From: Greg Kroah-Hartman Date: Tue, 2 Jul 2024 15:12:24 +0000 (+0200) Subject: drop a vfs and ima patch from 6.1 that were not needed X-Git-Tag: v4.19.317~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5b1b69bb40eb19f82e1371b5b47b159423a33fc9;p=thirdparty%2Fkernel%2Fstable-queue.git drop a vfs and ima patch from 6.1 that were not needed --- diff --git a/queue-6.1/ima-fix-use-after-free-on-a-dentry-s-dname.name.patch b/queue-6.1/ima-fix-use-after-free-on-a-dentry-s-dname.name.patch index 9d4e3fb4470..5384314e000 100644 --- a/queue-6.1/ima-fix-use-after-free-on-a-dentry-s-dname.name.patch +++ b/queue-6.1/ima-fix-use-after-free-on-a-dentry-s-dname.name.patch @@ -19,25 +19,23 @@ Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin --- - security/integrity/ima/ima_api.c | 16 ++++++++++++---- - security/integrity/ima/ima_template_lib.c | 17 ++++++++++++++--- + security/integrity/ima/ima_api.c | 16 ++++++++++++---- + security/integrity/ima/ima_template_lib.c | 17 ++++++++++++++--- 2 files changed, 26 insertions(+), 7 deletions(-) -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c -index 7a244e8ce65a5..cea8df0115a28 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c -@@ -243,8 +243,8 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, +@@ -244,8 +244,8 @@ int ima_collect_measurement(struct integ const char *audit_cause = "failed"; struct inode *inode = file_inode(file); struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; struct ima_max_digest_data hash; + struct name_snapshot filename; - struct kstat stat; int result = 0; int length; -@@ -322,9 +322,13 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, + void *tmpbuf; +@@ -319,9 +319,13 @@ out: if (file->f_flags & O_DIRECT) audit_cause = "failed(directio)"; 
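Review bot: The `index 7a244e8ce65a5..cea8df0115a28 100644` line is dropped from the ima-fix patch in this hunk (`-index …`, alongside `-diff --git …`), so the refreshed `ima_api.c` hunks no longer carry a pre-image blob id and apply on context alone — precisely the situation, after a context-only rebase, where a hunk can land at a wrong offset without complaint. The new side is at least self-consistent: `struct kstat stat;` leaves the context and `void *tmpbuf;` replaces it, matching the pre-`vfs_getattr_nosec()` layout of `ima_collect_measurement()` in 6.1 (which keeps `u64 i_version` and the direct `inode_query_iversion()` read the dropped patch would have replaced), and the first header moving `-243`→`+244` matches the restored `#include`. The second header moves from `-322 … ima_collect_measurement` to `+319 … out:`, so the snapshot code around the audit call now sits after the `out:` label and outside this diff-of-a-diff; after applying, confirm that the take and release of the dentry name snapshot both landed in the same `if (result < 0)` arm (presumably the branch that sets `audit_cause = "failed(directio)"`) and that queue-6.1 still builds. Since both dropped patches carried `Stable-dep-of: be84f32bb2c9`, a one-line note in the commit message that the dependency was context-only would keep the pair from being re-queued on the next refresh.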
@@ -53,7 +51,7 @@ index 7a244e8ce65a5..cea8df0115a28 100644 } return result; } -@@ -437,6 +441,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, +@@ -434,6 +438,7 @@ out: */ const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) { @@ -61,7 +59,7 @@ index 7a244e8ce65a5..cea8df0115a28 100644 char *pathname = NULL; *pathbuf = __getname(); -@@ -450,7 +455,10 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) +@@ -447,7 +452,10 @@ const char *ima_d_path(const struct path } if (!pathname) { @@ -73,11 +71,9 @@ index 7a244e8ce65a5..cea8df0115a28 100644 pathname = namebuf; } -diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c -index 7bf9b15072202..41ec31debe870 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c -@@ -483,7 +483,10 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, +@@ -483,7 +483,10 @@ static int ima_eventname_init_common(str bool size_limit) { const char *cur_filename = NULL; @@ -88,7 +84,7 @@ index 7bf9b15072202..41ec31debe870 100644 BUG_ON(event_data->filename == NULL && event_data->file == NULL); -@@ -496,7 +499,10 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, +@@ -496,7 +499,10 @@ static int ima_eventname_init_common(str } if (event_data->file) { @@ -100,7 +96,7 @@ index 7bf9b15072202..41ec31debe870 100644 cur_filename_len = strlen(cur_filename); } else /* -@@ -505,8 +511,13 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, +@@ -505,8 +511,13 @@ static int ima_eventname_init_common(str */ cur_filename_len = IMA_EVENT_NAME_LEN_MAX; out: @@ -116,6 +112,3 @@ index 7bf9b15072202..41ec31debe870 100644 } /* --- -2.43.0 - diff --git a/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch b/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch deleted file mode 100644 index 6ab879cf8ef..00000000000 
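Review bot: In the `ima_eventname_init_common()` hunk at `+@@ -505,8 +511,13 @@ … out:` the patch adds five lines after the `out:` label, which is also reached from the `event_data->filename` path where no dentry snapshot is taken (the `if (event_data->file) {` branch at `+@@ -496,7 +499,10 @@` is the only place one can be), so the release after `out:` must stay guarded by the same `if (event_data->file)` test or it calls `release_dentry_name_snapshot()` on an uninitialised `struct name_snapshot`. Those added lines are unchanged context in this diff-of-a-diff and are not visible here — only the hunk headers and their truncated function context changed — so this is a check on the refreshed patch rather than a defect I can see; the function body lies entirely outside the hunk. The `ima_api.c` hunks shift by three lines (`-437`→`+434`, `-450`→`+447`) while the `ima_template_lib.c` offsets stay at `483`/`496`/`505`, which is consistent with the dropped `vfs_getattr_nosec()` block having touched only `ima_api.c`. An apply-and-build of queue-6.1 would settle both points, since the refresh also removed the `index 7bf9b15072202..41ec31debe870` line that a 3-way apply would otherwise use to verify the pre-image.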
--- a/queue-6.1/ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 1ecfaeacb62b0e0c7cbe178410b6bd5dc2a394b1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Apr 2023 12:55:51 -0400 -Subject: IMA: use vfs_getattr_nosec to get the i_version - -From: Jeff Layton - -[ Upstream commit db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7 ] - -IMA currently accesses the i_version out of the inode directly when it -does a measurement. This is fine for most simple filesystems, but can be -problematic with more complex setups (e.g. overlayfs). - -Make IMA instead call vfs_getattr_nosec to get this info. This allows -the filesystem to determine whether and how to report the i_version, and -should allow IMA to work properly with a broader class of filesystems in -the future. - -Reported-and-Tested-by: Stefan Berger -Reviewed-by: Christian Brauner -Signed-off-by: Jeff Layton -Signed-off-by: Mimi Zohar -Stable-dep-of: be84f32bb2c9 ("ima: Fix use-after-free on a dentry's dname.name") -Signed-off-by: Sasha Levin ---- - security/integrity/ima/ima_api.c | 9 ++++++--- - security/integrity/ima/ima_main.c | 12 ++++++++---- - 2 files changed, 14 insertions(+), 7 deletions(-) - -diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c -index 026c8c9db9920..7a244e8ce65a5 100644 ---- a/security/integrity/ima/ima_api.c -+++ b/security/integrity/ima/ima_api.c -@@ -13,7 +13,6 @@ - #include - #include - #include --#include - #include - - #include "ima.h" -@@ -246,10 +245,11 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; - struct ima_max_digest_data hash; -+ struct kstat stat; - int result = 0; - int length; - void *tmpbuf; -- u64 i_version; -+ u64 i_version = 0; - - /* - * Always collect the modsig, because IMA might have already collected -@@ -268,7 +268,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, - * to an initial measurement/appraisal/audit, but was 
modified to - * assume the file changed. - */ -- i_version = inode_query_iversion(inode); -+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT); -+ if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) -+ i_version = stat.change_cookie; - hash.hdr.algo = algo; - hash.hdr.length = hash_digest_size[algo]; - -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index 185666d90eebc..bba421f617312 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -24,7 +24,6 @@ - #include - #include - #include --#include - #include - #include - -@@ -164,11 +163,16 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, - - mutex_lock(&iint->mutex); - if (atomic_read(&inode->i_writecount) == 1) { -+ struct kstat stat; -+ - update = test_and_clear_bit(IMA_UPDATE_XATTR, - &iint->atomic_flags); -- if (!IS_I_VERSION(inode) || -- !inode_eq_iversion(inode, iint->version) || -- (iint->flags & IMA_NEW_FILE)) { -+ if ((iint->flags & IMA_NEW_FILE) || -+ vfs_getattr_nosec(&file->f_path, &stat, -+ STATX_CHANGE_COOKIE, -+ AT_STATX_SYNC_AS_STAT) || -+ !(stat.result_mask & STATX_CHANGE_COOKIE) || -+ stat.change_cookie != iint->version) { - iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); - iint->measured_pcrs = 0; - if (update) --- -2.43.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 1b4f0c55080..cfd827fae32 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -58,8 +58,6 @@ drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch
 riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch
 gpiolib-cdev-disallow-reconfiguration-without-direct.patch
 randomize_kstack-remove-non-functional-per-arch-entr.patch
-vfs-plumb-i_version-handling-into-struct-kstat.patch
-ima-use-vfs_getattr_nosec-to-get-the-i_version.patch
 ima-fix-use-after-free-on-a-dentry-s-dname.name.patch
 x86-stop-playing-stack-games-in-profile_pc.patch
 parisc-use-generic-sys_fanotify_mark-implementation.patch
diff --git a/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch b/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch
deleted file mode 100644
index 3a1cb038217..00000000000
--- a/queue-6.1/vfs-plumb-i_version-handling-into-struct-kstat.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 72aa39d07c4636965c9a8c7e965476f103d8a398 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Dec 2016 09:29:46 -0500 -Subject: vfs: plumb i_version handling into struct kstat - -From: Jeff Layton - -[ Upstream commit a1175d6b1bdaf4f74eda47ab18eb44194f9cb796 ] - -The NFS server has a lot of special handling for different types of -change attribute access, depending on the underlying filesystem. In -most cases, it's doing a getattr anyway and then fetching that value -after the fact. - -Rather that do that, add a new STATX_CHANGE_COOKIE flag that is a -kernel-only symbol (for now). If requested and getattr can implement it, -it can fill out this field. For IS_I_VERSION inodes, add a generic -implementation in vfs_getattr_nosec. Take care to mask -STATX_CHANGE_COOKIE off in requests from userland and in the result -mask. - -Since not all filesystems can give the same guarantees of monotonicity, -claim a STATX_ATTR_CHANGE_MONOTONIC flag that filesystems can set to -indicate that they offer an i_version value that can never go backward. - -Eventually if we decide to make the i_version available to userland, we -can just designate a field for it in struct statx, and move the -STATX_CHANGE_COOKIE definition to the uapi header. 
- -Reviewed-by: NeilBrown -Reviewed-by: Jan Kara -Signed-off-by: Jeff Layton -Stable-dep-of: be84f32bb2c9 ("ima: Fix use-after-free on a dentry's dname.name") -Signed-off-by: Sasha Levin ---- - fs/stat.c | 17 +++++++++++++++-- - include/linux/stat.h | 9 +++++++++ - 2 files changed, 24 insertions(+), 2 deletions(-) - -diff --git a/fs/stat.c b/fs/stat.c -index ef50573c72a26..06fd3fc1ab84b 100644 ---- a/fs/stat.c -+++ b/fs/stat.c -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -119,6 +120,11 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat, - stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT | - STATX_ATTR_DAX); - -+ if ((request_mask & STATX_CHANGE_COOKIE) && IS_I_VERSION(inode)) { -+ stat->result_mask |= STATX_CHANGE_COOKIE; -+ stat->change_cookie = inode_query_iversion(inode); -+ } -+ - mnt_userns = mnt_user_ns(path->mnt); - if (inode->i_op->getattr) - return inode->i_op->getattr(mnt_userns, path, stat, -@@ -599,9 +605,11 @@ cp_statx(const struct kstat *stat, struct statx __user *buffer) - - memset(&tmp, 0, sizeof(tmp)); - -- tmp.stx_mask = stat->result_mask; -+ /* STATX_CHANGE_COOKIE is kernel-only for now */ -+ tmp.stx_mask = stat->result_mask & ~STATX_CHANGE_COOKIE; - tmp.stx_blksize = stat->blksize; -- tmp.stx_attributes = stat->attributes; -+ /* STATX_ATTR_CHANGE_MONOTONIC is kernel-only for now */ -+ tmp.stx_attributes = stat->attributes & ~STATX_ATTR_CHANGE_MONOTONIC; - tmp.stx_nlink = stat->nlink; - tmp.stx_uid = from_kuid_munged(current_user_ns(), stat->uid); - tmp.stx_gid = from_kgid_munged(current_user_ns(), stat->gid); -@@ -640,6 +648,11 @@ int do_statx(int dfd, struct filename *filename, unsigned int flags, - if ((flags & AT_STATX_SYNC_TYPE) == AT_STATX_SYNC_TYPE) - return -EINVAL; - -+ /* STATX_CHANGE_COOKIE is kernel-only for now. Ignore requests -+ * from userland. 
-+ */ -+ mask &= ~STATX_CHANGE_COOKIE; -+ - error = vfs_statx(dfd, filename, flags, &stat, mask); - if (error) - return error; -diff --git a/include/linux/stat.h b/include/linux/stat.h -index ff277ced50e9f..52150570d37a5 100644 ---- a/include/linux/stat.h -+++ b/include/linux/stat.h -@@ -52,6 +52,15 @@ struct kstat { - u64 mnt_id; - u32 dio_mem_align; - u32 dio_offset_align; -+ u64 change_cookie; - }; - -+/* These definitions are internal to the kernel for now. Mainly used by nfsd. */ -+ -+/* mask values */ -+#define STATX_CHANGE_COOKIE 0x40000000U /* Want/got stx_change_attr */ -+ -+/* file attribute values */ -+#define STATX_ATTR_CHANGE_MONOTONIC 0x8000000000000000ULL /* version monotonically increases */ -+ - #endif --- -2.43.0 -