[PATCH AUTOSEL 6.12 01/21] ublk: sanity check add_dev input for underflow

From: Ronnie Sahlberg <rsahlberg@xxxxxxxxxxxxx>

[ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ]

Add additional checks that queue depth and number of queues are
non-zero.

Signed-off-by: Ronnie Sahlberg <rsahlberg@xxxxxxxxxxxxx>
Reviewed-by: Ming Lei <ming.lei@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@xxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---

**YES**

This commit should be backported to stable kernel trees for the
following reasons:

**1. Fixes a Critical Input Validation Bug**
The commit addresses a serious bug where userspace could pass zero
values for `queue_depth` or `nr_hw_queues`, leading to:
- Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in
  `ublk_init_queues()`)
- Non-functional block devices with zero queues
- Potential kernel crashes or undefined behavior

**2. Minimal and Contained Fix**
The change is extremely minimal - just adding two checks to an existing
validation:
```diff
-	if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES)
+	if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth ||
+	    info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues)
```

**3. Prevents Security/Stability Issues**
Based on the kernel source analysis:
- `ublk_init_queues()` uses these values directly for memory allocation
- Multiple loops iterate based on `nr_hw_queues` - zero would skip all
  initialization
- The block layer's `blk_mq_alloc_tag_set()` expects non-zero values

**4. Similar to Previously Backported Commits**
This is very similar to "block: ublk: extending queue_size to fix
overflow" (Similar Commit #2), which was marked YES for backporting.
Both fix input validation issues that could cause memory/stability
problems.

**5. Clear Bug Fix Following Stable Rules**
- Fixes a real bug (not theoretical)
- No new features or architectural changes
- Minimal risk - simply rejects invalid input
- Confined to the ublk subsystem
- Prevents userspace from creating broken/dangerous kernel state

The commit prevents userspace from triggering undefined behavior in the
kernel by passing invalid parameters, which is exactly the type of bug
fix that belongs in stable kernels.
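As an added illustration (not kernel code and not part of this patch), a userspace model of the range check before and after the change, together with the zero-queue setup it was letting through. The two UBLK_MAX_* values and the cut-down struct ublksrv_ctrl_dev_info (only the two fields the check reads) are assumptions.

```c
/* Added example, not kernel code: models the check in ublk_ctrl_add_dev()
 * before/after the patch and the effect of nr_hw_queues == 0 on queue setup. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed limits; the real values live in the ublk UAPI headers. */
#define UBLK_MAX_QUEUE_DEPTH 4096
#define UBLK_MAX_NR_QUEUES   4096

struct ublksrv_ctrl_dev_info {	/* only the two fields the check reads */
	uint16_t nr_hw_queues;
	uint16_t queue_depth;
};

/* Pre-patch check: upper bound only, so a zero in either field passes. */
static int check_add_dev_old(const struct ublksrv_ctrl_dev_info *info)
{
	if (info->queue_depth > UBLK_MAX_QUEUE_DEPTH ||
	    info->nr_hw_queues > UBLK_MAX_NR_QUEUES)
		return -EINVAL;
	return 0;
}

/* Post-patch check: both fields must lie in 1..MAX. */
static int check_add_dev_new(const struct ublksrv_ctrl_dev_info *info)
{
	if (info->queue_depth > UBLK_MAX_QUEUE_DEPTH || !info->queue_depth ||
	    info->nr_hw_queues > UBLK_MAX_NR_QUEUES || !info->nr_hw_queues)
		return -EINVAL;
	return 0;
}

/* Stand-in for ublk_init_queues(): returns how many queues were set up.
 * With nr_hw_queues == 0 the array allocation is zero-sized and the
 * per-queue loop never runs, leaving a "device" with no queues at all. */
static int init_queues_count(const struct ublksrv_ctrl_dev_info *info)
{
	void **queues = calloc(info->nr_hw_queues, sizeof(*queues));
	int i, n = 0;

	for (i = 0; i < info->nr_hw_queues; i++)
		n++;	/* stands in for allocating one queue */
	free(queues);	/* free(NULL) from calloc(0, ...) is fine */
	return n;
}
```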

 drivers/block/ublk_drv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 746ef36e58df2..3b1a5cdd63116 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -2457,7 +2457,8 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd)
 	if (copy_from_user(&info, argp, sizeof(info)))
 		return -EFAULT;
 
-	if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES)
+	if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth ||
+	    info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues)
 		return -EINVAL;
 
 	if (capable(CAP_SYS_ADMIN))
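Review bot: the subject says "underflow" but the new condition rejects zero outright, so the accepted range for both `queue_depth` and `nr_hw_queues` is now 1..MAX; a one-line comment above the `if` stating that range, and that the later allocations and loops are sized from these fields, would document the intent better than the subject alone. Worth noting in the commit message too that the check sits before the `capable(CAP_SYS_ADMIN)` test, so it applies to every caller regardless of privilege.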
-- 
2.39.5