3.5-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Aug 2012 16:43:10 +0000 (09:43 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Aug 2012 16:43:10 +0000 (09:43 -0700)
added patches:
audit-don-t-free_chunk-after-fsnotify_add_mark.patch
audit-fix-refcounting-in-audit-tree.patch
drm-stop-vmgfx-driver-explosion.patch
revert-drm-radeon-fix-bo-creation-retry-path.patch

queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch [new file with mode: 0644]
queue-3.5/audit-fix-refcounting-in-audit-tree.patch [new file with mode: 0644]
queue-3.5/drm-stop-vmgfx-driver-explosion.patch [new file with mode: 0644]
queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch [new file with mode: 0644]
queue-3.5/series

diff --git a/queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch b/queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch
new file mode 100644 (file)
index 0000000..e84ebdd
--- /dev/null
@@ -0,0 +1,49 @@
+From 0fe33aae0e94b4097dd433c9399e16e17d638cd8 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Wed, 15 Aug 2012 12:55:22 +0200
+Subject: audit: don't free_chunk() after fsnotify_add_mark()
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit 0fe33aae0e94b4097dd433c9399e16e17d638cd8 upstream.
+
+Don't do free_chunk() after fsnotify_add_mark().  That one does a delayed unref
+via the destroy list and this results in use-after-free.
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Acked-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_tree.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -259,7 +259,7 @@ static void untag_chunk(struct node *p)
+       fsnotify_duplicate_mark(&new->mark, entry);
+       if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) {
+-              free_chunk(new);
++              fsnotify_put_mark(&new->mark);
+               goto Fallback;
+       }
+@@ -322,7 +322,7 @@ static int create_chunk(struct inode *in
+       entry = &chunk->mark;
+       if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) {
+-              free_chunk(chunk);
++              fsnotify_put_mark(entry);
+               return -ENOSPC;
+       }
+@@ -396,7 +396,7 @@ static int tag_chunk(struct inode *inode
+       fsnotify_duplicate_mark(chunk_entry, old_entry);
+       if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) {
+               spin_unlock(&old_entry->lock);
+-              free_chunk(chunk);
++              fsnotify_put_mark(chunk_entry);
+               fsnotify_put_mark(old_entry);
+               return -ENOSPC;
+       }
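Review bot: The three replacement calls `fsnotify_put_mark(&new->mark);`, `fsnotify_put_mark(entry);` and `fsnotify_put_mark(chunk_entry);` leave no trace at the call sites of why a direct free is unsafe, so the next person simplifying these error paths could reintroduce the use-after-free that the description ("delayed unref via the destroy list") explains. A one-line comment at each put, e.g. `/* fsnotify_add_mark() failure queues the mark on the destroy list; drop only our ref, never free_chunk() */`, would pin the ownership rule in the code rather than in the changelog. untag_chunk(), create_chunk() and tag_chunk() all begin and end outside this hunk, so the rest of the chunk/mark teardown path is not visible here.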
diff --git a/queue-3.5/audit-fix-refcounting-in-audit-tree.patch b/queue-3.5/audit-fix-refcounting-in-audit-tree.patch
new file mode 100644 (file)
index 0000000..e83d408
--- /dev/null
@@ -0,0 +1,87 @@
+From a2140fc0cb0325bb6384e788edd27b9a568714e2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@suse.cz>
+Date: Wed, 15 Aug 2012 12:55:22 +0200
+Subject: audit: fix refcounting in audit-tree
+
+From: Miklos Szeredi <mszeredi@suse.cz>
+
+commit a2140fc0cb0325bb6384e788edd27b9a568714e2 upstream.
+
+Refcounting of fsnotify_mark in audit tree is broken.  E.g:
+
+                              refcount
+create_chunk
+  alloc_chunk                 1
+  fsnotify_add_mark           2
+
+untag_chunk
+  fsnotify_get_mark           3
+  fsnotify_destroy_mark
+    audit_tree_freeing_mark   2
+  fsnotify_put_mark           1
+  fsnotify_put_mark           0
+  via destroy_list
+    fsnotify_mark_destroy    -1
+
+This was reported by various people as triggering Oops when stopping auditd.
+
+We could just remove the put_mark from audit_tree_freeing_mark() but that would
+break freeing via inode destruction.  So this patch simply omits a put_mark
+after calling destroy_mark or adds a get_mark before.
+
+The additional get_mark is necessary where there's no other put_mark after
+fsnotify_destroy_mark() since it assumes that the caller is holding a reference
+(or the inode is keeping the mark pinned, not the case here AFAICS).
+
+Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+Reported-by: Valentin Avram <aval13@gmail.com>
+Reported-by: Peter Moody <pmoody@google.com>
+Acked-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_tree.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -250,7 +250,6 @@ static void untag_chunk(struct node *p)
+               spin_unlock(&hash_lock);
+               spin_unlock(&entry->lock);
+               fsnotify_destroy_mark(entry);
+-              fsnotify_put_mark(entry);
+               goto out;
+       }
+@@ -293,7 +292,6 @@ static void untag_chunk(struct node *p)
+       spin_unlock(&hash_lock);
+       spin_unlock(&entry->lock);
+       fsnotify_destroy_mark(entry);
+-      fsnotify_put_mark(entry);
+       goto out;
+ Fallback:
+@@ -332,6 +330,7 @@ static int create_chunk(struct inode *in
+               spin_unlock(&hash_lock);
+               chunk->dead = 1;
+               spin_unlock(&entry->lock);
++              fsnotify_get_mark(entry);
+               fsnotify_destroy_mark(entry);
+               fsnotify_put_mark(entry);
+               return 0;
+@@ -412,6 +411,7 @@ static int tag_chunk(struct inode *inode
+               spin_unlock(&chunk_entry->lock);
+               spin_unlock(&old_entry->lock);
++              fsnotify_get_mark(chunk_entry);
+               fsnotify_destroy_mark(chunk_entry);
+               fsnotify_put_mark(chunk_entry);
+@@ -445,7 +445,6 @@ static int tag_chunk(struct inode *inode
+       spin_unlock(&old_entry->lock);
+       fsnotify_destroy_mark(old_entry);
+       fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */
+-      fsnotify_put_mark(old_entry); /* and kill it */
+       return 0;
+ }
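Review bot: The added `fsnotify_get_mark(entry);` and `fsnotify_get_mark(chunk_entry);` lines in create_chunk() and tag_chunk() read as unexplained extra references, and they sit asymmetrically with the put lines dropped in untag_chunk() and at the end of tag_chunk(); the reason (fsnotify_destroy_mark() drops the mark's own reference through audit_tree_freeing_mark(), so the caller must hold one across the destroy/put pair) lives only in the description. Suggest annotating each added get, e.g. `fsnotify_get_mark(entry); /* destroy_mark() drops a ref via audit_tree_freeing_mark(); keep one for the put below */`, and rewording the surviving put in tag_chunk() as `/* pair to fsnotify_find mark_entry; destroy_mark already dropped the chunk's own ref */`. Every hunk here lies inside a function that starts and ends outside the patch, so the balance with the fsnotify_find lookup referenced in the retained comment and with the inode-destruction path cannot be checked from this view.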
diff --git a/queue-3.5/drm-stop-vmgfx-driver-explosion.patch b/queue-3.5/drm-stop-vmgfx-driver-explosion.patch
new file mode 100644 (file)
index 0000000..5ed636f
--- /dev/null
@@ -0,0 +1,51 @@
+From f5869a8308f77e3dfdc2e3640842b285aa788ff8 Mon Sep 17 00:00:00 2001
+From: Alan Cox <alan@linux.intel.com>
+Date: Mon, 20 Aug 2012 14:44:52 +0000
+Subject: drm: stop vmgfx driver explosion
+
+From: Alan Cox <alan@linux.intel.com>
+
+commit f5869a8308f77e3dfdc2e3640842b285aa788ff8 upstream.
+
+If you do a page flip with no flags set then event is NULL. If event is
+NULL then the vmw_gfx driver likes to go digging into NULL and extracts
+NULL->base.file_priv.
+
+On a modern kernel with NULL mapping protection it's just another oops,
+without it there are some "intriguing" possibilities.
+
+What it should do is an open question but that for the driver owners to
+sort out.
+
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -1688,15 +1688,19 @@ int vmw_du_page_flip(struct drm_crtc *cr
+       struct vmw_private *dev_priv = vmw_priv(crtc->dev);
+       struct drm_framebuffer *old_fb = crtc->fb;
+       struct vmw_framebuffer *vfb = vmw_framebuffer_to_vfb(fb);
+-      struct drm_file *file_priv = event->base.file_priv;
++      struct drm_file *file_priv ;
+       struct vmw_fence_obj *fence = NULL;
+       struct drm_clip_rect clips;
+       int ret;
++      if (event == NULL)
++              return -EINVAL;
++
+       /* require ScreenObject support for page flipping */
+       if (!dev_priv->sou_priv)
+               return -ENOSYS;
++      file_priv = event->base.file_priv;
+       if (!vmw_kms_screen_object_flippable(dev_priv, crtc))
+               return -EINVAL;
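Review bot: `struct drm_file *file_priv ;` carries a stray space before the semicolon and should read `struct drm_file *file_priv;`. The added `if (event == NULL) return -EINVAL;` also rejects every flip requested without the page-flip event flag, not only the NULL dereference the commit message describes, and the message itself leaves that behaviour as an open question, so the check deserves a comment making the choice explicit, e.g. `/* event is NULL when the flip was requested without DRM_MODE_PAGE_FLIP_EVENT; an event-less flip is not supported here */`. Because the new check runs before the ScreenObject test, a device without sou_priv now reports -EINVAL instead of -ENOSYS for an event-less flip, which is presumably acceptable but changes the error userspace sees. vmw_du_page_flip() continues past the end of this hunk.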
diff --git a/queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch b/queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch
new file mode 100644 (file)
index 0000000..e09aad4
--- /dev/null
@@ -0,0 +1,41 @@
+From 676bc2e1e4f9072f7a640d5b7c99ffdf9709a6e7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 21 Aug 2012 09:55:01 -0400
+Subject: Revert "drm/radeon: fix bo creation retry path"
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 676bc2e1e4f9072f7a640d5b7c99ffdf9709a6e7 upstream.
+
+This reverts commit d1c7871ddb1f588b8eb35affd9ee1a3d5e11cd0c.
+
+ttm_bo_init() destroys the BO on failure. So this patch makes
+the retry path work with freed memory.  This ends up causing
+kernel panics when this path is hit.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_object.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_object.c
++++ b/drivers/gpu/drm/radeon/radeon_object.c
+@@ -138,6 +138,7 @@ int radeon_bo_create(struct radeon_devic
+       acc_size = ttm_bo_dma_acc_size(&rdev->mman.bdev, size,
+                                      sizeof(struct radeon_bo));
++retry:
+       bo = kzalloc(sizeof(struct radeon_bo), GFP_KERNEL);
+       if (bo == NULL)
+               return -ENOMEM;
+@@ -151,8 +152,6 @@ int radeon_bo_create(struct radeon_devic
+       bo->surface_reg = -1;
+       INIT_LIST_HEAD(&bo->list);
+       INIT_LIST_HEAD(&bo->va);
+-
+-retry:
+       radeon_ttm_placement_from_domain(bo, domain);
+       /* Kernel allocation are uninterruptible */
+       mutex_lock(&rdev->vram_mutex);
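Review bot: Moving `retry:` above `bo = kzalloc(...)` is right given that ttm_bo_init() destroys the BO on failure, but nothing at the label says so, and the `goto retry` that reaches it lies outside this hunk, so the per-attempt re-allocation looks like a leak at first read. Suggest `retry: /* ttm_bo_init() frees bo on failure, so each attempt needs a fresh allocation */` on the label line. The acc_size computation above the label is attempt-invariant and is rightly kept out of the loop. radeon_bo_create() begins and ends outside the hunk.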
index 7b2c058890362cc04235dc7360db5b14248eba57..31c887fefe814aece0644d8328a3ce1c98f5a236 100644 (file)
@@ -40,3 +40,7 @@ bluetooth-fix-using-a-null-inquiry-cache-entry.patch
 bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch
 bluetooth-fix-legacy-pairing-with-some-devices.patch
 nfs-alias-the-nfs-module-to-nfs4.patch
+audit-don-t-free_chunk-after-fsnotify_add_mark.patch
+audit-fix-refcounting-in-audit-tree.patch
+drm-stop-vmgfx-driver-explosion.patch
+revert-drm-radeon-fix-bo-creation-retry-path.patch