usb: ohci: limit the number of link eds

The guest may builds an infinite loop with link eds. This patch
limit the number of linked ed to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Li Qiang 2017-02-07 02:23:33 -08:00 committed by Gerd Hoffmann
parent 26f670a244
commit 95ed56939e

View File

@ -42,6 +42,8 @@
#define OHCI_MAX_PORTS 15 #define OHCI_MAX_PORTS 15
#define ED_LINK_LIMIT 4
static int64_t usb_frame_time; static int64_t usb_frame_time;
static int64_t usb_bit_time; static int64_t usb_bit_time;
@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
uint32_t next_ed; uint32_t next_ed;
uint32_t cur; uint32_t cur;
int active; int active;
uint32_t link_cnt = 0;
active = 0; active = 0;
if (head == 0) if (head == 0)
@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
next_ed = ed.next & OHCI_DPTR_MASK; next_ed = ed.next & OHCI_DPTR_MASK;
if (++link_cnt > ED_LINK_LIMIT) {
ohci_die(ohci);
return 0;
}
if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
uint32_t addr; uint32_t addr;
/* Cancel pending packets for ED that have been paused. */ /* Cancel pending packets for ED that have been paused. */