From: Greg Kroah-Hartman Date: Sun, 16 Sep 2018 13:39:26 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.18.9~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffc49f54e5719b12d3ada094bc4be72945c61f14;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch kthread-fix-boot-hang-regression-on-mips-openrisc.patch kthread-fix-use-after-free-if-kthread-fork-fails.patch staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch staging-rts5208-fix-read-overflow-in-memcpy.patch --- diff --git a/queue-3.18/cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch b/queue-3.18/cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch new file mode 100644 index 00000000000..e26b53c3ecb --- /dev/null +++ b/queue-3.18/cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch @@ -0,0 +1,72 @@ +From b3193bc0dca9bb69c8ba1ec1a318105c76eb4172 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Wed, 9 Aug 2017 18:28:32 +0530 +Subject: cfq: Give a chance for arming slice idle timer in case of group_idle + +From: Ritesh Harjani + +commit b3193bc0dca9bb69c8ba1ec1a318105c76eb4172 upstream. + +In below scenario blkio cgroup does not work as per their assigned +weights :- +1. When the underlying device is nonrotational with a single HW queue +with depth of >= CFQ_HW_QUEUE_MIN +2. When the use case is forming two blkio cgroups cg1(weight 1000) & +cg2(wight 100) and two processes(file1 and file2) doing sync IO in +their respective blkio cgroups. + +For above usecase result of fio (without this patch):- +file1: (groupid=0, jobs=1): err= 0: pid=685: Thu Jan 1 19:41:49 1970 + write: IOPS=1315, BW=41.1MiB/s (43.1MB/s)(1024MiB/24906msec) +<...> +file2: (groupid=0, jobs=1): err= 0: pid=686: Thu Jan 1 19:41:49 1970 + write: IOPS=1295, BW=40.5MiB/s (42.5MB/s)(1024MiB/25293msec) +<...> +// both the process BW is equal even though they belong to diff. +cgroups with weight of 1000(cg1) and 100(cg2) + +In above case (for non rotational NCQ devices), +as soon as the request from cg1 is completed and even +though it is provided with higher set_slice=10, because of CFQ +algorithm when the driver tries to fetch the request, CFQ expires +this group without providing any idle time nor weight priority +and schedules another cfq group (in this case cg2). +And thus both cfq groups(cg1 & cg2) keep alternating to get the +disk time and hence loses the cgroup weight based scheduling. + +Below patch gives a chance to cfq algorithm (cfq_arm_slice_timer) +to arm the slice timer in case group_idle is enabled. +In case if group_idle is also not required (including for nonrotational +NCQ drives), we need to explicitly set group_idle = 0 from sysfs for +such cases. + +With this patch result of fio(for above usecase) :- +file1: (groupid=0, jobs=1): err= 0: pid=690: Thu Jan 1 00:06:08 1970 + write: IOPS=1706, BW=53.3MiB/s (55.9MB/s)(1024MiB/19197msec) +<..> +file2: (groupid=0, jobs=1): err= 0: pid=691: Thu Jan 1 00:06:08 1970 + write: IOPS=1043, BW=32.6MiB/s (34.2MB/s)(1024MiB/31401msec) +<..> +// In this processes BW is as per their respective cgroups weight. + +Signed-off-by: Ritesh Harjani +Signed-off-by: Jens Axboe +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + block/cfq-iosched.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/block/cfq-iosched.c ++++ b/block/cfq-iosched.c +@@ -2728,7 +2728,8 @@ static void cfq_arm_slice_timer(struct c + * for devices that support queuing, otherwise we still have a problem + * with sync vs async workloads. + */ +- if (blk_queue_nonrot(cfqd->queue) && cfqd->hw_tag) ++ if (blk_queue_nonrot(cfqd->queue) && cfqd->hw_tag && ++ !cfqd->cfq_group_idle) + return; + + WARN_ON(!RB_EMPTY_ROOT(&cfqq->sort_list)); diff --git a/queue-3.18/kthread-fix-boot-hang-regression-on-mips-openrisc.patch b/queue-3.18/kthread-fix-boot-hang-regression-on-mips-openrisc.patch new file mode 100644 index 00000000000..28ac5a439d8 --- /dev/null +++ b/queue-3.18/kthread-fix-boot-hang-regression-on-mips-openrisc.patch @@ -0,0 +1,73 @@ +From b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 29 May 2017 09:22:07 +0200 +Subject: kthread: fix boot hang (regression) on MIPS/OpenRISC + +From: Vegard Nossum + +commit