[Devel] [PATCH vz10 1/4] vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 5 20:49:06 MSK 2026
vhost_blk_set_backend() validates the fd returned by fget() with
IS_ERR(), but fget() reports failure by returning NULL, not an
ERR_PTR().
IS_ERR(NULL) is false, so a bad (but non-negative) fd slips past the
check and the next line dereferences it via file->f_mapping->host,
oopsing the kernel.
Test for NULL and return -EBADF, which is the proper error for a bad
file descriptor.
Fixes: 40a5928ec730 ("drivers/vhost: vhost-blk accelerator for virtio-blk guests")
Feature: vhost-blk: in-kernel accelerator for virtio-blk guests
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
drivers/vhost/blk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index c66e710ec9105..ed9b7041893f2 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -769,8 +769,8 @@ static long vhost_blk_set_backend(struct vhost_blk *blk, int fd)
}
file = fget(fd);
- if (IS_ERR(file)) {
- ret = PTR_ERR(file);
+ if (!file) {
+ ret = -EBADF;
goto out_dev;
}
--
2.43.0
More information about the Devel
mailing list