From 55954a1b8b35df794a4dcbd57df8c01c9d2608b8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 6 Mar 2023 18:55:47 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
	brd-return-0-error-from-brd_insert_page.patch
	ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch
---
 ...-return-0-error-from-brd_insert_page.patch |  93 +++++++++++++++
 ...p-parameters-with-mmap_file-lsm-hook.patch | 107 ++++++++++++++++++
 queue-5.15/series                             |   2 +
 3 files changed, 202 insertions(+)
 create mode 100644 queue-5.15/brd-return-0-error-from-brd_insert_page.patch
 create mode 100644 queue-5.15/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch

diff --git a/queue-5.15/brd-return-0-error-from-brd_insert_page.patch b/queue-5.15/brd-return-0-error-from-brd_insert_page.patch
new file mode 100644
index 00000000000..fd29ae6706f
--- /dev/null
+++ b/queue-5.15/brd-return-0-error-from-brd_insert_page.patch
@@ -0,0 +1,93 @@
+From db0ccc44a20b4bb3039c0f6885a1f9c3323c7673 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 16 Feb 2023 07:57:32 -0700
+Subject: brd: return 0/-error from brd_insert_page()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit db0ccc44a20b4bb3039c0f6885a1f9c3323c7673 upstream.
+
+It currently returns a page, but callers just check for NULL/page to
+gauge success. Clean this up and return the appropriate error directly
+instead.
+
+Cc: stable@vger.kernel.org # 5.10+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/brd.c |   26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -78,11 +78,9 @@ static struct page *brd_lookup_page(stru
+ }
+ 
+ /*
+- * Look up and return a brd's page for a given sector.
+- * If one does not exist, allocate an empty page, and insert that. Then
+- * return it.
++ * Insert a new page for a given sector, if one does not already exist.
+  */
+-static struct page *brd_insert_page(struct brd_device *brd, sector_t sector)
++static int brd_insert_page(struct brd_device *brd, sector_t sector)
+ {
+ 	pgoff_t idx;
+ 	struct page *page;
+@@ -90,7 +88,7 @@ static struct page *brd_insert_page(stru
+ 
+ 	page = brd_lookup_page(brd, sector);
+ 	if (page)
+-		return page;
++		return 0;
+ 
+ 	/*
+ 	 * Must use NOIO because we don't want to recurse back into the
+@@ -99,11 +97,11 @@ static struct page *brd_insert_page(stru
+ 	gfp_flags = GFP_NOIO | __GFP_ZERO | __GFP_HIGHMEM;
+ 	page = alloc_page(gfp_flags);
+ 	if (!page)
+-		return NULL;
++		return -ENOMEM;
+ 
+ 	if (radix_tree_preload(GFP_NOIO)) {
+ 		__free_page(page);
+-		return NULL;
++		return -ENOMEM;
+ 	}
+ 
+ 	spin_lock(&brd->brd_lock);
+@@ -120,8 +118,7 @@ static struct page *brd_insert_page(stru
+ 	spin_unlock(&brd->brd_lock);
+ 
+ 	radix_tree_preload_end();
+-
+-	return page;
++	return 0;
+ }
+ 
+ /*
+@@ -174,16 +171,17 @@ static int copy_to_brd_setup(struct brd_
+ {
+ 	unsigned int offset = (sector & (PAGE_SECTORS-1)) << SECTOR_SHIFT;
+ 	size_t copy;
++	int ret;
+ 
+ 	copy = min_t(size_t, n, PAGE_SIZE - offset);
+-	if (!brd_insert_page(brd, sector))
+-		return -ENOSPC;
++	ret = brd_insert_page(brd, sector);
++	if (ret)
++		return ret;
+ 	if (copy < n) {
+ 		sector += copy >> SECTOR_SHIFT;
+-		if (!brd_insert_page(brd, sector))
+-			return -ENOSPC;
++		ret = brd_insert_page(brd, sector);
+ 	}
+-	return 0;
++	return ret;
+ }
+ 
+ /*
diff --git a/queue-5.15/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch b/queue-5.15/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch
new file mode 100644
index 00000000000..c7dd638fd78
--- /dev/null
+++ b/queue-5.15/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch
@@ -0,0 +1,107 @@
+From 4971c268b85e1c7a734a61622fc0813c86e2362e Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 31 Jan 2023 18:42:43 +0100
+Subject: ima: Align ima_file_mmap() parameters with mmap_file LSM hook
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream.
