Commits on Nov 10, 2008
  1. @gregkh

    Linux 2.6.26.8

    gregkh committed Nov 10, 2008
  2. @kaber @gregkh

    netfilter: restore lost ifdef guarding defrag exception

    netfilter: restore lost #ifdef guarding defrag exception
    
    Upstream commit 38f7ac3:
    
    Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending
    fragments over loopback with NAT:
    
    [ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()
    
    The reason is that defragmentation is skipped for already tracked connections.
    This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
    to avoid this behaviour when NAT is compiled in.
    
    The entire "optimization" may seem a bit silly, for now simply restoring the
    lost #ifdef is the easiest solution until we can come up with something better.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    kaber committed with gregkh Oct 22, 2008
  3. @gregkh

    netfilter: snmp nat leaks memory in case of failure

    netfilter: snmp nat leaks memory in case of failure
    
    Upstream commit 311670f:
    
    Signed-off-by: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Ilpo Järvinen committed with gregkh Oct 22, 2008
  4. @gregkh

    netfilter: xt_iprange: fix range inversion match

    netfilter: xt_iprange: fix range inversion match
    
    Upstream commit 6def1eb:
    
    Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!
    
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Acked-by: Jan Engelhardt <jengelh@medozas.de>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Alexey Dobriyan committed with gregkh Oct 22, 2008
  5. @gregkh

    ACPI: dock: avoid check _STA method

    commit 8b59560 upstream.
    
    ACPI: dock: avoid check _STA method
    
    In some BIOSes, every _STA method call will send a notification again,
    this cause freeze. And in some BIOSes, it appears _STA should be called
    after _DCK. This tries to avoid calls _STA, and still keep the device
    present check.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=10431
    
    Signed-off-by: Shaohua Li <shaohua.li@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Shaohua Li committed with gregkh Nov 6, 2008
  6. @uuner @gregkh

    ACPI: video: fix brightness allocation

    upstream commit 469778c
    
    Thanks to Arjan for spotting this
    http://www.kerneloops.org/search.php?search=acpi_video_switch_brightness
    and suggesting it for .stable
    
    
    Fix use of uninitialized device->brightness.
    
    Signed-off-by: Julia Jomantaite <julia.jomantaite@gmail.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Acked-by: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    uuner committed with gregkh Oct 27, 2008
  7. @gregkh

    sparc64: Fix race in arch/sparc64/kernel/trampoline.S

    [ Upstream commit e0037df ]
    
    Make arch/sparc64/kernel/trampoline.S in 2.6.27.1 lock prom_entry_lock
    when calling the PROM.  This prevents a race condition that I observed
    causing a hang on startup on a 12-CPU E4500.
    
    I am not subscribed to this list, so please CC me on replies.
    
    Signed-off-by: Andrea Shepard <andrea@persephoneslair.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Andrea Shepard committed with gregkh Oct 19, 2008
  8. @kumargala @gregkh

    math-emu: Fix signalling of underflow and inexact while packing result.

    [ Upstream commit 930cc14 ]
    
    I'm trying to move the powerpc math-emu code to use the include/math-emu bits.
    
    In doing so I've been using TestFloat to see how good or bad we are
    doing.  For the most part the current math-emu code that PPC uses has
    a number of issues that the code in include/math-emu seems to solve
    (plus bugs we've had for ever that no one every realized).
    
    Anyways, I've come across a case that we are flagging underflow and
    inexact because we think we have a denormalized result from a double
    precision divide:
    
    000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE
    	soft: 001.0000000000000 .....  syst: 001.0000000000000 ...ux
    
    What it looks like is the results out of FP_DIV_D are:
    
    D:
    sign:	  0
    mantissa: 01000000 00000000
    exp:	 -1023 (0)
    
    The problem seems like we aren't normalizing the result and bumping the exp.
    
    Now that I'm digging into this a bit I'm thinking my issue has to do with
    the fix DaveM put in place from back in Aug 2007 (commit
    4058496):
    
    [MATH-EMU]: Fix underflow exception reporting.
    
