
[Xen-changelog] [xen stable-4.9] x86/shadow: fix refcount overflow check



commit c553285d2d98ea626b9e89af76b14ee2de7d7b80
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Dec 12 14:39:57 2017 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 12 14:39:57 2017 +0100

    x86/shadow: fix refcount overflow check
    
    Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track
    the first page") reduced the refcount width to 25, without adjusting the
    overflow check. Eliminate the disconnect by using a manifest constant.
    
    Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS
    snapshot") the refcount was 27 bits wide, yet the check was already
    using 26.
    
    This is XSA-249.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Reviewed-by: Tim Deegan <tim@xxxxxxx>
    master commit: 54e2292e8df7a1a7b041192be9d6d797b6d00869
    master date: 2017-12-12 14:29:13 +0100
---
 xen/arch/x86/mm/shadow/private.h | 2 +-
 xen/include/asm-x86/mm.h         | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index 472676c..7f6a0a5 100644
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -530,7 +530,7 @@ static inline int sh_get_ref(struct domain *d, mfn_t smfn, 
paddr_t entry_pa)
     x = sp->u.sh.count;
     nx = x + 1;
 
-    if ( unlikely(nx >= 1U<<26) )
+    if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) )
     {
         SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n",
                        __backpointer(sp), mfn_x(smfn));
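
Review bot: In the new condition in sh_get_ref(), "1U << PAGE_SH_REFCOUNT_WIDTH" is only well defined while the width stays below the width of unsigned int, but the "count" bitfield it guards is declared as unsigned long. With the current value of 25 this is fine. Consider "1UL <<" to match the field's type, or a BUILD_BUG_ON() on the width, so that a future widening of the field cannot silently break the check again.
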
diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index 445da50..2e41779 100644
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -82,7 +82,8 @@ struct page_info
             unsigned long type:5;   /* What kind of shadow is this? */
             unsigned long pinned:1; /* Is the shadow pinned? */
             unsigned long head:1;   /* Is this the first page of the shadow? */
-            unsigned long count:25; /* Reference count */
+#define PAGE_SH_REFCOUNT_WIDTH 25
+            unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */
         } sh;
 
         /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */
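
Review bot: The "#define PAGE_SH_REFCOUNT_WIDTH 25" placed between the bitfield members carries no comment saying that the overflow check in sh_get_ref() depends on it. A one-line comment next to the define naming that dependency would help, since the commit message describes exactly this kind of mismatch arising when the field width was changed without touching the check.
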
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.9

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
