
# HG changeset patch
# User Tim Deegan <tim@xen.org>
# Date 1358426606 -3600
# Node ID 0db8dfa1a378df5a3ec10485164b57e8b3b3e573
# Parent  a064a93a1eadff8adc14b488c6beb4ccdc7931ae
x86/mm: Fix loop increment in paging_log_dirty_range()

In 23417:53ef1f35a0f8 (the fix for XSA-27 / CVE-2012-5511), the
loop variable gets incremented twice, so the loop only clears every
second page of the bitmap.  This might cause the tools to think that
pages are dirty when they are not.

Reported-by: Steven Noonan <snoonan@amazon.com>
Reported-by: Matt Wilson <msw@amazon.com>
Signed-off-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Jan Beulich <jbeulich@suse.com>

diff -r a064a93a1ead -r 0db8dfa1a378 xen/arch/x86/mm/paging.c
--- a/xen/arch/x86/mm/paging.c	Thu Jan 17 12:22:48 2013 +0000
+++ b/xen/arch/x86/mm/paging.c	Thu Jan 17 13:43:26 2013 +0100
@@ -534,7 +534,8 @@ int paging_log_dirty_range(struct domain
 
         size = ((nr + BITS_PER_LONG - 1) / BITS_PER_LONG) * sizeof (long);
         rv = 0;
-        for ( off = 0; !rv && off < size; off += sizeof zeroes )
+        off = 0;
+        while ( !rv && off < size )
         {
             int todo = min(size - off, (int) PAGE_SIZE);
             if ( copy_to_guest_offset(dirty_bitmap, off, zeroes, todo) )
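Review bot: With the `for` header replaced by `off = 0; while ( !rv && off < size )`, the only place `off` is advanced is now inside the body below this hunk, which a reader of the loop header cannot see and which is exactly where the earlier double-increment hid. A short comment on the new `while` line, `/* off is advanced by todo at the end of the body */`, would make the loop's progress condition explicit and keep the next edit from reintroducing a second increment. The same comment could note that `size` counts bytes of bitmap copied per `copy_to_guest_offset` chunk, if that is indeed the unit, as the `min(size - off, (int) PAGE_SIZE)` on the `todo` line suggests. The body of paging_log_dirty_range continues past the hunk, so the `rv` assignment and the advance of `off` that this note relies on are inferred rather than visible here.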