--- /dev/null
+From 26ef8493e1ab771cb01d27defca2fa1315dc3980 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Wed, 8 Jan 2020 21:07:32 +0900
+Subject: btrfs: fix memory leak in qgroup accounting
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 26ef8493e1ab771cb01d27defca2fa1315dc3980 upstream.
+
+When running xfstests on the current btrfs I get the following splat from
+kmemleak:
+
+unreferenced object 0xffff88821b2404e0 (size 32):
+ comm "kworker/u4:7", pid 26663, jiffies 4295283698 (age 8.776s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 10 ff fd 26 82 88 ff ff ...........&....
+ 10 ff fd 26 82 88 ff ff 20 ff fd 26 82 88 ff ff ...&.... ..&....
+ backtrace:
+ [<00000000f94fd43f>] ulist_alloc+0x25/0x60 [btrfs]
+ [<00000000fd023d99>] btrfs_find_all_roots_safe+0x41/0x100 [btrfs]
+ [<000000008f17bd32>] btrfs_find_all_roots+0x52/0x70 [btrfs]
+ [<00000000b7660afb>] btrfs_qgroup_rescan_worker+0x343/0x680 [btrfs]
+ [<0000000058e66778>] btrfs_work_helper+0xac/0x1e0 [btrfs]
+ [<00000000f0188930>] process_one_work+0x1cf/0x350
+ [<00000000af5f2f8e>] worker_thread+0x28/0x3c0
+ [<00000000b55a1add>] kthread+0x109/0x120
+ [<00000000f88cbd17>] ret_from_fork+0x35/0x40
+
+This corresponds to:
+
+ (gdb) l *(btrfs_find_all_roots_safe+0x41)
+ 0x8d7e1 is in btrfs_find_all_roots_safe (fs/btrfs/backref.c:1413).
+ 1408
+ 1409 tmp = ulist_alloc(GFP_NOFS);
+ 1410 if (!tmp)
+ 1411 return -ENOMEM;
+ 1412 *roots = ulist_alloc(GFP_NOFS);
+ 1413 if (!*roots) {
+ 1414 ulist_free(tmp);
+ 1415 return -ENOMEM;
+ 1416 }
+ 1417
+
+Following the lifetime of the allocated 'roots' ulist, it gets freed
+again in btrfs_qgroup_account_extent().
+
+But this does not happen if the function is called with the
+'BTRFS_FS_QUOTA_ENABLED' flag cleared, then btrfs_qgroup_account_extent()
+does a short leave and directly returns.
+
+Instead of directly returning we should jump to the 'out_free' in order to
+free all resources as expected.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+[ add comment ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/qgroup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -1928,8 +1928,12 @@ btrfs_qgroup_account_extent(struct btrfs
+ u64 nr_old_roots = 0;
+ int ret = 0;
+
++ /*
++ * If quotas get disabled meanwhile, the resouces need to be freed and
++ * we can't just exit here.
++ */
+ if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags))
+- return 0;
++ goto out_free;
+
+ if (new_roots) {
+ if (!maybe_fs_roots(new_roots))
--- /dev/null
+From 6d9e8c651dd979aa666bee15f086745f3ea9c4b3 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Mon, 13 Jan 2020 16:29:23 -0800
+Subject: mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+commit 6d9e8c651dd979aa666bee15f086745f3ea9c4b3 upstream.
+
+Patch series "use div64_ul() instead of div_u64() if the divisor is
+unsigned long".
+
+We were first inspired by commit b0ab99e7736a ("sched: Fix possible divide
+by zero in avg_atom () calculation"), then refer to the recently analyzed
+mm code, we found this suspicious place.
+
+ 201 if (min) {
+ 202 min *= this_bw;
+ 203 do_div(min, tot_bw);
+ 204 }
+
+And we also disassembled and confirmed it:
+
+ /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 201
+ 0xffffffff811c37da <__wb_calc_thresh+234>: xor %r10d,%r10d
+ 0xffffffff811c37dd <__wb_calc_thresh+237>: test %rax,%rax
+ 0xffffffff811c37e0 <__wb_calc_thresh+240>: je 0xffffffff811c3800 <__wb_calc_thresh+272>
+ /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 202
+ 0xffffffff811c37e2 <__wb_calc_thresh+242>: imul %r8,%rax
+ /usr/src/debug/kernel-4.9.168-016.ali3000/linux-4.9.168-016.ali3000.alios7.x86_64/mm/page-writeback.c: 203
+ 0xffffffff811c37e6 <__wb_calc_thresh+246>: mov %r9d,%r10d ---> truncates it to 32 bits here
+ 0xffffffff811c37e9 <__wb_calc_thresh+249>: xor %edx,%edx
+ 0xffffffff811c37eb <__wb_calc_thresh+251>: div %r10
+ 0xffffffff811c37ee <__wb_calc_thresh+254>: imul %rbx,%rax
+ 0xffffffff811c37f2 <__wb_calc_thresh+258>: shr $0x2,%rax
+ 0xffffffff811c37f6 <__wb_calc_thresh+262>: mul %rcx
+ 0xffffffff811c37f9 <__wb_calc_thresh+265>: shr $0x2,%rdx
+ 0xffffffff811c37fd <__wb_calc_thresh+269>: mov %rdx,%r10
+
+This series uses div64_ul() instead of div_u64() if the divisor is
+unsigned long, to avoid truncation to 32-bit on 64-bit platforms.
+
+This patch (of 3):
+
+The variables 'min' and 'max' are unsigned long and do_div truncates
+them to 32 bits, which means it can test non-zero and be truncated to
+zero for division. Fix this issue by using div64_ul() instead.
+
+Link: http://lkml.kernel.org/r/20200102081442.8273-2-wenyang@linux.alibaba.com
+Fixes: 693108a8a667 ("writeback: make bdi->min/max_ratio handling cgroup writeback aware")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page-writeback.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -201,11 +201,11 @@ static void wb_min_max_ratio(struct bdi_
+ if (this_bw < tot_bw) {
+ if (min) {
+ min *= this_bw;
+- do_div(min, tot_bw);
++ min = div64_ul(min, tot_bw);
+ }
+ if (max < 100) {
+ max *= this_bw;
+- do_div(max, tot_bw);
++ max = div64_ul(max, tot_bw);
+ }
+ }
+
--- /dev/null
+From 991589974d9c9ecb24ee3799ec8c415c730598a2 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Mon, 13 Jan 2020 16:29:13 -0800
+Subject: mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment
+
+From: Kirill A. Shutemov <kirill@shutemov.name>
+
+commit 991589974d9c9ecb24ee3799ec8c415c730598a2 upstream.
+
+Shmem/tmpfs tries to provide THP-friendly mappings if huge pages are
+enabled. But it doesn't work well with above-47bit hint address.
+
+Normally, the kernel doesn't create userspace mappings above 47-bit,
+even if the machine allows this (such as with 5-level paging on x86-64).
+Not all user space is ready to handle wide addresses. It's known that
+at least some JIT compilers use higher bits in pointers to encode their
+information.
+
+Userspace can ask for allocation from full address space by specifying
+hint address (with or without MAP_FIXED) above 47-bits. If the
+application doesn't need a particular address, but wants to allocate
+from whole address space it can specify -1 as a hint address.
+
+Unfortunately, this trick breaks THP alignment in shmem/tmp:
+shmem_get_unmapped_area() would not try to allocate PMD-aligned area if
+*any* hint address specified.
+
+This can be fixed by requesting the aligned area if the we failed to
+allocated at user-specified hint address. The request with inflated
+length will also take the user-specified hint address. This way we will
+not lose an allocation request from the full address space.
+
+[kirill@shutemov.name: fold in a fixup]
+ Link: http://lkml.kernel.org/r/20191223231309.t6bh5hkbmokihpfu@box
+Link: http://lkml.kernel.org/r/20191220142548.7118-3-kirill.shutemov@linux.intel.com
+Fixes: b569bab78d8d ("x86/mm: Prepare to expose larger address space to userspace")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: "Willhalm, Thomas" <thomas.willhalm@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: "Bruggeman, Otto G" <otto.g.bruggeman@intel.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2052,9 +2052,10 @@ unsigned long shmem_get_unmapped_area(st
+ /*
+ * Our priority is to support MAP_SHARED mapped hugely;
+ * and support MAP_PRIVATE mapped hugely too, until it is COWed.
+- * But if caller specified an address hint, respect that as before.
++ * But if caller specified an address hint and we allocated area there
++ * successfully, respect that as before.
