vringh: Fix loop descriptors check in the indirect cases (45984b3a) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/vhost/vringh.c

+8 −2

Original line number	Original line	Diff line number	Diff line
	@@ -262,7 +262,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
	gfp_t gfp,		gfp_t gfp,
	int (copy)(void dst, const void *src, size_t len))		int (copy)(void dst, const void *src, size_t len))
	{		{
	int err, count = 0, up_next, desc_max;		int err, count = 0, indirect_count = 0, up_next, desc_max;
	struct vring_desc desc, *descs;		struct vring_desc desc, *descs;
	struct vringh_range range = { -1ULL, 0 }, slowrange;		struct vringh_range range = { -1ULL, 0 }, slowrange;
	bool slow = false;		bool slow = false;
	@@ -319,7 +319,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
	continue;		continue;
	}		}

	if (count++ == vrh->vring.num) {		if (up_next == -1)
			count++;
			else
			indirect_count++;

			if (count > vrh->vring.num \|\| indirect_count > desc_max) {
	vringh_bad("Descriptor loop in %p", descs);		vringh_bad("Descriptor loop in %p", descs);
	err = -ELOOP;		err = -ELOOP;
	goto fail;		goto fail;
	@@ -381,6 +386,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
	i = return_from_indirect(vrh, &up_next,		i = return_from_indirect(vrh, &up_next,
	&descs, &desc_max);		&descs, &desc_max);
	slow = false;		slow = false;
			indirect_count = 0;
	} else		} else
	break;		break;
	}		}