Re: [Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread Paul Durrant
> -----Original Message-----
> From: qemu-devel-bounces+paul.durrant=citrix@nongnu.org
> [mailto:qemu-devel-bounces+paul.durrant=citrix@nongnu.org] On
> Behalf Of Stefano Stabellini
> Sent: 06 January 2016 12:08
> To: qemu-devel@nongnu.org
> Cc: liuling...@360.cn; xen-de...@lists.xensource.com; Stefano Stabellini
> Subject: [Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod
> <= out_cons
> 
> If the frontend sets out_cons to a value higher than out_prod, it will
> cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
> better checks at the beginning of the function.
> 

What happens when out_prod wraps?

  Paul

> Signed-off-by: Stefano Stabellini 
> 
> diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
> index 4e2a27a..f963cf2 100644
> --- a/hw/display/xenfb.c
> +++ b/hw/display/xenfb.c
> @@ -789,10 +789,11 @@ static void xenfb_handle_events(struct XenFB
> *xenfb)
> 
>  prod = page->out_prod;
>  out_cons = page->out_cons;
> -if (prod == out_cons)
> - return;
> +if (prod <= out_cons) {
> +return;
> +}
>  xen_rmb();   /* ensure we see ring contents up to prod */
> -for (cons = out_cons; cons != prod; cons++) {
> +for (cons = out_cons; cons < prod; cons++) {
>   union xenfb_out_event *event = &XENFB_OUT_RING_REF(page,
> cons);
>  uint8_t type = event->type;
>   int x, y, w, h;
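
Review bot: The new early return `if (prod <= out_cons)` and the loop condition `cons < prod` order the two indices by magnitude, which stops working once out_prod wraps. The "2^32" in the commit message implies free-running 32-bit counters; when out_prod has wrapped to a small value and out_cons is still near the top of the range, the function returns without consuming events that are validly pending. Consider taking the unsigned difference `prod - out_cons`, which stays correct across the wrap, and rejecting the indices only when that difference exceeds the ring length.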


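The wrap-around case asked about in the reply above, worked through as an added example (not code from QEMU or from either poster). It compares the patched checks with an unsigned-distance check bounded by the ring size; `demo_page`, `RING_LEN`, `patched_pending`, `drain_bounded`, `drain_case` and `last_sum` are hypothetical names, and the ring size and event bytes are constructed.

```c
#include <stdint.h>

#define RING_LEN 8u                 /* assumed power-of-two ring size */

struct demo_page {                  /* hypothetical stand-in for the shared page */
    uint32_t out_cons, out_prod;    /* free-running 32-bit indices */
    uint8_t ring[RING_LEN];         /* constructed one-byte "events" */
};

static uint32_t last_sum;           /* payload total from the latest drain_case() */

/* Events the patched checks (prod <= out_cons, cons < prod) would visit. */
static uint32_t patched_pending(uint32_t prod, uint32_t cons)
{
    return prod <= cons ? 0 : prod - cons;
}

/* Wrap-safe alternative: take the distance modulo 2^32 and refuse anything
 * larger than the ring. Returns events consumed, or -1 on bad indices. */
static int drain_bounded(struct demo_page *page, uint32_t *sum)
{
    uint32_t prod = page->out_prod;
    uint32_t cons = page->out_cons;
    uint32_t pending = prod - cons;          /* correct across wrap-around */

    if (pending > RING_LEN) {
        return -1;    /* cons ahead of prod, or prod implausibly far ahead */
    }
    for (; cons != prod; cons++) {           /* at most RING_LEN iterations */
        *sum += page->ring[cons % RING_LEN];
    }
    page->out_cons = cons;
    return (int)pending;
}

/* Build a page with the given indices, drain it, record the payload total. */
static int drain_case(uint32_t cons, uint32_t prod)
{
    struct demo_page p = { cons, prod, {1, 2, 3, 4, 5, 6, 7, 8} };
    last_sum = 0;
    return drain_bounded(&p, &last_sum);
}

int main(void)
{
    /* out_prod has wrapped, out_cons has not: four events are pending. */
    int n = drain_case(0xfffffffeu, 2u);
    return (n == 4 && last_sum == 18 && patched_pending(2u, 0xfffffffeu) == 0) ? 0 : 1;
}
```

With out_cons one ahead of out_prod, or out_prod almost 2^32 ahead of out_cons, `drain_bounded` returns -1 instead of iterating.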


[Qemu-devel] [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

2016-01-06 Thread Stefano Stabellini
If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.

Signed-off-by: Stefano Stabellini 

diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 4e2a27a..f963cf2 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -789,10 +789,11 @@ static void xenfb_handle_events(struct XenFB *xenfb)
 
 prod = page->out_prod;
 out_cons = page->out_cons;
-if (prod == out_cons)
-   return;
+if (prod <= out_cons) {
+return;
+}
 xen_rmb(); /* ensure we see ring contents up to prod */
-for (cons = out_cons; cons != prod; cons++) {
+for (cons = out_cons; cons < prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
 uint8_t type = event->type;
int x, y, w, h;
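
Review bot: The `prod <= out_cons` check only bounds the loop when out_cons is at or above out_prod, but both values are read from `page`, so a frontend can just as well leave out_cons low and set out_prod close to the top of the range, and the `cons < prod` loop then still runs for nearly 2^32 iterations. Validating that the unsigned distance `prod - out_cons` does not exceed the ring length before entering the loop would cap the iteration count in both directions. The commit message would also benefit from stating that both indices are frontend-controlled, since that is the reason they need validating.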