[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons



On Wed, 6 Jan 2016, David Vrabel wrote:
> On 06/01/16 12:08, Stefano Stabellini wrote:
> > If the frontend sets out_cons to a value higher than out_prod, it will
> > cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
> > better checks at the beginning of the function.
> 
> You can't use less than to compare prod and cons because they wrap.
> 
> You need to compare (prod - cons) against ring size (or similar) to
> check for overflow.  See RING_REQUEST_PROD_OVERFLOW() etc.

Yes, you are right. I think that the right fix should be:


diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 4e2a27a..594baff 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -789,8 +789,9 @@ static void xenfb_handle_events(struct XenFB *xenfb)
 
     prod = page->out_prod;
     out_cons = page->out_cons;
-    if (prod == out_cons)
-       return;
+    if (prod - out_cons >= XENFB_OUT_RING_LEL) {
+        return;
+    }
     xen_rmb();         /* ensure we see ring contents up to prod */
     for (cons = out_cons; cons != prod; cons++) {
        union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.