From: Ziyi Guo
To: Wei Liu, Paul Durrant, Andrew Lunn, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: "Andrew J . Bennieston", xen-devel@lists.xenproject.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Ziyi Guo
Subject: [PATCH net] xen-netback: reject zero-queue configuration from guest
Date: Thu, 12 Feb 2026 22:40:40 +0000
Message-Id: <20260212224040.86674-1-n7l8m4@u.northwestern.edu>

A malicious or buggy Xen guest can write "0" to the xenbus key "multi-queue-num-queues". The connect() function in the backend only validates the upper bound (requested_num_queues > xenvif_max_queues) but not zero, allowing requested_num_queues=0 to reach vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems with panic_on_warn=1, this allows a guest-to-host denial of service.

The Xen network interface specification requires the queue count to be "greater than zero". Add a zero check to match the validation already present in xen-blkback, which has included this guard since its multi-queue support was added.

Fixes: 8d3d53b3e433 ("xen-netback: Add support for multiple queues")
Signed-off-by: Ziyi Guo
Reviewed-by: Juergen Gross
--- drivers/net/xen-netback/xenbus.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xen= bus.c index a78a25b87240..2ef59b08ae21 100644 --- a/drivers/net/xen-netback/xenbus.c +++ b/drivers/net/xen-netback/xenbus.c 
@@ -735,10 +735,11 @@ static void connect(struct backend_info *be) */ requested_num_queues =3D xenbus_read_unsigned(dev->otherend, "multi-queue-num-queues", 1); - if (requested_num_queues > xenvif_max_queues) { + if (requested_num_queues > xenvif_max_queues || + requested_num_queues =3D=3D 0) { /* buggy or malicious guest */ xenbus_dev_fatal(dev, -EINVAL, - "guest requested %u queues, exceeding the maximum of %u.", + "guest requested %u queues, but valid range is 1 - %u.", requested_num_queues, xenvif_max_queues); return; } --=20 2.34.1
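Review bot: The new xenbus_dev_fatal() format string in connect(), "valid range is 1 - %u", reads like a subtraction in a log line; "must be between 1 and %u" is unambiguous and easier to match on when searching host logs for misbehaving guests. The retained comment /* buggy or malicious guest */ now covers two distinct cases, so it is worth extending it to say why zero is rejected (a zero count would otherwise reach the queue array allocation), since the condition alone does not show that. The check itself looks right: xenbus_read_unsigned() is called with a default of 1, so an absent "multi-queue-num-queues" key still yields a valid count and only an explicit 0 written by the guest takes the new branch.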