[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.2] xentrace: fix off-by-one in calculate_tbuf_size

commit 16c5ea879748ea07d62aa9592d8f25f5850ea8f4
Author:     Olaf Hering <olaf@xxxxxxxxx>
AuthorDate: Tue Mar 12 16:18:02 2013 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Mar 12 16:18:02 2013 +0100

    xentrace: fix off-by-one in calculate_tbuf_size
    
    Commit "xentrace: reduce trace buffer size to something mfn_offset can
    reach" contains an off-by-one bug. max_mfn_offset needs to be reduced by
    exactly the value of t_info_first_offset.
    
    If the system has two cpus and the number of requested trace pages is
    very large, the final number of trace pages + the offset will not fit
    into a short. As a result the variable offset in alloc_trace_bufs() will
    wrap while allocating buffers for the second cpu. Later
    share_xen_page_with_privileged_guests() will be called with a wrong page
    and the ASSERT in this function triggers. If the ASSERT is ignored by
    running a non-dbg hypervisor the asserts in xentrace itself trigger
    because "cons" is not aligned because the very last trace page for the
    second cpu is a random mfn.
    
    Thanks to Jan for the quick analysis.
    
    Signed-off-by: Olaf Hering <olaf@xxxxxxxxx>
    Acked-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
    master changeset: d9fb28ae6d41c8201482948660e52889481830dd
    master date: 2013-03-04 13:42:17 +0100
---
 xen/common/trace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xen/common/trace.c b/xen/common/trace.c
index cacaeb2..cc0b2e0 100644
--- a/xen/common/trace.c
+++ b/xen/common/trace.c
@@ -133,7 +133,7 @@ static int calculate_tbuf_size(unsigned int pages, uint16_t 
t_info_first_offset)
      * The array of mfns for the highest cpu can start at the maximum value
      * mfn_offset can hold. So reduce the number of cpus and also the 
mfn_offset.
      */
-    max_mfn_offset -= t_info_first_offset - 1;
+    max_mfn_offset -= t_info_first_offset;
     max_cpus--;
     if ( max_cpus )
         max_mfn_offset /= max_cpus;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.2

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.