From: Jakub Kicinski <kuba@kernel.org>
To: manivannan.sadhasivam@oss.qualcomm.com
Cc: Jakub Kicinski <kuba@kernel.org>,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
horms@kernel.org, linux-arm-msm@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
andersson@kernel.org, yimingqian591@gmail.com,
chris.lew@oss.qualcomm.com, mani@kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH 1/2] net: qrtr: ns: Limit the maximum server registration per node
Date: Sun, 29 Mar 2026 13:33:54 -0700 [thread overview]
Message-ID: <20260329203354.2815284-1-kuba@kernel.org> (raw)
In-Reply-To: <20260325104415.104972-2-manivannan.sadhasivam@oss.qualcomm.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
net: qrtr: ns: Limit the maximum server registration per node
This commit introduces a limit of 256 server registrations per node to
prevent malicious clients from exhausting memory by flooding NEW_SERVER
messages.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
> diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
> index 3203b2220860..fb4e8a2d370d 100644
> --- a/net/qrtr/ns.c
> +++ b/net/qrtr/ns.c
[ ... ]
> @@ -229,6 +235,17 @@ static struct qrtr_server *server_add(unsigned int service,
> if (!service || !port)
> return NULL;
>
> + node = node_get(node_id);
Does this per-node limit fully protect against memory exhaustion?
If a remote client spoofs the node ID in the NEW_SERVER message, the
attacker-controlled node_id is passed to server_add(). Because node_get()
unconditionally allocates a new qrtr_node structure when one is not found,
an attacker could continuously send messages with unique node IDs.
Could this result in unbounded node allocations that still exhaust system
memory despite the per-node server limit?
> + if (!node)
> + return NULL;
> +
> + /* Make sure the new servers per port are capped at the maximum value */
> + old = xa_load(&node->servers, port);
> + if (!old && node->server_count >= QRTR_NS_MAX_SERVERS) {
> + pr_err_ratelimited("QRTR client node %u exceeds max server limit!\n", node_id);
> + return NULL;
While this error message is rate-limited, returning NULL here causes
ctrl_cmd_new_server() to return -EINVAL.
In the main packet loop qrtr_ns_worker(), a negative return value triggers
an un-ratelimited error:
if (ret < 0)
pr_err("failed while handling packet from %d:%d",
sq.sq_node, sq.sq_port);
Could a flood of excess server registrations trigger this un-ratelimited
message and cause a console logging storm?
> + }
> +
> srv = kzalloc_obj(*srv);
> if (!srv)
> return NULL;
--
pw-bot: cr
next prev parent reply other threads:[~2026-03-29 20:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 10:44 [PATCH 0/2] net: qrtr: ns: Fix unbounded server/lookup messages Manivannan Sadhasivam
2026-03-25 10:44 ` [PATCH 1/2] net: qrtr: ns: Limit the maximum server registration per node Manivannan Sadhasivam
2026-03-27 9:58 ` Simon Horman
2026-03-27 10:10 ` Manivannan Sadhasivam
2026-03-29 20:33 ` Jakub Kicinski
2026-03-29 20:33 ` Jakub Kicinski [this message]
2026-03-25 10:44 ` [PATCH 2/2] net: qrtr: ns: Limit the maximum lookups per socket Manivannan Sadhasivam
2026-03-27 10:07 ` Simon Horman
2026-03-27 10:17 ` Manivannan Sadhasivam
2026-03-29 20:33 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260329203354.2815284-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=andersson@kernel.org \
--cc=chris.lew@oss.qualcomm.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mani@kernel.org \
--cc=manivannan.sadhasivam@oss.qualcomm.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=yimingqian591@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox