diff options
| author | Stefano Stabellini <stefano.stabellini@eu.citrix.com> | 2016-01-06 16:32:22 +0000 |
|---|---|---|
| committer | Timothy Pearson <tpearson@raptorengineering.com> | 2019-11-29 19:28:24 -0600 |
| commit | 5d96518b1f119dd1301a96ce6066b6053c689de5 (patch) | |
| tree | 39d028a6ec1b2a0d6f2dc8a933a3d83dc80fcfc5 | |
| parent | 695f6b51343a40bb27368eea288b7cd9fa690c0a (diff) | |
| download | hqemu-5d96518b1f119dd1301a96ce6066b6053c689de5.zip hqemu-5d96518b1f119dd1301a96ce6066b6053c689de5.tar.gz | |
xenfb.c: avoid expensive loops when prod <= out_cons
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reported-by: Ling Liu <liuling-it@360.cn>
| -rw-r--r-- | hw/display/xenfb.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c index 4e2a27a..8eb3046 100644 --- a/hw/display/xenfb.c +++ b/hw/display/xenfb.c @@ -789,8 +789,9 @@ static void xenfb_handle_events(struct XenFB *xenfb) prod = page->out_prod; out_cons = page->out_cons; - if (prod == out_cons) - return; + if (prod - out_cons >= XENFB_OUT_RING_LEN) { + return; + } xen_rmb(); /* ensure we see ring contents up to prod */ for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); |
