3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2017 19:04:21 +0000 (12:04 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2017 19:04:21 +0000 (12:04 -0700)
added patches:
irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch

queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch [new file with mode: 0644]
queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch [new file with mode: 0644]
queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
new file mode 100644 (file)
index 0000000..dd62c17
--- /dev/null
@@ -0,0 +1,32 @@
+From 469bcef53c546bb792aa66303933272991b7831d Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 4 Jul 2017 11:10:39 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 469bcef53c546bb792aa66303933272991b7831d upstream.
+
+aic_common_irq_fixup() is calling twice of_node_put() on the same node
+thus leading to an unbalanced refcount on the root node.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -176,7 +176,6 @@ void __init aic_common_irq_fixup(const s
+               return;
+       match = of_match_node(matches, root);
+-      of_node_put(root);
+       if (match) {
+               void (*fixup)(struct device_node *) = match->data;
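Review bot: Removing this of_node_put(root) only restores balance if the second put that follows the if block in aic_common_irq_fixup() is present in the 3.18 tree; that trailing put is outside the hunk, so the backport should be checked against the 3.18 source rather than assumed from upstream, because without it the change turns a double put into a reference leak on the root node. A short comment above `if (match) {`, e.g. `/* root is released once, after the fixup callback; do not put it here */`, would keep a later reader from re-adding the early release. aic_common_irq_fixup() starts before and ends after the hunk.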
diff --git a/queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch b/queue-3.18/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
new file mode 100644 (file)
index 0000000..b75a9c2
--- /dev/null
@@ -0,0 +1,40 @@
+From 277867ade8262583f4280cadbe90e0031a3706a7 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 4 Jul 2017 11:10:40 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 277867ade8262583f4280cadbe90e0031a3706a7 upstream.
+
+of_find_compatible_node() is calling of_node_put() on its first argument
+thus leading to an unbalanced of_node_get/put() issue if the node has not
+been retained before that.
+
+Instead of passing the root node, pass NULL, which does exactly the same:
+iterate over all DT nodes, starting from the root node.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -148,9 +148,9 @@ void __init aic_common_rtc_irq_fixup(str
+       struct device_node *np;
+       void __iomem *regs;
+-      np = of_find_compatible_node(root, NULL, "atmel,at91rm9200-rtc");
++      np = of_find_compatible_node(NULL, NULL, "atmel,at91rm9200-rtc");
+       if (!np)
+-              np = of_find_compatible_node(root, NULL,
++              np = of_find_compatible_node(NULL, NULL,
+                                            "atmel,at91sam9x5-rtc");
+       if (!np)
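Review bot: After the change nothing in the hunk reads the root parameter of aic_common_rtc_irq_fixup() any more, and the reason for passing NULL is only stated in the commit message, so the code itself should say why the obvious `root` argument is deliberately avoided; a comment above the first lookup such as `/* pass NULL, not root: of_find_compatible_node() drops a reference on its 'from' argument */` would prevent the next cleanup from reintroducing the imbalance. The parameter presumably has to stay because the function is installed through the `void (*fixup)(struct device_node *)` callback type visible in the sibling irq-fixup patch; if the remainder of the function does not use root either, that is worth noting in the same comment. The function body continues outside the hunk.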
diff --git a/queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch b/queue-3.18/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
new file mode 100644 (file)
index 0000000..952d4f6
--- /dev/null
@@ -0,0 +1,83 @@
+From 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: mm/mempolicy: fix use after free when calling get_mempolicy
+
+From: zhong jiang <zhongjiang@huawei.com>
+
+commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.
+
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled.  The related call trace is as follows.
+
+  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+  Read of size 2 by task syz-executor1/798
+
+  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+     __slab_alloc+0x768/0x970
+     kmem_cache_alloc+0x2e7/0x450
+     mpol_new.part.2+0x74/0x160
+     mpol_new+0x66/0x80
+     SyS_mbind+0x267/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+     __slab_free+0x495/0x8e0
+     kmem_cache_free+0x2f3/0x4c0
+     __mpol_put+0x2b/0x40
+     SyS_mbind+0x383/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+
+  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
+  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
+  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
+  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
+  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
+  Memory state around the buggy address:
+  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem.  do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer.").  but when we have the the
+current mempolicy ref count model.  The issue was introduced
+accordingly.
+
+Fix the issue by removing the premature release.
+
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -944,11 +944,6 @@ static long do_get_mempolicy(int *policy
+               *policy |= (pol->flags & MPOL_MODE_FLAGS);
+       }
+-      if (vma) {
+-              up_read(&current->mm->mmap_sem);
+-              vma = NULL;
+-      }
+-
+       err = 0;
+       if (nmask) {
+               if (mpol_store_user_nodemask(pol)) {
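Review bot: With the early up_read() gone, do_get_mempolicy() now relies on the common exit path, outside this hunk, to drop mmap_sem whenever vma is set; the 3.18 copy of the function should be checked to confirm it still releases the lock there, because the hunk alone would otherwise leave mmap_sem held on every VMA-policy query. The reason for keeping the lock across the nmask handling at the bottom of the hunk is not visible in the code, so a comment before `err = 0;` such as `/* keep mmap_sem held: pol may be vma->vm_policy and can be freed by a concurrent mbind() once the lock is dropped */` would stop the premature release from being reintroduced by a later refactor. do_get_mempolicy() begins before and continues after the hunk.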
index 48ad04e378e268a894db9c24e2ed2e0f7be9e4dd..347fdd795883282b3ca8a3ef9c0e4c1ba4be6265 100644 (file)
@@ -2,3 +2,6 @@ netfilter-nf_ct_ext-fix-possible-panic-after-nf_ct_extend_unregister.patch
 audit-fix-use-after-free-in-audit_remove_watch_rule.patch
 parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
 alsa-usb-audio-apply-sample-rate-quirk-to-sennheiser-headset.patch
+mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
+irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
+irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch