ia64/xen-unstable

changeset 1058:23d2d95255c7

bitkeeper revision 1.697 (401a7dcfLSasqkAaMngsKdiVm_puVw)

config.h, ide-cd.c, dom0_ops.c, pci-pc.c:
Fix stack overflows in Xen.
author kaf24@scramble.cl.cam.ac.uk
date Fri Jan 30 15:52:47 2004 +0000 (2004-01-30)
parents 432277fa713c
children 871510593652
files xen/arch/i386/pci-pc.c xen/common/dom0_ops.c xen/drivers/ide/ide-cd.c xen/include/xeno/config.h
line diff
     1.1 --- a/xen/arch/i386/pci-pc.c	Fri Jan 30 15:41:36 2004 +0000
     1.2 +++ b/xen/arch/i386/pci-pc.c	Fri Jan 30 15:52:47 2004 +0000
     1.3 @@ -442,21 +442,36 @@ static struct pci_ops pci_direct_conf2 =
     1.4  static int __devinit pci_sanity_check(struct pci_ops *o)
     1.5  {
     1.6  	u16 x;
     1.7 -	struct pci_bus bus;		/* Fake bus and device */
     1.8 -	struct pci_dev dev;
     1.9 +	struct pci_bus *bus;		/* Fake bus and device */
    1.10 +	struct pci_dev *dev;
    1.11 +	int ret = 0;
    1.12  
    1.13  	if (pci_probe & PCI_NO_CHECKS)
    1.14  		return 1;
    1.15 -	bus.number = 0;
    1.16 -	dev.bus = &bus;
    1.17 -	for(dev.devfn=0; dev.devfn < 0x100; dev.devfn++)
    1.18 -		if ((!o->read_word(&dev, PCI_CLASS_DEVICE, &x) &&
    1.19 +
    1.20 +	bus = kmalloc(sizeof(*bus), GFP_KERNEL);
    1.21 +	dev = kmalloc(sizeof(*dev), GFP_KERNEL);
    1.22 +	if ( (bus == NULL) || (dev == NULL) )
    1.23 +		goto out;
    1.24 +
    1.25 +	bus->number = 0;
    1.26 +	dev->bus = bus;
    1.27 +	for(dev->devfn=0; dev->devfn < 0x100; dev->devfn++)
    1.28 +		if ((!o->read_word(dev, PCI_CLASS_DEVICE, &x) &&
    1.29  		     (x == PCI_CLASS_BRIDGE_HOST || x == PCI_CLASS_DISPLAY_VGA)) ||
    1.30 -		    (!o->read_word(&dev, PCI_VENDOR_ID, &x) &&
    1.31 +		    (!o->read_word(dev, PCI_VENDOR_ID, &x) &&
    1.32  		     (x == PCI_VENDOR_ID_INTEL || x == PCI_VENDOR_ID_COMPAQ)))
    1.33 -			return 1;
    1.34 +		{
    1.35 +			ret = 1;
    1.36 +			break;
    1.37 +		}
    1.38 + out:
    1.39 +	if ( bus != NULL )
    1.40 +		kfree(bus);
    1.41 +	if ( dev != NULL)
    1.42 +		kfree(dev);
    1.43  	DBG("PCI: Sanity check failed\n");
    1.44 -	return 0;
    1.45 +	return ret;
    1.46  }
    1.47  
    1.48  static struct pci_ops * __devinit pci_check_direct(void)
     2.1 --- a/xen/common/dom0_ops.c	Fri Jan 30 15:41:36 2004 +0000
     2.2 +++ b/xen/common/dom0_ops.c	Fri Jan 30 15:52:47 2004 +0000
     2.3 @@ -59,27 +59,36 @@ static void read_msr_for(void *unused)
     2.4  long do_dom0_op(dom0_op_t *u_dom0_op)
     2.5  {
     2.6      long ret = 0;
     2.7 -    dom0_op_t op;
     2.8 +    dom0_op_t *op;
     2.9  
    2.10      if ( !IS_PRIV(current) )
    2.11          return -EPERM;
    2.12  
    2.13 -    if ( copy_from_user(&op, u_dom0_op, sizeof(op)) )
    2.14 -        return -EFAULT;
    2.15 +    if ( (op = kmalloc(sizeof(*op), GFP_KERNEL)) == NULL )
    2.16 +        return -ENOMEM;
    2.17  
    2.18 -    if ( op.interface_version != DOM0_INTERFACE_VERSION )
    2.19 -        return -EACCES;
    2.20 +    if ( copy_from_user(op, u_dom0_op, sizeof(*op)) )
    2.21 +    {
    2.22 +        ret = -EFAULT;
    2.23 +        goto out;
    2.24 +    }
    2.25  
    2.26 -    switch ( op.cmd )
    2.27 +    if ( op->interface_version != DOM0_INTERFACE_VERSION )
    2.28 +    {
    2.29 +        ret = -EACCES;
    2.30 +        goto out;
    2.31 +    }
    2.32 +
    2.33 +    switch ( op->cmd )
    2.34      {
    2.35  
    2.36      case DOM0_BUILDDOMAIN:
