Re: [Qemu-devel] [PATCH] usb: xHCI: add check to limit command TRB processing
Fri, 07 Oct 2016 10:22:24 +0200
On Thu, 2016-10-06 at 11:20 +0530, P J P wrote:
> From: Prasad J Pandit <address@hidden>
> USB xHCI controller uses ring of Transfer Request Blocks (TRB)
> to process USB commands. These are processed by loop in
> 'xhci_ring_fetch'. A guest user could make it read and process
> the same TRB infinitely. Limit number of command TRBs to avoid it.
I think it is better to apply the limit to link trbs only (which allow
to jump to another address so the guest can build loops with it). Also
I think the limit can be much stricter then without breaking stuff as
typically a link trb is used at the end of a page full of normal trbs,
to jump to the next page with trbs. And we have the same problem in
both xhci_ring_fetch and xhci_ring_chain_length, so we should fix both.
Is there a reproducer? If so, can you try the attached patch with it?
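The bounded link-TRB walk suggested in the reply above, as an added C example that is not part of the original message and is not QEMU's code. It is a simplified model: guest memory is an array, a link TRB's parameter is an array index, and `LINK_LIMIT` and the two `demo_*` rings are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#define TRB_C       (1u << 0)  /* cycle bit */
#define TRB_LK_TC   (1u << 1)  /* link TRB: toggle cycle */
#define TRB_TYPE(t) (((t).control >> 10) & 0x3f)
#define TR_LINK     6          /* Link TRB type in the xHCI spec */
#define CR_NOOP     23         /* No Op Command TRB type */
#define LINK_LIMIT  4          /* assumed budget, not taken from the thread */

struct trb  { uint64_t parameter; uint32_t status; uint32_t control; };
struct ring { size_t dequeue; unsigned ccs; };

/* Returns the TRB type fetched, 0 if the ring is empty, -1 on a bad ring. */
int ring_fetch(struct ring *r, const struct trb *mem, size_t n, struct trb *out)
{
    unsigned links = 0;
    for (;;) {
        if (r->dequeue >= n) return -1;    /* pointer left the modelled memory */
        struct trb t = mem[r->dequeue];
        if ((t.control & TRB_C) != r->ccs) return 0; /* not handed over yet */
        if (TRB_TYPE(t) != TR_LINK) {
            *out = t;
            r->dequeue++;
            return (int)TRB_TYPE(t);
        }
        /* Only link TRBs let the guest redirect the walk, so only they count. */
        if (++links > LINK_LIMIT) return -1;
        r->dequeue = (size_t)t.parameter;  /* model: parameter is an index */
        if (t.control & TRB_LK_TC)
            r->ccs = !r->ccs;
    }
}

/* Constructed ring: one link TRB that jumps to the next "page". */
int demo_paged_ring(void)
{
    struct trb mem[3] = {{0}}, out;
    struct ring r = { 0, 1 };
    mem[0] = (struct trb){ 2, 0, (TR_LINK << 10) | TRB_C };
    mem[2] = (struct trb){ 0, 0, (CR_NOOP << 10) | TRB_C };
    return ring_fetch(&r, mem, 3, &out);
}
/* Constructed ring: a link TRB that points back at itself. */
int demo_self_link(void)
{
    struct trb mem[1] = {{ 0, 0, (TR_LINK << 10) | TRB_C }}, out;
    struct ring r = { 0, 1 };
    return ring_fetch(&r, mem, 1, &out);
}
```

The same per-call counter fits any walker that follows link TRBs, which is why the reply asks for the fix in both `xhci_ring_fetch` and `xhci_ring_chain_length`.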