[PATCH net] xen-netback: reject zero-queue configuration from guest

[Ziyi Guo <n7l8m4@xxxxxxxxxxxxxxxxxx>]

A malicious or buggy Xen guest can write "0" to the xenbus key
"multi-queue-num-queues". The connect() function in the backend only
validates the upper bound (requested_num_queues > xenvif_max_queues)
but not zero, allowing requested_num_queues=0 to reach
vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers
WARN_ON_ONCE(!size) in __vmalloc_node_range().

On systems with panic_on_warn=1, this allows a guest-to-host denial
of service.

The Xen network interface specification requires 
the queue count to be "greater than zero".

Add a zero check to match the validation already present 
in xen-blkback, which has included this
guard since its multi-queue support was added.

Fixes: 8d3d53b3e433 ("xen-netback: Add support for multiple queues")
Signed-off-by: Ziyi Guo <n7l8m4@xxxxxxxxxxxxxxxxxx>
---
 drivers/net/xen-netback/xenbus.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
index a78a25b87240..2ef59b08ae21 100644
--- a/drivers/net/xen-netback/xenbus.c
+++ b/drivers/net/xen-netback/xenbus.c
@@ -735,10 +735,11 @@ static void connect(struct backend_info *be)
         */
        requested_num_queues = xenbus_read_unsigned(dev->otherend,
                                        "multi-queue-num-queues", 1);
-       if (requested_num_queues > xenvif_max_queues) {
+       if (requested_num_queues > xenvif_max_queues ||
+           requested_num_queues == 0) {
                /* buggy or malicious guest */
                xenbus_dev_fatal(dev, -EINVAL,
-                                "guest requested %u queues, exceeding the 
maximum of %u.",
+                                "guest requested %u queues, but valid range is 
1 - %u.",
                                 requested_num_queues, xenvif_max_queues);
                return;
        }
-- 
2.34.1