Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.26.7 2008-10-22T21:46:18Z 2008-10-22T21:46:18Z Greg Kroah-Hartman gregkh@suse.de 2008-10-22T21:46:18Z urn:sha1:a9dc6714276111b43349ee81db71dda9b31c8c28 2008-10-22T21:13:29Z Arjan van de Ven arjan@linux.intel.com 2008-10-11T04:16:12Z urn:sha1:7afc74502277568d6f9c5a4542fb63e26e272638 commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream NULL function pointers are very bad security wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field.... Fix is simple, check the function pointer for NULL, like 6 other places in the same function are already doing. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:29Z Michael Krufky mkrufky@linuxtv.org 2008-10-18T14:35:56Z urn:sha1:3a15062b0cf6ab65de38e320fe293470c2931561 (cherry picked from commit a636da6bab3307fc8c6e6a22a63b0b25ba0687be) DVB: au0828: add support for another USB id for Hauppauge HVR950Q Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e) Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:28Z Matthias Hopf mhopf@suse.de 2008-10-17T21:18:05Z urn:sha1:b42c416b24706bd94ab7bea1569a89368adbfe7d commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:28Z Zhao Yakui yakui.zhao@intel.com 2008-10-17T06:16:41Z urn:sha1:40e24cff25b9c5b12b7f2c8aefecb72bc9c6fd26 upstream commmit: c2c789057f075022658b38b498755c29c1ba8055 According to acpi spec , the objectes of _BCL and _BCM are required if integrated LCD is present and supports brightness level and the _BQC is the optional object. So the _BQC object will be ignored when the backlight device is registered. At the same time when there is no _BQC object, the current brightness will be set to the maximum. http://bugzilla.kernel.org/show_bug.cgi?id=10206 Signed-off-by: Zhao Yakui <yakui.zhao@intel.com> Signed-off-by: Zhang Rui <rui.zhang@intel.com> Signed-off-by: Andi Kleen <ak@linux.intel.com> Cc: Len Brown <lenb@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:27Z Jean Delvare khali@linux-fr.org 2008-10-10T09:04:39Z urn:sha1:116018950eb5201c8e74d04b01b319c8d65d5c5b based on commit 98dd22c3e086d76058083432d4d8fb85f04bab90 upstream On the Shuttle SN68PT, FAN_CTL2 is apparently not connected to a fan, but to something else. One user has reported instant system power-off when changing the PWM2 duty cycle, so we disable it. I use the board name string as the trigger in case the same board is ever used in other systems. This closes lm-sensors ticket #2349: pwmconfig causes a hard poweroff http://www.lm-sensors.org/ticket/2349 Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:27Z Linus Torvalds torvalds@linux-foundation.org 2008-10-15T22:09:14Z urn:sha1:fe2615638c671468e28b15d5e15f9b594b1fa23c commit b5ff7df3df9efab511244d5a299fce706c71af48 upstream Check mapped ranges on sysfs resource files This is loosely based on a patch by Jesse Barnes to check the user-space PCI mappings though the sysfs interfaces. Quoting Jesse's original explanation: It's fairly common for applications to map PCI resources through sysfs. However, with the current implementation, it's possible for an application to map far more than the range corresponding to the resourceN file it opened. This patch plugs that hole by checking the range at mmap time, similar to what is done on platforms like sparc64 in their lower level PCI remapping routines. It was initially put together to help debug the e1000e NVRAM corruption problem, since we initially thought an X driver might be walking past the end of one of its mappings and clobbering the NVRAM. It now looks like that's not the case, but doing the check is still important for obvious reasons. and this version of the patch differs in that it uses a helper function to clarify the code, and does all the checks in pages (instead of bytes) in order to avoid overflows when doing "<< PAGE_SHIFT" etc. [cebbert@redhat.com: backport, changing WARN() to printk()] Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:25Z David Rientjes rientjes@google.com 2008-10-13T23:42:12Z urn:sha1:76d8cb9a1e102231935e586e888b10ea6ca41101 commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE while iterating through instruction pointers if fp equals the upper boundary, causing a kernel panic. Signed-off-by: David Rientjes <rientjes@google.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:25Z Shaohua Li shaohua.li@intel.com 2008-10-13T23:39:25Z urn:sha1:7a69c701bd95e1dc0eaf7e4008e5fd409ac7e042 commit 149e16372a2066c5474d8a8db9b252afd57eb427 upstream Disable ASPM on pre-1.1 PCIe devices, as many of them don't implement it correctly. Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu> Signed-off-by: Shaohua Li <shaohua.li@intel.com> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2008-10-22T21:13:24Z Shaohua Li shaohua.li@intel.com 2008-10-13T23:38:11Z urn:sha1:7a17866e8cc637a5ffb91266e3b551ae3c95b40a commit 5fde244d39b88625ac578d83e6625138714de031 upstream The ACPI FADT table includes an ASPM control bit. If the bit is set, do not enable ASPM since it may indicate that the platform doesn't actually support the feature. Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu> Signed-off-by: Shaohua Li <shaohua.li@intel.com> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>