mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-28 15:20:41 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/block
History
Liu Xiaodong 29baef789c block: ublk: extending queue_size to fix overflow 
When validating drafted SPDK ublk target, in a case that
assigning large queue depth to multiqueue ublk device,
ublk target would run into a weird incorrect state. During
rounds of review and debug, An overflow bug was found
in ublk driver.

In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means
each ublk queue depth can be set as large as 4096. But
when setting qd for a ublk device,
sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)
will be larger than 65535 if qd is larger than 2728.
Then queue_size is overflowed, and ublk_get_queue()
references a wrong pointer position. The wrong content of
ublk_queue elements will lead to out-of-bounds memory
access.

Extend queue_size in ublk_device as "unsigned int".

Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Fixes: 71f28f3136 ("ublk_drv: add io_uring based userspace block driver")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20230131070552.115067-1-xiaodong.liu@intel.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-01-31 07:58:53 -07:00
..
aoe block: aoe: use DEFINE_SHOW_ATTRIBUTE to simplify aoe_debugfs 2022-09-21 19:49:24 -06:00
drbd block: handle bio_split_to_limits() NULL return 2023-01-04 09:05:23 -07:00
mtip32xx block: move from strlcpy with unused retval to strscpy 2022-09-21 19:45:04 -06:00
null_blk null_blk: support read-only and offline zone conditions 2022-12-01 14:49:48 -07:00
paride block: Change the type of req_op() and bio_op() into enum req_op 2022-07-14 12:14:30 -06:00
rnbd block/rnbd-clt: fix wrong max ID in ida_alloc_max 2023-01-17 08:33:36 -07:00
xen-blkback xen: branch for v6.0-rc4 2022-09-03 13:23:11 -07:00
zram zram: remove unused stats fields 2022-11-30 15:59:01 -08:00
amiflop.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
ataflop.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
brd.c block: move from strlcpy with unused retval to strscpy 2022-09-21 19:45:04 -06:00
floppy.c floppy: Fix memory leak in do_floppy_init() 2022-12-04 18:03:41 +04:00
Kconfig Revert "pktcdvd: remove driver." 2023-01-04 14:44:13 -07:00
loop.c loop: Fix the max_loop commandline argument treatment when it is set to 0 2022-12-14 10:55:20 -07:00
Makefile Revert "pktcdvd: remove driver." 2023-01-04 14:44:13 -07:00
n64cart.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
nbd.c use less confusing names for iov_iter direction initializers 2022-11-25 13:01:55 -05:00
pktcdvd.c pktcdvd: check for NULL returna fter calling bio_split_to_limits() 2023-01-16 08:51:05 -07:00
ps3disk.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
ps3vram.c block: handle bio_split_to_limits() NULL return 2023-01-04 09:05:23 -07:00
rbd.c rbd: fix possible memory leak in rbd_sysfs_init() 2022-10-27 07:15:30 -06:00
rbd_types.h libceph, rbd: replace zero-length array with flexible-array 2020-06-01 13:22:53 +02:00
sunvdc.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
swim.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
swim3.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00
swim_asm.S
ublk_drv.c block: ublk: extending queue_size to fix overflow 2023-01-31 07:58:53 -07:00
virtio_blk.c virtio-blk: replace ida_simple[get|remove] with ida_[alloc_range|free] 2022-11-30 14:23:34 -07:00
xen-blkfront.c block: set the disk capacity to 0 in blk_mark_disk_dead 2022-11-02 08:32:31 -06:00
z2ram.c block: remove blk_cleanup_disk 2022-06-28 06:33:15 -06:00