From nobody Fri Apr 3 01:25:51 2026 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9F397395DA5 for ; Wed, 25 Mar 2026 10:44:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.168.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435484; cv=none; b=MZAoACLDdwWpkiMFSYU6EGlQm6L4+bZrCSHCuhvH9BgKv64YIc6QueS7imCS3RR74qRn2Ycxnj1u0/oauVaNePgyI1JruMohy9PMPIAS/fAFBjhUoa0sKbP4TcPPRaMMKvhWQxQMHks9pICe3j7JcrqbHF2xPT1xKHD84j/CDbA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435484; c=relaxed/simple; bh=kP1JN0TOsfXEJgq4h81TD02jJQMr92Q+lzeaEK0wPp8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mti8hmUhjaFsbH+NAVehVLt7XS4qP1ecGI7JRhzVEw61f505k+EzEaN0foNYZ+XLM+jDX6G3KvkAB9NwBqhIBFfW7WqqG/olwLhY5jhNOGv6GvcJDtYpE2GMAfikSawAWyETUdiR45QWoflLQujFd8e+Uw62eqgHqX+EbC8Ne7A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=WgV0jAlg; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=U5hnc0DX; arc=none smtp.client-ip=205.220.168.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="WgV0jAlg"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="U5hnc0DX" Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 62P9I9PI3057532 for ; Wed, 25 Mar 2026 10:44:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=qcppdkim1; bh=H3xEqupKPOV B9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=WgV0jAlg9v+aBGTve8TYJ8G78QG AqzY9gSnbrMfRwd2UWdamPjP82YtZ9BbfhvlsD7af/mRfyWNBf0E5T35+q4qhS7c 2EgG685KuyWbtl8FFHHGkGFhP2gsxMMtozQwj5qyJr1bTxJulY0FhfkbnmlzubL0 mwIbZM/um9Xb0rSYZa1KwrX0Ex3UrDddrMrWBFMuRnNIqrPEaOtOkKIEklZ/FRj2 Snnkwh5nRi9EKVQZGqQNeYt6/o9+m30xRt48u4nwW/zQeINNdt8H7oSQ40rfxIH+ Xh12NO/XicnfuY6izGPJBpltRagq+9aIU6lxfJJTGr3Ea/RLiRbvAN7xnhw== Received: from mail-pf1-f199.google.com (mail-pf1-f199.google.com [209.85.210.199]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4d46tp1nt4-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Wed, 25 Mar 2026 10:44:42 +0000 (GMT) Received: by mail-pf1-f199.google.com with SMTP id d2e1a72fcca58-82c1e1a6cfbso4155597b3a.0 for ; Wed, 25 Mar 2026 03:44:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1774435481; x=1775040281; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=H3xEqupKPOVB9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=U5hnc0DXoIOAYPLo7oHUHnbdb9QijauP5hwG3/RicvtGusa6SNb/9ZFVQAdKgL8wwl N5otJjlJSgL7yWZ1qABjv9mTNZjAjVkUB/eBqc3BT//QBHYhMFUx+oPOCCLe6jB6O4fE CdU9APxSwSDhmZAoD23Lc+1io8OTObOg1MPRbmSbVA0h/JidUKGEJrzgwBK2IUC89iA2 xr8QlSzniaarAyegcM2rGQ4sdCNq4upGL0nSP1bCiz0N11VNBVSKUdPmvQOURPzSae/+ kvy5oYqlIUQKgbYuzVjrk2JU4ORDmg/he48O7oZNpddoeyhRsoTQYStEu0jf10ZQC+Ou MHVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774435481; x=1775040281; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=H3xEqupKPOVB9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=AZ/uGWbVcuAsgtneQ7VRKmS6bLvoRIsRgzdtshO3TA0huo3Jx2HpKqfR4hRBQ8FJo3 ZcOKZ5Yoi4SXo8DfnALlR7YXYdUoslJlYZy8ZYRRKTgn0PHLosUgZi4wUhbu4vIxh+Ku qU3GSB5iljCrxK7c/7mrU2XKZVFTTJHCkAigBfADUoIBfMGM2EjyUhue2tWqeU4rWtjU Jo6KZCNZWLiaxt/id1rYEGbFCT+UQbugi8/yH+5Bcsi3LbuthyPFAA8ASIiwRpmC/UH6 +CGrYsHmqWmnNGWScrAFtGgScdiyEUKibT7YlmEtsGsMQV+pncK5wgGOGIRlX3XwBOzQ DDjw== X-Forwarded-Encrypted: i=1; AJvYcCXyuTIkWlxpE2aSR0e60LpOhoKRCSZGJLb0sbnNVpjYfvmO5C3n8tncBj/1e8V8DpDbDIdqAf+NjLv2vjY=@vger.kernel.org X-Gm-Message-State: AOJu0Yw2qt9gcluAc7wADRunzTE6t4d35/u0xSBxfxDRgOLi/i8fGmuW ve0wKF/CvT7L2NnmbLAwNuNLyv87ICTU6kHDdkTCWkfPlUYfPxWiEWaL24Q9ZVoxKJnLhF5CD54 F00sx96NFab+GqEkYQL+Ox+Wr2Ulwla+HNw/Owx07v8I7/f2C+ApuWSa2Jmfj6lyOZxE= X-Gm-Gg: ATEYQzxJ/FEsKwr5gZ65++rmOmJLBGYEoTrwLhWZTCZZ0y05sKBBm5oCHhe+bm9CiHG ryw9k6WnTW2pIkHbcDtHnu2UeQfCRlhySgR5xbApoS/+vwSO4qrsQYzlDEwowbf1hw6sL9375ju C1mdkvdhLw5I7oCnUH1va5HZgV0t1rMXXAVcT104HuuEuFVPZbL7XYTsI/SZ7H8Yadf2qjrHS1I onVg8C12ccUHW8mYXiceg09/QoFj2j3YZKmiYC0IF+/PHdCa21c/+RWdZTPOAETI8t0AGoMGJKd fLwPF+2uh24tPVE+wnT3gvlXBBr9bsJJ5hE2z2lHUpFM1dz217VccUTVHksRJFy84f4tFiU9Xi0 VU9mmVlWwFY/pjqlGyjovrdGSEEoM9PKKi61K X-Received: by 2002:a05:6a00:b908:b0:822:682d:2c5f with SMTP id d2e1a72fcca58-82c6df88024mr2827693b3a.28.1774435481256; Wed, 25 Mar 2026 03:44:41 -0700 (PDT) X-Received: by 2002:a05:6a00:b908:b0:822:682d:2c5f with SMTP id d2e1a72fcca58-82c6df88024mr2827678b3a.28.1774435480683; Wed, 25 Mar 2026 03:44:40 -0700 (PDT) Received: from work ([120.60.74.210]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82b0409c6besm17867251b3a.32.2026.03.25.03.44.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Mar 2026 03:44:40 -0700 (PDT) From: Manivannan Sadhasivam To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, andersson@kernel.org, yimingqian591@gmail.com, chris.lew@oss.qualcomm.com, mani@kernel.org, Manivannan Sadhasivam , stable@vger.kernel.org Subject: [PATCH 1/2] net: qrtr: ns: Limit the maximum server registration per node Date: Wed, 25 Mar 2026 16:14:14 +0530 Message-ID: <20260325104415.104972-2-manivannan.sadhasivam@oss.qualcomm.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> References: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Proofpoint-ORIG-GUID: xlMzYB466lZn5poYBXRVngR86a7mrBKR X-Authority-Analysis: v=2.4 cv=F4lat6hN c=1 sm=1 tr=0 ts=69c3bc9a cx=c_pps a=WW5sKcV1LcKqjgzy2JUPuA==:117 a=DfnuZq+CPLWApegUcJV09w==:17 a=Yq5XynenixoA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=yOCtJkima9RkubShWh1s:22 a=VwQbUJbxAAAA:8 a=pGLkceISAAAA:8 a=EUspDBNiAAAA:8 a=CceYW8o60cFt6G1gYt4A:9 a=OpyuDcXvxspvyRM73sMx:22 X-Proofpoint-GUID: