From: Jan Beulich Date: Tue, 12 Dec 2017 13:29:13 +0000 (+0100) Subject: x86/shadow: fix refcount overflow check X-Git-Tag: 4.11.0-rc1~765 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=54e2292e8df7a1a7b041192be9d6d797b6d00869;p=xen.git x86/shadow: fix refcount overflow check Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track the first page") reduced the refcount width to 25, without adjusting the overflow check. Eliminate the disconnect by using a manifest constant. Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS snapshot") the refcount was 27 bits wide, yet the check was already using 26. This is XSA-249. Signed-off-by: Jan Beulich Reviewed-by: George Dunlap Reviewed-by: Tim Deegan --- diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h index 6a03370402..554905e87e 100644 --- a/xen/arch/x86/mm/shadow/private.h +++ b/xen/arch/x86/mm/shadow/private.h @@ -529,7 +529,7 @@ static inline int sh_get_ref(struct domain *d, mfn_t smfn, paddr_t entry_pa) x = sp->u.sh.count; nx = x + 1; - if ( unlikely(nx >= 1U<<26) ) + if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) ) { SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n", __backpointer(sp), mfn_x(smfn)); diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index 83626085e0..7e9f306ff5 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -82,7 +82,8 @@ struct page_info unsigned long type:5; /* What kind of shadow is this? */ unsigned long pinned:1; /* Is the shadow pinned? */ unsigned long head:1; /* Is this the first page of the shadow? */ - unsigned long count:25; /* Reference count */ +#define PAGE_SH_REFCOUNT_WIDTH 25 + unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */ } sh; /* Page is on a free list: ((count_info & PGC_count_mask) == 0). */
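Review bot: In the sh_get_ref() hunk, the new bound (1U << PAGE_SH_REFCOUNT_WIDTH) is only well defined while the constant stays below the width of unsigned int. The count field is declared as an unsigned long bitfield, so a later widening of the field would be legal there but would make this shift undefined. Since the aim of the change is to let the check follow the field width automatically, consider a build-time assertion next to the check that PAGE_SH_REFCOUNT_WIDTH is less than 32, or make the shifted constant 1UL and confirm that nx is wide enough for the comparison. With the current value of 25 the check rejects nx at 1 << 25, the first value that no longer fits the field, which is what the commit message asks for.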
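Review bot: In the struct page_info hunk, the line "#define PAGE_SH_REFCOUNT_WIDTH 25" is placed in the middle of the sh bitfield group with nothing that ties it to its other user. A one-line comment stating that the overflow check in sh_get_ref() (xen/arch/x86/mm/shadow/private.h) depends on this constant would make the coupling visible to whoever next changes the layout, which is the disconnect the commit message describes. It would also help to note there that the fields shown (type:5, pinned:1, head:1, count:25) add up to 32 bits, so any change to the width has to be balanced against the neighbouring fields.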