From nobody Fri Apr 3 03:01:58 2026 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9F397395DA5 for ; Wed, 25 Mar 2026 10:44:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.168.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435484; cv=none; b=MZAoACLDdwWpkiMFSYU6EGlQm6L4+bZrCSHCuhvH9BgKv64YIc6QueS7imCS3RR74qRn2Ycxnj1u0/oauVaNePgyI1JruMohy9PMPIAS/fAFBjhUoa0sKbP4TcPPRaMMKvhWQxQMHks9pICe3j7JcrqbHF2xPT1xKHD84j/CDbA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774435484; c=relaxed/simple; bh=kP1JN0TOsfXEJgq4h81TD02jJQMr92Q+lzeaEK0wPp8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mti8hmUhjaFsbH+NAVehVLt7XS4qP1ecGI7JRhzVEw61f505k+EzEaN0foNYZ+XLM+jDX6G3KvkAB9NwBqhIBFfW7WqqG/olwLhY5jhNOGv6GvcJDtYpE2GMAfikSawAWyETUdiR45QWoflLQujFd8e+Uw62eqgHqX+EbC8Ne7A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=WgV0jAlg; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=U5hnc0DX; arc=none smtp.client-ip=205.220.168.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="WgV0jAlg"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="U5hnc0DX" Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 62P9I9PI3057532 for ; Wed, 25 Mar 2026 10:44:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=qcppdkim1; bh=H3xEqupKPOV B9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=WgV0jAlg9v+aBGTve8TYJ8G78QG AqzY9gSnbrMfRwd2UWdamPjP82YtZ9BbfhvlsD7af/mRfyWNBf0E5T35+q4qhS7c 2EgG685KuyWbtl8FFHHGkGFhP2gsxMMtozQwj5qyJr1bTxJulY0FhfkbnmlzubL0 mwIbZM/um9Xb0rSYZa1KwrX0Ex3UrDddrMrWBFMuRnNIqrPEaOtOkKIEklZ/FRj2 Snnkwh5nRi9EKVQZGqQNeYt6/o9+m30xRt48u4nwW/zQeINNdt8H7oSQ40rfxIH+ Xh12NO/XicnfuY6izGPJBpltRagq+9aIU6lxfJJTGr3Ea/RLiRbvAN7xnhw== Received: from mail-pf1-f199.google.com (mail-pf1-f199.google.com [209.85.210.199]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4d46tp1nt4-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Wed, 25 Mar 2026 10:44:42 +0000 (GMT) Received: by mail-pf1-f199.google.com with SMTP id d2e1a72fcca58-82c1e1a6cfbso4155597b3a.0 for ; Wed, 25 Mar 2026 03:44:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1774435481; x=1775040281; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=H3xEqupKPOVB9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=U5hnc0DXoIOAYPLo7oHUHnbdb9QijauP5hwG3/RicvtGusa6SNb/9ZFVQAdKgL8wwl N5otJjlJSgL7yWZ1qABjv9mTNZjAjVkUB/eBqc3BT//QBHYhMFUx+oPOCCLe6jB6O4fE CdU9APxSwSDhmZAoD23Lc+1io8OTObOg1MPRbmSbVA0h/JidUKGEJrzgwBK2IUC89iA2 xr8QlSzniaarAyegcM2rGQ4sdCNq4upGL0nSP1bCiz0N11VNBVSKUdPmvQOURPzSae/+ kvy5oYqlIUQKgbYuzVjrk2JU4ORDmg/he48O7oZNpddoeyhRsoTQYStEu0jf10ZQC+Ou MHVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774435481; x=1775040281; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=H3xEqupKPOVB9StA2RSOjiGfT+MC16oQI3PlkW+NAjA=; b=AZ/uGWbVcuAsgtneQ7VRKmS6bLvoRIsRgzdtshO3TA0huo3Jx2HpKqfR4hRBQ8FJo3 