From: William Lee Irwin III Date: Thu, 13 Dec 2007 21:29:16 +0000 (-0500) Subject: ACPI: video_device_list corruption X-Git-Tag: v2.6.23.15~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8444021c69b0787dbe4dde1c4e15818ab4e42986;p=thirdparty%2Fkernel%2Fstable.git ACPI: video_device_list corruption The ->cap fields of struct acpi_video_device and struct acpi_video_bus are 1B each, not 4B. The oversized memset()'s corrupted the subsequent list_head fields. This resulted in silent corruption without CONFIG_DEBUG_LIST and BUG's with it. This patch uses sizeof() to pass the proper bounds to the memset() calls and thereby correct the bugs. upstream commit 98934def70b48dac74fac3738b78ab2d1a28edda Signed-off-by: William Irwin Acked-by: Mikael Pettersson Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c index dad84c00ae438..9d71f256a4f52 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c @@ -573,7 +573,7 @@ static void acpi_video_device_find_cap(struct acpi_video_device *device) struct acpi_video_device_brightness *br = NULL; - memset(&device->cap, 0, 4); + memset(&device->cap, 0, sizeof(device->cap)); if (ACPI_SUCCESS(acpi_get_handle(device->dev->handle, "_ADR", &h_dummy1))) { device->cap._ADR = 1; @@ -693,7 +693,7 @@ static void acpi_video_bus_find_cap(struct acpi_video_bus *video) { acpi_handle h_dummy1; - memset(&video->cap, 0, 4); + memset(&video->cap, 0, sizeof(video->cap)); if (ACPI_SUCCESS(acpi_get_handle(video->device->handle, "_DOS", &h_dummy1))) { video->cap._DOS = 1; }
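Review bot: In the first hunk (@@ -573,7 +573,7 @@, acpi_video_device_find_cap), the corrected memset() carries no comment explaining why the length must come from the member, so a later cleanup could put a constant back. A one-line comment above `memset(&device->cap, 0, sizeof(device->cap));` saying that ->cap is smaller than a word and that overrunning it hits the following list_head would record the reason given in the commit message. Since the patch touches only two calls, it is also worth checking the rest of drivers/acpi/video.c for other memset() calls that pass a literal length.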
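Review bot: In the second hunk (@@ -693,7 +693,7 @@, acpi_video_bus_find_cap), the same literal-length mistake is fixed a second time, which shows the fault was a copied idiom and not a one-off typo. The commit message says the corruption is silent without CONFIG_DEBUG_LIST, so please confirm the fix was exercised on a CONFIG_DEBUG_LIST build for both the device path and this bus path, and state that in the changelog. The call `memset(&video->cap, 0, sizeof(video->cap));` itself looks correct.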