--- /dev/null
+From 91e326563ee34509c35267808a4b1b3ea3db62a8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 27 Sep 2023 09:22:14 +0200
+Subject: ima: rework CONFIG_IMA dependency block
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 91e326563ee34509c35267808a4b1b3ea3db62a8 upstream.
+
+Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
+IMA_LOAD_X509 caused them to no longer depend on IMA, but a
+a configuration without IMA results in link failures:
+
+arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
+iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'
+
+aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
+digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'
+
+Adding explicit dependencies on IMA would fix this, but a more reliable
+way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
+This also allows removing the existing direct dependencies.
+
+Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/Kconfig | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -29,9 +29,11 @@ config IMA
+ to learn more about IMA.
+ If unsure, say N.
+
++if IMA
++
+ config IMA_KEXEC
+ bool "Enable carrying the IMA measurement list across a soft boot"
+- depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
++ depends on TCG_TPM && HAVE_IMA_KEXEC
+ default n
+ help
+ TPM PCRs are only reset on a hard reboot. In order to validate
+@@ -43,7 +45,6 @@ config IMA_KEXEC
+
+ config IMA_MEASURE_PCR_IDX
+ int
+- depends on IMA
+ range 8 14
+ default 10
+ help
+@@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX
+
+ config IMA_LSM_RULES
+ bool
+- depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
++ depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
+ default y
+ help
+ Disabling this option will disregard LSM based policy rules.
+@@ -61,7 +62,6 @@ config IMA_LSM_RULES
+ choice
+ prompt "Default template"
+ default IMA_NG_TEMPLATE
+- depends on IMA
+ help
+ Select the default IMA measurement template.
+
+@@ -80,14 +80,12 @@ endchoice
+
+ config IMA_DEFAULT_TEMPLATE
+ string
+- depends on IMA
+ default "ima-ng" if IMA_NG_TEMPLATE
+ default "ima-sig" if IMA_SIG_TEMPLATE
+
+ choice
+ prompt "Default integrity hash algorithm"
+ default IMA_DEFAULT_HASH_SHA1
+- depends on IMA
+ help
+ Select the default hash algorithm used for the measurement
+ list, integrity appraisal and audit log. The compiled default
+@@ -113,7 +111,6 @@ endchoice
+
+ config IMA_DEFAULT_HASH
+ string
+- depends on IMA
+ default "sha1" if IMA_DEFAULT_HASH_SHA1
+ default "sha256" if IMA_DEFAULT_HASH_SHA256
+ default "sha512" if IMA_DEFAULT_HASH_SHA512
+@@ -121,7 +118,6 @@ config IMA_DEFAULT_HASH
+
+ config IMA_WRITE_POLICY
+ bool "Enable multiple writes to the IMA policy"
+- depends on IMA
+ default n
+ help
+ IMA policy can now be updated multiple times. The new rules get
+@@ -132,7 +128,6 @@ config IMA_WRITE_POLICY
+
+ config IMA_READ_POLICY
+ bool "Enable reading back the current IMA policy"
+- depends on IMA
+ default y if IMA_WRITE_POLICY
+ default n if !IMA_WRITE_POLICY
+ help
+@@ -142,7 +137,6 @@ config IMA_READ_POLICY
+
+ config IMA_APPRAISE
+ bool "Appraise integrity measurements"
+- depends on IMA
+ default n
+ help
+ This option enables local measurement integrity appraisal.
+@@ -295,3 +289,5 @@ config IMA_APPRAISE_SIGNED_INIT
+ default n
+ help
+ This option requires user-space init to be signed.
++
++endif
--- /dev/null
+From 9c07b75b80eeff714420fb6a4c880b284e529d0f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 30 Apr 2020 15:08:26 -0400
+Subject: NFS: Fix a race in __nfs_list_for_each_server()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 9c07b75b80eeff714420fb6a4c880b284e529d0f upstream.
+
+The struct nfs_server gets put on the cl_superblocks list before
+the server->super field has been initialised, in which case the
+call to nfs_sb_active() will Oops. Add a check to ensure that
+we skip such a list entry.
+
+Fixes: 3c9e502b59fb ("NFS: Add a helper nfs_client_for_each_server()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -445,7 +445,7 @@ static int __nfs_list_for_each_server(st
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(server, head, client_link) {
+- if (!nfs_sb_active(server->super))
++ if (!(server->super && nfs_sb_active(server->super)))
+ continue;
+ rcu_read_unlock();
+ if (last)
projects / thirdparty / kernel / stable-queue.git / commitdiff
