diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..488ede7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-4.18.0-193.1.2.el8_2.src.rpm
+SOURCES/v0.9.1.tar.gz
diff --git a/.kpatch-patch-4_18_0-193_1_2.metadata b/.kpatch-patch-4_18_0-193_1_2.metadata
new file mode 100644
index 0000000..b209f3a
--- /dev/null
+++ b/.kpatch-patch-4_18_0-193_1_2.metadata
@@ -0,0 +1,2 @@
+a559495b2ad7c5b6c78f09a67c86ab0502b1f7b0 SOURCES/kernel-4.18.0-193.1.2.el8_2.src.rpm
+6e579e182c12526fc77391b52074aee43df7691a SOURCES/v0.9.1.tar.gz
diff --git a/SOURCES/block-block-bfq-fix-use-after-free-in-bfq_idle_slice.patch b/SOURCES/block-block-bfq-fix-use-after-free-in-bfq_idle_slice.patch
new file mode 100644
index 0000000..a17e2b4
--- /dev/null
+++ b/SOURCES/block-block-bfq-fix-use-after-free-in-bfq_idle_slice.patch
@@ -0,0 +1,220 @@
+From 85e1ebd935f809b165daccae23144de5611989f3 Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Mon, 25 May 2020 09:29:32 +0200
+Subject: [KPATCH 8.2 BZ1835538 PATCH] [block] block, bfq: fix use-after-free in
+ bfq_idle_slice_timer_body
+
+Kernels:
+4.18.0-193.el8
+4.18.0-193.1.2.el8_2
+
+Changes since last build:
+arches: x86_64 ppc64le
+bfq-iosched.o: changed function: bfq_idle_slice_timer
+---------------------------
+
+Modifications: none
+
+commit 9bc03301d07fb521f7566e6b5054eb27968a5e88
+Author: Ming Lei <ming.lei@redhat.com>
+Date:   Wed Apr 15 13:16:30 2020 -0400
+
+    [block] block, bfq: fix use-after-free in bfq_idle_slice_timer_body
+
+    Message-id: <20200415131630.2708071-12-ming.lei@redhat.com>
+    Patchwork-id: 302228
+    Patchwork-instance: patchwork
+    O-Subject: [RHEL8.3 11/11] block, bfq: fix use-after-free in bfq_idle_slice_timer_body
+    Bugzilla: 1835532
+    Z-Bugzilla: 1835531
+    CVE: CVE-2020-12657
+    RH-Acked-by: Vivek Goyal <vgoyal@redhat.com>
+    RH-Acked-by: Ewan Milne <emilne@redhat.com>
+
+    From: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+
+    BZ: 1823596
+
+    commit 2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9
+    Author: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+    Date:   Thu Mar 19 19:18:13 2020 +0800
+
+        block, bfq: fix use-after-free in bfq_idle_slice_timer_body
+
+        In bfq_idle_slice_timer func, bfqq = bfqd->in_service_queue is
+        not in bfqd-lock critical section. The bfqq, which is not
+        equal to NULL in bfq_idle_slice_timer, may be freed after passing
+        to bfq_idle_slice_timer_body. So we will access the freed memory.
+
+        In addition, considering the bfqq may be in race, we should
+        firstly check whether bfqq is in service before doing something
+        on it in bfq_idle_slice_timer_body func. If the bfqq in race is
+        not in service, it means the bfqq has been expired through
+        __bfq_bfqq_expire func, and wait_request flags has been cleared in
+        __bfq_bfqd_reset_in_service func. So we do not need to re-clear the
+        wait_request of bfqq which is not in service.
