From bde81e5ee043ad659c260f7a184b9aa6693a7d98 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 18 Aug 2017 16:38:14 -0700
Subject: [PATCH] 3.18-stable patches

added patches:
	audit-fix-use-after-free-in-audit_remove_watch_rule.patch
	parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
---
 ...fter-free-in-audit_remove_watch_rule.patch | 56 +++++++++++++++++++
 ...ails-with-64bit-kernels-on-dino-cujo.patch | 34 +++++++++++
 queue-3.18/series                             |  2 +
 3 files changed, 92 insertions(+)
 create mode 100644 queue-3.18/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
 create mode 100644 queue-3.18/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch

diff --git a/queue-3.18/audit-fix-use-after-free-in-audit_remove_watch_rule.patch b/queue-3.18/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
new file mode 100644
index 00000000000..d621cede46c
--- /dev/null
+++ b/queue-3.18/audit-fix-use-after-free-in-audit_remove_watch_rule.patch
@@ -0,0 +1,56 @@
+From d76036ab47eafa6ce52b69482e91ca3ba337d6d6 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 15 Aug 2017 13:00:36 +0200
+Subject: audit: Fix use after free in audit_remove_watch_rule()
+
+From: Jan Kara <jack@suse.cz>
+
+commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.
+
+audit_remove_watch_rule() drops watch's reference to parent but then
+continues to work with it. That is not safe as parent can get freed once
+we drop our reference. The following is a trivial reproducer:
+
+mount -o loop image /mnt
+touch /mnt/file
+auditctl -w /mnt/file -p wax
+umount /mnt
+auditctl -D
+<crash in fsnotify_destroy_mark()>
+
+Grab our own reference in audit_remove_watch_rule() earlier to make sure
+mark does not get freed under us.
+
+Reported-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: Tony Jones <tonyj@suse.de>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit_watch.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit_watch.c
++++ b/kernel/audit_watch.c
+@@ -455,13 +455,15 @@ void audit_remove_watch_rule(struct audi
+ 	list_del(&krule->rlist);
+ 
+ 	if (list_empty(&watch->rules)) {
++		/*
++		 * audit_remove_watch() drops our reference to 'parent' which
++		 * can get freed. Grab our own reference to be safe.
++		 */
++		audit_get_parent(parent);
+ 		audit_remove_watch(watch);
+-
+-		if (list_empty(&parent->watches)) {
+-			audit_get_parent(parent);
++		if (list_empty(&parent->watches))
+ 			fsnotify_destroy_mark(&parent->mark, audit_watch_group);
+-			audit_put_parent(parent);
+-		}
++		audit_put_parent(parent);
+ 	}
+ }
+ 
diff --git a/queue-3.18/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch b/queue-3.18/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
new file mode 100644
index 00000000000..83169417995
--- /dev/null
+++ b/queue-3.18/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
@@ -0,0 +1,34 @@
+From 4098116039911e8870d84c975e2ec22dab65a909 Mon Sep 17 00:00:00 2001
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Date: Sat, 12 Aug 2017 23:36:47 +0200
+Subject: parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+commit 4098116039911e8870d84c975e2ec22dab65a909 upstream.
+
+For 64bit kernels the lmmio_space_offset of the host bridge window
+isn't set correctly on systems with dino/cujo PCI host bridges.
+This leads to not assigned memory bars and failing drivers, which
+need to use these bars.
+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Acked-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parisc/dino.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -954,7 +954,7 @@ static int __init dino_probe(struct pari
+ 
+ 	dino_dev->hba.dev = dev;
+ 	dino_dev->hba.base_addr = ioremap_nocache(hpa, 4096);
+-	dino_dev->hba.lmmio_space_offset = 0;	/* CPU addrs == bus addrs */
++	dino_dev->hba.lmmio_space_offset = PCI_F_EXTEND;
+ 	spin_lock_init(&dino_dev->dinosaur_pen);
+ 	dino_dev->hba.iommu = ccio_get_iommu(dev);
+ 
diff --git a/queue-3.18/series b/queue-3.18/series
index 37e89266b24..ca63ad4f41c 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1 +1,3 @@
 netfilter-nf_ct_ext-fix-possible-panic-after-nf_ct_extend_unregister.patch
+audit-fix-use-after-free-in-audit_remove_watch_rule.patch
+parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch
-- 
2.47.3