+ */
+- if (uaddr)
++ if (uaddr == addr)
+ return addr;
+
+ if (shmem_huge != SHMEM_HUGE_FORCE) {
+@@ -2088,7 +2089,7 @@ unsigned long shmem_get_unmapped_area(st
+ if (inflated_len < len)
+ return addr;
+
+- inflated_addr = get_area(NULL, 0, inflated_len, 0, flags);
++ inflated_addr = get_area(NULL, uaddr, inflated_len, 0, flags);
+ if (IS_ERR_VALUE(inflated_addr))
+ return addr;
+ if (inflated_addr & ~PAGE_MASK)
--- /dev/null
+From 8605131747e7e1fd8f6c9f97a00287aae2b2c640 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Wed, 18 Dec 2019 11:17:41 +0100
+Subject: net: stmmac: 16KB buffer must be 16 byte aligned
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+commit 8605131747e7e1fd8f6c9f97a00287aae2b2c640 upstream.
+
+The 16KB RX Buffer must also be 16 byte aligned. Fix it.
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -338,9 +338,8 @@ struct dma_features {
+ unsigned int rx_fifo_size;
+ };
+
+-/* GMAC TX FIFO is 8K, Rx FIFO is 16K */
+-#define BUF_SIZE_16KiB 16384
+-/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */
++/* RX Buffer size must be multiple of 4/8/16 bytes */
++#define BUF_SIZE_16KiB 16368
+ #define BUF_SIZE_8KiB 8188
+ #define BUF_SIZE_4KiB 4096
+ #define BUF_SIZE_2KiB 2048
--- /dev/null
+From b2f3a481c4cd62f78391b836b64c0a6e72b503d2 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Wed, 18 Dec 2019 11:17:42 +0100
+Subject: net: stmmac: Enable 16KB buffer size
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+commit b2f3a481c4cd62f78391b836b64c0a6e72b503d2 upstream.
+
+XGMAC supports maximum MTU that can go to 16KB. Lets add this check in
+the calculation of RX buffer size.
+
+Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver")
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1043,7 +1043,9 @@ static int stmmac_set_bfsize(int mtu, in
+ {
+ int ret = bufsize;
+
+- if (mtu >= BUF_SIZE_4KiB)
++ if (mtu >= BUF_SIZE_8KiB)
++ ret = BUF_SIZE_16KiB;
++ else if (mtu >= BUF_SIZE_4KiB)
+ ret = BUF_SIZE_8KiB;
+ else if (mtu >= BUF_SIZE_2KiB)
+ ret = BUF_SIZE_4KiB;
--- /dev/null
+From 55347ec340af401437680fd0e88df6739a967f9f Mon Sep 17 00:00:00 2001
+From: Yuya Fujita <fujita.yuya@fujitsu.com>
+Date: Thu, 19 Dec 2019 08:08:32 +0000
+Subject: perf hists: Fix variable name's inconsistency in hists__for_each() macro
+
+From: Yuya Fujita <fujita.yuya@fujitsu.com>
+
+commit 55347ec340af401437680fd0e88df6739a967f9f upstream.
+
+Variable names are inconsistent in hists__for_each macro().
+
+Due to this inconsistency, the macro replaces its second argument with
+"fmt" regardless of its original name.
+
+So far it works because only "fmt" is passed to the second argument.
+However, this behavior is not expected and should be fixed.
+
+Fixes: f0786af536bb ("perf hists: Introduce hists__for_each_format macro")
+Fixes: aa6f50af822a ("perf hists: Introduce hists__for_each_sort_list macro")
+Signed-off-by: Yuya Fujita <fujita.yuya@fujitsu.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/OSAPR01MB1588E1C47AC22043175DE1B2E8520@OSAPR01MB1588.jpnprd01.prod.outlook.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/hist.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/hist.h
++++ b/tools/perf/util/hist.h
+@@ -317,10 +317,10 @@ static inline void perf_hpp__prepend_sor
+ list_for_each_entry_safe(format, tmp, &(_list)->sorts, sort_list)
+
+ #define hists__for_each_format(hists, format) \
+- perf_hpp_list__for_each_format((hists)->hpp_list, fmt)
++ perf_hpp_list__for_each_format((hists)->hpp_list, format)
+
+ #define hists__for_each_sort_list(hists, format) \
+- perf_hpp_list__for_each_sort_list((hists)->hpp_list, fmt)
++ perf_hpp_list__for_each_sort_list((hists)->hpp_list, format)
+
+ extern struct perf_hpp_fmt perf_hpp__format[];
+
--- /dev/null
+From 0feba17bd7ee3b7e03d141f119049dcc23efa94e Mon Sep 17 00:00:00 2001
+From: Jin Yao <yao.jin@linux.intel.com>
+Date: Fri, 20 Dec 2019 09:37:19 +0800
+Subject: perf report: Fix incorrectly added dimensions as switch perf data file
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+commit 0feba17bd7ee3b7e03d141f119049dcc23efa94e upstream.
