[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] xen/device-tree: Fix off-by-one bounds check in make_memory_node()

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
  • Date: Thu, 2 Apr 2026 11:03:48 +0000
  • Accept-language: en-US, ru-RU
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uwecGfUgjnXcZt7A/fraa8cxaYLtuD5RKkI7VkYfn60=; b=TM+BMf6drXqiyIbvpmZ/4Rqr9outoLGP1GhQia7LKftql4UZy/J5QUHWT84IA5SGN9gy2tdkG9F6beQvkkGGRJedN3NigVsgo0oNxWYjzUYyU6u6FvfNhAFFYVwYPGATm/b9Dv5lbQRfjFxh5mg32TrUNB93SC1QQoghbAnxY9NxTeSPehBK269rZxJzA1uHYu6HE/nidSpj2AjYU4lyk9KEKZ+zEwSW6nTn5sgUi/RcuEpjcL8N9FQwenIR5bgNgh9UZOE7RUSWYLAFRUKMbo+xxUR/VGtPE7D9N/tyeJ7gPKQaHGvzzpFp6wL3u7anH79Au3p5Mry3bpTTdOM0LQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=m8GMt58p7L9fxdS/EDVqGFAwBccm3YBNH23Qz2rHKWa/xJPbg9PbQ8bz5U4Omt5KjMmgJVLr246Kr/xVblBD9FI49ex6qIbqhOIsU+nCpx9YRyYoqUAuzY1oSYZU1vKUL+xMmh1hBm38aT2V/DncXFJVpLdpKJ8dcutyqcUVnWen08Cg61Xuluac6L+YmaYyO9NLnHM7PkgXM7E9w/ReLz9m+ZOPFoLKbB7SontHdR1STS3XTP7izptbTPvpiSu7uhvk47frx77to+nnP5/lCzN3oQ3HLWTqScLBnMcR53A/hA7eJU5g5KFsFe66JJZpfNHmOnc9JAV+rTVlR9rd1g==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=epam.com header.i="@epam.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Thu, 02 Apr 2026 11:04:00 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHcwpBhsnhldIRLa0qtQ6xVjLEK7A==
  • Thread-topic: [PATCH] xen/device-tree: Fix off-by-one bounds check in make_memory_node()
When building Xen with CONFIG_STATIC_SHM=n, booting a hardware
domain with exactly NR_MEM_BANKS (256) reserved-memory regions
causes a panic:

(XEN) Xen BUG at common/device-tree/domain-build.c:497
(XEN) Xen call trace:
(XEN)    [<00000a0000289aa8>] make_memory_node+0x178/0x234 (PC)

This occurs due to an off-by-one error in the bounds checking of
the reg array in make_memory_node(). The check:
    BUG_ON(nr_cells >= ARRAY_SIZE(reg));
incorrectly triggers when the array is exactly full (i.e., when
nr_cells == ARRAY_SIZE(reg)), preventing the 256th and final valid
memory region from being written.

When CONFIG_STATIC_SHM=y, this bug remains hidden because
DT_MEM_NODE_REG_RANGE_SIZE adds extra space for SHM banks.
This extra capacity prevents the array from ever reaching its
maximum limit while processing the 256th memory region.

Fix this by changing the condition to strictly greater than (>).
Apply the exact same fix to shm_mem_node_fill_reg_range() to
prevent the same error.

Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
---
For context, this issue was also discovered while testing maximum limits.
I did not notice it while working on my previous DOM0_FDT_EXTRA_SIZE patch
because my .config had CONFIG_STATIC_SHM=y enabled at the time, which
masks the error.
---
 xen/common/device-tree/domain-build.c | 2 +-
 xen/common/device-tree/static-shmem.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/common/device-tree/domain-build.c 
b/xen/common/device-tree/domain-build.c
index 6708c9dd66..540627b74e 100644
--- a/xen/common/device-tree/domain-build.c
+++ b/xen/common/device-tree/domain-build.c
@@ -494,7 +494,7 @@ int __init make_memory_node(const struct kernel_info 
*kinfo, int addrcells,
             continue;
 
         nr_cells += reg_size;
-        BUG_ON(nr_cells >= ARRAY_SIZE(reg));
+        BUG_ON(nr_cells > ARRAY_SIZE(reg));
         dt_child_set_range(&cells, addrcells, sizecells, start, size);
     }
 
diff --git a/xen/common/device-tree/static-shmem.c 
b/xen/common/device-tree/static-shmem.c
index 79f23caa77..4c4cc1b123 100644
--- a/xen/common/device-tree/static-shmem.c
+++ b/xen/common/device-tree/static-shmem.c
@@ -838,7 +838,7 @@ void __init shm_mem_node_fill_reg_range(const struct 
kernel_info *kinfo,
         paddr_t size = mem->bank[i].size;
 
         *nr_cells += addrcells + sizecells;
-        BUG_ON(*nr_cells >= DT_MEM_NODE_REG_RANGE_SIZE);
+        BUG_ON(*nr_cells > DT_MEM_NODE_REG_RANGE_SIZE);
         dt_child_set_range(&cells, addrcells, sizecells, start, size);
     }
 }
-- 
2.34.1

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.