[xen staging] x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table()

[patchbot@xxxxxxx]

commit 45ee73f1b24246f13cd9583cb2ee25fb9c782db8
Author:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Mar 18 09:20:59 2025 +0100
Commit:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
CommitDate: Thu Mar 20 12:28:30 2025 +0100

    x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table()
    
    UBSAN complains with:
    
    UBSAN: Undefined behaviour in arch/x86/mm/shadow/private.h:515:30
    pointer operation overflowed ffff82e000000000 to ffff82dfffffffe0
    [...]
    Xen call trace:
        [<ffff82d040303782>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0xc0
        [<ffff82d040304bc3>] F __ubsan_handle_pointer_overflow+0xcb/0x100
        [<ffff82d040471b2d>] F 
arch/x86/mm/shadow/guest_2.c#sh_page_fault__guest_2+0x1e350
        [<ffff82d0403b206b>] F svm_vmexit_handler+0xdf3/0x2450
        [<ffff82d0402049c0>] F svm_stgi_label+0x5/0x15
    
    Fix by moving the call to mfn_to_page() after the check of whether the
    passed gmfn is valid.  This avoid the call to mfn_to_page() with an
    INVALID_MFN parameter.
    
    While there make the page local variable const, it's not modified by the
    function.
    
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/mm/shadow/private.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/mm/shadow/private.h b/xen/arch/x86/mm/shadow/private.h
index a5fc3a7676..cef9dbef2e 100644
--- a/xen/arch/x86/mm/shadow/private.h
+++ b/xen/arch/x86/mm/shadow/private.h
@@ -512,13 +512,14 @@ static inline unsigned long __backpointer(const struct 
page_info *sp)
 static inline int
 sh_mfn_is_a_page_table(mfn_t gmfn)
 {
-    struct page_info *page = mfn_to_page(gmfn);
+    const struct page_info *page;
     struct domain *owner;
     unsigned long type_info;
 
     if ( !mfn_valid(gmfn) )
         return 0;
 
+    page = mfn_to_page(gmfn);
     owner = page_get_owner(page);
     if ( owner && shadow_mode_refcounts(owner)
          && (page->count_info & PGC_shadowed_pt) )
--
generated by git-patchbot for /home/xen/git/xen.git#staging