From 6aa04aec1c4672d20384d6af299022ff9121dc27 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 23 May 2021 16:05:32 -0400
Subject: [PATCH] Fixes for 4.4

Signed-off-by: Sasha Levin
---
 queue-4.4/openrisc-fix-a-memory-leak.patch | 42 +++++
 ...ce-fail-if-the-tracee-changed-its-pi.patch | 161 ++++++++++++++++++
 ...-error-return-code-in-qla82xx_write_.patch | 40 +++++
 queue-4.4/series | 3 +
 4 files changed, 246 insertions(+)
 create mode 100644 queue-4.4/openrisc-fix-a-memory-leak.patch
 create mode 100644 queue-4.4/ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
 create mode 100644 queue-4.4/scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
 create mode 100644 queue-4.4/series

diff --git a/queue-4.4/openrisc-fix-a-memory-leak.patch b/queue-4.4/openrisc-fix-a-memory-leak.patch
new file mode 100644
index 00000000000..0d50f36f8cc
--- /dev/null
+++ b/queue-4.4/openrisc-fix-a-memory-leak.patch
@@ -0,0 +1,42 @@
+From 1ccf314452e5baf24903c7386b8b0ec34bdb88ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Apr 2021 17:09:28 +0200
+Subject: openrisc: Fix a memory leak
+
+From: Christophe JAILLET
+
+[ Upstream commit c019d92457826bb7b2091c86f36adb5de08405f9 ]
+
+'setup_find_cpu_node()' take a reference on the node it returns.
+This reference must be decremented when not needed anymore, or there will
+be a leak.
+
+Add the missing 'of_node_put(cpu)'.
+
+Note that 'setup_cpuinfo()' that also calls this function already has a
+correct 'of_node_put(cpu)' at its end.
+
+Fixes: 9d02a4283e9c ("OpenRISC: Boot code")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Stafford Horne
+Signed-off-by: Sasha Levin
+---
+ arch/openrisc/kernel/setup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
+index b4ed8b36e078..e5f5b69a7b7b 100644
+--- a/arch/openrisc/kernel/setup.c
++++ b/arch/openrisc/kernel/setup.c
+@@ -278,6 +278,8 @@ void calibrate_delay(void)
+ pr_cont("%lu.%02lu BogoMIPS (lpj=%lu)\n",
+ loops_per_jiffy / (500000 / HZ),
+ (loops_per_jiffy / (5000 / HZ)) % 100, loops_per_jiffy);
++
++ of_node_put(cpu);
+ }
+
+ void __init setup_arch(char **cmdline_p)
+--
+2.30.2
+
diff --git a/queue-4.4/ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch b/queue-4.4/ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
new file mode 100644
index 00000000000..1335e141027
--- /dev/null
+++ b/queue-4.4/ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
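Review bot: The added `of_node_put(cpu)` at the end of `calibrate_delay()` is only correct if the 4.4 version of this function still obtains `cpu` through a reference-taking lookup; the hunk shows neither the lookup nor the declaration of `cpu`, so the backporter should confirm that against the 4.4 tree rather than the upstream description, which names `setup_find_cpu_node()`. Dropping a reference that was never taken would underflow the node's refcount instead of fixing a leak. `of_node_put()` tolerates a NULL pointer, so no NULL guard is needed on the added line. `calibrate_delay()` starts outside the hunk.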
@@ -0,0 +1,161 @@
+From 3667f03d0cf74926d5ca45d1ba6dc8100dd5e773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 May 2021 15:33:08 +0200
+Subject: ptrace: make ptrace() fail if the tracee changed its pid unexpectedly
+
+From: Oleg Nesterov
+
+[ Upstream commit dbb5afad100a828c97e012c6106566d99f041db6 ]
+
+Suppose we have 2 threads, the group-leader L and a sub-theread T,
+both parked in ptrace_stop(). Debugger tries to resume both threads
+and does
+
+ ptrace(PTRACE_CONT, T);
+ ptrace(PTRACE_CONT, L);
+
+If the sub-thread T execs in between, the 2nd PTRACE_CONT doesn not
+resume the old leader L, it resumes the post-exec thread T which was
+actually now stopped in PTHREAD_EVENT_EXEC. In this case the
+PTHREAD_EVENT_EXEC event is lost, and the tracer can't know that the
+tracee changed its pid.
+
+This patch makes ptrace() fail in this case until debugger does wait()
+and consumes PTHREAD_EVENT_EXEC which reports old_pid. This affects all
+ptrace requests except the "asynchronous" PTRACE_INTERRUPT/KILL.
+
+The patch doesn't add the new PTRACE_ option to not complicate the API,
+and I _hope_ this won't cause any noticeable regression:
+
+ - If debugger uses PTRACE_O_TRACEEXEC and the thread did an exec
+ and the tracer does a ptrace request without having consumed
+ the exec event, it's 100% sure that the thread the ptracer
+ thinks it is targeting does not exist anymore, or isn't the
+ same as the one it thinks it is targeting.
+
+ - To some degree this patch adds nothing new. In the scenario
+ above ptrace(L) can fail with -ESRCH if it is called after the
+ execing sub-thread wakes the leader up and before it "steals"
+ the leader's pid.
+
+Test-case:
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ void *tf(void *arg)
+ {
+ execve("/usr/bin/true", NULL, NULL);
+ assert(0);
+
+ return NULL;
+ }
+
+ int main(void)
+ {
+ int leader = fork();
+ if (!leader) {
+ kill(getpid(), SIGSTOP);
+
+ pthread_t th;
+ pthread_create(&th, NULL, tf, NULL);
+ for (;;)
+ pause();
+
+ return 0;
+ }
+
+ waitpid(leader, NULL, WSTOPPED);
+
+ ptrace(PTRACE_SEIZE, leader, 0,
+ PTRACE_O_TRACECLONE | PTRACE_O_TRACEEXEC);
+ waitpid(leader, NULL, 0);
+
+ ptrace(PTRACE_CONT, leader, 0,0);
+ waitpid(leader, NULL, 0);
+
+ int status, thread = waitpid(-1, &status, 0);
+ assert(thread > 0 && thread != leader);
+ assert(status == 0x80137f);
+
+ ptrace(PTRACE_CONT, thread, 0,0);
+ /*
+ * waitid() because waitpid(leader, &status, WNOWAIT) does not
+ * report status. Why ????
+ *
+ * Why WEXITED? because we have another kernel problem connected
+ * to mt-exec.
+ */
+ siginfo_t info;
+ assert(waitid(P_PID, leader, &info, WSTOPPED|WEXITED|WNOWAIT) == 0);
+ assert(info.si_pid == leader && info.si_status == 0x0405);
+
+ /* OK, it sleeps in ptrace(PTRACE_EVENT_EXEC == 0x04) */
+ assert(ptrace(PTRACE_CONT, leader, 0,0) == -1);
+ assert(errno == ESRCH);
+
+ assert(leader == waitpid(leader, &status, WNOHANG));
+ assert(status == 0x04057f);
+
+ assert(ptrace(PTRACE_CONT, leader, 0,0) == 0);
+
+ return 0;
+ }
+
+Signed-off-by: Oleg Nesterov
+Reported-by: Simon Marchi
+Acked-by: "Eric W. Biederman"
+Acked-by: Pedro Alves
+Acked-by: Simon Marchi
+Acked-by: Jan Kratochvil
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/ptrace.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index da8c358930fb..5a1d8cc7ef4e 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -129,6 +129,21 @@ void __ptrace_unlink(struct task_struct *child)
+ spin_unlock(&child->sighand->siglock);
+ }
+
++static bool looks_like_a_spurious_pid(struct task_struct *task)
++{
++ if (task->exit_code != ((PTRACE_EVENT_EXEC << 8) | SIGTRAP))
++ return false;
++
++ if (task_pid_vnr(task) == task->ptrace_message)
++ return false;
++ /*
++ * The tracee changed its pid but the PTRACE_EVENT_EXEC event
++ * was not wait()'ed, most probably debugger targets the old
++ * leader which was destroyed in de_thread().
++ */
++ return true;
++}
++
+ /* Ensure that nothing can wake it up, even SIGKILL */
+ static bool ptrace_freeze_traced(struct task_struct *task)
+ {
+@@ -139,7 +154,8 @@ static bool ptrace_freeze_traced(struct task_struct *task)
+ return ret;
+
+ spin_lock_irq(&task->sighand->siglock);
+- if (task_is_traced(task) && !__fatal_signal_pending(task)) {
++ if (task_is_traced(task) && !looks_like_a_spurious_pid(task) &&
++ !__fatal_signal_pending(task)) {
+ task->state = __TASK_TRACED;
+ ret = true;
+ }
+--
+2.30.2
+
diff --git a/queue-4.4/scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch b/queue-4.4/scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
new file mode 100644
index 00000000000..bcdba3b1c9d
--- /dev/null
+++ b/queue-4.4/scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
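Review bot: `looks_like_a_spurious_pid()` reads `task->exit_code` and `task->ptrace_message` and is only meaningful for a tracee that is actually stopped, yet nothing at its definition states those preconditions; its single caller in `ptrace_freeze_traced()` satisfies them by holding `task->sighand->siglock` and evaluating `task_is_traced(task) &&` first, but a future caller would not see that. Suggest a header comment on the new helper, e.g. `/* Caller holds ->sighand->siglock and has already checked task_is_traced(). */`. Separately, `task_pid_vnr()` yields a `pid_t` while `ptrace_message` is an `unsigned long`, so the equality on the second check is done after integer promotion; it is correct because pids are non-negative, but a short comment or a `(pid_t)` cast would make that intent explicit to readers who see the mixed signedness. `ptrace_freeze_traced()` begins and ends outside the second nested hunk.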
@@ -0,0 +1,40 @@
+From dba8b8e50fd37112c30f7e835847bd0dd345b253 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 May 2021 17:09:52 +0800
+Subject: scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword()
+
+From: Zhen Lei
+
+[ Upstream commit 5cb289bf2d7c34ca1abd794ce116c4f19185a1d4 ]
+
+Fix to return a negative error code from the error handling case instead of
+0 as done elsewhere in this function.
+
+Link: https://lore.kernel.org/r/20210514090952.6715-1-thunder.leizhen@huawei.com
+Fixes: a9083016a531 ("[SCSI] qla2xxx: Add ISP82XX support.")
+Reported-by: Hulk Robot
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Zhen Lei
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_nx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_nx.c b/drivers/scsi/qla2xxx/qla_nx.c
+index 65f8d2d94159..46f7e3988009 100644
+--- a/drivers/scsi/qla2xxx/qla_nx.c
++++ b/drivers/scsi/qla2xxx/qla_nx.c
+@@ -1103,7 +1103,8 @@ qla82xx_write_flash_dword(struct qla_hw_data *ha, uint32_t flashaddr,
+ return ret;
+ }
+
+- if (qla82xx_flash_set_write_enable(ha))
++ ret = qla82xx_flash_set_write_enable(ha);
++ if (ret < 0)
+ goto done_write;
+
+ qla82xx_wr_32(ha, QLA82XX_ROMUSB_ROM_WDATA, data);
+--
+2.30.2
+
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..10780d80075
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,3 @@
+openrisc-fix-a-memory-leak.patch
+scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
+ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
--
2.47.3
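Review bot: The rewritten test narrows the failure condition: the removed `if (qla82xx_flash_set_write_enable(ha))` treated any non-zero return as failure, while the new `if (ret < 0)` only catches negative values. qla2xxx also reports failures with positive status codes such as `QLA_FUNCTION_FAILED` elsewhere, so unless `qla82xx_flash_set_write_enable()` is confirmed to return only 0 or a negative errno-style value, `if (ret)` would keep the previous semantics while still propagating the error through `ret`. The `done_write` label and the function's final `return` are outside the hunk, so it is not visible here whether `ret` is reassigned before being returned.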