--- /dev/null
+From 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 Jan 2020 20:49:04 +0300
+Subject: Bluetooth: Fix race condition in hci_release_sock()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 11eb85ec42dc8c7a7ec519b90ccf2eeae9409de8 upstream.
+
+Syzbot managed to trigger a use after free "KASAN: use-after-free Write
+in hci_sock_bind". I have reviewed the code manually and one possible
+cause I have found is that we are not holding lock_sock(sk) when we do
+the hci_dev_put(hdev) in hci_sock_release(). My theory is that the bind
+and the release are racing against each other which results in this use
+after free.
+
+Reported-by: syzbot+eba992608adf3d796bcc@syzkaller.appspotmail.com
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -831,6 +831,8 @@ static int hci_sock_release(struct socke
+ if (!sk)
+ return 0;
+
++ lock_sock(sk);
++
+ switch (hci_pi(sk)->channel) {
+ case HCI_CHANNEL_MONITOR:
+ atomic_dec(&monitor_promisc);
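Review bot: The new `lock_sock(sk)` at the top of hci_sock_release() only closes the race if the hdev teardown that the description refers to (clearing `hci_pi(sk)->hdev` and `hci_dev_put(hdev)`, which lies between this hunk and the next and is not visible here) really sits inside the locked region, and if hci_sock_bind() takes the same socket lock before it touches `hci_pi(sk)->hdev`; neither is shown, and the description itself presents the race as a theory. A short comment above the call, `/* serialize hdev teardown against a concurrent hci_sock_bind() */`, would record why the lock is taken this early and across the whole teardown. hci_sock_release() continues past the end of this hunk.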
+@@ -878,6 +880,7 @@ static int hci_sock_release(struct socke
+ skb_queue_purge(&sk->sk_receive_queue);
+ skb_queue_purge(&sk->sk_write_queue);
+
++ release_sock(sk);
+ sock_put(sk);
+ return 0;
+ }
--- /dev/null
+From 3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 9 Jan 2020 16:05:59 +0100
+Subject: cgroup: Prevent double killing of css when enabling threaded cgroup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+commit 3bc0bb36fa30e95ca829e9cf480e1ef7f7638333 upstream.
+
+The test_cgcore_no_internal_process_constraint_on_threads selftest when
+running with subsystem controlling noise triggers two warnings:
+
+> [ 597.443115] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3131 cgroup_apply_control_enable+0xe0/0x3f0
+> [ 597.443413] WARNING: CPU: 1 PID: 28167 at kernel/cgroup/cgroup.c:3177 cgroup_apply_control_disable+0xa6/0x160
+
+Both stem from a call to cgroup_type_write. The first warning was also
+triggered by syzkaller.
+
+When we're switching cgroup to threaded mode shortly after a subsystem
+was disabled on it, we can see the respective subsystem css dying there.
+
+The warning in cgroup_apply_control_enable is harmless in this case
+since we're not adding new subsys anyway.
+The warning in cgroup_apply_control_disable indicates an attempt to kill
+css of recently disabled subsystem repeatedly.
+
+The commit prevents these situations by making cgroup_type_write wait
+for all dying csses to go away before re-applying subtree controls.
+While at it, the WARN_ON_ONCE calls are moved so that the warning is
+triggered only when we are about to misuse a dying css.
+
+Reported-by: syzbot+5493b2a54d31d6aea629@syzkaller.appspotmail.com
+Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2940,8 +2940,6 @@ static int cgroup_apply_control_enable(s
+ for_each_subsys(ss, ssid) {
+ struct cgroup_subsys_state *css = cgroup_css(dsct, ss);
+
+- WARN_ON_ONCE(css && percpu_ref_is_dying(&css->refcnt));
+-
+ if (!(cgroup_ss_mask(dsct) & (1 << ss->id)))
+ continue;
+
+@@ -2951,6 +2949,8 @@ static int cgroup_apply_control_enable(s
+ return PTR_ERR(css);
+ }
+
++ WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt));
++
+ if (css_visible(css)) {
+ ret = css_populate_dir(css);
+ if (ret)
+@@ -2986,11 +2986,11 @@ static void cgroup_apply_control_disable
+ for_each_subsys(ss, ssid) {
+ struct cgroup_subsys_state *css = cgroup_css(dsct, ss);
+
+- WARN_ON_ONCE(css && percpu_ref_is_dying(&css->refcnt));
+-
+ if (!css)
+ continue;
+
++ WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt));
++
+ if (css->parent &&
+ !(cgroup_ss_mask(dsct) & (1 << ss->id))) {
+ kill_css(css);
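Review bot: After the move, `WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt))` in cgroup_apply_control_disable() only reports a dying css; the branch right below still calls `kill_css(css)` on it, which is exactly the repeated kill the description wants to avoid. The drain added in cgroup_type_write() is meant to make this unreachable, but other callers of this function are outside the hunk, so consider turning the warning into a stop: `if (WARN_ON_ONCE(percpu_ref_is_dying(&css->refcnt))) continue;`. The loop body continues past this hunk.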
+@@ -3277,7 +3277,8 @@ static ssize_t cgroup_type_write(struct
+ if (strcmp(strstrip(buf), "threaded"))
+ return -EINVAL;
+
+- cgrp = cgroup_kn_lock_live(of->kn, false);
++ /* drain dying csses before we re-apply (threaded) subtree control */
++ cgrp = cgroup_kn_lock_live(of->kn, true);
+ if (!cgrp)
+ return -ENOENT;
+
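Review bot: The comment above `cgroup_kn_lock_live(of->kn, true)` names what the bare `true` means but not why draining is required at this call site, which is the part a future reader will question. Something like `/* drain dying csses first: the threaded switch below re-applies subtree control, which must not meet a css that is still being killed */` ties the argument to the warnings this commit fixes; if cgroup_kn_lock_live() may sleep while draining, saying so here would also help, though that is not visible in the hunk. cgroup_type_write() continues past this hunk.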
--- /dev/null
+From 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 15 Dec 2019 01:09:03 -0500
+Subject: ext4: validate the debug_want_extra_isize mount option at parse time
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9803387c55f7d2ce69aa64340c5fdc6b3027dbc8 upstream.
+
+Instead of setting s_want_extra_isize and then making sure that it is a
+valid value afterwards, validate the field before we set it. This
+avoids races and other problems when remounting the file system.
+
+Link: https://lore.kernel.org/r/20191215063020.GA11512@mit.edu
+Cc: stable@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-and-tested-by: syzbot+4a39a025912b265cacef@syzkaller.appspotmail.com
+Signed-off-by: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 127 +++++++++++++++++++++++++++++---------------------------
+ 1 file changed, 66 insertions(+), 61 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1842,6 +1842,13 @@ static int handle_mount_opt(struct super
+ arg = JBD2_DEFAULT_MAX_COMMIT_AGE;
+ sbi->s_commit_interval = HZ * arg;
+ } else if (token == Opt_debug_want_extra_isize) {
++ if ((arg & 1) ||
++ (arg < 4) ||
++ (arg > (sbi->s_inode_size - EXT4_GOOD_OLD_INODE_SIZE))) {
++ ext4_msg(sb, KERN_ERR,
++ "Invalid want_extra_isize %d", arg);
++ return -1;
++ }
+ sbi->s_want_extra_isize = arg;
+ } else if (token == Opt_max_batch_time) {
+ sbi->s_max_batch_time = arg;
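Review bot: The new range check in handle_mount_opt() compares the signed `arg` against `sbi->s_inode_size - EXT4_GOOD_OLD_INODE_SIZE`, which is presumably an unsigned quantity; that comparison is only safe because `(arg < 4)` is evaluated first and short-circuits on negative values, so the operand order is load-bearing and deserves a comment such as `/* keep arg < 4 first: rejects negatives before the unsigned compare */`. The error message would also be more actionable if it stated the accepted bounds (even, at least 4, at most inode size minus the old inode size) instead of just echoing the value. Note that on a filesystem with 128-byte inodes the option is now rejected outright where the removed ext4_clamp_want_extra_isize() silently zeroed it; that looks intended, but it is a user-visible change worth one line in the description.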
+@@ -3513,40 +3520,6 @@ int ext4_calculate_overhead(struct super
+ return 0;
+ }
+
+-static void ext4_clamp_want_extra_isize(struct super_block *sb)
+-{
+- struct ext4_sb_info *sbi = EXT4_SB(sb);
+- struct ext4_super_block *es = sbi->s_es;
+- unsigned def_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+-
+- if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) {
+- sbi->s_want_extra_isize = 0;
+- return;
+- }
+- if (sbi->s_want_extra_isize < 4) {
+- sbi->s_want_extra_isize = def_extra_isize;
+- if (ext4_has_feature_extra_isize(sb)) {
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_want_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_want_extra_isize);
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_min_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_min_extra_isize);
+- }
+- }
+- /* Check if enough inode space is available */
+- if ((sbi->s_want_extra_isize > sbi->s_inode_size) ||
+- (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size)) {
+- sbi->s_want_extra_isize = def_extra_isize;
+- ext4_msg(sb, KERN_INFO,
+- "required extra inode space not available");
+- }
+-}
+-
+ static void ext4_set_resv_clusters(struct super_block *sb)
+ {
+ ext4_fsblk_t resv_clusters;
+@@ -3754,6 +3727,65 @@ static int ext4_fill_super(struct super_
+ */
+ sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;
+
++ if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) {
++ sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE;
++ sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO;
++ } else {
++ sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
++ sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
++ sbi->s_first_ino);
++ goto failed_mount;
++ }
++ if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
++ (!is_power_of_2(sbi->s_inode_size)) ||
++ (sbi->s_inode_size > blocksize)) {
++ ext4_msg(sb, KERN_ERR,
++ "unsupported inode size: %d",
++ sbi->s_inode_size);
++ goto failed_mount;
++ }
++ /*
++ * i_atime_extra is the last extra field available for
++ * [acm]times in struct ext4_inode. Checking for that
++ * field should suffice to ensure we have extra space
++ * for all three.
++ */
++ if (sbi->s_inode_size >= offsetof(struct ext4_inode, i_atime_extra) +
++ sizeof(((struct ext4_inode *)0)->i_atime_extra)) {
++ sb->s_time_gran = 1;
++ } else {
++ sb->s_time_gran = NSEC_PER_SEC;
++ }
++ }
++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ if (ext4_has_feature_extra_isize(sb)) {
++ unsigned v, max = (sbi->s_inode_size -
++ EXT4_GOOD_OLD_INODE_SIZE);
++
++ v = le16_to_cpu(es->s_want_extra_isize);
++ if (v > max) {
++ ext4_msg(sb, KERN_ERR,
++ "bad s_want_extra_isize: %d", v);
++ goto failed_mount;
++ }
++ if (sbi->s_want_extra_isize < v)
++ sbi->s_want_extra_isize = v;
++
++ v = le16_to_cpu(es->s_min_extra_isize);
++ if (v > max) {
++ ext4_msg(sb, KERN_ERR,
++ "bad s_min_extra_isize: %d", v);
++ goto failed_mount;
++ }
++ if (sbi->s_want_extra_isize < v)
++ sbi->s_want_extra_isize = v;
++ }
++ }
++
+ if (sbi->s_es->s_mount_opts[0]) {
+ char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+ sizeof(sbi->s_es->s_mount_opts),
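Review bot: In the new on-disk validation, `v` is declared `unsigned` but is printed with `%d` in both `"bad s_want_extra_isize: %d"` and `"bad s_min_extra_isize: %d"`; use `%u`. The on-disk fields are also only checked for `v > max`, whereas the mount-option path rejects odd values, so a superblock carrying an odd `s_want_extra_isize` is accepted here; if that is deliberate because a small or odd on-disk value is simply overridden by the larger default, a comment saying so would prevent the question from coming up again. This hunk additionally carries the `sb->s_time_gran` computation based on `i_atime_extra`, replacing the `1 << (EXT4_EPOCH_BITS - 2)` form in the removed block, which the description does not mention; if that came from another upstream change folded into the backport, the description should say so. ext4_fill_super() extends well beyond this hunk.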
+@@ -3955,29 +3987,6 @@ static int ext4_fill_super(struct super_
+ has_huge_files);
+ sb->s_maxbytes = ext4_max_size(sb->s_blocksize_bits, has_huge_files);
+
+- if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV) {
+- sbi->s_inode_size = EXT4_GOOD_OLD_INODE_SIZE;
+- sbi->s_first_ino = EXT4_GOOD_OLD_FIRST_INO;
+- } else {
+- sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
+- sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
+- if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
+- ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
+- sbi->s_first_ino);
+- goto failed_mount;
+- }
+- if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
+- (!is_power_of_2(sbi->s_inode_size)) ||
+- (sbi->s_inode_size > blocksize)) {
+- ext4_msg(sb, KERN_ERR,
+- "unsupported inode size: %d",
+- sbi->s_inode_size);
+- goto failed_mount;
+- }
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE)
+- sb->s_time_gran = 1 << (EXT4_EPOCH_BITS - 2);
+- }
+-
+ sbi->s_desc_size = le16_to_cpu(es->s_desc_size);
+ if (ext4_has_feature_64bit(sb)) {
+ if (sbi->s_desc_size < EXT4_MIN_DESC_SIZE_64BIT ||
+@@ -4421,8 +4430,6 @@ no_journal:
+ } else if (ret)
+ goto failed_mount4a;
+
+- ext4_clamp_want_extra_isize(sb);
+-
+ ext4_set_resv_clusters(sb);
+
+ err = ext4_setup_system_zone(sb);
+@@ -5207,8 +5214,6 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+
+- ext4_clamp_want_extra_isize(sb);
+-
+ if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
+ test_opt(sb, JOURNAL_CHECKSUM)) {
+ ext4_msg(sb, KERN_ERR, "changing journal_checksum "
--- /dev/null
+From 51d0c99b391f0cac61ad7b827c26f549ee55672c Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 10 Nov 2019 11:15:37 +0100
+Subject: media: af9005: uninitialized variable printked
+
+From: Sean Young <sean@mess.org>
+
+commit 51d0c99b391f0cac61ad7b827c26f549ee55672c upstream.
+
+If usb_bulk_msg() fails, actual_length can be uninitialized.
+
+Reported-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/af9005.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -563,7 +563,7 @@ static int af9005_boot_packet(struct usb
+ u8 *buf, int size)
+ {
+ u16 checksum;
+- int act_len, i, ret;
++ int act_len = 0, i, ret;
+
+ memset(buf, 0, size);
+ buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff);
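Review bot: Initialising `act_len` to 0 stops the uninitialised read but does not make the value meaningful: `usb_bulk_msg()` leaves `act_len` untouched when it fails, so whatever consumes it later in af9005_boot_packet() (outside this hunk) still has to check the transfer's return code before trusting the length. A comment on the declaration would make that intent clear, e.g. `int act_len = 0, i, ret; /* usb_bulk_msg() leaves act_len unset on failure */`. The function body continues past the hunk.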
--- /dev/null
+From eecc70d22ae51225de1ef629c1159f7116476b2e Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 10 Nov 2019 11:04:40 +0100
+Subject: media: digitv: don't continue if remote control state can't be read
+
+From: Sean Young <sean@mess.org>
+
+commit eecc70d22ae51225de1ef629c1159f7116476b2e upstream.
+
+Continuing after a failed remote-control read results in an uninitialized
+variable read.
+
+Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/digitv.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -233,18 +233,22 @@ static struct rc_map_table rc_map_digitv
+
+ static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+- int i;
++ int ret, i;
+ u8 key[5];
+ u8 b[4] = { 0 };
+
+ *event = 0;
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4);
++ ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4);
++ if (ret)
++ return ret;
+
+ /* Tell the device we've read the remote. Not sure how necessary
+ this is, but the Nebula SDK does it. */
+- digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0);
++ ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0);
++ if (ret)
++ return ret;
+
+ /* if something is inside the buffer, simulate key press */
+ if (key[1] != 0)
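Review bot: Returning `ret` when the USB_WRITE_REMOTE acknowledgement fails discards a key that was already read successfully into `key[1..4]` by the preceding USB_READ_REMOTE; since the comment itself says the write's necessity is unclear, either keep reporting the key and only fail on the read, or document that an acknowledgement failure intentionally drops the event. Separately, `key[0]` is never written in this function, so any use of it further down (the body continues past the hunk) would be the same class of bug the commit fixes. digitv_rc_query() ends outside the hunk.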
--- /dev/null
+From 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 12 Nov 2019 10:22:28 +0100
+Subject: media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 569bc8d6a6a50acb5fcf07fb10b8d2d461fdbf93 upstream.
+
+This fixes a syzbot failure since actlen could be uninitialized,
+but it was still used.
+
+Syzbot link:
+
+https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
+
+Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
+@@ -12,7 +12,7 @@
+ int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
+ u16 rlen, int delay_ms)
+ {
+- int actlen,ret = -ENOMEM;
++ int actlen = 0, ret = -ENOMEM;
+
+ if (!d || wbuf == NULL || wlen == 0)
+ return -EINVAL;
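Review bot: `int actlen = 0` in dvb_usb_generic_rw() only guarantees a defined value; after a failed `usb_bulk_msg()` it is still not a real transfer count, so the code after this hunk that consumes `actlen` (not visible here) must keep checking the return code first and must not treat a zero `actlen` alongside a non-zero return as an empty successful read. A one-line comment on the declaration, `/* zeroed: usb_bulk_msg() does not set actlen on error */`, would record that. The function continues past the hunk.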
--- /dev/null
+From de89d0864f66c2a1b75becfdd6bf3793c07ce870 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 12 Nov 2019 10:22:24 +0100
+Subject: media: gspca: zero usb_buf
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit de89d0864f66c2a1b75becfdd6bf3793c07ce870 upstream.
+
+Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
+ensure it is properly zeroed. This fixes various syzbot errors
+about uninitialized data.
+
+Syzbot links:
+
+https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
+https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
+https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e
+
+Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/gspca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -1473,7 +1473,7 @@ int gspca_dev_probe2(struct usb_interfac
+ pr_err("couldn't kzalloc gspca struct\n");
+ return -ENOMEM;
+ }
+- gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL);
++ gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);
+ if (!gspca_dev->usb_buf) {
+ pr_err("out of memory\n");
+ ret = -ENOMEM;
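Review bot: Switching to `kzalloc()` zeroes `usb_buf` once at probe, but the buffer is presumably reused for every control transfer, so after the first one a failed or short read leaves stale bytes from the previous transfer rather than zeros; subdrivers that read `usb_buf` without checking the transfer result are then reading unrelated data, just no longer uninitialised memory. A comment at the allocation, `/* zeroed so a failed first transfer is not read as uninitialised data */`, would state what this does and does not fix. gspca_dev_probe2() continues past the hunk.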
--- /dev/null
+From 26cff637121d8bb866ebd6515c430ac890e6ec80 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 10 Nov 2019 11:25:13 +0100
+Subject: media: vp7045: do not read uninitialized values if usb transfer fails
+
+From: Sean Young <sean@mess.org>
+
+commit 26cff637121d8bb866ebd6515c430ac890e6ec80 upstream.
+
+It is not a fatal error if reading the mac address or the remote control
+decoder state fails.
+
+Reported-by: syzbot+ec869945d3dde5f33b43@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/vp7045.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/vp7045.c
++++ b/drivers/media/usb/dvb-usb/vp7045.c
+@@ -99,10 +99,14 @@ static int vp7045_power_ctrl(struct dvb_
+
+ static int vp7045_rc_query(struct dvb_usb_device *d)
+ {
++ int ret;
+ u8 key;
+- vp7045_usb_op(d,RC_VAL_READ,NULL,0,&key,1,20);
+
+- deb_rc("remote query key: %x %d\n",key,key);
++ ret = vp7045_usb_op(d, RC_VAL_READ, NULL, 0, &key, 1, 20);
++ if (ret)
++ return ret;
++
++ deb_rc("remote query key: %x\n", key);
+
+ if (key != 0x44) {
+ /*
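Review bot: vp7045_rc_query() now returns the transfer error to the remote-control polling code, while the description says a failed decoder-state read is not fatal; that holds only if the caller treats a non-zero return as "no key this poll", which is outside this hunk. A comment above `return ret;` stating that expectation, `/* not fatal: the rc poll simply reports no key */`, would make the contract visible at the point it is relied on. The function ends outside the hunk.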
+@@ -118,15 +122,18 @@ static int vp7045_rc_query(struct dvb_us
+
+ static int vp7045_read_eeprom(struct dvb_usb_device *d,u8 *buf, int len, int offset)
+ {
+- int i = 0;
+- u8 v,br[2];
++ int i, ret;
++ u8 v, br[2];
+ for (i=0; i < len; i++) {
+ v = offset + i;
+- vp7045_usb_op(d,GET_EE_VALUE,&v,1,br,2,5);
++ ret = vp7045_usb_op(d, GET_EE_VALUE, &v, 1, br, 2, 5);
++ if (ret)
++ return ret;
++
+ buf[i] = br[1];
+ }
+- deb_info("VP7045 EEPROM read (offs: %d, len: %d) : ",offset, i);
+- debug_dump(buf,i,deb_info);
++ deb_info("VP7045 EEPROM read (offs: %d, len: %d) : ", offset, i);
++ debug_dump(buf, i, deb_info);
+ return 0;
+ }
+
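Review bot: In vp7045_read_eeprom(), `v = offset + i` still narrows an `int` sum into the `u8` command byte, so an `offset + len` above 255 silently wraps to the start of the EEPROM; if the callers are known to stay in range, a comment saying so would help, otherwise `if (offset < 0 || offset + len > 256) return -EINVAL;` at the top makes the assumption explicit. The final `deb_info()` prints `i` as the length; on the only path that reaches it `i == len`, so printing `len` directly reads more naturally now that `i` is no longer initialised at its declaration.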
--- /dev/null
+From c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 30 Jan 2020 22:11:07 -0800
+Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c7a91bc7c2e17e0a9c8b9745a2cb118891218fd1 upstream.
+
+What we are trying to do is change the '=' character to a NUL terminator
+and then at the end of the function we restore it back to an '='. The
+problem is there are two error paths where we jump to the end of the
+function before we have replaced the '=' with NUL.
+
+We end up putting the '=' in the wrong place (possibly one element
+before the start of the buffer).
+
+Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain
+Reported-by: syzbot+e64a13c5369a194d67df@syzkaller.appspotmail.com
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Dmitry Vyukov <dvyukov@google.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2808,6 +2808,9 @@ int mpol_parse_str(char *str, struct mem
+ char *flags = strchr(str, '=');
+ int err = 1;
+
++ if (flags)
++ *flags++ = '\0'; /* terminate mode string */
++
+ if (nodelist) {
+ /* NUL-terminate mode or flags string */
+ *nodelist++ = '\0';
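Review bot: The moved `*flags++ = '\0'` is correct only because of an invariant the hunk cannot show: the `out:` label at the end of mpol_parse_str() restores the '=' with a pre-decrement on `flags`, so this statement must precede every `goto out` in the function. Make that explicit where it now lives, e.g. `/* must run before any goto out: the out label undoes this via *--flags = '=' */`, so a future early exit added above it does not reintroduce the out-of-bounds write. mpol_parse_str() starts before and ends after this hunk.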
+@@ -2818,9 +2821,6 @@ int mpol_parse_str(char *str, struct mem
+ } else
+ nodes_clear(nodes);
+
+- if (flags)
+- *flags++ = '\0'; /* terminate mode string */
+-
+ for (mode = 0; mode < MPOL_MAX; mode++) {
+ if (!strcmp(str, policy_modes[mode])) {
+ break;
--- /dev/null
+From 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 12 Dec 2019 11:30:03 +0100
+Subject: reiserfs: Fix memory leak of journal device string
+
+From: Jan Kara <jack@suse.cz>
+
+commit 5474ca7da6f34fa95e82edc747d5faa19cbdfb5c upstream.
+
+When a filesystem is mounted with jdev mount option, we store the
+journal device name in an allocated string in superblock. However we
+fail to ever free that string. Fix it.
+
+Reported-by: syzbot+1c6756baf4b16b94d2a6@syzkaller.appspotmail.com
+Fixes: c3aa077648e1 ("reiserfs: Properly display mount options in /proc/mounts")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -629,6 +629,7 @@ static void reiserfs_put_super(struct su
+ reiserfs_write_unlock(s);
+ mutex_destroy(&REISERFS_SB(s)->lock);
+ destroy_workqueue(REISERFS_SB(s)->commit_wq);
++ kfree(REISERFS_SB(s)->s_jdev);
+ kfree(s->s_fs_info);
+ s->s_fs_info = NULL;
+ }
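Review bot: Freeing `s_jdev` in reiserfs_put_super() covers the unmount path, but if the jdev option can also be parsed on remount and the parser assigns a fresh string to `REISERFS_SB(s)->s_jdev` (outside this hunk), the previous allocation is still leaked there; either free the old pointer before the reassignment or note in the option parser that jdev is mount-time only. A short comment here, `kfree(REISERFS_SB(s)->s_jdev); /* set by the jdev mount option */`, would also tell the reader where the string comes from.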
+@@ -2243,6 +2244,7 @@ error_unlocked:
+ kfree(qf_names[j]);
+ }
+ #endif
++ kfree(sbi->s_jdev);
+ kfree(sbi);
+
+ s->s_fs_info = NULL;
pm-devfreq-add-new-name-attribute-for-sysfs.patch
tools-lib-fix-builds-when-glibc-contains-strlcpy.patch
arm64-kbuild-remove-compressed-images-on-make-arch-arm64-dist-clean.patch
+ext4-validate-the-debug_want_extra_isize-mount-option-at-parse-time.patch
+mm-mempolicy.c-fix-out-of-bounds-write-in-mpol_parse_str.patch
+reiserfs-fix-memory-leak-of-journal-device-string.patch
+media-digitv-don-t-continue-if-remote-control-state-can-t-be-read.patch
+media-af9005-uninitialized-variable-printked.patch
+media-vp7045-do-not-read-uninitialized-values-if-usb-transfer-fails.patch
+media-gspca-zero-usb_buf.patch
+media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
+tomoyo-use-atomic_t-for-statistics-counter.patch
+ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
+bluetooth-fix-race-condition-in-hci_release_sock.patch
+cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
--- /dev/null
+From a8772fad0172aeae339144598b809fd8d4823331 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 2 Jan 2020 12:53:49 +0900
+Subject: tomoyo: Use atomic_t for statistics counter
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit a8772fad0172aeae339144598b809fd8d4823331 upstream.
+
+syzbot is reporting that there is a race at tomoyo_stat_update() [1].
+Although it is acceptable to fail to track exact number of times policy
+was updated, convert to atomic_t because this is not a hot path.
+
+[1] https://syzkaller.appspot.com/bug?id=a4d7b973972eeed410596e6604580e0133b0fc04
+
+Reported-by: syzbot <syzbot+efea72d4a0a1d03596cd@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/tomoyo/common.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2254,9 +2254,9 @@ static const char * const tomoyo_memory_
+ [TOMOYO_MEMORY_QUERY] = "query message:",
+ };
+
+-/* Timestamp counter for last updated. */
+-static unsigned int tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
+ /* Counter for number of updates. */
++static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
++/* Timestamp counter for last updated. */
+ static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
+
+ /**
+@@ -2268,10 +2268,7 @@ static time64_t tomoyo_stat_modified[TOM
+ */
+ void tomoyo_update_stat(const u8 index)
+ {
+- /*
+- * I don't use atomic operations because race condition is not fatal.
+- */
+- tomoyo_stat_updated[index]++;
++ atomic_inc(&tomoyo_stat_updated[index]);
+ tomoyo_stat_modified[index] = ktime_get_real_seconds();
+ }
+
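Review bot: Only the counter became atomic; `tomoyo_stat_modified[index] = ktime_get_real_seconds();` in tomoyo_update_stat() is still a plain write to a shared `time64_t`, which is a non-atomic 64-bit store on 32-bit targets and is read without synchronisation by tomoyo_read_stat(), so the same class of race report remains possible for the timestamp. If a stale or torn timestamp is acceptable, say so in place of the removed comment, e.g. `/* racy by design: a stale or torn timestamp is tolerated */`, or use `WRITE_ONCE()` here and `READ_ONCE()` in the reader.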
+@@ -2291,7 +2288,7 @@ static void tomoyo_read_stat(struct tomo
+ for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) {
+ tomoyo_io_printf(head, "Policy %-30s %10u",
+ tomoyo_policy_headers[i],
+- tomoyo_stat_updated[i]);
++ atomic_read(&tomoyo_stat_updated[i]));
+ if (tomoyo_stat_modified[i]) {
+ struct tomoyo_time stamp;
+ tomoyo_convert_time(tomoyo_stat_modified[i], &stamp);
--- /dev/null
+From 9a655c77ff8fc65699a3f98e237db563b37c439b Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Date: Mon, 13 Jan 2020 11:48:42 +0800
+Subject: ttyprintk: fix a potential deadlock in interrupt context issue
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+commit 9a655c77ff8fc65699a3f98e237db563b37c439b upstream.
+
+tpk_write()/tpk_close() could be interrupted while holding a mutex; the
+timer handler may then call tpk_write() again, trying to acquire the same
+mutex, leading to a deadlock.
+
+Google syzbot reported this issue with CONFIG_DEBUG_ATOMIC_SLEEP
+enabled:
+
+BUG: sleeping function called from invalid context at
+kernel/locking/mutex.c:938
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/1
+1 lock held by swapper/1/0:
+...
+Call Trace:
+ <IRQ>
+ dump_stack+0x197/0x210
+ ___might_sleep.cold+0x1fb/0x23e
+ __might_sleep+0x95/0x190
+ __mutex_lock+0xc5/0x13c0
+ mutex_lock_nested+0x16/0x20
+ tpk_write+0x5d/0x340
+ resync_tnc+0x1b6/0x320
+ call_timer_fn+0x1ac/0x780
+ run_timer_softirq+0x6c3/0x1790
+ __do_softirq+0x262/0x98c
+ irq_exit+0x19b/0x1e0
+ smp_apic_timer_interrupt+0x1a3/0x610
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+See link https://syzkaller.appspot.com/bug?extid=2eeef62ee31f9460ad65 for
+more details.
+
+Fix it by using spinlock in process context instead of mutex and having
+interrupt disabled in critical section.
+
+Reported-by: syzbot+2eeef62ee31f9460ad65@syzkaller.appspotmail.com
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20200113034842.435-1-zhenzhong.duan@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ttyprintk.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -18,10 +18,11 @@
+ #include <linux/serial.h>
+ #include <linux/tty.h>
+ #include <linux/module.h>
++#include <linux/spinlock.h>
+
+ struct ttyprintk_port {
+ struct tty_port port;
+- struct mutex port_write_mutex;
++ spinlock_t spinlock;
+ };
+
+ static struct ttyprintk_port tpk_port;
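Review bot: Naming the new field `spinlock` says only what type it is; the removed `port_write_mutex` told the reader what it protected. A name such as `port_write_lock`, or at least a comment, `spinlock_t spinlock; /* serialises tpk_printk() between tpk_write() and tpk_close() */`, keeps that information, and the description's point that tpk_write() can run from a timer softirq is exactly what belongs next to this field.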
+@@ -100,11 +101,12 @@ static int tpk_open(struct tty_struct *t
+ static void tpk_close(struct tty_struct *tty, struct file *filp)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ /* flush tpk_printk buffer */
+ tpk_printk(NULL, 0);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ tty_port_close(&tpkp->port, tty, filp);
+ }
+@@ -116,13 +118,14 @@ static int tpk_write(struct tty_struct *
+ const unsigned char *buf, int count)
+ {
+ struct ttyprintk_port *tpkp = tty->driver_data;
++ unsigned long flags;
+ int ret;
+
+
+ /* exclusive use of tpk_printk within this tty */
+- mutex_lock(&tpkp->port_write_mutex);
++ spin_lock_irqsave(&tpkp->spinlock, flags);
+ ret = tpk_printk(buf, count);
+- mutex_unlock(&tpkp->port_write_mutex);
++ spin_unlock_irqrestore(&tpkp->spinlock, flags);
+
+ return ret;
+ }
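Review bot: `tpk_printk(buf, count)` now runs with interrupts disabled for the whole write in tpk_write(); if tpk_printk() walks all `count` bytes and emits printk() lines as it goes (its body is not in the hunk), the IRQ-off section scales with the write size, which is worth stating so nobody later raises the write room without noticing. A comment above the lock, `/* irqsave: tpk_write() may also be called from timer/softirq context */`, documents why irqsave rather than a plain spin_lock() is needed here. tpk_write() begins before this hunk.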
+@@ -172,7 +175,7 @@ static int __init ttyprintk_init(void)
+ {
+ int ret = -ENOMEM;
+
+- mutex_init(&tpk_port.port_write_mutex);
++ spin_lock_init(&tpk_port.spinlock);
+
+ ttyprintk_driver = tty_alloc_driver(1,
+ TTY_DRIVER_RESET_TERMIOS |