--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:09:36 2008
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 15 Oct 2008 18:09:14 -0400
+Subject: Check mapped ranges on sysfs resource files
+To: stable@kernel.org
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Message-ID: <20081015180914.0e44fdb6@redhat.com>
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b5ff7df3df9efab511244d5a299fce706c71af48 upstream
+
+Check mapped ranges on sysfs resource files
+
+This is loosely based on a patch by Jesse Barnes to check the user-space
+PCI mappings through the sysfs interfaces. Quoting Jesse's original
+explanation:
+
+ It's fairly common for applications to map PCI resources through sysfs.
+ However, with the current implementation, it's possible for an application
+ to map far more than the range corresponding to the resourceN file it
+ opened. This patch plugs that hole by checking the range at mmap time,
+ similar to what is done on platforms like sparc64 in their lower level
+ PCI remapping routines.
+
+ It was initially put together to help debug the e1000e NVRAM corruption
+ problem, since we initially thought an X driver might be walking past the
+ end of one of its mappings and clobbering the NVRAM. It now looks like
+ that's not the case, but doing the check is still important for obvious
+ reasons.
+
+and this version of the patch differs in that it uses a helper function
+to clarify the code, and does all the checks in pages (instead of bytes)
+in order to avoid overflows when doing "<< PAGE_SHIFT" etc.
+
+[cebbert@redhat.com: backport, changing WARN() to printk()]
+
+Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/pci-sysfs.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -16,6 +16,7 @@
+
+
+ #include <linux/kernel.h>
++#include <linux/sched.h>
+ #include <linux/pci.h>
+ #include <linux/stat.h>
+ #include <linux/topology.h>
+@@ -484,6 +485,21 @@ pci_mmap_legacy_mem(struct kobject *kobj
+ #endif /* HAVE_PCI_LEGACY */
+
+ #ifdef HAVE_PCI_MMAP
++
++static int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma)
++{
++ unsigned long nr, start, size;
++
++ nr = (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
++ start = vma->vm_pgoff;
++ size = pci_resource_len(pdev, resno) >> PAGE_SHIFT;
++ if (start < size && size - start >= nr)
++ return 1;
++ printk(KERN_WARNING "WARNING: process \"%s\" tried to map 0x%08lx-0x%08lx on %s BAR %d (size 0x%08lx)\n",
++ current->comm, start, start+nr, pci_name(pdev), resno, size);
++ return 0;
++}
++
+ /**
+ * pci_mmap_resource - map a PCI resource into user memory space
+ * @kobj: kobject for mapping
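Review bot: `size = pci_resource_len(pdev, resno) >> PAGE_SHIFT;` in pci_mmap_fits() rounds the BAR length down to whole pages, so a resource shorter than one page gives `size == 0` and the `start < size` test rejects every mmap of it, including a legitimate single-page map at offset 0. If sub-page BARs are meant to stay mappable, round up instead, e.g. `size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;` with an early `return 0` for a zero-length resource. Rounding up lets the mapping cover the rest of that page, and that exposure trade-off deserves a comment. Separately, the `printk(KERN_WARNING ...)` is reachable from every rejected user-space mmap with no rate limit, and it prints page counts (`start`, `start+nr`, `size`) in a message that reads like byte addresses; a `printk_ratelimit()` guard and an "(in pages)" hint would make the log harder to flood and easier to read.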
+@@ -510,6 +526,9 @@ pci_mmap_resource(struct kobject *kobj,
+ if (i >= PCI_ROM_RESOURCE)
+ return -ENODEV;
+
++ if (!pci_mmap_fits(pdev, i, vma))
++ return -EINVAL;
++
+ /* pci_mmap_page_range() expects the same kind of entry as coming
+ * from /proc/bus/pci/ which is a "user visible" value. If this is
+ * different from the resource itself, arch will do necessary fixup.
--- /dev/null
+From khali@linux-fr.org Thu Oct 16 16:11:40 2008
+From: Jean Delvare <khali@linux-fr.org>
+Date: Fri, 10 Oct 2008 11:04:39 +0200
+Subject: hwmon: (it87) Prevent power-off on Shuttle SN68PT
+To: stable@kernel.org
+Message-ID: <20081010110439.0c508954@hyperion.delvare>
+
+From: Jean Delvare <khali@linux-fr.org>
+
+based on commit 98dd22c3e086d76058083432d4d8fb85f04bab90 upstream
+
+On the Shuttle SN68PT, FAN_CTL2 is apparently not connected to a fan,
+but to something else. One user has reported instant system power-off
+when changing the PWM2 duty cycle, so we disable it.
+
+I use the board name string as the trigger in case the same board is
+ever used in other systems.
+
+This closes lm-sensors ticket #2349:
+pwmconfig causes a hard poweroff
+http://www.lm-sensors.org/ticket/2349
+
+Signed-off-by: Jean Delvare <khali@linux-fr.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hwmon/it87.c | 39 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 33 insertions(+), 6 deletions(-)
+
+--- a/drivers/hwmon/it87.c
++++ b/drivers/hwmon/it87.c
+@@ -46,6 +46,8 @@
+ #include <linux/err.h>
+ #include <linux/mutex.h>
+ #include <linux/sysfs.h>
++#include <linux/string.h>
++#include <linux/dmi.h>
+ #include <asm/io.h>
+
+ #define DRVNAME "it87"
+@@ -235,6 +237,8 @@ struct it87_sio_data {
+ enum chips type;
+ /* Values read from Super-I/O config space */
+ u8 vid_value;
++ /* Values set based on DMI strings */
++ u8 skip_pwm;
+ };
+
+ /* For each registered chip, we need to keep some data in memory.
+@@ -952,6 +956,7 @@ static int __init it87_find(unsigned sho
+ {
+ int err = -ENODEV;
+ u16 chip_type;
++ const char *board_vendor, *board_name;
+
+ superio_enter();
+ chip_type = force_id ? force_id : superio_inw(DEVID);
+@@ -1009,6 +1014,25 @@ static int __init it87_find(unsigned sho
+ pr_info("it87: in7 is VCCH (+5V Stand-By)\n");
+ }
+
++ sio_data->skip_pwm = 0;
++ /* Disable specific features based on DMI strings */
++ board_vendor = dmi_get_system_info(DMI_BOARD_VENDOR);
++ board_name = dmi_get_system_info(DMI_BOARD_NAME);
++ if (board_vendor && board_name) {
++ if (strcmp(board_vendor, "nVIDIA") == 0
++ && strcmp(board_name, "FN68PT") == 0) {
++ /* On the Shuttle SN68PT, FAN_CTL2 is apparently not
++ connected to a fan, but to something else. One user
++ has reported instant system power-off when changing
++ the PWM2 duty cycle, so we disable it.
++ I use the board name string as the trigger in case
++ the same board is ever used in other systems. */
++ pr_info("it87: Disabling pwm2 due to "
++ "hardware constraints\n");
++ sio_data->skip_pwm = (1 << 1);
++ }
++ }
++
+ exit:
+ superio_exit();
+ return err;
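Review bot: The pwm2 mask is written as a bare `(1 << 1)` here and tested again as `(1 << 1)` in it87_probe(), and the comment on the new `skip_pwm` field does not say that it is a bitmask or which bit maps to which output. A field comment such as `/* Bitmask of PWM outputs to hide: bit n set = skip pwm(n+1) */`, optionally with a named constant for bit 1, would keep the two sites from drifting apart. The trigger is an exact `strcmp()` on both DMI strings, so a firmware revision that changes either string would silently re-expose pwm2; the block comment should state that limitation. it87_find() starts and ends outside this hunk.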
+@@ -1157,22 +1181,25 @@ static int __devinit it87_probe(struct p
+ if ((err = device_create_file(dev,
+ &sensor_dev_attr_pwm1_enable.dev_attr))
+ || (err = device_create_file(dev,
+- &sensor_dev_attr_pwm2_enable.dev_attr))
+- || (err = device_create_file(dev,
+ &sensor_dev_attr_pwm3_enable.dev_attr))
+ || (err = device_create_file(dev,
+ &sensor_dev_attr_pwm1.dev_attr))
+ || (err = device_create_file(dev,
+- &sensor_dev_attr_pwm2.dev_attr))
+- || (err = device_create_file(dev,
+ &sensor_dev_attr_pwm3.dev_attr))
+ || (err = device_create_file(dev,
+ &dev_attr_pwm1_freq))
+ || (err = device_create_file(dev,
+- &dev_attr_pwm2_freq))
+- || (err = device_create_file(dev,
+ &dev_attr_pwm3_freq)))
+ goto ERROR4;
++ if (!(sio_data->skip_pwm & (1 << 1))) {
++ if ((err = device_create_file(dev,
++ &sensor_dev_attr_pwm2_enable.dev_attr))
++ || (err = device_create_file(dev,
++ &sensor_dev_attr_pwm2.dev_attr))
++ || (err = device_create_file(dev,
++ &dev_attr_pwm2_freq)))
++ goto ERROR4;
++ }
+ }
+
+ if (data->type == it8712 || data->type == it8716
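Review bot: Skipping the three `device_create_file()` calls only removes the user-visible pwm2 controls; nothing in this hunk stops the driver itself from writing the FAN_CTL2 registers. If any init, update or resume path outside the hunk programs PWM2 (not visible here), it should test `sio_data->skip_pwm & (1 << 1)` as well, since the commit message reports an instant power-off on this board. it87_probe() starts and ends outside the hunk, and so does the `ERROR4` cleanup that these calls jump to.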
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:08:16 2008
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Mon, 13 Oct 2008 19:39:25 -0400
+Subject: PCI: disable ASPM on pre-1.1 PCIe devices
+To: stable@kernel.org
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Message-ID: <20081013193925.477fc770@redhat.com>
+
+From: Shaohua Li <shaohua.li@intel.com>
+
+commit 149e16372a2066c5474d8a8db9b252afd57eb427 upstream
+
+Disable ASPM on pre-1.1 PCIe devices, as many of them don't implement it
+correctly.
+
+Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu>
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/pcie/aspm.c | 13 +++++++++++++
+ drivers/pci/probe.c | 3 ++-
+ include/linux/pci_regs.h | 1 +
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -510,6 +510,7 @@ static int pcie_aspm_sanity_check(struct
+ {
+ struct pci_dev *child_dev;
+ int child_pos;
++ u32 reg32;
+
+ /*
+ * Some functions in a slot might not all be PCIE functions, very
+@@ -519,6 +520,18 @@ static int pcie_aspm_sanity_check(struct
+ child_pos = pci_find_capability(child_dev, PCI_CAP_ID_EXP);
+ if (!child_pos)
+ return -EINVAL;
++
++ /*
++ * Disable ASPM for pre-1.1 PCIe device, we follow MS to use
++ * RBER bit to determine if a function is 1.1 version device
++ */
++ pci_read_config_dword(child_dev, child_pos + PCI_EXP_DEVCAP,
++ ®32);
++ if (!(reg32 & PCI_EXP_DEVCAP_RBER)) {
++ printk("Pre-1.1 PCIe device detected, "
++ "disable ASPM for %s\n", pci_name(pdev));
++ return -EINVAL;
++ }
+ }
+ return 0;
+ }
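Review bot: The return value of `pci_read_config_dword()` is ignored before `reg32` is tested, and `reg32` is declared without an initialiser, so a failed config read leaves the RBER decision to an uninitialised or all-ones value that can pass as a 1.1 device. Treating a read failure as `-EINVAL`, like the missing-capability branch just above, would keep ASPM off when the capability cannot be read. The `printk()` has no `KERN_` level and names only `pdev`, not the `child_dev` that lacked the bit, e.g. `printk(KERN_INFO "Pre-1.1 PCIe device %s detected, disable ASPM for %s\n", pci_name(child_dev), pci_name(pdev));`. The `®32` on the continuation line looks like a rendering artefact of `&reg32`. The loop header of pcie_aspm_sanity_check() is outside the hunk.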
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1047,7 +1047,8 @@ int pci_scan_slot(struct pci_bus *bus, i
+ }
+ }
+
+- if (bus->self)
++ /* only one slot has pcie device */
++ if (bus->self && nr)
+ pcie_aspm_init_link_state(bus->self);
+
+ return nr;
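Review bot: The added comment `/* only one slot has pcie device */` does not explain the new `&& nr` condition. `nr` is the value the function returns, presumably the number of functions found in this slot, so the intent appears to be to skip ASPM link setup when the scan found nothing. A comment like `/* Only set up ASPM link state if this slot scan found at least one function */` would say that directly. pci_scan_slot() starts outside the hunk.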
+--- a/include/linux/pci_regs.h
++++ b/include/linux/pci_regs.h
+@@ -373,6 +373,7 @@
+ #define PCI_EXP_DEVCAP_ATN_BUT 0x1000 /* Attention Button Present */
+ #define PCI_EXP_DEVCAP_ATN_IND 0x2000 /* Attention Indicator Present */
+ #define PCI_EXP_DEVCAP_PWR_IND 0x4000 /* Power Indicator Present */
++#define PCI_EXP_DEVCAP_RBER 0x8000 /* Role-Based Error Reporting */
+ #define PCI_EXP_DEVCAP_PWR_VAL 0x3fc0000 /* Slot Power Limit Value */
+ #define PCI_EXP_DEVCAP_PWR_SCL 0xc000000 /* Slot Power Limit Scale */
+ #define PCI_EXP_DEVCTL 8 /* Device Control */
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:07:33 2008
+From: Shaohua Li <shaohua.li@intel.com>
+Date: Mon, 13 Oct 2008 19:38:11 -0400
+Subject: PCI: disable ASPM per ACPI FADT setting
+To: stable@kernel.org
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Message-ID: <20081013193811.1baf8b98@redhat.com>
+
+
+From: Shaohua Li <shaohua.li@intel.com>
+commit 5fde244d39b88625ac578d83e6625138714de031 upstream
+
+The ACPI FADT table includes an ASPM control bit. If the bit is set, do
+not enable ASPM since it may indicate that the platform doesn't actually
+support the feature.
+
+Tested-by: Jack Howarth <howarth@bromo.msbb.uc.edu>
+Signed-off-by: Shaohua Li <shaohua.li@intel.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/pci-acpi.c | 7 +++++++
+ drivers/pci/pcie/aspm.c | 5 +++++
+ include/acpi/actbl.h | 1 +
+ include/linux/pci-aspm.h | 5 +++++
+ 4 files changed, 18 insertions(+)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -11,6 +11,7 @@
+ #include <linux/init.h>
+ #include <linux/pci.h>
+ #include <linux/module.h>
++#include <linux/pci-aspm.h>
+ #include <acpi/acpi.h>
+ #include <acpi/acnamesp.h>
+ #include <acpi/acresrc.h>
+@@ -394,6 +395,12 @@ static int __init acpi_pci_init(void)
+ printk(KERN_INFO"ACPI FADT declares the system doesn't support MSI, so disable it\n");
+ pci_no_msi();
+ }
++
++ if (acpi_gbl_FADT.boot_flags & BAF_PCIE_ASPM_CONTROL) {
++ printk(KERN_INFO"ACPI FADT declares the system doesn't support PCIe ASPM, so disable it\n");
++ pcie_no_aspm();
++ }
++
+ ret = register_acpi_bus_type(&acpi_pci_bus);
+ if (ret)
+ return 0;
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -808,6 +808,11 @@ static int __init pcie_aspm_disable(char
+
+ __setup("pcie_noaspm", pcie_aspm_disable);
+
++void pcie_no_aspm(void)
++{
++ aspm_disabled = 1;
++}
++
+ #ifdef CONFIG_ACPI
+ #include <acpi/acpi_bus.h>
+ #include <linux/pci-acpi.h>
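Review bot: `pcie_no_aspm()` is a new cross-file entry point with no comment, and because it only sets `aspm_disabled = 1` it has an effect only if it runs before link state is initialised. A header comment such as `/* Firmware policy hook (ACPI FADT): turn ASPM off; must run before PCIe links are scanned */` would document that ordering requirement. Whether acpi_pci_init() always runs early enough is not visible in these hunks. Its only caller on this page, acpi_pci_init(), is `__init`, so the function could be marked `__init` as well.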
+--- a/include/acpi/actbl.h
++++ b/include/acpi/actbl.h
+@@ -277,6 +277,7 @@ enum acpi_prefered_pm_profiles {
+ #define BAF_LEGACY_DEVICES 0x0001
+ #define BAF_8042_KEYBOARD_CONTROLLER 0x0002
+ #define BAF_MSI_NOT_SUPPORTED 0x0008
++#define BAF_PCIE_ASPM_CONTROL 0x0010
+
+ #define FADT2_REVISION_ID 3
+ #define FADT2_MINUS_REVISION_ID 2
+--- a/include/linux/pci-aspm.h
++++ b/include/linux/pci-aspm.h
+@@ -27,6 +27,7 @@ extern void pcie_aspm_init_link_state(st
+ extern void pcie_aspm_exit_link_state(struct pci_dev *pdev);
+ extern void pcie_aspm_pm_state_change(struct pci_dev *pdev);
+ extern void pci_disable_link_state(struct pci_dev *pdev, int state);
++extern void pcie_no_aspm(void);
+ #else
+ static inline void pcie_aspm_init_link_state(struct pci_dev *pdev)
+ {
+@@ -40,6 +41,10 @@ static inline void pcie_aspm_pm_state_ch
+ static inline void pci_disable_link_state(struct pci_dev *pdev, int state)
+ {
+ }
++
++static inline void pcie_no_aspm(void)
++{
++}
+ #endif
+
+ #ifdef CONFIG_PCIEASPM_DEBUG /* this depends on CONFIG_PCIEASPM */
v4l-bttv-prevent-null-pointer-dereference-in-radio_open.patch
v4l-zr36067-fix-rgbr-pixel-format.patch
don-t-allow-splice-to-files-opened-with-o_append.patch
+v4l-dvb-uvcvideo-return-sensible-min-and-max-values-when-querying-a-boolean-control.patch
+v4l-dvb-uvcvideo-don-t-use-stack-based-buffers-for-usb-transfers.patch
+v4l-dvb-fix-buffer-overflow-in-uvc-video.patch
+pci-disable-aspm-per-acpi-fadt-setting.patch
+pci-disable-aspm-on-pre-1.1-pcie-devices.patch
+x86-avoid-dereferencing-beyond-stack-thread_size.patch
+check-mapped-ranges-on-sysfs-resource-files.patch
+hwmon-prevent-power-off-on-shuttle-sn68pt.patch
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:06:43 2008
+From: Ralph Loader <suckfish@ihug.co.nz>
+Date: Mon, 13 Oct 2008 19:35:38 -0400
+Subject: V4L/DVB (9053): fix buffer overflow in uvc-video
+To: stable@kernel.org
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Message-ID: <20081013193538.155c96fc@redhat.com>
+
+Commit fe6c700ff34e68e1eb7991e9c5d18986d0005ac1 upstream
+
+V4L/DVB (9053): fix buffer overflow in uvc-video
+
+There is a buffer overflow in drivers/media/video/uvc/uvc_ctrl.c:
+
+INFO: 0xf2c5ce08-0xf2c5ce0b. First byte 0xa1 instead of 0xcc
+INFO: Allocated in uvc_query_v4l2_ctrl+0x3c/0x239 [uvcvideo] age=13 cpu=1 pid=4975
+...
+
+A fixed size 8-byte buffer is allocated, and a variable size field is read
+into it; there is no particular bound on the size of the field (it is
+dependent on hardware and configuration) and it can overflow [also
+verified by inserting printk's.]
+
+The patch attempts to size the buffer correctly.
+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/video/uvc/uvc_ctrl.c
++++ b/drivers/media/video/uvc/uvc_ctrl.c
+@@ -592,7 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ if (ctrl == NULL)
+ return -EINVAL;
+
+- data = kmalloc(8, GFP_KERNEL);
++ data = kmalloc(ctrl->info->size, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
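Review bot: Sizing the allocation from `ctrl->info->size` removes the fixed 8-byte limit, but no lower bound is visible. With a size of 0, `kmalloc()` returns a non-NULL zero-size pointer that passes the `data == NULL` test, and the later `uvc_get_le_value(data, mapping)` calls would read through it. Those reads are driven by the mapping's offset and size, so the buffer is only large enough if every mapping fits inside `ctrl->info->size`. If that invariant is not enforced where controls and mappings are registered (outside this hunk), a guard such as `if (ctrl->info->size == 0) return -EINVAL;` and a comment naming the invariant belong here. uvc_query_v4l2_ctrl() continues outside the hunk.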
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:06:03 2008
+From: Laurent Pinchart <laurent.pinchart@skynet.be>
+Date: Mon, 13 Oct 2008 19:33:49 -0400
+Subject: V4L/DVB (8617): uvcvideo: don't use stack-based buffers for USB transfers.
+To: stable@kernel.org
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Message-ID: <20081013193349.071ff299@redhat.com>
+
+From: Laurent Pinchart <laurent.pinchart@skynet.be>
+
+commit 04793dd041bbb88a39b768b714c725de2c339b51 upstream
+
+Data buffers on the stack are not allowed for USB I/O. Use dynamically
+allocated buffers instead.
+
+Signed-off-by: Bruce Schmid <duck@freescale.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_ctrl.c | 33 +++++++++++++++++++++------------
+ drivers/media/video/uvc/uvc_video.c | 33 ++++++++++++++++++++++-----------
+ 2 files changed, 43 insertions(+), 23 deletions(-)
+
+--- a/drivers/media/video/uvc/uvc_ctrl.c
++++ b/drivers/media/video/uvc/uvc_ctrl.c
+@@ -585,13 +585,17 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ struct uvc_control_mapping *mapping;
+ struct uvc_menu_info *menu;
+ unsigned int i;
+- __u8 data[8];
++ __u8 *data;
+ int ret;
+
+ ctrl = uvc_find_control(video, v4l2_ctrl->id, &mapping);
+ if (ctrl == NULL)
+ return -EINVAL;
+
++ data = kmalloc(8, GFP_KERNEL);
++ if (data == NULL)
++ return -ENOMEM;
++
+ memset(v4l2_ctrl, 0, sizeof *v4l2_ctrl);
+ v4l2_ctrl->id = mapping->id;
+ v4l2_ctrl->type = mapping->v4l2_type;
+@@ -604,8 +608,8 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ if (ctrl->info->flags & UVC_CONTROL_GET_DEF) {
+ if ((ret = uvc_query_ctrl(video->dev, GET_DEF, ctrl->entity->id,
+ video->dev->intfnum, ctrl->info->selector,
+- &data, ctrl->info->size)) < 0)
+- return ret;
++ data, ctrl->info->size)) < 0)
++ goto out;
+ v4l2_ctrl->default_value = uvc_get_le_value(data, mapping);
+ }
+
+@@ -623,13 +627,15 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ }
+ }
+
+- return 0;
++ ret = 0;
++ goto out;
+
+ case V4L2_CTRL_TYPE_BOOLEAN:
+ v4l2_ctrl->minimum = 0;
+ v4l2_ctrl->maximum = 1;
+ v4l2_ctrl->step = 1;
+- return 0;
++ ret = 0;
++ goto out;
+
+ default:
+ break;
+@@ -638,26 +644,29 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ if (ctrl->info->flags & UVC_CONTROL_GET_MIN) {
+ if ((ret = uvc_query_ctrl(video->dev, GET_MIN, ctrl->entity->id,
+ video->dev->intfnum, ctrl->info->selector,
+- &data, ctrl->info->size)) < 0)
+- return ret;
++ data, ctrl->info->size)) < 0)
++ goto out;
+ v4l2_ctrl->minimum = uvc_get_le_value(data, mapping);
+ }
+ if (ctrl->info->flags & UVC_CONTROL_GET_MAX) {
+ if ((ret = uvc_query_ctrl(video->dev, GET_MAX, ctrl->entity->id,
+ video->dev->intfnum, ctrl->info->selector,
+- &data, ctrl->info->size)) < 0)
+- return ret;
++ data, ctrl->info->size)) < 0)
++ goto out;
+ v4l2_ctrl->maximum = uvc_get_le_value(data, mapping);
+ }
+ if (ctrl->info->flags & UVC_CONTROL_GET_RES) {
+ if ((ret = uvc_query_ctrl(video->dev, GET_RES, ctrl->entity->id,
+ video->dev->intfnum, ctrl->info->selector,
+- &data, ctrl->info->size)) < 0)
+- return ret;
++ data, ctrl->info->size)) < 0)
++ goto out;
+ v4l2_ctrl->step = uvc_get_le_value(data, mapping);
+ }
+
+- return 0;
++ ret = 0;
++out:
++ kfree(data);
++ return ret;
+ }
+
+
+--- a/drivers/media/video/uvc/uvc_video.c
++++ b/drivers/media/video/uvc/uvc_video.c
+@@ -90,17 +90,20 @@ static void uvc_fixup_buffer_size(struct
+ static int uvc_get_video_ctrl(struct uvc_video_device *video,
+ struct uvc_streaming_control *ctrl, int probe, __u8 query)
+ {
+- __u8 data[34];
+- __u8 size;
++ __u8 *data;
++ __u16 size;
+ int ret;
+
+ size = video->dev->uvc_version >= 0x0110 ? 34 : 26;
++ data = kmalloc(size, GFP_KERNEL);
++ if (data == NULL)
++ return -ENOMEM;
++
+ ret = __uvc_query_ctrl(video->dev, query, 0, video->streaming->intfnum,
+- probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, &data, size,
++ probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, data, size,
+ UVC_CTRL_STREAMING_TIMEOUT);
+-
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ctrl->bmHint = le16_to_cpup((__le16 *)&data[0]);
+ ctrl->bFormatIndex = data[2];
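Review bot: `data` in uvc_get_video_ctrl() now comes from `kmalloc()`, so the field parsing that follows reads uninitialised heap wherever the device did not fill the buffer. Whether `__uvc_query_ctrl()` rejects short transfers is not visible here; if it does not, `data = kzalloc(size, GFP_KERNEL);` (as uvc_set_video_ctrl() already does in this commit) keeps stale kernel memory out of `ctrl`. The function continues outside the hunk.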
+@@ -136,17 +139,22 @@ static int uvc_get_video_ctrl(struct uvc
+ */
+ uvc_fixup_buffer_size(video, ctrl);
+
+- return 0;
++out:
++ kfree(data);
++ return ret;
+ }
+
+ int uvc_set_video_ctrl(struct uvc_video_device *video,
+ struct uvc_streaming_control *ctrl, int probe)
+ {
+- __u8 data[34];
+- __u8 size;
++ __u8 *data;
++ __u16 size;
++ int ret;
+
+ size = video->dev->uvc_version >= 0x0110 ? 34 : 26;
+- memset(data, 0, sizeof data);
++ data = kzalloc(size, GFP_KERNEL);
++ if (data == NULL)
++ return -ENOMEM;
+
+ *(__le16 *)&data[0] = cpu_to_le16(ctrl->bmHint);
+ data[2] = ctrl->bFormatIndex;
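Review bot: The success path of uvc_get_video_ctrl() now ends in `return ret;` with `ret` still holding the `__uvc_query_ctrl()` result, where the old code returned a literal 0. The uvc_ctrl.c half of this commit sets `ret = 0;` before its `out:` label. Doing the same here, with `ret = 0;` just before `out:`, would keep the return contract independent of what the helper returns on success, which these hunks do not show. uvc_set_video_ctrl() starts in this hunk and finishes in the next one.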
+@@ -174,10 +182,13 @@ int uvc_set_video_ctrl(struct uvc_video_
+ data[33] = ctrl->bMaxVersion;
+ }
+
+- return __uvc_query_ctrl(video->dev, SET_CUR, 0,
++ ret = __uvc_query_ctrl(video->dev, SET_CUR, 0,
+ video->streaming->intfnum,
+- probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, &data, size,
++ probe ? VS_PROBE_CONTROL : VS_COMMIT_CONTROL, data, size,
+ UVC_CTRL_STREAMING_TIMEOUT);
++
++ kfree(data);
++ return ret;
+ }
+
+ int uvc_probe_video(struct uvc_video_device *video,
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:02:56 2008
+From: Laurent Pinchart <laurent.pinchart@skynet.be>
+Date: Mon, 13 Oct 2008 19:32:03 -0400
+Subject: V4L/DVB (8498): uvcvideo: Return sensible min and max values when querying a boolean control.
+To: stable@kernel.org
+Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
+Message-ID: <20081013193203.672839be@redhat.com>
+
+From: Laurent Pinchart <laurent.pinchart@skynet.be>
+
+commit 54812c77bc830e2dbcb62b4c6d8a9c7f97cfdd1b upstream
+
+[required to get the following two patches to apply]
+
+Although the V4L2 spec states that the minimum and maximum fields may not be
+valid for control types other than V4L2_CTRL_TYPE_INTEGER, it makes sense
+to set the bounds to 0 and 1 for boolean controls instead of returning
+uninitialized values.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_ctrl.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/video/uvc/uvc_ctrl.c
++++ b/drivers/media/video/uvc/uvc_ctrl.c
+@@ -592,6 +592,7 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ if (ctrl == NULL)
+ return -EINVAL;
+
++ memset(v4l2_ctrl, 0, sizeof *v4l2_ctrl);
+ v4l2_ctrl->id = mapping->id;
+ v4l2_ctrl->type = mapping->v4l2_type;
+ strncpy(v4l2_ctrl->name, mapping->name, sizeof v4l2_ctrl->name);
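Review bot: The added `memset()` is what guarantees that fields this function never assigns come back as zero, not as stale data, but nothing next to it says so. A comment such as `/* Zero the whole struct so fields left unset below are never returned uninitialised */` would stop a later cleanup from dropping it. The `strncpy()` on the context line below it still copies up to `sizeof v4l2_ctrl->name` bytes without forcing a terminator; that line is pre-existing, but with the struct zeroed, `strncpy(v4l2_ctrl->name, mapping->name, sizeof v4l2_ctrl->name - 1);` would guarantee termination.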
+@@ -608,7 +609,8 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ v4l2_ctrl->default_value = uvc_get_le_value(data, mapping);
+ }
+
+- if (mapping->v4l2_type == V4L2_CTRL_TYPE_MENU) {
++ switch (mapping->v4l2_type) {
++ case V4L2_CTRL_TYPE_MENU:
+ v4l2_ctrl->minimum = 0;
+ v4l2_ctrl->maximum = mapping->menu_count - 1;
+ v4l2_ctrl->step = 1;
+@@ -622,6 +624,15 @@ int uvc_query_v4l2_ctrl(struct uvc_video
+ }
+
+ return 0;
++
++ case V4L2_CTRL_TYPE_BOOLEAN:
++ v4l2_ctrl->minimum = 0;
++ v4l2_ctrl->maximum = 1;
++ v4l2_ctrl->step = 1;
++ return 0;
++
++ default:
++ break;
+ }
+
+ if (ctrl->info->flags & UVC_CONTROL_GET_MIN) {
--- /dev/null
+From cebbert@redhat.com Thu Oct 16 16:09:02 2008
+From: David Rientjes <rientjes@google.com>
+Date: Mon, 13 Oct 2008 19:42:12 -0400
+Subject: x86: avoid dereferencing beyond stack + THREAD_SIZE
+To: stable@kernel.org
+Cc: Ingo Molnar <mingo@elte.hu>
+Message-ID: <20081013194212.6c49544a@redhat.com>
+
+
+From: David Rientjes <rientjes@google.com>
+
+commit 60e6258cd43f9b06884f04f0f7cefb9c40f17a32 upstream
+
+It's possible for get_wchan() to dereference past task->stack + THREAD_SIZE
+while iterating through instruction pointers if fp equals the upper boundary,
+causing a kernel panic.
+
+Signed-off-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/process_64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -740,12 +740,12 @@ unsigned long get_wchan(struct task_stru
+ if (!p || p == current || p->state==TASK_RUNNING)
+ return 0;
+ stack = (unsigned long)task_stack_page(p);
+- if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE)
++ if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
+ return 0;
+ fp = *(u64 *)(p->thread.sp);
+ do {
+ if (fp < (unsigned long)stack ||
+- fp > (unsigned long)stack+THREAD_SIZE)
++ fp >= (unsigned long)stack+THREAD_SIZE)
+ return 0;
+ ip = *(u64 *)(fp+8);
+ if (!in_sched_functions(ip))
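Review bot: Changing `>` to `>=` rejects a pointer that sits exactly at `stack+THREAD_SIZE`, but both dereferences read eight bytes and the loop reads at `fp+8`, so values in the last few bytes below the boundary still reach past the stack. `*(u64 *)(p->thread.sp)` needs `sp + 8 <= stack+THREAD_SIZE` and `*(u64 *)(fp+8)` needs `fp + 16 <= stack+THREAD_SIZE`. The checks could be written as `p->thread.sp > stack+THREAD_SIZE-sizeof(u64)` and `fp > (unsigned long)stack+THREAD_SIZE-2*sizeof(u64)`. The loop body continues outside the hunk, including the next-frame load (presumably `fp = *(u64 *)fp`), which the tighter bound would also cover.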