From 5177ee26e9f11a4e074e64567cfd1778bdbd2997 Mon Sep 17 00:00:00 2001
From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Date: Wed, 6 Jan 2016 16:32:22 +0000
Subject: [PATCH] xenfb.c: avoid expensive loops when prod <= out_cons

If the frontend sets out_cons to a value higher than out_prod, it will
cause xenfb_handle_events to loop about 2^32 times. Avoid that by using
better checks at the beginning of the function.

upstream-commit-id: ac0487e1d2ae811cd4d035741a109a4ecfb013f1

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reported-by: Ling Liu <liuling-it@360.cn>
---
 hw/display/xenfb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
index 7baacbe29..56d1a3651 100644
--- a/hw/display/xenfb.c
+++ b/hw/display/xenfb.c
@@ -784,8 +784,9 @@ static void xenfb_handle_events(struct XenFB *xenfb)
 
     prod = page->out_prod;
     out_cons = page->out_cons;
-    if (prod == out_cons)
-	return;
+    if (prod - out_cons >= XENFB_OUT_RING_LEN) {
+        return;
+    }
     xen_rmb();		/* ensure we see ring contents up to prod */
     for (cons = out_cons; cons != prod; cons++) {
 	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
-- 
2.39.5