Fixes for 4.9

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.9/series b/queue-4.9/series
index f4a975c9dfdbd4d660d46507ea0a82ff9d3ffa7a..c8559e98c5711b3c739146487bc98a9eeeed9cda 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -155,3 +155,4 @@ revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch
 drm-radeon-fix-a-possible-null-pointer-dereference.patch
 modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch
 nodemask-fix-return-values-to-be-unsigned.patch
+vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch

diff --git a/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch b/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
new file mode 100644 (file)
index 0000000..84f1058
--- /dev/null
+++ b/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
@@ -0,0 +1,63 @@
+From 9e8ed5086092eafdef689cc5a469371020012c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 May 2022 18:09:10 +0800
+Subject: vringh: Fix loop descriptors check in the indirect cases
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]
+
+We should use size of descriptor chain to test loop condition
+in the indirect case. And another statistical count is also introduced
+for indirect descriptors to avoid conflict with the statistical count
+of direct descriptors.
+
+Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Fam Zheng <fam.zheng@bytedance.com>
+Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vringh.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
+index da47542496cc..63f0ab3e6f63 100644
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -262,7 +262,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+            gfp_t gfp,
+            int (*copy)(void *dst, const void *src, size_t len))
+ {
+-      int err, count = 0, up_next, desc_max;
++      int err, count = 0, indirect_count = 0, up_next, desc_max;
+       struct vring_desc desc, *descs;
+       struct vringh_range range = { -1ULL, 0 }, slowrange;
+       bool slow = false;
+@@ -319,7 +319,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
+                       continue;
+               }
+ 
+-              if (count++ == vrh->vring.num) {
++              if (up_next == -1)
++                      count++;
++              else
++                      indirect_count++;
++
++              if (count > vrh->vring.num || indirect_count > desc_max) {
+                       vringh_bad("Descriptor loop in %p", descs);
+                       err = -ELOOP;
+                       goto fail;
+@@ -381,6 +386,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+                               i = return_from_indirect(vrh, &up_next,
+                                                        &descs, &desc_max);
+                               slow = false;
++                              indirect_count = 0;
+                       } else
+                               break;
+               }
+-- 
+2.35.1
+