mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-28 15:20:41 +00:00
29baef789c
When validating drafted SPDK ublk target, in a case that
assigning large queue depth to multiqueue ublk device,
ublk target would run into a weird incorrect state. During
rounds of review and debug, An overflow bug was found
in ublk driver.
In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means
each ublk queue depth can be set as large as 4096. But
when setting qd for a ublk device,
sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)
will be larger than 65535 if qd is larger than 2728.
Then queue_size is overflowed, and ublk_get_queue()
references a wrong pointer position. The wrong content of
ublk_queue elements will lead to out-of-bounds memory
access.
Extend queue_size in ublk_device as "unsigned int".
Signed-off-by: Liu Xiaodong <xiaodong.liu@intel.com>
Fixes:
|
||
---|---|---|
.. | ||
aoe | ||
drbd | ||
mtip32xx | ||
null_blk | ||
paride | ||
rnbd | ||
xen-blkback | ||
zram | ||
amiflop.c | ||
ataflop.c | ||
brd.c | ||
floppy.c | ||
Kconfig | ||
loop.c | ||
Makefile | ||
n64cart.c | ||
nbd.c | ||
pktcdvd.c | ||
ps3disk.c | ||
ps3vram.c | ||
rbd.c | ||
rbd_types.h | ||
sunvdc.c | ||
swim.c | ||
swim3.c | ||
swim_asm.S | ||
ublk_drv.c | ||
virtio_blk.c | ||
xen-blkfront.c | ||
z2ram.c |