From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <maxime.coquelin@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id 324212C01
 for <dev@dpdk.org>; Mon, 25 Jul 2016 16:10:10 +0200 (CEST)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com
 (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 93D5C3683C;
 Mon, 25 Jul 2016 14:10:09 +0000 (UTC)
Received: from max-t460s.redhat.com (vpn1-4-65.ams2.redhat.com [10.36.4.65])
 by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 u6PEA7SB022325; Mon, 25 Jul 2016 10:10:08 -0400
From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: huawei.xie@intel.com, yuanhan.liu@linux.intel.com
Cc: dev@dpdk.org, Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Mon, 25 Jul 2016 16:09:58 +0200
Message-Id: <1469455798-19790-1-git-send-email-maxime.coquelin@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.30]); Mon, 25 Jul 2016 14:10:09 +0000 (UTC)
Subject: [dpdk-dev] [PATCH] vhost: fix off-by-one error on nr_desc check
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 14:10:10 -0000

nr_desc is not an index but the number of descriptors,
so can be equal to the virtqueue size.

Fixes: a436f53ebfeb ("vhost: avoid dead loop chain")

Cc: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
Hi Yuanhan,

I faced the bug while testing my indirect descriptor patch, it happens
as soon as the number of chained descritors is above 2.

But the bug may in theory also be faced with normal descriptors, so it might
be good to have it 16.07?

Regards,
Maxime

---
 lib/librte_vhost/vhost_rxtx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index bc00518..08a73fd 100644
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c
@@ -748,7 +748,7 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
 				break;
 
 			if (unlikely(desc->next >= vq->size ||
-				     ++nr_desc >= vq->size))
+				     ++nr_desc > vq->size))
 				return -1;
 			desc = &vq->desc[desc->next];
 
-- 
2.7.4