b0f5a8f32e8bbdaae1abb8abe2d3cbafaba57e08 upstream. + +This fixes a regression in commit 4d6501dce079 where I didn't notice +that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to +NULL after our initialisation in copy_process(). + +We can simply get rid of the arch-specific initialisation here since it +is now always done in copy_process() before hitting copy_thread{,_tls}(). + +Review notes: + + - As far as I can tell, copy_process() is the only user of + copy_thread_tls(), which is the only caller of copy_thread() for + architectures that don't implement copy_thread_tls(). + + - After this patch, there is no arch-specific code touching + p->set_child_tid or p->clear_child_tid whatsoever. + + - It may look like MIPS/OpenRISC wanted to always have these fields be + NULL, but that's not true, as copy_process() would unconditionally + set them again _after_ calling copy_thread_tls() before commit + 4d6501dce079. + +Fixes: 4d6501dce079c1eb6bf0b1d8f528a5e81770109e ("kthread: Fix use-after-free if kthread fork fails") +Reported-by: Guenter Roeck +Tested-by: Guenter Roeck # MIPS only +Acked-by: Stafford Horne +Acked-by: Oleg Nesterov +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: Jonas Bonn +Cc: Stefan Kristiansson +Cc: openrisc@lists.librecores.org +Cc: Jamie Iles +Cc: Thomas Gleixner +Signed-off-by: Vegard Nossum +Signed-off-by: Linus Torvalds +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 1 - + arch/openrisc/kernel/process.c | 2 -- + 2 files changed, 3 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -87,7 +87,6 @@ int copy_thread(unsigned long clone_flag + struct thread_info *ti = task_thread_info(p); + struct pt_regs *childregs, *regs = current_pt_regs(); + unsigned long childksp; +- p->set_child_tid = p->clear_child_tid = NULL; + + childksp = (unsigned long)task_stack_page(p) + THREAD_SIZE - 32; + +--- a/arch/openrisc/kernel/process.c ++++ b/arch/openrisc/kernel/process.c +@@ -152,8 +152,6 @@ copy_thread(unsigned long clone_flags, u + + top_of_kernel_stack = sp; + +- p->set_child_tid = p->clear_child_tid = NULL; +- + /* Locate userspace context on stack... */ + sp -= STACK_FRAME_OVERHEAD; /* redzone */ + sp -= sizeof(struct pt_regs); diff --git a/queue-3.18/kthread-fix-use-after-free-if-kthread-fork-fails.patch b/queue-3.18/kthread-fix-use-after-free-if-kthread-fork-fails.patch new file mode 100644 index 00000000000..ce10bac8bd1 --- /dev/null +++ b/queue-3.18/kthread-fix-use-after-free-if-kthread-fork-fails.patch @@ -0,0 +1,94 @@ +From 4d6501dce079c1eb6bf0b1d8f528a5e81770109e Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Tue, 9 May 2017 09:39:59 +0200 +Subject: kthread: Fix use-after-free if kthread fork fails + +From: Vegard Nossum + +commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream. + +If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but +fails in copy_process() between calling dup_task_struct() and setting +p->set_child_tid, then the value of p->set_child_tid will be inherited +from the parent and get prematurely freed by free_kthread_struct(). + + kthread() + - worker_thread() + - process_one_work() + | - call_usermodehelper_exec_work() + | - kernel_thread() + | - _do_fork() + | - copy_process() + | - dup_task_struct() + | - arch_dup_task_struct() + | - tsk->set_child_tid = current->set_child_tid // implied + | - ... + | - goto bad_fork_* + | - ... + | - free_task(tsk) + | - free_kthread_struct(tsk) + | - kfree(tsk->set_child_tid) + - ... + - schedule() + - __schedule() + - wq_worker_sleeping() + - kthread_data(task)->flags // UAF + +The problem started showing up with commit 1da5c46fa965 since it reused +->set_child_tid for the kthread worker data. + +A better long-term solution might be to get rid of the ->set_child_tid +abuse. The comment in set_kthread_struct() also looks slightly wrong. + +Debugged-by: Jamie Iles +Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed") +Signed-off-by: Vegard Nossum +Acked-by: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Greg Kroah-Hartman +Cc: Andy Lutomirski +Cc: Frederic Weisbecker +Cc: Jamie Iles +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1243,6 +1243,18 @@ static struct task_struct *copy_process( + if (!p) + goto fork_out; + ++ /* ++ * This _must_ happen before we call free_task(), i.e. before we jump ++ * to any of the bad_fork_* labels. This is to avoid freeing ++ * p->set_child_tid which is (ab)used as a kthread's data pointer for ++ * kernel threads (PF_KTHREAD). ++ */ ++ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; ++ /* ++ * Clear TID on mm_release()? ++ */ ++ p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; ++ + ftrace_graph_init_task(p); + + rt_mutex_init_task(p); +@@ -1406,11 +1418,6 @@ static struct task_struct *copy_process( + goto bad_fork_cleanup_io; + } + +- p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; +- /* +- * Clear TID on mm_release()? +- */ +- p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; + #ifdef CONFIG_BLOCK + p->plug = NULL; + #endif diff --git a/queue-3.18/series b/queue-3.18/series index f17ce1d4aa4..aaea9bc4d22 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -31,3 +31,8 @@ enic-do-not-call-enic_change_mtu-in-enic_probe.patch fixes-commit-86af955d02bb-mm-numa-avoid-waiting-on-freed-migrated-pages.patch asoc-wm8994-fix-missing-break-in-switch.patch i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch +cfq-give-a-chance-for-arming-slice-idle-timer-in-case-of-group_idle.patch +kthread-fix-use-after-free-if-kthread-fork-fails.patch +kthread-fix-boot-hang-regression-on-mips-openrisc.patch +staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch +staging-rts5208-fix-read-overflow-in-memcpy.patch diff --git a/queue-3.18/staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch b/queue-3.18/staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch new file mode 100644 index 00000000000..cc4d50437d5 --- /dev/null +++ b/queue-3.18/staging-rt5208-fix-a-sleep-in-atomic-bug-in-xd_copy_page.patch @@ -0,0 +1,41 @@ +From 498c4b4e9c23855d17ecc2a108d949bb68020481 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 5 Jun 2017 15:30:16 +0800 +Subject: staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page + +From: Jia-Ju Bai + +commit 498c4b4e9c23855d17ecc2a108d949bb68020481 upstream. + +The driver may sleep under a spin lock, and the function call path is: +rtsx_exclusive_enter_ss (acquire the lock by spin_lock) + rtsx_enter_ss + rtsx_power_off_card + xd_cleanup_work + xd_delay_write + xd_finish_write + xd_copy_page + wait_timeout + schedule_timeout --> may sleep + +To fix it, "wait_timeout" is replaced with mdelay in xd_copy_page. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rts5208/xd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/xd.c ++++ b/drivers/staging/rts5208/xd.c +@@ -1095,7 +1095,7 @@ static int xd_copy_page(struct rtsx_chip + reg = 0; + rtsx_read_register(chip, XD_CTL, ®); + if (reg & (XD_ECC1_ERROR | XD_ECC2_ERROR)) { +- wait_timeout(100); ++ mdelay(100); + + if (detect_card_cd(chip, + XD_CARD) != STATUS_SUCCESS) { diff --git a/queue-3.18/staging-rts5208-fix-read-overflow-in-memcpy.patch b/queue-3.18/staging-rts5208-fix-read-overflow-in-memcpy.patch new file mode 100644 index 00000000000..7cf0b1c1321 --- /dev/null +++ b/queue-3.18/staging-rts5208-fix-read-overflow-in-memcpy.patch @@ -0,0 +1,34 @@ +From 88a5b39b69ab1828fd4130e2baadd184109cea69 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Mon, 5 Jun 2017 21:52:34 -0700 +Subject: staging/rts5208: Fix read overflow in memcpy + +From: Daniel Micay + +commit 88a5b39b69ab1828fd4130e2baadd184109cea69 upstream. + +Noticed by FORTIFY_SOURCE, this swaps memcpy() for strncpy() to zero-value +fill the end of the buffer instead of over-reading a string from .rodata. + +Signed-off-by: Daniel Micay +[kees: wrote commit log] +Signed-off-by: Kees Cook +Cc: Greg Kroah-Hartman +Cc: Wayne Porter +Signed-off-by: Amit Pundir + +--- + drivers/staging/rts5208/rtsx_scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/rtsx_scsi.c ++++ b/drivers/staging/rts5208/rtsx_scsi.c +@@ -539,7 +539,7 @@ static int inquiry(struct scsi_cmnd *srb + + if (sendbytes > 8) { + memcpy(buf, inquiry_buf, 8); +- memcpy(buf + 8, inquiry_string, sendbytes - 8); ++ strncpy(buf + 8, inquiry_string, sendbytes - 8); + if (pro_formatter_flag) { + /* Additional Length */ + buf[4] = 0x33;