[thirdparty/kernel/stable-queue.git] / releases / 2.6.32.12 / agp-hp-fixup-hp-agp-after-acpi-changes.patch

From 67fe63b0715ccfaefa0af8a6e705c5470ee5cada Mon Sep 17 00:00:00 2001
From: Bjorn Helgaas <bjorn.helgaas@hp.com>
Date: Thu, 7 Jan 2010 12:58:51 -0700
Subject: agp/hp: fixup hp agp after ACPI changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Bjorn Helgaas <bjorn.helgaas@hp.com>

commit 67fe63b0715ccfaefa0af8a6e705c5470ee5cada upstream.

Commit 15b8dd53f5ffa changed the string in info->hardware_id from a static
array to a pointer and added a length field.  But instead of changing
"sizeof(array)" to "length", we changed it to "sizeof(length)" (== 4),
which corrupts the string we're trying to null-terminate.

We no longer even need to null-terminate the string, but we *do* need to
check whether we found a HID.  If there's no HID, we used to have an empty
array, but now we have a null pointer.

The combination of these defects causes this oops:

  Unable to handle kernel NULL pointer dereference (address 0000000000000003)
  modprobe[895]: Oops 8804682956800 [1]
  ip is at zx1_gart_probe+0xd0/0xcc0 [hp_agp]

  http://marc.info/?l=linux-ia64&m=126264484923647&w=2

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Reported-by: Émeric Maschino <emeric.maschino@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/char/agp/hp-agp.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/char/agp/hp-agp.c
+++ b/drivers/char/agp/hp-agp.c
@@ -488,9 +488,8 @@ zx1_gart_probe (acpi_handle obj, u32 dep
 	handle = obj;
 	do {
 		status = acpi_get_object_info(handle, &info);
-		if (ACPI_SUCCESS(status)) {
+		if (ACPI_SUCCESS(status) && (info->valid & ACPI_VALID_HID)) {
 			/* TBD check _CID also */
-			info->hardware_id.string[sizeof(info->hardware_id.length)-1] = '\0';
 			match = (strcmp(info->hardware_id.string, "HWP0001") == 0);
 			kfree(info);
 			if (match) {
Commit	Line	Data
c885fe24 GKH	1	From 67fe63b0715ccfaefa0af8a6e705c5470ee5cada Mon Sep 17 00:00:00 2001
	2	From: Bjorn Helgaas <bjorn.helgaas@hp.com>
	3	Date: Thu, 7 Jan 2010 12:58:51 -0700
	4	Subject: agp/hp: fixup hp agp after ACPI changes
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	From: Bjorn Helgaas <bjorn.helgaas@hp.com>
	10
	11	commit 67fe63b0715ccfaefa0af8a6e705c5470ee5cada upstream.
	12
	13	Commit 15b8dd53f5ffa changed the string in info->hardware_id from a static
	14	array to a pointer and added a length field. But instead of changing
	15	"sizeof(array)" to "length", we changed it to "sizeof(length)" (== 4),
	16	which corrupts the string we're trying to null-terminate.
	17
	18	We no longer even need to null-terminate the string, but we do need to
	19	check whether we found a HID. If there's no HID, we used to have an empty
	20	array, but now we have a null pointer.
	21
	22	The combination of these defects causes this oops:
	23
	24	Unable to handle kernel NULL pointer dereference (address 0000000000000003)
	25	modprobe[895]: Oops 8804682956800 [1]
	26	ip is at zx1_gart_probe+0xd0/0xcc0 [hp_agp]
	27
	28	http://marc.info/?l=linux-ia64&m=126264484923647&w=2
	29
	30	Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
	31	Reported-by: Émeric Maschino <emeric.maschino@gmail.com>
	32	Signed-off-by: Dave Airlie <airlied@redhat.com>
	33	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	34
	35	---
	36	drivers/char/agp/hp-agp.c \| 3 +--
	37	1 file changed, 1 insertion(+), 2 deletions(-)
	38
	39	--- a/drivers/char/agp/hp-agp.c
	40	+++ b/drivers/char/agp/hp-agp.c
	41	@@ -488,9 +488,8 @@ zx1_gart_probe (acpi_handle obj, u32 dep
	42	handle = obj;
	43	do {
	44	status = acpi_get_object_info(handle, &info);
	45	- if (ACPI_SUCCESS(status)) {
	46	+ if (ACPI_SUCCESS(status) && (info->valid & ACPI_VALID_HID)) {
	47	/* TBD check _CID also */
	48	- info->hardware_id.string[sizeof(info->hardware_id.length)-1] = '\0';
	49	match = (strcmp(info->hardware_id.string, "HWP0001") == 0);
	50	kfree(info);
	51	if (match) {