Re: [PATCH] xen/device-tree: Fix off-by-one bounds check in make_memory_node()
- To: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: "Orzel, Michal" <michal.orzel@xxxxxxx>
- Date: Thu, 2 Apr 2026 14:45:12 +0200
- Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
- Delivery-date: Thu, 02 Apr 2026 12:45:28 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 02/04/2026 13:03, Oleksandr Tyshchenko wrote:
> When building Xen with CONFIG_STATIC_SHM=n, booting a hardware
> domain with exactly NR_MEM_BANKS (256) reserved-memory regions
> causes a panic:
>
> (XEN) Xen BUG at common/device-tree/domain-build.c:497
> (XEN) Xen call trace:
> (XEN) [<00000a0000289aa8>] make_memory_node+0x178/0x234 (PC)
>
> This occurs due to an off-by-one error in the bounds checking of
> the reg array in make_memory_node(). The check:
>     BUG_ON(nr_cells >= ARRAY_SIZE(reg));
> incorrectly triggers when the array is exactly full (i.e., when
> nr_cells == ARRAY_SIZE(reg)), preventing the 256th and final valid
> memory region from being written.
>
> When CONFIG_STATIC_SHM=y, this bug remains hidden because

AFAICT it remains hidden as long as you don't add NR_SHMEM_BANKS banks.
In that case you will also hit this problem.

> DT_MEM_NODE_REG_RANGE_SIZE adds extra space for SHM banks.
> This extra capacity prevents the array from ever reaching its
> maximum limit while processing the 256th memory region.
>
> Fix this by changing the condition to strictly greater than (>).
> Apply the exact same fix to shm_mem_node_fill_reg_range() to
> prevent the same error.
>
> Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>

This should have a Fixes tag.
With that:
Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>

~Michal
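
The boundary behaviour discussed in this thread, as an added example that is not part of the e-mail and is not Xen's code: a small model of a reg-array fill loop that compares the ">=" check with the ">" check, first with a tight array and then with extra headroom. fill_reg(), EXTRA_BANKS, CELLS_PER_BANK and the order "account, check, write" are assumptions made for illustration; only the 256-bank limit comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_MEM_BANKS   256  /* from the commit message */
#define EXTRA_BANKS    32   /* assumed stand-in for the SHM headroom */
#define CELLS_PER_BANK 4    /* assumed: 2 address + 2 size cells */
#define MAX_CELLS      ((NR_MEM_BANKS + EXTRA_BANKS) * CELLS_PER_BANK)

enum check { CHECK_GE, CHECK_GT };  /* ">=" as reported, ">" as fixed */

/*
 * Hypothetical model: account for a bank's cells, bounds-check, write.
 * Returns banks written, or -1 where the real code would hit BUG_ON().
 */
static int fill_reg(size_t cap_cells, size_t nr_banks, enum check c)
{
    static uint32_t reg[MAX_CELLS];
    size_t nr_cells = 0, i, j;

    if (cap_cells > MAX_CELLS)
        return -1;
    for (i = 0; i < nr_banks; i++) {
        size_t start = nr_cells;

        nr_cells += CELLS_PER_BANK;
        /* nr_cells == cap_cells is "exactly full", which is valid. */
        if (c == CHECK_GE ? nr_cells >= cap_cells : nr_cells > cap_cells)
            return -1;
        for (j = start; j < nr_cells; j++)
            reg[j] = (uint32_t)i;  /* placeholder cell contents */
    }
    return (int)nr_banks;
}

int main(void)
{
    size_t tight = NR_MEM_BANKS * CELLS_PER_BANK;

    printf("tight, 256 banks, >=: %d\n", fill_reg(tight, 256, CHECK_GE));
    printf("tight, 256 banks, > : %d\n", fill_reg(tight, 256, CHECK_GT));
    printf("tight, 257 banks, > : %d\n", fill_reg(tight, 257, CHECK_GT));
    printf("roomy, 256 banks, >=: %d\n", fill_reg(MAX_CELLS, 256, CHECK_GE));
    printf("roomy, 288 banks, >=: %d\n", fill_reg(MAX_CELLS, 288, CHECK_GE));
    return 0;
}
```

The last two calls show why headroom only moves the failure: the ">=" check passes at 256 banks in the larger array and trips again once the headroom is filled as well.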