From 332b34337623929a0a8d156fc1b4411d4853dec6 Mon Sep 17 00:00:00 2001
From: Andrew Turner <andrew@FreeBSD.org>
Date: Tue, 2 Feb 2016 17:57:15 +0000
Subject: [PATCH] Ensure we don't overflow the phys_avail array. Some firmware
 may provide more memory locations than we have space to record.

Sponsored by:	ABT Systems Ltd
---
 sys/arm64/arm64/pmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c
index dcd6e5dc8021..37b9480b620c 100644
--- a/sys/arm64/arm64/pmap.c
+++ b/sys/arm64/arm64/pmap.c
@@ -596,7 +596,8 @@ pmap_bootstrap(vm_offset_t l1pt, vm_paddr_t kernstart, vm_size_t kernlen)
 	 * up to the physical address KERNBASE points at.
 	 */
 	map_slot = avail_slot = 0;
-	for (; map_slot < (physmap_idx * 2); map_slot += 2) {
+	for (; map_slot < (physmap_idx * 2) &&
+	    avail_slot < (PHYS_AVAIL_SIZE - 2); map_slot += 2) {
 		if (physmap[map_slot] == physmap[map_slot + 1])
 			continue;
 
@@ -612,7 +613,7 @@ pmap_bootstrap(vm_offset_t l1pt, vm_paddr_t kernstart, vm_size_t kernlen)
 	}
 
 	/* Add the memory before the kernel */
-	if (physmap[avail_slot] < pa) {
+	if (physmap[avail_slot] < pa && avail_slot < (PHYS_AVAIL_SIZE - 2)) {
 		phys_avail[avail_slot] = physmap[map_slot];
 		phys_avail[avail_slot + 1] = pa;
 		physmem += (phys_avail[avail_slot + 1] -