ZcOKZ5Yoi4SXo8DfnALlR7YXYdUoslJlYZy8ZYRRKTgn0PHLosUgZi4wUhbu4vIxh+Ku qU3GSB5iljCrxK7c/7mrU2XKZVFTTJHCkAigBfADUoIBfMGM2EjyUhue2tWqeU4rWtjU Jo6KZCNZWLiaxt/id1rYEGbFCT+UQbugi8/yH+5Bcsi3LbuthyPFAA8ASIiwRpmC/UH6 +CGrYsHmqWmnNGWScrAFtGgScdiyEUKibT7YlmEtsGsMQV+pncK5wgGOGIRlX3XwBOzQ DDjw== X-Forwarded-Encrypted: i=1; AJvYcCXyuTIkWlxpE2aSR0e60LpOhoKRCSZGJLb0sbnNVpjYfvmO5C3n8tncBj/1e8V8DpDbDIdqAf+NjLv2vjY=@vger.kernel.org X-Gm-Message-State: AOJu0Yw2qt9gcluAc7wADRunzTE6t4d35/u0xSBxfxDRgOLi/i8fGmuW ve0wKF/CvT7L2NnmbLAwNuNLyv87ICTU6kHDdkTCWkfPlUYfPxWiEWaL24Q9ZVoxKJnLhF5CD54 F00sx96NFab+GqEkYQL+Ox+Wr2Ulwla+HNw/Owx07v8I7/f2C+ApuWSa2Jmfj6lyOZxE= X-Gm-Gg: ATEYQzxJ/FEsKwr5gZ65++rmOmJLBGYEoTrwLhWZTCZZ0y05sKBBm5oCHhe+bm9CiHG ryw9k6WnTW2pIkHbcDtHnu2UeQfCRlhySgR5xbApoS/+vwSO4qrsQYzlDEwowbf1hw6sL9375ju C1mdkvdhLw5I7oCnUH1va5HZgV0t1rMXXAVcT104HuuEuFVPZbL7XYTsI/SZ7H8Yadf2qjrHS1I onVg8C12ccUHW8mYXiceg09/QoFj2j3YZKmiYC0IF+/PHdCa21c/+RWdZTPOAETI8t0AGoMGJKd fLwPF+2uh24tPVE+wnT3gvlXBBr9bsJJ5hE2z2lHUpFM1dz217VccUTVHksRJFy84f4tFiU9Xi0 VU9mmVlWwFY/pjqlGyjovrdGSEEoM9PKKi61K X-Received: by 2002:a05:6a00:b908:b0:822:682d:2c5f with SMTP id d2e1a72fcca58-82c6df88024mr2827693b3a.28.1774435481256; Wed, 25 Mar 2026 03:44:41 -0700 (PDT) X-Received: by 2002:a05:6a00:b908:b0:822:682d:2c5f with SMTP id d2e1a72fcca58-82c6df88024mr2827678b3a.28.1774435480683; Wed, 25 Mar 2026 03:44:40 -0700 (PDT) Received: from work ([120.60.74.210]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82b0409c6besm17867251b3a.32.2026.03.25.03.44.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 25 Mar 2026 03:44:40 -0700 (PDT) From: Manivannan Sadhasivam To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org Cc: linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, andersson@kernel.org, yimingqian591@gmail.com, chris.lew@oss.qualcomm.com, mani@kernel.org, Manivannan Sadhasivam , stable@vger.kernel.org Subject: [PATCH 1/2] net: qrtr: ns: Limit the maximum server registration per node Date: Wed, 25 Mar 2026 16:14:14 +0530 Message-ID: <20260325104415.104972-2-manivannan.sadhasivam@oss.qualcomm.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> References: <20260325104415.104972-1-manivannan.sadhasivam@oss.qualcomm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Proofpoint-ORIG-GUID: xlMzYB466lZn5poYBXRVngR86a7mrBKR X-Authority-Analysis: v=2.4 cv=F4lat6hN c=1 sm=1 tr=0 ts=69c3bc9a cx=c_pps a=WW5sKcV1LcKqjgzy2JUPuA==:117 a=DfnuZq+CPLWApegUcJV09w==:17 a=Yq5XynenixoA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=yOCtJkima9RkubShWh1s:22 a=VwQbUJbxAAAA:8 a=pGLkceISAAAA:8 a=EUspDBNiAAAA:8 a=CceYW8o60cFt6G1gYt4A:9 a=OpyuDcXvxspvyRM73sMx:22 X-Proofpoint-GUID: xlMzYB466lZn5poYBXRVngR86a7mrBKR X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMzI1MDA3NiBTYWx0ZWRfX3JLlzo7xD+Nh