--- /dev/null
+From 4437936c6b696b98f3fe1d8679a2788c41b4df77 Mon Sep 17 00:00:00 2001
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Date: Mon, 12 Aug 2024 12:13:44 -0400
+Subject: drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination
+
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+
+commit 4437936c6b696b98f3fe1d8679a2788c41b4df77 upstream.
+
+Synaptics Cascaded Panamera topology needs to unconditionally
+acquire root aux for dsc decoding.
+
+Reviewed-by: Roman Li <roman.li@amd.com>
+Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Mario Limonciello <superm1@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -251,7 +251,7 @@ static bool validate_dsc_caps_on_connect
+ aconnector->dsc_aux = &aconnector->mst_root->dm_dp_aux.aux;
+
+ /* synaptics cascaded MST hub case */
+- if (!aconnector->dsc_aux && is_synaptics_cascaded_panamera(aconnector->dc_link, port))
++ if (is_synaptics_cascaded_panamera(aconnector->dc_link, port))
+ aconnector->dsc_aux = port->mgr->aux;
+
+ if (!aconnector->dsc_aux)
--- /dev/null
+From 2f3d8ff457982f4055fe8f7bf19d3821ba22c376 Mon Sep 17 00:00:00 2001
+From: yangyun <yangyun50@huawei.com>
+Date: Sat, 14 Sep 2024 16:51:31 +0800
+Subject: fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set
+
+From: yangyun <yangyun50@huawei.com>
+
+commit 2f3d8ff457982f4055fe8f7bf19d3821ba22c376 upstream.
+
+This may be a typo. The comment has said shared locks are
+not allowed when this bit is set. If using shared lock, the
+wait in `fuse_file_cached_io_open` may be forever.
+
+Fixes: 205c1d802683 ("fuse: allow parallel dio writes with FUSE_DIRECT_IO_ALLOW_MMAP")
+CC: stable@vger.kernel.org # v6.9
+Signed-off-by: yangyun <yangyun50@huawei.com>
+Reviewed-by: Bernd Schubert <bschubert@ddn.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index b8afeca12487..1b5cd46c8225 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1345,7 +1345,7 @@ static bool fuse_dio_wr_exclusive_lock(struct kiocb *iocb, struct iov_iter *from
+
+ /* shared locks are not allowed with parallel page cache IO */
+ if (test_bit(FUSE_I_CACHE_IO_MODE, &fi->state))
+- return false;
++ return true;
+
+ /* Parallel dio beyond EOF is not supported, at least for now. */
+ if (fuse_io_past_eof(iocb, from))
+--
+2.46.2
+
--- /dev/null
+From 04beb6e0e08c30c6f845f50afb7d7953603d7a6f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 18 Sep 2024 11:58:19 -0600
+Subject: io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 04beb6e0e08c30c6f845f50afb7d7953603d7a6f upstream.
+
+If some part of the kernel adds task_work that needs executing, in terms
+of signaling it'll generally use TWA_SIGNAL or TWA_RESUME. Those two
+directly translate to TIF_NOTIFY_SIGNAL or TIF_NOTIFY_RESUME, and can
+be used for a variety of use case outside of task_work.
+
+However, io_cqring_wait_schedule() only tests explicitly for
+TIF_NOTIFY_SIGNAL. This means it can miss if task_work got added for
+the task, but used a different kind of signaling mechanism (or none at
+all). Normally this doesn't matter as any task_work will be run once
+the task exits to userspace, except if:
+
+1) The ring is setup with DEFER_TASKRUN
+2) The local work item may generate normal task_work
+
+For condition 2, this can happen when closing a file and it's the final
+put of that file, for example. This can cause stalls where a task is
+waiting to make progress inside io_cqring_wait(), but there's nothing else
+that will wake it up. Hence change the "should we schedule or loop around"
+check to check for the presence of task_work explicitly, rather than just
+TIF_NOTIFY_SIGNAL as the mechanism. While in there, also change the
+ordering of what type of task_work first in terms of ordering, to both
+make it consistent with other task_work runs in io_uring, but also to
+better handle the case of defer task_work generating normal task_work,
+like in the above example.
