From 53decd322157e922cac2988e07da6d39538c8033 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Fri, 1 Mar 2013 16:59:49 +0100
Subject: [PATCH] fix compat memory exchange op splitting

A shift with a negative count was erroneously used here, yielding
undefined behavior.

Reported-by: Xi Wang <xi@mit.edu>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
---
 xen/common/compat/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index e0fc20524c..caa24ccbe6 100644
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -172,7 +172,7 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
                 if ( order_delta >= 0 )
                     nat.xchg->out.nr_extents = end_extent >> order_delta;
                 else
-                    nat.xchg->out.nr_extents = end_extent << order_delta;
+                    nat.xchg->out.nr_extents = end_extent << -order_delta;
                 ++split;
             }
 
-- 
2.30.2