+
+        KASAN log is given as follows:
+        [13058.354613] ==================================================================
+        [13058.354640] BUG: KASAN: use-after-free in bfq_idle_slice_timer+0xac/0x290
+        [13058.354644] Read of size 8 at addr ffffa02cf3e63f78 by task fork13/19767
+        [13058.354646]
+        [13058.354655] CPU: 96 PID: 19767 Comm: fork13
+        [13058.354661] Call trace:
+        [13058.354667]  dump_backtrace+0x0/0x310
+        [13058.354672]  show_stack+0x28/0x38
+        [13058.354681]  dump_stack+0xd8/0x108
+        [13058.354687]  print_address_description+0x68/0x2d0
+        [13058.354690]  kasan_report+0x124/0x2e0
+        [13058.354697]  __asan_load8+0x88/0xb0
+        [13058.354702]  bfq_idle_slice_timer+0xac/0x290
+        [13058.354707]  __hrtimer_run_queues+0x298/0x8b8
+        [13058.354710]  hrtimer_interrupt+0x1b8/0x678
+        [13058.354716]  arch_timer_handler_phys+0x4c/0x78
+        [13058.354722]  handle_percpu_devid_irq+0xf0/0x558
+        [13058.354731]  generic_handle_irq+0x50/0x70
+        [13058.354735]  __handle_domain_irq+0x94/0x110
+        [13058.354739]  gic_handle_irq+0x8c/0x1b0
+        [13058.354742]  el1_irq+0xb8/0x140
+        [13058.354748]  do_wp_page+0x260/0xe28
+        [13058.354752]  __handle_mm_fault+0x8ec/0x9b0
+        [13058.354756]  handle_mm_fault+0x280/0x460
+        [13058.354762]  do_page_fault+0x3ec/0x890
+        [13058.354765]  do_mem_abort+0xc0/0x1b0
+        [13058.354768]  el0_da+0x24/0x28
+        [13058.354770]
+        [13058.354773] Allocated by task 19731:
+        [13058.354780]  kasan_kmalloc+0xe0/0x190
+        [13058.354784]  kasan_slab_alloc+0x14/0x20
+        [13058.354788]  kmem_cache_alloc_node+0x130/0x440
+        [13058.354793]  bfq_get_queue+0x138/0x858
+        [13058.354797]  bfq_get_bfqq_handle_split+0xd4/0x328
+        [13058.354801]  bfq_init_rq+0x1f4/0x1180
+        [13058.354806]  bfq_insert_requests+0x264/0x1c98
+        [13058.354811]  blk_mq_sched_insert_requests+0x1c4/0x488
+        [13058.354818]  blk_mq_flush_plug_list+0x2d4/0x6e0
+        [13058.354826]  blk_flush_plug_list+0x230/0x548
+        [13058.354830]  blk_finish_plug+0x60/0x80
+        [13058.354838]  read_pages+0xec/0x2c0
+        [13058.354842]  __do_page_cache_readahead+0x374/0x438
+        [13058.354846]  ondemand_readahead+0x24c/0x6b0
+        [13058.354851]  page_cache_sync_readahead+0x17c/0x2f8
+        [13058.354858]  generic_file_buffered_read+0x588/0xc58
+        [13058.354862]  generic_file_read_iter+0x1b4/0x278
+        [13058.354965]  ext4_file_read_iter+0xa8/0x1d8 [ext4]
+        [13058.354972]  __vfs_read+0x238/0x320
+        [13058.354976]  vfs_read+0xbc/0x1c0
+        [13058.354980]  ksys_read+0xdc/0x1b8
+        [13058.354984]  __arm64_sys_read+0x50/0x60
+        [13058.354990]  el0_svc_common+0xb4/0x1d8
+        [13058.354994]  el0_svc_handler+0x50/0xa8
+        [13058.354998]  el0_svc+0x8/0xc
+        [13058.354999]
+        [13058.355001] Freed by task 19731:
+        [13058.355007]  __kasan_slab_free+0x120/0x228
+        [13058.355010]  kasan_slab_free+0x10/0x18
+        [13058.355014]  kmem_cache_free+0x288/0x3f0
+        [13058.355018]  bfq_put_queue+0x134/0x208
+        [13058.355022]  bfq_exit_icq_bfqq+0x164/0x348
+        [13058.355026]  bfq_exit_icq+0x28/0x40
+        [13058.355030]  ioc_exit_icq+0xa0/0x150
+        [13058.355035]  put_io_context_active+0x250/0x438
+        [13058.355038]  exit_io_context+0xd0/0x138
+        [13058.355045]  do_exit+0x734/0xc58
+        [13058.355050]  do_group_exit+0x78/0x220