        2) we ended up rounding back up to normal (this is the case where
           we set the exponent to 1 and set the fraction to zero), this
           should set inexact too
    ...
    
        Another example, "0x0.0000000000001p-1022 / 16.0", should signal both
        inexact and underflow.  The cpu implementations and ieee1754
        literature is very clear about this.  This is case #2 above.
    
    Here is the distilled glibc test case from Jakub Jelinek which prompted that
    commit:
    
    --------------------
    #include <float.h>
    #include <fenv.h>
    #include <stdio.h>
    
    volatile double d = DBL_MIN;
    volatile double e = 0x0.0000000000001p-1022;
    volatile double f = 16.0;
    int
    main (void)
    {
      printf ("%x\n", fetestexcept (FE_UNDERFLOW));
      d /= f;
      printf ("%x\n", fetestexcept (FE_UNDERFLOW));
      e /= f;
      printf ("%x\n", fetestexcept (FE_UNDERFLOW));
      return 0;
    }
    --------------------
    
    It looks like the case I have we are exact before rounding, but think it
    looks like the rounding case since it appears as if "overflow is set".
    
    000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE = 001.0000000000000
    
    I think the following adds the check for my case and still works for the
    issue your commit was trying to resolve.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    kumargala committed with gregkh Oct 21, 2008
  9. @gregkh

    tcpv6: fix option space offsets with md5

    [ Upstream commit 53b1257 ]
    
    More breakage :-), part of timestamps just were previously
    overwritten.
    
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Ilpo Järvinen committed with gregkh Oct 8, 2008
  10. @herbertx @gregkh

    net: Fix netdev_run_todo dead-lock

    [ Upstream commit 58ec3b4 ]
    
    Benjamin Thery tracked down a bug that explains many instances
    of the error
    
    unregister_netdevice: waiting for %s to become free. Usage count = %d
    
    It turns out that netdev_run_todo can dead-lock with itself if
    a second instance of it is run in a thread that will then free
    a reference to the device waited on by the first instance.
    
    The problem is really quite silly.  We were trying to create
    parallelism where none was required.  As netdev_run_todo always
    follows a RTNL section, and that todo tasks can only be added
    with the RTNL held, by definition you should only need to wait
    for the very ones that you've added and be done with it.
    
    There is no need for a second mutex or spinlock.
    
    This is exactly what the following patch does.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    herbertx committed with gregkh Oct 7, 2008
  11. @gregkh

    scx200_i2c: Add missing class parameter

    commit 4a029ab upstream
    
    The scx200_i2c driver is missing the .class parameter, which means no
    i2c drivers are willing to probe for devices on the bus and attach to
    them.
    
    Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Lennart Sorensen committed with gregkh Oct 31, 2008
  12. @gregkh

    DVB: s5h1411: Power down s5h1411 when not in use

    commit 11fc9a4 upstream.
    
    DVB: s5h1411: Power down s5h1411 when not in use
    
    Power down the s5h1411 demodulator when not in use
    (on the Pinnacle 801e, this brings idle power from
    123ma down to 84ma).
    
    Signed-off-by: Devin Heitmueller <devin.heitmueller@gmail.com>
    Acked-by: Steven Toth <stoth@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Devin Heitmueller committed with gregkh Nov 2, 2008
  13. @gregkh

    DVB: s5h1411: Perform s5h1411 soft reset after tuning

    commit f0d041e upstream.
    
    DVB: s5h1411: Perform s5h1411 soft reset after tuning
    
    If you instruct the tuner to change frequencies, it can take up to 2500ms to
    get a demod lock.  By performing a soft reset after the tuning call (which
    is consistent with how the Pinnacle 801e Windows driver behaves), you get
    a demod lock inside of 300ms
    
    Signed-off-by: Devin Heitmueller <devin.heitmueller@gmail.com>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Acked-by: Steven Toth <stoth@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Devin Heitmueller committed with gregkh Nov 2, 2008
  14. @gregkh

    DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits

    commit 1af46b4 upstream.
    
    DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits
    
    Adding a serialmode function to read/and/or/write the register for safety.
    
    Signed-off-by: Steven Toth <stoth@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Steven Toth committed with gregkh Nov 2, 2008
  15. @gregkh

    V4L: pvrusb2: Keep MPEG PTSs from drifting away

    commit 3f93d1a upstream.
    
    V4L: pvrusb2: Keep MPEG PTSs from drifting away
    
    This change was empirically figured out by Boris Dores after
    empirically comparing against behavior in the Windows driver.
    
    Signed-off-by: Mike Isely <isely@pobox.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Boris Dores committed with gregkh Nov 2, 2008
  16. @gregkh

    ACPI: Always report a sync event after a lid state change

    upstream commit df316e9
    
    Currently not always an EV_SYN event is reported to userland
    after the EV_SW SW_LID event has been sent. This is easy to verify
    by using “input-events” from input-utils and just closing and opening
    the lid.
    
    Signed-off-by: Guillem Jover <guillem.jover@nokia.com>
    Acked-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Guillem Jover committed with gregkh Oct 28, 2008
  17. @tiwai @gregkh

    ALSA: use correct lock in snd_ctl_dev_disconnect()

    commit d800988 upstream
    
    The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
    for protection of card->ctl_files entries, instead of card->controls_rwsem.
    
    Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Jaroslav Kysela <perex@perex.cz>
    Cc: Chris Wedgwood <cw@f00f.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    tiwai committed with gregkh Sep 7, 2008
  18. @gregkh

    file caps: always start with clear bprm->caps_*

    commit 3318a38 upstream
    
    While Linux doesn't honor setuid on scripts.  However, it mistakenly
    behaves differently for file capabilities.
    
    This patch fixes that behavior by making sure that get_file_caps()
    begins with empty bprm->caps_*.  That way when a script is loaded,
    its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(),
    but they will be cleared again when binfmt_elf calls prepare_binprm()
    next to read the interpreter's file capabilities.
    
    Signed-off-by: Serge Hallyn <serue@us.ibm.com>
    Acked-by: David Howells <dhowells@redhat.com>
    Acked-by: Andrew G. Morgan <morgan@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Serge Hallyn committed with gregkh Oct 30, 2008
  19. @jmberg @gregkh

    libertas: fix buffer overrun

    commit 48735d8 upstream
    
    If somebody sends an invalid beacon/probe response, that can trash the
    whole BSS descriptor. The descriptor is, luckily, large enough so that
    it cannot scribble past the end of it; it's well above 400 bytes long.
    
    Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jmberg committed with gregkh Nov 2, 2008
  20. @davem330 @gregkh

    net: Fix recursive descent in __scm_destroy().

    commit f8d570a and
    3b53fbf upstream (because once wasn't
    good enough...)
    
    __scm_destroy() walks the list of file descriptors in the scm_fp_list
    pointed to by the scm_cookie argument.
    
    Those, in turn, can close sockets and invoke __scm_destroy() again.
    
    There is nothing which limits how deeply this can occur.
    
    The idea for how to fix this is from Linus.  Basically, we do all of
    the fput()s at the top level by collecting all of the scm_fp_list
    objects hit by an fput().  Inside of the initial __scm_destroy() we
    keep running the list until it is empty.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    davem330 committed with gregkh Nov 6, 2008
  21. @avasquez01 @gregkh

    SCSI: qla2xxx: Skip FDMI registration on ISP21xx/22xx parts.

    commit 031e134 upstream
    
    Firmware does not have the facilities to issue management server
    IOCBs.
    
    Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
    Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
    Cc: Ferenc Wagner <wferi@niif.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    avasquez01 committed with gregkh Oct 21, 2008
  22. @ozbenh @gregkh

    edac cell: fix incorrect edac_mode

    commit 3b274f4 upstream
    
    The cell_edac driver is setting the edac_mode field of the csrow's to an
    incorrect value, causing the sysfs show routine for that field to go out
    of an array bound and Oopsing the kernel when used.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Doug Thompson <dougthompson@xmission.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    ozbenh committed with gregkh Oct 20, 2008
  23. @gregkh

    ext[234]: Avoid printk floods in the face of directory corruption (CV…

    …E-2008-3528)
    
    This is a trivial backport of the following upstream commits:
    
    - bd39597 (ext2)
    - cdbf6db (ext3)
    - 9d9f177 (ext4)
    
    This addresses CVE-2008-3528
    
    ext[234]: Avoid printk floods in the face of directory corruption
    
    Note: some people thinks this represents a security bug, since it
    might make the system go away while it is printing a large number of
    console messages, especially if a serial console is involved.  Hence,
    it has been assigned CVE-2008-3528, but it requires that the attacker
    either has physical access to your machine to insert a USB disk with a
    corrupted filesystem image (at which point why not just hit the power
    button), or is otherwise able to convince the system administrator to
    mount an arbitrary filesystem image (at which point why not just
    include a setuid shell or world-writable hard disk device file or some
    such).  Me, I think they're just being silly. --tytso
    
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: linux-ext4@vger.kernel.org
    Cc: Eugene Teo <eugeneteo@kernel.sg>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Eric Sandeen committed with gregkh Oct 22, 2008
  24. @gregkh

    gpiolib: fix oops in gpio_get_value_cansleep()

    commit 978ccaa upstream
    
    We can get the following oops from gpio_get_value_cansleep() when a GPIO
    controller doesn't provide a get() callback:
    
     Unable to handle kernel paging request for instruction fetch
     Faulting instruction address: 0x00000000
     Oops: Kernel access of bad area, sig: 11 [#1]
     [...]
     NIP [00000000] 0x0
     LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50
     Call Trace:
     [c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94
     [c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c
     [c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0
     [c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc
     [c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c
     [c7b79f10] [c008f580] sys_read+0x4c/0x90
     [c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38
    
    It's OK to request the value of *any* GPIO; most GPIOs are bidirectional,
    so configuring them as outputs just enables an output driver and doesn't
    disable the input logic.
    
    So the problem is that gpio_get_value_cansleep() isn't making the same
    sanity check that gpio_get_value() does: making sure this GPIO isn't one
    of the atypical "no input logic" cases.
    
    Reported-by: Anton Vorontsov <avorontsov@ru.mvista.com>
    Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    David Brownell committed with gregkh Oct 20, 2008
Commits on Oct 22, 2008
  1. @gregkh

    Linux 2.6.26.7

    gregkh committed Oct 22, 2008
  2. @fenrus75 @gregkh

    security: avoid calling a NULL function pointer in drivers/video/tvau…

    …dio.c
    
    commit 5ba2f67 upstream
    
    NULL function pointers are very bad security wise. This one got caught by
    kerneloops.org quite a few times, so it's happening in the field....
    
    Fix is simple, check the function pointer for NULL, like 6 other places
    in the same function are already doing.
    
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    fenrus75 committed with gregkh Oct 10, 2008
  3. @mkrufky @gregkh

    DVB: au0828: add support for another USB id for Hauppauge HVR950Q

    (cherry picked from commit a636da6)
    
    DVB: au0828: add support for another USB id for Hauppauge HVR950Q
    
    Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e)
    
    Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    mkrufky committed with gregkh Oct 18, 2008
  4. @gregkh

    drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)

    commit 4b40893 upstream
    
    Olaf Kirch noticed that the i915_set_status_page() function of the i915
    kernel driver calls ioremap with an address offset that is supplied by
    userspace via ioctl. The function zeroes the mapped memory via memset
    and tells the hardware about the address. Turns out that access to that
    ioctl is not restricted to root so users could probably exploit that to
    do nasty things. We haven't tried to write actual exploit code though.
    
