)]}'
{
  "commit": "2e4a75cdcb89ff53bb182dda3a6dcdc14befe007",
  "tree": "55a3effb9e6c78b0a6521e0f76562db470555783",
  "parents": [
    "e105eabb5b843c6c59f921f54122221f82ca09e6"
  ],
  "author": {
    "name": "Marcin Slusarz",
    "email": "marcin.slusarz@gmail.com",
    "time": "Fri Oct 03 15:23:36 2008 -0700"
  },
  "committer": {
    "name": "Linus Torvalds",
    "email": "torvalds@linux-foundation.org",
    "time": "Fri Oct 03 18:22:17 2008 -0700"
  },
  "message": "rtc: fix kernel panic on second use of SIGIO nofitication\n\nWhen userspace uses SIGIO notification and forgets to disable it before\nclosing the file descriptor, rtc-\u003easync_queue is left holding a stale\npointer to struct file.  When userspace later enables SIGIO notification\nagain in a different process, the kernel dereferences this (poisoned)\npointer and crashes.\n\nSo disable SIGIO notification on close.\n\nKernel panic:\n(second run of qemu (requires echo 1024 \u003e /sys/class/rtc/rtc0/max_user_freq))\n\ngeneral protection fault: 0000 [1] PREEMPT\nCPU 0\nModules linked in: af_packet snd_pcm_oss snd_mixer_oss snd_seq_oss snd_seq_midi_event snd_seq usbhid tuner tea5767 tda8290 tuner_xc2028 xc5000 tda9887 tuner_simple tuner_types mt20xx tea5761 tda9875 uhci_hcd ehci_hcd usbcore bttv snd_via82xx snd_ac97_codec ac97_bus snd_pcm snd_timer ir_common compat_ioctl32 snd_page_alloc videodev v4l1_compat snd_mpu401_uart snd_rawmidi v4l2_common videobuf_dma_sg videobuf_core snd_seq_device snd btcx_risc soundcore tveeprom i2c_viapro\nPid: 5781, comm: qemu-system-x86 Not tainted 2.6.27-rc6 #363\nRIP: 0010:[\u003cffffffff8024f891\u003e]  [\u003cffffffff8024f891\u003e] __lock_acquire+0x3db/0x73f\nRSP: 0000:ffffffff80674cb8  EFLAGS: 00010002\nRAX: ffff8800224c62f0 RBX: 0000000000000046 RCX: 0000000000000002\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800224c62f0\nRBP: ffffffff80674d08 R08: 0000000000000002 R09: 0000000000000001\nR10: ffffffff80238941 R11: 0000000000000001 R12: 0000000000000000\nR13: 6b6b6b6b6b6b6b6b R14: ffff88003a450080 R15: 0000000000000000\nFS:  00007f98b69516f0(0000) GS:ffffffff80623200(0000) knlGS:00000000f7cc86d0\nCS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b\nCR2: 0000000000a87000 CR3: 0000000022598000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess qemu-system-x86 (pid: 5781, threadinfo ffff880028812000, task 
ffff88003a450080)\nStack:  ffffffff80674cf8 0000000180238440 0000000200000002 0000000000000000\n ffff8800224c62f0 0000000000000046 0000000000000000 0000000000000002\n 0000000000000002 0000000000000000 ffffffff80674d68 ffffffff8024fc7a\nCall Trace:\n \u003cIRQ\u003e  [\u003cffffffff8024fc7a\u003e] lock_acquire+0x85/0xa9\n [\u003cffffffff8029cb62\u003e] ? send_sigio+0x2a/0x184\n [\u003cffffffff80491d1f\u003e] _read_lock+0x3e/0x4a\n [\u003cffffffff8029cb62\u003e] ? send_sigio+0x2a/0x184\n [\u003cffffffff8029cb62\u003e] send_sigio+0x2a/0x184\n [\u003cffffffff8024fb97\u003e] ? __lock_acquire+0x6e1/0x73f\n [\u003cffffffff8029cd4d\u003e] ? kill_fasync+0x2c/0x4e\n [\u003cffffffff8029cd10\u003e] __kill_fasync+0x54/0x65\n [\u003cffffffff8029cd5b\u003e] kill_fasync+0x3a/0x4e\n [\u003cffffffff80402896\u003e] rtc_update_irq+0x9c/0xa5\n [\u003cffffffff80404640\u003e] cmos_interrupt+0xae/0xc0\n [\u003cffffffff8025d1c1\u003e] handle_IRQ_event+0x25/0x5a\n [\u003cffffffff8025e5e4\u003e] handle_edge_irq+0xdd/0x123\n [\u003cffffffff8020da34\u003e] do_IRQ+0xe4/0x144\n [\u003cffffffff8020bad6\u003e] ret_from_intr+0x0/0xf\n \u003cEOI\u003e  [\u003cffffffff8026fdc2\u003e] ? __alloc_pages_internal+0xe7/0x3ad\n [\u003cffffffff8033fe67\u003e] ? clear_page_c+0x7/0x10\n [\u003cffffffff8026fc10\u003e] ? get_page_from_freelist+0x385/0x450\n [\u003cffffffff8026fdc2\u003e] ? __alloc_pages_internal+0xe7/0x3ad\n [\u003cffffffff80280aac\u003e] ? anon_vma_prepare+0x2e/0xf6\n [\u003cffffffff80279400\u003e] ? handle_mm_fault+0x227/0x6a5\n [\u003cffffffff80494716\u003e] ? do_page_fault+0x494/0x83f\n [\u003cffffffff8049251d\u003e] ? 
error_exit+0x0/0xa9\n\nCode: cc 41 39 45 28 74 24 e8 5e 1d 0f 00 85 c0 0f 84 6a 03 00 00 83 3d 8f a9 aa 00 00 be 47 03 00 00 0f 84 6a 02 00 00 e9 53 03 00 00 \u003c41\u003e ff 85 38 01 00 00 45 8b be 90 06 00 00 41 83 ff 2f 76 24 e8\nRIP  [\u003cffffffff8024f891\u003e] __lock_acquire+0x3db/0x73f\n RSP \u003cffffffff80674cb8\u003e\n---[ end trace 431877d860448760 ]---\nKernel panic - not syncing: Aiee, killing interrupt handler!\n\nSigned-off-by: Marcin Slusarz \u003cmarcin.slusarz@gmail.com\u003e\nAcked-by: Alessandro Zummo \u003calessandro.zummo@towertech.it\u003e\nAcked-by: David Brownell \u003cdbrownell@users.sourceforge.net\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f118252f3a9f2b921cef3fff96fd1ef890d65b3c",
      "old_mode": 33188,
      "old_path": "drivers/rtc/rtc-dev.c",
      "new_id": "52e2743b04ecf77bb6a975d6c8609fa042025dea",
      "new_mode": 33188,
      "new_path": "drivers/rtc/rtc-dev.c"
    }
  ]
}
