Merge tag 'asoc-v5.1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

ASoC: Updates for v5.1

Lots and lots of new drivers so far, a highlight being the MediaTek
BTCVSD which is a driver for a Bluetooth radio chip - the first such
driver we've had upstream.  Hopefully we will soon also see a baseband
with an upstream driver!

 - Support for only powering up channels that are actively being used.
 - Quite a few improvements to simplify the generic card drivers,
   especially the merge of the SCU cards into the main generic drivers.
 - Lots of fixes for probing on Intel systems, trying to rationalize
   things to look more standard from a framework point of view.
 - New drivers for Asahi Kasei Microdevices AK4497, Cirrus Logic CS4341,
   Google ChromeOS embedded controllers, Ingenic JZ4725B, MediaTek
   BTCVSD, MT8183 and MT6358, NXP MICFIL, Rockchip RK3328, Spreadtrum
   DMA controllers, Qualcomm WCD9335, Xilinx S/PDIF and PCM formatters.

18 files changed, 180 insertions, 45 deletions

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 715f9fcf4712..befe570be5ba 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -467,7 +467,7 @@ static const struct btf_kind_operations *btf_type_ops(const struct btf_type *t)
         return kind_ops[BTF_INFO_KIND(t->info)];
 }
 
-bool btf_name_offset_valid(const struct btf *btf, u32 offset)
+static bool btf_name_offset_valid(const struct btf *btf, u32 offset)
 {
         return BTF_STR_OFFSET_VALID(offset) &&
                 offset < btf->hdr.str_len;
@@ -1219,8 +1219,6 @@ static void btf_bitfield_seq_show(void *data, u8 bits_offset,
         u8 nr_copy_bits;
         u64 print_num;
 
-        data += BITS_ROUNDDOWN_BYTES(bits_offset);
-        bits_offset = BITS_PER_BYTE_MASKED(bits_offset);
         nr_copy_bits = nr_bits + bits_offset;
         nr_copy_bytes = BITS_ROUNDUP_BYTES(nr_copy_bits);
 
@@ -1255,7 +1253,9 @@ static void btf_int_bits_seq_show(const struct btf *btf,
          * BTF_INT_OFFSET() cannot exceed 64 bits.
          */
         total_bits_offset = bits_offset + BTF_INT_OFFSET(int_data);
-        btf_bitfield_seq_show(data, total_bits_offset, nr_bits, m);
+        data += BITS_ROUNDDOWN_BYTES(total_bits_offset);
+        bits_offset = BITS_PER_BYTE_MASKED(total_bits_offset);
+        btf_bitfield_seq_show(data, bits_offset, nr_bits, m);
 }
 
 static void btf_int_seq_show(const struct btf *btf, const struct btf_type *t,
@@ -2001,12 +2001,12 @@ static void btf_struct_seq_show(const struct btf *btf, const struct btf_type *t,
 
                 member_offset = btf_member_bit_offset(t, member);
                 bitfield_size = btf_member_bitfield_size(t, member);
+                bytes_offset = BITS_ROUNDDOWN_BYTES(member_offset);
+                bits8_offset = BITS_PER_BYTE_MASKED(member_offset);
                 if (bitfield_size) {
-                        btf_bitfield_seq_show(data, member_offset,
+                        btf_bitfield_seq_show(data + bytes_offset, bits8_offset,
                                               bitfield_size, m);
                 } else {
-                        bytes_offset = BITS_ROUNDDOWN_BYTES(member_offset);
-                        bits8_offset = BITS_PER_BYTE_MASKED(member_offset);
                         ops = btf_type_ops(member_type);
                         ops->seq_show(btf, member_type, member->type,
                                       data + bytes_offset, bits8_offset, m);
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 9425c2fb872f..ab612fe9862f 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -718,6 +718,7 @@ cgroup_dev_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_trace_printk:
                 if (capable(CAP_SYS_ADMIN))
                         return bpf_get_trace_printk_proto();
+                /* fall through */
         default:
                 return NULL;
         }
diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c
index 99d243e1ad6e..52378d3e34b3 100644
--- a/kernel/bpf/map_in_map.c
+++ b/kernel/bpf/map_in_map.c
@@ -12,6 +12,7 @@
 struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
 {
         struct bpf_map *inner_map, *inner_map_meta;
+        u32 inner_map_meta_size;
         struct fd f;
 
