--- /dev/null
+From b3193bc0dca9bb69c8ba1ec1a318105c76eb4172 Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@codeaurora.org>
+Date: Wed, 9 Aug 2017 18:28:32 +0530
+Subject: cfq: Give a chance for arming slice idle timer in case of group_idle
+
+From: Ritesh Harjani <riteshh@codeaurora.org>
+
+commit b3193bc0dca9bb69c8ba1ec1a318105c76eb4172 upstream.
+
+In below scenario blkio cgroup does not work as per their assigned
+weights :-
+1. When the underlying device is nonrotational with a single HW queue
+with depth of >= CFQ_HW_QUEUE_MIN
+2. When the use case is forming two blkio cgroups cg1(weight 1000) &
+cg2(wight 100) and two processes(file1 and file2) doing sync IO in
+their respective blkio cgroups.
+
+For above usecase result of fio (without this patch):-
+file1: (groupid=0, jobs=1): err= 0: pid=685: Thu Jan 1 19:41:49 1970
+ write: IOPS=1315, BW=41.1MiB/s (43.1MB/s)(1024MiB/24906msec)
+<...>
+file2: (groupid=0, jobs=1): err= 0: pid=686: Thu Jan 1 19:41:49 1970
+ write: IOPS=1295, BW=40.5MiB/s (42.5MB/s)(1024MiB/25293msec)
+<...>
+// both the process BW is equal even though they belong to diff.
+cgroups with weight of 1000(cg1) and 100(cg2)
+
+In above case (for non rotational NCQ devices),
+as soon as the request from cg1 is completed and even
+though it is provided with higher set_slice=10, because of CFQ
+algorithm when the driver tries to fetch the request, CFQ expires
+this group without providing any idle time nor weight priority
+and schedules another cfq group (in this case cg2).
+And thus both cfq groups(cg1 & cg2) keep alternating to get the
+disk time and hence loses the cgroup weight based scheduling.
+
+Below patch gives a chance to cfq algorithm (cfq_arm_slice_timer)
+to arm the slice timer in case group_idle is enabled.
+In case if group_idle is also not required (including for nonrotational
+NCQ drives), we need to explicitly set group_idle = 0 from sysfs for
+such cases.
+
+With this patch result of fio(for above usecase) :-
+file1: (groupid=0, jobs=1): err= 0: pid=690: Thu Jan 1 00:06:08 1970
+ write: IOPS=1706, BW=53.3MiB/s (55.9MB/s)(1024MiB/19197msec)
+<..>
+file2: (groupid=0, jobs=1): err= 0: pid=691: Thu Jan 1 00:06:08 1970
+ write: IOPS=1043, BW=32.6MiB/s (34.2MB/s)(1024MiB/31401msec)
+<..>
+// In this processes BW is as per their respective cgroups weight.
+
+Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/cfq-iosched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -2728,7 +2728,8 @@ static void cfq_arm_slice_timer(struct c
+ * for devices that support queuing, otherwise we still have a problem
+ * with sync vs async workloads.
+ */
+- if (blk_queue_nonrot(cfqd->queue) && cfqd->hw_tag)
++ if (blk_queue_nonrot(cfqd->queue) && cfqd->hw_tag &&
++ !cfqd->cfq_group_idle)
+ return;
+
+ WARN_ON(!RB_EMPTY_ROOT(&cfqq->sort_list));
--- /dev/null
+From b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 29 May 2017 09:22:07 +0200
+Subject: kthread: fix boot hang (regression) on MIPS/OpenRISC
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 upstream.
+
+This fixes a regression in commit 4d6501dce079 where I didn't notice
+that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to
+NULL after our initialisation in copy_process().
+
+We can simply get rid of the arch-specific initialisation here since it
+is now always done in copy_process() before hitting copy_thread{,_tls}().
+
+Review notes:
+
+ - As far as I can tell, copy_process() is the only user of
+ copy_thread_tls(), which is the only caller of copy_thread() for
+ architectures that don't implement copy_thread_tls().
+
+ - After this patch, there is no arch-specific code touching
+ p->set_child_tid or p->clear_child_tid whatsoever.
+
+ - It may look like MIPS/OpenRISC wanted to always have these fields be
+ NULL, but that's not true, as copy_process() would unconditionally
+ set them again _after_ calling copy_thread_tls() before commit
+ 4d6501dce079.
+
+Fixes: 4d6501dce079c1eb6bf0b1d8f528a5e81770109e ("kthread: Fix use-after-free if kthread fork fails")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net> # MIPS only
+Acked-by: Stafford Horne <shorne@gmail.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: Jonas Bonn <jonas@southpole.se>
+Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
+Cc: openrisc@lists.librecores.org
+Cc: Jamie Iles <jamie.iles@oracle.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 1 -
+ arch/openrisc/kernel/process.c | 2 --
+ 2 files changed, 3 deletions(-)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -87,7 +87,6 @@ int copy_thread(unsigned long clone_flag
+ struct thread_info *ti = task_thread_info(p);
+ struct pt_regs *childregs, *regs = current_pt_regs();
+ unsigned long childksp;
+- p->set_child_tid = p->clear_child_tid = NULL;
+
+ childksp = (unsigned long)task_stack_page(p) + THREAD_SIZE - 32;
+
+--- a/arch/openrisc/kernel/process.c
++++ b/arch/openrisc/kernel/process.c
+@@ -152,8 +152,6 @@ copy_thread(unsigned long clone_flags, u
+
+ top_of_kernel_stack = sp;
+
+- p->set_child_tid = p->clear_child_tid = NULL;
+-
+ /* Locate userspace context on stack... */
+ sp -= STACK_FRAME_OVERHEAD; /* redzone */
+ sp -= sizeof(struct pt_regs);
--- /dev/null
+From 4d6501dce079c1eb6bf0b1d8f528a5e81770109e Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Tue, 9 May 2017 09:39:59 +0200
+Subject: kthread: Fix use-after-free if kthread fork fails
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream.