+        [13058.355054]  __wake_up_parent+0x0/0x50
+        [13058.355058]  el0_svc_common+0xb4/0x1d8
+        [13058.355062]  el0_svc_handler+0x50/0xa8
+        [13058.355066]  el0_svc+0x8/0xc
+        [13058.355067]
+        [13058.355071] The buggy address belongs to the object at ffffa02cf3e63e70#012 which belongs to the cache bfq_queue of size 464
+        [13058.355075] The buggy address is located 264 bytes inside of#012 464-byte region [ffffa02cf3e63e70, ffffa02cf3e64040)
+        [13058.355077] The buggy address belongs to the page:
+        [13058.355083] page:ffff7e80b3cf9800 count:1 mapcount:0 mapping:ffff802db5c90780 index:0xffffa02cf3e606f0 compound_mapcount: 0
+        [13058.366175] flags: 0x2ffffe0000008100(slab|head)
+        [13058.370781] raw: 2ffffe0000008100 ffff7e80b53b1408 ffffa02d730c1c90 ffff802db5c90780
+        [13058.370787] raw: ffffa02cf3e606f0 0000000000370023 00000001ffffffff 0000000000000000
+        [13058.370789] page dumped because: kasan: bad access detected
+        [13058.370791]
+        [13058.370792] Memory state around the buggy address:
+        [13058.370797]  ffffa02cf3e63e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb
+        [13058.370801]  ffffa02cf3e63e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+        [13058.370805] >ffffa02cf3e63f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+        [13058.370808]                                                                 ^
+        [13058.370811]  ffffa02cf3e63f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+        [13058.370815]  ffffa02cf3e64000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+        [13058.370817] ==================================================================
+        [13058.370820] Disabling lock debugging due to kernel taint
+
+        Here, we directly pass the bfqd to bfq_idle_slice_timer_body func.
+        --
+        V2->V3: rewrite the comment as suggested by Paolo Valente
+        V1->V2: add one comment, and add Fixes and Reported-by tag.
+
+        Fixes: aee69d78d ("block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler")
+        Acked-by: Paolo Valente <paolo.valente@linaro.org>
+        Reported-by: Wang Wang <wangwang2@huawei.com>
+        Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+        Signed-off-by: Feilong Lin <linfeilong@huawei.com>
+        Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+    Signed-off-by: Ming Lei <ming.lei@redhat.com>
+    Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Julien Thierry <jthierry@redhat.com>
+Acked-by: Yannick Cote <ycote@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+---
+ block/bfq-iosched.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 9b492dfb7602..be2c1708c82d 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6188,20 +6188,28 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ 	return bfqq;
+ }
+ 
+-static void bfq_idle_slice_timer_body(struct bfq_queue *bfqq)
++static void
++bfq_idle_slice_timer_body(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+ {
+-	struct bfq_data *bfqd = bfqq->bfqd;
+ 	enum bfqq_expiration reason;
+ 	unsigned long flags;
+ 
+ 	spin_lock_irqsave(&bfqd->lock, flags);
+-	bfq_clear_bfqq_wait_request(bfqq);
+ 
++	/*
++	 * Considering that bfqq may be in race, we should firstly check
++	 * whether bfqq is in service before doing something on it. If
++	 * the bfqq in race is not in service, it has already been expired
++	 * through __bfq_bfqq_expire func and its wait_request flags has
++	 * been cleared in __bfq_bfqd_reset_in_service func.
