From: Greg Kroah-Hartman
Date: Mon, 18 Dec 2023 11:57:53 +0000 (+0100)
Subject: drop the vfs and ima patches from 5.10-6.1
X-Git-Tag: v5.15.144~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0a9a1101ec0431638957322fef21a9b5a5b8a8b;p=thirdparty%2Fkernel%2Fstable-queue.git

drop the vfs and ima patches from 5.10-6.1
---

diff --git a/queue-5.10/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch b/queue-5.10/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
deleted file mode 100644
index d9912c23e5b..00000000000
--- a/queue-5.10/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From 0218f1372ad4887ffc6df3e68d92b55b9d12a11c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Apr 2023 12:55:51 -0400 -Subject: IMA: use vfs_getattr_nosec to get the i_version - -From: Jeff Layton - -[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ] - -IMA currently accesses the i_version out of the inode directly when it -does a measurement. This is fine for most simple filesystems, but can be -problematic with more complex setups (e.g. overlayfs). - -Make IMA instead call vfs_getattr_nosec to get this info. This allows -the filesystem to determine whether and how to report the i_version, and -should allow IMA to work properly with a broader class of filesystems in -the future. - -Reported-and-Tested-by: Stefan Berger -Reviewed-by: Christian Brauner -Signed-off-by: Jeff Layton -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin ---- - security/integrity/ima/ima_api.c | 9 ++++++--- - security/integrity/ima/ima_main.c | 12 ++++++++---- - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c -index 70efd4aa1bd11..cf24e441a9fa7 100644 ---- a/security/integrity/ima/ima_api.c -+++ b/security/integrity/ima/ima_api.c -@@ -13,7 +13,6 @@ - #include - #include - #include --#include - - #include "ima.h" - -@@ -214,10 +213,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - struct inode *inode = file_inode(file); - struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; -+ struct kstat stat; - int result = 0; - int length; - void *tmpbuf; -- u64 i_version; -+ u64 i_version = 0; - struct { - struct ima_digest_data hdr; - char digest[IMA_MAX_DIGEST_SIZE]; -@@ -239,7 +239,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - * which do not support i_version, support is limited to an initial - * measurement/appraisal/audit. 
- */ -- i_version = inode_query_iversion(inode); -+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT); -+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) -+ i_version = stat.change_cookie; - hash.hdr.algo = algo; - - /* Initialize hash digest to 0's in case of failure */ -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 8e0fe0ce61646..b2e83245d17aa 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -24,7 +24,6 @@ - #include - #include - #include --#include - #include - #include - -@@ -159,11 +158,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, - - mutex_lock(&iint->mutex); - if (atomic_read(&inode->i_writecount) == 1) { -+ struct kstat stat; -+ - update = test_and_clear_bit(IMA_UPDATE_XATTR, - &iint->atomic_flags); -- if (!IS_I_VERSION(inode) || -- !inode_eq_iversion(inode, iint->version) || -- (iint->flags & IMA_NEW_FILE)) { -+ if ((iint->flags & IMA_NEW_FILE) || -+ vfs_getattr_nosec(&file->f_path, &stat, -+ STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT) || -+ !(stat.result_mask & STATX_CHANGE_COOKIE) || -+ stat.change_cookie != iint->version) { - iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); - iint->measured_pcrs = 0; - if (update) --- -2.43.0 - diff --git a/queue-5.10/series b/queue-5.10/series index 07c81ca7e5e..96fd03dd9c5 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -6,8 +6,6 @@ r8152-add-pid-for-the-lenovo-onelink-dock.patch r8152-add-usb-device-driver-for-config-selection.patch r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch -vfs-plumb-i_version-handling-into-struct-kstat.patch -ima-use-vfs_getattr_nosec-to-get-the-i_version.patch netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch afs-fix-refcount-underflow-from-error-handling-race.patch hid-lenovo-restrict-detection-of-patched-firmware-on.patch 
diff --git a/queue-5.10/vfs-plumb-i_version-handling-into-struct-kstat.patch b/queue-5.10/vfs-plumb-i_version-handling-into-struct-kstat.patch
deleted file mode 100644
index 586e3a17ffb..00000000000
--- a/queue-5.10/vfs-plumb-i_version-handling-into-struct-kstat.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From c271cde72b2e037c3e9955790d124d763030abe3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Dec 2016 09:29:46 -0500 -Subject: vfs: plumb i_version handling into struct kstat - -From: Jeff Layton - -[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ] - -The NFS server has a lot of special handling for different types of -change attribute access, depending on the underlying filesystem. In -most cases, it's doing a getattr anyway and then fetching that value -after the fact. - -Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a -kernel-only symbol (for now). If requested and getattr can implement it, -it can fill out this field. For IS_I_VERSION inodes, add a generic -implementation in vfs_getattr_nosec. Take care to mask -STATX_CHANGE_COOKIE off in requests from userland and in the result -mask. - -Since not all filesystems can give the same guarantees of monotonicity, -claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to -indicate that they offer an i_version value that can never go backward. - -Eventually if we decide to make the i_version available to userland, we -can just designate a field for it in struct statx, and move the -STATX_CHANGE_COOKIE definition to the uapi header. 
- -Reviewed-by: NeilBrown -Reviewed-by: Jan Kara -Signed-off-by: Jeff Layton -Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") -Signed-off-by: Sasha Levin ---- - fs/stat.c | 17 +++++++++++++++-- - include/linux/stat.h | 9 +++++++++ - 2 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/fs/stat.c b/fs/stat.c -index 04550c0ba5407..3ac06528ad4cf 100644 ---- a/fs/stat.c -+++ b/fs/stat.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -91,6 +92,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat, - stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT | - STATX_ATTR_DAX); - -+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) { -+ stat->result_mask |= STATX_CHANGE_COOKIE; -+ stat->change_cookie = inode_query_iversion(inode); -+ } -+ - if (inode->i_op->getattr) - return inode->i_op->getattr(path, stat, request_mask, - query_flags); -@@ -545,9 +551,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer) - - memset(&tmp, 0, sizeof(tmp)); - -- tmp.stx_mask = stat->result_mask; -+ /* STATX_CHANGE_COOKIE is kernel-only for now */ -+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE; - tmp.stx_blksize = stat->blksize; -- tmp.stx_attributes = stat->attributes; -+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */ -+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC; - tmp.stx_nlink = stat->nlink; - tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid); - tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid); -@@ -584,6 +592,11 @@ int do_statx(int dfd, const char __user *filename, unsigned flags, - if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE) - return -EINVAL; - -+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests -+ * from userland. 
-+ */ -+ mask &= ~STATX_CHANGE_COOKIE; -+ - error = vfs_statx(dfd, filename, flags, &stat, mask); - if (error) - return error; -diff --git a/include/linux/stat.h b/include/linux/stat.h -index fff27e6038141..cd64f44642b1a 100644 ---- a/include/linux/stat.h -+++ b/include/linux/stat.h -@@ -46,6 +46,15 @@ struct kstat { - struct timespec64 btime; /* File creation time */ - u64 blocks; - u64 mnt_id; -+ u64 change_cookie; - }; - -+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */ -+ -+/* mask values */ -+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */ -+ -+/* file attribute values */ -+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */ -+ - #endif --- -2.43.0 - diff --git a/queue-5.15/afs-fix-refcount-underflow-from-error-handling-race.patch b/queue-5.15/afs-fix-refcount-underflow-from-error-handling-race.patch index 6a28be3e22f..24eb1f9f1f6 100644 --- a/queue-5.15/afs-fix-refcount-underflow-from-error-handling-race.patch +++ b/queue-5.15/afs-fix-refcount-underflow-from-error-handling-race.patch @@ -125,14 +125,12 @@ Link: https://lore.kernel.org/r/2633992.1702073229@warthog.procyon.org.uk/ # v1 Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- - fs/afs/rxrpc.c | 2 +- + fs/afs/rxrpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c -index e3de7fea36435..f7305f2791fef 100644 --- a/fs/afs/rxrpc.c +++ b/fs/afs/rxrpc.c -@@ -420,7 +420,7 @@ void afs_make_call(struct afs_addr_cursor *ac, struct afs_call *call, gfp_t gfp) +@@ -420,7 +420,7 @@ error_kill_call: if (call->async) { if (cancel_work_sync(&call->async_work)) afs_put_call(call); @@ -141,6 +139,3 @@ index e3de7fea36435..f7305f2791fef 100644 } ac->error = ret; --- -2.43.0 - 
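Review bot: The queue-5.15 hunk for afs-fix-refcount-underflow-from-error-handling-race.patch is unrelated to the subject, which only mentions dropping the vfs and ima patches, and nothing in the commit record mentions it. From the visible lines it only removes the embedded `diff --git`/`index` lines and the `2.43.0` trailer and changes the inner hunk header's context from the `afs_make_call(...)` signature to `error_kill_call:`, so it looks like a tool refresh rather than a code change, but that is inferred. A line in the message body such as `also refresh queue-5.15/afs-fix-refcount-underflow-from-error-handling-race.patch (metadata only)` would let someone auditing the queue confirm that the refcount fix itself is unchanged.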
diff --git a/queue-5.15/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch b/queue-5.15/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
deleted file mode 100644
index 944e1c8414c..00000000000
--- a/queue-5.15/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
+++ /dev/null
@@ -1,100 +0,0 @@ -From 353023c6542fa48ee9c2dcc5b9a4c7627d9ab187 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Apr 2023 12:55:51 -0400 -Subject: IMA: use vfs_getattr_nosec to get the i_version - -From: Jeff Layton - -[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ] - -IMA currently accesses the i_version out of the inode directly when it -does a measurement. This is fine for most simple filesystems, but can be -problematic with more complex setups (e.g. overlayfs). - -Make IMA instead call vfs_getattr_nosec to get this info. This allows -the filesystem to determine whether and how to report the i_version, and -should allow IMA to work properly with a broader class of filesystems in -the future. - -Reported-and-Tested-by: Stefan Berger -Reviewed-by: Christian Brauner -Signed-off-by: Jeff Layton -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin ---- - security/integrity/ima/ima_api.c | 9 ++++++--- - security/integrity/ima/ima_main.c | 12 ++++++++---- - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c -index 04b9e465463b6..f8e2a9e0c7e97 100644 ---- a/security/integrity/ima/ima_api.c -+++ b/security/integrity/ima/ima_api.c -@@ -13,7 +13,6 @@ - #include - #include - #include --#include - - #include "ima.h" - -@@ -218,10 +217,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - struct inode *inode = file_inode(file); - struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; -+ struct kstat stat; - int result = 0; - int length; - void *tmpbuf; -- u64 i_version; -+ u64 i_version = 0; - struct { - struct ima_digest_data hdr; - char digest[IMA_MAX_DIGEST_SIZE]; -@@ -243,7 +243,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - * which do not support i_version, support is limited to an initial - * measurement/appraisal/audit. 
- */ -- i_version = inode_query_iversion(inode); -+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT); -+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) -+ i_version = stat.change_cookie; - hash.hdr.algo = algo; - - /* Initialize hash digest to 0's in case of failure */ -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 7cd9df8499296..f64d86dfff36f 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -24,7 +24,6 @@ - #include - #include - #include --#include - #include - #include - -@@ -164,11 +163,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, - - mutex_lock(&iint->mutex); - if (atomic_read(&inode->i_writecount) == 1) { -+ struct kstat stat; -+ - update = test_and_clear_bit(IMA_UPDATE_XATTR, - &iint->atomic_flags); -- if (!IS_I_VERSION(inode) || -- !inode_eq_iversion(inode, iint->version) || -- (iint->flags & IMA_NEW_FILE)) { -+ if ((iint->flags & IMA_NEW_FILE) || -+ vfs_getattr_nosec(&file->f_path, &stat, -+ STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT) || -+ !(stat.result_mask & STATX_CHANGE_COOKIE) || -+ stat.change_cookie != iint->version) { - iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); - iint->measured_pcrs = 0; - if (update) --- -2.43.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 3b006cfcec0..a0ccfbd867c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -2,8 +2,6 @@ perf-x86-uncore-don-t-warn_on_once-for-a-broken-discovery-table.patch
 r8152-add-usb-device-driver-for-config-selection.patch
 r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch
 r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch
-vfs-plumb-i_version-handling-into-struct-kstat.patch
-ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
 netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch
 mm-memory_hotplug-handle-memblock_add_node-failures-.patch
 memblock-allow-to-specify-flags-with-memblock_add_no.patch
diff --git a/queue-5.15/vfs-plumb-i_version-handling-into-struct-kstat.patch b/queue-5.15/vfs-plumb-i_version-handling-into-struct-kstat.patch
deleted file mode 100644
index f375c6e628a..00000000000
--- a/queue-5.15/vfs-plumb-i_version-handling-into-struct-kstat.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 21586e51e3f9c2fbfe73b980f4366d16e74fecbc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Dec 2016 09:29:46 -0500 -Subject: vfs: plumb i_version handling into struct kstat - -From: Jeff Layton - -[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ] - -The NFS server has a lot of special handling for different types of -change attribute access, depending on the underlying filesystem. In -most cases, it's doing a getattr anyway and then fetching that value -after the fact. - -Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a -kernel-only symbol (for now). If requested and getattr can implement it, -it can fill out this field. For IS_I_VERSION inodes, add a generic -implementation in vfs_getattr_nosec. Take care to mask -STATX_CHANGE_COOKIE off in requests from userland and in the result -mask. - -Since not all filesystems can give the same guarantees of monotonicity, -claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to -indicate that they offer an i_version value that can never go backward. - -Eventually if we decide to make the i_version available to userland, we -can just designate a field for it in struct statx, and move the -STATX_CHANGE_COOKIE definition to the uapi header. 
- -Reviewed-by: NeilBrown -Reviewed-by: Jan Kara -Signed-off-by: Jeff Layton -Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") -Signed-off-by: Sasha Levin ---- - fs/stat.c | 17 +++++++++++++++-- - include/linux/stat.h | 9 +++++++++ - 2 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/fs/stat.c b/fs/stat.c -index 246d138ec0669..e868e6382b709 100644 ---- a/fs/stat.c -+++ b/fs/stat.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -118,6 +119,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat, - stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT | - STATX_ATTR_DAX); - -+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) { -+ stat->result_mask |= STATX_CHANGE_COOKIE; -+ stat->change_cookie = inode_query_iversion(inode); -+ } -+ - mnt_userns = mnt_user_ns(path->mnt); - if (inode->i_op->getattr) - return inode->i_op->getattr(mnt_userns, path, stat, -@@ -573,9 +579,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer) - - memset(&tmp, 0, sizeof(tmp)); - -- tmp.stx_mask = stat->result_mask; -+ /* STATX_CHANGE_COOKIE is kernel-only for now */ -+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE; - tmp.stx_blksize = stat->blksize; -- tmp.stx_attributes = stat->attributes; -+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */ -+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC; - tmp.stx_nlink = stat->nlink; - tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid); - tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid); -@@ -612,6 +620,11 @@ int do_statx(int dfd, const char __user *filename, unsigned flags, - if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE) - return -EINVAL; - -+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests -+ * from userland. 
-+ */ -+ mask &= ~STATX_CHANGE_COOKIE; -+ - error = vfs_statx(dfd, filename, flags, &stat, mask); - if (error) - return error; -diff --git a/include/linux/stat.h b/include/linux/stat.h -index 7df06931f25d8..c295fc03a2c98 100644 ---- a/include/linux/stat.h -+++ b/include/linux/stat.h -@@ -50,6 +50,15 @@ struct kstat { - struct timespec64 btime; /* File creation time */ - u64 blocks; - u64 mnt_id; -+ u64 change_cookie; - }; - -+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */ -+ -+/* mask values */ -+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */ -+ -+/* file attribute values */ -+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */ -+ - #endif --- -2.43.0 - diff --git a/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch b/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch deleted file mode 100644 index d7ca0e018bf..00000000000 --- a/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 6169658018937657f61d2ef9127d38476faafb14 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Apr 2023 12:55:51 -0400 -Subject: IMA: use vfs_getattr_nosec to get the i_version - -From: Jeff Layton - -[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ] - -IMA currently accesses the i_version out of the inode directly when it -does a measurement. This is fine for most simple filesystems, but can be -problematic with more complex setups (e.g. overlayfs). - -Make IMA instead call vfs_getattr_nosec to get this info. This allows -the filesystem to determine whether and how to report the i_version, and -should allow IMA to work properly with a broader class of filesystems in -the future. - -Reported-and-Tested-by: Stefan Berger -Reviewed-by: Christian Brauner -Signed-off-by: Jeff Layton -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin ---- - security/integrity/ima/ima_api.c | 9 ++++++--- - security/integrity/ima/ima_main.c | 12 ++++++++---- - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c -index 026c8c9db9920..7a244e8ce65a5 100644 ---- a/security/integrity/ima/ima_api.c -+++ b/security/integrity/ima/ima_api.c -@@ -13,7 +13,6 @@ - #include - #include - #include --#include - #include - - #include "ima.h" -@@ -246,10 +245,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; - struct ima_max_digest_data hash; -+ struct kstat stat; - int result = 0; - int length; - void *tmpbuf; -- u64 i_version; -+ u64 i_version = 0; - - /* - * Always collect the modsig, because IMA might have already collected -@@ -268,7 +268,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - * to an initial measurement/appraisal/audit, but was modified to - * assume the file changed. 
- */ -- i_version = inode_query_iversion(inode); -+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT); -+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) -+ i_version = stat.change_cookie; - hash.hdr.algo = algo; - hash.hdr.length = hash_digest_size[algo]; - -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 185666d90eebc..bba421f617312 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -24,7 +24,6 @@ - #include - #include - #include --#include - #include - #include - -@@ -164,11 +163,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, - - mutex_lock(&iint->mutex); - if (atomic_read(&inode->i_writecount) == 1) { -+ struct kstat stat; -+ - update = test_and_clear_bit(IMA_UPDATE_XATTR, - &iint->atomic_flags); -- if (!IS_I_VERSION(inode) || -- !inode_eq_iversion(inode, iint->version) || -- (iint->flags & IMA_NEW_FILE)) { -+ if ((iint->flags & IMA_NEW_FILE) || -+ vfs_getattr_nosec(&file->f_path, &stat, -+ STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT) || -+ !(stat.result_mask & STATX_CHANGE_COOKIE) || -+ stat.change_cookie != iint->version) { - iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); - iint->measured_pcrs = 0; - if (update) --- -2.43.0 - diff --git a/queue-6.1/series b/queue-6.1/series index c277868711f..297a50921cb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -2,8 +2,6 @@ perf-x86-uncore-don-t-warn_on_once-for-a-broken-discovery-table.patch r8152-add-usb-device-driver-for-config-selection.patch r8152-add-vendor-device-id-pair-for-d-link-dub-e250.patch r8152-add-vendor-device-id-pair-for-asus-usb-c2500.patch -vfs-plumb-i_version-handling-into-struct-kstat.patch -ima-use-vfs_getattr_nosec-to-get-the-i_version.patch powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch ext4-fix-warning-in-ext4_dio_write_end_io.patch ksmbd-fix-memory-leak-in-smb2_lock.patch 
diff --git a/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch b/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch
deleted file mode 100644
index 57c38501509..00000000000
--- a/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 64bb46638404acd0de4374537409e7c04a3bacf8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Dec 2016 09:29:46 -0500 -Subject: vfs: plumb i_version handling into struct kstat - -From: Jeff Layton - -[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ] - -The NFS server has a lot of special handling for different types of -change attribute access, depending on the underlying filesystem. In -most cases, it's doing a getattr anyway and then fetching that value -after the fact. - -Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a -kernel-only symbol (for now). If requested and getattr can implement it, -it can fill out this field. For IS_I_VERSION inodes, add a generic -implementation in vfs_getattr_nosec. Take care to mask -STATX_CHANGE_COOKIE off in requests from userland and in the result -mask. - -Since not all filesystems can give the same guarantees of monotonicity, -claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to -indicate that they offer an i_version value that can never go backward. - -Eventually if we decide to make the i_version available to userland, we -can just designate a field for it in struct statx, and move the -STATX_CHANGE_COOKIE definition to the uapi header. 
- -Reviewed-by: NeilBrown -Reviewed-by: Jan Kara -Signed-off-by: Jeff Layton -Stable-dep-of: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") -Signed-off-by: Sasha Levin ---- - fs/stat.c | 17 +++++++++++++++-- - include/linux/stat.h | 9 +++++++++ - 2 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/fs/stat.c b/fs/stat.c -index ef50573c72a26..06fd3fc1ab84b 100644 ---- a/fs/stat.c -+++ b/fs/stat.c -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -119,6 +120,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat, - stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT | - STATX_ATTR_DAX); - -+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) { -+ stat->result_mask |= STATX_CHANGE_COOKIE; -+ stat->change_cookie = inode_query_iversion(inode); -+ } -+ - mnt_userns = mnt_user_ns(path->mnt); - if (inode->i_op->getattr) - return inode->i_op->getattr(mnt_userns, path, stat, -@@ -599,9 +605,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer) - - memset(&tmp, 0, sizeof(tmp)); - -- tmp.stx_mask = stat->result_mask; -+ /* STATX_CHANGE_COOKIE is kernel-only for now */ -+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE; - tmp.stx_blksize = stat->blksize; -- tmp.stx_attributes = stat->attributes; -+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */ -+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC; - tmp.stx_nlink = stat->nlink; - tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid); - tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid); -@@ -640,6 +648,11 @@ int do_statx(int dfd, struct filename *filename, unsigned int flags, - if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE) - return -EINVAL; - -+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests -+ * from userland. 
-+ */ -+ mask &= ~STATX_CHANGE_COOKIE; -+ - error = vfs_statx(dfd, filename, flags, &stat, mask); - if (error) - return error; -diff --git a/include/linux/stat.h b/include/linux/stat.h -index ff277ced50e9f..52150570d37a5 100644 ---- a/include/linux/stat.h -+++ b/include/linux/stat.h -@@ -52,6 +52,15 @@ struct kstat { - u64 mnt_id; - u32 dio_mem_align; - u32 dio_offset_align; -+ u64 change_cookie; - }; - -+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */ -+ -+/* mask values */ -+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */ -+ -+/* file attribute values */ -+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */ -+ - #endif --- -2.43.0 -