On Fri, Nov 15, 2019 at 02:01:55PM +0100, Dietmar Hahn wrote:
> Later a user tool dumped with SIGSEGV and the Linux system crashed.
> I investigated the crash dump and found the cause.
>
> Via format_corename() in fs/coredump.c the helper_argv[] with 3 entries is
> created and helper_argv[0] == "" (because of the ' ' after the '|')
> ispipe is set to 1.
> Later in call_usermodehelper_setup():
> sub_info->path = path; == helper_argv[0] == ""
> This leads in call_usermodehelper_exec() to:
> if (strlen(sub_info->path) == 0)
> goto out;
> with a return value of 0.
> But no pipe is created and thus cprm.file == NULL.
> This leads in file_start_write() to the panic because of dereferencing
> file_inode(file)->i_mode)
>
> I'm not sure what's the best way to fix this so I've no patch.
> Thanks.

Check in the caller of format_corename() for **argv being '\0' and fail if it is? I mean, turn that

	if (ispipe < 0) {
		printk(KERN_WARNING "format_corename failed\n");
		printk(KERN_WARNING "Aborting core\n");
		goto fail_unlock;
	}

in there into

	if (ispipe < 0 || !**argv) {
		printk(KERN_WARNING "format_corename failed\n");
		printk(KERN_WARNING "Aborting core\n");
		goto fail_unlock;
	}
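As an added illustration (not part of this thread, and not the kernel's own code nor either participant's patch), the following user-space C model reproduces the argument splitting that the report describes, namely that a space directly after the '|' in core_pattern leaves helper_argv[0] empty, and applies the `ispipe < 0 || !**argv` check suggested in the reply. Assumptions: no '%' expansion is modelled, argv has a fixed capacity, argv is treated as `char **`, argv[0] is also set for a plain file pattern so the check can be applied uniformly, and the function names (`model_format_corename`, `should_abort_core`, `pattern_rejected`) and the sample patterns are constructed for this example.

```c
/*
 * Added example, not kernel code: a user-space model of how a "|..."
 * core_pattern is split into helper_argv[] and of the proposed
 * "ispipe < 0 || !**argv" check. Simplifications (assumptions): no '%'
 * expansion, fixed argv capacity, argv[0] always set.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGV     16
#define CORENAME_MAX 256

struct corename {
    int   ispipe;               /* 1 if core_pattern starts with '|' */
    int   argc;
    char *argv[MAX_ARGV + 1];   /* NULL-terminated, points into buf */
    char  buf[CORENAME_MAX];
};

/*
 * Model of format_corename(): for a pipe pattern argv[0] is created before
 * any character is consumed, runs of spaces separate arguments, and trailing
 * spaces add nothing. So "| /bin/handler" yields argv[0] == "" with
 * "/bin/handler" in argv[1]. Returns 1 for a pipe, 0 for a plain file
 * pattern, -1 on error (the value the caller tests as ispipe).
 */
static int model_format_corename(const char *pattern, struct corename *cn)
{
    memset(cn, 0, sizeof(*cn));
    if (strlen(pattern) >= CORENAME_MAX)
        return -1;

    char *out = cn->buf;
    cn->ispipe = (pattern[0] == '|');
    cn->argv[cn->argc++] = out;          /* argv[0] always exists */

    if (!cn->ispipe) {
        strcpy(out, pattern);            /* plain file name, no splitting */
        cn->argv[cn->argc] = NULL;
        return 0;
    }

    bool was_space = false;
    for (const char *p = pattern + 1; *p; p++) {
        if (*p == ' ') {
            was_space = true;
            continue;
        }
        if (was_space) {
            was_space = false;
            *out++ = '\0';               /* terminate previous argument */
            if (cn->argc >= MAX_ARGV)
                return -1;
            cn->argv[cn->argc++] = out;
        }
        *out++ = *p;
    }
    *out = '\0';
    cn->argv[cn->argc] = NULL;
    return 1;
}

/* The check from the reply: abort the dump rather than hand "" to
 * call_usermodehelper_setup(), which would make call_usermodehelper_exec()
 * return 0 without creating a pipe and leave cprm.file == NULL. */
static int should_abort_core(int ispipe, char **argv)
{
    return ispipe < 0 || !**argv;
}

/* 1 if the proposed check would reject this core_pattern, else 0. */
static int pattern_rejected(const char *pattern)
{
    struct corename cn;
    int ispipe = model_format_corename(pattern, &cn);
    return should_abort_core(ispipe, cn.argv);
}

int main(void)
{
    /* Constructed sample patterns for the demonstration. */
    const char *samples[] = {
        "|/usr/lib/systemd/systemd-coredump %P",   /* handler in argv[0] */
        "| /usr/lib/systemd/systemd-coredump %P",  /* space after '|'    */
        "core.%p",                                 /* plain file pattern */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct corename cn;
        int ispipe = model_format_corename(samples[i], &cn);
        printf("%-42s ispipe=%d argc=%d argv[0]=\"%s\" -> %s\n",
               samples[i], ispipe, cn.argc, cn.argv[0],
               should_abort_core(ispipe, cn.argv) ? "abort core" : "ok");
    }
    return 0;
}
```

Running it shows the second pattern producing three argv entries with an empty argv[0], which is the shape of the helper_argv[] the report describes, and the added check rejecting exactly that case while leaving the other two patterns untouched.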