From 59806cdae568498f62b13685d47ab18749536446 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Fri, 26 Jun 2020 23:40:42 -0400
Subject: [PATCH] Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...ry-to-replace-stale-label-in-ptracem.patch | 47 +++++++++++++++++++
 queue-4.14/series                             |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-4.14/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch

diff --git a/queue-4.14/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch b/queue-4.14/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
new file mode 100644
index 00000000000..abc7610e34e
--- /dev/null
+++ b/queue-4.14/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
@@ -0,0 +1,47 @@
+From d7dc0fe419e6502d788240150474399cf7cca50a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Sep 2018 03:49:26 +0200
+Subject: apparmor: don't try to replace stale label in ptraceme check
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit ca3fde5214e1d24f78269b337d3f22afd6bf445e ]
+
+begin_current_label_crit_section() must run in sleepable context because
+when label_is_stale() is true, aa_replace_current_label() runs, which uses
+prepare_creds(), which can sleep.
+
+Until now, the ptraceme access check (which runs with tasklist_lock held)
+violated this rule.
+
+Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
+Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 4f08023101f3c..1c6b389ad8f94 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -123,11 +123,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
+ 	struct aa_label *tracer, *tracee;
+ 	int error;
+ 
+-	tracee = begin_current_label_crit_section();
++	tracee = __begin_current_label_crit_section();
+ 	tracer = aa_get_task_label(parent);
+ 	error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
+ 	aa_put_label(tracer);
+-	end_current_label_crit_section(tracee);
++	__end_current_label_crit_section(tracee);
+ 
+ 	return error;
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 79ee29a6c6c..0a391241b53 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -3,3 +3,4 @@ net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
 block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
 net-sched-export-__netdev_watchdog_up.patch
 fix-a-braino-in-sparc32-fix-register-window-handling.patch
+apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
-- 
2.47.3