From: dean gaudet <dean@arctic.org>

There's an off-by-1 in kernel/power/main.c:state_store() ...  if your
kernel just happens to have some non-zero data at pm_states[PM_SUSPEND_MAX]
(i.e.  one past the end of the array) then it'll let you write anything you
want to /sys/power/state and in response the box will enter S5.

Signed-off-by: dean gaudet <dean@arctic.org>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 kernel/power/main.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/power/main.c~off-by-1-in-kernel-power-mainc kernel/power/main.c
--- devel/kernel/power/main.c~off-by-1-in-kernel-power-mainc	2006-04-22 16:20:29.000000000 -0700
+++ devel-akpm/kernel/power/main.c	2006-04-22 16:20:29.000000000 -0700
@@ -272,7 +272,7 @@ static ssize_t state_store(struct subsys
 		if (*s && !strncmp(buf, *s, len))
 			break;
 	}
-	if (*s)
+	if (state < PM_SUSPEND_MAX && *s)
 		error = enter_state(state);
 	else
 		error = -EINVAL;
_