When the bumping by <nr> (instead of just 1) was introduced, a comment was left untouched, and a bogus ASSERT_UNREACHABLE() was inserted. That code path can in principle be taken (depending on configuration coming from the outside), and we shouldn't assert anything we didn't check elsewhere.
Signed-off-by: Jan Beulich <jbeul...@suse.com> --- Noticed while reviewing the RISC-V code copying this machinery almost verbatim. --- a/xen/arch/arm/mm.c +++ b/xen/arch/arm/mm.c @@ -256,16 +256,13 @@ static struct domain *page_get_owner_and /* Restrict nr to avoid "double" overflow */ if ( nr >= PGC_count_mask ) - { - ASSERT_UNREACHABLE(); return NULL; - } do { x = y; /* - * Count == 0: Page is not allocated, so we cannot take a reference. - * Count == -1: Reference count would wrap, which is invalid. + * Count == 0: Page is not allocated, so we cannot take a reference. + * Count >= -nr: Reference count would wrap, which is invalid. */ if ( unlikely(((x + nr) & PGC_count_mask) <= nr) ) return NULL;
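Review bot: In the rewritten comment inside the do-loop, "Count >= -nr" only reads correctly if -nr is taken modulo the width of the count field, which the comment does not say. The test `((x + nr) & PGC_count_mask) <= nr` rejects a count of 0 and any count within nr of the top of the field, so wording such as "Count >= PGC_count_mask + 1 - nr" or an added "(modulo the count field width)" would make the boundary explicit. Separately, now that the `nr >= PGC_count_mask` early return is a legitimate runtime path rather than an asserted-unreachable one, the retained "Restrict nr to avoid "double" overflow" comment could state that nr can be influenced by outside configuration, as the commit message does, so the next reader does not reintroduce the assertion.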