    2.37      {
    2.38 -        struct task_struct * p = find_domain_by_id(op.u.builddomain.domain);
    2.39 +        struct task_struct * p = find_domain_by_id(op->u.builddomain.domain);
    2.40          ret = -EINVAL;
    2.41          if ( p != NULL )
    2.42          {
    2.43 -            ret = final_setup_guestos(p, &op.u.builddomain);
    2.44 +            ret = final_setup_guestos(p, &op->u.builddomain);
    2.45              put_task_struct(p);
    2.46          }
    2.47      }
    2.48 @@ -87,7 +96,7 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    2.49  
    2.50      case DOM0_STARTDOMAIN:
    2.51      {
    2.52 -        struct task_struct * p = find_domain_by_id(op.u.startdomain.domain);
    2.53 +        struct task_struct * p = find_domain_by_id(op->u.startdomain.domain);
    2.54          ret = -EINVAL;
    2.55          if ( p != NULL )
    2.56          {
    2.57 @@ -104,7 +113,7 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    2.58  
    2.59      case DOM0_STOPDOMAIN:
    2.60      {
    2.61 -        ret = stop_other_domain(op.u.stopdomain.domain);
    2.62 +        ret = stop_other_domain(op->u.stopdomain.domain);
    2.63      }
    2.64      break;
    2.65  
    2.66 @@ -125,13 +134,13 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    2.67          if ( p == NULL ) 
    2.68              goto exit_create;
    2.69  
    2.70 -	if ( op.u.createdomain.name[0] )
    2.71 +	if ( op->u.createdomain.name[0] )
    2.72          {
    2.73 -            strncpy (p->name, op.u.createdomain.name, MAX_DOMAIN_NAME);
    2.74 +            strncpy (p->name, op->u.createdomain.name, MAX_DOMAIN_NAME);
    2.75              p->name[MAX_DOMAIN_NAME - 1] = 0;
    2.76  	}
    2.77  
    2.78 -        ret = alloc_new_dom_mem(p, op.u.createdomain.memory_kb);
    2.79 +        ret = alloc_new_dom_mem(p, op->u.createdomain.memory_kb);
    2.80          if ( ret != 0 ) 
    2.81          {
    2.82              __kill_domain(p);
    2.83 @@ -140,8 +149,8 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    2.84  
    2.85          ret = p->domain;
    2.86          
    2.87 -        op.u.createdomain.domain = ret;
    2.88 -        copy_to_user(u_dom0_op, &op, sizeof(op));
    2.89 +        op->u.createdomain.domain = ret;
    2.90 +        copy_to_user(u_dom0_op, op, sizeof(*op));
    2.91   
    2.92      exit_create:
    2.93          spin_unlock_irq(&create_dom_lock);
    2.94 @@ -150,16 +159,16 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
    2.95  
    2.96      case DOM0_DESTROYDOMAIN:
    2.97      {
    2.98 -        unsigned int dom = op.u.destroydomain.domain;
    2.99 -        int force = op.u.destroydomain.force;
   2.100 +        unsigned int dom = op->u.destroydomain.domain;
   2.101 +        int force = op->u.destroydomain.force;
   2.102          ret = (dom == IDLE_DOMAIN_ID) ? -EPERM : kill_other_domain(dom, force);
   2.103      }
   2.104      break;
   2.105  
   2.106      case DOM0_PINCPUDOMAIN:
   2.107      {
   2.108 -        struct task_struct * p = find_domain_by_id(op.u.pincpudomain.domain);
   2.109 -	int cpu = op.u.pincpudomain.cpu;
   2.110 +        struct task_struct * p = find_domain_by_id(op->u.pincpudomain.domain);
   2.111 +	int cpu = op->u.pincpudomain.cpu;
   2.112          ret = -EINVAL;
   2.113          if ( p != NULL )
   2.114          {
   2.115 @@ -197,18 +206,18 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.116  
