Add the BFQ-v7r8 I/O scheduler to 3.4.
The general structure is borrowed from CFQ, as much of the code for
handling I/O contexts. Over time, several useful features have been
ported from CFQ as well (details in the changelog in README.BFQ). A
(bfq_)queue is associated to each task doing I/O on a device, and each
time a scheduling decision has to be made a queue is selected and served
until it expires.
- Slices are given in the service domain: tasks are assigned
budgets, measured in number of sectors. Once got the disk, a task
must however consume its assigned budget within a configurable
maximum time (by default, the maximum possible value of the
budgets is automatically computed to comply with this timeout).
This allows the desired latency vs "throughput boosting" tradeoff
to be set.
- Budgets are scheduled according to a variant of WF2Q+, implemented
using an augmented rb-tree to take eligibility into account while
preserving an O(log N) overall complexity.
- A low-latency tunable is provided; if enabled, both interactive
and soft real-time applications are guaranteed a very low latency.
- Latency guarantees are preserved also in the presence of NCQ.
- Also with flash-based devices, a high throughput is achieved
while still preserving latency guarantees.
- BFQ features Early Queue Merge (EQM), a sort of fusion of the
cooperating-queue-merging and the preemption mechanisms present
in CFQ. EQM is in fact a unified mechanism that tries to get a
sequential read pattern, and hence a high throughput, with any
set of processes performing interleaved I/O over a contiguous
sequence of sectors.
- BFQ supports full hierarchical scheduling, exporting a cgroups
interface. Since each node has a full scheduler, each group can
be assigned its own weight.
- If the cgroups interface is not used, only I/O priorities can be
assigned to processes, with ioprio values mapped to weights
with the relation weight = IOPRIO_BE_NR - ioprio.
- ioprio classes are served in strict priority order, i.e., lower
priority queues are not served as long as there are higher
priority queues. Among queues in the same class the bandwidth is
distributed in proportion to the weight of each queue. A very
thin extra bandwidth is however guaranteed to the Idle class, to
prevent it from starving.
Change-Id: I62eb1769f7d6b4e542a10a9c7751a454d31c04de
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Update Kconfig.iosched and do the related Makefile changes to include
kernel configuration options for BFQ. Also add the bfqio controller
to the cgroups subsystem.
Change-Id: I540ea28658b44c16b998f36eb9c97205f4f288f3
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
These warnings are encountered when building with GCC 4.9.
Change-Id: I58b0c4f8c2d1724e42bb8037104ef93337c46f3d
Signed-off-by: Zhao Wei Liew <zhaoweiliew@gmail.com>
Generated straight from flo_defconfig and added CM localversion.
Change-Id: I666e01bc84447c41970dee677127623e86b8821e
Signed-off-by: Zhao Wei Liew <zhaoweiliew@gmail.com>
Augment the compat ioctl table with entries for
PM control of TTY devices. These compat entries
were not present since other TTY/serial core drivers
were not using them.
Backported from msm-3.18.
Change-Id: I96a0e54c001d780a2a427380655f1fbb0091aef7
Signed-off-by: Naveen Kaje <nkaje@codeaurora.org>
We had for some reason overlooked the AIO interface, and it didn't use
the proper rw_verify_area() helper function that checks (for example)
mandatory locking on the file, and that the size of the access doesn't
cause us to overflow the provided offset limits etc.
Instead, AIO did just the security_file_permission() thing (that
rw_verify_area() also does) directly.
This fixes it to do all the proper helper functions, which not only
means that now mandatory file locking works with AIO too, we can
actually remove lines of code.
Bug: 28939037
Reported-by: Manish Honap <manish_honap_vit@yahoo.co.in>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit a70b52ec1a)
Change-Id: I2e182e973b44ba97c45c80d52d8a0b7c32a72750
Add:
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
to android-base.cfg
The kernel.perf_event_paranoid sysctl is set to 3 by default.
No unprivileged use of the perf_event_open syscall will be
permitted unless it is changed.
Bug: 29054680
Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
perf_event_paranoid was only documented in source code and a perf error
message. Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.
BACKPORT notes:
The error printing from upstream does not exist in the 3.4 kernel.
Only backporting the documentation update from this commit.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Bug: 29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Bug: 28980217
Change-Id: Iff69ca708e0022ce9301efae798798b9bfcf9e25
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Bug: 28980217
Change-Id: I2bef279bbaa1f20ea831d364b3a4a09a27f07025
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Bug: 28980557
Change-Id: Ib66cfcc1e36025255d7f518f3df2c39a21858886
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e)
ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object. A simplistic fix is to make
each ioctl exclusive. We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.
The downside is, of course, the worse concurrency. But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.
Bug: 28694392
Change-Id: I1ac52f1cba5e7408fd88c8fc1c30ca2e83967ebb
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit af368027a49a751d6ff4ee9e3f9961f35bb4fede)
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]
This patch addresses multiple problems :
UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.
Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())
This patch adds full RCU protection to np->opt
BUG: 28746669
Change-Id: I207da29ac48bb6dd7c40d65f9e27c4e3ff508da0
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Pierre Imai <imaipi@google.com>
Bug: 28744625
In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.
(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
Change-Id: Id1708db3833ade7f1406b941f0bc20671c9c3b3b
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 28759139
Change-Id: I561a14b514d714838ef539a94275b117d7f475f4
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
the stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”
Bug: 28620102
Change-Id: I13da380c6fe8abca49e3cf9f05293c02b44d2e5e
Signed-off-by: kangjie <kangjielu@gmail.com>
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.