+
+Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
+Link: https://github.com/axboe/liburing/issues/1235
+Cc: stable@vger.kernel.org
+Fixes: 846072f16eed ("io_uring: mimimise io_cqring_wait_schedule")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2401,7 +2401,7 @@ static inline int io_cqring_wait_schedul
+ return 1;
+ if (unlikely(!llist_empty(&ctx->work_llist)))
+ return 1;
+- if (unlikely(test_thread_flag(TIF_NOTIFY_SIGNAL)))
++ if (unlikely(task_work_pending(current)))
+ return 1;
+ if (unlikely(task_sigpending(current)))
+ return -EINTR;
+@@ -2502,9 +2502,9 @@ static int io_cqring_wait(struct io_ring
+ * If we got woken because of task_work being processed, run it
+ * now rather than let the caller do another wait loop.
+ */
+- io_run_task_work();
+ if (!llist_empty(&ctx->work_llist))
+ io_run_local_work(ctx, nr_wait);
++ io_run_task_work();
+
+ /*
+ * Non-local task_work will be run on exit to userspace, but
--- /dev/null
+From c0a9d496e0fece67db777bd48550376cf2960c47 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 10 Sep 2024 08:30:57 -0600
+Subject: io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit c0a9d496e0fece67db777bd48550376cf2960c47 upstream.
+
+Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for
+an IOCB_NOWAIT read/write attempt. While this can be argued to be
+correct, the usual return value for something that requires blocking
+issue is -EAGAIN.
+
+A refactoring io_uring commit dropped calling kiocb_done() for
+negative return values, which is otherwise where we already do that
+transformation. To ensure we catch it in both spots, check it in
+__io_read() itself as well.
+
+Reported-by: Robert Sander <r.sander@heinlein-support.de>
+Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440
+Cc: stable@vger.kernel.org
+Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -856,6 +856,14 @@ static int __io_read(struct io_kiocb *re
+
+ ret = io_iter_do_read(rw, &io->iter);
+
++ /*
++ * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
++ * issue, even though they should be returning -EAGAIN. To be safe,
++ * retry from blocking context for either.
++ */
++ if (ret == -EOPNOTSUPP && force_nonblock)
++ ret = -EAGAIN;
++
+ if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
+ req->flags &= ~REQ_F_REISSUE;
+ /* If we can poll, just do that. */
--- /dev/null
+From f011c9cf04c06f16b24f583d313d3c012e589e50 Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Mon, 9 Sep 2024 17:00:36 +0200
+Subject: io_uring/sqpoll: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream.
+
+The submit queue polling threads are userland threads that just never
+exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF,
+the affinity of the poller thread is set to the cpu specified in
+sq_thread_cpu. However, this CPU can be outside of the cpuset defined
+by the cgroup cpuset controller. This violates the rules defined by the
+cpuset controller and is a potential issue for realtime applications.
+
+In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in
+case no explicit pinning is required by inheriting the one of the
+creating task. In case of explicit pinning, the check is more
+complicated, as also a cpu outside of the parent cpumask is allowed.
+We implemented this by using cpuset_cpus_allowed (that has support for
+cgroup cpusets) and testing if the requested cpu is in the set.
+
+Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker")
+Cc: stable@vger.kernel.org # 6.1+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/sqpoll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -10,6 +10,7 @@
+ #include <linux/slab.h>
+ #include <linux/audit.h>
+ #include <linux/security.h>
++#include <linux/cpuset.h>
+ #include <linux/io_uring.h>
+
+ #include <uapi/linux/io_uring.h>
+@@ -460,10 +461,12 @@ __cold int io_sq_offload_create(struct i
+ return 0;
+
+ if (p->flags & IORING_SETUP_SQ_AFF) {
++ struct cpumask allowed_mask;
+ int cpu = p->sq_thread_cpu;
+
+ ret = -EINVAL;
+- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
++ cpuset_cpus_allowed(current, &allowed_mask);
++ if (!cpumask_test_cpu(cpu, &allowed_mask))
+ goto err_sqpoll;
+ sqd->sq_cpu = cpu;
+ } else {
--- /dev/null
+From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
+From: Shu Han <ebpqwerty472123@gmail.com>
+Date: Tue, 17 Sep 2024 17:41:04 +0800
+Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
+
+From: Shu Han <ebpqwerty472123@gmail.com>
+
+commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
+
+The remap_file_pages syscall handler calls do_mmap() directly, which
+doesn't contain the LSM security check. And if the process has called
+personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
+RW pages, this will actually result in remapping the pages to RWX,
+bypassing a W^X policy enforced by SELinux.
+
+So we should check prot by security_mmap_file LSM hook in the
+remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
+potentially permits an attacker to bypass a W^X policy enforced by
+SELinux.
