On Fri, Aug 01, 2025 at 06:46:09PM +0300, Michael Tokarev wrote:
> On 21.07.2025 18:02, Jonah Palmer wrote:
> > Commit b44135daa372 introduced virtqueue_ordered_fill for
> > VIRTIO_F_IN_ORDER support but had a few issues:
> >
> > * Conditional while loop used 'steps <= max_steps' but should've been
> >   'steps < max_steps' since reaching steps == max_steps would indicate
> >   that we didn't find an element, which is an error. Without this
> >   change, the code would attempt to read invalid data at an index
> >   outside of our search range.
> >
> > * Incremented 'steps' using the next chain's ndescs instead of the
> >   current one.
> >
> > This patch corrects the loop bounds and synchronizes 'steps' and index
> > increments.
> >
> > We also add a defensive sanity check against malicious or invalid
> > descriptor counts to avoid a potential infinite loop and DoS.
> >
> > Fixes: b44135daa372 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER
> > support")
>
> This looks like a good candidate for qemu-stable, isn't it?
>
> Thanks,
>
> /mjt
indeed.
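The commit message above describes three points in the in-order search loop: the loop bound (`steps < max_steps` rather than `<=`), advancing `steps` by the current chain's `ndescs`, and rejecting a zero or oversized descriptor count before it can stall the loop. The following is an added, simplified model of that search written for this thread; it is not QEMU's virtqueue_ordered_fill and the `Ring`, `UsedElem`, `ordered_find` and `ordered_fill` names, the layout in which a chain occupies `ndescs` consecutive slots starting at its head slot, and the sample ring contents are all assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_NUM 8   /* ring size for the constructed sample */

/* One entry of the in-order "used elements" table.  Simplified model for
 * illustration, not QEMU's VirtQueueElement bookkeeping. */
typedef struct {
    unsigned int index;      /* head descriptor index of the chain */
    unsigned int ndescs;     /* number of descriptors in the chain */
    unsigned int len;        /* bytes written back, set when filled */
    bool in_order_filled;
} UsedElem;

typedef struct {
    unsigned int num;          /* ring size (vring.num) */
    uint16_t used_idx;         /* first slot not yet filled */
    uint16_t last_avail_idx;   /* one past the last pending slot */
    UsedElem used_elems[RING_NUM];
} Ring;

/* Walk the pending chains from used_idx forward looking for the chain
 * whose head is `head`.  Returns its slot, or -1 if it is absent or a
 * descriptor count is invalid.  steps_taken (optional) reports how far
 * the walk advanced. */
int ordered_find(const Ring *vq, unsigned int head, unsigned int *steps_taken)
{
    unsigned int i = vq->used_idx % vq->num;
    unsigned int steps = 0;
    /* Only chains between used_idx and last_avail_idx are pending. */
    unsigned int max_steps = (uint16_t)(vq->last_avail_idx - vq->used_idx);

    if (max_steps > vq->num) {
        return -1;   /* inconsistent indices, nothing sensible to search */
    }

    /* Bound fix: with 'steps <= max_steps' the loop body would run once
     * more after every pending chain has been passed, reading a slot
     * outside the search range.  steps == max_steps means "not found". */
    while (steps < max_steps) {
        unsigned int ndescs;

        if (vq->used_elems[i].index == head) {
            if (steps_taken) *steps_taken = steps;
            return (int)i;
        }

        /* Advance by the *current* chain's length.  Using the next chain's
         * ndescs here would let 'steps' and 'i' drift apart. */
        ndescs = vq->used_elems[i].ndescs;

        /* Defensive check: ndescs == 0 never advances (infinite loop), and
         * a count larger than the ring cannot describe a real chain.  Both
         * can come from a misbehaving guest, so reject rather than trust. */
        if (ndescs == 0 || ndescs > vq->num) {
            fprintf(stderr, "invalid ndescs %u at slot %u\n", ndescs, i);
            if (steps_taken) *steps_taken = steps;
            return -1;
        }

        i = (i + ndescs) % vq->num;
        steps += ndescs;
    }

    if (steps_taken) *steps_taken = steps;
    return -1;   /* not among the pending chains */
}

/* Mark the chain as used with `len` bytes written; false if not found. */
bool ordered_fill(Ring *vq, unsigned int head, unsigned int len)
{
    int slot = ordered_find(vq, head, NULL);
    if (slot < 0) {
        return false;
    }
    vq->used_elems[slot].len = len;
    vq->used_elems[slot].in_order_filled = true;
    return true;
}

/* Constructed sample: three pending chains of 2, 1 and 3 descriptors with
 * heads 0, 2 and 3, occupying slots 0..5 of an 8-entry ring. */
void build_sample(Ring *vq)
{
    memset(vq, 0, sizeof(*vq));
    vq->num = RING_NUM;
    vq->used_idx = 0;
    vq->last_avail_idx = 6;
    vq->used_elems[0] = (UsedElem){ .index = 0, .ndescs = 2 };
    vq->used_elems[2] = (UsedElem){ .index = 2, .ndescs = 1 };
    vq->used_elems[3] = (UsedElem){ .index = 3, .ndescs = 3 };
}

int main(void)
{
    Ring r;
    unsigned int steps;
    build_sample(&r);
    printf("head 3 -> slot %d\n", ordered_find(&r, 3, &steps));
    printf("head 7 -> slot %d after %u steps\n", ordered_find(&r, 7, &steps), steps);
    r.used_elems[3].ndescs = 0;   /* poisoned count: must terminate, not spin */
    printf("poisoned -> slot %d\n", ordered_find(&r, 7, NULL));
    return 0;
}
```

Searching for an absent head stops exactly at `steps == 6`, the distance between `used_idx` and `last_avail_idx`, without touching slot 6; with the original `<=` bound the loop would have compared slot 6 as if it were a pending chain. Setting a chain's `ndescs` to 0 returns -1 immediately instead of looping forever.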