[xen stable-4.8] x86/shadow: fix refcount overflow check


[xen stable-4.8] x86/shadow: fix refcount overflow check

patchbot
commit 5069fdde82e21f2ffa4ed90b3150375dfe8d49e7
Author:     Jan Beulich <[hidden email]>
AuthorDate: Tue Dec 12 14:44:23 2017 +0100
Commit:     Jan Beulich <[hidden email]>
CommitDate: Tue Dec 12 14:44:23 2017 +0100

    x86/shadow: fix refcount overflow check
   
    Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track
    the first page") reduced the refcount width to 25, without adjusting the
    overflow check. Eliminate the disconnect by using a manifest constant.
   
    Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS
    snapshot") the refcount was 27 bits wide, yet the check was already
    using 26.
   
    This is XSA-249.
   
    Signed-off-by: Jan Beulich <[hidden email]>
    Reviewed-by: George Dunlap <[hidden email]>
    Reviewed-by: Tim Deegan <[hidden email]>
    master commit: 54e2292e8df7a1a7b041192be9d6d797b6d00869
    master date: 2017-12-12 14:29:13 +0100
---
 xen/arch/x86/mm/shadow/private.h | 2 +-
 xen/include/asm-x86/mm.h         | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index f0b0ed4..58e37f3 100644
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -532,7 +532,7 @@ static inline int sh_get_ref(struct domain *d, mfn_t smfn, paddr_t entry_pa)
     x = sp->u.sh.count;
     nx = x + 1;
 
-    if ( unlikely(nx >= 1U<<26) )
+    if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) )
     {
         SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n",
                        __backpointer(sp), mfn_x(smfn));
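Review bot: The bound in `sh_get_ref` is built as `1U << PAGE_SH_REFCOUNT_WIDTH`, which is only well defined while the width stays below the width of `unsigned int`. The bit-field itself is declared `unsigned long`, so nothing at this site stops a later widening from turning the shift into undefined behaviour and silently disabling the overflow check again. A compile-time guard next to the check would keep the two tied together, for example `BUILD_BUG_ON(PAGE_SH_REFCOUNT_WIDTH >= 32);`. The declarations of `x` and `nx` and the rest of the function body are outside the hunk, so whether `nx` could hold a wider value is not visible here.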
diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index 63590a7..a900eca 100644
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -83,7 +83,8 @@ struct page_info
             unsigned long type:5;   /* What kind of shadow is this? */
             unsigned long pinned:1; /* Is the shadow pinned? */
             unsigned long head:1;   /* Is this the first page of the shadow? */
-            unsigned long count:25; /* Reference count */
+#define PAGE_SH_REFCOUNT_WIDTH 25
+            unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */
         } sh;
 
         /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */
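Review bot: The new `PAGE_SH_REFCOUNT_WIDTH` define sits inside the `sh` struct body with no comment saying that the overflow check in `sh_get_ref()` (shadow/private.h) depends on it. That link is exactly what went stale before this fix. A one-line comment above the define would record it, e.g. `/* Width of sh.count; sh_get_ref() rejects increments that reach 1 << this. */`. The visible fields (`type:5`, `pinned:1`, `head:1`, `count:25`) add up to 32 bits, so it is also worth noting there that changing the width changes the layout of this union member; the start of `struct page_info` is outside the hunk, so this sum is based only on the lines shown.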
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8