   2.117      case DOM0_BVTCTL:
   2.118      {
   2.119 -        unsigned long  ctx_allow = op.u.bvtctl.ctx_allow;
   2.120 +        unsigned long  ctx_allow = op->u.bvtctl.ctx_allow;
   2.121          ret = sched_bvtctl(ctx_allow);        
   2.122      }
   2.123      break;
   2.124  
   2.125      case DOM0_ADJUSTDOM:
   2.126      {
   2.127 -        unsigned int   dom     = op.u.adjustdom.domain;
   2.128 -        unsigned long  mcu_adv = op.u.adjustdom.mcu_adv;
   2.129 -        unsigned long  warp    = op.u.adjustdom.warp;
   2.130 -        unsigned long  warpl   = op.u.adjustdom.warpl;
   2.131 -        unsigned long  warpu   = op.u.adjustdom.warpu;
   2.132 +        unsigned int   dom     = op->u.adjustdom.domain;
   2.133 +        unsigned long  mcu_adv = op->u.adjustdom.mcu_adv;
   2.134 +        unsigned long  warp    = op->u.adjustdom.warp;
   2.135 +        unsigned long  warpl   = op->u.adjustdom.warpl;
   2.136 +        unsigned long  warpu   = op->u.adjustdom.warpu;
   2.137  
   2.138          ret = -EPERM;
   2.139          if ( dom != IDLE_DOMAIN_ID )
   2.140 @@ -219,10 +228,10 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.141      case DOM0_GETMEMLIST:
   2.142      {
   2.143          int i;
   2.144 -        struct task_struct *p = find_domain_by_id(op.u.getmemlist.domain);
   2.145 -        unsigned long max_pfns = op.u.getmemlist.max_pfns;
   2.146 +        struct task_struct *p = find_domain_by_id(op->u.getmemlist.domain);
   2.147 +        unsigned long max_pfns = op->u.getmemlist.max_pfns;
   2.148          unsigned long pfn;
   2.149 -        unsigned long *buffer = op.u.getmemlist.buffer;
   2.150 +        unsigned long *buffer = op->u.getmemlist.buffer;
   2.151          struct list_head *list_ent;
   2.152  
   2.153          ret = -EINVAL;
   2.154 @@ -246,8 +255,8 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.155              }
   2.156              spin_unlock(&p->page_list_lock);
   2.157  
   2.158 -            op.u.getmemlist.num_pfns = i;
   2.159 -            copy_to_user(u_dom0_op, &op, sizeof(op));
   2.160 +            op->u.getmemlist.num_pfns = i;
   2.161 +            copy_to_user(u_dom0_op, op, sizeof(*op));
   2.162              
   2.163              put_task_struct(p);
   2.164          }
   2.165 @@ -263,7 +272,8 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.166          read_lock_irqsave (&tasklist_lock, flags);
   2.167  
   2.168          while ( (p = p->next_task) != &idle0_task )
   2.169 -            if ( !is_idle_task(p) && (p->domain >= op.u.getdomaininfo.domain) )
   2.170 +            if ( !is_idle_task(p) && 
   2.171 +                 (p->domain >= op->u.getdomaininfo.domain) )
   2.172                  break;
   2.173  
   2.174          if ( p == &idle0_task )
   2.175 @@ -272,76 +282,78 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.176          }
   2.177          else
   2.178          {
   2.179 -            op.u.getdomaininfo.domain      = p->domain;
   2.180 -            strcpy (op.u.getdomaininfo.name, p->name);
   2.181 -            op.u.getdomaininfo.processor   = p->processor;
   2.182 -            op.u.getdomaininfo.has_cpu     = p->has_cpu;
   2.183 -            op.u.getdomaininfo.state       = DOMSTATE_ACTIVE;
   2.184 +            op->u.getdomaininfo.domain      = p->domain;
   2.185 +            strcpy (op->u.getdomaininfo.name, p->name);
