commit 322df44ba33ce740d4980019d7202e6f6a3df53c
Author: Greg Kroah-Hartman
Date:   Wed Oct 22 14:38:01 2008 -0700

    Linux 2.6.27.3

commit cd9f58efb861a86283931f3db17aa2a4fe4da642
Author: Arjan van de Ven
Date:   Fri Oct 10 21:16:12 2008 -0700

    security: avoid calling a NULL function pointer in drivers/video/tvaudio.c

    commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream

    NULL function pointers are very bad security-wise. This one got caught by
    kerneloops.org quite a few times, so it's happening in the field....

    Fix is simple, check the function pointer for NULL, like 6 other places in
    the same function are already doing.

    Signed-off-by: Arjan van de Ven
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 686c714cce06e8804e15daf7ce3d4f80c35c6a69
Author: Michael Krufky
Date:   Sat Oct 18 10:36:06 2008 -0400

    DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick

    (cherry picked from commit 3dfbe31f09fb1da5f17437fd384cdfb6114765d9)

    DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick

    Autodetect 2040:5520 and 2040:5530 as Hauppauge WinTV MiniStick

    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 3937df1fec50759893da5d9fa675cbc3a74eb6b2
Author: Michael Krufky
Date:   Sat Oct 18 10:36:01 2008 -0400

    DVB: au0828: add support for another USB id for Hauppauge HVR950Q

    (cherry picked from commit a636da6bab3307fc8c6e6a22a63b0b25ba0687be)

    DVB: au0828: add support for another USB id for Hauppauge HVR950Q

    Add autodetection support for a new revision of the Hauppauge HVR950Q
    (2040:721e)

    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit f8d61d1be61999a76cb207125d3bfb1885cd40eb
Author: Matthias Hopf
Date:   Sat Oct 18 07:18:05 2008 +1000

    drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)

    commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream

    Olaf Kirch noticed that the i915_set_status_page() function of the i915
    kernel driver calls ioremap with an address offset that is supplied by
    userspace via ioctl. The function zeroes the mapped memory via memset and
    tells the hardware about the address.

    Turns out that access to that ioctl is not restricted to root so users
    could probably exploit that to do nasty things. We haven't tried to write
    actual exploit code though.

    It only affects the Intel G33 series and newer.

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit ee3b0b543db121a5fe144d755fcb7c0429d1fa50
Author: David Brownell
Date:   Fri Oct 17 23:10:16 2008 +0000

    usb: musb_hdrc build fixes

    commit c767c1c6f1febbd1351cc152bba6e37889322d17 upstream

    Minor musb_hdrc updates:

     - so it'll build on DaVinci, given relevant platform updates;
         * remove support for an un-shipped OTG prototype
         * rely on gpiolib framework conversion for the I2C GPIOs
         * the mechanism has been removed

     - catch comments up to the recent removal of the per-SOC header
       with the silicon configuration data;

     - and remove two inappropriate "inline" declarations which just
       bloat host side code.

    There are still some more ==> changes needed in this driver, catching
    up to the relocation of most of the include/asm-arm/arch-* contents.

    Signed-off-by: David Brownell
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 4e4ce5b5cb10b08eeafff642b286eb302d53f7eb
Author: David Brownell
Date:   Fri Oct 17 23:10:12 2008 +0000

    usb gadget: cdc ethernet notification bugfix

    commit 29bac7b7661bbbdbbd32bc1e6cedca22f260da7f upstream

    Bugfix for the new CDC Ethernet code: as part of activating the network
    interface's USB link, make sure its link management code knows whether
    the interface is open or not.

    Without this fix, the link won't work right when it's brought up before
    the link is active ... because the initial notification it sends will
    have the wrong link state (down, not up). Makes it hard to bridge these
    links (on the host side), among other things.

    Signed-off-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman

commit c78487b1d935d938014ddbec7b3d5816c1580fce
Author: Alan Stern
Date:   Fri Oct 17 23:10:07 2008 +0000

    USB: EHCI: log a warning if ehci-hcd is not loaded first

    commit 9beeee6584b9aa4f9192055512411484a2a624df upstream

    This patch (as1139) adds a warning to the system log whenever ehci-hcd
    is loaded after ohci-hcd or uhci-hcd. Nowadays most distributions are
    pretty good about not doing this; maybe the warning will help convince
    anyone still doing it wrong.

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit 1f41088c56185a338b1e916a95c2ce11e3996e6a
Author: Yauhen Kharuzhy
Date:   Fri Oct 17 23:10:20 2008 +0000

    USB: Fix s3c2410_udc usb speed handling

    commit f9e9cff613b8239ce9159735aa662c9c85b478bf upstream

    The new composite framework revealed a weakness in the s3c2410_udc
    driver gadget register function. Instead of checking if speed asked for
    was USB_LOW_SPEED upon usb_gadget_register() to deny service, it checked
    only for USB_FULL_SPEED, thus denying service to usb high speed capable
    gadgets (like g_ether).

    Signed-off-by: Yauhen Kharuzhy
    Signed-off-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman

commit 48e12d72efd753818139a1870ee840ceb1a776e3
Author: Alan Stern
Date:   Fri Oct 17 23:10:03 2008 +0000

    USB: OHCI: fix endless polling behavior

    commit 71b7497c078a97e2afb774ad7c1f8ff5bdda8a60 upstream

    This patch (as1149) fixes an obscure problem in OHCI polling. In the
    current code, if the RHSC interrupt status flag turns on at a time when
    RHSC interrupts are disabled, it will remain on forever:

        The interrupt handler is the only place where RHSC status gets
        turned back off;

        The interrupt handler won't turn RHSC status off because it doesn't
        turn off status flags if the corresponding interrupt isn't enabled;

        RHSC interrupts will never get enabled because
        ohci_root_hub_state_changes() doesn't reenable RHSC if RHSC status
        is on!

    As a result we will continue polling indefinitely instead of reverting
    to interrupt-driven operation, and the root hub will not autosuspend.

    This particular sequence of events is not at all unusual; in fact
    plugging a USB device into an OHCI controller will usually cause it to
    occur. Of course, this is a bug.

    The proper thing to do is to turn off RHSC status just before reading
    the actual port status values. That way either a port status change
    will be detected (if it occurs before the status read) or it will turn
    RHSC back on. Possibly both, but that won't hurt anything.

    We can still check for systems in which RHSC is totally broken, by
    re-reading RHSC after clearing it and before reading the port statuses.
    (This re-read has to be done anyway, to post the earlier write.) If RHSC
    is on but no port-change statuses are set, then we know that RHSC is
    broken and we can avoid re-enabling it.

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit 5bad3352aa6262a0e4515315060d93d691913399
Author: Alan Stern
Date:   Fri Oct 17 23:10:23 2008 +0000

    OHCI: Allow broken controllers to auto-stop

    commit 4a511bc3f5829bc18428bcf11c25417a79d09396 upstream

    This patch (as1134) attempts to improve the way we handle OHCI
    controllers with broken Root Hub Status Change interrupt support. In
    these controllers the RHSC interrupt bit essentially never turns off,
    making RHSC interrupts useless -- they have to remain permanently
    disabled.

    Such controllers should still be allowed to turn off their root hubs
    when no devices are attached. Polling for new connections can continue
    while the root hub is suspended. The patch implements this feature. (It
    won't have much effect unless CONFIG_PM is enabled and
    CONFIG_USB_SUSPEND is disabled, but since the overhead is very small we
    may as well do it.)

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit dd1f7982f569821f0f35237644e1900456adc58e
Author: Luis R. Rodriguez
Date:   Fri Oct 3 15:45:26 2008 -0700

    ath9k: fix oops on trying to hold the wrong spinlock

    commit a477e4e6d48d3ac7c7a75bad40585cb391e5c237 upstream

    We were trying to hold the wrong spinlock due to a typo on
    IEEE80211_BAR_CTL_TID_S's definition. We use this to compute the tid
    number and then hold this tid number's spinlock.

    Tested-by: Steven Noonan
    Signed-off-by: Vasanthakumar Thiagarajan
    Signed-off-by: Sujith
    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit c068663ae65e507814545b59a8e2090f48a85613
Author: Christoph Hellwig
Date:   Sun Oct 12 14:30:44 2008 +0200

    xfs: fix remount rw with unrecognized options

    commit 6c5e51dae2c37127e00be392f40842e08077e96a upstream

    When we skip unrecognized options in xfs_fs_remount we should just break
    out of the switch and not return because otherwise we may skip clearing
    the xfs-internal read-only flag.

    This will only show up on some operations like touch because most
    read-only checks are done by the VFS which thinks this filesystem is
    r/w. Eventually we should replace the XFS read-only flag with a helper
    that always checks the VFS flag to make sure they can never get out of
    sync.

    Bug reported and fix verified by Marcel Beister on #xfs.
    Bug fix verified by updated xfstests/189.

    Signed-off-by: Christoph Hellwig
    Acked-by: Eric Sandeen
    Signed-off-by: Timothy Shimmin
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 72da00bb9053a46e338496def4225febb5137ed3
Author: Chris Webb
Date:   Thu Oct 16 19:05:16 2008 +0000

    md: Fix rdev_size_store with size == 0

    commit 7d3c6f8717ee6c2bf6cba5fa0bda3b28fbda6015 upstream

    Fix rdev_size_store with size == 0. size == 0 means to use the largest
    size allowed by the underlying device and is used when modifying an
    active array.

    This fixes a regression introduced by commit
    d7027458d68b2f1752a28016dcf2ffd0a7e8f567

    Signed-off-by: Chris Webb
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit f76f2408cccf448917c8a2a2b775571fd60aee30
Author: Johannes Berg
Date:   Thu Oct 16 19:05:12 2008 +0000

    ath9k/mac80211: disallow fragmentation in ath9k, report to userspace

    commit 4233df6b748193d45f79fb7448991a473061a65d upstream

    As I've reported, ath9k currently fails utterly when fragmentation is
    enabled. This makes ath9k "support" hardware fragmentation by not
    supporting fragmentation at all to avoid the double-free issue.

    The patch also changes mac80211 to report errors from the driver
    operation to userspace.

    That hack in ath9k should be removed once the rate control algorithm it
    has is fixed, and we can at that time consider removing the hw
    fragmentation support entirely since it's not used by any driver.

    Signed-off-by: Johannes Berg
    Acked-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 02d4bc2c23cabd7930011b4d030807db2c6604a2
Author: Cornelia Huck
Date:   Thu Oct 16 22:05:07 2008 +0000

    Driver core: Clarify device cleanup.

    commit 5739411acbaa63a6c22c91e340fdcdbcc7d82a51 upstream

    Make the comments on how to use device_initialize(), device_add() and
    device_register() a bit clearer - in particular, explicitly note that
    put_device() must be used once we tried to add the device to the
    hierarchy.

    Signed-off-by: Cornelia Huck
    Signed-off-by: Greg Kroah-Hartman

commit c552cad06920b6dc20bb0b41bbb37b60f194e46a
Author: Cornelia Huck
Date:   Thu Oct 16 22:05:05 2008 +0000

    Driver core: Fix cleanup in device_create_vargs().

    commit 286661b3777897220ecfcd774bccc68a34667f39 upstream

    If device_register() in device_create_vargs() fails, the device must be
    cleaned up with put_device() (which is also fine on NULL) instead of
    kfree().

    Signed-off-by: Cornelia Huck
    Signed-off-by: Greg Kroah-Hartman

commit 0b84283d642d6865e15ddad62dd2f1a092812f5a
Author: Alexey Dobriyan
Date:   Thu Oct 16 22:05:10 2008 +0000

    modules: fix module "notes" kobject leak

    commit e94320939f44e0cbaccc3f259a5778abced4949c upstream

    Fix "notes" kobject leak

    It happens every rmmod if KALLSYMS=y and SYSFS=y.

    # modprobe foo
    kobject: 'foo' (ffffffffa00743d0): kobject_add_internal: parent: 'module', set: 'module'
    kobject: 'holders' (ffff88017e7c5770): kobject_add_internal: parent: 'foo', set: ''
    kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
    kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
    kobject: 'notes' (ffff88017fa9b668): kobject_add_internal: parent: 'foo', set: ''
              ^^^^^

    # rmmod foo
    kobject: 'holders' (ffff88017e7c5770): kobject_cleanup
    kobject: 'holders' (ffff88017e7c5770): auto cleanup kobject_del
    kobject: 'holders' (ffff88017e7c5770): calling ktype release
    kobject: (ffff88017e7c5770): dynamic_kobj_release
    kobject: 'holders': free name
    kobject: 'foo' (ffffffffa00743d0): kobject_cleanup
    kobject: 'foo' (ffffffffa00743d0): does not have a release() function, it is broken and must be fixed.
    kobject: 'foo' (ffffffffa00743d0): auto cleanup 'remove' event
    kobject: 'foo' (ffffffffa00743d0): kobject_uevent_env
    kobject: 'foo' (ffffffffa00743d0): fill_kobj_path: path = '/module/foo'
    kobject: 'foo' (ffffffffa00743d0): auto cleanup kobject_del
    kobject: 'foo': free name
    [whooops]

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: Greg Kroah-Hartman

commit e6e5cdaae090c6c5c5bfe7d058983cd464269ca6
Author: Oleg Nesterov
Date:   Thu Oct 16 19:05:07 2008 +0000

    fbcon_set_all_vcs: fix kernel crash when switching the rotated consoles

    commit 232fb69a53a5ec3f22a8104d447abe4806848a8f upstream

    echo 3 >> /sys/class/graphics/fbcon/rotate_all, then switch to another
    console. Result:

    BUG: unable to handle kernel paging request at ffffc20005d00000
    IP: [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
    PGD 7e228067 PUD 7e229067 PMD 7bc1f067 PTE 0
    Oops: 0002 [1] SMP
    CPU 1
    Modules linked in: [...a lot...]
    Pid: 10, comm: events/1 Not tainted 2.6.26.5-45.fc9.x86_64 #1
    RIP: 0010:[bitfill_aligned+149/265] [bitfill_aligned+149/265] bitfill_aligned+0x95/0x109
    RSP: 0018:ffff81007d811bc8 EFLAGS: 00010216
    RAX: ffffc20005d00000 RBX: 0000000000000000 RCX: 0000000000000400
    RDX: 0000000000000000 RSI: ffffc20005d00000 RDI: ffffffffffffffff
    RBP: ffff81007d811be0 R08: 0000000000000400 R09: 0000000000000040
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000010000
    R13: ffffffff811632f0 R14: 0000000000000006 R15: ffff81007cb85400
    FS:  0000000000000000(0000) GS:ffff81007e004780(0000) knlGS:0000000000000000
    CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: ffffc20005d00000 CR3: 0000000000201000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process events/1 (pid: 10, threadinfo ffff81007d810000, task ffff81007d808000)
    Stack:  ffff81007c9d75a0 0000000000000000 0000000000000000 ffff81007d811c80
     ffffffff81163a61 ffff810000000000 ffffffff8115f9c8 0000001000000000
     0000000100aaaaaa 000000007cd0d4a0 fffffd8a00000800 0001000000000000
    Call Trace:
     [cfb_fillrect+523/798] cfb_fillrect+0x20b/0x31e
     [soft_cursor+416/436] ? soft_cursor+0x1a0/0x1b4
     [ccw_clear_margins+205/263] ccw_clear_margins+0xcd/0x107
     [fbcon_clear_margins+59/61] fbcon_clear_margins+0x3b/0x3d
     [fbcon_switch+1291/1466] fbcon_switch+0x50b/0x5ba
     [redraw_screen+261/481] redraw_screen+0x105/0x1e1
     [ccw_cursor+0/1869] ? ccw_cursor+0x0/0x74d
     [complete_change_console+48/190] complete_change_console+0x30/0xbe
     [change_console+115/120] change_console+0x73/0x78
     [console_callback+0/292] ? console_callback+0x0/0x124
     [console_callback+97/292] console_callback+0x61/0x124
     [schedule_delayed_work+25/30] ? schedule_delayed_work+0x19/0x1e
     [run_workqueue+139/282] run_workqueue+0x8b/0x11a
     [worker_thread+221/238] worker_thread+0xdd/0xee
     [autoremove_wake_function+0/56] ? autoremove_wake_function+0x0/0x38
     [worker_thread+0/238] ? worker_thread+0x0/0xee
     [kthread+73/118] kthread+0x49/0x76
     [child_rip+10/18] child_rip+0xa/0x12
     [kthread+0/118] ? kthread+0x0/0x76
     [child_rip+0/18] ? child_rip+0x0/0x12

    Because fbcon_set_all_vcs()->FBCON_SWAP() uses display->rotate == 0
    instead of fbcon_ops->rotate, and vc_resize() has no effect because it
    is called with new_cols/rows == ->vc_cols/rows.

    Tested on 2.6.26.5-45.fc9.x86_64, but
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git seems
    to have the same problem.

    Signed-off-by: Oleg Nesterov
    Cc: Krzysztof Helt
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
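The drm/i915 entry above (CVE-2008-3831) describes an ioctl that mapped and zeroed device memory at an offset chosen by an unprivileged caller. The following is an added illustration of that bug class and of the two checks the commit message implies (restrict the ioctl to root, and bound the offset before mapping); it is not the i915 driver's code, and the aperture, the page size, the return codes and both handler names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not the i915 driver: a device-programming ioctl that
 * receives a memory offset from userspace and maps/zeroes memory at it. */

#define PAGE_BYTES 4096u   /* hypothetical page size used for alignment */

/* Hypothetical device aperture: the only memory this ioctl may ever touch. */
struct aperture {
    uint64_t base;   /* bus address of the aperture start */
    uint64_t len;    /* aperture size in bytes */
};

enum { RC_OK = 0, RC_EPERM = 1, RC_EINVAL = 2 };

/* True only if [off, off + len) lies entirely inside the aperture, is
 * page-aligned, and none of the additions can wrap around. */
bool offset_in_aperture(const struct aperture *ap, uint64_t off, uint64_t len)
{
    if (len == 0 || (off % PAGE_BYTES) != 0)
        return false;
    if (off > ap->len)                       /* test before forming off + len */
        return false;
    if (len > ap->len - off)                 /* same as off + len > ap->len, no wrap */
        return false;
    return ap->base <= UINT64_MAX - ap->len; /* base + len itself must not wrap */
}

/* Unpatched shape: trust the caller and hand the offset straight to the
 * mapping routine. Combined with an unrestricted ioctl, this is the flaw
 * the commit message describes; the sum can even wrap below the aperture. */
uint64_t status_page_unchecked(const struct aperture *ap, uint64_t user_off)
{
    return ap->base + user_off;              /* would then be ioremap()'d and memset() */
}

/* Hardened shape: require privilege for a device-programming ioctl AND
 * bound the offset, so neither check alone has to carry the whole load. */
int status_page_checked(const struct aperture *ap, bool caller_is_root,
                        uint64_t user_off, uint64_t *mapped)
{
    if (!caller_is_root)
        return RC_EPERM;
    if (!offset_in_aperture(ap, user_off, PAGE_BYTES))
        return RC_EINVAL;
    *mapped = ap->base + user_off;
    return RC_OK;
}
```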