diff options
author | Bjorn Helgaas <bjorn.helgaas@hp.com> | 2010-01-07 14:58:51 -0500 |
---|---|---|
committer | Dave Airlie <airlied@redhat.com> | 2010-01-11 00:09:02 -0500 |
commit | 67fe63b0715ccfaefa0af8a6e705c5470ee5cada (patch) | |
tree | 0cc5d9be7755311b8b73806d976bffc9c1852bdd | |
parent | 3f50b0222e4c6ac59a5c4819f8be0fa500970381 (diff) |
agp/hp: fixup hp agp after ACPI changes
Commit 15b8dd53f5ffa changed the string in info->hardware_id from a static
array to a pointer and added a length field. But instead of changing
"sizeof(array)" to "length", we changed it to "sizeof(length)" (== 4),
which corrupts the string we're trying to null-terminate.
We no longer even need to null-terminate the string, but we *do* need to
check whether we found a HID. If there's no HID, we used to have an empty
array, but now we have a null pointer.
The combination of these defects causes this oops:
Unable to handle kernel NULL pointer dereference (address 0000000000000003)
modprobe[895]: Oops 8804682956800 [1]
ip is at zx1_gart_probe+0xd0/0xcc0 [hp_agp]
http://marc.info/?l=linux-ia64&m=126264484923647&w=2
Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Reported-by: Émeric Maschino <emeric.maschino@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r-- | drivers/char/agp/hp-agp.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/char/agp/hp-agp.c b/drivers/char/agp/hp-agp.c index 9047b2714653..dc8a6f70483b 100644 --- a/drivers/char/agp/hp-agp.c +++ b/drivers/char/agp/hp-agp.c | |||
@@ -488,9 +488,8 @@ zx1_gart_probe (acpi_handle obj, u32 depth, void *context, void **ret) | |||
488 | handle = obj; | 488 | handle = obj; |
489 | do { | 489 | do { |
490 | status = acpi_get_object_info(handle, &info); | 490 | status = acpi_get_object_info(handle, &info); |
491 | if (ACPI_SUCCESS(status)) { | 491 | if (ACPI_SUCCESS(status) && (info->valid & ACPI_VALID_HID)) { |
492 | /* TBD check _CID also */ | 492 | /* TBD check _CID also */ |
493 | info->hardware_id.string[sizeof(info->hardware_id.length)-1] = '\0'; | ||
494 | match = (strcmp(info->hardware_id.string, "HWP0001") == 0); | 493 | match = (strcmp(info->hardware_id.string, "HWP0001") == 0); |
495 | kfree(info); | 494 | kfree(info); |
496 | if (match) { | 495 | if (match) { |