Unfortunately, I encountered some difficulties due to my unfamiliarity with the process while sending the patch mail last month. Here is the re-submitted patch attached for your consideration. Best regards, Hyeonjun Ahn. (last mail: https://groups.google.com/g/syzkaller/c/peuwDOjcCZY/m/pQLVAYP2BgAJ, https://lore.kernel.org/all/CACoNggxJiTfTd3BCNbQfySbW=D4jmCPe832cZO1XLhc0=r9C9w@xxxxxxxxxxxxxx) Add max_connections to prevent out-of-memory in nbd_add_socket. Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface") Reported-by: Hyeonjun Ahn <guswns0863@xxxxxxxxx> Signed-off-by: Hyeonjun Ahn <guswns0863@xxxxxxxxx> --- drivers/block/nbd.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 800f131222fc..69f7fe0d07d6 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -162,6 +162,7 @@ static struct dentry *nbd_dbg_dir; static unsigned int nbds_max = 16; static int max_part = 16; static int part_shift; +static unsigned long max_connections = PAGE_SIZE / sizeof(struct nbd_sock *); static int nbd_dev_dbg_init(struct nbd_device *nbd); static void nbd_dev_dbg_close(struct nbd_device *nbd); @@ -1117,6 +1118,13 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, /* Arg will be cast to int, check it to avoid overflow */ if (arg > INT_MAX) return -EINVAL; + + if (config->num_connections >= max_connections) { + dev_err(disk_to_dev(nbd->disk), + "Number of socket connections exceeded limit.\n"); + return -ENOMEM; + } + sock = nbd_get_socket(nbd, arg, &err); if (!sock) return err; -- 2.34.1
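Review bot: The new max_connections in the first hunk (after part_shift) has no comment explaining why PAGE_SIZE / sizeof(struct nbd_sock *) is the right bound, and the commit message does not say which allocation the limit is meant to cap. The limit therefore changes with the architecture's page size and pointer width for no stated reason. It is also declared as a writable static unsigned long alongside nbds_max and max_part, yet nothing in this diff writes to it or exposes it as a module parameter. If it is meant to be fixed, make it a #define or static const with a one-line comment giving the rationale. If it is meant to be tunable, add the module_param and its description in the same patch.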
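Review bot: The limit check added in nbd_add_socket returns -ENOMEM although no allocation has failed at that point. A caller cannot distinguish "limit reached" from real memory pressure, so an error such as -E2BIG or -ENOSPC would describe the condition more accurately. The dev_err() on the same path fires on every rejected request, and arg comes from the caller, so repeated attempts can fill the kernel log. Consider dev_err_ratelimited() or dropping the message, and including the limit value in the text if it is kept. Placing the check before nbd_get_socket() is right, since no socket reference is held when it bails out. The hunk does not show where config is assigned, so please confirm it is valid before this new use.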