ACK: [SRU][R][PATCH 0/2] HVPIPE ioctl generates trace and returns failure

Ross Porter ross.porter at canonical.com
Mon May 25 22:34:49 UTC 2026


Acked-by: Ross Porter <ross.porter at canonical.com>

On 26/05/2026 06:25, Massimiliano Pellizzer wrote:
> BugLink: https://bugs.launchpad.net/bugs/2152161
>
> [ Impact ]
>
> A kernel null pointer dereference oops is triggered on IBM pseries machines
> when a userspace process opens the HVPIPE character device (/dev/papr-hvpipe)
> and issues an ioctl to obtain a file descriptor for a specific HMC source ID.
> The root cause is a semantic misuse of a kernel file descriptor preparation macro
> (FD_PREPARE / retain_and_null_ptr) introduced by an upstream refactoring commit,
> which nullified a pointer that was subsequently reused in a list-insertion operation,
> leading to a write to address 0x0.
>
> [ Fix ]
>
> Backport the fix commit and its dependency:
> - 7a4f0846ee6c pseries/papr-hvpipe: Fix race with interrupt handler
> - 1b9f7aafa44f pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Regression Potential ]
>
> The fix affects hvpipe's src_info registration ordering
> relative to file descriptor creation.
> An issue with this patch may break HMC communication.
>
>
> Ritesh Harjani (IBM) (2):
>    pseries/papr-hvpipe: Fix race with interrupt handler
>    pseries/papr-hvpipe: Fix null ptr deref in
>      papr_hvpipe_dev_create_handle()
>
>   arch/powerpc/platforms/pseries/papr-hvpipe.c | 69 +++++++++++---------
>   1 file changed, 37 insertions(+), 32 deletions(-)
>
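The pointer-reuse bug described in the quoted cover letter, as a userspace C model. This is an added example, not part of the original message and not code from papr-hvpipe.c. All struct and function names are hypothetical, the NULL check in `list_insert` stands in for the oops, and the corrected ordering is one reading of the "registration ordering" remark, not the upstream patch.

```c
#include <stddef.h>

/* Userspace model of the bug class; every name below is hypothetical. */
struct list_node { struct list_node *next; };
struct src_info { struct list_node list; int src_id; };
struct file_model { struct src_info *private_data; };

/* Models the hand-off the cover letter attributes to FD_PREPARE /
 * retain_and_null_ptr: ownership moves to the file object and the
 * caller's local pointer is set to NULL. */
static void hand_off(struct file_model *f, struct src_info **p)
{
    f->private_data = *p;
    *p = NULL;
}

/* Returns 0 on success, -1 where the kernel would write through NULL. */
static int list_insert(struct src_info *s, struct list_node *head)
{
    if (!s)                 /* the kernel has no such check: write to 0x0 */
        return -1;
    s->list.next = head->next;
    head->next = &s->list;
    return 0;
}

/* Buggy order: hand off first, then reuse the now-NULL local pointer. */
int create_handle_buggy(struct src_info *s, struct file_model *f,
                        struct list_node *head)
{
    hand_off(f, &s);
    return list_insert(s, head);
}

/* Corrected order: put the entry on the list while the pointer is valid. */
int create_handle_fixed(struct src_info *s, struct file_model *f,
                        struct list_node *head)
{
    int rc = list_insert(s, head);
    if (rc == 0)
        hand_off(f, &s);
    return rc;
}

int main(void)
{
    struct list_node head = { NULL };
    struct src_info a = { { NULL }, 1 }, b = { { NULL }, 2 };
    struct file_model fa = { NULL }, fb = { NULL };
    return !(create_handle_buggy(&a, &fa, &head) == -1 &&
             create_handle_fixed(&b, &fb, &head) == 0);
}
```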