         f = fdget(inner_map_ufd);
@@ -36,7 +37,12 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
                 return ERR_PTR(-EINVAL);
         }
 
-        inner_map_meta = kzalloc(sizeof(*inner_map_meta), GFP_USER);
+        inner_map_meta_size = sizeof(*inner_map_meta);
+        /* In some cases verifier needs to access beyond just base map. */
+        if (inner_map->ops == &array_map_ops)
+                inner_map_meta_size = sizeof(struct bpf_array);
+
+        inner_map_meta = kzalloc(inner_map_meta_size, GFP_USER);
         if (!inner_map_meta) {
                 fdput(f);
                 return ERR_PTR(-ENOMEM);
@@ -46,9 +52,16 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
         inner_map_meta->key_size = inner_map->key_size;
         inner_map_meta->value_size = inner_map->value_size;
         inner_map_meta->map_flags = inner_map->map_flags;
-        inner_map_meta->ops = inner_map->ops;
         inner_map_meta->max_entries = inner_map->max_entries;
 
+        /* Misc members not needed in bpf_map_meta_equal() check. */
+        inner_map_meta->ops = inner_map->ops;
+        if (inner_map->ops == &array_map_ops) {
+                inner_map_meta->unpriv_array = inner_map->unpriv_array;
+                container_of(inner_map_meta, struct bpf_array, map)->index_mask =
+                     container_of(inner_map, struct bpf_array, map)->index_mask;
+        }
+
         fdput(f);
         return inner_map_meta;
 }
diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 90daf285de03..d43b14535827 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -180,11 +180,14 @@ static inline int stack_map_parse_build_id(void *page_addr,
 
                 if (nhdr->n_type == BPF_BUILD_ID &&
                     nhdr->n_namesz == sizeof("GNU") &&
-                    nhdr->n_descsz == BPF_BUILD_ID_SIZE) {
+                    nhdr->n_descsz > 0 &&
+                    nhdr->n_descsz <= BPF_BUILD_ID_SIZE) {
                         memcpy(build_id,
                                note_start + note_offs +
                                ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr),
-                               BPF_BUILD_ID_SIZE);
+                               nhdr->n_descsz);
+                        memset(build_id + nhdr->n_descsz, 0,
+                               BPF_BUILD_ID_SIZE - nhdr->n_descsz);
                         return 0;
                 }
                 new_offs = note_offs + sizeof(Elf32_Nhdr) +
@@ -260,7 +263,7 @@ static int stack_map_get_build_id(struct vm_area_struct *vma,
                 return -EFAULT; /* page not mapped */
 
         ret = -EINVAL;
-        page_addr = page_address(page);
+        page_addr = kmap_atomic(page);
         ehdr = (Elf32_Ehdr *)page_addr;
 
