[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/device-tree: Fix off-by-one bounds check in make_memory_node()

  • To: "Orzel, Michal" <michal.orzel@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
  • Date: Thu, 2 Apr 2026 16:53:52 +0000
  • Accept-language: en-US, ru-RU
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=aQqd8AKyR5za5xp0S+ghLRo8Ij748iWcoDWX/6XquFE=; b=sar5C4xs3MGF8INAz+FmDQHty4ILMm9d7XYEbMhl6faNWDeZmM+u7AzatUNjfKjJzDE5GwXFYvuL0DtZdjY9f1ziR+GjbzspCSwCPdumNN8o1jW+uEc8yG+U0ieuYGsr2UgXPAkTDZjGnXuAks08MZiuhELhWVTRAzglXQLo38KwLzT6IZC1YCI9R/3nOaNU0kNf83Pql6DvNpH4jUNFuno7UCR4tCMXR1bjGMbAzLBFNtn/GfYisCm9Qj4Ax1p+B3k4E03EhZmUoeYR3/XmDZsm2bBwAJro+ekiE/YTx85QoCEk56fZ0hyw5sanrX9b1PGV/z2SoUXpYCtmb28H0w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=W2J5Sc7rq+8noD4ETOCtKt1UsXupyQPfdAhhQI9XyFkxQwAuE3D8W0RGF7e547UA0/JwShj+NkWVjAlt++Wg/vPDd+riDBY8riEcWCfI3m4ZuriH/7/FwJI5TUFMRgQA9wswrt11Jx2jvZDFjNofUXTp3mGRZGqkuVWu0YoWik8/gORYKYeVzwjHlkdkckjQbi8SV/LiYRJYBdc7qB7KLk0lKaZHiutPlDtNt8R+zXWS4Pzb1jfhe3znKKqS98PO+fB2fcOokLaOkMXqgIOMYO5vBMj1fJs94B7//SGRN5lapaicgk2X+yE1s0OcSeRSgkeCliRW555RQJxzkINPCA==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=epam.com header.i="@epam.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>
  • Delivery-date: Thu, 02 Apr 2026 16:54:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHcwpBhsnhldIRLa0qtQ6xVjLEK7LXLt/YAgABFcwA=
  • Thread-topic: [PATCH] xen/device-tree: Fix off-by-one bounds check in make_memory_node()

On 4/2/26 15:45, Orzel, Michal wrote:

Hello Michal

> 
> 
> On 02/04/2026 13:03, Oleksandr Tyshchenko wrote:
>> When building Xen with CONFIG_STATIC_SHM=n, booting a hardware
>> domain with exactly NR_MEM_BANKS (256) reserved-memory regions
>> causes a panic:
>>
>> (XEN) Xen BUG at common/device-tree/domain-build.c:497
>> (XEN) Xen call trace:
>> (XEN)    [<00000a0000289aa8>] make_memory_node+0x178/0x234 (PC)
>>
>> This occurs due to an off-by-one error in the bounds checking of
>> the reg array in make_memory_node(). The check:
>>      BUG_ON(nr_cells >= ARRAY_SIZE(reg));
>> incorrectly triggers when the array is exactly full (i.e., when
>> nr_cells == ARRAY_SIZE(reg)), preventing the 256th and final valid
>> memory region from being written.
>>
>> When CONFIG_STATIC_SHM=y, this bug remains hidden because
> AFAICT it remains hidden as long as you don't add NR_SHMEM_BANKS banks.
> In that case you will also hit this problem.

I think, you are right.

> 
>> DT_MEM_NODE_REG_RANGE_SIZE adds extra space for SHM banks.
>> This extra capacity prevents the array from ever reaching its
>> maximum limit while processing the 256th memory region.
>>
>> Fix this by changing the condition to strictly greater than (>).
>> Apply the exact same fix to shm_mem_node_fill_reg_range() to
>> prevent the same error.
>>
>> Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
> This should have a Fixes tag.

It took some digging to locate the exact commit since this code has been 
moved and updated several times.

Initially, I thought about 9aaf437cd361 ("xen/arm: don't assign domU 
static-mem to dom0 as reserved-memory"). However, looking closely at the 
diff, that commit only moved the offending BUG_ON() inside a loop rather 
than introducing it. Unless I am mistaken, the correct target for the 
Fixes: is cd8015b634b0 ("ARM/dom0: Avoid using a variable length array 
in make_memory_node()").

As for shm_mem_node_fill_reg_range(), 7846f7699fea ("xen/arm: List 
static shared memory regions as /memory nodes") simply copied the 
existing BUG_ON() logic into the new function.


> With that:
> Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>

Thanks

> 
> ~Michal
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.