
[PATCH V2] xen/device-tree: Fix off-by-one bounds check in make_memory_node()


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>
  • Date: Thu, 2 Apr 2026 18:38:35 +0000
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Ayan Kumar Halder <ayankuma@xxxxxxx>
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

When building Xen with CONFIG_STATIC_SHM=n, booting a hardware
domain with exactly NR_MEM_BANKS (256) reserved-memory regions
causes a panic:

(XEN) Xen BUG at common/device-tree/domain-build.c:497
(XEN) Xen call trace:
(XEN)    [<00000a0000289aa8>] make_memory_node+0x178/0x234 (PC)

This occurs due to an off-by-one error in the bounds checking of
the reg array in make_memory_node(). The check:
    BUG_ON(nr_cells >= ARRAY_SIZE(reg));
incorrectly triggers when the array is exactly full (i.e., when
nr_cells == ARRAY_SIZE(reg)), preventing the 256th and final valid
memory region from being written.

When CONFIG_STATIC_SHM=y, this bug is usually hidden because
DT_MEM_NODE_REG_RANGE_SIZE adds extra space for SHM banks.
This extra capacity prevents the array from reaching its
maximum limit while processing the 256th memory region.
However, if a domain is configured with exactly NR_MEM_BANKS
and NR_SHMEM_BANKS, the array will completely fill up and trigger
the same panic.

Fix this by changing the condition to strictly greater than (>).
Apply the exact same fix to shm_mem_node_fill_reg_range() to
prevent the same error.

Fixes: cd8015b634b0 ("ARM/dom0: Avoid using a variable length array in make_memory_node()")
Fixes: 7846f7699fea ("xen/arm: List static shared memory regions as /memory nodes")
Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>
---
  V2:
   - slightly update commit desc (according to Michal's remark)
   - add Fixes tags
   - add R-b tag
---
---
 xen/common/device-tree/domain-build.c | 2 +-
 xen/common/device-tree/static-shmem.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/common/device-tree/domain-build.c 
b/xen/common/device-tree/domain-build.c
index 6708c9dd66..540627b74e 100644
--- a/xen/common/device-tree/domain-build.c
+++ b/xen/common/device-tree/domain-build.c
@@ -494,7 +494,7 @@ int __init make_memory_node(const struct kernel_info 
*kinfo, int addrcells,
             continue;
 
         nr_cells += reg_size;
-        BUG_ON(nr_cells >= ARRAY_SIZE(reg));
+        BUG_ON(nr_cells > ARRAY_SIZE(reg));
         dt_child_set_range(&cells, addrcells, sizecells, start, size);
     }
 
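Review bot: the comparison is only correct because of where it sits: `nr_cells` has already been bumped by `reg_size` on the preceding line, so it is the cell count after the pending `dt_child_set_range()` write, and that write is in bounds exactly when the count does not exceed `ARRAY_SIZE(reg)`, which is what `>` expresses. A small readability suggestion is to check before the increment, e.g. `BUG_ON(nr_cells + reg_size > ARRAY_SIZE(reg));` placed ahead of `nr_cells += reg_size;`, so a reader does not have to reason about post-increment state; the patched form is fine as is. Note that the value being checked is driven by the number of reserved-memory regions the booting domain presents, so the check stays a hard panic rather than an error return; that matches the existing behaviour described in the commit message, but it is worth keeping in mind when the region count is configuration-derived.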
diff --git a/xen/common/device-tree/static-shmem.c 
b/xen/common/device-tree/static-shmem.c
index 79f23caa77..4c4cc1b123 100644
--- a/xen/common/device-tree/static-shmem.c
+++ b/xen/common/device-tree/static-shmem.c
@@ -838,7 +838,7 @@ void __init shm_mem_node_fill_reg_range(const struct 
kernel_info *kinfo,
         paddr_t size = mem->bank[i].size;
 
         *nr_cells += addrcells + sizecells;
-        BUG_ON(*nr_cells >= DT_MEM_NODE_REG_RANGE_SIZE);
+        BUG_ON(*nr_cells > DT_MEM_NODE_REG_RANGE_SIZE);
         dt_child_set_range(&cells, addrcells, sizecells, start, size);
     }
 }
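Review bot: this hunk compares `*nr_cells` against the constant `DT_MEM_NODE_REG_RANGE_SIZE` rather than against the size of the array `cells` actually points into, so the correctness of the new `>` depends on the caller passing a buffer of exactly that capacity; that is not visible in the hunk, and a one-line comment above the `BUG_ON` stating that assumption would make the contract explicit. The post-increment reasoning is the same as in the domain-build.c hunk: `*nr_cells` has already been increased by `addrcells + sizecells`, so `>` is the right operator and the two call sites now use a consistent check.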
-- 
2.34.1
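To make the off-by-one concrete, here is a constructed C model of the loop in make_memory_node(). It is an added example, not code from the patch or from Xen: NR_MEM_BANKS (256) and the post-increment `BUG_ON` shape are from the patch, while the reg array capacity (NR_MEM_BANKS banks of addrcells + sizecells cells), the 2+2 cell layout and the `BUG_ON_RET`/`fill_reg` helper names are assumptions made for the demo. The pre-fix check rejects the 256th bank even though the array has room for it; the post-fix check accepts it and still rejects a 257th.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the bounds check in make_memory_node(); not Xen code.
 * NR_MEM_BANKS is from the patch; the capacity and cell layout are assumed,
 * since the patch does not show the declaration of reg[]. */
#define NR_MEM_BANKS 256
#define ADDRCELLS 2
#define SIZECELLS 2
#define REG_CAPACITY (NR_MEM_BANKS * (ADDRCELLS + SIZECELLS))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for BUG_ON: return an error code instead of panicking so the
 * two variants of the check can be compared from a test. */
#define BUG_ON_RET(cond) do { if (cond) return -1; } while (0)

/* Write one bank's (start, size) as four 32-bit cells, standing in for
 * dt_child_set_range() with addrcells = sizecells = 2. */
static void set_range(uint32_t **cells, uint64_t start, uint64_t size)
{
    *(*cells)++ = (uint32_t)(start >> 32);
    *(*cells)++ = (uint32_t)start;
    *(*cells)++ = (uint32_t)(size >> 32);
    *(*cells)++ = (uint32_t)size;
}

/* Fill nbanks constructed memory banks into a fixed reg[] array.
 * strict_gt = 0 uses the pre-patch ">=" check, strict_gt = 1 the patched ">".
 * Returns the number of cells written, or -1 if the check fired. */
static int fill_reg(unsigned int nbanks, int strict_gt)
{
    uint32_t reg[REG_CAPACITY];
    uint32_t *cells = reg;
    size_t nr_cells = 0;
    const size_t reg_size = ADDRCELLS + SIZECELLS;

    for (unsigned int i = 0; i < nbanks; i++) {
        uint64_t start = (uint64_t)i << 30;   /* constructed 1 GiB bank */
        uint64_t size = 1ULL << 30;

        /* As in the patched loop, the count is bumped first, so it is the
         * number of cells occupied after the write that follows. */
        nr_cells += reg_size;
        if (strict_gt)
            BUG_ON_RET(nr_cells > ARRAY_SIZE(reg));   /* after the patch */
        else
            BUG_ON_RET(nr_cells >= ARRAY_SIZE(reg));  /* before the patch */
        set_range(&cells, start, size);
    }
    return (int)nr_cells;
}

int fill_reg_before_fix(unsigned int nbanks) { return fill_reg(nbanks, 0); }
int fill_reg_after_fix(unsigned int nbanks) { return fill_reg(nbanks, 1); }

int main(void)
{
    printf("before fix, 256 banks: %d\n", fill_reg_before_fix(256)); /* -1 */
    printf("after fix,  256 banks: %d\n", fill_reg_after_fix(256));  /* 1024 */
    printf("after fix,  257 banks: %d\n", fill_reg_after_fix(257));  /* -1 */
    return 0;
}
```

With 255 banks both variants succeed (1020 cells); at 256 banks the pre-fix `>=` fires when `nr_cells` reaches 1024 even though the array holds exactly 1024 cells, which is the panic in the commit message, while the patched `>` writes the final bank and still refuses a 257th before any out-of-bounds store happens.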