Commit ac0487e1 authored by Stefano Stabellini's avatar Stefano Stabellini
Browse files

xenfb.c: avoid expensive loops when prod <= out_cons 



If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.

Signed-off-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
Reported-by: default avatarLing Liu <liuling-it@360.cn>
parent 9027ac50

hw/display/xenfb.c

+3 −2
Original line number Diff line number Diff line
@@ -789,8 +789,9 @@ static void xenfb_handle_events(struct XenFB *xenfb) 


    prod = page->out_prod;

    out_cons = page->out_cons;

    if (prod == out_cons)

    if (prod - out_cons >= XENFB_OUT_RING_LEN) {

        return;

    }

    xen_rmb();		/* ensure we see ring contents up to prod */

    for (cons = out_cons; cons != prod; cons++) {

	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);