tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

xen-netback: reject zero-queue configuration from guest

A malicious or buggy Xen guest can write "0" to the xenbus key
"multi-queue-num-queues". The connect() function in the backend only
validates the upper bound (requested_num_queues > xenvif_max_queues)
but not zero, allowing requested_num_queues=0 to reach
vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers
WARN_ON_ONCE(!size) in __vmalloc_node_range().

On systems with panic_on_warn=1, this allows a guest-to-host denial
of service.

The Xen network interface specification requires
the queue count to be "greater than zero".

Add a zero check to match the validation already present
in xen-blkback, which has included this
guard since its multi-queue support was added.

Fixes: 8d3d53b3e433 ("xen-netback: Add support for multiple queues")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://patch.msgid.link/20260212224040.86674-1-n7l8m4@u.northwestern.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Ziyi Guo and committed by
Paolo Abeni 6d1dc801 9e7021d2

+3 -2
+3 -2
drivers/net/xen-netback/xenbus.c
··· 735 735 */ 736 736 requested_num_queues = xenbus_read_unsigned(dev->otherend, 737 737 "multi-queue-num-queues", 1); 738 - if (requested_num_queues > xenvif_max_queues) { 738 + if (requested_num_queues > xenvif_max_queues || 739 + requested_num_queues == 0) { 739 740 /* buggy or malicious guest */ 740 741 xenbus_dev_fatal(dev, -EINVAL, 741 - "guest requested %u queues, exceeding the maximum of %u.", 742 + "guest requested %u queues, but valid range is 1 - %u.", 742 743 requested_num_queues, xenvif_max_queues); 743 744 return; 744 745 }