author | Jason Wang <jasowang@redhat.com> | 2021-10-19 09:01:43 +0200 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2021-11-01 10:26:48 +0100 |
commit | 6ae6ff6f6e7d2f304a12a53af8298e4f16ad633e (patch) | |
tree | 4a2beb6835b7b4412ba05db98f1cdb1919de256a | |
parent | virtio-pmem: add myself as virtio-pmem maintainer (diff) | |
virtio-blk: validate num_queues during probe

If an untrusted device negotiates BLK_F_MQ but advertises a zero
num_queues, the driver may end up trying to allocate zero size
buffers where ZERO_SIZE_PTR is returned which may pass the checking
against the NULL. This will lead to unexpected results.

Fix this by failing the probe in this case.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20211019070152.8236-2-jasowang@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-rw-r--r-- | drivers/block/virtio_blk.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index a33fe0743672..dbcf2a7e4a00 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -571,6 +571,10 @@ static int init_vq(struct virtio_blk *vblk) &num_vqs); if (err) num_vqs = 1; + if (!err && !num_vqs) { + dev_err(&vdev->dev, "MQ advertisted but zero queues reported\n"); + return -EINVAL; + } num_vqs = min_t(unsigned int, min_not_zero(num_request_queues, nr_cpu_ids), |
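Review bot: the `!err` test in the added `if (!err && !num_vqs)` in init_vq() is redundant, because the unchanged `if (err) num_vqs = 1;` just above already makes num_vqs non-zero whenever err is set; `if (!num_vqs)` alone covers the same case and reads more directly. The dev_err() string also spells "advertised" as "advertisted"; since this is the only trace an operator gets when a device reports zero queues, the message should be corrected so it can be searched for in logs. A short comment above the check saying that a zero num_queues would otherwise lead to zero-size allocations returning ZERO_SIZE_PTR would keep the reason visible in the code and not only in the commit message.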