   2.186 +            op->u.getdomaininfo.processor   = p->processor;
   2.187 +            op->u.getdomaininfo.has_cpu     = p->has_cpu;
   2.188 +            op->u.getdomaininfo.state       = DOMSTATE_ACTIVE;
   2.189              if ( (p->state == TASK_STOPPED) || (p->state == TASK_DYING) )
   2.190 -                op.u.getdomaininfo.state = DOMSTATE_STOPPED;
   2.191 -            op.u.getdomaininfo.hyp_events  = p->hyp_events;
   2.192 -            op.u.getdomaininfo.mcu_advance = p->mcu_advance;
   2.193 -            op.u.getdomaininfo.tot_pages   = p->tot_pages;
   2.194 -            op.u.getdomaininfo.cpu_time    = p->cpu_time;
   2.195 -            op.u.getdomaininfo.shared_info_frame = 
   2.196 +                op->u.getdomaininfo.state = DOMSTATE_STOPPED;
   2.197 +            op->u.getdomaininfo.hyp_events  = p->hyp_events;
   2.198 +            op->u.getdomaininfo.mcu_advance = p->mcu_advance;
   2.199 +            op->u.getdomaininfo.tot_pages   = p->tot_pages;
   2.200 +            op->u.getdomaininfo.cpu_time    = p->cpu_time;
   2.201 +            op->u.getdomaininfo.shared_info_frame = 
   2.202                  __pa(p->shared_info) >> PAGE_SHIFT;
   2.203              if ( p->state == TASK_STOPPED )
   2.204              {
   2.205                  rmb(); /* Ensure that we see saved register state. */
   2.206 -                op.u.getdomaininfo.ctxt.flags = 0;
   2.207 -                memcpy(&op.u.getdomaininfo.ctxt.i386_ctxt, 
   2.208 +                op->u.getdomaininfo.ctxt.flags = 0;
   2.209 +                memcpy(&op->u.getdomaininfo.ctxt.i386_ctxt, 
   2.210                         &p->shared_info->execution_context,
   2.211                         sizeof(p->shared_info->execution_context));
   2.212                  if ( p->flags & PF_DONEFPUINIT )
   2.213 -                    op.u.getdomaininfo.ctxt.flags |= ECF_I387_VALID;
   2.214 -                memcpy(&op.u.getdomaininfo.ctxt.i387_ctxt,
   2.215 +                    op->u.getdomaininfo.ctxt.flags |= ECF_I387_VALID;
   2.216 +                memcpy(&op->u.getdomaininfo.ctxt.i387_ctxt,
   2.217                         &p->thread.i387,
   2.218                         sizeof(p->thread.i387));
   2.219 -                memcpy(&op.u.getdomaininfo.ctxt.trap_ctxt,
   2.220 +                memcpy(&op->u.getdomaininfo.ctxt.trap_ctxt,
   2.221                         p->thread.traps,
   2.222                         sizeof(p->thread.traps));
   2.223                  if ( (p->thread.fast_trap_desc.a == 0) &&
   2.224                       (p->thread.fast_trap_desc.b == 0) )
   2.225 -                    op.u.getdomaininfo.ctxt.fast_trap_idx = 0;
   2.226 +                    op->u.getdomaininfo.ctxt.fast_trap_idx = 0;
   2.227                  else
   2.228 -                    op.u.getdomaininfo.ctxt.fast_trap_idx = 
   2.229 +                    op->u.getdomaininfo.ctxt.fast_trap_idx = 
   2.230                          p->thread.fast_trap_idx;
   2.231 -                op.u.getdomaininfo.ctxt.ldt_base = p->mm.ldt_base;
   2.232 -                op.u.getdomaininfo.ctxt.ldt_ents = p->mm.ldt_ents;
   2.233 -                op.u.getdomaininfo.ctxt.gdt_ents = 0;
   2.234 +                op->u.getdomaininfo.ctxt.ldt_base = p->mm.ldt_base;
   2.235 +                op->u.getdomaininfo.ctxt.ldt_ents = p->mm.ldt_ents;
   2.236 +                op->u.getdomaininfo.ctxt.gdt_ents = 0;
