From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48018)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bsQQM-0007F8-G3
	for qemu-devel@nongnu.org; Fri, 07 Oct 2016 04:22:35 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bsQQI-0007yr-3E
	for qemu-devel@nongnu.org; Fri, 07 Oct 2016 04:22:34 -0400
Received: from mx1.redhat.com ([209.132.183.28]:33476)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kraxel@redhat.com>) id 1bsQQH-0007xZ-Nv
	for qemu-devel@nongnu.org; Fri, 07 Oct 2016 04:22:30 -0400
Message-ID: <1475828544.13132.16.camel@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 07 Oct 2016 10:22:24 +0200
In-Reply-To: <1475733011-22266-1-git-send-email-ppandit@redhat.com>
References: <1475733011-22266-1-git-send-email-ppandit@redhat.com>
Content-Type: multipart/mixed; boundary="=-N3n+DOk0aV+UYQcJGTop"
Mime-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH] usb: xHCI: add check to limit command TRB
 processing
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>, Li Qiang <liqiang6-s@360.cn>, Prasad J Pandit <pjp@fedoraproject.org>


--=-N3n+DOk0aV+UYQcJGTop
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Do, 2016-10-06 at 11:20 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>=20
> USB xHCI controller uses ring of Transfer Request Blocks(TRB)
> to process USB commands. These are processed by loop in
> 'xhci_ring_fetch'. A guest user could make it read and process
> a same TRB infinitely. Limit number of command TRBs to avoid it.

I think it is better to apply the limit to link trbs only (which allow
to jump to another address so the guest can build loops with it).  Also
I think the limit can be much stricter then without breaking stuff as
typically a link trb is used at the end of a page full of normal trbs,
to jump to the next page with trbs.  And we have the same problem in
both xhci_ring_fetch and xhci_ring_chain_length, so we should fix both.

Is there a reproducer?  If so, can you try the attached patch with it?

thanks,
  Gerd


--=-N3n+DOk0aV+UYQcJGTop
Content-Disposition: attachment;
	filename*0=0001-xhci-limit-the-number-of-link-trbs-we-are-willing-to.pat;
	filename*1=ch
Content-Transfer-Encoding: base64
Content-Type: text/x-patch;
	name="0001-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch";
	charset="UTF-8"

