Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/series b/queue-4.14/series
index ea8f3c0ba503bdf61e0b814004573f660ba919b6..d592547f2939ae4d127abf9ff65c71f8ef301791 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -203,3 +203,4 @@ nbd-call-genl_unregister_family-first-in-nbd_cleanup.patch
 nbd-fix-race-between-nbd_alloc_config-and-module-rem.patch
 nbd-fix-io-hung-while-disconnecting-device.patch
 nodemask-fix-return-values-to-be-unsigned.patch
+vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch

diff --git a/queue-4.14/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch b/queue-4.14/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
new file mode 100644 (file)
index 0000000..5262545
--- /dev/null
+++ b/queue-4.14/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
@@ -0,0 +1,63 @@
+From 6b54a0d0b606da5c44744339024bd63591b176a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 May 2022 18:09:10 +0800
+Subject: vringh: Fix loop descriptors check in the indirect cases
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]
+
+We should use size of descriptor chain to test loop condition
+in the indirect case. And another statistical count is also introduced
+for indirect descriptors to avoid conflict with the statistical count
+of direct descriptors.
+
+Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Fam Zheng <fam.zheng@bytedance.com>
+Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vringh.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
+index c23045aa9873..a764d36c4d38 100644
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -263,7 +263,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+            gfp_t gfp,
+            int (*copy)(void *dst, const void *src, size_t len))
+ {
+-      int err, count = 0, up_next, desc_max;
++      int err, count = 0, indirect_count = 0, up_next, desc_max;
+       struct vring_desc desc, *descs;
+       struct vringh_range range = { -1ULL, 0 }, slowrange;
+       bool slow = false;
+@@ -320,7 +320,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
+                       continue;
+               }
+ 
+-              if (count++ == vrh->vring.num) {
++              if (up_next == -1)
++                      count++;
++              else
++                      indirect_count++;
++
++              if (count > vrh->vring.num || indirect_count > desc_max) {
+                       vringh_bad("Descriptor loop in %p", descs);
+                       err = -ELOOP;
+                       goto fail;
+@@ -382,6 +387,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+                               i = return_from_indirect(vrh, &up_next,
+                                                        &descs, &desc_max);
+                               slow = false;
++                              indirect_count = 0;
+                       } else
+                               break;
+               }
+-- 
+2.35.1
+