diff options
author | Stefano Stabellini | 2016-01-06 17:32:22 +0100 |
---|---|---|
committer | Stefano Stabellini | 2016-01-14 17:49:11 +0100 |
commit | ac0487e1d2ae811cd4d035741a109a4ecfb013f1 (patch) | |
tree | 200aac3b8918640a4f467cf9901c728d5f6dfd50 /hw/display | |
parent | MAINTAINERS: update Xen files (diff) | |
download | qemu-ac0487e1d2ae811cd4d035741a109a4ecfb013f1.tar.gz qemu-ac0487e1d2ae811cd4d035741a109a4ecfb013f1.tar.xz qemu-ac0487e1d2ae811cd4d035741a109a4ecfb013f1.zip |
xenfb.c: avoid expensive loops when prod <= out_cons
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reported-by: Ling Liu <liuling-it@360.cn>
Diffstat (limited to 'hw/display')
-rw-r--r-- | hw/display/xenfb.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c index 4e2a27a3d6..8eb3046244 100644 --- a/hw/display/xenfb.c +++ b/hw/display/xenfb.c @@ -789,8 +789,9 @@ static void xenfb_handle_events(struct XenFB *xenfb) prod = page->out_prod; out_cons = page->out_cons; - if (prod == out_cons) - return; + if (prod - out_cons >= XENFB_OUT_RING_LEN) { + return; + } xen_rmb(); /* ensure we see ring contents up to prod */ for (cons = out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); |