[PATCH] ACPI: fix vendor resource length computation
author Bjorn Helgaas <bjorn.helgaas@hp.com>
Fri, 17 Feb 2006 21:59:50 +0000 (13:59 -0800)
committer Linus Torvalds <torvalds@g5.osdl.org>
Fri, 17 Feb 2006 22:09:22 +0000 (14:09 -0800)
acpi_rs_get_list_length() needs to account for all the vendor-defined data
bytes.  Failing to include these causes buffers to be sized too small,
which causes slab corruption when we later convert AML to resources and run
off the end of the buffer.

This causes slab corruption on machines that use ACPI vendor-defined
resources.  All HP ia64 machines do, and I'm told that some NEC machines
may as well.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: "Brown, Len" <len.brown@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/acpi/resources/rscalc.c

index 7d6481d9fbecded65bbeb2137bf718cd6ea18c64..4038dbfa63a0c1b88de380d9a80b326dfd24c39c 100644 (file)
@@ -391,8 +391,7 @@ acpi_rs_get_list_length(u8 * aml_buffer,
                         * Ensure a 32-bit boundary for the structure
                         */
                        extra_struct_bytes =
-                           ACPI_ROUND_UP_to_32_bITS(resource_length) -
-                           resource_length;
+                           ACPI_ROUND_UP_to_32_bITS(resource_length);
                        break;
 
                case ACPI_RESOURCE_NAME_END_TAG:
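Review bot: the comment above the first changed assignment still reads "Ensure a 32-bit boundary for the structure", but extra_struct_bytes now holds the whole rounded-up resource_length rather than only the alignment padding. Update the comment to say that the vendor data bytes are being added, as the second case already does ("Add vendor data and ensure a 32-bit boundary for the structure"), so a later reader does not restore the padding-only form.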
@@ -408,8 +407,7 @@ acpi_rs_get_list_length(u8 * aml_buffer,
                         * Add vendor data and ensure a 32-bit boundary for the structure
                         */
                        extra_struct_bytes =
-                           ACPI_ROUND_UP_to_32_bITS(resource_length) -
-                           resource_length;
+                           ACPI_ROUND_UP_to_32_bITS(resource_length);
                        break;
 
                case ACPI_RESOURCE_NAME_ADDRESS32:
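Review bot: in this second case the buffer size now scales directly with resource_length, and the visible context shows no upper bound on that value, which presumably comes from the aml_buffer passed into acpi_rs_get_list_length(). Please confirm that it is validated against the remaining AML length before this switch, or add that check here. The same expression is now repeated in two cases, and the commit message puts the corruption down to this length pass undercounting what the AML-to-resource conversion later writes, so a shared helper or a comment naming the matching conversion code would help keep the two in step.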