         /* compare magic x7f "ELF" */
@@ -276,6 +279,7 @@ static int stack_map_get_build_id(struct vm_area_struct *vma,
         else if (ehdr->e_ident[EI_CLASS] == ELFCLASS64)
                 ret = stack_map_get_build_id_64(page_addr, build_id);
 out:
+        kunmap_atomic(page_addr);
         put_page(page);
         return ret;
 }
@@ -310,6 +314,7 @@ static void stack_map_get_build_id_offset(struct bpf_stack_build_id *id_offs,
                 for (i = 0; i < trace_nr; i++) {
                         id_offs[i].status = BPF_STACK_BUILD_ID_IP;
                         id_offs[i].ip = ips[i];
+                        memset(id_offs[i].build_id, 0, BPF_BUILD_ID_SIZE);
                 }
                 return;
         }
@@ -320,6 +325,7 @@ static void stack_map_get_build_id_offset(struct bpf_stack_build_id *id_offs,
                         /* per entry fall back to ips */
                         id_offs[i].status = BPF_STACK_BUILD_ID_IP;
                         id_offs[i].ip = ips[i];
+                        memset(id_offs[i].build_id, 0, BPF_BUILD_ID_SIZE);
                         continue;
                 }
                 id_offs[i].offset = (vma->vm_pgoff << PAGE_SHIFT) + ips[i]
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f6bc62a9ee8e..56674a7c3778 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3103,6 +3103,40 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
         }
 }
 
+static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
+                                    const struct bpf_insn *insn)
+{
+        return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;
+}
+
+static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
+                                       u32 alu_state, u32 alu_limit)
+{
+        /* If we arrived here from different branches with different
+         * state or limits to sanitize, then this won't work.
+         */
+        if (aux->alu_state &&
+            (aux->alu_state != alu_state ||
+             aux->alu_limit != alu_limit))
+                return -EACCES;
+
+        /* Corresponding fixup done in fixup_bpf_calls(). */
+        aux->alu_state = alu_state;
+        aux->alu_limit = alu_limit;
+        return 0;
+}
+
+static int sanitize_val_alu(struct bpf_verifier_env *env,
+                            struct bpf_insn *insn)
+{
+        struct bpf_insn_aux_data *aux = cur_aux(env);
+
+        if (can_skip_alu_sanitation(env, insn))
+                return 0;
+
+        return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
+}
+
 static int sanitize_ptr_alu(struct bpf_verifier_env *env,
                             struct bpf_insn *insn,
                             const struct bpf_reg_state *ptr_reg,
@@ -3117,7 +3151,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
         struct bpf_reg_state tmp;
         bool ret;
 
-        if (env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K)
+        if (can_skip_alu_sanitation(env, insn))
                 return 0;
 
         /* We already marked aux for masking from non-speculative
@@ -3133,19 +3167,8 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
 
         if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
                 return 0;
-
-        /* If we arrived here from different branches with different
-         * limits to sanitize, then this won't work.
-         */
-        if (aux->alu_state &&
-            (aux->alu_state != alu_state ||
-             aux->alu_limit != alu_limit))
+        if (update_alu_sanitation_state(aux, alu_state, alu_limit))
                 return -EACCES;
-
-        /* Corresponding fixup done in fixup_bpf_calls(). */
-        aux->alu_state = alu_state;
-        aux->alu_limit = alu_limit;
-
 do_sim:
         /* Simulate and find potential out-of-bounds access under
          * speculative execution from truncation as a result of
@@ -3418,6 +3441,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
         s64 smin_val, smax_val;
         u64 umin_val, umax_val;
         u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
+        u32 dst = insn->dst_reg;
+        int ret;
 
