Differential D16416 Diff 46059 head/emulators/xen-kernel47/files/xsa249.patch

Changeset View

Standalone View

Property	Old Value	New Value
fbsd:nokeywords	null	yes \ No newline at end of property
svn:eol-style	null	native \ No newline at end of property
svn:mime-type	null	text/plain \ No newline at end of property

				From: Jan Beulich <jbeulich@suse.com>
				Subject: x86/shadow: fix refcount overflow check

				Commit c385d27079 ("x86 shadow: for multi-page shadows, explicitly track
				the first page") reduced the refcount width to 25, without adjusting the
				overflow check. Eliminate the disconnect by using a manifest constant.

				Interestingly, up to commit 047782fa01 ("Out-of-sync L1 shadows: OOS
				snapshot") the refcount was 27 bits wide, yet the check was already
				using 26.

				This is XSA-249.

				Signed-off-by: Jan Beulich <jbeulich@suse.com>
				Reviewed-by: George Dunlap <george.dunlap@citrix.com>
				Reviewed-by: Tim Deegan <tim@xen.org>
				---
				v2: Simplify expression back to the style it was.

				--- a/xen/arch/x86/mm/shadow/private.h
				+++ b/xen/arch/x86/mm/shadow/private.h
				@@ -529,7 +529,7 @@ static inline int sh_get_ref(struct doma
				x = sp->u.sh.count;
				nx = x + 1;

				- if ( unlikely(nx >= 1U<<26) )
				+ if ( unlikely(nx >= (1U << PAGE_SH_REFCOUNT_WIDTH)) )
				{
				SHADOW_PRINTK("shadow ref overflow, gmfn=%lx smfn=%lx\n",
				__backpointer(sp), mfn_x(smfn));
				--- a/xen/include/asm-x86/mm.h
				+++ b/xen/include/asm-x86/mm.h
				@@ -82,7 +82,8 @@ struct page_info
				unsigned long type:5; /* What kind of shadow is this? */
				unsigned long pinned:1; /* Is the shadow pinned? */
				unsigned long head:1; /* Is this the first page of the shadow? */
				- unsigned long count:25; /* Reference count */
				+#define PAGE_SH_REFCOUNT_WIDTH 25
				+ unsigned long count:PAGE_SH_REFCOUNT_WIDTH; /* Reference count */
				} sh;

				/* Page is on a free list: ((count_info & PGC_count_mask) == 0). */