From: Greg Kroah-Hartman
Date: Mon, 9 Oct 2023 11:49:02 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.327~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d977187ce0352ae904b266c51b8781e6ca15375;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	ima-rework-config_ima-dependency-block.patch
	nfs-fix-a-race-in-__nfs_list_for_each_server.patch
---

diff --git a/queue-5.4/ima-rework-config_ima-dependency-block.patch b/queue-5.4/ima-rework-config_ima-dependency-block.patch
new file mode 100644
index 00000000000..fd2ba0555ed
--- /dev/null
+++ b/queue-5.4/ima-rework-config_ima-dependency-block.patch
@@ -0,0 +1,124 @@ +From 91e326563ee34509c35267808a4b1b3ea3db62a8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 27 Sep 2023 09:22:14 +0200 +Subject: ima: rework CONFIG_IMA dependency block + +From: Arnd Bergmann + +commit 91e326563ee34509c35267808a4b1b3ea3db62a8 upstream. + +Changing the direct dependencies of IMA_BLACKLIST_KEYRING and +IMA_LOAD_X509 caused them to no longer depend on IMA, but a +a configuration without IMA results in link failures: + +arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys': +iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509' + +aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify': +digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring' + +Adding explicit dependencies on IMA would fix this, but a more reliable +way to do this is to enclose the entire Kconfig file in an 'if IMA' block. +This also allows removing the existing direct dependencies. + +Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig") +Signed-off-by: Arnd Bergmann +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -29,9 +29,11 @@ config IMA + to learn more about IMA. + If unsure, say N. + ++if IMA ++ + config IMA_KEXEC + bool "Enable carrying the IMA measurement list across a soft boot" +- depends on IMA && TCG_TPM && HAVE_IMA_KEXEC ++ depends on TCG_TPM && HAVE_IMA_KEXEC + default n + help + TPM PCRs are only reset on a hard reboot. 
In order to validate +@@ -43,7 +45,6 @@ config IMA_KEXEC + + config IMA_MEASURE_PCR_IDX + int +- depends on IMA + range 8 14 + default 10 + help +@@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX + + config IMA_LSM_RULES + bool +- depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) ++ depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) + default y + help + Disabling this option will disregard LSM based policy rules. +@@ -61,7 +62,6 @@ config IMA_LSM_RULES + choice + prompt "Default template" + default IMA_NG_TEMPLATE +- depends on IMA + help + Select the default IMA measurement template. + +@@ -80,14 +80,12 @@ endchoice + + config IMA_DEFAULT_TEMPLATE + string +- depends on IMA + default "ima-ng" if IMA_NG_TEMPLATE + default "ima-sig" if IMA_SIG_TEMPLATE + + choice + prompt "Default integrity hash algorithm" + default IMA_DEFAULT_HASH_SHA1 +- depends on IMA + help + Select the default hash algorithm used for the measurement + list, integrity appraisal and audit log. The compiled default +@@ -113,7 +111,6 @@ endchoice + + config IMA_DEFAULT_HASH + string +- depends on IMA + default "sha1" if IMA_DEFAULT_HASH_SHA1 + default "sha256" if IMA_DEFAULT_HASH_SHA256 + default "sha512" if IMA_DEFAULT_HASH_SHA512 +@@ -121,7 +118,6 @@ config IMA_DEFAULT_HASH + + config IMA_WRITE_POLICY + bool "Enable multiple writes to the IMA policy" +- depends on IMA + default n + help + IMA policy can now be updated multiple times. The new rules get +@@ -132,7 +128,6 @@ config IMA_WRITE_POLICY + + config IMA_READ_POLICY + bool "Enable reading back the current IMA policy" +- depends on IMA + default y if IMA_WRITE_POLICY + default n if !IMA_WRITE_POLICY + help +@@ -142,7 +137,6 @@ config IMA_READ_POLICY + + config IMA_APPRAISE + bool "Appraise integrity measurements" +- depends on IMA + default n + help + This option enables local measurement integrity appraisal. 
+@@ -295,3 +289,5 @@ config IMA_APPRAISE_SIGNED_INIT + default n + help + This option requires user-space init to be signed. ++ ++endif diff --git a/queue-5.4/nfs-fix-a-race-in-__nfs_list_for_each_server.patch b/queue-5.4/nfs-fix-a-race-in-__nfs_list_for_each_server.patch new file mode 100644 index 00000000000..3284c927a8a --- /dev/null +++ b/queue-5.4/nfs-fix-a-race-in-__nfs_list_for_each_server.patch @@ -0,0 +1,32 @@ +From 9c07b75b80eeff714420fb6a4c880b284e529d0f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 30 Apr 2020 15:08:26 -0400 +Subject: NFS: Fix a race in __nfs_list_for_each_server() + +From: Trond Myklebust + +commit 9c07b75b80eeff714420fb6a4c880b284e529d0f upstream. + +The struct nfs_server gets put on the cl_superblocks list before +the server->super field has been initialised, in which case the +call to nfs_sb_active() will Oops. Add a check to ensure that +we skip such a list entry. + +Fixes: 3c9e502b59fb ("NFS: Add a helper nfs_client_for_each_server()") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -445,7 +445,7 @@ static int __nfs_list_for_each_server(st + + rcu_read_lock(); + list_for_each_entry_rcu(server, head, client_link) { +- if (!nfs_sb_active(server->super)) ++ if (!(server->super && nfs_sb_active(server->super))) + continue; + rcu_read_unlock(); + if (last) diff --git a/queue-5.4/series b/queue-5.4/series index e5e69618bbf..77250ce18ba 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -128,3 +128,5 @@ rdma-uverbs-fix-typo-of-sizeof-argument.patch rdma-siw-fix-connection-failure-handling.patch rdma-mlx5-fix-null-string-error.patch parisc-restore-__ldcw_align-for-pa-risc-2.0-processors.patch +nfs-fix-a-race-in-__nfs_list_for_each_server.patch +ima-rework-config_ima-dependency-block.patch
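Review bot: In ima-rework-config_ima-dependency-block.patch, the closing `endif` added after IMA_APPRAISE_SIGNED_INIT sits several hundred lines below the `if IMA` it matches and carries no marker; writing it as `endif # IMA` would make the block boundary visible at the end of security/integrity/ima/Kconfig. This matters because the entries that had `depends on IMA` removed (IMA_MEASURE_PCR_IDX, IMA_WRITE_POLICY, IMA_READ_POLICY, IMA_APPRAISE and the two `choice` blocks) now get that dependency only from their position inside the block, so a config entry later appended after `endif` would lose it and could reintroduce the kind of undefined-reference link failure quoted in the commit message. It is also worth checking, when this is applied to 5.4, that the entries in the unchanged region between the IMA_APPRAISE hunk and the final hunk are all still inside the block, since none of the visible hunks touch them.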
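Review bot: In the fs/nfs/super.c hunk of nfs-fix-a-race-in-__nfs_list_for_each_server.patch, the new condition `if (!(server->super && nfs_sb_active(server->super)))` loads `server->super` twice, once for the NULL test and once as the argument to nfs_sb_active(), while the commit message states that another path is still initialising that field after the server is already on the cl_superblocks list. Reading the pointer once into a local (for example with READ_ONCE()) and using that local for both the test and the call would guarantee the value checked is the value passed. A one-line comment above the check saying that a NULL `super` means the entry is not fully set up yet would also help, since nothing in the loop body otherwise explains why the field can be NULL inside the RCU read-side section.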