memory: fix off-by-one in XSA-346 change

The comparison against ARRAY_SIZE() needs to be >= in order to avoid overrunning the pages[] array. This is XSA-355. Fixes: 5777a3742d88 ("IOMMU: hold page ref until after deferred TLB flush") Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Julien Grall <jgrall@amazon.com>
author: Jan Beulich <jbeulich@suse.com> 2020-11-24 14:01:31 +0100
committer: Jan Beulich <jbeulich@suse.com> 2020-11-24 14:01:31 +0100
commit: 9b156bcc3ffcc7949edd4460b718a241e87ae302 (patch)
tree: 1216275c014be4ba422631b5b6522168add4e502
parent: 8147e00e4fbfcc43b665dc6bf279b204c501ba04 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/xen/common/memory.c b/xen/common/memory.c
index df85b550a1..2c86934ae8 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -854,7 +854,7 @@ int xenmem_add_to_physmap(struct domain *d, struct xen_add_to_physmap *xatp,
             ++extra.ppage;
 
         /* Check for continuation if it's not the last iteration. */
-        if ( (++done > ARRAY_SIZE(pages) && extra.ppage) ||
+        if ( (++done >= ARRAY_SIZE(pages) && extra.ppage) ||
              (xatp->size > done && hypercall_preempt_check()) )
         {
             rc = start + done;
author	Jan Beulich <jbeulich@suse.com>	2020-11-24 14:01:31 +0100
committer	Jan Beulich <jbeulich@suse.com>	2020-11-24 14:01:31 +0100
commit	9b156bcc3ffcc7949edd4460b718a241e87ae302 (patch)
tree	1216275c014be4ba422631b5b6522168add4e502
parent	8147e00e4fbfcc43b665dc6bf279b204c501ba04 (diff)