+
+We observed an issue that was some extra columns displayed after switching
+perf data file in browser. The steps to reproduce:
+
+1. perf record -a -e cycles,instructions -- sleep 3
+2. perf report --group
+3. In browser, we use hotkey 's' to switch to another perf.data
+4. Now in browser, the extra columns 'Self' and 'Children' are displayed.
+
+The issue is setup_sorting() executed again after repeat path, so dimensions
+are added again.
+
+This patch checks the last key returned from __cmd_report(). If it's
+K_SWITCH_INPUT_DATA, skips the setup_sorting().
+
+Fixes: ad0de0971b7f ("perf report: Enable the runtime switching of perf data file")
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Feng Tang <feng.tang@intel.com>
+Cc: Jin Yao <yao.jin@intel.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/20191220013722.20592-1-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/builtin-report.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -742,6 +742,7 @@ int cmd_report(int argc, const char **ar
+ struct stat st;
+ bool has_br_stack = false;
+ int branch_mode = -1;
++ int last_key = 0;
+ bool branch_call_mode = false;
+ char callchain_default_opt[] = CALLCHAIN_DEFAULT_OPT;
+ const char * const report_usage[] = {
+@@ -1048,7 +1049,8 @@ repeat:
+ else
+ use_browser = 0;
+
+- if (setup_sorting(session->evlist) < 0) {
++ if ((last_key != K_SWITCH_INPUT_DATA) &&
++ (setup_sorting(session->evlist) < 0)) {
+ if (sort_order)
+ parse_options_usage(report_usage, options, "s", 1);
+ if (field_order)
+@@ -1108,6 +1110,7 @@ repeat:
+ ret = __cmd_report(&report);
+ if (ret == K_SWITCH_INPUT_DATA) {
+ perf_session__delete(session);
++ last_key = K_SWITCH_INPUT_DATA;
+ goto repeat;
+ } else
+ ret = 0;
--- /dev/null
+From 6b3ad6649a4c75504edeba242d3fd36b3096a57f Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 15 Jan 2020 14:42:34 +0100
+Subject: ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
+
+From: Christian Brauner <christian.brauner@ubuntu.com>
+
+commit 6b3ad6649a4c75504edeba242d3fd36b3096a57f upstream.
+
+Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
+introduced the ability to opt out of audit messages for accesses to various
+proc files since they are not violations of policy. While doing so it
+somehow switched the check from ns_capable() to
+has_ns_capability{_noaudit}(). That means it switched from checking the
+subjective credentials of the task to using the objective credentials. This
+is wrong since. ptrace_has_cap() is currently only used in
+ptrace_may_access() And is used to check whether the calling task (subject)
+has the CAP_SYS_PTRACE capability in the provided user namespace to operate
+on the target task (object). According to the cred.h comments this would
+mean the subjective credentials of the calling task need to be used.
+This switches ptrace_has_cap() to use security_capable(). Because we only
+call ptrace_has_cap() in ptrace_may_access() and in there we already have a
+stable reference to the calling task's creds under rcu_read_lock() there's
+no need to go through another series of dereferences and rcu locking done
+in ns_capable{_noaudit}().
+
+As one example where this might be particularly problematic, Jann pointed
+out that in combination with the upcoming IORING_OP_OPENAT feature, this
+bug might allow unprivileged users to bypass the capability checks while
+asynchronously opening files like /proc/*/mem, because the capability
+checks for this would be performed against kernel credentials.
+
+To illustrate on the former point about this being exploitable: When
+io_uring creates a new context it records the subjective credentials of the
+caller. Later on, when it starts to do work it creates a kernel thread and
+registers a callback. The callback runs with kernel creds for
+ktask->real_cred and ktask->cred. To prevent this from becoming a
+full-blown 0-day io_uring will call override_cred() and override
+ktask->cred with the subjective credentials of the creator of the io_uring
+instance. With ptrace_has_cap() currently looking at ktask->real_cred this
+override will be ineffective and the caller will be able to open arbitray
+proc files as mentioned above.
