relid2channel() assumes vmbus channel array to be allocated when called. However, if the guest receives a vmbus interrupt during driver initialization before vmbus_connect() is called or if vmbus_connect() fails, the vmbus interrupt service routine is called which in turn calls relid2channel() and can cause a null pointer dereference. So make relid2channel() check if vmbus channels is allocated first and return NULL to the caller if not allocated. Fixes: 8b6a877c060e ("Drivers: hv: vmbus: Replace the per-CPU channel lists with a global array of channels") Signed-off-by: Mohammed Gamal <mgamal@xxxxxxxxxx> --- drivers/hv/connection.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c index 9dc27e5d367a..5c603c4f75a2 100644 --- a/drivers/hv/connection.c +++ b/drivers/hv/connection.c @@ -409,6 +409,8 @@ void vmbus_disconnect(void) */ struct vmbus_channel *relid2channel(u32 relid) { + if (WARN_ON(vmbus_connection.channels == NULL)) + return NULL; if (WARN_ON(relid >= MAX_CHANNEL_RELIDS)) return NULL; return READ_ONCE(vmbus_connection.channels[relid]); -- 2.38.1
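Review bot: The new `WARN_ON(vmbus_connection.channels == NULL)` in relid2channel() will emit a warning splat in exactly the situation the commit message describes as expected, an interrupt arriving before vmbus_connect() has allocated the array or after it has failed, so consider a plain `if (!vmbus_connection.channels) return NULL;` (or WARN_ON_ONCE() if one warning is still wanted) plus a short comment stating why a NULL array is possible on this path. Also, the existing return line reads `vmbus_connection.channels[relid]` with READ_ONCE() because this runs from the interrupt path, but the added check reads the `channels` pointer with a plain load; for consistency, load the pointer once with READ_ONCE() into a local and use that local for both the NULL test and the indexing, so the function cannot test one pointer value and dereference another if the pointer is changed concurrently (e.g., on the vmbus_connect() failure path the commit message mentions).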