1 From 04d46122655ea02ca47a9572bcce87a23c458e9a Mon Sep 17 00:00:00 2001
2 From: Gerd Hoffmann <kraxel@redhat.com>
3 Date: Mon, 18 Apr 2016 09:11:38 +0200
4 Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
9 Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
10 DoS by the guest (create a circular iTD queue and let qemu ehci
11 emulation run in circles forever). Unfortunately this has two problems:
12 First it misses the case of siTDs, and second it reportedly breaks
15 So lets go for a different approach: just count the number of iTDs and
16 siTDs we have seen per frame and apply a limit. That should really
19 Reported-by: 杜少博 <dushaobo@360.cn>
20 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
22 hw/usb/hcd-ehci.c | 6 +++++-
23 1 file changed, 5 insertions(+), 1 deletion(-)
25 diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
26 index 9b7ef92..99ae453 100644
27 --- a/hw/usb/hcd-ehci.c
28 +++ b/hw/usb/hcd-ehci.c
29 @@ -2009,6 +2009,7 @@ static int ehci_state_writeback(EHCIQueue *q)
30 static void ehci_advance_state(EHCIState *ehci, int async)
37 @@ -2033,10 +2034,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
40 again = ehci_state_fetchitd(ehci, async);
45 again = ehci_state_fetchsitd(ehci, async);
49 case EST_ADVANCEQUEUE:
50 @@ -2085,7 +2088,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
55 + if (again < 0 || itd_count > 16) {
56 + /* TODO: notify guest (raise HSE irq?) */
57 fprintf(stderr, "processing error - resetting ehci HC\n");
projects / pve-qemu-kvm.git / blob