   2.237                  if ( GET_GDT_ADDRESS(p) == GDT_VIRT_START )
   2.238                  {
   2.239                      for ( i = 0; i < 16; i++ )
   2.240 -                        op.u.getdomaininfo.ctxt.gdt_frames[i] = 
   2.241 +                        op->u.getdomaininfo.ctxt.gdt_frames[i] = 
   2.242                              l1_pgentry_to_pagenr(p->mm.perdomain_pt[i]);
   2.243 -                    op.u.getdomaininfo.ctxt.gdt_ents = 
   2.244 +                    op->u.getdomaininfo.ctxt.gdt_ents = 
   2.245                          (GET_GDT_ENTRIES(p) + 1) >> 3;
   2.246                  }
   2.247 -                op.u.getdomaininfo.ctxt.ring1_ss  = p->thread.ss1;
   2.248 -                op.u.getdomaininfo.ctxt.ring1_esp = p->thread.esp1;
   2.249 -                op.u.getdomaininfo.ctxt.pt_base   = 
   2.250 +                op->u.getdomaininfo.ctxt.ring1_ss  = p->thread.ss1;
   2.251 +                op->u.getdomaininfo.ctxt.ring1_esp = p->thread.esp1;
   2.252 +                op->u.getdomaininfo.ctxt.pt_base   = 
   2.253                      pagetable_val(p->mm.pagetable);
   2.254 -                memcpy(op.u.getdomaininfo.ctxt.debugreg, 
   2.255 +                memcpy(op->u.getdomaininfo.ctxt.debugreg, 
   2.256                         p->thread.debugreg, 
   2.257                         sizeof(p->thread.debugreg));
   2.258 -                op.u.getdomaininfo.ctxt.event_callback_cs  = p->event_selector;
   2.259 -                op.u.getdomaininfo.ctxt.event_callback_eip = p->event_address;
   2.260 -                op.u.getdomaininfo.ctxt.failsafe_callback_cs  = 
   2.261 +                op->u.getdomaininfo.ctxt.event_callback_cs  =
   2.262 +                    p->event_selector;
   2.263 +                op->u.getdomaininfo.ctxt.event_callback_eip =
   2.264 +                    p->event_address;
   2.265 +                op->u.getdomaininfo.ctxt.failsafe_callback_cs  = 
   2.266                      p->failsafe_selector;
   2.267 -                op.u.getdomaininfo.ctxt.failsafe_callback_eip = 
   2.268 +                op->u.getdomaininfo.ctxt.failsafe_callback_eip = 
   2.269                      p->failsafe_address;
   2.270              }
   2.271          }
   2.272          read_unlock_irqrestore(&tasklist_lock, flags);
   2.273 -        copy_to_user(u_dom0_op, &op, sizeof(op));
   2.274 +        copy_to_user(u_dom0_op, op, sizeof(*op));
   2.275      }
   2.276      break;
   2.277  
   2.278      case DOM0_GETPAGEFRAMEINFO:
   2.279      {
   2.280          struct pfn_info *page;
   2.281 -        unsigned long pfn = op.u.getpageframeinfo.pfn;
   2.282 -        unsigned int dom = op.u.getpageframeinfo.domain;
   2.283 +        unsigned long pfn = op->u.getpageframeinfo.pfn;
   2.284 +        unsigned int dom = op->u.getpageframeinfo.domain;
   2.285          struct task_struct *p;
   2.286  
   2.287          ret = -EINVAL;
   2.288 @@ -356,17 +368,17 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.289          {
   2.290              ret = 0;
   2.291  
   2.292 -            op.u.getpageframeinfo.type = NONE;
   2.293 +            op->u.getpageframeinfo.type = NONE;
   2.294  
   2.295              if ( (page->type_and_flags & PGT_count_mask) != 0 )
   2.296              {
   2.297                  switch ( page->type_and_flags & PGT_type_mask )
   2.298                  {
   2.299                  case PGT_l1_page_table:
   2.300 -                    op.u.getpageframeinfo.type = L1TAB;
