From 0b4922aa3fb090ee05d2e7c20379aabe2a047835 Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin"
Date: Wed, 14 Mar 2007 18:59:40 -0700
Subject: [PATCH] Fix the shuffle and boot interface.
It was probably always broken.
---
 bootsect.inc | 7 ++++---
 comboot.doc | 4 +++-
 comboot.inc | 21 +++++++++++----------
 3 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/bootsect.inc b/bootsect.inc
index 7c288da..3a5fd1b 100644
--- a/bootsect.inc
+++ b/bootsect.inc
@@ -92,8 +92,8 @@ load_bootsec:
 ;
 replace_bootstrap_one:
- push word trackbuf ; Address of descriptor list
  push word 1 ; Length of descriptor list
+ push word trackbuf ; Address of descriptor list
  ; Fall through
 ;
@@ -149,7 +149,8 @@ replace_bootstrap:
  cmp dword [fs:bx], "$PnP"
  jz .foundpnp
  inc bx
- jnz .findpnp
+ cmp bx,-3 ; Don't get a segment overflow error!
+ jb .findpnp
  jmp .donepnp ; No $PnP header found
 .foundpnp:
  movzx cx,byte [fs:bx+5] ; Size of $PnP header
@@ -171,8 +172,8 @@ replace_bootstrap:
 %endif
 .donepnp:
- pop ax ; Copy list count
  pop bx ; Copy from...
+ pop ax ; Copy list count
  cli
  mov cx,es
diff --git a/comboot.doc b/comboot.doc
index b61fb08..bc6433c 100644
--- a/comboot.doc
+++ b/comboot.doc
@@ -548,7 +548,7 @@ AX=0011h [3.05] Maximum number of shuffle descriptors
  Typical values are 682 and 1365.
-AX=0012h [3.05] Cleanup, shuffle and boot
+AX=0012h [3.40] Cleanup, shuffle and boot
  Input: AX 0012h
  DX derivative-specific flags (see function 000Ch)
  ES:DI shuffle descriptor list (must be in low memory)
@@ -589,6 +589,8 @@ AX=0012h [3.05] Cleanup, shuffle and boot
  (except DS, ESI and EDX) and the stack will be set up as they
  were set up by the PXE ROM.
+ This interface was probably broken before version 3.40.
+
 AX=0013h [3.08] Idle loop call
  Input: AX 0013h
diff --git a/comboot.inc b/comboot.inc
index d0ac808..70d7d7b 100644
--- a/comboot.inc
+++ b/comboot.inc
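Review bot: The two pushes in replace_bootstrap_one and the two pops at .donepnp (the third hunk of this file) now form a stack contract that is documented only by their matching end-of-line comments; it should be stated once where it is consumed. replace_bootstrap's entry is outside this hunk, but a header comment there such as `; Stack on entry: [sp] = descriptor list address, [sp+2] = descriptor count` would make the ordering checkable the next time either side is edited. comapi_shuffle in comboot.inc pushes its own descriptor count before presumably reaching the same code, so that path should be confirmed against the new order as well.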
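Review bot: The sentinel in `cmp bx,-3` encodes the last offset at which the 4-byte `cmp dword [fs:bx]` still fits inside the segment, and the comment should say that rather than only naming the symptom: `cmp bx,-3 ; 0FFFDh: first bx where a dword read would cross the 64K segment limit`. Because the compare follows `inc bx`, the final probe happens at 0FFFCh and the loop stops before 0FFFDh, and `jb` is the correct unsigned test for an offset. Whether a match at .foundpnp is further validated (a checksum over the header length loaded into cx) lies outside this hunk and is worth confirming, since a stray "$PnP" string in the scanned range would otherwise be accepted as a header. replace_bootstrap begins and ends outside the hunk.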
@@ -606,11 +606,12 @@ comapi_maxshuffle:
 ; INT 22h AX=0012h Cleanup, shuffle and boot
 ;
 comapi_shuffle:
- call comapi_cleanup
- mov cx,P_CX
- cmp cx,(2*trackbufsize)/12
+ cmp P_CX,(2*trackbufsize)/12
  ja .error
+ call comapi_cleanup
+
+ mov cx, P_CX
  push cx ; On stack: descriptor count
  lea cx,[ecx+ecx*2] ; CX *= 3
@@ -799,11 +800,12 @@ comapi_readdisk equ comapi_err
 ; INT 22h AX=001Ah Cleanup, shuffle and boot to flat protected mode
 ;
 comapi_shufflepm:
- call comapi_cleanup
- mov cx,P_CX
- cmp cx,(2*trackbufsize)/12
+ cmp P_CX,(2*trackbufsize)/12
  ja .error
+ call comapi_cleanup
+
+ mov cx, P_CX
  push cx ; On stack: descriptor count
  lea cx,[ecx+ecx*2] ; CX *= 3
@@ -816,8 +818,7 @@ comapi_shufflepm:
  mov fs,P_DS
  mov si,P_SI
- xor edi,edi
- mov di,PMTrampolineBuf
+ mov edi,PMTrampolineBuf
  mov al,0B8h ; MOV EAX opcode
  mov cx,9
 .maketramp:
@@ -825,8 +826,8 @@ comapi_shufflepm:
  inc ax ; Next register opcode
  fs movsd ; immediate value
  loop .maketramp
- mov byte [di-9],0E9h ; Last opcode is JMP
- sub dword [di-8],edi ; Make JMP target relative
+ mov byte [di-5],0E9h ; Last opcode is JMP
+ sub [di-4],edi ; Make JMP target relative
  mov dword [EntryPoint],trampoline_to_pm
  xor bx,bx ; DS on entry
-- 
2.7.4
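Review bot: The bound `(2*trackbufsize)/12` is now spelled out in both comapi_shuffle and, in the second hunk of this file, comapi_shufflepm, and it is presumably also the value comapi_maxshuffle (AX=0011h) reports to callers; three copies of one limit invite drift. Define it once, e.g. `MAX_SHUFFLE_DESC equ (2*trackbufsize)/12` (constructed name), and use it in all three places so the advertised maximum and the enforced maximum cannot diverge. Checking the caller-supplied count before `call comapi_cleanup` is the right order, since an oversized list is now rejected before the caller's environment is torn down; note that `cmp P_CX,imm` only assembles if P_CX's definition carries an operand size, which is outside this hunk. Both routines continue past the end of their hunks.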
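Review bot: The corrected `[di-5]` and `[di-4]` offsets rest on an instruction-size assumption that nothing in the code states: each loop iteration emits a 5-byte `MOV r32,imm32`, so after the ninth one the last opcode is at di-5 and its imm32 at di-4, and that ninth opcode (0C0h, not a MOV) is patched to 0E9h to become `JMP rel32`. A comment above .maketramp such as `; Trampoline: 8 x MOV r32,imm32 then JMP rel32, 9 x 5 = 45 bytes` would record this, and PMTrampolineBuf must reserve at least those 45 bytes — its size is defined outside this hunk, so confirm it. `sub [di-4],edi` makes the displacement relative to the real-mode offset held in EDI, which is only correct if the trampoline's linear address equals that offset (a segment base of 0); that looks to be an assumption of the surrounding code and cannot be verified from this hunk. comapi_shufflepm begins and ends outside the hunk.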