         if (insn_bitness == 32) {
                 /* Relevant for 32-bit RSH: Information can propagate towards
@@ -3452,6 +3477,11 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 
         switch (opcode) {
         case BPF_ADD:
+                ret = sanitize_val_alu(env, insn);
+                if (ret < 0) {
+                        verbose(env, "R%d tried to add from different pointers or scalars\n", dst);
+                        return ret;
+                }
                 if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
                     signed_add_overflows(dst_reg->smax_value, smax_val)) {
                         dst_reg->smin_value = S64_MIN;
@@ -3471,6 +3501,11 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                 dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
                 break;
         case BPF_SUB:
+                ret = sanitize_val_alu(env, insn);
+                if (ret < 0) {
+                        verbose(env, "R%d tried to sub from different pointers or scalars\n", dst);
+                        return ret;
+                }
                 if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
                     signed_sub_overflows(dst_reg->smax_value, smin_val)) {
                         /* Overflow possible, we know nothing */
diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
index d6361776dc5c..1fb6fd68b9c7 100644
--- a/kernel/dma/swiotlb.c
+++ b/kernel/dma/swiotlb.c
@@ -378,6 +378,8 @@ void __init swiotlb_exit(void)
                 memblock_free_late(io_tlb_start,
                                    PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT));
         }
+        io_tlb_start = 0;
+        io_tlb_end = 0;
         io_tlb_nslabs = 0;
         max_segment = 0;
 }
diff --git a/kernel/exit.c b/kernel/exit.c
index 2d14979577ee..3fb7be001964 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -307,7 +307,7 @@ void rcuwait_wake_up(struct rcuwait *w)
          *        MB (A)              MB (B)
          *    [L] cond            [L] tsk
          */
-        smp_rmb(); /* (B) */
+        smp_mb(); /* (B) */
 
         /*
          * Avoid using task_rcu_dereference() magic as long as we are careful,
@@ -866,6 +866,7 @@ void __noreturn do_exit(long code)
         exit_task_namespaces(tsk);
         exit_task_work(tsk);
         exit_thread(tsk);
+        exit_umh(tsk);
 
         /*
          * Flush inherited counters to the parent - before the parent
diff --git a/kernel/fork.c b/kernel/fork.c
index a60459947f18..b69248e6f0e0 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -217,6 +217,7 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
                 memset(s->addr, 0, THREAD_SIZE);
 
                 tsk->stack_vm_area = s;
+                tsk->stack = s->addr;
                 return s->addr;
         }
 
@@ -1833,8 +1834,6 @@ static __latent_entropy struct task_struct *copy_process(
 
         posix_cpu_timers_init(p);
 
-        p->start_time = ktime_get_ns();
-        p->real_start_time = ktime_get_boot_ns();
         p->io_context = NULL;
         audit_set_context(p, NULL);
         cgroup_fork(p);
@@ -2001,6 +2000,17 @@ static __latent_entropy struct task_struct *copy_process(
                 goto bad_fork_free_pid;
 
         /*
+         * From this point on we must avoid any synchronous user-space
+         * communication until we take the tasklist-lock. In particular, we do
+         * not want user-space to be able to predict the process start-time by
+         * stalling fork(2) after we recorded the start_time but before it is
+         * visible to the system.
+         */
+
+        p->start_time = ktime_get_ns();
+        p->real_start_time = ktime_get_boot_ns();
+
+        /*
          * Make it visible to the rest of the system, but dont wake it up yet.
          * Need tasklist lock for parent etc handling!
          */
diff --git a/kernel/futex.c b/kernel/futex.c
index be3bff2315ff..fdd312da0992 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1452,11 +1452,7 @@ static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q)
         if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
                 return;
 
-        /*
-         * Queue the task for later wakeup for after we've released
-         * the hb->lock. wake_q_add() grabs reference to p.
-         */
-        wake_q_add(wake_q, p);
+        get_task_struct(p);
         __unqueue_futex(q);
         /*
          * The waiting task can free the futex_q as soon as q->lock_ptr = NULL
@@ -1466,6 +1462,13 @@ static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q)
          * plist_del in __unqueue_futex().
          */
         smp_store_release(&q->lock_ptr, NULL);
+
+        /*
+         * Queue the task for later wakeup for after we've released
+         * the hb->lock. wake_q_add() grabs reference to p.
+         */
+        wake_q_add(wake_q, p);
+        put_task_struct(p);
 }
 
 /*
diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
index ee062b7939d3..ef8ad36cadcf 100644
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -457,7 +457,7 @@ static int alloc_descs(unsigned int start, unsigned int cnt, int node,
 