+
+If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
+fails in copy_process() between calling dup_task_struct() and setting
+p->set_child_tid, then the value of p->set_child_tid will be inherited
+from the parent and get prematurely freed by free_kthread_struct().
+
+ kthread()
+ - worker_thread()
+ - process_one_work()
+ | - call_usermodehelper_exec_work()
+ | - kernel_thread()
+ | - _do_fork()
+ | - copy_process()
+ | - dup_task_struct()
+ | - arch_dup_task_struct()
+ | - tsk->set_child_tid = current->set_child_tid // implied
+ | - ...
+ | - goto bad_fork_*
+ | - ...
+ | - free_task(tsk)
+ | - free_kthread_struct(tsk)
+ | - kfree(tsk->set_child_tid)
+ - ...
+ - schedule()
+ - __schedule()
+ - wq_worker_sleeping()
+ - kthread_data(task)->flags // UAF
+
+The problem started showing up with commit 1da5c46fa965 since it reused
+->set_child_tid for the kthread worker data.
+
+A better long-term solution might be to get rid of the ->set_child_tid
+abuse. The comment in set_kthread_struct() also looks slightly wrong.
+
+Debugged-by: Jamie Iles <jamie.iles@oracle.com>
+Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jamie Iles <jamie.iles@oracle.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1243,6 +1243,18 @@ static struct task_struct *copy_process(
+ if (!p)
+ goto fork_out;
+
++ /*
++ * This _must_ happen before we call free_task(), i.e. before we jump
++ * to any of the bad_fork_* labels. This is to avoid freeing
++ * p->set_child_tid which is (ab)used as a kthread's data pointer for
++ * kernel threads (PF_KTHREAD).
++ */
++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
++ /*
++ * Clear TID on mm_release()?
++ */
++ p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
++
+ ftrace_graph_init_task(p);
+
+ rt_mutex_init_task(p);
+@@ -1406,11 +1418,6 @@ static struct task_struct *copy_process(
+ goto bad_fork_cleanup_io;
+ }
+
+- p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
+- /*
+- * Clear TID on mm_release()?
+- */
+- p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
+ #ifdef CONFIG_BLOCK
+ p->plug = NULL;
+ #endif
fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch
asoc-wm8994-fix-missing-break-in-switch.patch
i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch
+cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch
+kthread-fix-use-after-free-if-kthread-fork-fails.patch
+kthread-fix-boot-hang-regression-on-mips-openrisc.patch
+staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch
+staging-rts5208-fix-read-overflow-in-memcpy.patch
--- /dev/null
+From 498c4b4e9c23855d17ecc2a108d949bb68020481 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Mon, 5 Jun 2017 15:30:16 +0800
+Subject: staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+commit 498c4b4e9c23855d17ecc2a108d949bb68020481 upstream.
+
+The driver may sleep under a spin lock, and the function call path is:
+rtsx_exclusive_enter_ss (acquire the lock by spin_lock)
+ rtsx_enter_ss
+ rtsx_power_off_card
+ xd_cleanup_work
+ xd_delay_write
+ xd_finish_write
+ xd_copy_page
+ wait_timeout
+ schedule_timeout --> may sleep
+
+To fix it, "wait_timeout" is replaced with mdelay in xd_copy_page.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rts5208/xd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/xd.c
++++ b/drivers/staging/rts5208/xd.c
+@@ -1095,7 +1095,7 @@ static int xd_copy_page(struct rtsx_chip
+ reg = 0;
+ rtsx_read_register(chip, XD_CTL, ®);
+ if (reg & (XD_ECC1_ERROR | XD_ECC2_ERROR)) {
+- wait_timeout(100);
++ mdelay(100);
+
+ if (detect_card_cd(chip,
+ XD_CARD) != STATUS_SUCCESS) {
--- /dev/null
+From 88a5b39b69ab1828fd4130e2baadd184109cea69 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 5 Jun 2017 21:52:34 -0700
+Subject: staging/rts5208: Fix read overflow in memcpy
+
+From: Daniel Micay <danielmicay@gmail.com>
+
+commit 88a5b39b69ab1828fd4130e2baadd184109cea69 upstream.
+
+Noticed by FORTIFY_SOURCE, this swaps memcpy() for strncpy() to zero-value
+fill the end of the buffer instead of over-reading a string from .rodata.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[kees: wrote commit log]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Wayne Porter <wporter82@gmail.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+
+---
+ drivers/staging/rts5208/rtsx_scsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rts5208/rtsx_scsi.c
++++ b/drivers/staging/rts5208/rtsx_scsi.c
+@@ -539,7 +539,7 @@ static int inquiry(struct scsi_cmnd *srb
+
+ if (sendbytes > 8) {
+ memcpy(buf, inquiry_buf, 8);
+- memcpy(buf + 8, inquiry_string, sendbytes - 8);
++ strncpy(buf + 8, inquiry_string, sendbytes - 8);
+ if (pro_formatter_flag) {
+ /* Additional Length */
+ buf[4] = 0x33;
projects / thirdparty / kernel / stable-queue.git / commitdiff
