From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B8B8C43334 for ; Mon, 13 Jun 2022 11:11:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351690AbiFMLLZ (ORCPT ); Mon, 13 Jun 2022 07:11:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44946 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351770AbiFMLIL (ORCPT ); Mon, 13 Jun 2022 07:08:11 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D5D3D33A22; Mon, 13 Jun 2022 03:35:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7A88BB80EAF; Mon, 13 Jun 2022 10:35:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CA711C34114; Mon, 13 Jun 2022 10:35:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1655116514; bh=XCfyyp/SpNXn1B7LF8SU/L3pLBwEj/28+24y99Csbfo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hXOLP9YOl0n+AvEm+uhWuB939fF57BELBvCxLBzoJnwwhsyS8ZtvrDDUixFeEQwkn zMO6rRhJ7mdKln40U7KwwkxTBXRpcbf564Whdc1EZ/YtRN1Y0k8WHfVp/lbpjhAFuS XXuB+dtTk9x0eT5m8/zwJEoR5ELyNVFE1jJOwVGE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xie Yongji , Fam Zheng , "Michael S. Tsirkin" , Jason Wang , Sasha Levin Subject: [PATCH 4.14 205/218] vringh: Fix loop descriptors check in the indirect cases Date: Mon, 13 Jun 2022 12:11:03 +0200 Message-Id: <20220613094926.840709254@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220613094908.257446132@linuxfoundation.org> References: <20220613094908.257446132@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xie Yongji [ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ] We should use size of descriptor chain to test loop condition in the indirect case. And another statistical count is also introduced for indirect descriptors to avoid conflict with the statistical count of direct descriptors. Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.") Signed-off-by: Xie Yongji Signed-off-by: Fam Zheng Message-Id: <20220505100910.137-1-xieyongji@bytedance.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: Sasha Levin --- drivers/vhost/vringh.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index c23045aa9873..a764d36c4d38 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c @@ -263,7 +263,7 @@ __vringh_iov(struct vringh *vrh, u16 i, gfp_t gfp, int (*copy)(void *dst, const void *src, size_t len)) { - int err, count = 0, up_next, desc_max; + int err, count = 0, indirect_count = 0, up_next, desc_max; struct vring_desc desc, *descs; struct vringh_range range = { -1ULL, 0 }, slowrange; bool slow = false; @@ -320,7 +320,12 @@ __vringh_iov(struct vringh *vrh, u16 i, continue; } - if (count++ == vrh->vring.num) { + if (up_next == -1) + count++; + else + indirect_count++; + + if (count > vrh->vring.num || indirect_count > desc_max) { vringh_bad("Descriptor loop in %p", descs); err = -ELOOP; goto fail; @@ -382,6 +387,7 @@ __vringh_iov(struct vringh *vrh, u16 i, i = return_from_indirect(vrh, &up_next, &descs, &desc_max); slow = false; + indirect_count = 0; } else break; } -- 2.35.1