   2.301 +                    op->u.getpageframeinfo.type = L1TAB;
   2.302                      break;
   2.303                  case PGT_l2_page_table:
   2.304 -                    op.u.getpageframeinfo.type = L2TAB;
   2.305 +                    op->u.getpageframeinfo.type = L2TAB;
   2.306                      break;
   2.307                  }
   2.308              }
   2.309 @@ -376,38 +388,38 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.310  
   2.311          put_task_struct(p);
   2.312  
   2.313 -        copy_to_user(u_dom0_op, &op, sizeof(op));
   2.314 +        copy_to_user(u_dom0_op, op, sizeof(*op));
   2.315      }
   2.316      break;
   2.317  
   2.318      case DOM0_IOPL:
   2.319      {
   2.320          extern long do_iopl(unsigned int, unsigned int);
   2.321 -        ret = do_iopl(op.u.iopl.domain, op.u.iopl.iopl);
   2.322 +        ret = do_iopl(op->u.iopl.domain, op->u.iopl.iopl);
   2.323      }
   2.324      break;
   2.325  
   2.326      case DOM0_MSR:
   2.327      {
   2.328 -        if ( op.u.msr.write )
   2.329 +        if ( op->u.msr.write )
   2.330  	{
   2.331 -            msr_cpu_mask = op.u.msr.cpu_mask;
   2.332 -            msr_addr = op.u.msr.msr;
   2.333 -            msr_lo = op.u.msr.in1;
   2.334 -            msr_hi = op.u.msr.in2;
   2.335 +            msr_cpu_mask = op->u.msr.cpu_mask;
   2.336 +            msr_addr = op->u.msr.msr;
   2.337 +            msr_lo = op->u.msr.in1;
   2.338 +            msr_hi = op->u.msr.in2;
   2.339              smp_call_function(write_msr_for, NULL, 1, 1);
   2.340              write_msr_for(NULL);
   2.341  	}
   2.342          else
   2.343  	{
   2.344 -            msr_cpu_mask = op.u.msr.cpu_mask;
   2.345 -            msr_addr = op.u.msr.msr;
   2.346 +            msr_cpu_mask = op->u.msr.cpu_mask;
   2.347 +            msr_addr = op->u.msr.msr;
   2.348              smp_call_function(read_msr_for, NULL, 1, 1);
   2.349              read_msr_for(NULL);
   2.350  
   2.351 -            op.u.msr.out1 = msr_lo;
   2.352 -            op.u.msr.out2 = msr_hi;
   2.353 -            copy_to_user(u_dom0_op, &op, sizeof(op));
   2.354 +            op->u.msr.out1 = msr_lo;
   2.355 +            op->u.msr.out2 = msr_hi;
   2.356 +            copy_to_user(u_dom0_op, op, sizeof(*op));
   2.357  	}
   2.358          ret = 0;
   2.359      }
   2.360 @@ -416,27 +428,28 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.361      case DOM0_DEBUG:
   2.362      {
   2.363          extern void pdb_do_debug(dom0_op_t *);
   2.364 -        pdb_do_debug(&op);
   2.365 -        copy_to_user(u_dom0_op, &op, sizeof(op));
   2.366 +        pdb_do_debug(op);
   2.367 +        copy_to_user(u_dom0_op, op, sizeof(*op));
   2.368          ret = 0;
   2.369      }
   2.370      break;
   2.371  
   2.372      case DOM0_SETTIME:
   2.373      {
   2.374 -        do_settime(op.u.settime.secs, 
   2.375 -                   op.u.settime.usecs, 
   2.376 -                   op.u.settime.system_time);
   2.377 +        do_settime(op->u.settime.secs, 
   2.378 +                   op->u.settime.usecs, 
   2.379 +                   op->u.settime.system_time);
   2.380          ret = 0;
   2.381      }
   2.382      break;
   2.383      
   2.384      case DOM0_READCONSOLE:
   2.385      {
   2.386 -    	extern long read_console_ring(unsigned long, unsigned int, unsigned int);
