From: Greg Kroah-Hartman
Date: Tue, 1 Oct 2024 07:47:24 +0000 (+0200)
Subject: 6.10-stable patches
X-Git-Tag: v6.6.54~124
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b75792d99fda79bbd88d9f0104465abf39ffb00;p=thirdparty%2Fkernel%2Fstable-queue.git

6.10-stable patches

added patches:
drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch
io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch
io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch
---
diff --git a/queue-6.10/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch b/queue-6.10/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
new file mode 100644
index 00000000000..42bb3dffc94
--- /dev/null
+++ b/queue-6.10/drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch
@@ -0,0 +1,34 @@
+From 4437936c6b696b98f3fe1d8679a2788c41b4df77 Mon Sep 17 00:00:00 2001
+From: Fangzhi Zuo
+Date: Mon, 12 Aug 2024 12:13:44 -0400
+Subject: drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination
+
+From: Fangzhi Zuo
+
+commit 4437936c6b696b98f3fe1d8679a2788c41b4df77 upstream.
+
+Synaptics Cascaded Panamera topology needs to unconditionally
+acquire root aux for dsc decoding.
+
+Reviewed-by: Roman Li
+Signed-off-by: Fangzhi Zuo
+Signed-off-by: Zaeem Mohamed
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Cc: Mario Limonciello
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -251,7 +251,7 @@ static bool validate_dsc_caps_on_connect
+ aconnector->dsc_aux = &aconnector->mst_root->dm_dp_aux.aux;
+ 
+ /* synaptics cascaded MST hub case */
+- if (!aconnector->dsc_aux && is_synaptics_cascaded_panamera(aconnector->dc_link, port))
++ if (is_synaptics_cascaded_panamera(aconnector->dc_link, port))
+ aconnector->dsc_aux = port->mgr->aux;
+ 
+ if (!aconnector->dsc_aux)
diff --git a/queue-6.10/fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch b/queue-6.10/fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch
new file mode 100644
index 00000000000..a78bb02bfab
--- /dev/null
+++ b/queue-6.10/fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch
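Review bot: With the `!aconnector->dsc_aux &&` test gone, the Synaptics branch now overrides a dsc_aux that may already have been chosen earlier in the function (the context line directly above is one such assignment), but its comment `/* synaptics cascaded MST hub case */` still reads like a fallback, which is exactly what invited the old guard. Make the intent explicit: `/* Synaptics cascaded MST hub: DSC must always be decoded via the root aux, overriding whatever was chosen above */`. The `if (!aconnector->dsc_aux)` check that follows still catches a NULL `port->mgr->aux`, so that case stays covered. The enclosing function (`validate_dsc_caps_on_connect…` in the hunk header) starts before the hunk.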
@@ -0,0 +1,39 @@
+From 2f3d8ff457982f4055fe8f7bf19d3821ba22c376 Mon Sep 17 00:00:00 2001
+From: yangyun
+Date: Sat, 14 Sep 2024 16:51:31 +0800
+Subject: fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set
+
+From: yangyun
+
+commit 2f3d8ff457982f4055fe8f7bf19d3821ba22c376 upstream.
+
+This may be a typo. The comment has said shared locks are
+not allowed when this bit is set. If using shared lock, the
+wait in `fuse_file_cached_io_open` may be forever.
+
+Fixes: 205c1d802683 ("fuse: allow parallel dio writes with FUSE_DIRECT_IO_ALLOW_MMAP")
+CC: stable@vger.kernel.org # v6.9
+Signed-off-by: yangyun
+Reviewed-by: Bernd Schubert
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index b8afeca12487..1b5cd46c8225 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1345,7 +1345,7 @@ static bool fuse_dio_wr_exclusive_lock(struct kiocb *iocb, struct iov_iter *from
+ 
+ /* shared locks are not allowed with parallel page cache IO */
+ if (test_bit(FUSE_I_CACHE_IO_MODE, &fi->state))
+- return false;
++ return true;
+ 
+ /* Parallel dio beyond EOF is not supported, at least for now. */
+ if (fuse_io_past_eof(iocb, from))
+-- 
+2.46.2
+
diff --git a/queue-6.10/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch b/queue-6.10/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
new file mode 100644
index 00000000000..c172c56917b
--- /dev/null
+++ b/queue-6.10/io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
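Review bot: The comment above the flipped return still only says shared locks "are not allowed", the wording that did not prevent the original `return false` from being written; state the consequence, which the commit message supplies: `/* shared locks are not allowed with parallel page cache IO: a shared lock would leave the wait in fuse_file_cached_io_open() hanging */`. Without that, the next reader can again take "not allowed" to mean "not needed" and reintroduce the bug. `fuse_dio_wr_exclusive_lock()` starts before the hunk.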
@@ -0,0 +1,66 @@
+From 04beb6e0e08c30c6f845f50afb7d7953603d7a6f Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Wed, 18 Sep 2024 11:58:19 -0600
+Subject: io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL
+
+From: Jens Axboe
+
+commit 04beb6e0e08c30c6f845f50afb7d7953603d7a6f upstream.
+
+If some part of the kernel adds task_work that needs executing, in terms
+of signaling it'll generally use TWA_SIGNAL or TWA_RESUME. Those two
+directly translate to TIF_NOTIFY_SIGNAL or TIF_NOTIFY_RESUME, and can
+be used for a variety of use case outside of task_work.
+
+However, io_cqring_wait_schedule() only tests explicitly for
+TIF_NOTIFY_SIGNAL. This means it can miss if task_work got added for
+the task, but used a different kind of signaling mechanism (or none at
+all). Normally this doesn't matter as any task_work will be run once
+the task exits to userspace, except if:
+
+1) The ring is setup with DEFER_TASKRUN
+2) The local work item may generate normal task_work
+
+For condition 2, this can happen when closing a file and it's the final
+put of that file, for example. This can cause stalls where a task is
+waiting to make progress inside io_cqring_wait(), but there's nothing else
+that will wake it up. Hence change the "should we schedule or loop around"
+check to check for the presence of task_work explicitly, rather than just
+TIF_NOTIFY_SIGNAL as the mechanism. While in there, also change the
+ordering of what type of task_work first in terms of ordering, to both
+make it consistent with other task_work runs in io_uring, but also to
+better handle the case of defer task_work generating normal task_work,
+like in the above example.
+
+Reported-by: Jan Hendrik Farr
+Link: https://github.com/axboe/liburing/issues/1235
+Cc: stable@vger.kernel.org
+Fixes: 846072f16eed ("io_uring: mimimise io_cqring_wait_schedule")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2401,7 +2401,7 @@ static inline int io_cqring_wait_schedul
+ return 1;
+ if (unlikely(!llist_empty(&ctx->work_llist)))
+ return 1;
+- if (unlikely(test_thread_flag(TIF_NOTIFY_SIGNAL)))
++ if (unlikely(task_work_pending(current)))
+ return 1;
+ if (unlikely(task_sigpending(current)))
+ return -EINTR;
+@@ -2502,9 +2502,9 @@ static int io_cqring_wait(struct io_ring
+ * If we got woken because of task_work being processed, run it
+ * now rather than let the caller do another wait loop.
+ */
+- io_run_task_work();
+ if (!llist_empty(&ctx->work_llist))
+ io_run_local_work(ctx, nr_wait);
++ io_run_task_work();
+ 
+ /*
+ * Non-local task_work will be run on exit to userspace, but
diff --git a/queue-6.10/io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch b/queue-6.10/io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch
new file mode 100644
index 00000000000..17c75d82032
--- /dev/null
+++ b/queue-6.10/io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch
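Review bot: The reorder in the second hunk is load-bearing but the surviving comment ("If we got woken because of task_work being processed, run it now…") does not say why local work must now run before `io_run_task_work()`; the commit message gives the reason (a DEFER_TASKRUN local item, such as the final put of a file, can queue ordinary task_work that the old order would leave pending and then sleep on). Extend the comment with ` * Run local work first: it may itself queue regular task_work, which io_run_task_work() then drains in the same pass.`. In the first hunk, `task_work_pending(current)` presumably covers task_work queued with any notify mode, including none; a one-line `/* any queued task_work, however (or whether) it was signalled */` would keep it from being "simplified" back to a TIF test later. Both `io_cqring_wait_schedule()` and `io_cqring_wait()` extend beyond the hunk.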
@@ -0,0 +1,46 @@
+From c0a9d496e0fece67db777bd48550376cf2960c47 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 10 Sep 2024 08:30:57 -0600
+Subject: io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN
+
+From: Jens Axboe
+
+commit c0a9d496e0fece67db777bd48550376cf2960c47 upstream.
+
+Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for
+an IOCB_NOWAIT read/write attempt. While this can be argued to be
+correct, the usual return value for something that requires blocking
+issue is -EAGAIN.
+
+A refactoring io_uring commit dropped calling kiocb_done() for
+negative return values, which is otherwise where we already do that
+transformation. To ensure we catch it in both spots, check it in
+__io_read() itself as well.
+
+Reported-by: Robert Sander
+Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440
+Cc: stable@vger.kernel.org
+Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/rw.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -856,6 +856,14 @@ static int __io_read(struct io_kiocb *re
+ 
+ ret = io_iter_do_read(rw, &io->iter);
+ 
++ /*
++ * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
++ * issue, even though they should be returning -EAGAIN. To be safe,
++ * retry from blocking context for either.
++ */
++ if (ret == -EOPNOTSUPP && force_nonblock)
++ ret = -EAGAIN;
++
+ if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) {
+ req->flags &= ~REQ_F_REISSUE;
+ /* If we can poll, just do that. */
diff --git a/queue-6.10/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch b/queue-6.10/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
new file mode 100644
index 00000000000..e7dc4ab4827
--- /dev/null
+++ b/queue-6.10/io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
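Review bot: The -EOPNOTSUPP-to-EAGAIN translation is now duplicated between `__io_read()` and, per the commit message, `kiocb_done()`, so the two sites can drift; a small helper keeps them in step: `static inline int io_nowait_errno(int ret, bool force_nonblock) { return (ret == -EOPNOTSUPP && force_nonblock) ? -EAGAIN : ret; }` used at both places. The write path is not touched here, which may be intentional if it still reaches `kiocb_done()` — not visible from the hunk. The new comment could also note that a file system which genuinely never supports the operation will presumably take one trip through the blocking retry before the same -EOPNOTSUPP reaches the user, which is the accepted cost. `__io_read()` starts before the hunk.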
@@ -0,0 +1,57 @@
+From f011c9cf04c06f16b24f583d313d3c012e589e50 Mon Sep 17 00:00:00 2001
+From: Felix Moessbauer
+Date: Mon, 9 Sep 2024 17:00:36 +0200
+Subject: io_uring/sqpoll: do not allow pinning outside of cpuset
+
+From: Felix Moessbauer
+
+commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream.
+
+The submit queue polling threads are userland threads that just never
+exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF,
+the affinity of the poller thread is set to the cpu specified in
+sq_thread_cpu. However, this CPU can be outside of the cpuset defined
+by the cgroup cpuset controller. This violates the rules defined by the
+cpuset controller and is a potential issue for realtime applications.
+
+In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in
+case no explicit pinning is required by inheriting the one of the
+creating task. In case of explicit pinning, the check is more
+complicated, as also a cpu outside of the parent cpumask is allowed.
+We implemented this by using cpuset_cpus_allowed (that has support for
+cgroup cpusets) and testing if the requested cpu is in the set.
+
+Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker")
+Cc: stable@vger.kernel.org # 6.1+
+Signed-off-by: Felix Moessbauer
+Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/sqpoll.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/io_uring/sqpoll.c
++++ b/io_uring/sqpoll.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ #include
+@@ -460,10 +461,12 @@ __cold int io_sq_offload_create(struct i
+ return 0;
+ 
+ if (p->flags & IORING_SETUP_SQ_AFF) {
++ struct cpumask allowed_mask;
+ int cpu = p->sq_thread_cpu;
+ 
+ ret = -EINVAL;
+- if (cpu >= nr_cpu_ids || !cpu_online(cpu))
++ cpuset_cpus_allowed(current, &allowed_mask);
++ if (!cpumask_test_cpu(cpu, &allowed_mask))
+ goto err_sqpoll;
+ sqd->sq_cpu = cpu;
+ } else {
diff --git a/queue-6.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch b/queue-6.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
new file mode 100644
index 00000000000..0022d53d829
--- /dev/null
+++ b/queue-6.10/mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
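Review bot: The removed line was the only range check on the user-supplied `sq_thread_cpu`, and the new `cpumask_test_cpu(cpu, &allowed_mask)` indexes a stack-resident cpumask with it unchecked; `cpumask_test_cpu()` does not reject out-of-range indices (on debug builds `cpumask_check()` only warns), so an unprivileged `io_uring_setup()` with IORING_SETUP_SQ_AFF and a large `sq_thread_cpu` reads past `allowed_mask` on the stack, and since `cpu` is an `int` built from what is presumably a `__u32` it can even be negative. Keep the old guard in front of the cpuset test: `if (cpu >= nr_cpu_ids || !cpu_online(cpu)) goto err_sqpoll;` followed by `cpuset_cpus_allowed(current, &allowed_mask);` and the new `cpumask_test_cpu()` check, so the cpuset rule is an additional restriction rather than a replacement for validity. A full `struct cpumask` on the stack also costs NR_CPUS/8 bytes; `cpumask_var_t` with `alloc_cpumask_var()`/`free_cpumask_var()` is the usual form for large configurations. `io_sq_offload_create()` starts before the hunk.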
@@ -0,0 +1,77 @@
+From ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 Mon Sep 17 00:00:00 2001
+From: Shu Han
+Date: Tue, 17 Sep 2024 17:41:04 +0800
+Subject: mm: call the security_mmap_file() LSM hook in remap_file_pages()
+
+From: Shu Han
+
+commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream.
+
+The remap_file_pages syscall handler calls do_mmap() directly, which
+doesn't contain the LSM security check. And if the process has called
+personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
+RW pages, this will actually result in remapping the pages to RWX,
+bypassing a W^X policy enforced by SELinux.
+
+So we should check prot by security_mmap_file LSM hook in the
+remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
+potentially permits an attacker to bypass a W^X policy enforced by
+SELinux.
+
+The bypass is similar to CVE-2016-10044, which bypass the same thing via
+AIO and can be found in [1].
+
+The PoC:
+
+$ cat > test.c
+
+int main(void) {
+ size_t pagesz = sysconf(_SC_PAGE_SIZE);
+ int mfd = syscall(SYS_memfd_create, "test", 0);
+ const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
+ MAP_SHARED, mfd, 0);
+ unsigned int old = syscall(SYS_personality, 0xffffffff);
+ syscall(SYS_personality, READ_IMPLIES_EXEC | old);
+ syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
+ syscall(SYS_personality, old);
+ // show the RWX page exists even if W^X policy is enforced
+ int fd = open("/proc/self/maps", O_RDONLY);
+ unsigned char buf2[1024];
+ while (1) {
+ int ret = read(fd, buf2, 1024);
+ if (ret <= 0) break;
+ write(1, buf2, ret);
+ }
+ close(fd);
+}
+
+$ gcc test.c -o test
+$ ./test | grep rwx
+7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
+
+Link: https://project-zero.issues.chromium.org/issues/42452389 [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Shu Han
+Acked-by: Stephen Smalley
+[PM: subject line tweaks]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -3127,8 +3127,12 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
+ flags |= MAP_LOCKED;
+ 
+ file = get_file(vma->vm_file);
++ ret = security_mmap_file(vma->vm_file, prot, flags);
++ if (ret)
++ goto out_fput;
+ ret = do_mmap(vma->vm_file, start, size,
+ prot, flags, 0, pgoff, &populate, NULL);
++out_fput:
+ fput(file);
+ out:
+ mmap_write_unlock(mm);
diff --git a/queue-6.10/mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch b/queue-6.10/mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch
new file mode 100644
index 00000000000..67a03433b7a
--- /dev/null
+++ b/queue-6.10/mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch
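Review bot: The new `security_mmap_file()` call carries no comment saying why it is needed here, and the reason is not obvious from the code: `do_mmap()` itself runs no LSM hook, the mmap syscall wrappers do, and per the commit message the hook is where READ_IMPLIES_EXEC folds PROT_EXEC into the prot an LSM sees, so skipping it let an RW memfd mapping be remapped RWX past an SELinux W^X policy. Add above the call: `/* do_mmap() runs no LSM hook; call it here as the mmap syscalls do, else READ_IMPLIES_EXEC can turn an RW remap into RWX unseen by the LSM */`. Since `file` was just taken with `get_file(vma->vm_file)` on the line above, passing `file` to both the hook and `do_mmap()` would make the held reference explicit. Any other in-kernel caller of `do_mmap()` that bypasses the syscall wrappers presumably has the same gap (the commit message's CVE-2016-10044 was the AIO instance) and is worth auditing; the syscall's prologue, where `prot` is derived, is outside the hunk.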
@@ -0,0 +1,92 @@
+From 8001070cfbec5cd4ea00b8b48ea51df91122f265 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park
+Date: Tue, 24 Sep 2024 22:00:53 +0900
+Subject: mm: migrate: annotate data-race in migrate_folio_unmap()
+
+From: Jeongjun Park
+
+commit 8001070cfbec5cd4ea00b8b48ea51df91122f265 upstream.
+
+I found a report from syzbot [1]
+
+This report shows that the value can be changed, but in reality, the
+value of __folio_set_movable() cannot be changed because it holds the
+folio refcount.
+
+Therefore, it is appropriate to add an annotate to make KCSAN
+ignore that data-race.
+
+[1]
+
+==================================================================
+BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch
+
+write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0:
+ page_cache_delete mm/filemap.c:153 [inline]
+ __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233
+ filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265
+ truncate_inode_folio+0x42/0x50 mm/truncate.c:178
+ shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028
+ shmem_truncate_range mm/shmem.c:1144 [inline]
+ shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272
+ evict+0x2f0/0x580 fs/inode.c:731
+ iput_final fs/inode.c:1883 [inline]
+ iput+0x42a/0x5b0 fs/inode.c:1909
+ dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412
+ __dentry_kill+0x18b/0x4c0 fs/dcache.c:615
+ dput+0x5c/0xd0 fs/dcache.c:857
+ __fput+0x3fb/0x6d0 fs/file_table.c:439
+ ____fput+0x1c/0x30 fs/file_table.c:459
+ task_work_run+0x13a/0x1a0 kernel/task_work.c:228
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218
+ do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1:
+ __folio_test_movable include/linux/page-flags.h:699 [inline]
+ migrate_folio_unmap mm/migrate.c:1199 [inline]
+ migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797
+ migrate_pages_sync mm/migrate.c:1963 [inline]
+ migrate_pages+0xff1/0x1820 mm/migrate.c:2072
+ do_mbind mm/mempolicy.c:1390 [inline]
+ kernel_mbind mm/mempolicy.c:1533 [inline]
+ __do_sys_mbind mm/mempolicy.c:1607 [inline]
+ __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603
+ __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603
+ x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+value changed: 0xffff888127601078 -> 0x0000000000000000
+
+Link: https://lkml.kernel.org/r/20240924130053.107490-1-aha310510@gmail.com
+Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()")
+Signed-off-by: Jeongjun Park
+Reported-by: syzbot
+Acked-by: David Hildenbrand
+Cc: Kefeng Wang
+Cc: Matthew Wilcox
+Cc: Zi Yan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1129,7 +1129,7 @@ static int migrate_folio_unmap(new_folio
+ int rc = -EAGAIN;
+ int old_page_state = 0;
+ struct anon_vma *anon_vma = NULL;
+- bool is_lru = !__folio_test_movable(src);
++ bool is_lru = data_race(!__folio_test_movable(src));
+ bool locked = false;
+ bool dst_locked = false;
+ 
diff --git a/queue-6.10/series b/queue-6.10/series
index 72f0d4ca9aa..bd7060fbd14 100644
--- a/queue-6.10/series
+++ b/queue-6.10/series
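Review bot: `data_race()` silences KCSAN for this read but nothing in the code records why the race is benign, so the next person to touch the line has only git history to go on; put the justification from the commit message next to the annotation: `/* data_race(): src is pinned by our reference, so its movable state cannot change underneath us */`. I cannot confirm from the hunk alone that a reference is held at this point, so the wording should be checked against the callers. `migrate_folio_unmap()` continues past the hunk.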
@@ -455,3 +455,10 @@ netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
 netfilter-nf_tables-use-rcu-chain-hook-list-iterator.patch
 netfilter-nf_tables-missing-objects-with-no-memcg-ac.patch
 selftests-netfilter-avoid-hanging-ipvs.sh.patch
+io_uring-sqpoll-do-not-allow-pinning-outside-of-cpuset.patch
+io_uring-rw-treat-eopnotsupp-for-iocb_nowait-like-eagain.patch
+io_uring-check-for-presence-of-task_work-rather-than-tif_notify_signal.patch
+fuse-use-exclusive-lock-when-fuse_i_cache_io_mode-is-set.patch
+mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch
+mm-call-the-security_mmap_file-lsm-hook-in-remap_file_pages.patch
+drm-amd-display-fix-synaptics-cascaded-panamera-dsc-determination.patch