++	 */
+ 	if (bfqq != bfqd->in_service_queue) {
+ 		spin_unlock_irqrestore(&bfqd->lock, flags);
+ 		return;
+ 	}
+ 
++	bfq_clear_bfqq_wait_request(bfqq);
++
+ 	if (bfq_bfqq_budget_timeout(bfqq))
+ 		/*
+ 		 * Also here the queue can be safely expired
+@@ -6246,7 +6254,7 @@ static enum hrtimer_restart bfq_idle_slice_timer(struct hrtimer *timer)
+ 	 * early.
+ 	 */
+ 	if (bfqq)
+-		bfq_idle_slice_timer_body(bfqq);
++		bfq_idle_slice_timer_body(bfqd, bfqq);
+ 
+ 	return HRTIMER_NORESTART;
+ }
+-- 
+2.21.3
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
new file mode 100644
index 0000000..cc320f7
--- /dev/null
+++ b/SPECS/kpatch-patch.spec
@@ -0,0 +1,159 @@
+# Set to 1 if building an empty subscription-only package.
+%define empty_package		0
+
+#######################################################
+# Only need to update these variables and the changelog
+%define kernel_ver	4.18.0-193.1.2.el8_2
+%define kpatch_ver	0.9.1
+%define rpm_ver		1
+%define rpm_rel		1
+
+%if !%{empty_package}
+# Patch sources below. DO NOT REMOVE THIS LINE.
+#
+# https://bugzilla.redhat.com/1835531
+Source100: block-block-bfq-fix-use-after-free-in-bfq_idle_slice.patch
+# End of patch sources. DO NOT REMOVE THIS LINE.
+%endif
+
+%define sanitized_rpm_rel	%{lua: print((string.gsub(rpm.expand("%rpm_rel"), "%.", "_")))}
+%define sanitized_kernel_ver   %{lua: print((string.gsub(string.gsub(rpm.expand("%kernel_ver"), '.el8_?\%d?', ""), "%.", "_")))}
+%define kernel_ver_arch        %{kernel_ver}.%{_arch}
+
+Name:		kpatch-patch-%{sanitized_kernel_ver}
+Version:	%{rpm_ver}
+Release:	%{rpm_rel}%{?dist}
+
+%if %{empty_package}
+Summary:	Initial empty kpatch-patch for kernel-%{kernel_ver_arch}
+%else
+Summary:	Live kernel patching module for kernel-%{kernel_ver_arch}
+%endif
+
+Group:		System Environment/Kernel
+License:	GPLv2
+ExclusiveArch:	x86_64 ppc64le
+
+Conflicts:	%{name} < %{version}-%{release}
+
+Provides:	kpatch-patch = %{kernel_ver_arch}
+Provides:	kpatch-patch = %{kernel_ver}
+
+%if !%{empty_package}
+Requires:	systemd
+%endif
+Requires:	kpatch >= 0.6.1-1
+Requires:	kernel-uname-r = %{kernel_ver_arch}
+
+%if !%{empty_package}
+BuildRequires:	patchutils
+BuildRequires:	kernel-devel = %{kernel_ver}
+BuildRequires:	kernel-debuginfo = %{kernel_ver}
+
+# kernel build requirements, generated from:
+#   % rpmspec -q --buildrequires kernel.spec | sort | awk '{print "BuildRequires:\t" $0}'
+# with arch-specific packages moved into conditional block
+BuildRequires:	asciidoc audit-libs-devel bash bc binutils binutils-devel bison bzip2 diffutils elfutils elfutils-devel findutils flex gawk gcc gettext git gzip hmaccalc hostname kmod m4 make ncurses-devel net-tools newt-devel numactl-devel openssl openssl-devel patch pciutils-devel perl-Carp perl-devel perl(ExtUtils::Embed) perl-generators perl-interpreter python3-devel python3-docutils redhat-rpm-config rpm-build sh-utils tar xmlto xz xz-devel zlib-devel java-devel kabi-dw
+
