max_idx is not a pdx, and hence needs to be converted to one in all cases where it is being passed to pdx_to_page(). Also, just like for max_pdx, the conversion result of max_idx may point into an address space hole, and hence it must not be used directly as an argument to pdx_to_page(). Note that this doesn't apply to the arguments passed to memset(), as the size argument would be zero in the case of hitting an address space hole. Signed-off-by: Jan Beulich --- 2010-01-27.orig/xen/arch/x86/mm.c 2010-02-03 13:29:46.000000000 +0100 +++ 2010-01-27/xen/arch/x86/mm.c 2010-02-03 13:39:05.000000000 +0100 @@ -227,10 +227,11 @@ void __init init_frametable(void) pdx_to_page(max_pdx - 1) + 1); else { - init_frametable_chunk(pdx_to_page(sidx *PDX_GROUP_COUNT), - pdx_to_page(max_idx * PDX_GROUP_COUNT)); - memset(pdx_to_page(max_pdx), -1, (unsigned long)pdx_to_page(max_idx) - - (unsigned long)(pdx_to_page(max_pdx))); + init_frametable_chunk(pdx_to_page(sidx * PDX_GROUP_COUNT), + pdx_to_page(max_idx * PDX_GROUP_COUNT - 1) + 1); + memset(pdx_to_page(max_pdx), -1, + (unsigned long)pdx_to_page(max_idx * PDX_GROUP_COUNT) - + (unsigned long)pdx_to_page(max_pdx)); } }
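Review bot: the new memset() in the else branch still passes max_idx * PDX_GROUP_COUNT and max_pdx straight to pdx_to_page(), which is the pattern the commit message warns against, and nothing in the code explains why it is safe here. The init_frametable_chunk() call just above was switched to the "pdx_to_page(max_idx * PDX_GROUP_COUNT - 1) + 1" form, so the two calls now compute their end pointer differently. The commit message gives the reason (the size is zero when the index lands in an address space hole), but that belongs in a short comment above the memset(), so a later reader does not "correct" one call to match the other. Alternatively, use the "- 1) + 1" form for both operands of the size expression, so the function stays consistent and the safety argument does not depend on the zero-size case.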