vringh: Fix loop descriptors check in the indirect cases

stable inclusion from stable-v5.10.122 commit b6ea26873edbd9ca3c0c338c9de856de7f1fcede category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5W6OE Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b6ea26873edbd9ca3c0c338c9de856de7f1fcede -------------------------------- [ Upstream commit dbd29e07 ] We should use size of descriptor chain to test loop condition in the indirect case. And another statistical count is also introduced for indirect descriptors to avoid conflict with the statistical count of direct descriptors. Fixes: f87d0fbb ("vringh: host-side implementation of virtio rings.") Signed-off-by: N Xie Yongji <xieyongji@bytedance.com> Signed-off-by: N Fam Zheng <fam.zheng@bytedance.com> Message-Id: <20220505100910.137-1-xieyongji@bytedance.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Acked-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>

vringh: Fix loop descriptors check in the indirect cases
stable inclusion from stable-v5.10.122 commit b6ea26873edbd9ca3c0c338c9de856de7f1fcede category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5W6OE Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b6ea26873edbd9ca3c0c338c9de856de7f1fcede -------------------------------- [ Upstream commit dbd29e07 ] We should use size of descriptor chain to test loop condition in the indirect case. And another statistical count is also introduced for indirect descriptors to avoid conflict with the statistical count of direct descriptors. Fixes: f87d0fbb ("vringh: host-side implementation of virtio rings.") Signed-off-by: N Xie Yongji <xieyongji@bytedance.com> Signed-off-by: N Fam Zheng <fam.zheng@bytedance.com> Message-Id: <20220505100910.137-1-xieyongji@bytedance.com> Signed-off-by: N Michael S. Tsirkin <mst@redhat.com> Acked-by: N Jason Wang <jasowang@redhat.com> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>
36d7dc79 · Xie Yongji · Zheng Zengkai · e91af759 · 36d7dc79
隐藏空白更改
内联并排

Showing with 8 addition and 2 deletion

drivers/vhost/vringh.c drivers/vhost/vringh.c +8 -2

未找到文件。
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -274,7 +274,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
 	     int (*copy)(const struct vringh *vrh,
 			 void *dst, const void *src, size_t len))
 {
-	int err, count = 0, up_next, desc_max;
+	int err, count = 0, indirect_count = 0, up_next, desc_max;
 	struct vring_desc desc, *descs;
 	struct vringh_range range = { -1ULL, 0 }, slowrange;
 	bool slow = false;
@@ -331,7 +331,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
 			continue;
 		}
-		if (count++ == vrh->vring.num) {
+		if (up_next == -1)
+			count++;
+		else
+			indirect_count++;
+		if (count > vrh->vring.num || indirect_count > desc_max) {
 			vringh_bad("Descriptor loop in %p", descs);
 			err = -ELOOP;
 			goto fail;
@@ -393,6 +398,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
 				i = return_from_indirect(vrh, &up_next,
 							 &descs, &desc_max);
 				slow = false;
+				indirect_count = 0;
 			} else
 				break;
 		}