From: Tiwei Bie <tiwei.bie@intel.com>
Date: Fri, 4 Jan 2019 04:06:41 +0000 (+0800)
Subject: vhost: fix possible dead loop in vector filling
X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=450539b47ec89bcb49973a24b4c85c5f0bc8f37b;p=dpdk.git

vhost: fix possible dead loop in vector filling

Fix a possible dead loop which may happen, e.g. when driver
created a loop in the desc list and lens in descs are zero.

Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")
Cc: stable@dpdk.org

Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index d64c355b98..0893a1d045 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -309,6 +309,7 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	uint16_t vec_id = *vec_idx;
 	uint32_t len    = 0;
 	uint64_t dlen;
+	uint32_t nr_descs = vq->size;
 	struct vring_desc *descs = vq->desc;
 	struct vring_desc *idesc = NULL;
 
@@ -319,6 +320,10 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
 		dlen = vq->desc[idx].len;
+		nr_descs = dlen / sizeof(struct vring_desc);
+		if (unlikely(nr_descs > vq->size))
+			return -1;
+
 		descs = (struct vring_desc *)(uintptr_t)
 			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
 						&dlen,
@@ -348,6 +353,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 		}
 
+		if (unlikely(nr_descs-- == 0)) {
+			free_ind_table(idesc);
+			return -1;
+		}
+
 		len += descs[idx].len;
 
 		if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,
@@ -510,6 +520,9 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 		if (unlikely(vec_id >= BUF_VECTOR_MAX))
 			return -1;
 
+		if (unlikely(*desc_count >= vq->size))
+			return -1;
+
 		*desc_count += 1;
 		*buf_id = descs[avail_idx].id;