From: Jan Beulich <jbeulich@suse.com>
Date: Mon, 25 Nov 2019 15:17:14 +0000 (+0100)
Subject: x86: fix off-by-one in is_xen_fixed_mfn()
X-Git-Tag: archive/raspbian/4.11.3+24-g14b62ab3e5-1+rpi1^2~55^2~38
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0b1e97d77f3003ad1775eb0e4fae4350941f962a;p=xen.git

x86: fix off-by-one in is_xen_fixed_mfn()

__2M_rwdata_end marks the first byte after the Xen image, not its last
byte. Subtract 1 to obtain the upper bound to compare against. (Note
that instead switching from <= to < is less desirable, as in principle
__pa() might return rubbish for addresses outside of the Xen image.)

Since the & needs to be dropped from the line in question, also drop it
from the adjacent one.

Reported-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 9633929824204ca7a6d60d083466de79993d60f1
master date: 2019-10-25 10:38:58 +0200
---

diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h
index c6ba9e4d73..7825691d06 100644
--- a/xen/include/asm-x86/mm.h
+++ b/xen/include/asm-x86/mm.h
@@ -295,8 +295,8 @@ struct page_info
 #define is_xen_heap_mfn(mfn) \
     (__mfn_valid(mfn) && is_xen_heap_page(mfn_to_page(_mfn(mfn))))
 #define is_xen_fixed_mfn(mfn)                     \
-    ((((mfn) << PAGE_SHIFT) >= __pa(&_stext)) &&  \
-     (((mfn) << PAGE_SHIFT) <= __pa(&__2M_rwdata_end)))
+    ((((mfn) << PAGE_SHIFT) >= __pa(_stext)) &&  \
+     (((mfn) << PAGE_SHIFT) <= __pa(__2M_rwdata_end - 1)))
 
 #define PRtype_info "016lx"/* should only be used for printk's */