------------------------------------------------------------------------

*From*: 	Gerd Hoffmann

*Subject*: 	[Qemu-devel] [PATCH 1/2] ehci: apply limit to itd/sidt

descriptors

*Date*: 	Mon, 18 Apr 2016 11:27:22 +0200

------------------------------------------------------------------------

Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a

DoS by the guest (create a circular itd queue and let qemu ehci

emulation run in circles forever).  Unfortunaly this has two problems:

First it misses the case of sitds, and second it reportly breaks

freebsd.

So lets go for a different approach: just count the number of itds and

sitds we have seen per frame and apply a limit.  That should really

catch all cases now.

Signed-off-by: Gerd Hoffmann <address@hidden>

---

 hw/usb/hcd-ehci.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/tools/qemu-xen/hw/usb/hcd-ehci.c b/tools/qemu-xen/hw/usb/hcd-ehci.c

index 159f58d..923f110 100644

--- a/tools/qemu-xen/hw/usb/hcd-ehci.c

+++ b/tools/qemu-xen/hw/usb/hcd-ehci.c

@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)

 static void ehci_advance_state(EHCIState *ehci, int async)

 {

     EHCIQueue *q = NULL;

+    int idt_count = 0;

     int again;

     do {

@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)

         case EST_FETCHITD:

             again = ehci_state_fetchitd(ehci, async);

+            idt_count++;

             break;

         case EST_FETCHSITD:

             again = ehci_state_fetchsitd(ehci, async);

+            idt_count++;

             break;

         case EST_ADVANCEQUEUE:

@@ -2092,6 +2095,11 @@ static void ehci_advance_state(EHCIState *ehci, int async)

             ehci_reset(ehci);

             again = 0;

         }

+

+        /* limit the amout of idts we are willing to process each frame */

+        if (idt_count > 16) {

+            again = 0;

+        }

     }

     while (again);

 }

-- 

1.8.3.1