         /* Validate affinity mask(s) */
         if (affinity) {
-                for (i = 0; i < cnt; i++, i++) {
+                for (i = 0; i < cnt; i++) {
                         if (cpumask_empty(&affinity[i].mask))
                                 return -EINVAL;
                 }
diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index a4888ce4667a..84b54a17b95d 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -393,6 +393,9 @@ int irq_setup_affinity(struct irq_desc *desc)
         }
 
         cpumask_and(&mask, cpu_online_mask, set);
+        if (cpumask_empty(&mask))
+                cpumask_copy(&mask, cpu_online_mask);
+
         if (node != NUMA_NO_NODE) {
                 const struct cpumask *nodemask = cpumask_of_node(node);
 
diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c
index 09b180063ee1..50d9af615dc4 100644
--- a/kernel/locking/rwsem-xadd.c
+++ b/kernel/locking/rwsem-xadd.c
@@ -198,15 +198,22 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem,
                 woken++;
                 tsk = waiter->task;
 
-                wake_q_add(wake_q, tsk);
+                get_task_struct(tsk);
                 list_del(&waiter->list);
                 /*
-                 * Ensure that the last operation is setting the reader
+                 * Ensure calling get_task_struct() before setting the reader
                  * waiter to nil such that rwsem_down_read_failed() cannot
                  * race with do_exit() by always holding a reference count
                  * to the task to wakeup.
                  */
                 smp_store_release(&waiter->task, NULL);
+                /*
+                 * Ensure issuing the wakeup (either by us or someone else)
+                 * after setting the reader waiter to nil.
+                 */
+                wake_q_add(wake_q, tsk);
+                /* wake_q_add() already take the task ref */
+                put_task_struct(tsk);
         }
 
         adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index a674c7db2f29..d8d76a65cfdd 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -396,6 +396,18 @@ static bool set_nr_if_polling(struct task_struct *p)
 #endif
 #endif
 
+/**
+ * wake_q_add() - queue a wakeup for 'later' waking.
+ * @head: the wake_q_head to add @task to
+ * @task: the task to queue for 'later' wakeup
+ *
+ * Queue a task for later wakeup, most likely by the wake_up_q() call in the
+ * same context, _HOWEVER_ this is not guaranteed, the wakeup can come
+ * instantly.
+ *
+ * This function must be used as-if it were wake_up_process(); IOW the task
+ * must be ready to be woken at this location.
+ */
 void wake_q_add(struct wake_q_head *head, struct task_struct *task)
 {
         struct wake_q_node *node = &task->wake_q;
@@ -405,10 +417,11 @@ void wake_q_add(struct wake_q_head *head, struct task_struct *task)
          * its already queued (either by us or someone else) and will get the
          * wakeup due to that.
          *
-         * This cmpxchg() executes a full barrier, which pairs with the full
-         * barrier executed by the wakeup in wake_up_q().
+         * In order to ensure that a pending wakeup will observe our pending
+         * state, even in the failed case, an explicit smp_mb() must be used.
          */
-        if (cmpxchg(&node->next, NULL, WAKE_Q_TAIL))
+        smp_mb__before_atomic();
+        if (cmpxchg_relaxed(&node->next, NULL, WAKE_Q_TAIL))
                 return;
 
         get_task_struct(task);
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index d7f538847b84..e815781ed751 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -976,6 +976,9 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
         struct seccomp_filter *filter = file->private_data;
         struct seccomp_knotif *knotif;
 
+        if (!filter)
+                return 0;
+
         mutex_lock(&filter->notify_lock);
 
