PKGBUILDs/core/linux-kirkwood/0001-block-bfq-attempt-to-fix-use-after-free-which-3.3.0-to-3.8.0.patch

From 599be431332e31a25ebe203155fa18d34781c3d3 Mon Sep 17 00:00:00 2001
From: Arianna Avanzini <avanzini.arianna@gmail.com>
Date: Tue, 5 Mar 2013 10:41:49 +0100
Subject: [PATCH] block, bfq: attempt to fix use-after-free which affects SLUB
 behavior (3.3.0 to 3.8.0)

It may happen that a call to bfq_del_bfqq_busy() puts the last
reference taken on a queue and frees it. Subsequent accesses to that
same queue would result in a use-after-free. Make sure that a queue
that has just been deleted from busy is no more touched.
---
 block/bfq-iosched.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index 9378b7d..e9a6514 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -1244,14 +1244,23 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
 
 	__bfq_bfqd_reset_active(bfqd);
 
+	/*
+	 * If this bfqq is shared between multiple processes, check
+	 * to make sure that those processes are still issuing I/Os
+	 * within the mean seek distance. If not, it may be time to
+	 * break the queues apart again.
+	 */
+	if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))
+		bfq_mark_bfqq_split_coop(bfqq);
+
 	if (RB_EMPTY_ROOT(&bfqq->sort_list)) {
-		bfq_del_bfqq_busy(bfqd, bfqq, 1);
 		/*
 		 * overloading budget_timeout field to store when
 		 * the queue remains with no backlog, used by
 		 * the weight-raising mechanism
 		 */
 		bfqq->budget_timeout = jiffies ;
+		bfq_del_bfqq_busy(bfqd, bfqq, 1);
 	} else {
 		bfq_activate_bfqq(bfqd, bfqq);
 		/*
@@ -1259,15 +1268,6 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
 		 */
 		bfq_rq_pos_tree_add(bfqd, bfqq);
 	}
-
-	/*
-	 * If this bfqq is shared between multiple processes, check
-	 * to make sure that those processes are still issuing I/Os
-	 * within the mean seek distance. If not, it may be time to
-	 * break the queues apart again.
-	 */
-	if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))
-		bfq_mark_bfqq_split_coop(bfqq);
 }
 
 /**
-- 
1.8.1.4
core/linux-kirkwood add BFQ patch files (source host seems to be down) 2013-05-02 20:23:19 +00:00			`From 599be431332e31a25ebe203155fa18d34781c3d3 Mon Sep 17 00:00:00 2001`
			`From: Arianna Avanzini <avanzini.arianna@gmail.com>`
			`Date: Tue, 5 Mar 2013 10:41:49 +0100`
			`Subject: [PATCH] block, bfq: attempt to fix use-after-free which affects SLUB`
			`behavior (3.3.0 to 3.8.0)`

			`It may happen that a call to bfq_del_bfqq_busy() puts the last`
			`reference taken on a queue and frees it. Subsequent accesses to that`
			`same queue would result in a use-after-free. Make sure that a queue`
			`that has just been deleted from busy is no more touched.`
			`---`
			`block/bfq-iosched.c \| 20 ++++++++++----------`
			`1 file changed, 10 insertions(+), 10 deletions(-)`

			`diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c`
			`index 9378b7d..e9a6514 100644`
			`--- a/block/bfq-iosched.c`
			`+++ b/block/bfq-iosched.c`
			`@@ -1244,14 +1244,23 @@ static void __bfq_bfqq_expire(struct bfq_data bfqd, struct bfq_queue bfqq)`

			`__bfq_bfqd_reset_active(bfqd);`

			`+ /*`
			`+ * If this bfqq is shared between multiple processes, check`
			`+ * to make sure that those processes are still issuing I/Os`
			`+ * within the mean seek distance. If not, it may be time to`
			`+ * break the queues apart again.`
			`+ */`
			`+ if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))`
			`+ bfq_mark_bfqq_split_coop(bfqq);`
			`+`
			`if (RB_EMPTY_ROOT(&bfqq->sort_list)) {`
			`- bfq_del_bfqq_busy(bfqd, bfqq, 1);`
			`/*`
			`* overloading budget_timeout field to store when`
			`* the queue remains with no backlog, used by`
			`* the weight-raising mechanism`
			`*/`
			`bfqq->budget_timeout = jiffies ;`
			`+ bfq_del_bfqq_busy(bfqd, bfqq, 1);`
			`} else {`
			`bfq_activate_bfqq(bfqd, bfqq);`
			`/*`
			`@@ -1259,15 +1268,6 @@ static void __bfq_bfqq_expire(struct bfq_data bfqd, struct bfq_queue bfqq)`
			`*/`
			`bfq_rq_pos_tree_add(bfqd, bfqq);`
			`}`
			`-`
			`- /*`
			`- * If this bfqq is shared between multiple processes, check`
			`- * to make sure that those processes are still issuing I/Os`
			`- * within the mean seek distance. If not, it may be time to`
			`- * break the queues apart again.`
			`- */`
			`- if (bfq_bfqq_coop(bfqq) && BFQQ_SEEKY(bfqq))`
			`- bfq_mark_bfqq_split_coop(bfqq);`
			`}`

			`/**`
			`--`
			`1.8.1.4`