   2.387 -        ret = read_console_ring(op.u.readconsole.str, 
   2.388 -                         	op.u.readconsole.count,
   2.389 -				op.u.readconsole.cmd); 
   2.390 +    	extern long read_console_ring(unsigned long, 
   2.391 +                                      unsigned int, unsigned int);
   2.392 +        ret = read_console_ring(op->u.readconsole.str, 
   2.393 +                         	op->u.readconsole.count,
   2.394 +				op->u.readconsole.cmd); 
   2.395      }
   2.396      break;    
   2.397  
   2.398 @@ -445,5 +458,7 @@ long do_dom0_op(dom0_op_t *u_dom0_op)
   2.399  
   2.400      }
   2.401  
   2.402 + out:
   2.403 +    kfree(op);
   2.404      return ret;
   2.405  }
     3.1 --- a/xen/drivers/ide/ide-cd.c	Fri Jan 30 15:41:36 2004 +0000
     3.2 +++ b/xen/drivers/ide/ide-cd.c	Fri Jan 30 15:52:47 2004 +0000
     3.3 @@ -818,7 +818,7 @@ static void cdrom_buffer_sectors (ide_dr
     3.4  				 (SECTOR_BUFFER_SIZE >> SECTOR_BITS) -
     3.5  				 info->nsectors_buffered);
     3.6  
     3.7 -    char *dest;
     3.8 +    char *dest, *dum;
     3.9  
    3.10      /* If we couldn't get a buffer, don't try to buffer anything... */
    3.11      if (info->buffer == NULL)
    3.12 @@ -839,11 +839,12 @@ static void cdrom_buffer_sectors (ide_dr
    3.13      }
    3.14  
    3.15      /* Throw away any remaining data. */
    3.16 +    dum = kmalloc(SECTOR_SIZE, GFP_ATOMIC);
    3.17      while (sectors_to_transfer > 0) {
    3.18 -	char dum[SECTOR_SIZE];
    3.19 -	atapi_input_bytes (drive, dum, sizeof (dum));
    3.20 +	atapi_input_bytes (drive, dum, SECTOR_SIZE);
    3.21  	--sectors_to_transfer;
    3.22      }
    3.23 +    kfree(dum);
    3.24  }
    3.25  
    3.26  /*
    3.27 @@ -896,6 +897,7 @@ static ide_startstop_t cdrom_read_intr (
    3.28      struct cdrom_info *info = drive->driver_data;
    3.29      int i, dma = info->dma, dma_error = 0;
    3.30      ide_startstop_t startstop;
    3.31 +    char *dum;
    3.32  
    3.33      struct request *rq = HWGROUP(drive)->rq;
    3.34  
    3.35 @@ -965,15 +967,20 @@ static ide_startstop_t cdrom_read_intr (
    3.36      nskip = MIN ((int)(rq->current_nr_sectors - (rq->bh->b_size >> SECTOR_BITS)),
    3.37  		 sectors_to_transfer);
    3.38  
    3.39 +    if ( (dum = kmalloc(SECTOR_SIZE, GFP_ATOMIC)) == NULL )
    3.40 +    {
    3.41 +	cdrom_end_request (0, drive);
    3.42 +	return ide_stopped;        
    3.43 +    }
    3.44      while (nskip > 0) {
    3.45  	/* We need to throw away a sector. */
    3.46 -	char dum[SECTOR_SIZE];
    3.47 -	atapi_input_bytes (drive, dum, sizeof (dum));
    3.48 +	atapi_input_bytes (drive, dum, SECTOR_SIZE);
    3.49  
    3.50  	--rq->current_nr_sectors;
    3.51  	--nskip;
    3.52  	--sectors_to_transfer;
    3.53      }
    3.54 +    kfree(dum);
    3.55  
    3.56      /* Now loop while we still have data to read from the drive. */
    3.57      while (sectors_to_transfer > 0) {
     4.1 --- a/xen/include/xeno/config.h	Fri Jan 30 15:41:36 2004 +0000
     4.2 +++ b/xen/include/xeno/config.h	Fri Jan 30 15:52:47 2004 +0000
     4.3 @@ -145,10 +145,10 @@
     4.4  
     4.5  #define capable(_c) 0
     4.6  
     4.7 +#define STACK_GUARD
     4.8  #ifndef NDEBUG
     4.9  #define DPRINTK(_f, _a...) printk("(file=%s, line=%d) " _f, \
    4.10                             __FILE__, __LINE__, ## _a)
    4.11 -#define STACK_GUARD
    4.12  #else
    4.13  #define DPRINTK(_f, _a...) ((void)0)
    4.14  #endif