
Commit 967060d0 authored by Darrick J. Wong, committed by Ingo Molnar

x86, msr: fix NULL pointer deref due to msr_open on nonexistent CPUs



msr_open tests for someone trying to open a device for a nonexistent CPU.
However, the function always returns 0, not ret like it should, hence
userspace can BUG the kernel trivially.  This bug was introduced by the
cdev lock_kernel pushdown patch last May.

The BUG can be reproduced with these commands:

# mknod fubar c 202 8 <-- pick a number less than NR_CPUS that is not
                          the number of an online CPU
# cat fubar

Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
parent a6825f1c
+1 −1
@@ -131,7 +131,7 @@ static int msr_open(struct inode *inode, struct file *file)
		ret = -EIO;	/* MSR not supported */
out:
	unlock_kernel();
	return 0;
	return ret;
}

/*
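
Review bot: `ret` must be 0 on the success path that reaches `out:` for `return ret;` to be correct, and the context here shows only the `ret = -EIO` assignment, not the declaration. Please confirm `ret` is initialised to 0 at the top of msr_open() or set explicitly before the label, otherwise a successful open would return an indeterminate value. Since the message says userspace can trigger the BUG trivially, it would also help to name the commit id of the lock_kernel pushdown patch in the changelog so the affected range is clear for backporting.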