4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 15 Jun 2019 16:11:04 +0000 (18:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 15 Jun 2019 16:11:04 +0000 (18:11 +0200)
added patches:
asoc-cs42xx8-add-regcache-mask-dirty.patch
bcache-fix-stack-corruption-by-preceding_key.patch
cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
i2c-acorn-fix-i2c-warning.patch
mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch

queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch [new file with mode: 0644]
queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch [new file with mode: 0644]
queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch [new file with mode: 0644]
queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch [new file with mode: 0644]
queue-4.4/i2c-acorn-fix-i2c-warning.patch [new file with mode: 0644]
queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch [new file with mode: 0644]
queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch [new file with mode: 0644]

diff --git a/queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch b/queue-4.4/asoc-cs42xx8-add-regcache-mask-dirty.patch
new file mode 100644 (file)
index 0000000..01ea154
--- /dev/null
@@ -0,0 +1,34 @@
+From ad6eecbfc01c987e0253371f274c3872042e4350 Mon Sep 17 00:00:00 2001
+From: "S.j. Wang" <shengjiu.wang@nxp.com>
+Date: Thu, 16 May 2019 06:04:29 +0000
+Subject: ASoC: cs42xx8: Add regcache mask dirty
+
+From: S.j. Wang <shengjiu.wang@nxp.com>
+
+commit ad6eecbfc01c987e0253371f274c3872042e4350 upstream.
+
+Add regcache_mark_dirty before regcache_sync for power
+of codec may be lost at suspend, then all the register
+need to be reconfigured.
+
+Fixes: 0c516b4ff85c ("ASoC: cs42xx8: Add codec driver
+support for CS42448/CS42888")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/cs42xx8.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/cs42xx8.c
++++ b/sound/soc/codecs/cs42xx8.c
+@@ -561,6 +561,7 @@ static int cs42xx8_runtime_resume(struct
+       msleep(5);
+       regcache_cache_only(cs42xx8->regmap, false);
++      regcache_mark_dirty(cs42xx8->regmap);
+       ret = regcache_sync(cs42xx8->regmap);
+       if (ret) {
diff --git a/queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch b/queue-4.4/bcache-fix-stack-corruption-by-preceding_key.patch
new file mode 100644 (file)
index 0000000..21f3beb
--- /dev/null
@@ -0,0 +1,127 @@
+From 31b90956b124240aa8c63250243ae1a53585c5e2 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 10 Jun 2019 06:13:34 +0800
+Subject: bcache: fix stack corruption by PRECEDING_KEY()
+
+From: Coly Li <colyli@suse.de>
+
+commit 31b90956b124240aa8c63250243ae1a53585c5e2 upstream.
+
+Recently people report bcache code compiled with gcc9 is broken, one of
+the buggy behavior I observe is that two adjacent 4KB I/Os should merge
+into one but they don't. Finally it turns out to be a stack corruption
+caused by macro PRECEDING_KEY().
+
+See how PRECEDING_KEY() is defined in bset.h,
+437 #define PRECEDING_KEY(_k)                                       \
+438 ({                                                              \
+439         struct bkey *_ret = NULL;                               \
+440                                                                 \
+441         if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
+442                 _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
+443                                                                 \
+444                 if (!_ret->low)                                 \
+445                         _ret->high--;                           \
+446                 _ret->low--;                                    \
+447         }                                                       \
+448                                                                 \
+449         _ret;                                                   \
+450 })
+
+At line 442, _ret points to address of a on-stack variable combined by
+KEY(), the life range of this on-stack variable is in line 442-446,
+once _ret is returned to bch_btree_insert_key(), the returned address
+points to an invalid stack address and this address is overwritten in
+the following called bch_btree_iter_init(). Then argument 'search' of
+bch_btree_iter_init() points to some address inside stackframe of
+bch_btree_iter_init(), exact address depends on how the compiler
+allocates stack space. Now the stack is corrupted.
+
+Fixes: 0eacac22034c ("bcache: PRECEDING_KEY()")
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Rolf Fokkens <rolf@rolffokkens.nl>
+Reviewed-by: Pierre JUHEN <pierre.juhen@orange.fr>
+Tested-by: Shenghui Wang <shhuiw@foxmail.com>
+Tested-by: Pierre JUHEN <pierre.juhen@orange.fr>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/bset.c |   16 +++++++++++++---
+ drivers/md/bcache/bset.h |   34 ++++++++++++++++++++--------------
+ 2 files changed, 33 insertions(+), 17 deletions(-)
+
+--- a/drivers/md/bcache/bset.c
++++ b/drivers/md/bcache/bset.c
+@@ -823,12 +823,22 @@ unsigned bch_btree_insert_key(struct btr
+       struct bset *i = bset_tree_last(b)->data;
+       struct bkey *m, *prev = NULL;
+       struct btree_iter iter;
++      struct bkey preceding_key_on_stack = ZERO_KEY;
++      struct bkey *preceding_key_p = &preceding_key_on_stack;
+       BUG_ON(b->ops->is_extents && !KEY_SIZE(k));
+-      m = bch_btree_iter_init(b, &iter, b->ops->is_extents
+-                              ? PRECEDING_KEY(&START_KEY(k))
+-                              : PRECEDING_KEY(k));
++      /*
++       * If k has preceding key, preceding_key_p will be set to address
++       *  of k's preceding key; otherwise preceding_key_p will be set
++       * to NULL inside preceding_key().
++       */
++      if (b->ops->is_extents)
++              preceding_key(&START_KEY(k), &preceding_key_p);
++      else
++              preceding_key(k, &preceding_key_p);
++
++      m = bch_btree_iter_init(b, &iter, preceding_key_p);
+       if (b->ops->insert_fixup(b, k, &iter, replace_key))
+               return status;
+--- a/drivers/md/bcache/bset.h
++++ b/drivers/md/bcache/bset.h
+@@ -417,20 +417,26 @@ static inline bool bch_cut_back(const st
+       return __bch_cut_back(where, k);
+ }
+-#define PRECEDING_KEY(_k)                                     \
+-({                                                            \
+-      struct bkey *_ret = NULL;                               \
+-                                                              \
+-      if (KEY_INODE(_k) || KEY_OFFSET(_k)) {                  \
+-              _ret = &KEY(KEY_INODE(_k), KEY_OFFSET(_k), 0);  \
+-                                                              \
+-              if (!_ret->low)                                 \
+-                      _ret->high--;                           \
+-              _ret->low--;                                    \
+-      }                                                       \
+-                                                              \
+-      _ret;                                                   \
+-})
++/*
++ * Pointer '*preceding_key_p' points to a memory object to store preceding
++ * key of k. If the preceding key does not exist, set '*preceding_key_p' to
++ * NULL. So the caller of preceding_key() needs to take care of memory
++ * which '*preceding_key_p' pointed to before calling preceding_key().
++ * Currently the only caller of preceding_key() is bch_btree_insert_key(),
++ * and it points to an on-stack variable, so the memory release is handled
++ * by stackframe itself.
++ */
++static inline void preceding_key(struct bkey *k, struct bkey **preceding_key_p)
++{
++      if (KEY_INODE(k) || KEY_OFFSET(k)) {
++              (**preceding_key_p) = KEY(KEY_INODE(k), KEY_OFFSET(k), 0);
++              if (!(*preceding_key_p)->low)
++                      (*preceding_key_p)->high--;
++              (*preceding_key_p)->low--;
++      } else {
++              (*preceding_key_p) = NULL;
++      }
++}
+ static inline bool bch_ptr_invalid(struct btree_keys *b, const struct bkey *k)
+ {
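Review bot: The new `preceding_key()` in the bset.h hunk only reads `k` (through `KEY_INODE()` and `KEY_OFFSET()`), so its first parameter should be const-qualified to document that the input key is never modified and to let callers pass const keys: `static inline void preceding_key(const struct bkey *k, struct bkey **preceding_key_p)`. This assumes the `KEY_INODE()`/`KEY_OFFSET()` accessors accept a const pointer, which the hunk does not show. The comment added in the bset.c hunk also carries a stray double space in ` *  of k's preceding key`. The enclosing `bch_btree_insert_key()` in bset.c starts and ends outside its hunk.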
diff --git a/queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch b/queue-4.4/cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
new file mode 100644 (file)
index 0000000..9ff1cd8
--- /dev/null
@@ -0,0 +1,88 @@
+From 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 29 May 2019 13:46:25 -0700
+Subject: cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 18fa84a2db0e15b02baa5d94bdb5bd509175d2f6 upstream.
+
+A PF_EXITING task can stay associated with an offline css.  If such
+task calls task_get_css(), it can get stuck indefinitely.  This can be
+triggered by BSD process accounting which writes to a file with
+PF_EXITING set when racing against memcg disable as in the backtrace
+at the end.
+
+After this change, task_get_css() may return a css which was already
+offline when the function was called.  None of the existing users are
+affected by this change.
+
+  INFO: rcu_sched self-detected stall on CPU
+  INFO: rcu_sched detected stalls on CPUs/tasks:
+  ...
+  NMI backtrace for cpu 0
+  ...
+  Call Trace:
+   <IRQ>
+   dump_stack+0x46/0x68
+   nmi_cpu_backtrace.cold.2+0x13/0x57
+   nmi_trigger_cpumask_backtrace+0xba/0xca
+   rcu_dump_cpu_stacks+0x9e/0xce
+   rcu_check_callbacks.cold.74+0x2af/0x433
+   update_process_times+0x28/0x60
+   tick_sched_timer+0x34/0x70
+   __hrtimer_run_queues+0xee/0x250
+   hrtimer_interrupt+0xf4/0x210
+   smp_apic_timer_interrupt+0x56/0x110
+   apic_timer_interrupt+0xf/0x20
+   </IRQ>
+  RIP: 0010:balance_dirty_pages_ratelimited+0x28f/0x3d0
+  ...
+   btrfs_file_write_iter+0x31b/0x563
+   __vfs_write+0xfa/0x140
+   __kernel_write+0x4f/0x100
+   do_acct_process+0x495/0x580
+   acct_process+0xb9/0xdb
+   do_exit+0x748/0xa00
+   do_group_exit+0x3a/0xa0
+   get_signal+0x254/0x560
+   do_signal+0x23/0x5c0
+   exit_to_usermode_loop+0x5d/0xa0
+   prepare_exit_to_usermode+0x53/0x80
+   retint_user+0x8/0x8
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: stable@vger.kernel.org # v4.2+
+Fixes: ec438699a9ae ("cgroup, block: implement task_get_css() and use it in bio_associate_current()")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cgroup.h |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/include/linux/cgroup.h
++++ b/include/linux/cgroup.h
+@@ -453,7 +453,7 @@ static inline struct cgroup_subsys_state
+  *
+  * Find the css for the (@task, @subsys_id) combination, increment a
+  * reference on and return it.  This function is guaranteed to return a
+- * valid css.
++ * valid css.  The returned css may already have been offlined.
+  */
+ static inline struct cgroup_subsys_state *
+ task_get_css(struct task_struct *task, int subsys_id)
+@@ -463,7 +463,13 @@ task_get_css(struct task_struct *task, i
+       rcu_read_lock();
+       while (true) {
+               css = task_css(task, subsys_id);
+-              if (likely(css_tryget_online(css)))
++              /*
++               * Can't use css_tryget_online() here.  A task which has
++               * PF_EXITING set may stay associated with an offline css.
++               * If such task calls this function, css_tryget_online()
++               * will keep failing.
++               */
++              if (likely(css_tryget(css)))
+                       break;
+               cpu_relax();
+       }
diff --git a/queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch b/queue-4.4/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
new file mode 100644 (file)
index 0000000..0ca2264
--- /dev/null
@@ -0,0 +1,97 @@
+From be99ca2716972a712cde46092c54dee5e6192bf8 Mon Sep 17 00:00:00 2001
+From: Wengang Wang <wen.gang.wang@oracle.com>
+Date: Thu, 13 Jun 2019 15:56:01 -0700
+Subject: fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
+
+From: Wengang Wang <wen.gang.wang@oracle.com>
+
+commit be99ca2716972a712cde46092c54dee5e6192bf8 upstream.
+
+ocfs2_dentry_attach_lock() can be executed in parallel threads against the
+same dentry.  Make that race safe.  The race is like this:
+
+            thread A                               thread B
+
+(A1) enter ocfs2_dentry_attach_lock,
+seeing dentry->d_fsdata is NULL,
+and no alias found by
+ocfs2_find_local_alias, so kmalloc
+a new ocfs2_dentry_lock structure
+to local variable "dl", dl1
+
+               .....
+
+                                    (B1) enter ocfs2_dentry_attach_lock,
+                                    seeing dentry->d_fsdata is NULL,
+                                    and no alias found by
+                                    ocfs2_find_local_alias so kmalloc
+                                    a new ocfs2_dentry_lock structure
+                                    to local variable "dl", dl2.
+
+                                                   ......
+
+(A2) set dentry->d_fsdata with dl1,
+call ocfs2_dentry_lock() and increase
+dl1->dl_lockres.l_ro_holders to 1 on
+success.
+              ......
+
+                                    (B2) set dentry->d_fsdata with dl2
+                                    call ocfs2_dentry_lock() and increase
+                                   dl2->dl_lockres.l_ro_holders to 1 on
+                                   success.
+
+                                                  ......
+
+(A3) call ocfs2_dentry_unlock()
+and decrease
+dl2->dl_lockres.l_ro_holders to 0
+on success.
+             ....
+
+                                    (B3) call ocfs2_dentry_unlock(),
+                                    decreasing
+                                   dl2->dl_lockres.l_ro_holders, but
+                                   see it's zero now, panic
+
+Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Reported-by: Daniel Sobe <daniel.sobe@nxp.com>
+Tested-by: Daniel Sobe <daniel.sobe@nxp.com>
+Reviewed-by: Changwei Ge <gechangwei@live.cn>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dcache.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ocfs2/dcache.c
++++ b/fs/ocfs2/dcache.c
+@@ -310,6 +310,18 @@ int ocfs2_dentry_attach_lock(struct dent
+ out_attach:
+       spin_lock(&dentry_attach_lock);
++      if (unlikely(dentry->d_fsdata && !alias)) {
++              /* d_fsdata is set by a racing thread which is doing
++               * the same thing as this thread is doing. Leave the racing
++               * thread going ahead and we return here.
++               */
++              spin_unlock(&dentry_attach_lock);
++              iput(dl->dl_inode);
++              ocfs2_lock_res_free(&dl->dl_lockres);
++              kfree(dl);
++              return 0;
++      }
++
+       dentry->d_fsdata = dl;
+       dl->dl_count++;
+       spin_unlock(&dentry_attach_lock);
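Review bot: The comment inside the new `if (unlikely(dentry->d_fsdata && !alias))` block opens with text on the `/*` line, which is not the kernel's multi-line comment style; it should start with a bare `/*` line followed by ` * d_fsdata is set by a racing thread ...`. The unwind it performs (`iput(dl->dl_inode)`, `ocfs2_lock_res_free(&dl->dl_lockres)`, `kfree(dl)`) presumably mirrors the allocation and inode reference taken earlier in the function, which is outside the hunk, so a one-line comment tying the three calls to that setup, e.g. `/* release what this (losing) thread set up for dl above */`, would help a future reader keep the two paths in sync. `ocfs2_dentry_attach_lock()` starts and ends outside the hunk.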
diff --git a/queue-4.4/i2c-acorn-fix-i2c-warning.patch b/queue-4.4/i2c-acorn-fix-i2c-warning.patch
new file mode 100644 (file)
index 0000000..7d73487
--- /dev/null
@@ -0,0 +1,33 @@
+From ca21f851cc9643af049226d57fabc3c883ea648e Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 11 Jun 2019 17:48:18 +0100
+Subject: i2c: acorn: fix i2c warning
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit ca21f851cc9643af049226d57fabc3c883ea648e upstream.
+
+The Acorn i2c driver (for RiscPC) triggers the "i2c adapter has no name"
+warning in the I2C core driver, resulting in the RTC being inaccessible.
+Fix this.
+
+Fixes: 2236baa75f70 ("i2c: Sanity checks on adapter registration")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-acorn.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-acorn.c
++++ b/drivers/i2c/busses/i2c-acorn.c
+@@ -83,6 +83,7 @@ static struct i2c_algo_bit_data ioc_data
+ static struct i2c_adapter ioc_ops = {
+       .nr                     = 0,
++      .name                   = "ioc",
+       .algo_data              = &ioc_data,
+ };
diff --git a/queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch b/queue-4.4/mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
new file mode 100644 (file)
index 0000000..5132b6c
--- /dev/null
@@ -0,0 +1,71 @@
+From 3510955b327176fd4cbab5baa75b449f077722a2 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeelb@google.com>
+Date: Thu, 13 Jun 2019 15:55:49 -0700
+Subject: mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
+
+From: Shakeel Butt <shakeelb@google.com>
+
+commit 3510955b327176fd4cbab5baa75b449f077722a2 upstream.
+
+Syzbot reported following memory leak:
+
+ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79
+BUG: memory leak
+unreferenced object 0xffff888114f26040 (size 32):
+  comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s)
+  hex dump (first 32 bytes):
+    40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff  @`......@`......
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+     slab_post_alloc_hook mm/slab.h:439 [inline]
+     slab_alloc mm/slab.c:3326 [inline]
+     kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+     kmalloc include/linux/slab.h:547 [inline]
+     __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352
+     memcg_init_list_lru_node mm/list_lru.c:375 [inline]
+     memcg_init_list_lru mm/list_lru.c:459 [inline]
+     __list_lru_init+0x193/0x2a0 mm/list_lru.c:626
+     alloc_super+0x2e0/0x310 fs/super.c:269
+     sget_userns+0x94/0x2a0 fs/super.c:609
+     sget+0x8d/0xb0 fs/super.c:660
+     mount_nodev+0x31/0xb0 fs/super.c:1387
+     fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236
+     legacy_get_tree+0x27/0x80 fs/fs_context.c:661
+     vfs_get_tree+0x2e/0x120 fs/super.c:1476
+     do_new_mount fs/namespace.c:2790 [inline]
+     do_mount+0x932/0xc50 fs/namespace.c:3110
+     ksys_mount+0xab/0x120 fs/namespace.c:3319
+     __do_sys_mount fs/namespace.c:3333 [inline]
+     __se_sys_mount fs/namespace.c:3330 [inline]
+     __x64_sys_mount+0x26/0x30 fs/namespace.c:3330
+     do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+     entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This is a simple off by one bug on the error path.
+
+Link: http://lkml.kernel.org/r/20190528043202.99980-1-shakeelb@google.com
+Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
+Reported-by: syzbot+f90a420dfe2b1b03cb2c@syzkaller.appspotmail.com
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Cc: <stable@vger.kernel.org>   [4.0+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/list_lru.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -313,7 +313,7 @@ static int __memcg_init_list_lru_node(st
+       }
+       return 0;
+ fail:
+-      __memcg_destroy_list_lru_node(memcg_lrus, begin, i - 1);
++      __memcg_destroy_list_lru_node(memcg_lrus, begin, i);
+       return -ENOMEM;
+ }
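Review bot: The corrected call at the `fail:` label, `__memcg_destroy_list_lru_node(memcg_lrus, begin, i)`, is right only if `i` is the index of the allocation that failed and the destroy helper treats its last argument as an exclusive end; both facts live outside the hunk, so a short comment at the label would stop the next reader from "fixing" it back to `i - 1`, e.g. `/* i indexes the failed allocation; free entries [begin, i) */`. `__memcg_init_list_lru_node()` starts outside the hunk.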
diff --git a/queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch b/queue-4.4/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
new file mode 100644 (file)
index 0000000..7aa8ebd
--- /dev/null
@@ -0,0 +1,63 @@
+From f6581f5b55141a95657ef5742cf6a6bfa20a109f Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 29 May 2019 13:31:57 +0200
+Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
+
+From: Jann Horn <jannh@google.com>
+
+commit f6581f5b55141a95657ef5742cf6a6bfa20a109f upstream.
+
+Restore the read memory barrier in __ptrace_may_access() that was deleted
+a couple years ago. Also add comments on this barrier and the one it pairs
+with to explain why they're there (as far as I understand).
+
+Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
+Cc: stable@vger.kernel.org
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cred.c   |    9 +++++++++
+ kernel/ptrace.c |   10 ++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -447,6 +447,15 @@ int commit_creds(struct cred *new)
+               if (task->mm)
+                       set_dumpable(task->mm, suid_dumpable);
+               task->pdeath_signal = 0;
++              /*
++               * If a task drops privileges and becomes nondumpable,
++               * the dumpability change must become visible before
++               * the credential change; otherwise, a __ptrace_may_access()
++               * racing with this change may be able to attach to a task it
++               * shouldn't be able to attach to (as if the task had dropped
++               * privileges without becoming nondumpable).
++               * Pairs with a read barrier in __ptrace_may_access().
++               */
+               smp_wmb();
+       }
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -292,6 +292,16 @@ static int __ptrace_may_access(struct ta
+       return -EPERM;
+ ok:
+       rcu_read_unlock();
++      /*
++       * If a task drops privileges and becomes nondumpable (through a syscall
++       * like setresuid()) while we are trying to access it, we must ensure
++       * that the dumpability is read after the credentials; otherwise,
++       * we may be able to attach to a task that we shouldn't be able to
++       * attach to (as if the task had dropped privileges without becoming
++       * nondumpable).
++       * Pairs with a write barrier in commit_creds().
++       */
++      smp_rmb();
+       mm = task->mm;
+       if (mm &&
+           ((get_dumpable(mm) != SUID_DUMP_USER) &&
index 56c3f3d0ce2f9f341316d354dae8fbb25296259c..739822b8471a70b7e376464341aa72508f4a5e95 100644 (file)
@@ -40,3 +40,11 @@ futex-fix-futex-lock-the-wrong-page.patch
 revert-bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
 alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
 libata-extend-quirks-for-the-st1000lm024-drives-with-nolpm-quirk.patch
+mm-list_lru.c-fix-memory-leak-in-__memcg_init_list_lru_node.patch
+fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
+signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch
+ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
+i2c-acorn-fix-i2c-warning.patch
+bcache-fix-stack-corruption-by-preceding_key.patch
+cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
+asoc-cs42xx8-add-regcache-mask-dirty.patch
diff --git a/queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch b/queue-4.4/signal-ptrace-don-t-leak-unitialized-kernel-memory-with-ptrace_peek_siginfo.patch
new file mode 100644 (file)
index 0000000..c6caad2
--- /dev/null
@@ -0,0 +1,72 @@
+From f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 28 May 2019 18:46:37 -0500
+Subject: signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 upstream.
+
+Recently syzbot in conjunction with KMSAN reported that
+ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
+Inspecting ptrace_peek_siginfo confirms this.
+
+The problem is that off when initialized from args.off can be
+initialized to a negaive value.  At which point the "if (off >= 0)"
+test to see if off became negative fails because off started off
+negative.
+
+Prevent the core problem by adding a variable found that is only true
+if a siginfo is found and copied to a temporary in preparation for
+being copied to userspace.
+
+Prevent args.off from being truncated when being assigned to off by
+testing that off is <= the maximum possible value of off.  Convert off
+to an unsigned long so that we should not have to truncate args.off,
+we have well defined overflow behavior so if we add another check we
+won't risk fighting undefined compiler behavior, and so that we have a
+type whose maximum value is easy to test for.
+
+Cc: Andrei Vagin <avagin@gmail.com>
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
+Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -673,6 +673,10 @@ static int ptrace_peek_siginfo(struct ta
+       if (arg.nr < 0)
+               return -EINVAL;
++      /* Ensure arg.off fits in an unsigned long */
++      if (arg.off > ULONG_MAX)
++              return 0;
++
+       if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
+               pending = &child->signal->shared_pending;
+       else
+@@ -680,7 +684,8 @@ static int ptrace_peek_siginfo(struct ta
+       for (i = 0; i < arg.nr; ) {
+               siginfo_t info;
+-              s32 off = arg.off + i;
++              unsigned long off = arg.off + i;
++              bool found = false;
+               spin_lock_irq(&child->sighand->siglock);
+               list_for_each_entry(q, &pending->list, list) {
+@@ -691,7 +696,7 @@ static int ptrace_peek_siginfo(struct ta
+               }
+               spin_unlock_irq(&child->sighand->siglock);
+-              if (off >= 0) /* beyond the end of the list */
++              if (!found) /* beyond the end of the list */
+                       break;
+ #ifdef CONFIG_COMPAT