3.4-stable patches

added patches:
	fs-fix-possible-use-after-free-with-aio.patch
	media-rc-unlock-on-error-in-show_protocols.patch

diff --git a/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch b/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch
new file mode 100644 (file)
index 0000000..552a0ed
--- /dev/null
+++ b/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch
@@ -0,0 +1,39 @@
+From 54c807e71d5ac59dee56c685f2b66e27cd54c475 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 30 Jan 2013 00:28:01 +0100
+Subject: fs: Fix possible use-after-free with AIO
+
+From: Jan Kara <jack@suse.cz>
+
+commit 54c807e71d5ac59dee56c685f2b66e27cd54c475 upstream.
+
+Running AIO is pinning inode in memory using file reference. Once AIO
+is completed using aio_complete(), file reference is put and inode can
+be freed from memory. So we have to be sure that calling aio_complete()
+is the last thing we do with the inode.
+
+Acked-by: Jeff Moyer <jmoyer@redhat.com>
+CC: Christoph Hellwig <hch@infradead.org>
+CC: Jens Axboe <axboe@kernel.dk>
+CC: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/direct-io.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -305,9 +305,9 @@ static ssize_t dio_complete(struct dio *
+               dio->end_io(dio->iocb, offset, transferred,
+                           dio->private, ret, is_async);
+       } else {
++              inode_dio_done(dio->inode);
+               if (is_async)
+                       aio_complete(dio->iocb, ret, 0);
+-              inode_dio_done(dio->inode);
+       }
+ 
+       return ret;

diff --git a/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch b/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch
new file mode 100644 (file)
index 0000000..91b1f59
--- /dev/null
+++ b/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch
@@ -0,0 +1,37 @@
+From 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 27 Nov 2012 13:35:09 -0300
+Subject: media: rc: unlock on error in show_protocols()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 upstream.
+
+We recently introduced a new return -ENODEV in this function but we need
+to unlock before returning.
+
+[mchehab@redhat.com: found two patches with the same fix. Merged SOB's/acks into one patch]
+Acked-by: Herton R. Krzesinski <herton.krzesinski@canonical.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Douglas Bagnall <douglas@paradise.net.nz>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -778,8 +778,10 @@ static ssize_t show_protocols(struct dev
+       } else if (dev->raw) {
+               enabled = dev->raw->enabled_protocols;
+               allowed = ir_raw_get_allowed_protocols();
+-      } else
++      } else {
++              mutex_unlock(&dev->lock);
+               return -ENODEV;
++      }
+ 
+       IR_dprintk(1, "allowed - 0x%llx, enabled - 0x%llx\n",
+                  (long long)allowed,

diff --git a/queue-3.4/series b/queue-3.4/series
index 9d57ff8847a708caa14daea01363ff333ccea997..67b1408e55491ad9107dd202f105ed11b77e159a 100644 (file)
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -19,3 +19,5 @@ idr-fix-a-subtle-bug-in-idr_get_next.patch
 block-fix-synchronization-and-limit-check-in-blk_alloc_devt.patch
 firewire-add-minor-number-range-check-to-fw_device_init.patch
 sysctl-fix-null-checking-in-bin_dn_node_address.patch
+fs-fix-possible-use-after-free-with-aio.patch
+media-rc-unlock-on-error-in-show_protocols.patch