From c46f272ee790ce689cf54854362e61bc5d1e1bcf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 15 Jan 2013 05:33:21 -0800
Subject: [PATCH] 3.7-stable patches

added patches:
	edac-fix-kernel-panic-on-module-unloading.patch
---
 ...fix-kernel-panic-on-module-unloading.patch | 39 +++++++++++++++++++
 queue-3.7/series                              |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 queue-3.7/edac-fix-kernel-panic-on-module-unloading.patch

diff --git a/queue-3.7/edac-fix-kernel-panic-on-module-unloading.patch b/queue-3.7/edac-fix-kernel-panic-on-module-unloading.patch
new file mode 100644
index 00000000000..22ca75e1a04
--- /dev/null
+++ b/queue-3.7/edac-fix-kernel-panic-on-module-unloading.patch
@@ -0,0 +1,39 @@
+From 311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Date: Fri, 14 Dec 2012 15:03:10 +0400
+Subject: EDAC: Fix kernel panic on module unloading
+
+From: Konstantin Khlebnikov <khlebnikov@openvz.org>
+
+commit 311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 upstream.
+
+This patch fixes use-after-free and double-free bugs in
+edac_mc_sysfs_exit(). mci_pdev has single reference and put_device()
+calls mc_attr_release() which calls kfree(). The following
+device_del() works with already released memory. An another kfree() in
+edac_mc_sysfs_exit() releses the same memory again. Great.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Cc: Denis Kirjanov <kirjanov@gmail.com>
+Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
+Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg
+Signed-off-by: Borislav Petkov <bp@alien8.de>
+[ a partial 3.7.y backport ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_mc_sysfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_mc_sysfs.c
++++ b/drivers/edac/edac_mc_sysfs.c
+@@ -1145,7 +1145,7 @@ int __init edac_mc_sysfs_init(void)
+ 
+ void __exit edac_mc_sysfs_exit(void)
+ {
+-	put_device(mci_pdev);
+ 	device_del(mci_pdev);
++	put_device(mci_pdev);
+ 	edac_put_sysfs_subsys();
+ }
diff --git a/queue-3.7/series b/queue-3.7/series
index 3dea509f7d4..450e59378a9 100644
--- a/queue-3.7/series
+++ b/queue-3.7/series
@@ -184,3 +184,4 @@ regulator-max8998-ensure-enough-delay-time-for-max8998_set_voltage_buck_time_sel
 revert-mips-optimise-tlb-handlers-for-mips32-64-r2-cores.patch
 dm-thin-fix-race-between-simultaneous-io-and-discards-to-same-block.patch
 revert-rt2x00-don-t-let-mac80211-send-a-bar-when-an-ampdu-subframe-fails.patch
+edac-fix-kernel-panic-on-module-unloading.patch
-- 
2.47.3