VpRTP3AUPg+b3rc7+MJIwoTjmtzTi3w5s/JmX99WADnv/fB7iCWDfddonlB7OpHPAppXuwZOVzJ PJzS0fWvx/ca/P8fkXYFSXclRcknHE6SeEkX1voxOxoxxwUcyeuCZcUhrJvzoJ+p/Lh255BfJsE tM6lJ9ifNN3NLLjrb+D+71XSoq0r/1ERGYBg6N1Dw3L8JAY9Hu7ks/DEIsraSvfHMHh9VhPthvR roO68X6/fdkAbxkrk7gev9EDFvUG3Cazjjk7WLEKMGemymWgFi1DQGLpFdSx44BUvM2LMV4f6yS AA+Q12+qqru9pyzKN4TWeGrrssRvfI+wgnvLl2b+ZIiwWwl3QWnOW6EMW4ikYVZQF2GJzjq/U9R xmu3f6qqrc9Jf9orFpekjlC5JwLxv55T1o3+I+t8UjKnM8EQSMdD+IgRsC5RSz4am9gOlA5k/XH Ppxvf6RVQvMOFLmVWtw== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-03-25_03,2026-03-24_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 lowpriorityscore=0 priorityscore=1501 bulkscore=0 adultscore=0 malwarescore=0 clxscore=1015 suspectscore=0 impostorscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2603250076 Content-Type: text/plain; charset="utf-8" Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. Cc: stable@vger.kernel.org Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspa= ce") Reported-by: Yiming Qian Signed-off-by: Manivannan Sadhasivam Reviewed-by: Simon Horman --- net/qrtr/ns.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index 3203b2220860..fb4e8a2d370d 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -67,8 +67,14 @@ struct qrtr_server { struct qrtr_node { unsigned int id; struct xarray servers; + u32 server_count; }; =20 +/* Max server limit is chosen based on the current platform requirements. = If the + * requirement changes in the future, this value can be increased. + */ +#define QRTR_NS_MAX_SERVERS 256 + static struct qrtr_node *node_get(unsigned int node_id) { struct qrtr_node *node; @@ -229,6 +235,17 @@ static struct qrtr_server *server_add(unsigned int ser= vice, if (!service || !port) return NULL; =20 + node =3D node_get(node_id); + if (!node) + return NULL; + + /* Make sure the new servers per port are capped at the maximum value */ + old =3D xa_load(&node->servers, port); + if (!old && node->server_count >=3D QRTR_NS_MAX_SERVERS) { + pr_err_ratelimited("QRTR client node %u exceeds max server limit!\n", no= de_id); + return NULL; + } + srv =3D kzalloc_obj(*srv); if (!srv) return NULL; @@ -238,10 +255,6 @@ static struct qrtr_server *server_add(unsigned int ser= vice, srv->node =3D node_id; srv->port =3D port; =20 - node =3D node_get(node_id); - if (!node) - goto err; - /* Delete the old server on the same port */ old =3D xa_store(&node->servers, port, srv, GFP_KERNEL); if (old) { @@ -252,6 +265,8 @@ static struct qrtr_server *server_add(unsigned int serv= ice, } else { kfree(old); } + } else { + node->server_count++; } =20 trace_qrtr_ns_server_add(srv->service, srv->instance, @@ -292,6 +307,7 @@ static int server_del(struct qrtr_node *node, unsigned = int port, bool bcast) } =20 kfree(srv); + node->server_count--; =20 return 0; } --=20 2.51.0