The size passed to kmem functions should be in terms of bytes and not

pages.

Avoid an out-of-bounds array access.

Reviewed by:	cperciva

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/i386/xen/mp_machdep.c b/sys/i386/xen/mp_machdep.c
index b36eed2..b878884 100644
--- a/sys/i386/xen/mp_machdep.c
+++ b/sys/i386/xen/mp_machdep.c
@@ -810,7 +810,7 @@ cpu_initialize_context(unsigned int cpu)
 {
 	/* vcpu_guest_context_t is too large to allocate on the stack.
 	 * Hence we allocate statically and protect it with a lock */
-	vm_page_t m[4];
+	vm_page_t m[NPGPTD + 2];
 	static vcpu_guest_context_t ctxt;
 	vm_offset_t boot_stack;
 	vm_offset_t newPTD;
@@ -831,8 +831,8 @@ cpu_initialize_context(unsigned int cpu)
 		pmap_zero_page(m[i]);
 
 	}
-	boot_stack = kmem_alloc_nofault(kernel_map, 1);
-	newPTD = kmem_alloc_nofault(kernel_map, NPGPTD);
+	boot_stack = kmem_alloc_nofault(kernel_map, PAGE_SIZE);
+	newPTD = kmem_alloc_nofault(kernel_map, NPGPTD * PAGE_SIZE);
 	ma[0] = VM_PAGE_TO_MACH(m[0])|PG_V;
 
 #ifdef PAE	
@@ -854,7 +854,7 @@ cpu_initialize_context(unsigned int cpu)
 	    nkpt*sizeof(vm_paddr_t));
 
 	pmap_qremove(newPTD, 4);
-	kmem_free(kernel_map, newPTD, 4);
+	kmem_free(kernel_map, newPTD, 4 * PAGE_SIZE);
 	/*
 	 * map actual idle stack to boot_stack
 	 */