe_src_list_lock, flags);\n-\treturn fd_publish(fdf);\n+\n+\tfd = FD_ADD(O_RDONLY | O_CLOEXEC,\n+\t\t   anon_inode_getfile(\"[papr-hvpipe]\", &papr_hvpipe_handle_ops,\n+\t\t\t\t      (void *)src_info, O_RDWR));\n+\tif (fd < 0) {\n+\t\tspin_lock_irqsave(&hvpipe_src_list_lock, flags);\n+\t\tlist_del(&src_info->list);\n+\t\tspin_unlock_irqrestore(&hvpipe_src_list_lock, flags);\n+\t\t/*\n+\t\t * if we fail to add FD, that means no userspace program is\n+\t\t * polling. In that case if there is a msg pending because the\n+\t\t * interrupt was fired after the src_info was added to the\n+\t\t * global list, then let's consume it here, to unblock the\n+\t\t * hvpipe\n+\t\t */\n+\t\tif (src_info->hvpipe_status & HVPIPE_MSG_AVAILABLE)\n+\t\t\thvpipe_rtas_recv_msg(NULL, 0);\n+\t\tkfree(src_info);\n+\t\treturn fd;\n+\t}\n+\n+\treturn fd;\n }\n \n /*\n","prefixes":["v3","3/9"]}
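Review bot: In the FD_ADD() failure path of the second hunk, src_info->hvpipe_status is tested for HVPIPE_MSG_AVAILABLE only after hvpipe_src_list_lock has been dropped, and src_info is kfree()'d right after the test; the hunk does not show how the interrupt path sets that flag, and if it does so (or wakes recv_wqh) without holding hvpipe_src_list_lock, a handler that looked src_info up before the list_del() can still set the flag after this test, leaving the message undrained, or touch src_info after the kfree(). If the flag is only ever updated under hvpipe_src_list_lock, a one-line comment saying so would make the unlocked read obviously safe; otherwise move the test into the same locked section as the list_del(). Two smaller points: the pr_err() in the -EALREADY path now prints the pid of the caller (src_info->tsk is current at this point), whereas the removed check printed the pid of the task already holding the source, which changes what the log line means and deserves a sentence in the commit message; and since this path is reachable from userspace through the ioctl shown in the call trace, pr_err_ratelimited() would keep a looping caller from flooding the log. Finally, `if (fd < 0) { ... return fd; } return fd;` can drop the inner return and fall through to the single return.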