RnJvbSAyMDAwOWJkYWY5NWQxMGJmNzQ4ZmE2OWIxMDQ2NzJkM2NmYWNlZGRmIE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBHZXJkIEhvZmZtYW5uIDxrcmF4ZWxAcmVkaGF0LmNvbT4KRGF0
ZTogRnJpLCA3IE9jdCAyMDE2IDEwOjE1OjI5ICswMjAwClN1YmplY3Q6IFtQQVRDSF0geGhjaTog
bGltaXQgdGhlIG51bWJlciBvZiBsaW5rIHRyYnMgd2UgYXJlIHdpbGxpbmcgdG8gcHJvY2VzcwoK
U2lnbmVkLW9mZi1ieTogR2VyZCBIb2ZmbWFubiA8a3JheGVsQHJlZGhhdC5jb20+Ci0tLQogaHcv
dXNiL2hjZC14aGNpLmMgfCAxMCArKysrKysrKysrCiAxIGZpbGUgY2hhbmdlZCwgMTAgaW5zZXJ0
aW9ucygrKQoKZGlmZiAtLWdpdCBhL2h3L3VzYi9oY2QteGhjaS5jIGIvaHcvdXNiL2hjZC14aGNp
LmMKaW5kZXggNzI2NDM1Yy4uZWU0ZmE0OCAxMDA2NDQKLS0tIGEvaHcvdXNiL2hjZC14aGNpLmMK
KysrIGIvaHcvdXNiL2hjZC14aGNpLmMKQEAgLTU0LDYgKzU0LDggQEAKICAqIHRvIHRoZSBzcGVj
cyB3aGVuIGl0IGdldHMgdGhlbSAqLwogI2RlZmluZSBFUl9GVUxMX0hBQ0sKIAorI2RlZmluZSBU
UkJfTElOS19MSU1JVCAgNAorCiAjZGVmaW5lIExFTl9DQVAgICAgICAgICAweDQwCiAjZGVmaW5l
IExFTl9PUEVSICAgICAgICAoMHg0MDAgKyAweDEwICogTUFYUE9SVFMpCiAjZGVmaW5lIExFTl9S
VU5USU1FICAgICAoKE1BWElOVFJTICsgMSkgKiAweDIwKQpAQCAtMTAwMCw2ICsxMDAyLDcgQEAg
c3RhdGljIFRSQlR5cGUgeGhjaV9yaW5nX2ZldGNoKFhIQ0lTdGF0ZSAqeGhjaSwgWEhDSVJpbmcg
KnJpbmcsIFhIQ0lUUkIgKnRyYiwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbWFf
YWRkcl90ICphZGRyKQogewogICAgIFBDSURldmljZSAqcGNpX2RldiA9IFBDSV9ERVZJQ0UoeGhj
aSk7CisgICAgdWludDMyX3QgbGlua19jbnQgPSAwOwogCiAgICAgd2hpbGUgKDEpIHsKICAgICAg
ICAgVFJCVHlwZSB0eXBlOwpAQCAtMTAyNiw2ICsxMDI5LDkgQEAgc3RhdGljIFRSQlR5cGUgeGhj
aV9yaW5nX2ZldGNoKFhIQ0lTdGF0ZSAqeGhjaSwgWEhDSVJpbmcgKnJpbmcsIFhIQ0lUUkIgKnRy
YiwKICAgICAgICAgICAgIHJpbmctPmRlcXVldWUgKz0gVFJCX1NJWkU7CiAgICAgICAgICAgICBy
ZXR1cm4gdHlwZTsKICAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgIGlmICgrK2xpbmtfY250
ID4gVFJCX0xJTktfTElNSVQpIHsKKyAgICAgICAgICAgICAgICByZXR1cm4gMDsKKyAgICAgICAg
ICAgIH0KICAgICAgICAgICAgIHJpbmctPmRlcXVldWUgPSB4aGNpX21hc2s2NCh0cmItPnBhcmFt
ZXRlcik7CiAgICAgICAgICAgICBpZiAodHJiLT5jb250cm9sICYgVFJCX0xLX1RDKSB7CiAgICAg
ICAgICAgICAgICAgcmluZy0+Y2NzID0gIXJpbmctPmNjczsKQEAgLTEwNDMsNiArMTA0OSw3IEBA
IHN0YXRpYyBpbnQgeGhjaV9yaW5nX2NoYWluX2xlbmd0aChYSENJU3RhdGUgKnhoY2ksIGNvbnN0
IFhIQ0lSaW5nICpyaW5nKQogICAgIGJvb2wgY2NzID0gcmluZy0+Y2NzOwogICAgIC8qIGhhY2sg
dG8gYnVuZGxlIHRvZ2V0aGVyIHRoZSB0d28vdGhyZWUgVERzIHRoYXQgbWFrZSBhIHNldHVwIHRy
YW5zZmVyICovCiAgICAgYm9vbCBjb250cm9sX3RkX3NldCA9IDA7CisgICAgdWludDMyX3QgbGlu
a19jbnQgPSAwOwogCiAgICAgd2hpbGUgKDEpIHsKICAgICAgICAgVFJCVHlwZSB0eXBlOwpAQCAt
MTA1OCw2ICsxMDY1LDkgQEAgc3RhdGljIGludCB4aGNpX3JpbmdfY2hhaW5fbGVuZ3RoKFhIQ0lT
dGF0ZSAqeGhjaSwgY29uc3QgWEhDSVJpbmcgKnJpbmcpCiAgICAgICAgIHR5cGUgPSBUUkJfVFlQ
RSh0cmIpOwogCiAgICAgICAgIGlmICh0eXBlID09IFRSX0xJTkspIHsKKyAgICAgICAgICAgIGlm
ICgrK2xpbmtfY250ID4gVFJCX0xJTktfTElNSVQpIHsKKyAgICAgICAgICAgICAgICByZXR1cm4g
LWxlbmd0aDsKKyAgICAgICAgICAgIH0KICAgICAgICAgICAgIGRlcXVldWUgPSB4aGNpX21hc2s2
NCh0cmIucGFyYW1ldGVyKTsKICAgICAgICAgICAgIGlmICh0cmIuY29udHJvbCAmIFRSQl9MS19U
QykgewogICAgICAgICAgICAgICAgIGNjcyA9ICFjY3M7Ci0tIAoxLjguMy4xCgo=


--=-N3n+DOk0aV+UYQcJGTop--