[SRU][R][PATCH 0/2] HVPIPE ioctl generates trace and returns failure
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Mon May 25 18:25:45 UTC 2026
BugLink: https://bugs.launchpad.net/bugs/2152161
[ Impact ]
A kernel null pointer dereference oops is triggered on IBM pseries machines
when a userspace process opens the HVPIPE character device (/dev/papr-hvpipe)
and issues an ioctl to obtain a file descriptor for a specific HMC source ID.
The root cause is a semantic misuse of a kernel file descriptor preparation macro
(FD_PREPARE / retain_and_null_ptr) introduced by an upstream refactoring commit,
which nullified a pointer that was subsequently reused in a list-insertion operation,
leading to a write to address 0x0.
[ Fix ]
Backport the fix commit and its dependency:
- 7a4f0846ee6c pseries/papr-hvpipe: Fix race with interrupt handler
- 1b9f7aafa44f pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
[ Test Plan ]
Compile tested only.
[ Regression Potential ]
The fix affects hvpipe's src_info registration ordering
relative to file descriptor creation.
An issue with this patch may break HMC communication.
Ritesh Harjani (IBM) (2):
  pseries/papr-hvpipe: Fix race with interrupt handler
  pseries/papr-hvpipe: Fix null ptr deref in
    papr_hvpipe_dev_create_handle()

 arch/powerpc/platforms/pseries/papr-hvpipe.c | 69 +++++++++++---------
 1 file changed, 37 insertions(+), 32 deletions(-)
--
2.53.0
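
The bug class described under [ Impact ], as an added userspace model that is not part of the original message and is not the kernel's code: a hand-off helper nulls the caller's pointer, and the same variable is then used for a list insertion. All struct and function names are hypothetical, and the reordered variant is an assumption based only on the [ Regression Potential ] note about registration ordering relative to file descriptor creation.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins; not the kernel's definitions. */
struct node { struct node *next; };
struct src_info { struct node list; int src_id; };
struct fd_slot { struct src_info *owner; };   /* models the installed file */

static struct node src_list;                  /* models the global source list */

/* Models a "retain and null" hand-off: the caller's pointer becomes NULL. */
static struct src_info *take_and_null(struct src_info **pp)
{
    struct src_info *p = *pp;
    *pp = NULL;
    return p;
}

/* List insertion; the NULL check stands in for the oops the kernel would take. */
static int src_list_add(struct src_info *si)
{
    if (!si)
        return -1;
    si->list.next = src_list.next;
    src_list.next = &si->list;
    return 0;
}

int registered_count(void)
{
    int n = 0;
    for (struct node *p = src_list.next; p; p = p->next) n++;
    return n;
}

/* Bug pattern: ownership handed off first, then the nulled pointer is reused. */
int create_handle_buggy(struct fd_slot *slot, int id)
{
    struct src_info *si = calloc(1, sizeof(*si));
    if (!si) return -1;
    si->src_id = id;
    slot->owner = take_and_null(&si);   /* si is NULL from here on */
    return src_list_add(si);            /* in the kernel: write through NULL */
}

/* Reordered: register while the pointer is still valid, then hand off. */
int create_handle_reordered(struct fd_slot *slot, int id)
{
    struct src_info *si = calloc(1, sizeof(*si));
    if (!si) return -1;
    si->src_id = id;
    if (src_list_add(si)) { free(si); return -1; }
    slot->owner = take_and_null(&si);
    return 0;
}
```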