[XEN] Off-by one error in range checks translating gfns to mfns

Signed-off-by: Tim Deegan <Tim.Deegan@xensource.com>

diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
index 0e36afafb6432a926a388e24c8ca531f486d3db8..9057b35448c8364919b6047f92c33cae3575fcad 100644 (file)
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -1121,7 +1121,7 @@ sh_gfn_to_mfn_foreign(struct domain *d, unsigned long gpfn)
 
 
 #if CONFIG_PAGING_LEVELS > 2
-    if ( gpfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) ) 
+    if ( gpfn >= (RO_MPT_VIRT_END-RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) ) 
         /* This pfn is higher than the p2m map can hold */
         return _mfn(INVALID_MFN);
 #endif

diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index f470a874ba42e41f9dbfa40e0c5b3e8b6b79effc..eeb2d8634203bb964aa6e5dc72b9cef450bc6335 100644 (file)
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -555,7 +555,7 @@ vcpu_gfn_to_mfn_nofault(struct vcpu *v, unsigned long gfn)
         return _mfn(gfn);
 
 #if CONFIG_PAGING_LEVELS > 2
-    if ( gfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) ) 
+    if ( gfn >= (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) ) 
         /* This pfn is higher than the p2m map can hold */
         return _mfn(INVALID_MFN);
 #endif

diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index 2acdd2f23dcd74fc038bb6f840b1e7755389d59c..826319982474f4b208fdfb851cecbbadd5d756c0 100644 (file)
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -368,7 +368,7 @@ static inline unsigned long get_mfn_from_gpfn(unsigned long pfn)
     int ret;
 
 #if CONFIG_PAGING_LEVELS > 2
-    if ( pfn > (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof (l1_pgentry_t) ) 
+    if ( pfn >= (RO_MPT_VIRT_END - RO_MPT_VIRT_START) / sizeof(l1_pgentry_t) ) 
         /* This pfn is higher than the p2m map can hold */
         return INVALID_MFN;
 #endif