LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, f.hetzelt@tu-berlin.de,
david.kaplan@amd.com, konrad.wilk@oracle.com,
Paolo Bonzini <pbonzini@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Stefano Garzarella <sgarzare@redhat.com>
Subject: Re: [PATCH V2 01/12] virtio-blk: validate num_queues during probe
Date: Wed, 13 Oct 2021 06:04:39 -0400 [thread overview]
Message-ID: <20211013060341-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20211012065227.9953-2-jasowang@redhat.com>
On Tue, Oct 12, 2021 at 02:52:16PM +0800, Jason Wang wrote:
> If an untrusted device neogitates BLK_F_MQ but advertises a zero
> num_queues, the driver may end up trying to allocating zero size
> buffers where ZERO_SIZE_PTR is returned which may pass the checking
> against the NULL. This will lead unexpected results.
>
> Fixing this by using single queue if num_queues is zero.
>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> Cc: Stefano Garzarella <sgarzare@redhat.com>
> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
I'd rather fail probe so we don't need to support that.
> ---
> drivers/block/virtio_blk.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> index 9b3bd083b411..9deff01a38cb 100644
> --- a/drivers/block/virtio_blk.c
> +++ b/drivers/block/virtio_blk.c
> @@ -495,7 +495,8 @@ static int init_vq(struct virtio_blk *vblk)
> err = virtio_cread_feature(vdev, VIRTIO_BLK_F_MQ,
> struct virtio_blk_config, num_queues,
> &num_vqs);
> - if (err)
> + /* We need at least one virtqueue */
> + if (err || !num_vqs)
> num_vqs = 1;
>
> num_vqs = min_t(unsigned int, nr_cpu_ids, num_vqs);
> --
> 2.25.1
next prev parent reply other threads:[~2021-10-13 10:04 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-12 6:52 [PATCH V2 00/12] More virtio hardening Jason Wang
2021-10-12 6:52 ` [PATCH V2 01/12] virtio-blk: validate num_queues during probe Jason Wang
2021-10-13 10:04 ` Michael S. Tsirkin [this message]
2021-10-14 2:32 ` Jason Wang
2021-10-14 5:45 ` Michael S. Tsirkin
2021-10-14 6:23 ` Jason Wang
2021-10-12 6:52 ` [PATCH V2 02/12] virtio: add doc for validate() method Jason Wang
2021-10-13 10:09 ` Michael S. Tsirkin
2021-10-14 2:32 ` Jason Wang
2021-10-12 6:52 ` [PATCH V2 03/12] virtio-console: switch to use .validate() Jason Wang
2021-10-13 9:50 ` Michael S. Tsirkin
2021-10-14 2:28 ` Jason Wang
2021-10-14 5:58 ` Michael S. Tsirkin
2021-10-12 6:52 ` [PATCH V2 04/12] virtio_console: validate max_nr_ports before trying to use it Jason Wang
2021-10-12 6:52 ` [PATCH V2 05/12] virtio_config: introduce a new ready method Jason Wang
2021-10-13 9:57 ` Michael S. Tsirkin
2021-10-12 6:52 ` [PATCH V2 06/12] virtio_pci: harden MSI-X interrupts Jason Wang
2021-10-13 9:59 ` Michael S. Tsirkin
2021-10-14 2:29 ` Jason Wang
2021-10-15 12:09 ` Dongli Zhang
2021-10-15 17:27 ` Michael S. Tsirkin
2021-10-19 1:33 ` Jason Wang
2021-10-19 17:01 ` Dongli Zhang
2021-10-20 1:33 ` Jason Wang
2021-10-20 6:56 ` Michael S. Tsirkin
2021-10-12 6:52 ` [PATCH V2 07/12] virtio-pci: harden INTX interrupts Jason Wang
2021-10-13 9:42 ` Michael S. Tsirkin
2021-10-14 2:35 ` Jason Wang
2021-10-14 5:49 ` Michael S. Tsirkin
2021-10-14 6:20 ` Jason Wang
2021-10-14 6:26 ` Michael S. Tsirkin
2021-10-14 6:32 ` Jason Wang
2021-10-14 7:04 ` Michael S. Tsirkin
2021-10-14 7:12 ` Jason Wang
2021-10-14 9:25 ` Michael S. Tsirkin
2021-10-14 10:03 ` Jason Wang
2021-10-12 6:52 ` [PATCH V2 08/12] virtio_ring: fix typos in vring_desc_extra Jason Wang
2021-10-12 6:52 ` [PATCH V2 09/12] virtio_ring: validate used buffer length Jason Wang
2021-10-13 10:02 ` Michael S. Tsirkin
2021-10-14 2:30 ` Jason Wang
2021-10-12 6:52 ` [PATCH V2 10/12] virtio-net: don't let virtio core to validate used length Jason Wang
2021-10-12 6:52 ` [PATCH V2 11/12] virtio-blk: " Jason Wang
2021-10-12 6:52 ` [PATCH V2 12/12] virtio-scsi: don't let virtio core to validate used buffer length Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211013060341-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=david.kaplan@amd.com \
--cc=f.hetzelt@tu-berlin.de \
--cc=jasowang@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=sgarzare@redhat.com \
--cc=stefanha@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).