+%ifarch x86_64
+BuildRequires:	pesign >= 0.10-4
+%endif
+
+%ifarch ppc64le
+BuildRequires:	gcc-plugin-devel
+%endif
+
+Source:		https://github.com/dynup/kpatch/archive/v%{kpatch_ver}.tar.gz
+
+Source10:	kernel-%{kernel_ver}.src.rpm
+
+# kpatch-build patches
+# Patch1: ZZZ.patch
+
+%global _dupsign_opts --keyname=rhelkpatch1
+
+%define builddir	%{_builddir}/kpatch-%{kpatch_ver}
+%define kpatch		%{_sbindir}/kpatch
+%define kmoddir 	%{_usr}/lib/kpatch/%{kernel_ver_arch}
+%define kinstdir	%{_sharedstatedir}/kpatch/%{kernel_ver_arch}
+%define patchmodname	kpatch-%{sanitized_kernel_ver}-%{version}-%{sanitized_rpm_rel}
+%define patchmod	%{patchmodname}.ko
+
+%define _missing_build_ids_terminate_build 1
+%define _find_debuginfo_opts -r
+%undefine _include_minidebuginfo
+%undefine _find_debuginfo_dwz_opts
+
+%description
+This is a kernel live patch module which can be loaded by the kpatch
+command line utility to modify the code of a running kernel.  This patch
+module is targeted for kernel-%{kernel_ver}.
+
+%prep
+%autosetup -n kpatch-%{kpatch_ver} -p1
+
+%build
+kdevdir=/usr/src/kernels/%{kernel_ver_arch}
+vmlinux=/usr/lib/debug/lib/modules/%{kernel_ver_arch}/vmlinux
+
+# kpatch-build
+make -C kpatch-build
+
+# patch module
+for i in %{sources}; do
+	[[ $i == *.patch ]] && patch_sources="$patch_sources $i"
+done
+export CACHEDIR="%{builddir}/.kpatch"
+kpatch-build/kpatch-build -n %{patchmodname} -r %{SOURCE10} -v $vmlinux --skip-cleanup $patch_sources || { cat "${CACHEDIR}/build.log"; exit 1; }
+
+
+%install
+installdir=%{buildroot}/%{kmoddir}
+install -d $installdir
+install -m 755 %{builddir}/%{patchmod} $installdir
+
+
+%files
+%{_usr}/lib/kpatch
+
+
+%post
+%{kpatch} install -k %{kernel_ver_arch} %{kmoddir}/%{patchmod}
+chcon -t modules_object_t %{kinstdir}/%{patchmod}
+sync
+if [[ %{kernel_ver_arch} = $(uname -r) ]]; then
+	cver="%{rpm_ver}_%{rpm_rel}"
+	pname=$(echo "kpatch_%{sanitized_kernel_ver}" | sed 's/-/_/')
+
+	lver=$({ %{kpatch} list | sed -nr "s/^${pname}_([0-9_]+)\ \[enabled\]$/\1/p"; echo "${cver}"; } | sort -V | tail -1)
+
+	if [ "${lver}" != "${cver}" ]; then
+		echo "WARNING: at least one loaded kpatch-patch (${pname}_${lver}) has a newer version than the one being installed."
+		echo "WARNING: You will have to reboot to load a downgraded kpatch-patch"
+	else
+		%{kpatch} load %{patchmod}
+	fi
+fi
+exit 0
+
+
+%postun
+%{kpatch} uninstall -k %{kernel_ver_arch} %{patchmod}
+sync
+exit 0
+
+%else
+%description
+This is an empty kpatch-patch package which does not contain any real patches.
+It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
+
+%files
+%doc
+%endif
+
+%changelog
+* Mon May 25 2020 Artem Savkov <asavkov@redhat.com> [1-1.el8]
+- use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body [1835531] {CVE-2020-12657}
+
+* Mon May 11 2020 Artem Savkov <asavkov@redhat.com> [0-0.el8]
+- An empty patch to subscribe to kpatch stream for kernel-4.18.0-193.1.2.el8_2 [1834315]