Bug: 28619695
Change-Id: I170754d659d0891c075f85211b5e3970b114f097
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If we add the mem entry pointer in the process idr and rb tree
too early, other threads can do operations on the entry by
guessing the ID or GPU address before the object gets returned
by the creating operation.
Allocate an ID for the object but don't assign the pointer until
right before the creating function returns ensuring that another
operation can't access it until it is ready.
Bug: 28026365
CRs-Fixed: 1002974
Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Santhosh Punugu <spunug@codeaurora.org>
Validate pointers send from user space and pointers
embedded within the mesasge sent from user space.
Bug: 28769920
Change-Id: I1be54924ef3d301908af6e8d4e6506f2aa7f6428
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Gilad Avidov <giladavidov@google.com>
Validate the caller is the right type for the IOCTL being
issued and inputs are valid.
Bug: 28747998
Change-Id: Iad71f0f5ed4d53c5d011bd55cdf74ec053d09af5
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Validate cmd_req_buf pointer offset in qseecom_send_modfy_cmd, and
make sure cmd buffer address to be within shared bufffer.
Bug: 28804057
Change-Id: I431511a92ab2cccbc2daebc0cf76cc3872689a97
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Bug: 28751152
Change-Id: I79b7e5f875fadcaeceb05f9163ae3666d4b6b7e1
CRs-Fixed: 563086
Signed-off-by: Mohammad Johny Shaik <mjshai@codeaurora.org>
Printing a string with that does not have null terminated character,
would lead to overflow, as the print continues until it finds a null
terminated character.
Avoid this issue by explicitly assigning a string with null termination.
Bug: 28749708
Change-Id: I9528db2ba046c514d829097d08c09540588bb1a2
Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
Add check in order to fix possible integer underflow
during HDLC encoding which may lead to buffer
overflow. Also added check for packet length to
avoid buffer overflow.
Bug: 28767796
Change-Id: Ic91b5ee629066f013022ea139b4a23ec661aa77a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
The permissions of /proc/iomem currently are -r--r--r--. Everyone can
see its content. As iomem contains information about the physical memory
content of the device, restrict the information only to root.
Change-Id: If0be35c3fac5274151bea87b738a48e6ec0ae891
bug: 28814213
CRs-Fixed: 786116
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
Signed-off-by: Avijit Kanti Das <avijitnsec@codeaurora.org>
This change fixes several incorrect or missing array index bound checks.
Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
Since commit 6a1c53124a the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.
There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.
This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.
Change-Id: Ib1e25be7b9faa846ba5335aad2574e21a1246066
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: a4780adeef
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[joonwoop@codeaurora.org: fixed merge conflict]
CRs-fixed: 561044
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Bug: 28749743
snd_compr_tstamp is initialized using aggregate initialization
that does not zero out the padded bytes. Initialize timestamp
structure to zero using memset to avoid this.
Bug: 28770164
CRs-Fixed: 568717
Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
At certain point in diag driver there can be integer underflow
thus can lead to memory leak. Added a safeguard for that.
Bug: 28750726
Change-Id: I8cc6a8336cd2c5c88c49748c0be2df1696894f2b
Signed-off-by: Yuan Lin <yualin@google.com>
Check for invalid parameters passed in user invocation
and validate the return values using appropriate macros.
Bug: 28767593
Change-Id: I9a067f2ab151084b46e9d4d5fb945320a27bb7ba
Signed-off-by: Yuan Lin <yualin@google.com>
Added bounds check to user input num_streams at several location,
without checking a position outside array could be dereferenced
Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
I2C command length is of 11 bytes, it includes 10 bytes of data and
1 byte of WR command. Use 11 bytes char array to create command.
Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
Some security vulnerabilities were found.
To fix them, additional verifications of some input parameters
are required.
bug: 28814690
CRs-Fixed: 554575, 554560, 555030
Change-Id: Ie87a433bcda89c3e462cfd511c168e8306056020
Signed-off-by: Baruch Eruchimovitch <baruche@codeaurora.org>
Diag driver holds on to the socket process task structure even
after signaling the process to exit. This patch clears the internal
handle after signaling.
bug: 28803962
Change-Id: I642fb595fc2caebc6f2f5419efed4fb560e4e4db
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
The index of used stats register is derived from a stream handle least
significant byte and thus can be up to 255. However the stats registers
are up to 8 depending of the target. Thus a bound check is done before
use of the received stats register index value.
Bug: 28749728
Change-Id: I23f1add81eb8e0844103a3a3f59f4e4c2af14ffd
Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.
Bug: 28749728
Change-Id: I29d9b62cec045598645fbc0e6e62c500eb74bb97
The value csi_lane_mask which is uint16_t is controllable from userspace.
The while loop can loop for 2^16 - 1, Hence extract the required
bit combination from the userspace argument, used it for further
processing.
Bug: 28749721
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
Added checks for DCI request packets to be greater than the minimum
packet length. We would drop the request and print an error otherwise.
CRs-Fixed: 483310
Bug: 28767589
Change-Id: Ib7a713be3d6f5a6e0ec3ac280aebd800058447c7
Signed-off-by: Ravi Aravamudhan <aravamud@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
At certain point in diag driver there can be integer overflow
thus can lead to memory leak. Added a safegaurd for it.
Bug: 28769912
Change-Id: Ib7070218b9ea7a1b9efca02b4c456ad9501085cd
Signed-off-by: Katish Paran <kparan@codeaurora.org>
Signed-off-by: Yuan Lin <yualin@google.com>
Upper and lower bound checks are enforced for num_cid
which is passed from userspace with lower as 1 and
max of 16.
Bug: 28747684
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