    It only affects the Intel G33 series and newer.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Matthias Hopf committed with gregkh Oct 18, 2008
  5. @yakuizhao @gregkh

    ACPI: Ignore _BQC object when registering backlight device

    upstream commmit: c2c7890
    
    According to acpi spec , the objectes of  _BCL and _BCM are required if
    integrated LCD is present and supports brightness level and the _BQC is
    the optional object. So the _BQC object will be ignored when the backlight
    device is registered.
    At the same time when there is no _BQC object, the current brightness will be
    set to the maximum.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=10206
    
    Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
    Signed-off-by: Zhang Rui  <rui.zhang@intel.com>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Len Brown <lenb@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    yakuizhao committed with gregkh Oct 17, 2008
  6. @gregkh

    hwmon: (it87) Prevent power-off on Shuttle SN68PT

    based on commit 98dd22c upstream
    
    On the Shuttle SN68PT, FAN_CTL2 is apparently not connected to a fan,
    but to something else. One user has reported instant system power-off
    when changing the PWM2 duty cycle, so we disable it.
    
    I use the board name string as the trigger in case the same board is
    ever used in other systems.
    
    This closes lm-sensors ticket #2349:
    pwmconfig causes a hard poweroff
    http://www.lm-sensors.org/ticket/2349
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Jean Delvare committed with gregkh Oct 10, 2008
  7. @torvalds @gregkh

    Check mapped ranges on sysfs resource files

    commit b5ff7df upstream
    
    Check mapped ranges on sysfs resource files
    
    This is loosely based on a patch by Jesse Barnes to check the user-space
    PCI mappings though the sysfs interfaces.  Quoting Jesse's original
    explanation:
    
      It's fairly common for applications to map PCI resources through sysfs.
      However, with the current implementation, it's possible for an application
      to map far more than the range corresponding to the resourceN file it
      opened.  This patch plugs that hole by checking the range at mmap time,
      similar to what is done on platforms like sparc64 in their lower level
      PCI remapping routines.
    
      It was initially put together to help debug the e1000e NVRAM corruption
      problem, since we initially thought an X driver might be walking past the
      end of one of its mappings and clobbering the NVRAM.  It now looks like
      that's not the case, but doing the check is still important for obvious
      reasons.
    
    and this version of the patch differs in that it uses a helper function
    to clarify the code, and does all the checks in pages (instead of bytes)
    in order to avoid overflows when doing "<< PAGE_SHIFT" etc.
    
    [cebbert@redhat.com: backport, changing WARN() to printk()]
    
    Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    torvalds committed with gregkh Oct 15, 2008
  8. @gregkh

    x86: avoid dereferencing beyond stack + THREAD_SIZE

    commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream
    
    It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE
    while iterating through instruction pointers if fp equals the upper boundary,
    causing a kernel panic.
    
    Signed-off-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    David Rientjes committed with gregkh Oct 13, 2008
  9. @gregkh

    PCI: disable ASPM on pre-1.1 PCIe devices

    commit 149e163 upstream
    
    Disable ASPM on pre-1.1 PCIe devices, as many of them don't implement it
    correctly.
    
    Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu>
    Signed-off-by: Shaohua Li <shaohua.li@intel.com>
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Shaohua Li committed with gregkh Oct 13, 2008
  10. @gregkh

    PCI: disable ASPM per ACPI FADT setting

    commit 5fde244 upstream
    
    The ACPI FADT table includes an ASPM control bit. If the bit is set, do
    not enable ASPM since it may indicate that the platform doesn't actually
    support the feature.
    
    Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu>
    Signed-off-by: Shaohua Li <shaohua.li@intel.com>
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Shaohua Li committed with gregkh Oct 13, 2008
  11. @rcls @gregkh

    V4L/DVB (9053): fix buffer overflow in uvc-video

    Commit fe6c700 upstream
    
    V4L/DVB (9053): fix buffer overflow in uvc-video
    
    There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:
    
    INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
    INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
    ...
    
    A fixed size 8-byte buffer is allocated, and a variable size field is read
    into it; there is no particular bound on the size of the field (it is
    dependent on hardware and configuration) and it can overflow [also
    verified by inserting printk's.]
    
    The patch attempts to size the buffer to the correctly.
    
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    rcls committed with gregkh Oct 13, 2008