On 9/8/22 3:17 PM, Yichun Zhang (agentzh) wrote: > CPU hotplug may introduce race conditions. We reproduced kernel panics > due to this NULL ptr deref error when doing frequent random CPU hotplugs > in a KVM guest. > > Signed-off-by: Yichun Zhang (agentzh) <yichun@xxxxxxxxxxxxx> > --- > kernel/relay.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/relay.c b/kernel/relay.c > index 6a611e779e95..2db69fd527d1 100644 > --- a/kernel/relay.c > +++ b/kernel/relay.c > @@ -816,6 +816,9 @@ EXPORT_SYMBOL_GPL(relay_flush); > static int relay_file_open(struct inode *inode, struct file *filp) > { > struct rchan_buf *buf = inode->i_private; > + if (unlikely(buf == NULL)) > + return -ENOENT; > + > kref_get(&buf->kref); > filp->private_data = buf; If it can go away before open is called, what prevents it from going away after that check but before kref_get() is called? -- Jens Axboe
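Review bot: the NULL check added at the top of relay_file_open() only narrows the race rather than closing it. It reads inode->i_private without any synchronization against the path that frees the buffer during CPU hotplug, so buf can still be torn down between `if (unlikely(buf == NULL))` and `kref_get(&buf->kref);`, which is exactly the window the reply below points out; the result would move from a NULL dereference to a use-after-free, which is harder to diagnose. A real fix needs to take the reference under whatever lock or lifetime rule the teardown path honours (or make sure the inode is removed before the buffer is freed), and the commit message should name which hotplug path leaves i_private NULL so reviewers can check that ordering.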