[Devel] [PATCH RHEL10 COMMIT] vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND

Konstantin Khorenko khorenko at virtuozzo.com
Fri Jun 19 21:32:58 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.4.vz10
------>
commit bc76295ba93cd4216483849703512429d63e2a79
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Fri Jun 5 19:49:06 2026 +0200

    vhost-blk: fix NULL deref on bad fd in VHOST_BLK_SET_BACKEND
    
    vhost_blk_set_backend() validates the fd returned by fget() with
    IS_ERR(), but fget() reports failure by returning NULL, not an
    ERR_PTR().
    
    IS_ERR(NULL) is false, so a bad (but non-negative) fd slips past the
    check and the next line dereferences it via file->f_mapping->host,
    oopsing the kernel.
    
    Test for NULL and return -EBADF, which is the proper error for a bad
    file descriptor.
    
    Fixes: 40a5928ec730 ("drivers/vhost: vhost-blk accelerator for virtio-blk guests")
    
    Feature: vhost-blk: in-kernel accelerator for virtio-blk guests
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    Reviewed-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 drivers/vhost/blk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/vhost/blk.c b/drivers/vhost/blk.c
index fb70b381eae92..8bb83ae39f5c8 100644
--- a/drivers/vhost/blk.c
+++ b/drivers/vhost/blk.c
@@ -786,8 +786,8 @@ static long vhost_blk_set_backend(struct vhost_blk *blk, int fd)
 	}
 
 	file = fget(fd);
-	if (IS_ERR(file)) {
-		ret = PTR_ERR(file);
+	if (!file) {
+		ret = -EBADF;
 		goto out_dev;
 	}
 
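Review bot: on the new `if (!file)` branch, `goto out_dev` is now reached with `file == NULL`, so please confirm that nothing under the `out_dev` label calls fput(file) or otherwise touches `file`, since that would only move the NULL dereference into the error path. The NULL test itself matches how fget() reports failure, and -EBADF is the conventional errno for it. Two follow-ups would be worth adding. First, check the rest of drivers/vhost/blk.c for other fget() results tested with IS_ERR(), since each one would fail the same way. Second, add a regression test that issues VHOST_BLK_SET_BACKEND with a closed but non-negative fd and expects EBADF, so the check cannot silently regress.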

