.26 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Oct 2008 23:39:59 +0000 (16:39 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 17 Oct 2008 23:39:59 +0000 (16:39 -0700)
queue-2.6.26/acpi-ignore-_bqc-object-when-registering-backlight-device.patch [new file with mode: 0644]
queue-2.6.26/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch [new file with mode: 0644]
queue-2.6.26/series

diff --git a/queue-2.6.26/acpi-ignore-_bqc-object-when-registering-backlight-device.patch b/queue-2.6.26/acpi-ignore-_bqc-object-when-registering-backlight-device.patch
new file mode 100644 (file)
index 0000000..c86d7e5
--- /dev/null
@@ -0,0 +1,62 @@
+From lenb@kernel.org  Fri Oct 17 16:33:15 2008
+From: Zhao Yakui <yakui.zhao@intel.com>
+Date: Fri, 17 Oct 2008 02:16:41 -0400 (EDT)
+Subject: ACPI: Ignore _BQC object when registering backlight device
+To: stable@kernel.org
+Cc: Zhao Yakui <yakui.zhao@intel.com>, linux-acpi@vger.kernel.org
+Message-ID: <alpine.LFD.1.10.0810170213450.3026@localhost.localdomain>
+
+
+From: Zhao Yakui <yakui.zhao@intel.com>
+
+upstream commmit: c2c789057f075022658b38b498755c29c1ba8055
+
+According to acpi spec , the objectes of  _BCL and _BCM are required if
+integrated LCD is present and supports brightness level and the _BQC is
+the optional object. So the _BQC object will be ignored when the backlight
+device is registered.
+At the same time when there is no _BQC object, the current brightness will be
+set to the maximum.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=10206
+
+Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
+Signed-off-by: Zhang Rui  <rui.zhang@intel.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Cc: Len Brown <lenb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/video.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -720,7 +720,7 @@ static void acpi_video_device_find_cap(s
+       kfree(obj);
+-      if (device->cap._BCL && device->cap._BCM && device->cap._BQC && max_level > 0){
++      if (device->cap._BCL && device->cap._BCM && max_level > 0) {
+               int result;
+               static int count = 0;
+               char *name;
+@@ -732,7 +732,17 @@ static void acpi_video_device_find_cap(s
+               device->backlight = backlight_device_register(name,
+                       NULL, device, &acpi_backlight_ops);
+               device->backlight->props.max_brightness = device->brightness->count-3;
+-              device->backlight->props.brightness = acpi_video_get_brightness(device->backlight);
++              /*
++               * If there exists the _BQC object, the _BQC object will be
++               * called to get the current backlight brightness. Otherwise
++               * the brightness will be set to the maximum.
++               */
++              if (device->cap._BQC)
++                      device->backlight->props.brightness =
++                              acpi_video_get_brightness(device->backlight);
++              else
++                      device->backlight->props.brightness =
++                              device->backlight->props.max_brightness;
+               backlight_update_status(device->backlight);
+               kfree(name);
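Review bot: The pointer returned by `backlight_device_register()` is dereferenced on the very next line without an error check, and dropping `device->cap._BQC` from the condition means more devices now reach this path. That call reports failure with an ERR_PTR value, so a failed registration would fault at `device->backlight->props.max_brightness`. Testing `if (IS_ERR(device->backlight))` right after the call, freeing `name` and skipping the `props` assignments and `backlight_update_status()`, would cover it. Separately, on firmware without `_BQC` the new else branch followed by `backlight_update_status()` appears to push the panel to full brightness at registration, not just seed a cached value; the added comment could say that this hardware write is intended. acpi_video_device_find_cap() starts and ends outside the hunk, so the right exit path after the check is not visible here.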
diff --git a/queue-2.6.26/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch b/queue-2.6.26/drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch
new file mode 100644 (file)
index 0000000..c37097d
--- /dev/null
@@ -0,0 +1,36 @@
+From 4b40893918203ee1a1f6a114316c2a19c072e9bd Mon Sep 17 00:00:00 2001
+From: Matthias Hopf <mhopf@suse.de>
+Date: Sat, 18 Oct 2008 07:18:05 +1000
+Subject: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)
+
+From: Matthias Hopf <mhopf@suse.de>
+
+commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream
+
+Olaf Kirch noticed that the i915_set_status_page() function of the i915
+kernel driver calls ioremap with an address offset that is supplied by
+userspace via ioctl. The function zeroes the mapped memory via memset
+and tells the hardware about the address. Turns out that access to that
+ioctl is not restricted to root so users could probably exploit that to
+do nasty things. We haven't tried to write actual exploit code though.
+
+It only affects the Intel G33 series and newer.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/drm/i915_dma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/drm/i915_dma.c
++++ b/drivers/char/drm/i915_dma.c
+@@ -836,7 +836,7 @@ struct drm_ioctl_desc i915_ioctls[] = {
+       DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE,  i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ),
+       DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE,  i915_vblank_pipe_get, DRM_AUTH ),
+       DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH),
+-      DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH),
++      DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY),
+ };
+ int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls);
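Review bot: The flags on the `DRM_I915_HWS_ADDR` entry are now the only barrier in front of a handler that, per the commit description, calls ioremap on an offset taken from the ioctl argument and then memsets the mapping. i915_set_status_page() is outside this hunk, so whether it bounds that offset cannot be confirmed here. As defence in depth, a follow-up should have the handler reject any address that does not fall inside the range the device is expected to use, so a privileged but buggy or compromised caller cannot map arbitrary memory. A short comment above the entry would also keep the flags from being relaxed later, for example `/* root-only: handler ioremaps a caller-supplied offset, see CVE-2008-3831 */`.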
index 9832a6f5a9830ef653d68bd011982fba0557bf67..c110538f781eee8900076510dc39f65950ef491f 100644 (file)
@@ -21,3 +21,5 @@ pci-disable-aspm-on-pre-1.1-pcie-devices.patch
 x86-avoid-dereferencing-beyond-stack-thread_size.patch
 check-mapped-ranges-on-sysfs-resource-files.patch
 hwmon-prevent-power-off-on-shuttle-sn68pt.patch
+acpi-ignore-_bqc-object-when-registering-backlight-device.patch
+drm-i915-fix-ioremap-of-a-user-address-for-non-root.patch