The ->cap fields of struct acpi_video_device and struct acpi_video_bus are 1B each, not 4B. The oversized memset()'s corrupted the subsequent list_head fields. This resulted in silent corruption without CONFIG_DEBUG_LIST and BUG's with it. This patch uses sizeof() to pass the proper bounds to the memset() calls and thereby correct the bugs. Included as a MIME attachment is a compressed dmesg from an affected system. The patch was seen to resolve the issue on the affected system. vs. 2.6.24-rc5 Signed-off-by: William Irwin <wli@xxxxxxxxxxxxxx> -- wli diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c index 44a0d9b..7895d57 100644 --- a/drivers/acpi/video.c +++ b/drivers/acpi/video.c @@ -577,7 +577,7 @@ static void acpi_video_device_find_cap(struct acpi_video_device *device) struct acpi_video_device_brightness *br = NULL; - memset(&device->cap, 0, 4); + memset(&device->cap, 0, sizeof(struct acpi_video_device_cap)); if (ACPI_SUCCESS(acpi_get_handle(device->dev->handle, "_ADR", &h_dummy1))) { device->cap._ADR = 1; @@ -697,7 +697,7 @@ static void acpi_video_bus_find_cap(struct acpi_video_bus *video) { acpi_handle h_dummy1; - memset(&video->cap, 0, 4); + memset(&video->cap, 0, sizeof(struct acpi_video_bus_cap)); if (ACPI_SUCCESS(acpi_get_handle(video->device->handle, "_DOS", &h_dummy1))) { video->cap._DOS = 1; }
Attachment:
dmesg.acpibug.gz
Description: dmesg.acpibug.gz