vringh: Fix loop descriptors check in the indirect cases

[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]

We should use size of descriptor chain to test loop condition
in the indirect case. And another statistical count is also introduced
for indirect descriptors to avoid conflict with the statistical count
of direct descriptors.

Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Fam Zheng <fam.zheng@bytedance.com>
Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
index 0bd7e64331f086acd9cb7d7139d174624a59077e..5a0340c85dc6b19f7876d643b33adec5301569d4 100644 (file)
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -274,7 +274,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
             int (*copy)(const struct vringh *vrh,
                         void *dst, const void *src, size_t len))
 {
-       int err, count = 0, up_next, desc_max;
+       int err, count = 0, indirect_count = 0, up_next, desc_max;
        struct vring_desc desc, *descs;
        struct vringh_range range = { -1ULL, 0 }, slowrange;
        bool slow = false;
@@ -331,7 +331,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
                        continue;
                }
 
-               if (count++ == vrh->vring.num) {
+               if (up_next == -1)
+                       count++;
+               else
+                       indirect_count++;
+
+               if (count > vrh->vring.num || indirect_count > desc_max) {
                        vringh_bad("Descriptor loop in %p", descs);
                        err = -ELOOP;
                        goto fail;
@@ -393,6 +398,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
                                i = return_from_indirect(vrh, &up_next,
                                                         &descs, &desc_max);
                                slow = false;
+                               indirect_count = 0;
                        } else
                                break;
                }