--- /dev/null
+From 4437936c6b696b98f3fe1d8679a2788c41b4df77 Mon Sep 17 00:00:00 2001
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Date: Mon, 12 Aug 2024 12:13:44 -0400
+Subject: drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination
+
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+
+commit 4437936c6b696b98f3fe1d8679a2788c41b4df77 upstream.
+
+Synaptics Cascaded Panamera topology needs to unconditionally
+acquire root aux for dsc decoding.
+
+Reviewed-by: Roman Li <roman.li@amd.com>
+Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Mario Limonciello <superm1@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -246,7 +246,7 @@ static bool validate_dsc_caps_on_connect
+ aconnector->dsc_aux = &aconnector->mst_root->dm_dp_aux.aux;
+
+ /* synaptics cascaded MST hub case */
+- if (!aconnector->dsc_aux && is_synaptics_cascaded_panamera(aconnector->dc_link, port))
++ if (is_synaptics_cascaded_panamera(aconnector->dc_link, port))
+ aconnector->dsc_aux = port->mgr->aux;
+
+ if (!aconnector->dsc_aux)
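Review bot: The comment `/* synaptics cascaded MST hub case */` no longer describes what the branch does. With the `!aconnector->dsc_aux` guard removed, this assignment overwrites whatever `dsc_aux` was chosen by the preceding `mst_root` assignment. The override is intentional according to the commit message, but nothing in the code says so, and a later cleanup could easily re-add the guard. I would extend the comment to `/* synaptics cascaded MST hub case: always use the manager's root aux for DSC, overriding any dsc_aux picked above */`. The function validate_dsc_caps_on_connector starts and ends outside the hunk, so the condition guarding the earlier assignment is not visible here.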
--- /dev/null
+From 04beb6e0e08c30c6f845f50afb7d7953603d7a6f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 18 Sep 2024 11:58:19 -0600
+Subject: io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 04beb6e0e08c30c6f845f50afb7d7953603d7a6f upstream.
+
+If some part of the kernel adds task_work that needs executing, in terms
+of signaling it'll generally use TWA_SIGNAL or TWA_RESUME. Those two
+directly translate to TIF_NOTIFY_SIGNAL or TIF_NOTIFY_RESUME, and can
+be used for a variety of use case outside of task_work.
+
+However, io_cqring_wait_schedule() only tests explicitly for
+TIF_NOTIFY_SIGNAL. This means it can miss if task_work got added for
+the task, but used a different kind of signaling mechanism (or none at
+all). Normally this doesn't matter as any task_work will be run once
+the task exits to userspace, except if:
+
+1) The ring is setup with DEFER_TASKRUN
+2) The local work item may generate normal task_work
+
+For condition 2, this can happen when closing a file and it's the final
+put of that file, for example. This can cause stalls where a task is
+waiting to make progress inside io_cqring_wait(), but there's nothing else
+that will wake it up. Hence change the "should we schedule or loop around"
+check to check for the presence of task_work explicitly, rather than just
+TIF_NOTIFY_SIGNAL as the mechanism. While in there, also change the
+ordering of what type of task_work first in terms of ordering, to both
+make it consistent with other task_work runs in io_uring, but also to
+better handle the case of defer task_work generating normal task_work,
+like in the above example.
+
+Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
+Link: https://github.com/axboe/liburing/issues/1235
+Cc: stable@vger.kernel.org
+Fixes: 846072f16eed ("io_uring: mimimise io_cqring_wait_schedule")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2514,7 +2514,7 @@ static inline int io_cqring_wait_schedul
+ return 1;
+ if (unlikely(!llist_empty(&ctx->work_llist)))
+ return 1;
+- if (unlikely(test_thread_flag(TIF_NOTIFY_SIGNAL)))
++ if (unlikely(task_work_pending(current)))
+ return 1;
+ if (unlikely(task_sigpending(current)))
+ return -EINTR;
+@@ -2610,9 +2610,9 @@ static int io_cqring_wait(struct io_ring
+ * If we got woken because of task_work being processed, run it
+ * now rather than let the caller do another wait loop.
+ */
+- io_run_task_work();
+ if (!llist_empty(&ctx->work_llist))
+ io_run_local_work(ctx, nr_wait);
++ io_run_task_work();
+
+ /*
+ * Non-local task_work will be run on exit to userspace, but
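Review bot: The comment above the reordered calls in io_cqring_wait() still only says that task_work is run "now rather than let the caller do another wait loop". It does not explain why `io_run_task_work()` must now come after `io_run_local_work()`. That rationale exists only in the commit message: deferred local work can itself queue normal task_work, for example on the final put of a file. I would add a line to the comment such as `* Run local work first: it may queue normal task_work (e.g. a final fput), which io_run_task_work() below then picks up.`. Without it the order looks arbitrary and is easy to swap back. The function body continues outside the hunk.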
--- /dev/null
+From f011c9cf04c06f16b24f583d313d3c012e589e50 Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+Date: Mon, 9 Sep 2024 17:00:36 +0200
+Subject: io_uring/sqpoll: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer <felix.moessbauer@siemens.com>
+
+commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream.
+
+The submit queue polling threads are userland threads that just never
+exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF,
+the affinity of the poller thread is set to the cpu specified in
+sq_thread_cpu. However, this CPU can be outside of the cpuset defined
+by the cgroup cpuset controller. This violates the rules defined by the
+cpuset controller and is a potential issue for realtime applications.
+
+In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in
+case no explicit pinning is required by inheriting the one of the
+creating task. In case of explicit pinning, the check is more
+complicated, as also a cpu outside of the parent cpumask is allowed.
+We implemented this by using cpuset_cpus_allowed (that has support for
+cgroup cpusets) and testing if the requested cpu is in the set.
+
+Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker")
+Cc: stable@vger.kernel.org # 6.1+
+Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
+Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/sqpoll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -10,6 +10,7 @@
+ #include <linux/slab.h>
+ #include <linux/audit.h>
+ #include <linux/security.h>
++#include <linux/cpuset.h>
+ #include <linux/io_uring.h>
+
+ #include <uapi/linux/io_uring.h>
+@@ -401,10 +402,12 @@ __cold int io_sq_offload_create(struct i
+ return 0;
+
+ if (p->flags & IORING_SETUP_SQ_AFF) {
++ struct cpumask allowed_mask;
+ int cpu = p->sq_thread_cpu;
+
+ ret = -EINVAL;
+- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
++ cpuset_cpus_allowed(current, &allowed_mask);
++ if (!cpumask_test_cpu(cpu, &allowed_mask))
+ goto err_sqpoll;
+ sqd->sq_cpu = cpu;
+ } else {
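Review bot: The new check hands the user-supplied `p->sq_thread_cpu` straight to `cpumask_test_cpu()` after dropping the `cpu >= nr_cpu_ids || !cpu_online(cpu)` test. An out-of-range value is therefore no longer rejected before the bitmap lookup, and a CPU that is in the cpuset but offline may be accepted. The range and online test should stay in front of the cpuset test. Separately, `struct cpumask allowed_mask` is a stack object whose size scales with NR_CPUS; `cpumask_var_t` with `alloc_cpumask_var()` avoids a large frame on big configurations. io_sq_offload_create() starts and ends outside the hunk, so the sketch below assumes `err_sqpoll` needs no extra cleanup for the mask.

```c
	if (p->flags & IORING_SETUP_SQ_AFF) {
		cpumask_var_t allowed_mask;
		int cpu = p->sq_thread_cpu;

		ret = -EINVAL;
		/* reject out-of-range or offline CPUs before any mask lookup */
		if (cpu >= nr_cpu_ids || !cpu_online(cpu))
			goto err_sqpoll;
		ret = -ENOMEM;
		if (!alloc_cpumask_var(&allowed_mask, GFP_KERNEL))
			goto err_sqpoll;
		ret = -EINVAL;
		cpuset_cpus_allowed(current, allowed_mask);
		if (!cpumask_test_cpu(cpu, allowed_mask)) {
			free_cpumask_var(allowed_mask);
			goto err_sqpoll;
		}
		free_cpumask_var(allowed_mask);
		sqd->sq_cpu = cpu;
```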
--- /dev/null
+From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
+From: Shu Han <ebpqwerty472123@gmail.com>
+Date: Tue, 17 Sep 2024 17:41:04 +0800
+Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
+
+From: Shu Han <ebpqwerty472123@gmail.com>
+
+commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
+
+The remap_file_pages syscall handler calls do_mmap() directly, which
+doesn't contain the LSM security check. And if the process has called
+personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
+RW pages, this will actually result in remapping the pages to RWX,
+bypassing a W^X policy enforced by SELinux.
+
+So we should check prot by security_mmap_file LSM hook in the
+remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
+potentially permits an attacker to bypass a W^X policy enforced by
+SELinux.
+
+The bypass is similar to CVE-2016-10044, which bypass the same thing via
+AIO and can be found in [1].
+
+The PoC:
+
+$ cat > test.c
+
+int main(void) {
+ size_t pagesz = sysconf(_SC_PAGE_SIZE);
+ int mfd = syscall(SYS_memfd_create, "test", 0);
+ const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
+ MAP_SHARED, mfd, 0);
+ unsigned int old = syscall(SYS_personality, 0xffffffff);
+ syscall(SYS_personality, READ_IMPLIES_EXEC | old);
+ syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
+ syscall(SYS_personality, old);
+ // show the RWX page exists even if W^X policy is enforced
+ int fd = open("/proc/self/maps", O_RDONLY);
+ unsigned char buf2[1024];
+ while (1) {
+ int ret = read(fd, buf2, 1024);
+ if (ret <= 0) break;
+ write(1, buf2, ret);
+ }
+ close(fd);
+}
+
+$ gcc test.c -o test
+$ ./test | grep rwx
+7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
+
+Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Shu Han <ebpqwerty472123@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+[PM: subject line tweaks]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3025,8 +3025,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ flags |= MAP_LOCKED;
+
+ file = get_file(vma->vm_file);
++ ret = security_mmap_file(vma->vm_file, prot, flags);
++ if (ret)
++ goto out_fput;
+ ret = do_mmap(vma->vm_file, start, size,
+ prot, flags, 0, pgoff, &populate, NULL);
++out_fput:
+ fput(file);
+ out:
+ mmap_write_unlock(mm);
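Review bot: `security_mmap_file()` is called here with the mmap write lock still held, since the `out:` path below is what releases it via `mmap_write_unlock(mm)`. Every LSM hook behind it therefore runs inside that lock. If any hook takes a lock that is elsewhere acquired before mmap_lock, for example an inode lock in an integrity-measurement module, this would introduce a lock-order inversion; that is an inference, because the hook implementations are not in this hunk. At minimum the locking context deserves a comment such as `/* LSM hook runs under mmap_write_lock(mm); hooks must not take locks ordered before mmap_lock */`, and lockdep coverage with the enabled LSMs should be confirmed. The syscall body starts outside the hunk.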
netfilter-nf_tables-keep-deleted-flowtable-hooks-unt.patch
netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
+io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
+io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
+mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch