diff options
author | Jason Wang <jasowang@redhat.com> | 2021-10-19 10:01:43 +0300 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2021-11-01 12:26:48 +0300 |
commit | 6ae6ff6f6e7d2f304a12a53af8298e4f16ad633e (patch) | |
tree | 4a2beb6835b7b4412ba05db98f1cdb1919de256a /drivers/block/virtio_blk.c | |
parent | f1429e6c36f5d12c9ea6edf6d704445fb048e8a6 (diff) | |
download | linux-6ae6ff6f6e7d2f304a12a53af8298e4f16ad633e.tar.xz |
virtio-blk: validate num_queues during probe
If an untrusted device neogitates BLK_F_MQ but advertises a zero
num_queues, the driver may end up trying to allocating zero size
buffers where ZERO_SIZE_PTR is returned which may pass the checking
against the NULL. This will lead unexpected results.
Fixing this by failing the probe in this case.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20211019070152.8236-2-jasowang@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'drivers/block/virtio_blk.c')
-rw-r--r-- | drivers/block/virtio_blk.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index a33fe0743672..dbcf2a7e4a00 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -571,6 +571,10 @@ static int init_vq(struct virtio_blk *vblk) &num_vqs); if (err) num_vqs = 1; + if (!err && !num_vqs) { + dev_err(&vdev->dev, "MQ advertisted but zero queues reported\n"); + return -EINVAL; + } num_vqs = min_t(unsigned int, min_not_zero(num_request_queues, nr_cpu_ids), |