Hello Gerd, +-- On Fri, 7 Oct 2016, Gerd Hoffmann wrote --+ | I think it is better to apply the limit to link trbs only (which allow | to jump to another address so the guest can build loops with it). Also | I think the limit can be much stricter then without breaking stuff as | typically a link trb is used at the end of a page full of normal trbs, | to jump to the next page with trbs.
Okay. | both xhci_ring_fetch and xhci_ring_chain_length, so we should fix both. | Is there a reproducer? If so, can you try the attached patch with it? Yes, the attached patch does fix this issue. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
