[Devel] [PATCH vz10 1/4] vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 5 20:49:06 MSK 2026


vhost_blk_set_backend() validates the fd returned by fget() with
IS_ERR(), but fget() reports failure by returning NULL, not an
ERR_PTR().

IS_ERR(NULL) is false, so a bad (but non-negative) fd slips past the
check and the next line dereferences it via file->f_mapping->host,
oopsing the kernel.

Test for NULL and return -EBADF, which is the proper error for a bad
file descriptor.

Fixes: 40a5928ec730 ("drivers/vhost: vhost-blk accelerator for virtio-blk guests")

Feature: vhost-blk: in-kernel accelerator for virtio-blk guests
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 drivers/vhost/blk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index c66e710ec9105..ed9b7041893f2 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -769,8 +769,8 @@ static long vhost_blk_set_backend(struct vhost_blk *blk, int fd)
 	}
 
 	file = fget(fd);
-	if (IS_ERR(file)) {
-		ret = PTR_ERR(file);
+	if (!file) {
+		ret = -EBADF;
 		goto out_dev;
 	}
 
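Review bot: With `file` now allowed to be NULL at the `goto out_dev` after `file = fget(fd)`, the `out_dev` unwind path (not visible in this hunk) needs a check that it never calls fput() on `file` or otherwise reads it, since that would move the NULL dereference rather than remove it. The `!file` test and `ret = -EBADF` are themselves correct, because fget() signals failure with NULL and never with an ERR_PTR(). It is also worth grepping the rest of drivers/vhost/blk.c for other fget() results tested with IS_ERR(), as the same pattern would fail in the same way wherever it was copied.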
-- 
2.43.0