         /*
@@ -1300,6 +1303,7 @@ out:
 out_put_fd:
         if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) {
                 if (ret < 0) {
+                        listener_f->private_data = NULL;
                         fput(listener_f);
                         put_unused_fd(listener);
                 } else {
diff --git a/kernel/sys.c b/kernel/sys.c
index a48cbf1414b8..f7eb62eceb24 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1207,7 +1207,8 @@ DECLARE_RWSEM(uts_sem);
 /*
  * Work around broken programs that cannot handle "Linux 3.0".
  * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
- * And we map 4.x to 2.6.60+x, so 4.0 would be 2.6.60.
+ * And we map 4.x and later versions to 2.6.60+x, so 4.0/5.0/6.0/... would be
+ * 2.6.60.
  */
 static int override_release(char __user *release, size_t len)
 {
diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
index 8f0644af40be..80f955210861 100644
--- a/kernel/time/posix-cpu-timers.c
+++ b/kernel/time/posix-cpu-timers.c
@@ -685,6 +685,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags,
          * set up the signal and overrun bookkeeping.
          */
         timer->it.cpu.incr = timespec64_to_ns(&new->it_interval);
+        timer->it_interval = ns_to_ktime(timer->it.cpu.incr);
 
         /*
          * This acts as a modification timestamp for the timer,
diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
index 5c19b8c41c7e..d5fb09ebba8b 100644
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -607,11 +607,17 @@ static int trace_kprobe_create(int argc, const char *argv[])
         char buf[MAX_EVENT_NAME_LEN];
         unsigned int flags = TPARG_FL_KERNEL;
 
-        /* argc must be >= 1 */
-        if (argv[0][0] == 'r') {
+        switch (argv[0][0]) {
+        case 'r':
                 is_return = true;
                 flags |= TPARG_FL_RETURN;
-        } else if (argv[0][0] != 'p' || argc < 2)
+                break;
+        case 'p':
+                break;
+        default:
+                return -ECANCELED;
+        }
+        if (argc < 2)
                 return -ECANCELED;
 
         event = strchr(&argv[0][1], ':');
diff --git a/kernel/umh.c b/kernel/umh.c
index 0baa672e023c..d937cbad903a 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -37,6 +37,8 @@ static kernel_cap_t usermodehelper_bset = CAP_FULL_SET;
 static kernel_cap_t usermodehelper_inheritable = CAP_FULL_SET;
 static DEFINE_SPINLOCK(umh_sysctl_lock);
 static DECLARE_RWSEM(umhelper_sem);
+static LIST_HEAD(umh_list);
+static DEFINE_MUTEX(umh_list_lock);
 
 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
 {
@@ -100,10 +102,12 @@ static int call_usermodehelper_exec_async(void *data)
         commit_creds(new);
 
         sub_info->pid = task_pid_nr(current);
-        if (sub_info->file)
+        if (sub_info->file) {
                 retval = do_execve_file(sub_info->file,
                                         sub_info->argv, sub_info->envp);
-        else
+                if (!retval)
+                        current->flags |= PF_UMH;
+        } else
                 retval = do_execve(getname_kernel(sub_info->path),
                                    (const char __user *const __user *)sub_info->argv,
                                    (const char __user *const __user *)sub_info->envp);
@@ -517,6 +521,11 @@ int fork_usermode_blob(void *data, size_t len, struct umh_info *info)
                 goto out;
 
         err = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
+        if (!err) {
+                mutex_lock(&umh_list_lock);
+                list_add(&info->list, &umh_list);
+                mutex_unlock(&umh_list_lock);
+        }
 out:
         fput(file);
         return err;
@@ -679,6 +688,26 @@ static int proc_cap_handler(struct ctl_table *table, int write,
         return 0;
 }
 
+void __exit_umh(struct task_struct *tsk)
+{
+        struct umh_info *info;
+        pid_t pid = tsk->pid;
+
+        mutex_lock(&umh_list_lock);
+        list_for_each_entry(info, &umh_list, list) {
+                if (info->pid == pid) {
+                        list_del(&info->list);
+                        mutex_unlock(&umh_list_lock);
+                        goto out;
+                }
+        }
+        mutex_unlock(&umh_list_lock);
+        return;
+out:
+        if (info->cleanup)
+                info->cleanup(info);
+}
+
 struct ctl_table usermodehelper_table[] = {
         {
                 .procname       = "bset",