From 9c945434415c8211b66bec637a635337adf05bca Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 1 Oct 2024 09:56:56 +0200
Subject: [PATCH] 6.6-stable patches
added patches:
drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
---
 ...-cascaded-panamera-dsc-determination.patch | 34 ++++++++
 ...k_work-rather-than-tif_notify_signal.patch | 66 ++++++++++++++++
 ...-not-allow-pinning-outside-of-cpuset.patch | 57 ++++++++++++++
 ...ap_file-lsm-hook-in-remap_file_pages.patch | 77 +++++++++++++++++++
 queue-6.6/series | 4 +
 5 files changed, 238 insertions(+)
 create mode 100644 queue-6.6/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
 create mode 100644 queue-6.6/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
 create mode 100644 queue-6.6/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
 create mode 100644 queue-6.6/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
diff --git a/queue-6.6/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch b/queue-6.6/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
new file mode 100644
index 00000000000..094d9246ebe
--- /dev/null
+++ b/queue-6.6/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
@@ -0,0 +1,34 @@
+From 4437936c6b696b98f3fe1d8679a2788c41b4df77 Mon Sep 17 00:00:00 2001
+From: Fangzhi Zuo
+Date: Mon, 12 Aug 2024 12:13:44 -0400
+Subject: drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination
+
+From: Fangzhi Zuo
+
+commit 4437936c6b696b98f3fe1d8679a2788c41b4df77 upstream.
+
+Synaptics Cascaded Panamera topology needs to unconditionally
+acquire root aux for dsc decoding.
+
+Reviewed-by: Roman Li
+Signed-off-by: Fangzhi Zuo
+Signed-off-by: Zaeem Mohamed
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Cc: Mario Limonciello
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -246,7 +246,7 @@ static bool validate_dsc_caps_on_connect
+ aconnector->dsc_aux = &aconnector->mst_root->dm_dp_aux.aux;
+
+ /* synaptics cascaded MST hub case */
+- if (!aconnector->dsc_aux && is_synaptics_cascaded_panamera(aconnector->dc_link, port))
++ if (is_synaptics_cascaded_panamera(aconnector->dc_link, port))
+ aconnector->dsc_aux = port->mgr->aux;
+
+ if (!aconnector->dsc_aux)
diff --git a/queue-6.6/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch b/queue-6.6/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
new file mode 100644
index 00000000000..db6e7ced742
--- /dev/null
+++ b/queue-6.6/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
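Review bot: The new `if (is_synaptics_cascaded_panamera(aconnector->dc_link, port))` now overwrites whatever `aconnector->dsc_aux` was assigned on the line above, but the only in-code explanation is the terse `/* synaptics cascaded MST hub case */`; the reason the earlier assignment must be replaced for this topology lives only in the commit message. I would widen that comment to `/* Synaptics cascaded Panamera hub: DSC caps must be read through the MST manager's aux, so override the aux assigned above. */` so the next reader does not restore the `!aconnector->dsc_aux` guard. If `port->mgr` can be NULL when the helper returns true — I cannot tell from the hunk — the `port->mgr->aux` dereference on the following line is unguarded, although the same dereference existed on the old path. The enclosing validate_dsc_caps_on_connector() starts and ends outside the hunk.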
@@ -0,0 +1,66 @@
+From 04beb6e0e08c30c6f845f50afb7d7953603d7a6f Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Wed, 18 Sep 2024 11:58:19 -0600
+Subject: io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL
+
+From: Jens Axboe
+
+commit 04beb6e0e08c30c6f845f50afb7d7953603d7a6f upstream.
+
+If some part of the kernel adds task_work that needs executing, in terms
+of signaling it'll generally use TWA_SIGNAL or TWA_RESUME. Those two
+directly translate to TIF_NOTIFY_SIGNAL or TIF_NOTIFY_RESUME, and can
+be used for a variety of use case outside of task_work.
+
+However, io_cqring_wait_schedule() only tests explicitly for
+TIF_NOTIFY_SIGNAL. This means it can miss if task_work got added for
+the task, but used a different kind of signaling mechanism (or none at
+all). Normally this doesn't matter as any task_work will be run once
+the task exits to userspace, except if:
+
+1) The ring is setup with DEFER_TASKRUN
+2) The local work item may generate normal task_work
+
+For condition 2, this can happen when closing a file and it's the final
+put of that file, for example. This can cause stalls where a task is
+waiting to make progress inside io_cqring_wait(), but there's nothing else
+that will wake it up. Hence change the "should we schedule or loop around"
+check to check for the presence of task_work explicitly, rather than just
+TIF_NOTIFY_SIGNAL as the mechanism. While in there, also change the
+ordering of what type of task_work first in terms of ordering, to both
+make it consistent with other task_work runs in io_uring, but also to
+better handle the case of defer task_work generating normal task_work,
+like in the above example.
+
+Reported-by: Jan Hendrik Farr
+Link: https://github.com/axboe/liburing/issues/1235
+Cc: stable@vger.kernel.org
+Fixes: 846072f16eed ("io_uring: mimimise io_cqring_wait_schedule")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2514,7 +2514,7 @@ static inline int io_cqring_wait_schedul
+ return 1;
+ if (unlikely(!llist_empty(&ctx->work_llist)))
+ return 1;
+- if (unlikely(test_thread_flag(TIF_NOTIFY_SIGNAL)))
++ if (unlikely(task_work_pending(current)))
+ return 1;
+ if (unlikely(task_sigpending(current)))
+ return -EINTR;
+@@ -2610,9 +2610,9 @@ static int io_cqring_wait(struct io_ring
+ * If we got woken because of task_work being processed, run it
+ * now rather than let the caller do another wait loop.
+ */
+- io_run_task_work();
+ if (!llist_empty(&ctx->work_llist))
+ io_run_local_work(ctx, nr_wait);
++ io_run_task_work();
+
+ /*
+ * Non-local task_work will be run on exit to userspace, but
diff --git a/queue-6.6/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch b/queue-6.6/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
new file mode 100644
index 00000000000..05767ffa637
--- /dev/null
+++ b/queue-6.6/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
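Review bot: The comment kept above the reordered calls in io_cqring_wait() (`If we got woken because of task_work being processed, run it now rather than let the caller do another wait loop.`) no longer explains the order the code now runs in: local work is drained first and `io_run_task_work()` second, precisely so that normal task_work queued by a local item (the final fput case from the commit message) is picked up in the same pass instead of stalling the waiter. I would add a line to that comment, e.g. `* Run local work first: it may queue normal task_work, which io_run_task_work() then drains before we decide whether to sleep again.` The new `task_work_pending(current)` test in io_cqring_wait_schedule() is deliberately wider than the old TIF_NOTIFY_SIGNAL check (it fires for queued task_work regardless of how, or whether, it was signalled), which also deserves a one-line comment so nobody "optimises" it back to the thread flag. Both io_cqring_wait_schedule() and io_cqring_wait() start and end outside the hunk.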
@@ -0,0 +1,57 @@
+From f011c9cf04c06f16b24f583d313d3c012e589e50 Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer
+Date: Mon, 9 Sep 2024 17:00:36 +0200
+Subject: io_uring/sqpoll: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer
+
+commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream.
+
+The submit queue polling threads are userland threads that just never
+exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF,
+the affinity of the poller thread is set to the cpu specified in
+sq_thread_cpu. However, this CPU can be outside of the cpuset defined
+by the cgroup cpuset controller. This violates the rules defined by the
+cpuset controller and is a potential issue for realtime applications.
+
+In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in
+case no explicit pinning is required by inheriting the one of the
+creating task. In case of explicit pinning, the check is more
+complicated, as also a cpu outside of the parent cpumask is allowed.
+We implemented this by using cpuset_cpus_allowed (that has support for
+cgroup cpusets) and testing if the requested cpu is in the set.
+
+Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker")
+Cc: stable@vger.kernel.org # 6.1+
+Signed-off-by: Felix Moessbauer
+Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/sqpoll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++ #include
+ #include
+
+ #include
+@@ -401,10 +402,12 @@ __cold int io_sq_offload_create(struct i
+ return 0;
+
+ if (p->flags & IORING_SETUP_SQ_AFF) {
++ struct cpumask allowed_mask;
+ int cpu = p->sq_thread_cpu;
+
+ ret = -EINVAL;
+- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
++ cpuset_cpus_allowed(current, &allowed_mask);
++ if (!cpumask_test_cpu(cpu, &allowed_mask))
+ goto err_sqpoll;
+ sqd->sq_cpu = cpu;
+ } else {
diff --git a/queue-6.6/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch b/queue-6.6/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
new file mode 100644
index 00000000000..a81ed7f03b5
--- /dev/null
+++ b/queue-6.6/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
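Review bot: Replacing `if (cpu >= nr_cpu_ids || !cpu_online(cpu))` with `if (!cpumask_test_cpu(cpu, &allowed_mask))` drops the only range check on `cpu`, and `cpu` is taken straight from the setup parameters (`p->sq_thread_cpu`), which as far as I can tell are user-supplied; `cpumask_test_cpu()` does not bounds-check its index on ordinary builds (only CONFIG_DEBUG_PER_CPU_MAPS warns), so a too-large value becomes a bit read past the end of `allowed_mask` on the kernel stack rather than -EINVAL. The range check is also what made the old `cpu_online(cpu)` call safe, so it should stay in front of the cpuset test, not be replaced by it. Separately, `struct cpumask allowed_mask` as a local is large on configurations with a big NR_CPUS (the reason CONFIG_CPUMASK_OFFSTACK exists); the idiom is `cpumask_var_t` with `alloc_cpumask_var()`/`free_cpumask_var()`. io_sq_offload_create() starts and ends outside the hunk.

```c
	if (p->flags & IORING_SETUP_SQ_AFF) {
		cpumask_var_t allowed_mask;
		int cpu = p->sq_thread_cpu;

		/* cpu is user-controlled: range-check it before any cpumask_test_cpu() on it */
		ret = -EINVAL;
		if (cpu >= nr_cpu_ids || !cpu_online(cpu))
			goto err_sqpoll;
		ret = -ENOMEM;
		if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL))
			goto err_sqpoll;
		cpuset_cpus_allowed(current, allowed_mask);
		/* pinning outside the task's cpuset is not permitted */
		ret = cpumask_test_cpu(cpu, allowed_mask) ? 0 : -EINVAL;
		free_cpumask_var(allowed_mask);
		if (ret)
			goto err_sqpoll;
		sqd->sq_cpu = cpu;
	/* … unchanged: else branch and the rest of io_sq_offload_create() … */
```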
@@ -0,0 +1,77 @@
+From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
+From: Shu Han
+Date: Tue, 17 Sep 2024 17:41:04 +0800
+Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
+
+From: Shu Han
+
+commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
+
+The remap_file_pages syscall handler calls do_mmap() directly, which
+doesn't contain the LSM security check. And if the process has called
+personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
+RW pages, this will actually result in remapping the pages to RWX,
+bypassing a W^X policy enforced by SELinux.
+
+So we should check prot by security_mmap_file LSM hook in the
+remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
+potentially permits an attacker to bypass a W^X policy enforced by
+SELinux.
+
+The bypass is similar to CVE-2016-10044, which bypass the same thing via
+AIO and can be found in [1].
+
+The PoC:
+
+$ cat > test.c
+
+int main(void) {
+ size_t pagesz = sysconf(_SC_PAGE_SIZE);
+ int mfd = syscall(SYS_memfd_create, "test", 0);
+ const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
+ MAP_SHARED, mfd, 0);
+ unsigned int old = syscall(SYS_personality, 0xffffffff);
+ syscall(SYS_personality, READ_IMPLIES_EXEC | old);
+ syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
+ syscall(SYS_personality, old);
+ // show the RWX page exists even if W^X policy is enforced
+ int fd = open("/proc/self/maps", O_RDONLY);
+ unsigned char buf2[1024];
+ while (1) {
+ int ret = read(fd, buf2, 1024);
+ if (ret <= 0) break;
+ write(1, buf2, ret);
+ }
+ close(fd);
+}
+
+$ gcc test.c -o test
+$ ./test | grep rwx
+7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
+
+Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Shu Han
+Acked-by: Stephen Smalley
+[PM: subject line tweaks]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3025,8 +3025,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ flags |= MAP_LOCKED;
+
+ file = get_file(vma->vm_file);
++ ret = security_mmap_file(vma->vm_file, prot, flags);
++ if (ret)
++ goto out_fput;
+ ret = do_mmap(vma->vm_file, start, size,
+ prot, flags, 0, pgoff, &populate, NULL);
++out_fput:
+ fput(file);
+ out:
+ mmap_write_unlock(mm);
diff --git a/queue-6.6/series b/queue-6.6/series
index 76d4be330c0..4fb0d5c5fbc 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -387,3 +387,7 @@ net-stmmac-set-pp_flag_dma_sync_dev-only-if-xdp-is-e.patch
 netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch
 netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
 netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
+io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
+io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
+mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
-- 
2.47.3
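Review bot: The new `ret = security_mmap_file(vma->vm_file, prot, flags);` runs with the mmap write lock held (the `out:` label right below still does `mmap_write_unlock(mm)`), whereas, as far as I recall, the other `security_mmap_file()` callers in mm/mmap.c invoke the hook before taking mmap_lock because some LSMs take inode-side locks inside it; calling it under mmap_lock therefore risks a lock-order inversion with such an LSM, even though the W^X bypass itself is closed. The safer shape is to note what the check needs, drop the lock, run the hook, then re-take the lock and re-validate that the VMA at `start` is still the one inspected (same `vm_file`, same `vm_flags`) before `do_mmap()`; that is more than a few lines and also needs the vma lookup above the hunk, so the sketch below is indicative only and `vm_flags` would have to be declared at the top of the function. A smaller nit: pass `file` (the reference just taken) to the hook and to `do_mmap()` instead of re-reading `vma->vm_file`, which makes the ownership obvious. The enclosing remap_file_pages() starts outside the hunk.

```c
	file = get_file(vma->vm_file);
	vm_flags = vma->vm_flags;
	mmap_write_unlock(mm);

	/* LSM hook without mmap_lock held, like the mmap()/mprotect() paths */
	ret = security_mmap_file(file, prot, flags);
	if (ret)
		goto out_fput_unlocked;

	mmap_write_lock(mm);
	/* the lock was dropped: make sure the mapping is still the one we checked */
	vma = vma_lookup(mm, start);
	if (!vma || vma->vm_file != file || vma->vm_flags != vm_flags) {
		ret = -EINVAL;
		goto out_fput;
	}
	ret = do_mmap(file, start, size, prot, flags, 0, pgoff, &populate, NULL);
	/* … unchanged: out_fput / out labels, fput(), mmap_write_unlock() and populate … */
```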