--- /dev/null
+From d76036ab47eafa6ce52b69482e91ca3ba337d6d6 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 15 Aug 2017 13:00:36 +0200
+Subject: audit: Fix use after free in audit_remove_watch_rule()
+
+From: Jan Kara <jack@suse.cz>
+
+commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.
+
+audit_remove_watch_rule() drops watch's reference to parent but then
+continues to work with it. That is not safe as parent can get freed once
+we drop our reference. The following is a trivial reproducer:
+
+mount -o loop image /mnt
+touch /mnt/file
+auditctl -w /mnt/file -p wax
+umount /mnt
+auditctl -D
+<crash in fsnotify_destroy_mark()>
+
+Grab our own reference in audit_remove_watch_rule() earlier to make sure
+mark does not get freed under us.
+
+Reported-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_watch.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -455,13 +455,15 @@ void audit_remove_watch_rule(struct audi
+ list_del(&krule->rlist);
+
+ if (list_empty(&watch->rules)) {
++ /*
++ * audit_remove_watch() drops our reference to 'parent' which
++ * can get freed. Grab our own reference to be safe.
++ */
++ audit_get_parent(parent);
+ audit_remove_watch(watch);
+-
+- if (list_empty(&parent->watches)) {
+- audit_get_parent(parent);
++ if (list_empty(&parent->watches))
+ fsnotify_destroy_mark(&parent->mark, audit_watch_group);
+- audit_put_parent(parent);
+- }
++ audit_put_parent(parent);
+ }
+ }
+
--- /dev/null
+From 4098116039911e8870d84c975e2ec22dab65a909 Mon Sep 17 00:00:00 2001
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Date: Sat, 12 Aug 2017 23:36:47 +0200
+Subject: parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+commit 4098116039911e8870d84c975e2ec22dab65a909 upstream.
+
+For 64bit kernels the lmmio_space_offset of the host bridge window
+isn't set correctly on systems with dino/cujo PCI host bridges.
+This leads to not assigned memory bars and failing drivers, which
+need to use these bars.
+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Acked-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parisc/dino.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -954,7 +954,7 @@ static int __init dino_probe(struct pari
+
+ dino_dev->hba.dev = dev;
+ dino_dev->hba.base_addr = ioremap_nocache(hpa, 4096);
+- dino_dev->hba.lmmio_space_offset = 0; /* CPU addrs == bus addrs */
++ dino_dev->hba.lmmio_space_offset = PCI_F_EXTEND;
+ spin_lock_init(&dino_dev->dinosaur_pen);
+ dino_dev->hba.iommu = ccio_get_iommu(dev);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
