author | Jason Wang <[email protected]> | 2021-10-19 15:01:43 +0800 |
---|---|---|
committer | Michael S. Tsirkin <[email protected]> | 2021-11-01 05:26:48 -0400 |
commit | 6ae6ff6f6e7d2f304a12a53af8298e4f16ad633e (patch) | |
tree | 4a2beb6835b7b4412ba05db98f1cdb1919de256a | |
parent | f1429e6c36f5d12c9ea6edf6d704445fb048e8a6 (diff) |
virtio-blk: validate num_queues during probe
If an untrusted device negotiates BLK_F_MQ but advertises a zero
num_queues, the driver may end up trying to allocate zero size
buffers where ZERO_SIZE_PTR is returned which may pass the checking
against the NULL. This will lead to unexpected results.
Fix this by failing the probe in this case.
Cc: Paolo Bonzini <[email protected]>
Cc: Stefan Hajnoczi <[email protected]>
Cc: Stefano Garzarella <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Michael S. Tsirkin <[email protected]>
Reviewed-by: Stefano Garzarella <[email protected]>
Reviewed-by: Stefan Hajnoczi <[email protected]>
-rw-r--r-- | drivers/block/virtio_blk.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index a33fe0743672..dbcf2a7e4a00 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -571,6 +571,10 @@ static int init_vq(struct virtio_blk *vblk) &num_vqs); if (err) num_vqs = 1; + if (!err && !num_vqs) { + dev_err(&vdev->dev, "MQ advertisted but zero queues reported\n"); + return -EINVAL; + } num_vqs = min_t(unsigned int, min_not_zero(num_request_queues, nr_cpu_ids), |
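Review bot: the dev_err() string in the added block of init_vq() misspells "advertised" as "advertisted"; please fix it, since this is the message an operator will search the kernel log for when a probe is rejected. As a style point, the new condition `!err && !num_vqs` repeats the `err` test from the `if (err)` directly above it, so an `else if (!num_vqs)` branch on that existing statement would express the same check once. It would also help to add a short comment next to the check saying why zero must be rejected here (a zero-size allocation returns ZERO_SIZE_PTR, which passes a NULL test, per the commit message), because that reasoning is not evident from the code alone.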