From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xie Yongji, Fam Zheng, "Michael S. Tsirkin", Jason Wang, Sasha Levin
Subject: [PATCH 4.9 157/167] vringh: Fix loop descriptors check in the indirect cases
Date: Mon, 13 Jun 2022 12:10:31 +0200
Message-Id: <20220613094917.736801133@linuxfoundation.org>
In-Reply-To: <20220613094840.720778945@linuxfoundation.org>
References: <20220613094840.720778945@linuxfoundation.org>

From: Xie Yongji

[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]

We should use size of descriptor chain to test loop condition in the indirect case. And another statistical count is also introduced for indirect descriptors to avoid conflict with the statistical count of direct descriptors.

Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
Signed-off-by: Xie Yongji
Signed-off-by: Fam Zheng
Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
Signed-off-by: Michael S. Tsirkin
Acked-by: Jason Wang
Signed-off-by: Sasha Levin
--- drivers/vhost/vringh.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index da47542496cc..63f0ab3e6f63 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c
@@ -262,7 +262,7 @@ __vringh_iov(struct vringh *vrh, u16 i, gfp_t gfp, int (*copy)(void *dst, const void *src, size_t len)) { - int err, count = 0, up_next, desc_max; + int err, count = 0, indirect_count = 0, up_next, desc_max; struct vring_desc desc, *descs; struct vringh_range range = { -1ULL, 0 }, slowrange; bool slow = false; @@ -319,7 +319,12 @@ __vringh_iov(struct vringh *vrh, u16 i, continue; } - if (count++ == vrh->vring.num) { + if (up_next == -1) + count++; + else + indirect_count++; + + if (count > vrh->vring.num || indirect_count > desc_max) { vringh_bad("Descriptor loop in %p", descs); err = -ELOOP; goto fail; @@ -381,6 +386,7 @@ __vringh_iov(struct vringh *vrh, u16 i, i = return_from_indirect(vrh, &up_next, &descs, &desc_max); slow = false; + indirect_count = 0; } else break; } -- 2.35.1
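
Review bot: In the first hunk (@@ -262,7 +262,7 @@), the declaration `int err, count = 0, indirect_count = 0, up_next, desc_max;` keeps the name `count` although the second hunk changes what it means: it is now incremented only when `up_next == -1`, so it counts descriptors taken from the main ring and no longer every descriptor visited. A short comment on the declaration, or a rename such as `direct_count`, would keep a later reader from assuming it still bounds the whole walk.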
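
Review bot: In the second hunk (@@ -319,7 +319,12 @@), the combined test `count > vrh->vring.num || indirect_count > desc_max` reports both failures through the same `vringh_bad("Descriptor loop in %p", descs)` call, so the log cannot tell whether the ring-size bound or the indirect-table bound was exceeded; printing the counter and the limit that tripped would make triage of a misbehaving guest or driver much easier. The selector `if (up_next == -1)` also relies on -1 meaning "not inside an indirect table" without saying so, and a one-line comment above it would document the sentinel that both counters depend on.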
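
Review bot: In the third hunk (@@ -381,6 +386,7 @@), `indirect_count = 0;` is cleared only on the path that calls `return_from_indirect(vrh, &up_next, &descs, &desc_max)`, while the limit it is checked against, `desc_max`, is per-table state that this same call rewrites. Nothing in the visible lines clears the counter where an indirect table is entered, so the bound holds only if every indirect walk leaves through this branch; resetting the counter at the entry to the indirect table as well would make the invariant local and guarantee that a stale count never carries into the next table.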