+Luckily, this is currently not exploitable but will turn into a 0-day once
+IORING_OP_OPENAT{2} land in v5.6. Fix it now!
+
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -258,12 +258,17 @@ static int ptrace_check_attach(struct ta
+ return ret;
+ }
+
+-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
++static bool ptrace_has_cap(const struct cred *cred, struct user_namespace *ns,
++ unsigned int mode)
+ {
++ int ret;
++
+ if (mode & PTRACE_MODE_NOAUDIT)
+- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
++ ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT);
+ else
+- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
++ ret = security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE);
++
++ return ret == 0;
+ }
+
+ /* Returns 0 on success, -errno on denial. */
+@@ -315,7 +320,7 @@ static int __ptrace_may_access(struct ta
+ gid_eq(caller_gid, tcred->sgid) &&
+ gid_eq(caller_gid, tcred->gid))
+ goto ok;
+- if (ptrace_has_cap(tcred->user_ns, mode))
++ if (ptrace_has_cap(cred, tcred->user_ns, mode))
+ goto ok;
+ rcu_read_unlock();
+ return -EPERM;
+@@ -334,7 +339,7 @@ ok:
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
++ !ptrace_has_cap(cred, mm->user_ns, mode)))
+ return -EPERM;
+
+ return security_ptrace_access_check(task, mode);
usb-serial-quatech2-handle-unbound-ports.patch
scsi-fnic-fix-invalid-stack-access.patch
scsi-mptfusion-fix-double-fetch-bug-in-ioctl.patch
+ptrace-reintroduce-usage-of-subjective-credentials-in-ptrace_has_cap.patch
+usb-core-hub-improved-device-recognition-on-remote-wakeup.patch
+x86-resctrl-fix-an-imbalance-in-domain_remove_cpu.patch
+x86-efistub-disable-paging-at-mixed-mode-entry.patch
+perf-hists-fix-variable-name-s-inconsistency-in-hists__for_each-macro.patch
+perf-report-fix-incorrectly-added-dimensions-as-switch-perf-data-file.patch
+mm-shmem.c-thp-shmem-fix-conflict-of-above-47bit-hint-address-and-pmd-alignment.patch
+btrfs-fix-memory-leak-in-qgroup-accounting.patch
+mm-page-writeback.c-avoid-potential-division-by-zero-in-wb_min_max_ratio.patch
+net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch
+net-stmmac-enable-16kb-buffer-size.patch
--- /dev/null
+From 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 Mon Sep 17 00:00:00 2001
+From: Keiya Nobuta <nobuta.keiya@fujitsu.com>
+Date: Thu, 9 Jan 2020 14:14:48 +0900
+Subject: usb: core: hub: Improved device recognition on remote wakeup
+
+From: Keiya Nobuta <nobuta.keiya@fujitsu.com>
+
+commit 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 upstream.
+
+If hub_activate() is called before D+ has stabilized after remote
+wakeup, the following situation might occur:
+
+ __ ___________________
+ / \ /
+D+ __/ \__/
+
+Hub _______________________________
+ | ^ ^ ^
+ | | | |
+Host _____v__|___|___________|______
+ | | | |
+ | | | \-- Interrupt Transfer (*3)
+ | | \-- ClearPortFeature (*2)
+ | \-- GetPortStatus (*1)
+ \-- Host detects remote wakeup
+
+- D+ goes high, Host starts running by remote wakeup
+- D+ is not stable, goes low
+- Host requests GetPortStatus at (*1) and gets the following hub status:
+ - Current Connect Status bit is 0
+ - Connect Status Change bit is 1
+- D+ stabilizes, goes high
+- Host requests ClearPortFeature and thus Connect Status Change bit is
+ cleared at (*2)
+- After waiting 100 ms, Host starts the Interrupt Transfer at (*3)
+- Since the Connect Status Change bit is 0, Hub returns NAK.
+
+In this case, port_event() is not called in hub_event() and Host cannot
+recognize device. To solve this issue, flag change_bits even if only
+Connect Status Change bit is 1 when got in the first GetPortStatus.
+
+This issue occurs rarely because it only if D+ changes during a very
+short time between GetPortStatus and ClearPortFeature. However, it is
+fatal if it occurs in embedded system.
