Commit | Line | Data |
---|---|---|
c885fe24 GKH |
1 | From 67fe63b0715ccfaefa0af8a6e705c5470ee5cada Mon Sep 17 00:00:00 2001 |
2 | From: Bjorn Helgaas <bjorn.helgaas@hp.com> | |
3 | Date: Thu, 7 Jan 2010 12:58:51 -0700 | |
4 | Subject: agp/hp: fixup hp agp after ACPI changes | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | From: Bjorn Helgaas <bjorn.helgaas@hp.com> | |
10 | ||
11 | commit 67fe63b0715ccfaefa0af8a6e705c5470ee5cada upstream. | |
12 | ||
13 | Commit 15b8dd53f5ffa changed the string in info->hardware_id from a static | |
14 | array to a pointer and added a length field. But instead of changing | |
15 | "sizeof(array)" to "length", we changed it to "sizeof(length)" (== 4), | |
16 | which corrupts the string we're trying to null-terminate. | |
17 | ||
18 | We no longer even need to null-terminate the string, but we *do* need to | |
19 | check whether we found a HID. If there's no HID, we used to have an empty | |
20 | array, but now we have a null pointer. | |
21 | ||
22 | The combination of these defects causes this oops: | |
23 | ||
24 | Unable to handle kernel NULL pointer dereference (address 0000000000000003) | |
25 | modprobe[895]: Oops 8804682956800 [1] | |
26 | ip is at zx1_gart_probe+0xd0/0xcc0 [hp_agp] | |
27 | ||
28 | http://marc.info/?l=linux-ia64&m=126264484923647&w=2 | |
29 | ||
30 | Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> | |
31 | Reported-by: Émeric Maschino <emeric.maschino@gmail.com> | |
32 | Signed-off-by: Dave Airlie <airlied@redhat.com> | |
33 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
34 | ||
35 | --- | |
36 | drivers/char/agp/hp-agp.c | 3 +-- | |
37 | 1 file changed, 1 insertion(+), 2 deletions(-) | |
38 | ||
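--- a/drivers/char/agp/hp-agp.c
+++ b/drivers/char/agp/hp-agp.c
@@ -488,9 +488,8 @@ zx1_gart_probe (acpi_handle obj, u32 dep
 handle = obj;
 do {
 status = acpi_get_object_info(handle, &info);
- if (ACPI_SUCCESS(status)) {
+ if (ACPI_SUCCESS(status) && (info->valid & ACPI_VALID_HID)) {
 /* TBD check _CID also */
- info->hardware_id.string[sizeof(info->hardware_id.length)-1] = '\0';
 match = (strcmp(info->hardware_id.string, "HWP0001") == 0);
 kfree(info);
 if (match) {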
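Review bot: On the new side `kfree(info)` sits inside the branch that now also requires `ACPI_VALID_HID`, so when `acpi_get_object_info()` succeeds for an object that has no HID, the buffer it returned appears never to be freed, once per pass through the loop. Keeping the outer test as `if (ACPI_SUCCESS(status)) {` and folding the HID test into the comparison, `match = (info->valid & ACPI_VALID_HID) && (strcmp(info->hardware_id.string, "HWP0001") == 0);`, would keep the NULL-pointer guard while still freeing `info` after every successful call. The do-loop and the `if (match)` body continue outside the hunk, so this assumes nothing later in the loop frees `info` on the no-HID path.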