xlMzYB466lZn5poYBXRVngR86a7mrBKR X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMzI1MDA3NiBTYWx0ZWRfX3JLlzo7xD+Nh VpRTP3AUPg+b3rc7+MJIwoTjmtzTi3w5s/JmX99WADnv/fB7iCWDfddonlB7OpHPAppXuwZOVzJ PJzS0fWvx/ca/P8fkXYFSXclRcknHE6SeEkX1voxOxoxxwUcyeuCZcUhrJvzoJ+p/Lh255BfJsE tM6lJ9ifNN3NLLjrb+D+71XSoq0r/1ERGYBg6N1Dw3L8JAY9Hu7ks/DEIsraSvfHMHh9VhPthvR roO68X6/fdkAbxkrk7gev9EDFvUG3Cazjjk7WLEKMGemymWgFi1DQGLpFdSx44BUvM2LMV4f6yS AA+Q12+qqru9pyzKN4TWeGrrssRvfI+wgnvLl2b+ZIiwWwl3QWnOW6EMW4ikYVZQF2GJzjq/U9R xmu3f6qqrc9Jf9orFpekjlC5JwLxv55T1o3+I+t8UjKnM8EQSMdD+IgRsC5RSz4am9gOlA5k/XH Ppxvf6RVQvMOFLmVWtw== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-03-25_03,2026-03-24_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 lowpriorityscore=0 priorityscore=1501 bulkscore=0 adultscore=0 malwarescore=0 clxscore=1015 suspectscore=0 impostorscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2603250076 Content-Type: text/plain; charset="utf-8" Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspa= ce") Reported-by: Yiming Qian Signed-off-by: Manivannan Sadhasivam Reviewed-by: Simon Horman --- net/qrtr/ns.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index 3203b2220860..fb4e8a2d370d 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -67,8 +67,14 @@ struct qrtr_server { struct qrtr_node { unsigned int id; struct xarray servers; + u32 server_count; }; =20 +/* Max server limit is chosen based on the current platform requirements. = If the + * requirement changes in the future, this value can be increased. + */ +#define QRTR_NS_MAX_SERVERS 256 + static struct qrtr_node *node_get(unsigned int node_id) { struct qrtr_node *node; @@ -229,6 +235,17 @@ static struct qrtr_server *server_add(unsigned int ser= vice, if (!service || !port) return NULL; =20 + node =3D node_get(node_id); + if (!node) + return NULL; + + /* Make sure the new servers per port are capped at the maximum value */ + old =3D xa_load(&node->servers, port); + if (!old && node->server_count >=3D QRTR_NS_MAX_SERVERS) { + pr_err_ratelimited("QRTR client node %u exceeds max server limit!\n", no= de_id); + return NULL; + } + srv =3D kzalloc_obj(*srv); if (!srv) return NULL; @@ -238,10 +255,6 @@ static struct qrtr_server *server_add(unsigned int ser= vice, srv->node =3D node_id; srv->port =3D port; =20 - node =3D node_get(node_id); - if (!node) - goto err; - /* Delete the old server on the same port */ old =3D xa_store(&node->servers, port, srv, GFP_KERNEL); if (old) { @@ -252,6 +265,8 @@ static struct qrtr_server *server_add(unsigned int serv= ice, } else { kfree(old); } + } else { + node->server_count++; } =20 trace_qrtr_ns_server_add(srv->service, srv->instance, @@ -292,6 +307,7 @@ static int server_del(struct qrtr_node *node, unsigned = int port, bool bcast) } =20 kfree(srv); + node->server_count--; =20 return 0; } --=20 2.51.0 From nobody Fri Apr 3 01:25:52 2026 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B46E13BED42 for ; Wed, 25 Mar 2026 10:44:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435489; cv=none; b=o5V2y/8DxVy2ZVjFsaonJSlzZgEJ6Z7j1B3jxq0zLTkkxECqZbDZq0ZjGmQdLHZwABBzqsK6HClnYg4VwtKeH53hsTWLLt/e7rnJydTSbk67XsQvMW43R59QqHuFrGxHeEFdfncc83NqDZHbxOEpa6g9nI7u2k/q0+HHhb11GLU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435489; c=relaxed/simple; bh=VUckc1SdCNWURMt3QHIG/kYLSzYqTmALMFLTy9j3q9Q=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=k1tGd1hGpGhrjYeGjSlwG1jue9R69If3uMNpLPGZtOvU0habNm91F2Fdilsr4RQC3/0uWN1zE+p7r4HwbGNTl6RkbVP22/U7mrTNvNcc3EcsX2WkOlEo9rsCveXy3w/hR5sUDhPoGr+0VDiOaI58HmhSEOexDeB+hA15XyHKrBA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=SaUEpGDP; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=J7QHEEMN; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="SaUEpGDP"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="J7QHEEMN" Received: from pps.filterd (m0279869.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 62PAMvga1208640 for ; Wed, 25 Mar 2026 10:44:47 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=qcppdkim1; bh=ufmukem2JRe bh6l819czpXtmpvPfo+OtOsxaUsB7OdE=; b=SaUEpGDPQpb8ngfVjbGra2zTUk5 FfKp4nIbTqWqPuh0ffH84bPugQq6YfCIMZSDK7cXxXYDZjH+4wFrUC9JlaCC5MAA 04fQwRe3VaTJP0h4jhkG7cja0P5Of7SAuxlbxz0FDlCCgD0wFXzwrFPNqSuF99hf 25U+j77Uszvhp0u9l9aGIZBG8Wwu+F4yA24P4h63N6NL7hcsLlLATQ0Lpuu3YZwd +SD+fHTtes2YVuiHPK3z/NxV3YtxEkbKQFO5WblaycEu8dzR7Cgmxn02cw8VrhGc Pt3O3ijGQVbNE3MUndZx/oAFqTrXmgCXIz2QetvgSOmtvdITX0CO1Njx51w== Received: from mail-pj1-f72.google.com (mail-pj1-f72.google.com [209.85.216.72]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4d48599dmg-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Wed, 25 Mar 2026 10:44:47 +0000 (GMT) Received: by mail-pj1-f72.google.com with SMTP id 98e67ed59e1d1-358e425c261so8252535a91.3 for ; Wed, 25 Mar 2026 03:44:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1774435486; x=1775040286; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ufmukem2JRebh6l819czpXtmpvPfo+OtOsxaUsB7OdE=; b=J7QHEEMNmD8fI+e1elAZVwOn75WdQ7WmhTb5sUgfKyplH3dbGDdLe/yutxhBxyQXZP Rp8j3PVUNqNVSkHsZwYJsx3rH+5a9eTLsQ/V804LUlKMD2mz3KA5Iz4Mr9Z6S3bLrmMQ 3haH5xtey9w3cXR+6LR0vgjIhkyLVjE8DmalUJ96ygxEhze1YcyigknvrhXVWkPQWXFA bxyBcJqc4ow4yhl+6MqwqQuorqCZIzSv21G2xo6bhQjJUbLY5jlAWMRCTkAMRzGiKj5Z 8V35ghqfJWLwwXnTnYnV0qX+0Tc2sdV06it04AgWmggmnMBB2H1Nc5WznOmO2NaTl7ji QHvQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774435486; x=1775040286; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=ufmukem2JRebh6l819czpXtmpvPfo+OtOsxaUsB7OdE=; b=d+LMta67oLA0UNCJfXW8+xqeErWechifhWTSeaewUSntQDurOTCylkMcm01s+hsH93 jqmgasLPxYvPDbLX4Y+cvJ9AUI711hnS+Rg24fMqJPk1+HVPzEuzonWRBnuO/TXZMZR0 Fxf2E7Y6gyCLp35TRGWLrpGw0bw2Wz5Ev06wplQKCFMh0YN/7H9vtXKdFi1Pk9s7JS8C 1ycrxCt9yYPMDIOjW+5f+1Grxcv6TBCPyJtXS5mgqlrnAm3kZdhdpHi81Gz/uDbSVwCQ u/8MvgMDAm6tVrzYxn2bi/Jow+FhHqpicpUN5xlDXGqMdAL5M1O+UyWLExLaiC0jH64D 9wkQ== X-Forwarded-Encrypted: i=1; AJvYcCXbDj0M+jWTDpu2Q5sKzhrnpk+4ZhO+YLqUclDhJllQq7oTD0Dqe0Faomh1Byc70349bSXrfbZFl/1Uly8=@vger.kernel.org X-Gm-Message-State: AOJu0Ywa+HdvSYycVwdp6tT39fU9zRR5xzl7BoNLea6oi/kREihckmc9 WTg9fYALo6SNbDyVSLxafjFZXmbLu5Cdlem0Vl60/KyOZSBIz2+jsZVLUX8lbyFlwjiZ/CrkVb9 njHv7vkz3f/sg/ftdUAdwn18md+/cjy8VNuf4dXF3molbJjLo5QVUQPRqimcLo/6AI7Uqi6xCSV 8= X-Gm-Gg: ATEYQzxnXNU0KsXrZJ0JfdZwXF4FGwlEHpL4y1qSycFtsOxs5LP3NA4df8bkk69LmJX 0eJQVckCBNVf2h8+0Dxf7LPDYVvaQ0KLoNcMjLAmsxG1inC8os+RWNjrjwXEVBL36kWL9uEafch CrAUZWMDAd+iJ9bfuUCvTRr69jGJqsaaaiJk3dgk1WuiU1hBZ5ciWtF44wMzfhRUNMxP+1x4g+L y8+SdF87Qy3E/YJd5Rqd/E/GatepXrYKKzVmdBGaotzadkzBb6AUc5BCkI8brEV/3e/ZHYyamci WxHP9nJ+rqvMT4W6SzYgdSrW+26ihEw0W6fcIg6WLC0Ih2tz/EOl0nDN/z78nYkiIjLHfm5Ldrc wLHnvioObwWpqfkeMMtXs90x6RZgpGY98lTkT X-Received: by 2002:a05:6a20:3d1c:b0:39b:c686:6306 with SMTP id adf61e73a8af0-39c4ace66aemr2930376637.30.1774435486257; Wed, 25 Mar 2026 03:44:46 -0700 (PDT) X-Received: by 2002:a05:6a20:3d1c:b0:39b:c686:6306 with SMTP id adf61e73a8af0-39c4ace66aemr2930342637.30.1774435485700; Wed, 25 Mar 2026 03:44:45 -0700 (PDT) Received: from work ([120.60.74.210]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82b0409c6besm17867251b3a.32.2026.03.25.03.44.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Mar 2026 03:44:45 -0700 (PDT) From: Manivannan Sadhasivam To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, andersson@kernel.org, yimingqian591@gmail.com, chris.lew@oss.qualcomm.com, mani@kernel.org, Manivannan Sadhasivam , stable@vger.kernel.org Subject: [PATCH 2/2] net: qrtr: ns: Limit the maximum lookups per socket Date: Wed, 25 Mar 2026 16:14:15 +0530 Message-ID: <20260325104415.104972-3-manivannan.sadhasivam@oss.qualcomm.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> References: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMzI1MDA3NiBTYWx0ZWRfX0PJRioYJpzQL tJxqv6sgrphPAHXSZ2GuOqmf1iM9wcoaeFk48Jsmnm2hUCDYbw/z5i8hj/V27ZSntpEsCrM6Jk/ 3iBabOWq3CIQd9ffqUnkyYQ33lisZN83U7kaLl/0kj8XxbBGNfPk0rR9lC7L7aiNg4vN2uYXsuZ IkSUy+hFK+/NcIGxVtu9zPBRXSwz/xdR4bBpQGmSMctKDyfjHAu8lfXWStVdjqUTcDbVPyMwlmB KqTcNxhO3wgb6XJ1uGoH4gKBdl24WqNl480on63R/0slt5wZqYm6ACA1AmIRX5ZF0Hki9z3D/Zx