[PATCH 1/2] xen: Fix page <-> pfn conversion on 32 bit systems

[PATCH 1/2] xen: Fix page <-> pfn conversion on 32 bit systems

[Ross Lagerwall]

The xen functions to convert between pages and pfns fail due to an
overflow on systems where a physical address may not fit in an unsigned
long (e.g. x86 32 bit PAE systems). Rework the conversion to avoid
overflow. This should also result in simpler object code.

This bug manifested itself as disk corruption with Linux 4.4 when using
blkfront in a Xen HVM x86 32 bit guest with more than 4 GiB of memory.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
---
 include/xen/page.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/xen/page.h b/include/xen/page.h
index 96294ac..9dc46cb 100644
--- a/include/xen/page.h
+++ b/include/xen/page.h
@@ -15,9 +15,9 @@
  */
 
 #define xen_pfn_to_page(xen_pfn)	\
-	((pfn_to_page(((unsigned long)(xen_pfn) << XEN_PAGE_SHIFT) >> PAGE_SHIFT)))
+	(pfn_to_page((unsigned long)(xen_pfn) >> (PAGE_SHIFT - XEN_PAGE_SHIFT)))
 #define page_to_xen_pfn(page)		\
-	(((page_to_pfn(page)) << PAGE_SHIFT) >> XEN_PAGE_SHIFT)
+	((page_to_pfn(page)) << (PAGE_SHIFT - XEN_PAGE_SHIFT))
 
 #define XEN_PFN_PER_PAGE	(PAGE_SIZE / XEN_PAGE_SIZE)
 
-- 
2.4.3


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

[PATCH 2/2] xen/balloon: Fix crash when ballooning on x86 32 bit PAE

[Ross Lagerwall]

When ballooning on an x86 32 bit PAE system with close to 64 GiB of memory, the
address returned by allocate_resource may be above 64 GiB.  When using
CONFIG_SPARSEMEM, this setup is limited to using physical addresses < 64 GiB.
When adding memory at this address, it runs off the end of the mem_section
array and causes a crash.  Instead, fail the ballooning request.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
---
 drivers/xen/balloon.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 12eab50..329695d 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -152,6 +152,8 @@ static DECLARE_WAIT_QUEUE_HEAD(balloon_wq);
 static void balloon_process(struct work_struct *work);
 static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
 
+static void release_memory_resource(struct resource *resource);
+
 /* When ballooning out (allocating memory to return to Xen) we don't really
    want the kernel to try too hard since that can trigger the oom killer. */
 #define GFP_BALLOON \
@@ -268,6 +270,19 @@ static struct resource *additional_memory_resource(phys_addr_t size)
 		return NULL;
 	}
 
+#ifdef CONFIG_SPARSEMEM
+	{
+		unsigned long max_pfn = 1UL << (MAX_PHYSMEM_BITS - PAGE_SHIFT);
+		unsigned long pfn = res->start >> PAGE_SHIFT;
+
+		if (pfn > max_pfn) {
+			pr_err("pfn %lu exceeds max_pfn %lu\n", pfn, max_pfn);
+			release_memory_resource(res);
+			return NULL;
+		}
+	}
+#endif
+
 	return res;
 }
 
-- 
2.4.3


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATCH 2/2] xen/balloon: Fix crash when ballooning on x86 32 bit PAE

[David Vrabel]

These two have been applied to for-linus-4.6, thanks.

I tagged them for stable since they are regression in 4.4.

On 17/03/16 16:52, Ross Lagerwall wrote:
> When ballooning on an x86 32 bit PAE system with close to 64 GiB of memory, the
> address returned by allocate_resource may be above 64 GiB.  When using
> CONFIG_SPARSEMEM, this setup is limited to using physical addresses < 64 GiB.
> When adding memory at this address, it runs off the end of the mem_section
> array and causes a crash.  Instead, fail the ballooning request.
> 
> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> ---
>  drivers/xen/balloon.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
> index 12eab50..329695d 100644
> --- a/drivers/xen/balloon.c
> +++ b/drivers/xen/balloon.c
> @@ -152,6 +152,8 @@ static DECLARE_WAIT_QUEUE_HEAD(balloon_wq);
>  static void balloon_process(struct work_struct *work);
>  static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
>  
> +static void release_memory_resource(struct resource *resource);
> +
>  /* When ballooning out (allocating memory to return to Xen) we don't really
>     want the kernel to try too hard since that can trigger the oom killer. */
>  #define GFP_BALLOON \
> @@ -268,6 +270,19 @@ static struct resource *additional_memory_resource(phys_addr_t size)
>  		return NULL;
>  	}
>  
> +#ifdef CONFIG_SPARSEMEM
> +	{
> +		unsigned long max_pfn = 1UL << (MAX_PHYSMEM_BITS - PAGE_SHIFT);

I changed max_pfn to limit, to avoid confusion with the global max_pfn.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel