Date: Fri, 7 Oct 2016 17:10:14 +0530 (IST)
From: P J P
In-Reply-To: <1475828544.13132.16.camel@redhat.com>
References: <1475733011-22266-1-git-send-email-ppandit@redhat.com> <1475828544.13132.16.camel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] usb: xHCI: add check to limit command TRB processing
To: Gerd Hoffmann
Cc: Qemu Developers, Li Qiang

Hello Gerd,

+-- On Fri, 7 Oct 2016, Gerd Hoffmann wrote --+
| I think it is better to apply the limit to link trbs only (which allow
| to jump to another address so the guest can build loops with it). Also
| I think the limit can be much stricter than without breaking stuff as
| typically a link trb is used at the end of a page full of normal trbs,
| to jump to the next page with trbs.

Okay.

| both xhci_ring_fetch and xhci_ring_chain_length, so we should fix both.
| Is there a reproducer? If so, can you try the attached patch with it?

Yes, the attached patch does fix this issue.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
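
The idea discussed in this thread, bounding only link TRBs while leaving normal TRBs unlimited, shown as an added C sketch; it is not the attached patch and not QEMU code. The struct layout, the `LINK_LIMIT` value, the helper names and both sample rings are assumptions constructed for illustration.

```c
#include <stddef.h>

/* Simplified model, not QEMU's structures: guest memory is an array of
 * TRBs and a link TRB stores the index it jumps to. */
enum trb_type { TRB_NORMAL = 1, TRB_LINK = 6 };
struct trb { enum trb_type type; size_t link_target; };

#define LINK_LIMIT 4   /* assumed value, chosen for illustration */

/* Advance *dequeue to the next non-link TRB and return its index.
 * Returns -1 when more than LINK_LIMIT link TRBs are followed in a row,
 * or when the dequeue pointer leaves the modelled memory. */
static long ring_fetch(const struct trb *mem, size_t n, size_t *dequeue)
{
    unsigned links = 0;

    while (*dequeue < n) {
        const struct trb *t = &mem[*dequeue];
        if (t->type != TRB_LINK) {
            long idx = (long)*dequeue;
            (*dequeue)++;              /* normal TRBs are not counted */
            return idx;
        }
        if (++links > LINK_LIMIT)
            return -1;                 /* guest-built loop: stop processing */
        *dequeue = t->link_target;     /* follow the link */
    }
    return -1;
}

/* Constructed ring: two "pages" of normal TRBs, each ending in a link. */
static const struct trb well_formed[] = {
    {TRB_NORMAL, 0}, {TRB_NORMAL, 0}, {TRB_LINK, 3},
    {TRB_NORMAL, 0}, {TRB_NORMAL, 0}, {TRB_LINK, 0},
};
/* Constructed ring: link TRBs that only point at each other. */
static const struct trb looping[] = { {TRB_LINK, 1}, {TRB_LINK, 0} };

/* Number of TRBs fetched (capped at max) before the ring reports an error. */
static int fetch_count(const struct trb *mem, size_t n, int max)
{
    size_t dq = 0;
    int got = 0;
    while (got < max && ring_fetch(mem, n, &dq) >= 0)
        got++;
    return got;
}
```

The well-formed ring never follows more than one link per fetch, so a strict limit does not affect it, while the looping ring is rejected on the first fetch.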