+
+The bypass is similar to CVE-2016-10044, which bypass the same thing via
+AIO and can be found in [1].
+
+The PoC:
+
+$ cat > test.c
+
+int main(void) {
+ size_t pagesz = sysconf(_SC_PAGE_SIZE);
+ int mfd = syscall(SYS_memfd_create, "test", 0);
+ const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
+ MAP_SHARED, mfd, 0);
+ unsigned int old = syscall(SYS_personality, 0xffffffff);
+ syscall(SYS_personality, READ_IMPLIES_EXEC | old);
+ syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
+ syscall(SYS_personality, old);
+ // show the RWX page exists even if W^X policy is enforced
+ int fd = open("/proc/self/maps", O_RDONLY);
+ unsigned char buf2[1024];
+ while (1) {
+ int ret = read(fd, buf2, 1024);
+ if (ret <= 0) break;
+ write(1, buf2, ret);
+ }
+ close(fd);
+}
+
+$ gcc test.c -o test
+$ ./test | grep rwx
+7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
+
+Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Shu Han <ebpqwerty472123@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+[PM: subject line tweaks]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3127,8 +3127,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ flags |= MAP_LOCKED;
+
+ file = get_file(vma->vm_file);
++ ret = security_mmap_file(vma->vm_file, prot, flags);
++ if (ret)
++ goto out_fput;
+ ret = do_mmap(vma->vm_file, start, size,
+ prot, flags, 0, pgoff, &populate, NULL);
++out_fput:
+ fput(file);
+ out:
+ mmap_write_unlock(mm);
--- /dev/null
+From 8001070cfbec5cd4ea00b8b48ea51df91122f265 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Tue, 24 Sep 2024 22:00:53 +0900
+Subject: mm: migrate: annotate data-race in migrate_folio_unmap()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 8001070cfbec5cd4ea00b8b48ea51df91122f265 upstream.
+
+I found a report from syzbot [1]
+
+This report shows that the value can be changed, but in reality, the
+value of __folio_set_movable() cannot be changed because it holds the
+folio refcount.
+
+Therefore, it is appropriate to add an annotate to make KCSAN
+ignore that data-race.
+
+[1]
+
+==================================================================
+BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch
+
+write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0:
+ page_cache_delete mm/filemap.c:153 [inline]
+ __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233
+ filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265
+ truncate_inode_folio+0x42/0x50 mm/truncate.c:178
+ shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028
+ shmem_truncate_range mm/shmem.c:1144 [inline]
+ shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272
+ evict+0x2f0/0x580 fs/inode.c:731
+ iput_final fs/inode.c:1883 [inline]
+ iput+0x42a/0x5b0 fs/inode.c:1909
+ dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412
+ __dentry_kill+0x18b/0x4c0 fs/dcache.c:615
+ dput+0x5c/0xd0 fs/dcache.c:857
+ __fput+0x3fb/0x6d0 fs/file_table.c:439
+ ____fput+0x1c/0x30 fs/file_table.c:459
+ task_work_run+0x13a/0x1a0 kernel/task_work.c:228
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218
+ do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1:
+ __folio_test_movable include/linux/page-flags.h:699 [inline]
+ migrate_folio_unmap mm/migrate.c:1199 [inline]
+ migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797
+ migrate_pages_sync mm/migrate.c:1963 [inline]
+ migrate_pages+0xff1/0x1820 mm/migrate.c:2072
+ do_mbind mm/mempolicy.c:1390 [inline]
+ kernel_mbind mm/mempolicy.c:1533 [inline]
+ __do_sys_mbind mm/mempolicy.c:1607 [inline]
+ __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603
+ __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603
+ x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+value changed: 0xffff888127601078 -> 0x0000000000000000
+
+Link: https://lkml.kernel.org/r/20240924130053.107490-1-aha310510@gmail.com
+Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1129,7 +1129,7 @@ static int migrate_folio_unmap(new_folio
+ int rc = -EAGAIN;
+ int old_page_state = 0;
+ struct anon_vma *anon_vma = NULL;
+- bool is_lru = !__folio_test_movable(src);
++ bool is_lru = data_race(!__folio_test_movable(src));
+ bool locked = false;
+ bool dst_locked = false;
+
netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
netfilter-nf_tables-missing-objects-with-no-memcg-ac.patch
selftests-netfilter-avoid-hanging-ipvs.sh.patch
+io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
+io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch
+io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
+fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch
+mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch
+mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
