5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jan 2020 20:10:03 +0000 (21:10 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 Jan 2020 20:10:03 +0000 (21:10 +0100)
added patches:
alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
exit-panic-before-exit_mm-on-global-init-exit.patch
gen_initramfs_list.sh-fix-bad-variable-name-error.patch
io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch
scsi-lpfc-fix-rpi-release-when-deleting-vport.patch

queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch [new file with mode: 0644]
queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch [new file with mode: 0644]
queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch [new file with mode: 0644]
queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch [new file with mode: 0644]
queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch [new file with mode: 0644]
queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch [new file with mode: 0644]
queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch [new file with mode: 0644]
queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch [new file with mode: 0644]
queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch b/queue-5.4/alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
new file mode 100644 (file)
index 0000000..4c16f83
--- /dev/null
@@ -0,0 +1,37 @@
+From d60229d84846a8399257006af9c5444599f64361 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 22 Nov 2019 13:13:54 +0000
+Subject: ALSA: cs4236: fix error return comparison of an unsigned integer
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit d60229d84846a8399257006af9c5444599f64361 upstream.
+
+The return from pnp_irq is an unsigned integer type resource_size_t
+and hence the error check for a positive non-error code is always
+going to be true.  A check for a non-failure return from pnp_irq
+should in fact be for (resource_size_t)-1 rather than >= 0.
+
+Addresses-Coverity: ("Unsigned compared against 0")
+Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/isa/cs423x/cs4236.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/isa/cs423x/cs4236.c
++++ b/sound/isa/cs423x/cs4236.c
+@@ -278,7 +278,8 @@ static int snd_cs423x_pnp_init_mpu(int d
+       } else {
+               mpu_port[dev] = pnp_port_start(pdev, 0);
+               if (mpu_irq[dev] >= 0 &&
+-                  pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
++                  pnp_irq_valid(pdev, 0) &&
++                  pnp_irq(pdev, 0) != (resource_size_t)-1) {
+                       mpu_irq[dev] = pnp_irq(pdev, 0);
+               } else {
+                       mpu_irq[dev] = -1;      /* disable interrupt */
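Review bot: The inner `if` calls `pnp_irq(pdev, 0)` twice, once for the sentinel comparison and once for the assignment to `mpu_irq[dev]`, and nothing in the code explains why the comparison is against `(resource_size_t)-1`. Reading the value once, `resource_size_t irq = pnp_irq(pdev, 0);`, and adding a comment such as `/* pnp_irq() is unsigned; (resource_size_t)-1 is its failure value */` would keep a later edit from reintroducing the always-true `>= 0` form. `mpu_irq[dev]` is tested with `>= 0` on the line above, so it is presumably signed and the assignment narrows; its declaration is outside the hunk. The body of snd_cs423x_pnp_init_mpu starts and ends outside the hunk.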
diff --git a/queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch b/queue-5.4/alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
new file mode 100644 (file)
index 0000000..b73dabf
--- /dev/null
@@ -0,0 +1,32 @@
+From 0929249e3be3bb82ee6cfec0025f4dde952210b3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Oct 2019 11:09:21 +0100
+Subject: ALSA: firewire-motu: Correct a typo in the clock proc string
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0929249e3be3bb82ee6cfec0025f4dde952210b3 upstream.
+
+Just fix a typo of "S/PDIF" in the clock name string.
+
+Fixes: 4638ec6ede08 ("ALSA: firewire-motu: add proc node to show current statuc of clock and packet formats")
+Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20191030100921.3826-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/motu/motu-proc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/motu/motu-proc.c
++++ b/sound/firewire/motu/motu-proc.c
+@@ -16,7 +16,7 @@ static const char *const clock_names[] =
+       [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT] = "S/PDIF on optical interface",
+       [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_A] = "S/PDIF on optical interface A",
+       [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_OPT_B] = "S/PDIF on optical interface B",
+-      [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PCIF on coaxial interface",
++      [SND_MOTU_CLOCK_SOURCE_SPDIF_ON_COAX] = "S/PDIF on coaxial interface",
+       [SND_MOTU_CLOCK_SOURCE_AESEBU_ON_XLR] = "AESEBU on XLR interface",
+       [SND_MOTU_CLOCK_SOURCE_WORD_ON_BNC] = "Word clock on BNC interface",
+ };
diff --git a/queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch b/queue-5.4/alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
new file mode 100644 (file)
index 0000000..38bea1e
--- /dev/null
@@ -0,0 +1,38 @@
+From 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 8 Nov 2019 17:56:26 +0100
+Subject: ALSA: pcm: Yet another missing check of non-cached buffer type
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14 upstream.
+
+For non-x86 architectures, SNDRV_DMA_TYPE_DEV_UC should be treated
+equivalent with SNDRV_DMA_TYPE_DEV, where the default mmap handler
+still checks only about SNDRV_DMA_TYPE_DEV.  Make the check more
+proper.
+
+Note that all existing users of *_UC buffer types are x86-only, so
+this doesn't fix any bug, but just for consistency.
+
+Fixes: 42e748a0b325 ("ALSA: memalloc: Add non-cached buffer type")
+Link: https://lore.kernel.org/r/20191108165626.5947-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_native.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -3408,7 +3408,8 @@ int snd_pcm_lib_default_mmap(struct snd_
+ #endif /* CONFIG_GENERIC_ALLOCATOR */
+ #ifndef CONFIG_X86 /* for avoiding warnings arch/x86/mm/pat.c */
+       if (IS_ENABLED(CONFIG_HAS_DMA) && !substream->ops->page &&
+-          substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV)
++          (substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV ||
++           substream->dma_buffer.dev.type == SNDRV_DMA_TYPE_DEV_UC))
+               return dma_mmap_coherent(substream->dma_buffer.dev.dev,
+                                        area,
+                                        substream->runtime->dma_area,
diff --git a/queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch b/queue-5.4/apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
new file mode 100644 (file)
index 0000000..8595e6f
--- /dev/null
@@ -0,0 +1,207 @@
+From 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 2 Jan 2020 05:31:22 -0800
+Subject: apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 upstream.
+
+aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a
+context protected by an rcu_read_lock. This can not be done as
+vfs_getxattr_alloc() may sleep regardles of the gfp_t value being
+passed to it.
+
+Fix this by breaking the rcu_read_lock on the policy search when the
+xattr match feature is requested and restarting the search if a policy
+changes occur.
+
+Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value")
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c |    2 -
+ security/apparmor/domain.c     |   80 +++++++++++++++++++++--------------------
+ security/apparmor/policy.c     |    4 +-
+ 3 files changed, 45 insertions(+), 41 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -593,7 +593,7 @@ static __poll_t ns_revision_poll(struct
+ void __aa_bump_ns_revision(struct aa_ns *ns)
+ {
+-      ns->revision++;
++      WRITE_ONCE(ns->revision, ns->revision + 1);
+       wake_up_interruptible(&ns->wait);
+ }
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -317,6 +317,7 @@ static int aa_xattrs_match(const struct
+       if (!bprm || !profile->xattr_count)
+               return 0;
++      might_sleep();
+       /* transition from exec match to xattr set */
+       state = aa_dfa_null_transition(profile->xmatch, state);
+@@ -361,10 +362,11 @@ out:
+ }
+ /**
+- * __attach_match_ - find an attachment match
++ * find_attach - do attachment search for unconfined processes
+  * @bprm - binprm structure of transitioning task
+- * @name - to match against  (NOT NULL)
++ * @ns: the current namespace  (NOT NULL)
+  * @head - profile list to walk  (NOT NULL)
++ * @name - to match against  (NOT NULL)
+  * @info - info message if there was an error (NOT NULL)
+  *
+  * Do a linear search on the profiles in the list.  There is a matching
+@@ -374,12 +376,11 @@ out:
+  *
+  * Requires: @head not be shared or have appropriate locks held
+  *
+- * Returns: profile or NULL if no match found
++ * Returns: label or NULL if no match found
+  */
+-static struct aa_profile *__attach_match(const struct linux_binprm *bprm,
+-                                       const char *name,
+-                                       struct list_head *head,
+-                                       const char **info)
++static struct aa_label *find_attach(const struct linux_binprm *bprm,
++                                  struct aa_ns *ns, struct list_head *head,
++                                  const char *name, const char **info)
+ {
+       int candidate_len = 0, candidate_xattrs = 0;
+       bool conflict = false;
+@@ -388,6 +389,8 @@ static struct aa_profile *__attach_match
+       AA_BUG(!name);
+       AA_BUG(!head);
++      rcu_read_lock();
++restart:
+       list_for_each_entry_rcu(profile, head, base.list) {
+               if (profile->label.flags & FLAG_NULL &&
+                   &profile->label == ns_unconfined(profile->ns))
+@@ -413,16 +416,32 @@ static struct aa_profile *__attach_match
+                       perm = dfa_user_allow(profile->xmatch, state);
+                       /* any accepting state means a valid match. */
+                       if (perm & MAY_EXEC) {
+-                              int ret;
++                              int ret = 0;
+                               if (count < candidate_len)
+                                       continue;
+-                              ret = aa_xattrs_match(bprm, profile, state);
+-                              /* Fail matching if the xattrs don't match */
+-                              if (ret < 0)
+-                                      continue;
++                              if (bprm && profile->xattr_count) {
++                                      long rev = READ_ONCE(ns->revision);
++                                      if (!aa_get_profile_not0(profile))
++                                              goto restart;
++                                      rcu_read_unlock();
++                                      ret = aa_xattrs_match(bprm, profile,
++                                                            state);
++                                      rcu_read_lock();
++                                      aa_put_profile(profile);
++                                      if (rev !=
++                                          READ_ONCE(ns->revision))
++                                              /* policy changed */
++                                              goto restart;
++                                      /*
++                                       * Fail matching if the xattrs don't
++                                       * match
++                                       */
++                                      if (ret < 0)
++                                              continue;
++                              }
+                               /*
+                                * TODO: allow for more flexible best match
+                                *
+@@ -445,43 +464,28 @@ static struct aa_profile *__attach_match
+                               candidate_xattrs = ret;
+                               conflict = false;
+                       }
+-              } else if (!strcmp(profile->base.name, name))
++              } else if (!strcmp(profile->base.name, name)) {
+                       /*
+                        * old exact non-re match, without conditionals such
+                        * as xattrs. no more searching required
+                        */
+-                      return profile;
++                      candidate = profile;
++                      goto out;
++              }
+       }
+-      if (conflict) {
+-              *info = "conflicting profile attachments";
++      if (!candidate || conflict) {
++              if (conflict)
++                      *info = "conflicting profile attachments";
++              rcu_read_unlock();
+               return NULL;
+       }
+-      return candidate;
+-}
+-
+-/**
+- * find_attach - do attachment search for unconfined processes
+- * @bprm - binprm structure of transitioning task
+- * @ns: the current namespace  (NOT NULL)
+- * @list: list to search  (NOT NULL)
+- * @name: the executable name to match against  (NOT NULL)
+- * @info: info message if there was an error
+- *
+- * Returns: label or NULL if no match found
+- */
+-static struct aa_label *find_attach(const struct linux_binprm *bprm,
+-                                  struct aa_ns *ns, struct list_head *list,
+-                                  const char *name, const char **info)
+-{
+-      struct aa_profile *profile;
+-
+-      rcu_read_lock();
+-      profile = aa_get_profile(__attach_match(bprm, name, list, info));
++out:
++      candidate = aa_get_newest_profile(candidate);
+       rcu_read_unlock();
+-      return profile ? &profile->label : NULL;
++      return &candidate->label;
+ }
+ static const char *next_name(int xtype, const char *name)
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1124,8 +1124,8 @@ ssize_t aa_remove_profiles(struct aa_ns
+       if (!name) {
+               /* remove namespace - can only happen if fqname[0] == ':' */
+               mutex_lock_nested(&ns->parent->lock, ns->level);
+-              __aa_remove_ns(ns);
+               __aa_bump_ns_revision(ns);
++              __aa_remove_ns(ns);
+               mutex_unlock(&ns->parent->lock);
+       } else {
+               /* remove profile */
+@@ -1137,9 +1137,9 @@ ssize_t aa_remove_profiles(struct aa_ns
+                       goto fail_ns_lock;
+               }
+               name = profile->base.hname;
++              __aa_bump_ns_revision(ns);
+               __remove_profile(profile);
+               __aa_labelset_update_subtree(ns);
+-              __aa_bump_ns_revision(ns);
+               mutex_unlock(&ns->lock);
+       }
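Review bot: In find_attach() the `restart:` label sits below the initialisers `candidate_len = 0, candidate_xattrs = 0` and `conflict = false`, so a `goto restart` after a policy change rescans the list with best-match state left over from the previous pass. That pass may also have recorded a `candidate` pointer on which no reference is held, and the RCU read lock was dropped around aa_xattrs_match() in between, so the pointer can presumably refer to a profile that has since been removed. Resetting the state right after the label, `candidate = NULL; candidate_len = 0; candidate_xattrs = 0; conflict = false;`, would make each pass independent of the last. Without that, a stale `candidate_len` can make the `count < candidate_len` test skip profiles that are valid under the new policy, which matters because this search decides which profile confines the exec. The declaration of `candidate` is outside the visible context, so this should be confirmed against the full function.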
diff --git a/queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch b/queue-5.4/dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
new file mode 100644 (file)
index 0000000..ab7a287
--- /dev/null
@@ -0,0 +1,38 @@
+From 24461d9792c2c706092805ff1b067628933441bd Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Fri, 20 Dec 2019 15:11:00 +0200
+Subject: dmaengine: virt-dma: Fix access after free in vchan_complete()
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 24461d9792c2c706092805ff1b067628933441bd upstream.
+
+vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
+via already freed up memory.
+
+Move the vchan_vdesc_fini() after invoking the callback to avoid this.
+
+Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Link: https://lore.kernel.org/r/20191220131100.21804-1-peter.ujfalusi@ti.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/virt-dma.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/dma/virt-dma.c
++++ b/drivers/dma/virt-dma.c
+@@ -104,9 +104,8 @@ static void vchan_complete(unsigned long
+               dmaengine_desc_get_callback(&vd->tx, &cb);
+               list_del(&vd->node);
+-              vchan_vdesc_fini(vd);
+-
+               dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
++              vchan_vdesc_fini(vd);
+       }
+ }
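Review bot: The ordering this loop body now depends on is not stated in the code. Per the commit message `vchan_vdesc_fini(vd)` frees `vd`, so it has to stay the last use of `vd` in the iteration, after `dmaengine_desc_callback_invoke(&cb, &vd->tx_result)`. A comment above the call, for example `/* may free vd: keep after the last access to vd->tx_result */`, would protect the order against a later reshuffle. The callback is handed a pointer into `vd`, so a callback that keeps `&vd->tx_result` beyond its return would still read freed memory; whether any client does that is not visible here. The rest of vchan_complete() lies outside the hunk.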
diff --git a/queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch b/queue-5.4/exit-panic-before-exit_mm-on-global-init-exit.patch
new file mode 100644 (file)
index 0000000..201df66
--- /dev/null
@@ -0,0 +1,62 @@
+From 43cf75d96409a20ef06b756877a2e72b10a026fc Mon Sep 17 00:00:00 2001
+From: chenqiwu <chenqiwu@xiaomi.com>
+Date: Thu, 19 Dec 2019 14:29:53 +0800
+Subject: exit: panic before exit_mm() on global init exit
+
+From: chenqiwu <chenqiwu@xiaomi.com>
+
+commit 43cf75d96409a20ef06b756877a2e72b10a026fc upstream.
+
+Currently, when global init and all threads in its thread-group have exited
+we panic via:
+do_exit()
+-> exit_notify()
+   -> forget_original_parent()
+      -> find_child_reaper()
+This makes it hard to extract a useable coredump for global init from a
+kernel crashdump because by the time we panic exit_mm() will have already
+released global init's mm.
+This patch moves the panic futher up before exit_mm() is called. As was the
+case previously, we only panic when global init and all its threads in the
+thread-group have exited.
+
+Signed-off-by: chenqiwu <chenqiwu@xiaomi.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+[christian.brauner@ubuntu.com: fix typo, rewrite commit message]
+Link: https://lore.kernel.org/r/1576736993-10121-1-git-send-email-qiwuchen55@gmail.com
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/exit.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -517,10 +517,6 @@ static struct task_struct *find_child_re
+       }
+       write_unlock_irq(&tasklist_lock);
+-      if (unlikely(pid_ns == &init_pid_ns)) {
+-              panic("Attempted to kill init! exitcode=0x%08x\n",
+-                      father->signal->group_exit_code ?: father->exit_code);
+-      }
+       list_for_each_entry_safe(p, n, dead, ptrace_entry) {
+               list_del_init(&p->ptrace_entry);
+@@ -766,6 +762,14 @@ void __noreturn do_exit(long code)
+       acct_update_integrals(tsk);
+       group_dead = atomic_dec_and_test(&tsk->signal->live);
+       if (group_dead) {
++              /*
++               * If the last thread of global init has exited, panic
++               * immediately to get a useable coredump.
++               */
++              if (unlikely(is_global_init(tsk)))
++                      panic("Attempted to kill init! exitcode=0x%08x\n",
++                              tsk->signal->group_exit_code ?: (int)code);
++
+ #ifdef CONFIG_POSIX_TIMERS
+               hrtimer_cancel(&tsk->signal->real_timer);
+               exit_itimers(tsk->signal);
diff --git a/queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch b/queue-5.4/gen_initramfs_list.sh-fix-bad-variable-name-error.patch
new file mode 100644 (file)
index 0000000..01d1ed6
--- /dev/null
@@ -0,0 +1,48 @@
+From cc976614f59bd8e45de8ce988a6bcb5de711d994 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <masahiroy@kernel.org>
+Date: Mon, 30 Dec 2019 22:20:06 +0900
+Subject: gen_initramfs_list.sh: fix 'bad variable name' error
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+commit cc976614f59bd8e45de8ce988a6bcb5de711d994 upstream.
+
+Prior to commit 858805b336be ("kbuild: add $(BASH) to run scripts with
+bash-extension"), this shell script was almost always run by bash since
+bash is usually installed on the system by default.
+
+Now, this script is run by sh, which might be a symlink to dash. On such
+distributions, the following code emits an error:
+
+  local dev=`LC_ALL=C ls -l "${location}"`
+
+You can reproduce the build error, for example by setting
+CONFIG_INITRAMFS_SOURCE="/dev".
+
+    GEN     usr/initramfs_data.cpio.gz
+  ./usr/gen_initramfs_list.sh: 131: local: 1: bad variable name
+  make[1]: *** [usr/Makefile:61: usr/initramfs_data.cpio.gz] Error 2
+
+This is because `LC_ALL=C ls -l "${location}"` contains spaces.
+Surrounding it with double-quotes fixes the error.
+
+Fixes: 858805b336be ("kbuild: add $(BASH) to run scripts with bash-extension")
+Reported-by: Jory A. Pratt <anarchy@gentoo.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ usr/gen_initramfs_list.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/usr/gen_initramfs_list.sh
++++ b/usr/gen_initramfs_list.sh
+@@ -128,7 +128,7 @@ parse() {
+                       str="${ftype} ${name} ${location} ${str}"
+                       ;;
+               "nod")
+-                      local dev=`LC_ALL=C ls -l "${location}"`
++                      local dev="`LC_ALL=C ls -l "${location}"`"
+                       local maj=`field 5 ${dev}`
+                       local min=`field 6 ${dev}`
+                       maj=${maj%,}
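Review bot: The two assignments directly below the fixed line, `local maj=...` and `local min=...`, still pass an unquoted command substitution to `local`. That is the construct the commit message reports dash rejecting when the output contains spaces. They work only as long as `field` prints a single word; quoting them the same way, `local maj="$(field 5 ${dev})"` and `local min="$(field 6 ${dev})"`, removes that dependency. The `${dev}` argument has to stay unquoted there, since `field` presumably relies on word splitting of the `ls -l` line. The parse() function continues outside the hunk.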
diff --git a/queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch b/queue-5.4/io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
new file mode 100644 (file)
index 0000000..92c6c20
--- /dev/null
@@ -0,0 +1,94 @@
+From 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 2 Dec 2019 08:50:00 -0700
+Subject: io_uring: use current task creds instead of allocating a new one
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 0b8c0ec7eedcd8f9f1a1f238d87f9b512b09e71a upstream.
+
+syzbot reports:
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 9217 Comm: io_uring-sq Not tainted 5.4.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
+RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
+RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
+Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
+24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
+c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
+RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
+RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
+RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
+R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
+R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+  io_sq_thread+0x1c7/0xa20 fs/io_uring.c:3274
+  kthread+0x361/0x430 kernel/kthread.c:255
+  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
+Modules linked in:
+---[ end trace f2e1a4307fbe2245 ]---
+RIP: 0010:creds_are_invalid kernel/cred.c:792 [inline]
+RIP: 0010:__validate_creds include/linux/cred.h:187 [inline]
+RIP: 0010:override_creds+0x9f/0x170 kernel/cred.c:550
+Code: ac 25 00 81 fb 64 65 73 43 0f 85 a3 37 00 00 e8 17 ab 25 00 49 8d 7c
+24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84
+c0 74 08 3c 03 0f 8e 96 00 00 00 41 8b 5c 24 10 bf
+RSP: 0018:ffff88809c45fda0 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000043736564 RCX: ffffffff814f3318
+RDX: 0000000000000002 RSI: ffffffff814f3329 RDI: 0000000000000010
+RBP: ffff88809c45fdb8 R08: ffff8880a3aac240 R09: ffffed1014755849
+R10: ffffed1014755848 R11: ffff8880a3aac247 R12: 0000000000000000
+R13: ffff888098ab1600 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd51c40664 CR3: 0000000092641000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+which is caused by slab fault injection triggering a failure in
+prepare_creds(). We don't actually need to create a copy of the creds
+as we're not modifying it, we just need a reference on the current task
+creds. This avoids the failure case as well, and propagates the const
+throughout the stack.
+
+Fixes: 181e448d8709 ("io_uring: async workers should inherit the user creds")
+Reported-by: syzbot+5320383e16029ba057ff@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ only use the io_uring.c portion of the patch - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -239,7 +239,7 @@ struct io_ring_ctx {
+       struct user_struct      *user;
+-      struct cred             *creds;
++      const struct cred       *creds;
+       struct completion       ctx_done;
+@@ -3876,7 +3876,7 @@ static int io_uring_create(unsigned entr
+       ctx->account_mem = account_mem;
+       ctx->user = user;
+-      ctx->creds = prepare_creds();
++      ctx->creds = get_current_cred();
+       if (!ctx->creds) {
+               ret = -ENOMEM;
+               goto err;
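Review bot: The `if (!ctx->creds)` branch kept after `ctx->creds = get_current_cred();` in io_uring_create() looks like dead code now, since the commit message says taking a reference on the current task's creds avoids the failure case that `prepare_creds()` had. If `get_current_cred()` cannot return NULL, the `-ENOMEM` path can be dropped; otherwise a comment saying when it fails would help. The context now holds a counted reference to the creating task's credentials for its lifetime, so the matching `put_cred()` (outside this hunk) must be reached on teardown and on every error path after this point. Only the fs/io_uring.c part of the upstream change is applied, per the bracketed note, so the new `const` on `creds` should be checked against the 5.4 functions that receive it.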
diff --git a/queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch b/queue-5.4/mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch
new file mode 100644 (file)
index 0000000..c30e91a
--- /dev/null
@@ -0,0 +1,64 @@
+From a7c46c0c0e3d62f2764cd08b90934cd2aaaf8545 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Sat, 4 Jan 2020 13:00:12 -0800
+Subject: mm/gup: fix memory leak in __gup_benchmark_ioctl
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit a7c46c0c0e3d62f2764cd08b90934cd2aaaf8545 upstream.
+
+In the implementation of __gup_benchmark_ioctl() the allocated pages
+should be released before returning in case of an invalid cmd.  Release
+pages via kvfree().
+
+[akpm@linux-foundation.org: rework code flow, return -EINVAL rather than -1]
+Link: http://lkml.kernel.org/r/20191211174653.4102-1-navid.emamdoost@gmail.com
+Fixes: 714a3a1ebafe ("mm/gup_benchmark.c: add additional pinning methods")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/gup_benchmark.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/gup_benchmark.c
++++ b/mm/gup_benchmark.c
+@@ -26,6 +26,7 @@ static int __gup_benchmark_ioctl(unsigne
+       unsigned long i, nr_pages, addr, next;
+       int nr;
+       struct page **pages;
++      int ret = 0;
+       if (gup->size > ULONG_MAX)
+               return -EINVAL;
+@@ -63,7 +64,9 @@ static int __gup_benchmark_ioctl(unsigne
+                                           NULL);
+                       break;
+               default:
+-                      return -1;
++                      kvfree(pages);
++                      ret = -EINVAL;
++                      goto out;
+               }
+               if (nr <= 0)
+@@ -85,7 +88,8 @@ static int __gup_benchmark_ioctl(unsigne
+       gup->put_delta_usec = ktime_us_delta(end_time, start_time);
+       kvfree(pages);
+-      return 0;
++out:
++      return ret;
+ }
+ static long gup_benchmark_ioctl(struct file *filep, unsigned int cmd,
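Review bot: The `default:` branch frees `pages` itself and then jumps to `out:`, which sits after the function's other `kvfree(pages)`, so the buffer now has two release sites. Putting the label on the existing release instead, `free_pages:` before `kvfree(pages);` followed by `return ret;`, with `ret = -EINVAL; goto free_pages;` in the branch, gives a single cleanup path and makes a later double free or leak harder to introduce. This assumes nothing between the loop and the final `kvfree()` has to run on the error path; that code is outside the hunk.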
diff --git a/queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch b/queue-5.4/scsi-lpfc-fix-rpi-release-when-deleting-vport.patch
new file mode 100644 (file)
index 0000000..eae95f9
--- /dev/null
@@ -0,0 +1,162 @@
+From 97acd0019d5dadd9c0e111c2083c889bfe548f25 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Sat, 21 Sep 2019 20:58:51 -0700
+Subject: scsi: lpfc: Fix rpi release when deleting vport
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit 97acd0019d5dadd9c0e111c2083c889bfe548f25 upstream.
+
+A prior use-after-free mailbox fix solved it's problem by null'ing a ndlp
+pointer.  However, further testing has shown that this change causes a
+later state change to occasionally be skipped, which results in a reference
+count never being decremented thus the rpi is never released, which causes
+a vport delete to never succeed.
+
+Revise the fix in the prior patch to no longer null the ndlp. Instead the
+RELEASE_RPI flag is set which will drive the release of the rpi.
+
+Given the new code was added at a deep indentation level, refactor the code
+block using a new routine that avoids the indentation issues.
+
+Fixes:         9b1640686470 ("scsi: lpfc: Fix use-after-free mailbox cmd completion")
+Link: https://lore.kernel.org/r/20190922035906.10977-6-jsmart2021@gmail.com
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c |   88 ++++++++++++++++++++++++++-------------
+ drivers/scsi/lpfc/lpfc_sli.c     |    2 
+ 2 files changed, 61 insertions(+), 29 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -4844,6 +4844,44 @@ lpfc_nlp_logo_unreg(struct lpfc_hba *phb
+ }
+ /*
++ * Sets the mailbox completion handler to be used for the
++ * unreg_rpi command. The handler varies based on the state of
++ * the port and what will be happening to the rpi next.
++ */
++static void
++lpfc_set_unreg_login_mbx_cmpl(struct lpfc_hba *phba, struct lpfc_vport *vport,
++      struct lpfc_nodelist *ndlp, LPFC_MBOXQ_t *mbox)
++{
++      unsigned long iflags;
++
++      if (ndlp->nlp_flag & NLP_ISSUE_LOGO) {
++              mbox->ctx_ndlp = ndlp;
++              mbox->mbox_cmpl = lpfc_nlp_logo_unreg;
++
++      } else if (phba->sli_rev == LPFC_SLI_REV4 &&
++                 (!(vport->load_flag & FC_UNLOADING)) &&
++                  (bf_get(lpfc_sli_intf_if_type, &phba->sli4_hba.sli_intf) >=
++                                    LPFC_SLI_INTF_IF_TYPE_2) &&
++                  (kref_read(&ndlp->kref) > 0)) {
++              mbox->ctx_ndlp = lpfc_nlp_get(ndlp);
++              mbox->mbox_cmpl = lpfc_sli4_unreg_rpi_cmpl_clr;
++      } else {
++              if (vport->load_flag & FC_UNLOADING) {
++                      if (phba->sli_rev == LPFC_SLI_REV4) {
++                              spin_lock_irqsave(&vport->phba->ndlp_lock,
++                                                iflags);
++                              ndlp->nlp_flag |= NLP_RELEASE_RPI;
++                              spin_unlock_irqrestore(&vport->phba->ndlp_lock,
++                                                     iflags);
++                      }
++                      lpfc_nlp_get(ndlp);
++              }
++              mbox->ctx_ndlp = ndlp;
++              mbox->mbox_cmpl = lpfc_sli_def_mbox_cmpl;
++      }
++}
++
++/*
+  * Free rpi associated with LPFC_NODELIST entry.
+  * This routine is called from lpfc_freenode(), when we are removing
+  * a LPFC_NODELIST entry. It is also called if the driver initiates a
+@@ -4893,33 +4931,12 @@ lpfc_unreg_rpi(struct lpfc_vport *vport,
+                       lpfc_unreg_login(phba, vport->vpi, rpi, mbox);
+                       mbox->vport = vport;
+-                      if (ndlp->nlp_flag & NLP_ISSUE_LOGO) {
+-                              mbox->ctx_ndlp = ndlp;
+-                              mbox->mbox_cmpl = lpfc_nlp_logo_unreg;
+-                      } else {
+-                              if (phba->sli_rev == LPFC_SLI_REV4 &&
+-                                  (!(vport->load_flag & FC_UNLOADING)) &&
+-                                  (bf_get(lpfc_sli_intf_if_type,
+-                                   &phba->sli4_hba.sli_intf) >=
+-                                    LPFC_SLI_INTF_IF_TYPE_2) &&
+-                                  (kref_read(&ndlp->kref) > 0)) {
+-                                      mbox->ctx_ndlp = lpfc_nlp_get(ndlp);
+-                                      mbox->mbox_cmpl =
+-                                              lpfc_sli4_unreg_rpi_cmpl_clr;
+-                                      /*
+-                                       * accept PLOGIs after unreg_rpi_cmpl
+-                                       */
+-                                      acc_plogi = 0;
+-                              } else if (vport->load_flag & FC_UNLOADING) {
+-                                      mbox->ctx_ndlp = NULL;
+-                                      mbox->mbox_cmpl =
+-                                              lpfc_sli_def_mbox_cmpl;
+-                              } else {
+-                                      mbox->ctx_ndlp = ndlp;
+-                                      mbox->mbox_cmpl =
+-                                              lpfc_sli_def_mbox_cmpl;
+-                              }
+-                      }
++                      lpfc_set_unreg_login_mbx_cmpl(phba, vport, ndlp, mbox);
++                      if (mbox->mbox_cmpl == lpfc_sli4_unreg_rpi_cmpl_clr)
++                              /*
++                               * accept PLOGIs after unreg_rpi_cmpl
++                               */
++                              acc_plogi = 0;
+                       if (((ndlp->nlp_DID & Fabric_DID_MASK) !=
+                           Fabric_DID_MASK) &&
+                           (!(vport->fc_flag & FC_OFFLINE_MODE)))
+@@ -5060,6 +5077,7 @@ lpfc_cleanup_node(struct lpfc_vport *vpo
+       struct lpfc_hba  *phba = vport->phba;
+       LPFC_MBOXQ_t *mb, *nextmb;
+       struct lpfc_dmabuf *mp;
++      unsigned long iflags;
+       /* Cleanup node for NPort <nlp_DID> */
+       lpfc_printf_vlog(vport, KERN_INFO, LOG_NODE,
+@@ -5141,8 +5159,20 @@ lpfc_cleanup_node(struct lpfc_vport *vpo
+       lpfc_cleanup_vports_rrqs(vport, ndlp);
+       if (phba->sli_rev == LPFC_SLI_REV4)
+               ndlp->nlp_flag |= NLP_RELEASE_RPI;
+-      lpfc_unreg_rpi(vport, ndlp);
+-
++      if (!lpfc_unreg_rpi(vport, ndlp)) {
++              /* Clean up unregistered and non freed rpis */
++              if ((ndlp->nlp_flag & NLP_RELEASE_RPI) &&
++                  !(ndlp->nlp_rpi == LPFC_RPI_ALLOC_ERROR)) {
++                      lpfc_sli4_free_rpi(vport->phba,
++                                         ndlp->nlp_rpi);
++                      spin_lock_irqsave(&vport->phba->ndlp_lock,
++                                        iflags);
++                      ndlp->nlp_flag &= ~NLP_RELEASE_RPI;
++                      ndlp->nlp_rpi = LPFC_RPI_ALLOC_ERROR;
++                      spin_unlock_irqrestore(&vport->phba->ndlp_lock,
++                                             iflags);
++              }
++      }
+       return 0;
+ }
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -2526,6 +2526,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *
+                       } else {
+                               __lpfc_sli_rpi_release(vport, ndlp);
+                       }
++                      if (vport->load_flag & FC_UNLOADING)
++                              lpfc_nlp_put(ndlp);
+                       pmb->ctx_ndlp = NULL;
+               }
+       }
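Review bot: The `lpfc_nlp_get(ndlp)` in the FC_UNLOADING branch of `lpfc_set_unreg_login_mbx_cmpl()` and the `lpfc_nlp_put(ndlp)` added to `lpfc_sli_def_mbox_cmpl()` are paired only because each side tests `vport->load_flag & FC_UNLOADING`, and they test it at different times (mailbox issue versus completion). If the flag can become set in between, which these hunks do not show, the put runs without a matching get and the node's reference count drops early; that is the use-after-free class the earlier fix was addressing. The return value of `lpfc_nlp_get(ndlp)` is also discarded in that branch, while the SLI4 branch above stores it in `mbox->ctx_ndlp`, so a get that fails (presumably returning NULL) would still be followed by the put. I would document the pairing at both sites, for example `/* reference dropped in lpfc_sli_def_mbox_cmpl() when FC_UNLOADING */`, and consider recording "reference held" on the mailbox itself instead of re-reading `load_flag` at completion. The body of `lpfc_sli_def_mbox_cmpl()` starts and ends outside the hunk, so the guard around `ndlp` there could not be checked.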
index 5a2f72dec69979154c06e3688b063eceb635a24d..35ec18efe0e109ace98e275b7c04b398c3734541 100644 (file)
@@ -117,3 +117,13 @@ tracing-avoid-memory-leak-in-process_system_preds.patch
 tracing-have-the-histogram-compare-functions-convert-to-u64-first.patch
 tracing-fix-endianness-bug-in-histogram-trigger.patch
 samples-trace_printk-wait-for-irq-work-to-finish.patch
+io_uring-use-current-task-creds-instead-of-allocating-a-new-one.patch
+mm-gup-fix-memory-leak-in-__gup_benchmark_ioctl.patch
+apparmor-fix-aa_xattrs_match-may-sleep-while-holding-a-rcu-lock.patch
+dmaengine-virt-dma-fix-access-after-free-in-vchan_complete.patch
+gen_initramfs_list.sh-fix-bad-variable-name-error.patch
+alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
+alsa-pcm-yet-another-missing-check-of-non-cached-buffer-type.patch
+alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
+scsi-lpfc-fix-rpi-release-when-deleting-vport.patch
+exit-panic-before-exit_mm-on-global-init-exit.patch