From owner-svn-src-all@FreeBSD.ORG Tue Dec 20 20:29:46 2011
Message-Id: <201112202029.pBKKTkkJ033679@svn.freebsd.org>
From: Alan Cox
Date: Tue, 20 Dec 2011 20:29:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r228747 - head/sys/i386/xen
X-SVN-Group: head

Author: alc
Date: Tue Dec 20 20:29:45 2011
New Revision: 228747
URL: http://svn.freebsd.org/changeset/base/228747

Log:
  The size passed to kmem functions should be in terms of bytes and not pages. Avoid an out-of-bounds array access.

  Reviewed by: cperciva

Modified:
  head/sys/i386/xen/mp_machdep.c

Modified: head/sys/i386/xen/mp_machdep.c ============================================================================== --- head/sys/i386/xen/mp_machdep.c Tue Dec 20 20:16:12 2011 (r228746) +++ head/sys/i386/xen/mp_machdep.c Tue Dec 20 20:29:45 2011 (r228747) @@ -810,7 +810,7 @@ cpu_initialize_context(unsigned int cpu) { /* vcpu_guest_context_t is too large to allocate on the stack. * Hence we allocate statically and protect it with a lock */ - vm_page_t m[4]; + vm_page_t m[NPGPTD + 2]; static vcpu_guest_context_t ctxt; vm_offset_t boot_stack; vm_offset_t newPTD; @@ -831,8 +831,8 @@ cpu_initialize_context(unsigned int cpu) pmap_zero_page(m[i]); } - boot_stack = kmem_alloc_nofault(kernel_map, 1); - newPTD = kmem_alloc_nofault(kernel_map, NPGPTD); + boot_stack = kmem_alloc_nofault(kernel_map, PAGE_SIZE); + newPTD = kmem_alloc_nofault(kernel_map, NPGPTD * PAGE_SIZE); ma[0] = VM_PAGE_TO_MACH(m[0])|PG_V; #ifdef PAE 
@@ -854,7 +854,7 @@ cpu_initialize_context(unsigned int cpu) nkpt*sizeof(vm_paddr_t)); pmap_qremove(newPTD, 4); - kmem_free(kernel_map, newPTD, 4); + kmem_free(kernel_map, newPTD, 4 * PAGE_SIZE); /* * map actual idle stack to boot_stack */
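Review bot: in the first hunk the new bound `vm_page_t m[NPGPTD + 2];` leaves the `+ 2` unexplained, so the next reader has no way to tell which two extra pages the array must hold or to verify that every index into m[] stays below the bound; a one-line comment on the declaration (or a named constant shared with the code that indexes m[]) would make the out-of-bounds fix described in the log self-documenting and keep the array size and its users from drifting apart again. While touching these lines, the block comment above the declaration could be brought to style(9) form with `/*` on its own line.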
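Review bot: in the second hunk neither `boot_stack = kmem_alloc_nofault(kernel_map, PAGE_SIZE);` nor `newPTD = kmem_alloc_nofault(kernel_map, NPGPTD * PAGE_SIZE);` has its return value checked before `ma[0] = VM_PAGE_TO_MACH(m[0])|PG_V;` proceeds to build the mappings; kmem_alloc_nofault() returns 0 when kernel_map cannot satisfy the request, and now that the sizes are in bytes the newPTD reservation is PAGE_SIZE times larger than what the old (page-count) call reserved, so a failure path, e.g. `if (boot_stack == 0 || newPTD == 0) panic(...)` or an error return from cpu_initialize_context(), belongs here rather than letting a zero address be used as a kernel virtual address.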
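Review bot: in the third hunk `kmem_free(kernel_map, newPTD, 4 * PAGE_SIZE);` and the `pmap_qremove(newPTD, 4);` context line above it hard-code 4, while the matching allocation in the previous hunk is `newPTD = kmem_alloc_nofault(kernel_map, NPGPTD * PAGE_SIZE);`; unless NPGPTD is 4 in every configuration this file builds for, the unmap and the free no longer cover the same range as the allocation. Use `kmem_free(kernel_map, newPTD, NPGPTD * PAGE_SIZE);` and `pmap_qremove(newPTD, NPGPTD);` so the mapping, the allocation and the free all derive from the one constant the m[] bound now uses.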