On Mon, 2011-05-30 at 16:42 +0800, Dan Carpenter wrote:
> Commit 28c2103dad04 "ACPI: Add D3 cold state" introduced a read past
> the end of the array in drivers/acpi/bus.c
>
> 224 static int __acpi_bus_set_power(struct acpi_device *device, int state)
> 225 {
> 226 int result = 0;
> 227 acpi_status status = AE_OK;
> 228 char object_name[5] = { '_', 'P', 'S', '0' + state, '\0' };
> 229
> 230 if (!device || (state < ACPI_STATE_D0) || (state > ACPI_STATE_D3_COLD))
> ^^^^^^^^^^^^^^^^^^
> This is 4 now.
>
> 231 return -EINVAL;
> 232
> 233 /* Make sure this is a valid target state */
> 234
> 235 if (state == device->power.state) {
> 236 ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device is already at D%d\n",
> 237 state));
> 238 return 0;
> 239 }
> 240
> 241 if (!device->power.states[state].flags.valid) {
> ^^^^^^^^^^^^^
> This array has 4 elements so we are one space past the end
> of the array.
Ah! We need fix like below.
diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
index 3a10ef5..ff246e8 100644
--- a/include/acpi/acpi_bus.h
+++ b/include/acpi/acpi_bus.h
@@ -210,7 +210,7 @@ struct acpi_device_power_state {
struct acpi_device_power {
int state; /* Current state */
struct acpi_device_power_flags flags;
- struct acpi_device_power_state states[4]; /* Power states (D0-D3) */
+ struct acpi_device_power_state states[5]; /* Power states (D0-D3Cold) */
};
/* Performance Management */
--
To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