+
+Commit 98de59bfe4b2f ("take calculation of final prot in
+security_mmap_file() into a helper") moved the code to update prot, to be
+the actual protections applied to the kernel, to a new helper called
+mmap_prot().
+
+However, while without the helper ima_file_mmap() was getting the updated
+prot, with the helper ima_file_mmap() gets the original prot, which
+contains the protections requested by the application.
+
+A possible consequence of this change is that, if an application calls
+mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
+that application would have access to executable memory without having this
+event recorded in the IMA measurement list. This situation would occur for
+example if the application, before mmap(), calls the personality() system
+call with READ_IMPLIES_EXEC as the first argument.
+
+Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
+that IMA can receive both the requested prot and the final prot. Since the
+requested protections are stored in a new variable, and the final
+protections are stored in the existing variable, this effectively restores
+the original behavior of the MMAP_CHECK hook.
+
+Cc: stable@vger.kernel.org
+Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ima.h               |    6 ++++--
+ security/integrity/ima/ima_main.c |    7 +++++--
+ security/security.c               |    7 ++++---
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/include/linux/ima.h
++++ b/include/linux/ima.h
+@@ -21,7 +21,8 @@ extern int ima_file_check(struct file *f
+ extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
+ 				    struct inode *inode);
+ extern void ima_file_free(struct file *file);
+-extern int ima_file_mmap(struct file *file, unsigned long prot);
++extern int ima_file_mmap(struct file *file, unsigned long reqprot,
++			 unsigned long prot, unsigned long flags);
+ extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
+ extern int ima_load_data(enum kernel_load_data_id id, bool contents);
+ extern int ima_post_load_data(char *buf, loff_t size,
+@@ -91,7 +92,8 @@ static inline void ima_file_free(struct
+ 	return;
+ }
+ 
+-static inline int ima_file_mmap(struct file *file, unsigned long prot)
++static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
++				unsigned long prot, unsigned long flags)
+ {
+ 	return 0;
+ }
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -395,7 +395,9 @@ out:
+ /**
+  * ima_file_mmap - based on policy, collect/store measurement.
+  * @file: pointer to the file to be measured (May be NULL)
+- * @prot: contains the protection that will be applied by the kernel.
++ * @reqprot: protection requested by the application
++ * @prot: protection that will be applied by the kernel
++ * @flags: operational flags
+  *
+  * Measure files being mmapped executable based on the ima_must_measure()
+  * policy decision.
+@@ -403,7 +405,8 @@ out:
+  * On success return 0.  On integrity appraisal error, assuming the file
+  * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
+  */
+-int ima_file_mmap(struct file *file, unsigned long prot)
++int ima_file_mmap(struct file *file, unsigned long reqprot,
++		  unsigned long prot, unsigned long flags)
+ {
+ 	u32 secid;
+ 
+--- a/security/security.c
++++ b/security/security.c
+@@ -1592,12 +1592,13 @@ static inline unsigned long mmap_prot(st
+ int security_mmap_file(struct file *file, unsigned long prot,
+ 			unsigned long flags)
+ {
++	unsigned long prot_adj = mmap_prot(file, prot);
+ 	int ret;
+-	ret = call_int_hook(mmap_file, 0, file, prot,
+-					mmap_prot(file, prot), flags);
++
++	ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags);
+ 	if (ret)
+ 		return ret;
+-	return ima_file_mmap(file, prot);
++	return ima_file_mmap(file, prot, prot_adj, flags);
+ }
+ 
+ int security_mmap_addr(unsigned long addr)
diff --git a/queue-5.15/series b/queue-5.15/series
index c07788f07e0..a64e5953e5b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -480,3 +480,5 @@ x86-microcode-amd-add-a-cpu-parameter-to-the-reloading-functions.patch
 x86-microcode-amd-fix-mixed-steppings-support.patch
 x86-speculation-allow-enabling-stibp-with-legacy-ibrs.patch
 documentation-hw-vuln-document-the-interaction-between-ibrs-and-stibp.patch
+brd-return-0-error-from-brd_insert_page.patch
+ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch
-- 
2.47.3