From: Jason Wang jasowang@redhat.com
mainline inclusion from mainline-5.16 commit 6ae6ff6f6e7d category: bugfix bugzilla: NA CVE: NA
-------------------------------------------------
If an untrusted device neogitates BLK_F_MQ but advertises a zero num_queues, the driver may end up trying to allocating zero size buffers where ZERO_SIZE_PTR is returned which may pass the checking against the NULL. This will lead unexpected results.
Fixing this by failing the probe in this case.
Cc: Paolo Bonzini pbonzini@redhat.com Cc: Stefan Hajnoczi stefanha@redhat.com Cc: Stefano Garzarella sgarzare@redhat.com Signed-off-by: Jason Wang jasowang@redhat.com Link: https://lore.kernel.org/r/20211019070152.8236-2-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin mst@redhat.com Reviewed-by: Stefano Garzarella sgarzare@redhat.com Reviewed-by: Stefan Hajnoczi stefanha@redhat.com Signed-off-by: Wenchao Hao haowenchao@huawei.com Reviewed-by: Miaohe Lin linmiaohe@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/block/virtio_blk.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 4da0012922e84..8ec6b00138265 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -582,6 +582,10 @@ static int init_vq(struct virtio_blk *vblk) num_vqs = 1;
num_vqs = min_t(unsigned int, nr_cpu_ids, num_vqs); + if (!err && !num_vqs) { + dev_err(&vdev->dev, "MQ advertisted but zero queues reported\n"); + return -EINVAL; + }
vblk->vqs = kmalloc_array(num_vqs, sizeof(*vblk->vqs), GFP_KERNEL); if (!vblk->vqs)