On Mon, Jul 21, 2025 at 11:02 PM Jonah Palmer <jonah.pal...@oracle.com> wrote:
>
> Commit b44135daa372 introduced virtqueue_ordered_fill for
> VIRTIO_F_IN_ORDER support but had a few issues:
>
> * Conditional while loop used 'steps <= max_steps' but should've been
>   'steps < max_steps' since reaching steps == max_steps would indicate
>   that we didn't find an element, which is an error. Without this
>   change, the code would attempt to read invalid data at an index
>   outside of our search range.
>
> * Incremented 'steps' using the next chain's ndescs instead of the
>   current one.
>
> This patch corrects the loop bounds and synchronizes 'steps' and index
> increments.
>
> We also add a defensive sanity check against malicious or invalid
> descriptor counts to avoid a potential infinite loop and DoS.
>
> Fixes: b44135daa372 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER
> support")
> Reported-by: terrynini <terrynini38...@gmail.com>
> Signed-off-by: Jonah Palmer <jonah.pal...@oracle.com>
> ---

Acked-by: Jason Wang <jasow...@redhat.com>

Thanks
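
The loop bound, the synchronized increment and the sanity check described in the quoted commit message, as an added example: this is a simplified model, not QEMU's code and not part of this thread. The struct, the function names and the sample ring are hypothetical, and treating a count of zero or one larger than the ring as invalid is an assumption.

```c
#include <stdbool.h>

/* Hypothetical, simplified stand-in for one used-element slot. */
struct slot {
    unsigned index;   /* head descriptor index of the chain */
    unsigned ndescs;  /* descriptors in the chain starting here */
    unsigned len;
    bool filled;
};

/* Walk at most max_steps descriptors from start, chain by chain, and mark
 * the chain headed by `want` as filled. Returns 0 on success, -1 when the
 * element is not inside the search range or a chain length is invalid. */
static int ordered_fill(struct slot *ring, unsigned num, unsigned start,
                        unsigned max_steps, unsigned want, unsigned len)
{
    unsigned i = start % num;
    unsigned steps = 0;

    while (steps < max_steps) {        /* '<=' would inspect one slot too far */
        unsigned n = ring[i].ndescs;   /* count of the current chain */

        if (ring[i].index == want) {
            ring[i].len = len;
            ring[i].filled = true;
            return 0;
        }
        if (n == 0 || n > num) {       /* assumption: 0 never advances, >num is bogus */
            return -1;
        }
        i = (i + n) % num;             /* index and steps advance by the */
        steps += n;                    /* same, current, chain length    */
    }
    return -1;                         /* steps == max_steps: not found */
}

/* Constructed sample: chains of 2, 1 and 3 descriptors are in flight
 * (6 in total); slot 6 holds a stale entry outside the search range. */
static int demo(unsigned want, unsigned ndescs_at_2)
{
    struct slot ring[8] = {0};
    ring[0] = (struct slot){ .index = 0, .ndescs = 2 };
    ring[2] = (struct slot){ .index = 2, .ndescs = ndescs_at_2 };
    ring[3] = (struct slot){ .index = 3, .ndescs = 3 };
    ring[6] = (struct slot){ .index = 6, .ndescs = 1 };
    return ordered_fill(ring, 8, 0, 6, want, 64);
}

int main(void) { return demo(3, 1); }
```

In this model `demo(6, 1)` fails because the walk stops once `steps` equals the six in-flight descriptors; with `<=` the loop would go on to match the stale entry in slot 6.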