+
+Signed-off-by: Keiya Nobuta <nobuta.keiya@fujitsu.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1164,6 +1164,7 @@ static void hub_activate(struct usb_hub
+ * PORT_OVER_CURRENT is not. So check for any of them.
+ */
+ if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
++ (portchange & USB_PORT_STAT_C_CONNECTION) ||
+ (portstatus & USB_PORT_STAT_OVERCURRENT) ||
+ (portchange & USB_PORT_STAT_C_OVERCURRENT))
+ set_bit(port1, hub->change_bits);
--- /dev/null
+From 4911ee401b7ceff8f38e0ac597cbf503d71e690c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Tue, 24 Dec 2019 14:29:09 +0100
+Subject: x86/efistub: Disable paging at mixed mode entry
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 4911ee401b7ceff8f38e0ac597cbf503d71e690c upstream.
+
+The EFI mixed mode entry code goes through the ordinary startup_32()
+routine before jumping into the kernel's EFI boot code in 64-bit
+mode. The 32-bit startup code must be entered with paging disabled,
+but this is not documented as a requirement for the EFI handover
+protocol, and so we should disable paging explicitly when entering
+the kernel from 32-bit EFI firmware.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Cc: <stable@vger.kernel.org>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: https://lkml.kernel.org/r/20191224132909.102540-4-ardb@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/head_64.S | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -227,6 +227,11 @@ ENTRY(efi32_stub_entry)
+ leal efi32_config(%ebp), %eax
+ movl %eax, efi_config(%ebp)
+
++ /* Disable paging */
++ movl %cr0, %eax
++ btrl $X86_CR0_PG_BIT, %eax
++ movl %eax, %cr0
++
+ jmp startup_32
+ ENDPROC(efi32_stub_entry)
+ #endif
--- /dev/null
+From e278af89f1ba0a9ef20947db6afc2c9afa37e85b Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 10 Dec 2019 22:30:42 -0500
+Subject: x86/resctrl: Fix an imbalance in domain_remove_cpu()
+
+From: Qian Cai <cai@lca.pw>
+
+commit e278af89f1ba0a9ef20947db6afc2c9afa37e85b upstream.
+
+A system that supports resource monitoring may have multiple resources
+while not all of these resources are capable of monitoring. Monitoring
+related state is initialized only for resources that are capable of
+monitoring and correspondingly this state should subsequently only be
+removed from these resources that are capable of monitoring.
+
+domain_add_cpu() calls domain_setup_mon_state() only when r->mon_capable
+is true where it will initialize d->mbm_over. However,
+domain_remove_cpu() calls cancel_delayed_work(&d->mbm_over) without
+checking r->mon_capable resulting in an attempt to cancel d->mbm_over on
+all resources, even those that never initialized d->mbm_over because
+they are not capable of monitoring. Hence, it triggers a debugobjects
+warning when offlining CPUs because those timer debugobjects are never
+initialized:
+
+ ODEBUG: assert_init not available (active state 0) object type:
+ timer_list hint: 0x0
+ WARNING: CPU: 143 PID: 789 at lib/debugobjects.c:484
+ debug_print_object
+ Hardware name: HP Synergy 680 Gen9/Synergy 680 Gen9 Compute Module, BIOS I40 05/23/2018
+ RIP: 0010:debug_print_object
+ Call Trace:
+ debug_object_assert_init
+ del_timer
+ try_to_grab_pending
+ cancel_delayed_work
+ resctrl_offline_cpu
+ cpuhp_invoke_callback
+ cpuhp_thread_fun
+ smpboot_thread_fn
+ kthread
+ ret_from_fork
+
+Fixes: e33026831bdb ("x86/intel_rdt/mbm: Handle counter overflow")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: <stable@vger.kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: tj@kernel.org
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20191211033042.2188-1-cai@lca.pw
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/intel_rdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/intel_rdt.c
++++ b/arch/x86/kernel/cpu/intel_rdt.c
+@@ -526,7 +526,7 @@ static void domain_remove_cpu(int cpu, s
+ if (static_branch_unlikely(&rdt_mon_enable_key))
+ rmdir_mondata_subdir_allrdtgrp(r, d->id);
+ list_del(&d->list);
+- if (is_mbm_enabled())
++ if (r->mon_capable && is_mbm_enabled())
+ cancel_delayed_work(&d->mbm_over);
+ if (is_llc_occupancy_enabled() && has_busy_rmid(r, d)) {
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
