linux-toradex.git, branch v2.6.27.3 Linux kernel for Apalis and Colibri modules Linux 2.6.27.3 2008-10-22T21:38:01+00:00 Greg Kroah-Hartman gregkh@suse.de 2008-10-22T21:38:01+00:00 322df44ba33ce740d4980019d7202e6f6a3df53c 






security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
2008-10-22T21:21:33+00:00

Arjan van de Ven
arjan@linux.intel.com

2008-10-11T04:16:12+00:00

cd9f58efb861a86283931f3db17aa2a4fe4da642

commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream

NULL function pointers are very bad security wise. This one got caught by
kerneloops.org quite a few times, so it's happening in the field....

Fix is simple, check the function pointer for NULL, like 6 other places
in the same function are already doing.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream

NULL function pointers are very bad security wise. This one got caught by
kerneloops.org quite a few times, so it's happening in the field....

Fix is simple, check the function pointer for NULL, like 6 other places
in the same function are already doing.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick
2008-10-22T21:21:32+00:00

Michael Krufky
mkrufky@linuxtv.org

2008-10-18T14:36:06+00:00

686c714cce06e8804e15daf7ce3d4f80c35c6a69

(cherry picked from commit 3dfbe31f09fb1da5f17437fd384cdfb6114765d9)

DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick

Autodetect 2040:5520 and 2040:5530 as Hauppauge WinTV MiniStick

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






(cherry picked from commit 3dfbe31f09fb1da5f17437fd384cdfb6114765d9)

DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick

Autodetect 2040:5520 and 2040:5530 as Hauppauge WinTV MiniStick

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








DVB: au0828: add support for another USB id for Hauppauge HVR950Q
2008-10-22T21:21:29+00:00

Michael Krufky
mkrufky@linuxtv.org

2008-10-18T14:36:01+00:00

3937df1fec50759893da5d9fa675cbc3a74eb6b2

(cherry picked from commit a636da6bab3307fc8c6e6a22a63b0b25ba0687be)

DVB: au0828: add support for another USB id for Hauppauge HVR950Q

Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e)

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






(cherry picked from commit a636da6bab3307fc8c6e6a22a63b0b25ba0687be)

DVB: au0828: add support for another USB id for Hauppauge HVR950Q

Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e)

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
2008-10-22T21:21:29+00:00

Matthias Hopf
mhopf@suse.de

2008-10-17T21:18:05+00:00

f8d61d1be61999a76cb207125d3bfb1885cd40eb

commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream

Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.

It only affects the Intel G33 series and newer.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream

Olaf Kirch noticed that the i915_set_status_page() function of the i915
kernel driver calls ioremap with an address offset that is supplied by
userspace via ioctl. The function zeroes the mapped memory via memset
and tells the hardware about the address. Turns out that access to that
ioctl is not restricted to root so users could probably exploit that to
do nasty things. We haven't tried to write actual exploit code though.

It only affects the Intel G33 series and newer.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








usb: musb_hdrc build fixes
2008-10-22T21:21:27+00:00

David Brownell
dbrownell@users.sourceforge.net

2008-10-17T23:10:16+00:00

ee3b0b543db121a5fe144d755fcb7c0429d1fa50

commit c767c1c6f1febbd1351cc152bba6e37889322d17 upstream

Minor musb_hdrc updates:

  - so it'll build on DaVinci, given relevant platform updates;
      * remove support for an un-shipped OTG prototype
      * rely on gpiolib framework conversion for the I2C GPIOs
      * the <asm/arch/hdrc_cnf.h> mechanism has been removed

  - catch comments up to the recent removal of the per-SOC header
    with the silicon configuration data;

  - and remove two inappropriate "inline" declarations which
    just bloat host side code.

There are still some more <asm/arch/XYZ.h> ==> <mach/XYZ.h>
changes needed in this driver, catching up to the relocation
of most of the include/asm-arm/arch-* contents.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit c767c1c6f1febbd1351cc152bba6e37889322d17 upstream

Minor musb_hdrc updates:

  - so it'll build on DaVinci, given relevant platform updates;
      * remove support for an un-shipped OTG prototype
      * rely on gpiolib framework conversion for the I2C GPIOs
      * the <asm/arch/hdrc_cnf.h> mechanism has been removed

  - catch comments up to the recent removal of the per-SOC header
    with the silicon configuration data;

  - and remove two inappropriate "inline" declarations which
    just bloat host side code.

There are still some more <asm/arch/XYZ.h> ==> <mach/XYZ.h>
changes needed in this driver, catching up to the relocation
of most of the include/asm-arm/arch-* contents.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








usb gadget: cdc ethernet notification bugfix
2008-10-22T21:21:25+00:00

David Brownell
dbrownell@users.sourceforge.net

2008-10-17T23:10:12+00:00

4e4ce5b5cb10b08eeafff642b286eb302d53f7eb

commit 29bac7b7661bbbdbbd32bc1e6cedca22f260da7f upstream

Bugfix for the new CDC Ethernet code:  as part of activating the
network interface's USB link, make sure its link management code
knows whether the interface is open or not.

Without this fix, the link won't work right when it's brought up
before the link is active ... because the initial notification it
sends will have the wrong link state (down, not up).  Makes it
hard to bridge these links (on the host side), among other things.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 29bac7b7661bbbdbbd32bc1e6cedca22f260da7f upstream

Bugfix for the new CDC Ethernet code:  as part of activating the
network interface's USB link, make sure its link management code
knows whether the interface is open or not.

