[Devel] [PATCH RHEL10 COMMIT] vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Jun 19 21:32:58 MSK 2026
The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.4.vz10
------>
commit bc76295ba93cd4216483849703512429d63e2a79
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Fri Jun 5 19:49:06 2026 +0200
vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND
vhost_blk_set_backend() validates the fd returned by fget() with
IS_ERR(), but fget() reports failure by returning NULL, not an
ERR_PTR().
IS_ERR(NULL) is false, so a bad (but non-negative) fd slips past the
check and the next line dereferences it via file->f_mapping->host,
oopsing the kernel.
Test for NULL and return -EBADF, which is the proper error for a bad
file descriptor.
Fixes: 40a5928ec730 ("drivers/vhost: vhost-blk accelerator for virtio-blk guests")
Feature: vhost-blk: in-kernel accelerator for virtio-blk guests
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Reviewed-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
drivers/vhost/blk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index fb70b381eae92..8bb83ae39f5c8 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -786,8 +786,8 @@ static long vhost_blk_set_backend(struct vhost_blk *blk, int fd)
}
file = fget(fd);
- if (IS_ERR(file)) {
- ret = PTR_ERR(file);
+ if (!file) {
+ ret = -EBADF;
goto out_dev;
}
More information about the Devel
mailing list