From e1bdaaf0d294ce035a9d64eb814efd61502ee8f0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 7 Aug 2023 10:50:14 +0200 Subject: [PATCH] 6.4-stable patches added patches: bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch debugobjects-recheck-debug_objects_enabled-before-reporting.patch fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch --- ...se-after-free-in-l2cap_sock_ready_cb.patch | 150 +++++++++++++++++ ...bug_objects_enabled-before-reporting.patch | 69 ++++++++ ...rn-allocation-at-ntfs_load_attr_list.patch | 41 +++++ ...-check-to-prevent-null-ptr-deref-bug.patch | 35 ++++ ...swapd_reclaim-usage-from-kasan-kmsan.patch | 115 +++++++++++++ ...eference-in-obj_stock_flush_required.patch | 153 ++++++++++++++++++ queue-6.4/series | 6 + 7 files changed, 569 insertions(+) create mode 100644 queue-6.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch create mode 100644 queue-6.4/debugobjects-recheck-debug_objects_enabled-before-reporting.patch create mode 100644 queue-6.4/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch create mode 100644 queue-6.4/fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch create mode 100644 queue-6.4/kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch create mode 100644 queue-6.4/mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch diff --git a/queue-6.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch b/queue-6.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch new file mode 100644 index 00000000000..f9dfdf4cdee --- /dev/null +++ b/queue-6.4/bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch 
@@ -0,0 +1,150 @@ +From 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 Mon Sep 17 00:00:00 2001 +From: Sungwoo Kim +Date: Wed, 31 May 2023 01:39:56 -0400 +Subject: Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb + +From: Sungwoo Kim + +commit 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 upstream. + +l2cap_sock_release(sk) frees sk. However, sk's children are still alive +and point to the already free'd sk's address. +To fix this, l2cap_sock_release(sk) also cleans sk's children. + +================================================================== +BUG: KASAN: use-after-free in l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650 +Read of size 8 at addr ffff888104617aa8 by task kworker/u3:0/276 + +CPU: 0 PID: 276 Comm: kworker/u3:0 Not tainted 6.2.0-00001-gef397bd4d5fb-dirty #59 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Workqueue: hci2 hci_rx_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0x95 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x175/0x478 mm/kasan/report.c:417 + kasan_report+0xb1/0x130 mm/kasan/report.c:517 + l2cap_sock_ready_cb+0xb7/0x100 net/bluetooth/l2cap_sock.c:1650 + l2cap_chan_ready+0x10e/0x1e0 net/bluetooth/l2cap_core.c:1386 + l2cap_config_req+0x753/0x9f0 net/bluetooth/l2cap_core.c:4480 + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5739 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:6509 [inline] + l2cap_recv_frame+0xe2e/0x43c0 net/bluetooth/l2cap_core.c:7788 + l2cap_recv_acldata+0x6ed/0x7e0 net/bluetooth/l2cap_core.c:8506 + hci_acldata_packet net/bluetooth/hci_core.c:3813 [inline] + hci_rx_work+0x66e/0xbc0 net/bluetooth/hci_core.c:4048 + process_one_work+0x4ea/0x8e0 kernel/workqueue.c:2289 + worker_thread+0x364/0x8e0 kernel/workqueue.c:2436 + kthread+0x1b9/0x200 kernel/kthread.c:376 + ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 + + +Allocated by task 288: + kasan_save_stack+0x22/0x50 
mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:374 [inline] + __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:383 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0x140 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x113/0x1f0 net/core/sock.c:2040 + sk_alloc+0x36/0x3c0 net/core/sock.c:2093 + l2cap_sock_alloc.constprop.0+0x39/0x1c0 net/bluetooth/l2cap_sock.c:1852 + l2cap_sock_create+0x10d/0x220 net/bluetooth/l2cap_sock.c:1898 + bt_sock_create+0x183/0x290 net/bluetooth/af_bluetooth.c:132 + __sock_create+0x226/0x380 net/socket.c:1518 + sock_create net/socket.c:1569 [inline] + __sys_socket_create net/socket.c:1606 [inline] + __sys_socket_create net/socket.c:1591 [inline] + __sys_socket+0x112/0x200 net/socket.c:1639 + __do_sys_socket net/socket.c:1652 [inline] + __se_sys_socket net/socket.c:1650 [inline] + __x64_sys_socket+0x40/0x50 net/socket.c:1650 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 288: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:523 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x88/0x1f0 mm/slub.c:3800 + sk_prot_free net/core/sock.c:2076 [inline] + __sk_destruct+0x347/0x430 net/core/sock.c:2168 + sk_destruct+0x9c/0xb0 net/core/sock.c:2183 + __sk_free+0x82/0x220 net/core/sock.c:2194 + sk_free+0x7c/0xa0 net/core/sock.c:2205 + sock_put include/net/sock.h:1991 [inline] 
+ l2cap_sock_kill+0x256/0x2b0 net/bluetooth/l2cap_sock.c:1257 + l2cap_sock_release+0x1a7/0x220 net/bluetooth/l2cap_sock.c:1428 + __sock_release+0x80/0x150 net/socket.c:650 + sock_close+0x19/0x30 net/socket.c:1368 + __fput+0x17a/0x5c0 fs/file_table.c:320 + task_work_run+0x132/0x1c0 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x113/0x120 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:296 + do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff888104617800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 680 bytes inside of + 1024-byte region [ffff888104617800, ffff888104617c00) + +The buggy address belongs to the physical page: +page:00000000dbca6a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888104614000 pfn:0x104614 +head:00000000dbca6a80 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 +flags: 0x200000000010200(slab|head|node=0|zone=2) +raw: 0200000000010200 ffff888100041dc0 ffffea0004212c10 ffffea0004234b10 +raw: ffff888104614000 0000000000080002 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888104617980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888104617a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888104617a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888104617b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888104617b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Ack: This bug is found by FuzzBT with a modified Syzkaller. 
Other +contributors are Ruoyu Wu and Hui Peng. +Signed-off-by: Sungwoo Kim +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -46,6 +46,7 @@ static const struct proto_ops l2cap_sock + static void l2cap_sock_init(struct sock *sk, struct sock *parent); + static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, + int proto, gfp_t prio, int kern); ++static void l2cap_sock_cleanup_listen(struct sock *parent); + + bool l2cap_is_socket(struct socket *sock) + { +@@ -1415,6 +1416,7 @@ static int l2cap_sock_release(struct soc + if (!sk) + return 0; + ++ l2cap_sock_cleanup_listen(sk); + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); diff --git a/queue-6.4/debugobjects-recheck-debug_objects_enabled-before-reporting.patch b/queue-6.4/debugobjects-recheck-debug_objects_enabled-before-reporting.patch new file mode 100644 index 00000000000..bda92426f2a --- /dev/null +++ b/queue-6.4/debugobjects-recheck-debug_objects_enabled-before-reporting.patch 
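Review bot: The new `l2cap_sock_cleanup_listen(sk);` call in l2cap_sock_release carries no comment explaining why it has to run before `bt_sock_unlink()` and the shutdown, so a later reorder could silently reintroduce the use-after-free the commit message describes; suggest `/* Detach child sockets first: they keep a pointer to sk and would read it after it is freed. */` directly above the call. The forward declaration added near the top of the file indicates `l2cap_sock_cleanup_listen` is defined further down and is not visible here, so whether it also covers children that are mid-accept cannot be confirmed from this hunk. l2cap_sock_release's body continues outside the hunk.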
@@ -0,0 +1,69 @@ +From 8b64d420fe2450f82848178506d3e3a0bd195539 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 7 Jun 2023 19:19:02 +0900 +Subject: debugobjects: Recheck debug_objects_enabled before reporting + +From: Tetsuo Handa + +commit 8b64d420fe2450f82848178506d3e3a0bd195539 upstream. + +syzbot is reporting false a positive ODEBUG message immediately after +ODEBUG was disabled due to OOM. + + [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled + [ 1062.886755][ T5171] ------------[ cut here ]------------ + [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40 + + CPU 0 [ T5171] CPU 1 [T22911] + -------------- -------------- + debug_object_assert_init() { + if (!debug_objects_enabled) + return; + db = get_bucket(addr); + lookup_object_or_alloc() { + debug_objects_enabled = 0; + return NULL; + } + debug_objects_oom() { + pr_warn("Out of memory. ODEBUG disabled\n"); + // all buckets get emptied here, and + } + lookup_object_or_alloc(addr, db, descr, false, true) { + // this bucket is already empty. + return ERR_PTR(-ENOENT); + } + // Emits false positive warning. + debug_print_object(&o, "assert_init"); + } + +Recheck debug_object_enabled in debug_print_object() to avoid that. 
+ +Reported-by: syzbot +Suggested-by: Thomas Gleixner +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp +Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf +Signed-off-by: Greg Kroah-Hartman +--- + lib/debugobjects.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -498,6 +498,15 @@ static void debug_print_object(struct de + const struct debug_obj_descr *descr = obj->descr; + static int limit; + ++ /* ++ * Don't report if lookup_object_or_alloc() by the current thread ++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a ++ * concurrent thread turned off debug_objects_enabled and cleared ++ * the hash buckets. ++ */ ++ if (!debug_objects_enabled) ++ return; ++ + if (limit < 5 && descr != descr_test) { + void *hint = descr->debug_hint ? + descr->debug_hint(obj->object) : NULL; diff --git a/queue-6.4/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch b/queue-6.4/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch new file mode 100644 index 00000000000..c8b6d70afe5 --- /dev/null +++ b/queue-6.4/fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch 
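Review bot: The added `if (!debug_objects_enabled) return;` in debug_print_object is a plain read of a flag that, per the commit message, another CPU clears concurrently in lookup_object_or_alloc()/debug_objects_oom(); unless `debug_objects_enabled` is already annotated as a data-racy variable where it is declared (outside this hunk), `if (!READ_ONCE(debug_objects_enabled))` would make the intended lockless read explicit and keep KCSAN from flagging it. The new comment block is good; it could additionally say that this check is only a best-effort filter and a report can still race with the flag being cleared. debug_print_object's body continues outside the hunk.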
@@ -0,0 +1,41 @@
+From ea303f72d70ce2f0b0aa94ab127085289768c5a6 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 28 Mar 2023 20:05:16 +0900
+Subject: fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list()
+
+From: Tetsuo Handa
+
+commit ea303f72d70ce2f0b0aa94ab127085289768c5a6 upstream.
+
+syzbot is reporting too large allocation at ntfs_load_attr_list(), for
+a crafted filesystem can have huge data_size.
+
+Reported-by: syzbot
+Link: https://syzkaller.appspot.com/bug?extid=89dbb3a789a5b9711793
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/attrlist.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ntfs3/attrlist.c
++++ b/fs/ntfs3/attrlist.c
+@@ -52,7 +52,7 @@ int ntfs_load_attr_list(struct ntfs_inod
+ 
+ if (!attr->non_res) {
+ lsize = le32_to_cpu(attr->res.data_size);
+- le = kmalloc(al_aligned(lsize), GFP_NOFS);
++ le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN);
+ if (!le) {
+ err = -ENOMEM;
+ goto out;
+@@ -80,7 +80,7 @@ int ntfs_load_attr_list(struct ntfs_inod
+ if (err < 0)
+ goto out;
+ 
+- le = kmalloc(al_aligned(lsize), GFP_NOFS);
++ le = kmalloc(al_aligned(lsize), GFP_NOFS | __GFP_NOWARN);
+ if (!le) {
+ err = -ENOMEM;
+ goto out;
diff --git a/queue-6.4/fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch b/queue-6.4/fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch
new file mode 100644
index 00000000000..0fdd9ca2092
--- /dev/null
+++ b/queue-6.4/fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch
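Review bot: `GFP_NOFS | __GFP_NOWARN` silences the allocator warning but leaves `al_aligned(lsize)` driven directly by the on-disk `attr->res.data_size` of an untrusted image; both kmalloc() calls in the two hunks still request whatever size the filesystem presents and merely fail with -ENOMEM. If an upper bound on the attribute-list size is not validated earlier in ntfs_load_attr_list (its body runs outside both hunks), a range check on `lsize` before the allocation would reject a crafted size outright instead of relying on the allocator to refuse it. At minimum a comment `/* data_size is untrusted on-disk input; oversize requests fail with -ENOMEM rather than warning */` above the first kmalloc() would record why the warning is suppressed.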
@@ -0,0 +1,35 @@
+From ea2b62f305893992156a798f665847e0663c9f41 Mon Sep 17 00:00:00 2001
+From: Prince Kumar Maurya
+Date: Tue, 30 May 2023 18:31:41 -0700
+Subject: fs/sysv: Null check to prevent null-ptr-deref bug
+
+From: Prince Kumar Maurya
+
+commit ea2b62f305893992156a798f665847e0663c9f41 upstream.
+
+sb_getblk(inode->i_sb, parent) return a null ptr and taking lock on
+that leads to the null-ptr-deref bug.
+
+Reported-by: syzbot+aad58150cbc64ba41bdc@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=aad58150cbc64ba41bdc
+Signed-off-by: Prince Kumar Maurya
+Message-Id: <20230531013141.19487-1-princekumarmaurya06@gmail.com>
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/sysv/itree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/sysv/itree.c
++++ b/fs/sysv/itree.c
+@@ -145,6 +145,10 @@ static int alloc_branch(struct inode *in
+ */
+ parent = block_to_cpu(SYSV_SB(inode->i_sb), branch[n-1].key);
+ bh = sb_getblk(inode->i_sb, parent);
++ if (!bh) {
++ sysv_free_block(inode->i_sb, branch[n].key);
++ break;
++ }
+ lock_buffer(bh);
+ memset(bh->b_data, 0, blocksize);
+ branch[n].bh = bh;
diff --git a/queue-6.4/kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch b/queue-6.4/kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch
new file mode 100644
index 00000000000..2ee4792bb09
--- /dev/null
+++ b/queue-6.4/kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch
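Review bot: The new `if (!bh)` branch in alloc_branch frees `branch[n].key` and then `break`s, which relies on the post-loop failure path (outside the hunk) treating an exit at index n as "levels 0..n-1 fully allocated, level n not"; that is presumably how the existing allocation-failure exit already behaves, but it should be confirmed, since `branch[n].bh` is left unset while `branch[n].key` has been handed back. A comment on the new branch would make that contract explicit: `/* sb_getblk() failed: give back this level's block; the loop's failure path releases the earlier levels */`. The function body and its error return continue outside the hunk.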
@@ -0,0 +1,115 @@ +From 726ccdba1521007fab4b2b7565d255fa0f2b770c Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sun, 28 May 2023 00:25:31 +0900 +Subject: kasan,kmsan: remove __GFP_KSWAPD_RECLAIM usage from kasan/kmsan + +From: Tetsuo Handa + +commit 726ccdba1521007fab4b2b7565d255fa0f2b770c upstream. + +syzbot is reporting lockdep warning in __stack_depot_save(), for +the caller of __stack_depot_save() (i.e. __kasan_record_aux_stack() in +this report) is responsible for masking __GFP_KSWAPD_RECLAIM flag in +order not to wake kswapd which in turn wakes kcompactd. + +Since kasan/kmsan functions might be called with arbitrary locks held, +mask __GFP_KSWAPD_RECLAIM flag from all GFP_NOWAIT/GFP_ATOMIC allocations +in kasan/kmsan. + +Note that kmsan_save_stack_with_flags() is changed to mask both +__GFP_DIRECT_RECLAIM flag and __GFP_KSWAPD_RECLAIM flag, for +wakeup_kswapd() from wake_all_kswapds() from __alloc_pages_slowpath() +calls wakeup_kcompactd() if __GFP_KSWAPD_RECLAIM flag is set and +__GFP_DIRECT_RECLAIM flag is not set. 
+ +Link: https://lkml.kernel.org/r/656cb4f5-998b-c8d7-3c61-c2d37aa90f9a@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=ece2915262061d6e0ac1 +Reviewed-by: "Huang, Ying" +Reviewed-by: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitry Vyukov +Cc: Marco Elver +Cc: Mel Gorman +Cc: Vincenzo Frascino +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/generic.c | 4 ++-- + mm/kasan/tags.c | 2 +- + mm/kmsan/core.c | 6 +++--- + mm/kmsan/instrumentation.c | 2 +- + 4 files changed, 7 insertions(+), 7 deletions(-) + +--- a/mm/kasan/generic.c ++++ b/mm/kasan/generic.c +@@ -489,7 +489,7 @@ static void __kasan_record_aux_stack(voi + return; + + alloc_meta->aux_stack[1] = alloc_meta->aux_stack[0]; +- alloc_meta->aux_stack[0] = kasan_save_stack(GFP_NOWAIT, can_alloc); ++ alloc_meta->aux_stack[0] = kasan_save_stack(0, can_alloc); + } + + void kasan_record_aux_stack(void *addr) +@@ -519,7 +519,7 @@ void kasan_save_free_info(struct kmem_ca + if (!free_meta) + return; + +- kasan_set_track(&free_meta->free_track, GFP_NOWAIT); ++ kasan_set_track(&free_meta->free_track, 0); + /* The object was freed and has free track set. */ + *(u8 *)kasan_mem_to_shadow(object) = KASAN_SLAB_FREETRACK; + } +--- a/mm/kasan/tags.c ++++ b/mm/kasan/tags.c +@@ -140,5 +140,5 @@ void kasan_save_alloc_info(struct kmem_c + + void kasan_save_free_info(struct kmem_cache *cache, void *object) + { +- save_stack_info(cache, object, GFP_NOWAIT, true); ++ save_stack_info(cache, object, 0, true); + } +--- a/mm/kmsan/core.c ++++ b/mm/kmsan/core.c +@@ -74,7 +74,7 @@ depot_stack_handle_t kmsan_save_stack_wi + nr_entries = stack_trace_save(entries, KMSAN_STACK_DEPTH, 0); + + /* Don't sleep. 
*/ +- flags &= ~__GFP_DIRECT_RECLAIM; ++ flags &= ~(__GFP_DIRECT_RECLAIM | __GFP_KSWAPD_RECLAIM); + + handle = __stack_depot_save(entries, nr_entries, flags, true); + return stack_depot_set_extra_bits(handle, extra); +@@ -245,7 +245,7 @@ depot_stack_handle_t kmsan_internal_chai + extra_bits = kmsan_extra_bits(depth, uaf); + + entries[0] = KMSAN_CHAIN_MAGIC_ORIGIN; +- entries[1] = kmsan_save_stack_with_flags(GFP_ATOMIC, 0); ++ entries[1] = kmsan_save_stack_with_flags(__GFP_HIGH, 0); + entries[2] = id; + /* + * @entries is a local var in non-instrumented code, so KMSAN does not +@@ -253,7 +253,7 @@ depot_stack_handle_t kmsan_internal_chai + * positives when __stack_depot_save() passes it to instrumented code. + */ + kmsan_internal_unpoison_memory(entries, sizeof(entries), false); +- handle = __stack_depot_save(entries, ARRAY_SIZE(entries), GFP_ATOMIC, ++ handle = __stack_depot_save(entries, ARRAY_SIZE(entries), __GFP_HIGH, + true); + return stack_depot_set_extra_bits(handle, extra_bits); + } +--- a/mm/kmsan/instrumentation.c ++++ b/mm/kmsan/instrumentation.c +@@ -282,7 +282,7 @@ void __msan_poison_alloca(void *address, + + /* stack_depot_save() may allocate memory. */ + kmsan_enter_runtime(); +- handle = stack_depot_save(entries, ARRAY_SIZE(entries), GFP_ATOMIC); ++ handle = stack_depot_save(entries, ARRAY_SIZE(entries), __GFP_HIGH); + kmsan_leave_runtime(); + + kmsan_internal_set_shadow_origin(address, size, -1, handle, diff --git a/queue-6.4/mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch b/queue-6.4/mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch new file mode 100644 index 00000000000..40dbbb2c67c --- /dev/null +++ b/queue-6.4/mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch 
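Review bot: The bare `0` now passed in `kasan_save_stack(0, can_alloc)`, `kasan_set_track(&free_meta->free_track, 0)` and `save_stack_info(cache, object, 0, true)` hides why the reclaim bits were dropped, and a reader is likely to "fix" it back to GFP_NOWAIT. A comment such as `/* No reclaim flags: may run with arbitrary locks held and must not wake kswapd/kcompactd. */` at each call site (or once at the definition of kasan_save_stack, which is outside the hunk) would preserve the intent stated in the commit message. The same applies to the `__GFP_HIGH` replacements in mm/kmsan/core.c and mm/kmsan/instrumentation.c within this unit; apart from kasan_save_free_info in mm/kasan/tags.c, the enclosing functions start or end outside the visible hunks.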
@@ -0,0 +1,153 @@ +From 3b8abb3239530c423c0b97e42af7f7e856e1ee96 Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Tue, 2 May 2023 09:08:38 -0700 +Subject: mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required() + +From: Roman Gushchin + +commit 3b8abb3239530c423c0b97e42af7f7e856e1ee96 upstream. + +KCSAN found an issue in obj_stock_flush_required(): +stock->cached_objcg can be reset between the check and dereference: + +================================================================== +BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock + +write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: + drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306 + refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340 + obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408 + memcg_slab_free_hook mm/slab.h:587 [inline] + __cache_free mm/slab.c:3373 [inline] + __do_kmem_cache_free mm/slab.c:3577 [inline] + kmem_cache_free+0x105/0x280 mm/slab.c:3602 + __d_free fs/dcache.c:298 [inline] + dentry_free fs/dcache.c:375 [inline] + __dentry_kill+0x422/0x4a0 fs/dcache.c:621 + dentry_kill+0x8d/0x1e0 + dput+0x118/0x1f0 fs/dcache.c:913 + __fput+0x3bf/0x570 fs/file_table.c:329 + ____fput+0x15/0x20 fs/file_table.c:349 + task_work_run+0x123/0x160 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171 + exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296 + do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: + obj_stock_flush_required mm/memcontrol.c:3319 [inline] + drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361 + try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703 + try_charge mm/memcontrol.c:2837 [inline] + 
mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290 + sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025 + sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525 + udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 + udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817 + sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668 + __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 + __do_sys_setsockopt net/socket.c:2282 [inline] + __se_sys_setsockopt net/socket.c:2279 [inline] + __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0xffff8881382d52c0 -> 0xffff888138893740 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 + +Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to +stock->cached_objcg. + +Link: https://lkml.kernel.org/r/20230502160839.361544-1-roman.gushchin@linux.dev +Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") +Signed-off-by: Roman Gushchin +Reported-by: syzbot+774c29891415ab0fd29d@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov + Link: https://lore.kernel.org/linux-mm/CACT4Y+ZfucZhM60YPphWiCLJr6+SGFhT+jjm8k1P-a_8Kkxsjg@mail.gmail.com/T/#t +Reviewed-by: Yosry Ahmed +Acked-by: Shakeel Butt +Reviewed-by: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -3208,12 +3208,12 @@ void mod_objcg_state(struct obj_cgroup * + * accumulating over a page of vmstat data or when pgdat or idx + * changes. 
+ */ +- if (stock->cached_objcg != objcg) { ++ if (READ_ONCE(stock->cached_objcg) != objcg) { + old = drain_obj_stock(stock); + obj_cgroup_get(objcg); + stock->nr_bytes = atomic_read(&objcg->nr_charged_bytes) + ? atomic_xchg(&objcg->nr_charged_bytes, 0) : 0; +- stock->cached_objcg = objcg; ++ WRITE_ONCE(stock->cached_objcg, objcg); + stock->cached_pgdat = pgdat; + } else if (stock->cached_pgdat != pgdat) { + /* Flush the existing cached vmstat data */ +@@ -3267,7 +3267,7 @@ static bool consume_obj_stock(struct obj + local_lock_irqsave(&memcg_stock.stock_lock, flags); + + stock = this_cpu_ptr(&memcg_stock); +- if (objcg == stock->cached_objcg && stock->nr_bytes >= nr_bytes) { ++ if (objcg == READ_ONCE(stock->cached_objcg) && stock->nr_bytes >= nr_bytes) { + stock->nr_bytes -= nr_bytes; + ret = true; + } +@@ -3279,7 +3279,7 @@ static bool consume_obj_stock(struct obj + + static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock) + { +- struct obj_cgroup *old = stock->cached_objcg; ++ struct obj_cgroup *old = READ_ONCE(stock->cached_objcg); + + if (!old) + return NULL; +@@ -3332,7 +3332,7 @@ static struct obj_cgroup *drain_obj_stoc + stock->cached_pgdat = NULL; + } + +- stock->cached_objcg = NULL; ++ WRITE_ONCE(stock->cached_objcg, NULL); + /* + * The `old' objects needs to be released by the caller via + * obj_cgroup_put() outside of memcg_stock_pcp::stock_lock. 
+@@ -3343,10 +3343,11 @@ static struct obj_cgroup *drain_obj_stoc
+ static bool obj_stock_flush_required(struct memcg_stock_pcp *stock,
+ struct mem_cgroup *root_memcg)
+ {
++ struct obj_cgroup *objcg = READ_ONCE(stock->cached_objcg);
+ struct mem_cgroup *memcg;
+ 
+- if (stock->cached_objcg) {
+- memcg = obj_cgroup_memcg(stock->cached_objcg);
++ if (objcg) {
++ memcg = obj_cgroup_memcg(objcg);
+ if (memcg && mem_cgroup_is_descendant(memcg, root_memcg))
+ return true;
+ }
+@@ -3365,10 +3366,10 @@ static void refill_obj_stock(struct obj_
+ local_lock_irqsave(&memcg_stock.stock_lock, flags);
+ 
+ stock = this_cpu_ptr(&memcg_stock);
+- if (stock->cached_objcg != objcg) { /* reset if necessary */
++ if (READ_ONCE(stock->cached_objcg) != objcg) { /* reset if necessary */
+ old = drain_obj_stock(stock);
+ obj_cgroup_get(objcg);
+- stock->cached_objcg = objcg;
++ WRITE_ONCE(stock->cached_objcg, objcg);
+ stock->nr_bytes = atomic_read(&objcg->nr_charged_bytes)
+ ? atomic_xchg(&objcg->nr_charged_bytes, 0) : 0;
+ allow_uncharge = true; /* Allow uncharge when objcg changes */
diff --git a/queue-6.4/series b/queue-6.4/series
index 11ef3ddf3d6..ff4a15295e3 100644
--- a/queue-6.4/series
+++ b/queue-6.4/series
@@ -132,3 +132,9 @@ revert-page-cache-fix-page_cache_next-prev_miss-off-by-one.patch
 sunvnet-fix-sparc64-build-error-after-gso-code-split.patch
 clk-imx93-propagate-correct-error-in-imx93_clocks_probe.patch
 file-reinstate-f_pos-locking-optimization-for-regular-files.patch
+mm-kmem-fix-a-null-pointer-dereference-in-obj_stock_flush_required.patch
+fs-ntfs3-use-__gfp_nowarn-allocation-at-ntfs_load_attr_list.patch
+kasan-kmsan-remove-__gfp_kswapd_reclaim-usage-from-kasan-kmsan.patch
+fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch
+bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch
+debugobjects-recheck-debug_objects_enabled-before-reporting.patch
-- 
2.47.3
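Review bot: In obj_stock_flush_required the new `READ_ONCE(stock->cached_objcg)` snapshot is dereferenced through `obj_cgroup_memcg(objcg)` without memcg_stock.stock_lock, while drain_obj_stock earlier in this unit publishes NULL with `WRITE_ONCE(stock->cached_objcg, NULL)` and, per its comment, leaves the final `obj_cgroup_put()` to its caller; READ_ONCE removes the re-loaded read KCSAN flagged but does not by itself keep the objcg alive across the call. If the caller (drain_all_stock, outside the hunk) runs inside an RCU read-side section and obj_cgroup objects are RCU-freed this is sound, and a one-line comment on the new local would record that dependency: `/* lockless snapshot; lifetime relies on the caller's RCU read section */`. obj_stock_flush_required's body continues past the hunk.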