--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:47:21 2007
+From: Ulrich Drepper <drepper@redhat.com>
+Date: Tue, 31 Jul 2007 00:38:16 -0700
+Subject: CPU online file permission
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, drepper@redhat.com, stable@kernel.org
+Message-ID: <200707310738.l6V7cGTs021998@imap1.linux-foundation.org>
+
+
+From: Ulrich Drepper <drepper@redhat.com>
+
+Is there a reason why the "online" file in the subdirectories for the CPUs
+in /sys/devices/system isn't world-readable? I cannot imagine it to be
+security relevant especially now that a getcpu() syscall can be used to
+determine what CPUa thread runs on.
+
+The file is useful to correctly implement the sysconf() function to return
+the number of online CPUs. In the presence of hotplug we currently cannot
+provide this information. The patch below should to it.
+
+Signed-off-by: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -53,7 +53,7 @@ static ssize_t store_online(struct sys_d
+ ret = count;
+ return ret;
+ }
+-static SYSDEV_ATTR(online, 0600, show_online, store_online);
++static SYSDEV_ATTR(online, 0644, show_online, store_online);
+
+ static void __devinit register_cpu_control(struct cpu *cpu)
+ {
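Review bot: the 0600 to 0644 change on the online attribute is justified in the changelog only by a question ("Is there a reason why ... isn't world-readable?"). The message should state the conclusion instead: only read access is widened, and writes through store_online stay owner-only under 0644. Naming the intended reader (sysconf() counting online CPUs under hotplug) in a comment next to the SYSDEV_ATTR line would also record why the mode must not be tightened again.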
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jul 21 04:37:49 2007
+From: Milan Broz <mbroz@redhat.com>
+Date: Sat, 21 Jul 2007 04:37:27 -0700
+Subject: dm io: fix panic on large request
+To: torvalds@linux-foundation.org
+Cc: christophe@saout.de, stable@kernel.org, cebbert@redhat.com, akpm@linux-foundation.org, kaber@trash.net, agk@redhat.com, mbroz@redhat.com
+Message-ID: <200707211137.l6LBbR52014349@imap1.linux-foundation.org>
+
+
+From: Milan Broz <mbroz@redhat.com>
+
+Flush workqueue before releasing bioset and mopools in dm-crypt. There can
+be finished but not yet released request.
+
+Call chain causing oops:
+ run workqueue
+ dec_pending
+ bio_endio(...);
+ <remove device request - remove mempool>
+ mempool_free(io, cc->io_pool);
+
+This usually happens when cryptsetup create temporary
+luks mapping in the beggining of crypt device activation.
+
+When dm-core calls destructor crypt_dtr, no new request
+are possible.
+
+Signed-off-by: Milan Broz <mbroz@redhat.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Cc: Patrick McHardy <kaber@trash.net>
+Acked-by: Alasdair G Kergon <agk@redhat.com>
+Cc: Christophe Saout <christophe@saout.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/dm-crypt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -920,6 +920,8 @@ static void crypt_dtr(struct dm_target *
+ {
+ struct crypt_config *cc = (struct crypt_config *) ti->private;
+
++ flush_workqueue(_kcryptd_workqueue);
++
+ bioset_free(cc->bs);
+ mempool_destroy(cc->page_pool);
+ mempool_destroy(cc->io_pool);
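Review bot: the Subject ("dm io: fix panic on large request") does not describe this change. The hunk adds flush_workqueue(_kcryptd_workqueue) at the top of crypt_dtr in drivers/md/dm-crypt.c, and the body is about dm-crypt teardown, so the Subject should be corrected before this is queued. In the code, a one-line comment above the flush saying that finished but not yet released requests can still reach mempool_free(io, cc->io_pool) would explain why it must precede bioset_free and the two mempool_destroy calls.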
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:48:13 2007
+From: Mingming Cao <cmm@us.ibm.com>
+Date: Tue, 31 Jul 2007 00:37:46 -0700
+Subject: "ext4_ext_put_in_cache" uses __u32 to receive physical block number
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, linux-ext4@vger.kernel.org, cmm@us.ibm.com, stable@kernel.org, yanzheng@21cn.com
+Message-ID: <200707310737.l6V7bk50021902@imap1.linux-foundation.org>
+
+
+From: Mingming Cao <cmm@us.ibm.com>
+
+Yan Zheng wrote:
+
+> I think I found a bug in ext4/extents.c, "ext4_ext_put_in_cache" uses
+> "__u32" to receive physical block number. "ext4_ext_put_in_cache" is
+> used in "ext4_ext_get_blocks", it sets ext4 inode's extent cache
+> according most recently tree lookup (higher 16 bits of saved physical
+> block number are always zero). when serving a mapping request,
+> "ext4_ext_get_blocks" first check whether the logical block is in
+> inode's extent cache. if the logical block is in the cache and the
+> cached region isn't a gap, "ext4_ext_get_blocks" gets physical block
+> number by using cached region's physical block number and offset in
+> the cached region. as described above, "ext4_ext_get_blocks" may
+> return wrong result when there are physical block numbers bigger than
+> 0xffffffff.
+>
+
+You are right. Thanks for reporting this!
+
+Signed-off-by: Mingming Cao <cmm@us.ibm.com>
+Cc: Yan Zheng <yanzheng@21cn.com>
+Cc: <linux-ext4@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/extents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1445,7 +1445,7 @@ int ext4_ext_walk_space(struct inode *in
+
+ static void
+ ext4_ext_put_in_cache(struct inode *inode, __u32 block,
+- __u32 len, __u32 start, int type)
++ __u32 len, ext4_fsblk_t start, int type)
+ {
+ struct ext4_ext_cache *cex;
+ BUG_ON(len == 0);
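Review bot: widening only the start parameter of ext4_ext_put_in_cache to ext4_fsblk_t removes the truncation at the call boundary, but the hunk does not show where start is stored. Please confirm that the field in struct ext4_ext_cache that receives it, and the code in ext4_ext_get_blocks that reads it back, are at least as wide; otherwise physical block numbers above 0xffffffff are still cut off one step later.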
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 19 00:28:56 2007
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Thu, 19 Jul 2007 09:28:42 +0200 (CEST)
+Subject: firewire: fix memory leak of fw_request instances
+To: stable@kernel.org
+Cc: Kristian Høgsberg <krh@redhat.com>, linux-kernel@vger.kernel.org
+Message-ID: <tkrat.25648a77ea40c9e3@s5r6.in-berlin.de>
+Content-Disposition: INLINE
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+Found and debugged by Jay Fenlason <fenlason@redhat.com>.
+The bug was especially noticeable with direct I/O over fw-sbp2.
+
+Same as commit 9c9bdf4d50730fd04b06077e22d7a83b585f26b5.
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Kristian Høgsberg <krh@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/fw-transaction.c | 4 +++-
+ drivers/firewire/fw-transaction.h | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/firewire/fw-transaction.c
++++ b/drivers/firewire/fw-transaction.c
+@@ -605,8 +605,10 @@ fw_send_response(struct fw_card *card, s
+ * check is sufficient to ensure we don't send response to
+ * broadcast packets or posted writes.
+ */
+- if (request->ack != ACK_PENDING)
++ if (request->ack != ACK_PENDING) {
++ kfree(request);
+ return;
++ }
+
+ if (rcode == RCODE_COMPLETE)
+ fw_fill_response(&request->response, request->request_header,
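Review bot: with kfree(request) added on the request->ack != ACK_PENDING path, fw_send_response now releases the request on an early return, so a caller that reads request after the call would touch freed memory. The comment above this check should say that request must not be used once fw_send_response has been called, and the existing callers should be checked for that.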
+--- a/drivers/firewire/fw-transaction.h
++++ b/drivers/firewire/fw-transaction.h
+@@ -124,6 +124,10 @@ typedef void (*fw_transaction_callback_t
+ size_t length,
+ void *callback_data);
+
++/*
++ * Important note: The callback must guarantee that either fw_send_response()
++ * or kfree() is called on the @request.
++ */
+ typedef void (*fw_address_callback_t)(struct fw_card *card,
+ struct fw_request *request,
+ int tcode, int destination, int source,
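Review bot: the new comment says the callback must call "either fw_send_response() or kfree()", which needs to mean exactly one of the two. Given the kfree(request) this patch adds inside fw_send_response, a callback that does both frees the request twice. Suggest wording it as "exactly one of" and adding that @request must not be touched afterwards.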
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:47:11 2007
+From: Alexey Dobriyan <adobriyan@sw.ru>
+Date: Tue, 31 Jul 2007 00:38:50 -0700
+Subject: Fix leak on /proc/lockdep_stats
+To: torvalds@linux-foundation.org
+Cc: adobriyan@sw.ru, akpm@linux-foundation.org, stable@kernel.org
+Message-ID: <200707310738.l6V7co6e022182@imap1.linux-foundation.org>
+
+
+From: Alexey Dobriyan <adobriyan@sw.ru>
+
+Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/lockdep_proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/lockdep_proc.c
++++ b/kernel/lockdep_proc.c
+@@ -339,7 +339,7 @@ static const struct file_operations proc
+ .open = lockdep_stats_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
+- .release = seq_release,
++ .release = single_release,
+ };
+
+ static int __init lockdep_proc_init(void)
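Review bot: the changelog has no body, so the reason for replacing seq_release with single_release in this file_operations is carried by the Subject alone. Please add a sentence saying what leaks on each open/close and how lockdep_stats_open sets up the seq_file, so that the choice of release routine can be checked against the open routine, which is outside this hunk.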
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:48:04 2007
+From: Alexey Dobriyan <adobriyan@sw.ru>
+Date: Tue, 31 Jul 2007 00:38:50 -0700
+Subject: Fix leaks on /proc/{*/sched, sched_debug, timer_list, timer_stats}
+To: torvalds@linux-foundation.org
+Cc: adobriyan@sw.ru, akpm@linux-foundation.org, mingo@elte.hu, stable@kernel.org
+Message-ID: <200707310738.l6V7cokR022178@imap1.linux-foundation.org>
+
+
+From: Alexey Dobriyan <adobriyan@sw.ru>
+
+On every open/close one struct seq_operations leaks.
+Kudos to /proc/slab_allocators.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
+Acked-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/time/timer_list.c | 2 +-
+ kernel/time/timer_stats.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -267,7 +267,7 @@ static struct file_operations timer_list
+ .open = timer_list_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
+- .release = seq_release,
++ .release = single_release,
+ };
+
+ static int __init init_timer_list_procfs(void)
+--- a/kernel/time/timer_stats.c
++++ b/kernel/time/timer_stats.c
+@@ -391,7 +391,7 @@ static struct file_operations tstats_fop
+ .read = seq_read,
+ .write = tstats_write,
+ .llseek = seq_lseek,
+- .release = seq_release,
++ .release = single_release,
+ };
+
+ void __init init_timer_stats(void)
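Review bot: the Subject names /proc/{*/sched, sched_debug, timer_list, timer_stats}, but the diffstat and hunks touch only kernel/time/timer_list.c and kernel/time/timer_stats.c. Either the sched and sched_debug parts are missing from this version or the Subject should be trimmed for this tree; the changelog should say which.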
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:47:25 2007
+From: Pavel Emelianov <xemul@openvz.org>
+Date: Tue, 31 Jul 2007 00:38:48 -0700
+Subject: Fix user struct leakage with locked IPC shem segment
+To: torvalds@linux-foundation.org
+Cc: akpm@linux-foundation.org, stable@kernel.org, xemul@openvz.org
+Message-ID: <200707310738.l6V7cmIf022165@imap1.linux-foundation.org>
+
+
+From: Pavel Emelianov <xemul@openvz.org>
+
+When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is
+already locked the shmem_lock() function returns 0. After this the
+subsequent code leaks the existing user struct:
+
+== ipc/shm.c: sys_shmctl() ==
+ ...
+ err = shmem_lock(shp->shm_file, 1, user);
+ if (!err) {
+ shp->shm_perm.mode |= SHM_LOCKED;
+ shp->mlock_user = user;
+ }
+ ...
+==
+
+Other results of this are:
+1. the new shp->mlock_user is not get-ed and will point to freed
+ memory when the task dies.
+2. the RLIMIT_MEMLOCK is screwed on both user structs.
+
+The exploit looks like this:
+
+==
+ id = shmget(...);
+ setresuid(uid, 0, 0);
+ shmctl(id, SHM_LOCK, NULL);
+ setresuid(uid + 1, 0, 0);
+ shmctl(id, SHM_LOCK, NULL);
+==
+
+My solution is to return 0 to the userspace and do not change the
+segment's user.
+
+Signed-off-by: Pavel Emelianov <xemul@openvz.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/shm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -716,7 +716,7 @@ asmlinkage long sys_shmctl (int shmid, i
+ struct user_struct * user = current->user;
+ if (!is_file_hugepages(shp->shm_file)) {
+ err = shmem_lock(shp->shm_file, 1, user);
+- if (!err) {
++ if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){
+ shp->shm_perm.mode |= SHM_LOCKED;
+ shp->mlock_user = user;
+ }
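Review bot: the new SHM_LOCKED test runs after shmem_lock(shp->shm_file, 1, user) has already been called with the second caller's user struct, so the fix depends on shmem_lock returning 0 without side effects for an already locked segment, as the changelog describes. Testing shp->shm_perm.mode & SHM_LOCKED before the call would make the result independent of that behaviour. Style: a space is missing before the opening brace in "SHM_LOCKED)){".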
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:48:04 2007
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 31 Jul 2007 00:38:51 -0700
+Subject: futex: pass nr_wake2 to futex_wake_op
+To: torvalds@linux-foundation.org
+Cc: schwab@suse.de, akpm@linux-foundation.org, mingo@elte.hu, drepper@redhat.com, stable@kernel.org
+Message-ID: <200707310738.l6V7cpPP022186@imap1.linux-foundation.org>
+
+
+From: Andreas Schwab <schwab@suse.de>
+
+The fourth argument of sys_futex is ignored when op == FUTEX_WAKE_OP,
+but futex_wake_op expects it as its nr_wake2 parameter.
+
+The only user of this operation in glibc is always passing 1, so this
+bug had no consequences so far.
+
+Signed-off-by: Andreas Schwab <schwab@suse.de>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/futex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2061,8 +2061,10 @@ asmlinkage long sys_futex(u32 __user *ua
+ }
+ /*
+ * requeue parameter in 'utime' if cmd == FUTEX_REQUEUE.
++ * number of waiters to wake in 'utime' if cmd == FUTEX_WAKE_OP.
+ */
+- if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE)
++ if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE ||
++ cmd == FUTEX_WAKE_OP)
+ val2 = (u32) (unsigned long) utime;
+
+ return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);
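Review bot: adding FUTEX_WAKE_OP to the condition means utime is now cast into val2 and used as the wake count, which changes behaviour for any caller that left the fourth argument unset; the changelog covers only glibc, which passes 1. Please note that in the changelog, and confirm that the part of sys_futex above this hunk does not also treat utime as a timeout pointer for this cmd.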
--- /dev/null
+From stable-bounces@linux.kernel.org Thu Jul 19 00:27:57 2007
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Thu, 19 Jul 2007 09:27:37 +0200 (CEST)
+Subject: fw-ohci: fix "scheduling while atomic"
+To: stable@kernel.org
+Cc: Kristian Høgsberg <krh@redhat.com>, linux-kernel@vger.kernel.org
+Message-ID: <tkrat.bf75c55e27c90af7@s5r6.in-berlin.de>
+Content-Disposition: INLINE
+
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+context_stop is called by bus_reset_tasklet, among else.
+
+Fixes http://bugzilla.kernel.org/show_bug.cgi?id=8735.
+Same as commit b980f5a224f3df6c884dbf5ae48797ce352ba139.
+
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/firewire/fw-ohci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firewire/fw-ohci.c
++++ b/drivers/firewire/fw-ohci.c
+@@ -586,7 +586,7 @@ static void context_stop(struct context
+ break;
+
+ fw_notify("context_stop: still active (0x%08x)\n", reg);
+- msleep(1);
++ mdelay(1);
+ }
+ }
+
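Review bot: mdelay(1) in the context_stop wait loop busy-waits where msleep(1) yielded the CPU, so the time spent spinning in atomic context is the loop's iteration count in milliseconds, and that bound is outside this hunk; please confirm it is small. The changelog says only that context_stop is called by bus_reset_tasklet; one sentence stating that this context must not sleep would make the reason for the swap explicit.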
--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jul 21 08:11:18 2007
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sat, 21 Jul 2007 17:11:12 +0200 (CEST)
+Subject: i386: HPET, check if the counter works
+To: tglx@linutronix.de, ak@suse.de, johnstul@us.ibm.com, stable@kernel.org, torvalds@osdl.org
+Message-ID: <20070721151112.29090147AA@wotan.suse.de>
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+Some systems have a HPET which is not incrementing, which leads to a
+complete hang. Detect it during HPET setup.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andi Kleen <ak@suse.de>
+Cc: john stultz <johnstul@us.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/hpet.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/i386/kernel/hpet.c
++++ b/arch/i386/kernel/hpet.c
+@@ -226,7 +226,8 @@ int __init hpet_enable(void)
+ {
+ unsigned long id;
+ uint64_t hpet_freq;
+- u64 tmp;
++ u64 tmp, start, now;
++ cycle_t t1;
+
+ if (!is_hpet_capable())
+ return 0;
+@@ -273,6 +274,27 @@ int __init hpet_enable(void)
+ /* Start the counter */
+ hpet_start_counter();
+
++ /* Verify whether hpet counter works */
++ t1 = read_hpet();
++ rdtscll(start);
++
++ /*
++ * We don't know the TSC frequency yet, but waiting for
++ * 200000 TSC cycles is safe:
++ * 4 GHz == 50us
++ * 1 GHz == 200us
++ */
++ do {
++ rep_nop();
++ rdtscll(now);
++ } while ((now - start) < 200000UL);
++
++ if (t1 == read_hpet()) {
++ printk(KERN_WARNING
++ "HPET counter not counting. HPET disabled\n");
++ goto out_nohpet;
++ }
++
+ /* Initialize and register HPET clocksource
+ *
+ * hpet period is in femto seconds per cycle
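Review bot: the do/while waiting for (now - start) < 200000UL ends only if the TSC is present and advancing, and nothing checks that before rdtscll(start). A test added to catch a stuck HPET should not itself be able to hang on a stuck or missing TSC. Suggest bounding the loop by an iteration count as well, or skipping the verification when no usable TSC is available.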
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:48:18 2007
+From: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
+Date: Tue, 31 Jul 2007 00:38:52 -0700
+Subject: Include serial_reg.h with userspace headers
+To: torvalds@linux-foundation.org
+Cc: herton@mandriva.com.br, gustavodn@mandriva.com.br, akpm@linux-foundation.org, dwmw2@infradead.org, stable@kernel.org, rmk@arm.linux.org.uk
+Message-ID: <200707310738.l6V7cqpK022190@imap1.linux-foundation.org>
+
+
+From: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
+
+As reported by Gustavo de Nardin <gustavodn@mandriva.com.br>, while trying to
+compile xosview (http://xosview.sourceforge.net/) with upstream kernel
+headers being used you get the following errors:
+serialmeter.cc:48:30: error: linux/serial_reg.h: No such file or directory
+serialmeter.cc: In member function 'virtual void
+SerialMeter::checkResources()':
+serialmeter.cc:71: error: 'UART_LSR' was not declared in this scope
+serialmeter.cc:71: error: 'UART_MSR' was not declared in this scope
+...
+
+Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
+Cc: Gustavo de Nardin <gustavodn@mandriva.com.br>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Russell King <rmk@arm.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/Kbuild | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/linux/Kbuild
++++ b/include/linux/Kbuild
+@@ -137,6 +137,7 @@ header-y += radeonfb.h
+ header-y += raw.h
+ header-y += resource.h
+ header-y += rose.h
++header-y += serial_reg.h
+ header-y += smbno.h
+ header-y += snmp.h
+ header-y += sockios.h
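Review bot: the changelog quotes the xosview build errors but does not say that serial_reg.h is fit to be exported unchanged. Since this line adds it to the headers installed for userspace, please confirm in the changelog that the file holds no kernel-only declarations.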
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:47:41 2007
+From: Arne Redlich <agr@powerkom-dd.de>
+Date: Tue, 31 Jul 2007 00:37:57 -0700
+Subject: md: handle writes to broken raid10 arrays gracefully
+To: torvalds@linux-foundation.org
+Cc: neilb@suse.de, akpm@linux-foundation.org, stable@kernel.org, agr@powerkom-dd.de
+Message-ID: <200707310737.l6V7bvG2021938@imap1.linux-foundation.org>
+
+
+From: Arne Redlich <agr@powerkom-dd.de>
+
+When writing to a broken array, raid10 currently happily emits empty bio
+lists. IOW, the master bio will never be completed, sending writers to
+UNINTERRUPTIBLE_SLEEP forever.
+
+Signed-off-by: Arne Redlich <agr@powerkom-dd.de>
+Acked-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/raid10.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -917,6 +917,13 @@ static int make_request(request_queue_t
+ bio_list_add(&bl, mbio);
+ }
+
++ if (unlikely(!atomic_read(&r10_bio->remaining))) {
++ /* the array is dead */
++ md_write_end(mddev);
++ raid_end_bio_io(r10_bio);
++ return 0;
++ }
++
+ bitmap_startwrite(mddev->bitmap, bio->bi_sector, r10_bio->sectors, 0);
+ spin_lock_irqsave(&conf->device_lock, flags);
+ bio_list_merge(&conf->pending_bio_list, &bl);
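Review bot: when atomic_read(&r10_bio->remaining) is zero, no write was issued to any device, but the hunk does not show with what status raid_end_bio_io(r10_bio) completes the master bio. Please confirm the writer sees an error rather than success, and say so in the comment, which currently reads only "the array is dead". Also confirm that md_write_end(mddev) on this early return balances what make_request started before the hunk.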
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:47:46 2007
+From: Maik Hampel <m.hampel@gmx.de>
+Date: Tue, 31 Jul 2007 00:37:57 -0700
+Subject: md: raid10: fix use-after-free of bio
+To: torvalds@linux-foundation.org
+Cc: neilb@suse.de, akpm@linux-foundation.org, m.hampel@gmx.de, stable@kernel.org
+Message-ID: <200707310737.l6V7bvqd021934@imap1.linux-foundation.org>
+
+
+From: Maik Hampel <m.hampel@gmx.de>
+
+In case of read errors raid10d tries to print a nice error message,
+unfortunately using data from an already put bio.
+
+Signed-off-by: Maik Hampel <m.hampel@gmx.de>
+Acked-By: NeilBrown <neilb@suse.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/md/raid10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1565,7 +1565,6 @@ static void raid10d(mddev_t *mddev)
+ bio = r10_bio->devs[r10_bio->read_slot].bio;
+ r10_bio->devs[r10_bio->read_slot].bio =
+ mddev->ro ? IO_BLOCKED : NULL;
+- bio_put(bio);
+ mirror = read_balance(conf, r10_bio);
+ if (mirror == -1) {
+ printk(KERN_ALERT "raid10: %s: unrecoverable I/O"
+@@ -1573,8 +1572,10 @@ static void raid10d(mddev_t *mddev)
+ bdevname(bio->bi_bdev,b),
+ (unsigned long long)r10_bio->sector);
+ raid_end_bio_io(r10_bio);
++ bio_put(bio);
+ } else {
+ const int do_sync = bio_sync(r10_bio->master_bio);
++ bio_put(bio);
+ rdev = conf->mirrors[mirror].rdev;
+ if (printk_ratelimit())
+ printk(KERN_ERR "raid10: %s: redirecting sector %llu to"
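Review bot: bio_put(bio) is now repeated in both branches, and in the else branch it comes directly after the do_sync declaration, so any later use of bio in that branch (the rest of it is outside the hunk) would bring back the use-after-free this patch fixes. Please confirm nothing after that point dereferences bio, and consider a short comment at each bio_put noting that bio is dead from there on.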
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Jul 31 00:48:00 2007
+From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>
+Date: Tue, 31 Jul 2007 00:38:08 -0700
+Subject: pcmcia: give socket time to power down
+To: torvalds@linux-foundation.org
+Cc: nils.neumann@rwth-aachen.de, akpm@linux-foundation.org, daniel.ritz-ml@swissonline.ch, daniel.ritz@gmx.ch, stable@kernel.org
+Message-ID: <200707310738.l6V7c8Om021966@imap1.linux-foundation.org>
+
+
+From: Daniel Ritz <daniel.ritz-ml@swissonline.ch>
+
+Give sockets up to 100ms of additional time to power down. otherwise we
+might generate false warnings with KERN_ERR priority (like in bug #8262).
+
+Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
+Cc: Nils Neumann <nils.neumann@rwth-aachen.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pcmcia/cs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pcmcia/cs.c
++++ b/drivers/pcmcia/cs.c
+@@ -409,6 +409,9 @@ static void socket_shutdown(struct pcmci
+ #endif
+ s->functions = 0;
+
++ /* give socket some time to power down */
++ msleep(100);
++
+ s->ops->get_status(s, &status);
+ if (status & SS_POWERON) {
+ printk(KERN_ERR "PCMCIA: socket %p: *** DANGER *** unable to remove socket power\n", s);
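Review bot: msleep(100) is unconditional, so every socket_shutdown now takes 100 ms even when power drops at once, while the changelog promises "up to 100ms". Polling s->ops->get_status in short steps until SS_POWERON clears, with 100 ms as the ceiling, would match the description and still keep the KERN_ERR message for real failures.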
input-lifebook-fix-an-oops-on-panasonic-cf-18.patch
splice-fix-double-page-unlock.patch
drm-i915-fix-i965-secured-batchbuffer-usage.patch
+fix-leak-on-proc-lockdep_stats.patch
+cpu-online-file-permission.patch
+fix-user-struct-leakage-with-locked-ipc-shem-segment.patch
+md-handle-writes-to-broken-raid10-arrays-gracefully.patch
+md-raid10-fix-use-after-free-of-bio.patch
+pcmcia-give-socket-time-to-power-down.patch
+fix-leaks-on-proc-sched-sched_debug-timer_list-timer_stats.patch
+futex-pass-nr_wake2-to-futex_wake_op.patch
+ext4_ext_put_in_cache-uses-__u32-to-receive-physical-block-number.patch
+include-serial_reg.h-with-userspace-headers.patch
+dm-io-fix-panic-on-large-request.patch
+i386-hpet-check-if-the-counter-works.patch
+fw-ohci-fix-scheduling-while-atomic.patch
+firewire-fix-memory-leak-of-fw_request-instances.patch