+++ /dev/null
-From 0218f1372ad4887ffc6df3e68d92b55b9d12a11c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 17 Apr 2023 12:55:51 -0400
-Subject: IMA: use vfs_getattr_nosec to get the i_version
-
-From: Jeff Layton <jlayton@kernel.org>
-
-[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ]
-
-IMA currently accesses the i_version out of the inode directly when it
-does a measurement. This is fine for most simple filesystems, but can be
-problematic with more complex setups (e.g. overlayfs).
-
-Make IMA instead call vfs_getattr_nosec to get this info. This allows
-the filesystem to determine whether and how to report the i_version, and
-should allow IMA to work properly with a broader class of filesystems in
-the future.
-
-Reported-and-Tested-by: Stefan Berger <stefanb@linux.ibm.com>
-Reviewed-by: Christian Brauner <brauner@kernel.org>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- security/integrity/ima/ima_api.c | 9 ++++++---
- security/integrity/ima/ima_main.c | 12 ++++++++----
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
-index 70efd4aa1bd11..cf24e441a9fa7 100644
---- a/security/integrity/ima/ima_api.c
-+++ b/security/integrity/ima/ima_api.c
-@@ -13,7 +13,6 @@
- #include <linux/fs.h>
- #include <linux/xattr.h>
- #include <linux/evm.h>
--#include <linux/iversion.h>
-
- #include "ima.h"
-
-@@ -214,10 +213,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- struct inode *inode = file_inode(file);
- struct inode *real_inode = d_real_inode(file_dentry(file));
- const char *filename = file->f_path.dentry->d_name.name;
-+ struct kstat stat;
- int result = 0;
- int length;
- void *tmpbuf;
-- u64 i_version;
-+ u64 i_version = 0;
- struct {
- struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
-@@ -239,7 +239,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- * which do not support i_version, support is limited to an initial
- * measurement/appraisal/audit.
- */
-- i_version = inode_query_iversion(inode);
-+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT);
-+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
-+ i_version = stat.change_cookie;
- hash.hdr.algo = algo;
-
- /* Initialize hash digest to 0's in case of failure */
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 8e0fe0ce61646..b2e83245d17aa 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -24,7 +24,6 @@
- #include <linux/slab.h>
- #include <linux/xattr.h>
- #include <linux/ima.h>
--#include <linux/iversion.h>
- #include <linux/fs.h>
- #include <linux/iversion.h>
-
-@@ -159,11 +158,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
-
- mutex_lock(&iint->mutex);
- if (atomic_read(&inode->i_writecount) == 1) {
-+ struct kstat stat;
-+
- update = test_and_clear_bit(IMA_UPDATE_XATTR,
- &iint->atomic_flags);
-- if (!IS_I_VERSION(inode) ||
-- !inode_eq_iversion(inode, iint->version) ||
-- (iint->flags & IMA_NEW_FILE)) {
-+ if ((iint->flags & IMA_NEW_FILE) ||
-+ vfs_getattr_nosec(&file->f_path, &stat,
-+ STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT) ||
-+ !(stat.result_mask & STATX_CHANGE_COOKIE) ||
-+ stat.change_cookie != iint->version) {
- iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
- iint->measured_pcrs = 0;
- if (update)
---
-2.43.0
-
r8152-add-usb-device-driver-for-config-selection.patch
r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch
r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch
-vfs-plumb-i_version-handling-into-struct-kstat.patch
-ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch
afs-fix-refcount-underflow-from-error-handling-race.patch
hid-lenovo-restrict-detection-of-patched-firmware-on.patch
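Review bot: The reason for dropping `vfs-plumb-i_version-handling-into-struct-kstat.patch` and `ima-use-vfs_getattr_nosec-to-get-the-i_version.patch` is not recorded anywhere in the visible text, and it should be stated in the commit message so a later backporter can judge whether to retry. Removing the two together is consistent, since the vfs patch is carried only as `Stable-dep-of` the IMA one. With both gone, IMA on this branch keeps reading `i_version` directly from the inode, which the dropped patch's own description calls problematic on more complex setups such as overlayfs, so anyone relying on IMA re-measurement over stacked filesystems should treat that limitation as still present. The same point applies to the other two series hunks further down the page that drop the same entries. The commit message lies outside the visible text, so the reason may already be given there.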
+++ /dev/null
-From c271cde72b2e037c3e9955790d124d763030abe3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 4 Dec 2016 09:29:46 -0500
-Subject: vfs: plumb i_version handling into struct kstat
-
-From: Jeff Layton <jlayton@redhat.com>
-
-[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ]
-
-The NFS server has a lot of special handling for different types of
-change attribute access, depending on the underlying filesystem. In
-most cases, it's doing a getattr anyway and then fetching that value
-after the fact.
-
-Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a
-kernel-only symbol (for now). If requested and getattr can implement it,
-it can fill out this field. For IS_I_VERSION inodes, add a generic
-implementation in vfs_getattr_nosec. Take care to mask
-STATX_CHANGE_COOKIE off in requests from userland and in the result
-mask.
-
-Since not all filesystems can give the same guarantees of monotonicity,
-claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to
-indicate that they offer an i_version value that can never go backward.
-
-Eventually if we decide to make the i_version available to userland, we
-can just designate a field for it in struct statx, and move the
-STATX_CHANGE_COOKIE definition to the uapi header.
-
-Reviewed-by: NeilBrown <neilb@suse.de>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/stat.c | 17 +++++++++++++++--
- include/linux/stat.h | 9 +++++++++
- 2 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/fs/stat.c b/fs/stat.c
-index 04550c0ba5407..3ac06528ad4cf 100644
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -17,6 +17,7 @@
- #include <linux/syscalls.h>
- #include <linux/pagemap.h>
- #include <linux/compat.h>
-+#include <linux/iversion.h>
-
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
-@@ -91,6 +92,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
- stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT |
- STATX_ATTR_DAX);
-
-+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) {
-+ stat->result_mask |= STATX_CHANGE_COOKIE;
-+ stat->change_cookie = inode_query_iversion(inode);
-+ }
-+
- if (inode->i_op->getattr)
- return inode->i_op->getattr(path, stat, request_mask,
- query_flags);
-@@ -545,9 +551,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer)
-
- memset(&tmp, 0, sizeof(tmp));
-
-- tmp.stx_mask = stat->result_mask;
-+ /* STATX_CHANGE_COOKIE is kernel-only for now */
-+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE;
- tmp.stx_blksize = stat->blksize;
-- tmp.stx_attributes = stat->attributes;
-+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */
-+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC;
- tmp.stx_nlink = stat->nlink;
- tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid);
- tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid);
-@@ -584,6 +592,11 @@ int do_statx(int dfd, const char __user *filename, unsigned flags,
- if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE)
- return -EINVAL;
-
-+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests
-+ * from userland.
-+ */
-+ mask &= ~STATX_CHANGE_COOKIE;
-+
- error = vfs_statx(dfd, filename, flags, &stat, mask);
- if (error)
- return error;
-diff --git a/include/linux/stat.h b/include/linux/stat.h
-index fff27e6038141..cd64f44642b1a 100644
---- a/include/linux/stat.h
-+++ b/include/linux/stat.h
-@@ -46,6 +46,15 @@ struct kstat {
- struct timespec64 btime; /* File creation time */
- u64 blocks;
- u64 mnt_id;
-+ u64 change_cookie;
- };
-
-+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */
-+
-+/* mask values */
-+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */
-+
-+/* file attribute values */
-+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */
-+
- #endif
---
-2.43.0
-
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/afs/rxrpc.c | 2 +-
+ fs/afs/rxrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
-index e3de7fea36435..f7305f2791fef 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
-@@ -420,7 +420,7 @@ void afs_make_call(struct afs_addr_cursor *ac, struct afs_call *call, gfp_t gfp)
+@@ -420,7 +420,7 @@ error_kill_call:
if (call->async) {
if (cancel_work_sync(&call->async_work))
afs_put_call(call);
}
ac->error = ret;
---
-2.43.0
-
+++ /dev/null
-From 353023c6542fa48ee9c2dcc5b9a4c7627d9ab187 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 17 Apr 2023 12:55:51 -0400
-Subject: IMA: use vfs_getattr_nosec to get the i_version
-
-From: Jeff Layton <jlayton@kernel.org>
-
-[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ]
-
-IMA currently accesses the i_version out of the inode directly when it
-does a measurement. This is fine for most simple filesystems, but can be
-problematic with more complex setups (e.g. overlayfs).
-
-Make IMA instead call vfs_getattr_nosec to get this info. This allows
-the filesystem to determine whether and how to report the i_version, and
-should allow IMA to work properly with a broader class of filesystems in
-the future.
-
-Reported-and-Tested-by: Stefan Berger <stefanb@linux.ibm.com>
-Reviewed-by: Christian Brauner <brauner@kernel.org>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- security/integrity/ima/ima_api.c | 9 ++++++---
- security/integrity/ima/ima_main.c | 12 ++++++++----
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
-index 04b9e465463b6..f8e2a9e0c7e97 100644
---- a/security/integrity/ima/ima_api.c
-+++ b/security/integrity/ima/ima_api.c
-@@ -13,7 +13,6 @@
- #include <linux/fs.h>
- #include <linux/xattr.h>
- #include <linux/evm.h>
--#include <linux/iversion.h>
-
- #include "ima.h"
-
-@@ -218,10 +217,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- struct inode *inode = file_inode(file);
- struct inode *real_inode = d_real_inode(file_dentry(file));
- const char *filename = file->f_path.dentry->d_name.name;
-+ struct kstat stat;
- int result = 0;
- int length;
- void *tmpbuf;
-- u64 i_version;
-+ u64 i_version = 0;
- struct {
- struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
-@@ -243,7 +243,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- * which do not support i_version, support is limited to an initial
- * measurement/appraisal/audit.
- */
-- i_version = inode_query_iversion(inode);
-+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT);
-+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
-+ i_version = stat.change_cookie;
- hash.hdr.algo = algo;
-
- /* Initialize hash digest to 0's in case of failure */
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 7cd9df8499296..f64d86dfff36f 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -24,7 +24,6 @@
- #include <linux/slab.h>
- #include <linux/xattr.h>
- #include <linux/ima.h>
--#include <linux/iversion.h>
- #include <linux/fs.h>
- #include <linux/iversion.h>
-
-@@ -164,11 +163,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
-
- mutex_lock(&iint->mutex);
- if (atomic_read(&inode->i_writecount) == 1) {
-+ struct kstat stat;
-+
- update = test_and_clear_bit(IMA_UPDATE_XATTR,
- &iint->atomic_flags);
-- if (!IS_I_VERSION(inode) ||
-- !inode_eq_iversion(inode, iint->version) ||
-- (iint->flags & IMA_NEW_FILE)) {
-+ if ((iint->flags & IMA_NEW_FILE) ||
-+ vfs_getattr_nosec(&file->f_path, &stat,
-+ STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT) ||
-+ !(stat.result_mask & STATX_CHANGE_COOKIE) ||
-+ stat.change_cookie != iint->version) {
- iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
- iint->measured_pcrs = 0;
- if (update)
---
-2.43.0
-
r8152-add-usb-device-driver-for-config-selection.patch
r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch
r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch
-vfs-plumb-i_version-handling-into-struct-kstat.patch
-ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch
mm-memory_hotplug-handle-memblock_add_node-failures-.patch
memblock-allow-to-specify-flags-with-memblock_add_no.patch
+++ /dev/null
-From 21586e51e3f9c2fbfe73b980f4366d16e74fecbc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 4 Dec 2016 09:29:46 -0500
-Subject: vfs: plumb i_version handling into struct kstat
-
-From: Jeff Layton <jlayton@redhat.com>
-
-[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ]
-
-The NFS server has a lot of special handling for different types of
-change attribute access, depending on the underlying filesystem. In
-most cases, it's doing a getattr anyway and then fetching that value
-after the fact.
-
-Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a
-kernel-only symbol (for now). If requested and getattr can implement it,
-it can fill out this field. For IS_I_VERSION inodes, add a generic
-implementation in vfs_getattr_nosec. Take care to mask
-STATX_CHANGE_COOKIE off in requests from userland and in the result
-mask.
-
-Since not all filesystems can give the same guarantees of monotonicity,
-claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to
-indicate that they offer an i_version value that can never go backward.
-
-Eventually if we decide to make the i_version available to userland, we
-can just designate a field for it in struct statx, and move the
-STATX_CHANGE_COOKIE definition to the uapi header.
-
-Reviewed-by: NeilBrown <neilb@suse.de>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/stat.c | 17 +++++++++++++++--
- include/linux/stat.h | 9 +++++++++
- 2 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/fs/stat.c b/fs/stat.c
-index 246d138ec0669..e868e6382b709 100644
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -17,6 +17,7 @@
- #include <linux/syscalls.h>
- #include <linux/pagemap.h>
- #include <linux/compat.h>
-+#include <linux/iversion.h>
-
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
-@@ -118,6 +119,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
- stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT |
- STATX_ATTR_DAX);
-
-+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) {
-+ stat->result_mask |= STATX_CHANGE_COOKIE;
-+ stat->change_cookie = inode_query_iversion(inode);
-+ }
-+
- mnt_userns = mnt_user_ns(path->mnt);
- if (inode->i_op->getattr)
- return inode->i_op->getattr(mnt_userns, path, stat,
-@@ -573,9 +579,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer)
-
- memset(&tmp, 0, sizeof(tmp));
-
-- tmp.stx_mask = stat->result_mask;
-+ /* STATX_CHANGE_COOKIE is kernel-only for now */
-+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE;
- tmp.stx_blksize = stat->blksize;
-- tmp.stx_attributes = stat->attributes;
-+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */
-+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC;
- tmp.stx_nlink = stat->nlink;
- tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid);
- tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid);
-@@ -612,6 +620,11 @@ int do_statx(int dfd, const char __user *filename, unsigned flags,
- if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE)
- return -EINVAL;
-
-+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests
-+ * from userland.
-+ */
-+ mask &= ~STATX_CHANGE_COOKIE;
-+
- error = vfs_statx(dfd, filename, flags, &stat, mask);
- if (error)
- return error;
-diff --git a/include/linux/stat.h b/include/linux/stat.h
-index 7df06931f25d8..c295fc03a2c98 100644
---- a/include/linux/stat.h
-+++ b/include/linux/stat.h
-@@ -50,6 +50,15 @@ struct kstat {
- struct timespec64 btime; /* File creation time */
- u64 blocks;
- u64 mnt_id;
-+ u64 change_cookie;
- };
-
-+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */
-+
-+/* mask values */
-+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */
-+
-+/* file attribute values */
-+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */
-+
- #endif
---
-2.43.0
-
+++ /dev/null
-From 6169658018937657f61d2ef9127d38476faafb14 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 17 Apr 2023 12:55:51 -0400
-Subject: IMA: use vfs_getattr_nosec to get the i_version
-
-From: Jeff Layton <jlayton@kernel.org>
-
-[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ]
-
-IMA currently accesses the i_version out of the inode directly when it
-does a measurement. This is fine for most simple filesystems, but can be
-problematic with more complex setups (e.g. overlayfs).
-
-Make IMA instead call vfs_getattr_nosec to get this info. This allows
-the filesystem to determine whether and how to report the i_version, and
-should allow IMA to work properly with a broader class of filesystems in
-the future.
-
-Reported-and-Tested-by: Stefan Berger <stefanb@linux.ibm.com>
-Reviewed-by: Christian Brauner <brauner@kernel.org>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- security/integrity/ima/ima_api.c | 9 ++++++---
- security/integrity/ima/ima_main.c | 12 ++++++++----
- 2 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
-index 026c8c9db9920..7a244e8ce65a5 100644
---- a/security/integrity/ima/ima_api.c
-+++ b/security/integrity/ima/ima_api.c
-@@ -13,7 +13,6 @@
- #include <linux/fs.h>
- #include <linux/xattr.h>
- #include <linux/evm.h>
--#include <linux/iversion.h>
- #include <linux/fsverity.h>
-
- #include "ima.h"
-@@ -246,10 +245,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- struct inode *real_inode = d_real_inode(file_dentry(file));
- const char *filename = file->f_path.dentry->d_name.name;
- struct ima_max_digest_data hash;
-+ struct kstat stat;
- int result = 0;
- int length;
- void *tmpbuf;
-- u64 i_version;
-+ u64 i_version = 0;
-
- /*
- * Always collect the modsig, because IMA might have already collected
-@@ -268,7 +268,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
- * to an initial measurement/appraisal/audit, but was modified to
- * assume the file changed.
- */
-- i_version = inode_query_iversion(inode);
-+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT);
-+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
-+ i_version = stat.change_cookie;
- hash.hdr.algo = algo;
- hash.hdr.length = hash_digest_size[algo];
-
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 185666d90eebc..bba421f617312 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -24,7 +24,6 @@
- #include <linux/slab.h>
- #include <linux/xattr.h>
- #include <linux/ima.h>
--#include <linux/iversion.h>
- #include <linux/fs.h>
- #include <linux/iversion.h>
-
-@@ -164,11 +163,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
-
- mutex_lock(&iint->mutex);
- if (atomic_read(&inode->i_writecount) == 1) {
-+ struct kstat stat;
-+
- update = test_and_clear_bit(IMA_UPDATE_XATTR,
- &iint->atomic_flags);
-- if (!IS_I_VERSION(inode) ||
-- !inode_eq_iversion(inode, iint->version) ||
-- (iint->flags & IMA_NEW_FILE)) {
-+ if ((iint->flags & IMA_NEW_FILE) ||
-+ vfs_getattr_nosec(&file->f_path, &stat,
-+ STATX_CHANGE_COOKIE,
-+ AT_STATX_SYNC_AS_STAT) ||
-+ !(stat.result_mask & STATX_CHANGE_COOKIE) ||
-+ stat.change_cookie != iint->version) {
- iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
- iint->measured_pcrs = 0;
- if (update)
---
-2.43.0
-
r8152-add-usb-device-driver-for-config-selection.patch
r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch
r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch
-vfs-plumb-i_version-handling-into-struct-kstat.patch
-ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
ext4-fix-warning-in-ext4_dio_write_end_io.patch
ksmbd-fix-memory-leak-in-smb2_lock.patch
+++ /dev/null
-From 64bb46638404acd0de4374537409e7c04a3bacf8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 4 Dec 2016 09:29:46 -0500
-Subject: vfs: plumb i_version handling into struct kstat
-
-From: Jeff Layton <jlayton@redhat.com>
-
-[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ]
-
-The NFS server has a lot of special handling for different types of
-change attribute access, depending on the underlying filesystem. In
-most cases, it's doing a getattr anyway and then fetching that value
-after the fact.
-
-Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a
-kernel-only symbol (for now). If requested and getattr can implement it,
-it can fill out this field. For IS_I_VERSION inodes, add a generic
-implementation in vfs_getattr_nosec. Take care to mask
-STATX_CHANGE_COOKIE off in requests from userland and in the result
-mask.
-
-Since not all filesystems can give the same guarantees of monotonicity,
-claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to
-indicate that they offer an i_version value that can never go backward.
-
-Eventually if we decide to make the i_version available to userland, we
-can just designate a field for it in struct statx, and move the
-STATX_CHANGE_COOKIE definition to the uapi header.
-
-Reviewed-by: NeilBrown <neilb@suse.de>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Signed-off-by: Jeff Layton <jlayton@kernel.org>
-Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/stat.c | 17 +++++++++++++++--
- include/linux/stat.h | 9 +++++++++
- 2 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/fs/stat.c b/fs/stat.c
-index ef50573c72a26..06fd3fc1ab84b 100644
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -18,6 +18,7 @@
- #include <linux/syscalls.h>
- #include <linux/pagemap.h>
- #include <linux/compat.h>
-+#include <linux/iversion.h>
-
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
-@@ -119,6 +120,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
- stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT |
- STATX_ATTR_DAX);
-
-+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) {
-+ stat->result_mask |= STATX_CHANGE_COOKIE;
-+ stat->change_cookie = inode_query_iversion(inode);
-+ }
-+
- mnt_userns = mnt_user_ns(path->mnt);
- if (inode->i_op->getattr)
- return inode->i_op->getattr(mnt_userns, path, stat,
-@@ -599,9 +605,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer)
-
- memset(&tmp, 0, sizeof(tmp));
-
-- tmp.stx_mask = stat->result_mask;
-+ /* STATX_CHANGE_COOKIE is kernel-only for now */
-+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE;
- tmp.stx_blksize = stat->blksize;
-- tmp.stx_attributes = stat->attributes;
-+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */
-+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC;
- tmp.stx_nlink = stat->nlink;
- tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid);
- tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid);
-@@ -640,6 +648,11 @@ int do_statx(int dfd, struct filename *filename, unsigned int flags,
- if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE)
- return -EINVAL;
-
-+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests
-+ * from userland.
-+ */
-+ mask &= ~STATX_CHANGE_COOKIE;
-+
- error = vfs_statx(dfd, filename, flags, &stat, mask);
- if (error)
- return error;
-diff --git a/include/linux/stat.h b/include/linux/stat.h
-index ff277ced50e9f..52150570d37a5 100644
---- a/include/linux/stat.h
-+++ b/include/linux/stat.h
-@@ -52,6 +52,15 @@ struct kstat {
- u64 mnt_id;
- u32 dio_mem_align;
- u32 dio_offset_align;
-+ u64 change_cookie;
- };
-
-+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */
-+
-+/* mask values */
-+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */
-+
-+/* file attribute values */
-+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */
-+
- #endif
---
-2.43.0
-