From: Greg Kroah-Hartman Date: Fri, 1 Mar 2013 00:50:53 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.8.2~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12976690eb5967d0dcdba06208a8d4252f34f132;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: fs-fix-possible-use-after-free-with-aio.patch media-rc-unlock-on-error-in-show_protocols.patch
---
diff --git a/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch b/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch
new file mode 100644
index 00000000000..552a0ede4de
--- /dev/null
+++ b/queue-3.4/fs-fix-possible-use-after-free-with-aio.patch
@@ -0,0 +1,39 @@
+From 54c807e71d5ac59dee56c685f2b66e27cd54c475 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 30 Jan 2013 00:28:01 +0100
+Subject: fs: Fix possible use-after-free with AIO
+
+From: Jan Kara
+
+commit 54c807e71d5ac59dee56c685f2b66e27cd54c475 upstream.
+
+Running AIO is pinning inode in memory using file reference. Once AIO
+is completed using aio_complete(), file reference is put and inode can
+be freed from memory. So we have to be sure that calling aio_complete()
+is the last thing we do with the inode.
+
+Acked-by: Jeff Moyer
+CC: Christoph Hellwig
+CC: Jens Axboe
+CC: Jeff Moyer
+Signed-off-by: Jan Kara
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/direct-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -305,9 +305,9 @@ static ssize_t dio_complete(struct dio *
+ dio->end_io(dio->iocb, offset, transferred,
+ dio->private, ret, is_async);
+ } else {
++ inode_dio_done(dio->inode);
+ if (is_async)
+ aio_complete(dio->iocb, ret, 0);
+- inode_dio_done(dio->inode);
+ }
+
+ return ret;
diff --git a/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch b/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch
new file mode 100644
index 00000000000..91b1f590a6e
--- /dev/null
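Review bot: The `dio->end_io(...)` branch at the top of the fs/direct-io.c hunk is untouched, so the rule this fix enforces in the `else` branch (nothing uses the inode once `aio_complete()` has run) still depends on each filesystem's end_io callback following the same order. The diffstat shows this backport changes only fs/direct-io.c, so those callbacks in the 3.4 tree are worth checking before the use-after-free is considered closed. The reordered lines also carry no comment, and a later cleanup could swap them back without noticing; I would add `/* aio_complete() drops the file reference that pins the inode, so it must be the last use of the inode */` above `inode_dio_done(dio->inode);`. dio_complete() begins before the hunk, so how the non-async path reaches this code is not visible here.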
+++ b/queue-3.4/media-rc-unlock-on-error-in-show_protocols.patch
@@ -0,0 +1,37 @@
+From 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 27 Nov 2012 13:35:09 -0300
+Subject: media: rc: unlock on error in show_protocols()
+
+From: Dan Carpenter
+
+commit 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 upstream.
+
+We recently introduced a new return -ENODEV in this function but we need
+to unlock before returning.
+
+[mchehab@redhat.com: found two patches with the same fix. Merged SOB's/acks into one patch]
+Acked-by: Herton R. Krzesinski
+Signed-off-by: Dan Carpenter
+Signed-off-by: Douglas Bagnall
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/rc-main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -778,8 +778,10 @@ static ssize_t show_protocols(struct dev
+ } else if (dev->raw) {
+ enabled = dev->raw->enabled_protocols;
+ allowed = ir_raw_get_allowed_protocols();
+- } else
++ } else {
++ mutex_unlock(&dev->lock);
+ return -ENODEV;
++ }
+
+ IR_dprintk(1, "allowed - 0x%llx, enabled - 0x%llx\n",
+ (long long)allowed,
diff --git a/queue-3.4/series b/queue-3.4/series
index 9d57ff8847a..67b1408e554 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -19,3 +19,5 @@ idr-fix-a-subtle-bug-in-idr_get_next.patch
 block-fix-synchronization-and-limit-check-in-blk_alloc_devt.patch
 firewire-add-minor-number-range-check-to-fw_device_init.patch
 sysctl-fix-null-checking-in-bin_dn_node_address.patch
+fs-fix-possible-use-after-free-with-aio.patch
+media-rc-unlock-on-error-in-show_protocols.patch
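Review bot: The new `else { ... }` branch in the rc-main.c hunk has to pair `mutex_unlock(&dev->lock)` with its own `return -ENODEV` by hand, which is the same pattern that let the lock leak in the first place. A sysfs read that returns with dev->lock held would block every later user of that device. A single exit would make the next added error path safe by construction: `ret = -ENODEV; goto out_unlock;` here, and `out_unlock: mutex_unlock(&dev->lock); return ret;` at the end of the function, with `ret` declared locally if the function does not already have one. show_protocols() begins and ends outside the hunk, so where the normal path releases the lock is not visible, and the label placement would need checking against the full function.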