diff options
| author | Bjorn Helgaas <bjorn.helgaas@hp.com> | 2006-02-17 16:59:50 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-17 17:09:22 -0500 |
| commit | 35b73ceb9a7d10c81bd9e79e8485f7079ef2b40e (patch) | |
| tree | c09177d88d8cbef4c753744c72053a0bd8f35fef | |
| parent | 636f13c174dd7c84a437d3c3e8fa66f03f7fda63 (diff) | |
[PATCH] ACPI: fix vendor resource length computation
acpi_rs_get_list_length() needs to account for all the vendor-defined data
bytes. Failing to include these causes buffers to be sized too small,
which causes slab corruption when we later convert AML to resources and run
off the end of the buffer.
This causes slab corruption on machines that use ACPI vendor-defined
resources. All HP ia64 machines do, and I'm told that some NEC machines
may as well.
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: "Brown, Len" <len.brown@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| -rw-r--r-- | drivers/acpi/resources/rscalc.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/drivers/acpi/resources/rscalc.c b/drivers/acpi/resources/rscalc.c index 7d6481d9fbec..4038dbfa63a0 100644 --- a/drivers/acpi/resources/rscalc.c +++ b/drivers/acpi/resources/rscalc.c | |||
| @@ -391,8 +391,7 @@ acpi_rs_get_list_length(u8 * aml_buffer, | |||
| 391 | * Ensure a 32-bit boundary for the structure | 391 | * Ensure a 32-bit boundary for the structure |
| 392 | */ | 392 | */ |
| 393 | extra_struct_bytes = | 393 | extra_struct_bytes = |
| 394 | ACPI_ROUND_UP_to_32_bITS(resource_length) - | 394 | ACPI_ROUND_UP_to_32_bITS(resource_length); |
| 395 | resource_length; | ||
| 396 | break; | 395 | break; |
| 397 | 396 | ||
| 398 | case ACPI_RESOURCE_NAME_END_TAG: | 397 | case ACPI_RESOURCE_NAME_END_TAG: |
| @@ -408,8 +407,7 @@ acpi_rs_get_list_length(u8 * aml_buffer, | |||
| 408 | * Add vendor data and ensure a 32-bit boundary for the structure | 407 | * Add vendor data and ensure a 32-bit boundary for the structure |
| 409 | */ | 408 | */ |
| 410 | extra_struct_bytes = | 409 | extra_struct_bytes = |
| 411 | ACPI_ROUND_UP_to_32_bITS(resource_length) - | 410 | ACPI_ROUND_UP_to_32_bITS(resource_length); |
| 412 | resource_length; | ||
| 413 | break; | 411 | break; |
| 414 | 412 | ||
| 415 | case ACPI_RESOURCE_NAME_ADDRESS32: | 413 | case ACPI_RESOURCE_NAME_ADDRESS32: |