Without this fix, the link won't work right when it's brought up
before the link is active ... because the initial notification it
sends will have the wrong link state (down, not up).  Makes it
hard to bridge these links (on the host side), among other things.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








USB: EHCI: log a warning if ehci-hcd is not loaded first
2008-10-22T21:21:22+00:00

Alan Stern
stern@rowland.harvard.edu

2008-10-17T23:10:07+00:00

c78487b1d935d938014ddbec7b3d5816c1580fce

commit 9beeee6584b9aa4f9192055512411484a2a624df upstream

This patch (as1139) adds a warning to the system log whenever ehci-hcd
is loaded after ohci-hcd or uhci-hcd.  Nowadays most distributions are
pretty good about not doing this; maybe the warning will help convince
anyone still doing it wrong.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 9beeee6584b9aa4f9192055512411484a2a624df upstream

This patch (as1139) adds a warning to the system log whenever ehci-hcd
is loaded after ohci-hcd or uhci-hcd.  Nowadays most distributions are
pretty good about not doing this; maybe the warning will help convince
anyone still doing it wrong.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








USB: Fix s3c2410_udc usb speed handling
2008-10-22T21:21:21+00:00

Yauhen Kharuzhy
jekhor@gmail.com

2008-10-17T23:10:20+00:00

1f41088c56185a338b1e916a95c2ce11e3996e6a

commit f9e9cff613b8239ce9159735aa662c9c85b478bf upstream

The new composite framework revealed a weakness in the
s3c2410_udc driver gadget register function. Instead of
checking if speed asked for was USB_LOW_SPEED upon
usb_gadget_register() to deny service, it checked only
for USB_FULL_SPEED, thus denying service to usb high
speed capable gadgets (like g_ether).

Signed-off-by: Yauhen Kharuzhy <jekhor@gmail.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit f9e9cff613b8239ce9159735aa662c9c85b478bf upstream

The new composite framework revealed a weakness in the
s3c2410_udc driver gadget register function. Instead of
checking if speed asked for was USB_LOW_SPEED upon
usb_gadget_register() to deny service, it checked only
for USB_FULL_SPEED, thus denying service to usb high
speed capable gadgets (like g_ether).

Signed-off-by: Yauhen Kharuzhy <jekhor@gmail.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>








USB: OHCI: fix endless polling behavior
2008-10-22T21:21:19+00:00

Alan Stern
stern@rowland.harvard.edu

2008-10-17T23:10:03+00:00

48e12d72efd753818139a1870ee840ceb1a776e3

commit 71b7497c078a97e2afb774ad7c1f8ff5bdda8a60 upstream

This patch (as1149) fixes an obscure problem in OHCI polling.  In the
current code, if the RHSC interrupt status flag turns on at a time
when RHSC interrupts are disabled, it will remain on forever:

	The interrupt handler is the only place where RHSC status
	gets turned back off;

	The interrupt handler won't turn RHSC status off because it
	doesn't turn off status flags if the corresponding interrupt
	isn't enabled;

	RHSC interrupts will never get enabled because
	ohci_root_hub_state_changes() doesn't reenable RHSC if RHSC
	status is on!

As a result we will continue polling indefinitely instead of reverting
to interrupt-driven operation, and the root hub will not autosuspend.
This particular sequence of events is not at all unusual; in fact
plugging a USB device into an OHCI controller will usually cause it to
occur.

Of course, this is a bug.  The proper thing to do is to turn off RHSC
status just before reading the actual port status values.  That way
either a port status change will be detected (if it occurs before the
status read) or it will turn RHSC back on.  Possibly both, but that
won't hurt anything.

We can still check for systems in which RHSC is totally broken, by
re-reading RHSC after clearing it and before reading the port
statuses.  (This re-read has to be done anyway, to post the earlier
write.)  If RHSC is on but no port-change statuses are set, then we
know that RHSC is broken and we can avoid re-enabling it.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>






commit 71b7497c078a97e2afb774ad7c1f8ff5bdda8a60 upstream

This patch (as1149) fixes an obscure problem in OHCI polling.  In the
current code, if the RHSC interrupt status flag turns on at a time
when RHSC interrupts are disabled, it will remain on forever:

	The interrupt handler is the only place where RHSC status
	gets turned back off;

	The interrupt handler won't turn RHSC status off because it
	doesn't turn off status flags if the corresponding interrupt
	isn't enabled;

	RHSC interrupts will never get enabled because
	ohci_root_hub_state_changes() doesn't reenable RHSC if RHSC
	status is on!

As a result we will continue polling indefinitely instead of reverting
to interrupt-driven operation, and the root hub will not autosuspend.
This particular sequence of events is not at all unusual; in fact
plugging a USB device into an OHCI controller will usually cause it to
occur.

Of course, this is a bug.  The proper thing to do is to turn off RHSC
status just before reading the actual port status values.  That way
either a port status change will be detected (if it occurs before the
status read) or it will turn RHSC back on.  Possibly both, but that
won't hurt anything.

We can still check for systems in which RHSC is totally broken, by
re-reading RHSC after clearing it and before reading the port
statuses.  (This re-read has to be done anyway, to post the earlier
write.)  If RHSC is on but no port-change statuses are set, then we
know that RHSC is broken and we can avoid re-enabling it.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>