Commit 967060d0 authored by Darrick J. Wong, committed by Ingo Molnar

x86, msr: fix NULL pointer deref due to msr_open on nonexistent CPUs

msr_open tests for someone trying to open a device for a nonexistent CPU.
However, the function always returns 0, not ret like it should, hence
userspace can BUG the kernel trivially.  This bug was introduced by the
cdev lock_kernel pushdown patch last May.

The BUG can be reproduced with these commands:

# mknod fubar c 202 8 <-- pick a number less than NR_CPUS that is not
                          the number of an online CPU
# cat fubar

Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
parent a6825f1c
...@@ -131,7 +131,7 @@ static int msr_open(struct inode *inode, struct file *file) ...@@ -131,7 +131,7 @@ static int msr_open(struct inode *inode, struct file *file)
ret = -EIO; /* MSR not supported */ ret = -EIO; /* MSR not supported */
out: out:
unlock_kernel(); unlock_kernel();
return 0; return ret;
} }
/* /*
......
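
Review bot: With `return ret;` at the end of msr_open, the success path now depends on `ret` being 0 when control reaches `out:`, and the hunk shows only the `ret = -EIO` assignment. Please confirm that `ret` is initialised to 0 at its declaration and that no earlier check leaves it non-zero when the open should succeed. Since the commit message attributes the bug to the cdev lock_kernel pushdown patch, it would also help to name that commit in the message and to check the other open handlers it touched for the same `return 0` after an `out:` label.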