From 82b3f164feaaa62a62bbb9f3df4fb2eca811dc8e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 1 Sep 2021 13:40:31 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch
---
 ...rim_trees-refcount-underflow-and-uaf.patch | 57 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 queue-5.4/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch

diff --git a/queue-5.4/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch b/queue-5.4/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch
new file mode 100644
index 00000000000..e5d288a8184
--- /dev/null
+++ b/queue-5.4/audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch
@@ -0,0 +1,57 @@
+From 67d69e9d1a6c889d98951c1d74b19332ce0565af Mon Sep 17 00:00:00 2001
+From: Richard Guy Briggs
+Date: Mon, 23 Aug 2021 22:04:09 -0400
+Subject: audit: move put_tree() to avoid trim_trees refcount underflow and UAF
+
+From: Richard Guy Briggs
+
+commit 67d69e9d1a6c889d98951c1d74b19332ce0565af upstream.
+
+AUDIT_TRIM is expected to be idempotent, but multiple executions resulted
+in a refcount underflow and use-after-free.
+
+git bisect fingered commit fb041bb7c0a9 ("locking/refcount: Consolidate
+implementations of refcount_t") but this patch with its more thorough
+checking that wasn't in the x86 assembly code merely exposed a previously
+existing tree refcount imbalance in the case of tree trimming code that
+was refactored with prune_one() to remove a tree introduced in
+commit 8432c7006297 ("audit: Simplify locking around untag_chunk()")
+
+Move the put_tree() to cover only the prune_one() case.
+
+Passes audit-testsuite and 3 passes of "auditctl -t" with at least one
+directory watch.
+
+Cc: Jan Kara
+Cc: Will Deacon
+Cc: Alexander Viro
+Cc: Seiji Nishikawa
+Cc: stable@vger.kernel.org
+Fixes: 8432c7006297 ("audit: Simplify locking around untag_chunk()")
+Signed-off-by: Richard Guy Briggs
+Reviewed-by: Jan Kara
+[PM: reformatted/cleaned-up the commit description]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/audit_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit_tree.c
++++ b/kernel/audit_tree.c
+@@ -595,7 +595,6 @@ static void prune_tree_chunks(struct aud
+ spin_lock(&hash_lock);
+ }
+ spin_unlock(&hash_lock);
+- put_tree(victim);
+ }
+ 
+ /*
+@@ -604,6 +603,7 @@ static void prune_tree_chunks(struct aud
+ static void prune_one(struct audit_tree *victim)
+ {
+ prune_tree_chunks(victim, false);
++ put_tree(victim);
+ }
+ 
+ /* trim the uncommitted chunks from tree */
diff --git a/queue-5.4/series b/queue-5.4/series
index e57679e6490..b00d4bb56e0 100644
--- a/queue-5.4/series
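Review bot: The reference-ownership contract that this backport restores is left implicit in the code itself: on the new side `put_tree(victim)` moves from the tail of prune_tree_chunks() into prune_one(), so prune_tree_chunks() no longer consumes the caller's tree reference and prune_one() does, yet neither function says so in a comment. The commit description shows that the same imbalance slipped in once before when the put was hoisted into the shared helper, and with refcount_t saturation checks it surfaces as an underflow warning followed by a use-after-free, so a one-line comment is the cheapest guard against a repeat. I would add `/* Drops the caller's reference to victim; prune_tree_chunks() itself does not. */` above prune_one(), and `/* Does not drop the tree reference; the caller is responsible for it. */` above prune_tree_chunks(). prune_tree_chunks() begins before the inner hunk and any other caller of it is outside this patch, so whether their reference accounting is consistent with the new contract is taken from the commit description rather than from visible code.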
+++ b/queue-5.4/series
@@ -45,3 +45,4 @@ btrfs-fix-null-pointer-dereference-when-deleting-device-by-invalid-id.patch
 revert-floppy-reintroduce-o_ndelay-fix.patch
 revert-parisc-add-assembly-implementations-for-memset-strlen-strcpy-strncpy-and-strcat.patch
 net-don-t-unconditionally-copy_from_user-a-struct-ifreq-for-socket-ioctls.patch
+audit-move-put_tree-to-avoid-trim_trees-refcount-underflow-and-uaf.patch
-- 
2.47.3