k2Ng3XxY1ztPQr3pmFSY8jEWtpvVV2r+caPV97pGKHTW7EoVzPlA06MtJ3jXBLWlthI7i1WXeFs ToVVbBoiu1jEY0/PbsPso/mp/QqGrYeqrgEp4p+lCnf2yrV+3g0EifCEk28HQYcE3vn8UtVOpwa +S+8PttxIYgGyIoUpqw== X-Authority-Analysis: v=2.4 cv=VODQXtPX c=1 sm=1 tr=0 ts=69c3bc9f cx=c_pps a=RP+M6JBNLl+fLTcSJhASfg==:117 a=DfnuZq+CPLWApegUcJV09w==:17 a=Yq5XynenixoA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=_glEPmIy2e8OvE2BGh3C:22 a=VwQbUJbxAAAA:8 a=EUspDBNiAAAA:8 a=X_qntSa0dJ9H4pJGHfIA:9 a=iS9zxrgQBfv6-_F4QbHw:22 X-Proofpoint-GUID: EF7XsLW4Ee5LPW5wf-KIy1wvLjlRsPAQ X-Proofpoint-ORIG-GUID: EF7XsLW4Ee5LPW5wf-KIy1wvLjlRsPAQ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-03-25_03,2026-03-24_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 lowpriorityscore=0 malwarescore=0 phishscore=0 priorityscore=1501 spamscore=0 impostorscore=0 clxscore=1015 adultscore=0 bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2603250076 Content-Type: text/plain; charset="utf-8" Current code does no bound checking on the number of lookups a client can perform per socket. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket. Fix this issue by limiting the maximum number of lookups to 64 per socket. Note that, limit of 64 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspa= ce") Signed-off-by: Manivannan Sadhasivam --- net/qrtr/ns.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index fb4e8a2d370d..707fde809939 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -70,10 +70,11 @@ struct qrtr_node { u32 server_count; }; =20 -/* Max server limit is chosen based on the current platform requirements. = If the - * requirement changes in the future, this value can be increased. +/* Max server, lookup limits are chosen based on the current platform requ= irements. + * If the requirement changes in the future, these values can be increased. */ #define QRTR_NS_MAX_SERVERS 256 +#define QRTR_NS_MAX_LOOKUPS 64 =20 static struct qrtr_node *node_get(unsigned int node_id) { @@ -545,11 +546,24 @@ static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *= from, struct qrtr_node *node; unsigned long node_idx; unsigned long srv_idx; + u8 count =3D 0; =20 /* Accept only local observers */ if (from->sq_node !=3D qrtr_ns.local_node) return -EINVAL; =20 + /* Make sure the client performs only maximum allowed lookups */ + list_for_each_entry(lookup, &qrtr_ns.lookups, li) { + if (lookup->sq.sq_node =3D=3D from->sq_node && + lookup->sq.sq_port =3D=3D from->sq_port) + count++; + } + + if (count >=3D QRTR_NS_MAX_LOOKUPS) { + pr_err_ratelimited("QRTR client node exceeds max lookup limit!\n"); + return -ENOSPC; + } + lookup =3D kzalloc_obj(*lookup); if (!lookup) return -ENOMEM; --=20 2.51.0