|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.13] memory: fix off-by-one in XSA-346 change
commit 5e4914e60da9a8dfdc00e839278f40c87525b8ae
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Nov 24 14:13:29 2020 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Nov 24 14:13:29 2020 +0100
memory: fix off-by-one in XSA-346 change
The comparison against ARRAY_SIZE() needs to be >= in order to avoid
overrunning the pages[] array.
This is XSA-355.
Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush")
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
master commit: 9b156bcc3ffcc7949edd4460b718a241e87ae302
master date: 2020-11-24 14:01:31 +0100
---
xen/common/memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 031ed6ecbe..4c982f3db7 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -853,7 +853,7 @@ int xenmem_add_to_physmap(struct domain *d, struct
xen_add_to_physmap *xatp,
++extra.ppage;
/* Check for continuation if it's not the last iteration. */
- if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
+ if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
(xatp->size > done && hypercall_preempt_check()) )
{
rc = start + done;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.13
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |