* [PATCH net] xen-netback: reject zero-queue configuration from guest
@ 2026-02-12 22:40 Ziyi Guo
2026-02-13 11:12 ` Jürgen Groß
2026-02-17 11:10 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Ziyi Guo @ 2026-02-12 22:40 UTC (permalink / raw)
To: Wei Liu, Paul Durrant, Andrew Lunn, David S . Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Andrew J . Bennieston, xen-devel, netdev, linux-kernel, Ziyi Guo
A malicious or buggy Xen guest can write "0" to the xenbus key
"multi-queue-num-queues". The connect() function in the backend only
validates the upper bound (requested_num_queues > xenvif_max_queues)
but not zero, allowing requested_num_queues=0 to reach
vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers
WARN_ON_ONCE(!size) in __vmalloc_node_range().
On systems with panic_on_warn=1, this allows a guest-to-host denial
of service.
The Xen network interface specification requires
the queue count to be "greater than zero".
Add a zero check to match the validation already present
in xen-blkback, which has included this
guard since its multi-queue support was added.
Fixes: 8d3d53b3e433 ("xen-netback: Add support for multiple queues")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
---
drivers/net/xen-netback/xenbus.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
index a78a25b87240..2ef59b08ae21 100644
--- a/drivers/net/xen-netback/xenbus.c
+++ b/drivers/net/xen-netback/xenbus.c
@@ -735,10 +735,11 @@ static void connect(struct backend_info *be)
*/
requested_num_queues = xenbus_read_unsigned(dev->otherend,
"multi-queue-num-queues", 1);
- if (requested_num_queues > xenvif_max_queues) {
+ if (requested_num_queues > xenvif_max_queues ||
+ requested_num_queues == 0) {
/* buggy or malicious guest */
xenbus_dev_fatal(dev, -EINVAL,
- "guest requested %u queues, exceeding the maximum of %u.",
+ "guest requested %u queues, but valid range is 1 - %u.",
requested_num_queues, xenvif_max_queues);
return;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] xen-netback: reject zero-queue configuration from guest
2026-02-12 22:40 [PATCH net] xen-netback: reject zero-queue configuration from guest Ziyi Guo
@ 2026-02-13 11:12 ` Jürgen Groß
2026-02-17 11:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Jürgen Groß @ 2026-02-13 11:12 UTC (permalink / raw)
To: Ziyi Guo, Wei Liu, Paul Durrant, Andrew Lunn, David S . Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Andrew J . Bennieston, xen-devel, netdev, linux-kernel
[-- Attachment #1.1.1: Type: text/plain, Size: 966 bytes --]
On 12.02.26 23:40, Ziyi Guo wrote:
> A malicious or buggy Xen guest can write "0" to the xenbus key
> "multi-queue-num-queues". The connect() function in the backend only
> validates the upper bound (requested_num_queues > xenvif_max_queues)
> but not zero, allowing requested_num_queues=0 to reach
> vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers
> WARN_ON_ONCE(!size) in __vmalloc_node_range().
>
> On systems with panic_on_warn=1, this allows a guest-to-host denial
> of service.
>
> The Xen network interface specification requires
> the queue count to be "greater than zero".
>
> Add a zero check to match the validation already present
> in xen-blkback, which has included this
> guard since its multi-queue support was added.
>
> Fixes: 8d3d53b3e433 ("xen-netback: Add support for multiple queues")
> Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Reviewed-by: Juergen Gross <jgross@suse.com>
Juergen
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3743 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] xen-netback: reject zero-queue configuration from guest
2026-02-12 22:40 [PATCH net] xen-netback: reject zero-queue configuration from guest Ziyi Guo
2026-02-13 11:12 ` Jürgen Groß
@ 2026-02-17 11:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-02-17 11:10 UTC (permalink / raw)
To: Ziyi Guo
Cc: wei.liu, paul, andrew+netdev, davem, edumazet, kuba, pabeni,
andrew.bennieston, xen-devel, netdev, linux-kernel
Hello:
This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:
On Thu, 12 Feb 2026 22:40:40 +0000 you wrote:
> A malicious or buggy Xen guest can write "0" to the xenbus key
> "multi-queue-num-queues". The connect() function in the backend only
> validates the upper bound (requested_num_queues > xenvif_max_queues)
> but not zero, allowing requested_num_queues=0 to reach
> vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers
> WARN_ON_ONCE(!size) in __vmalloc_node_range().
>
> [...]
Here is the summary with links:
- [net] xen-netback: reject zero-queue configuration from guest
https://git.kernel.org/netdev/net/c/6d1dc8014334
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-02-17 11:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-12 22:40 [PATCH net] xen-netback: reject zero-queue configuration from guest Ziyi Guo
2026-02-13 11:12 ` Jürgen Groß
2026-02-17 11:10 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox