This change adds a new LSM hook, inode_init_security_anon(), that will
be used while creating secure anonymous inodes. The hook allows/denies
its creation and assigns a security context to the inode.
The new hook accepts an optional context_inode parameter that callers
can use to provide additional contextual information to security modules
for granting/denying permission to create an anon-inode of the same type.
This context_inode's security_context can also be used to initialize the
newly created anon-inode's security_context.
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 215b674b84dd052098fe6389e32a5afaff8b4d56)
Conflicts:
include/linux/lsm_hook_defs.h
(1. Added LSM hook in lsm_hook.h and removd lsm_hook_defs.h as per
98e828a0650f348be85728c69875260cf78069e6, which is not merged here)
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Bug: 160737021
Bug: 169683130
Change-Id: I83fe318c891f034b4dd7f3f357cc74964b55ffc8
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmXYSHgACgkQONu9yGCS
aT74ag/6AqWJBzK/2xvUCYjfBU5+4ApFWQt47Ly9MKFhFX7YBjQGXS6av1YFA9Kw
i01R9SCpIv2eaDrM7/J0wvXGybemfvQ8VyNngG30QC/0jTc4ZAj0PEbtyHpUaz4F
HWOFfAlHAYcLQWhmjhXitoGUfeyhchWnQZpn45mkT0i3DSAEFc5gsiMlO+jaM8No
hOaAHEpGsd7zlH32NYpWrFI0i54HSCwlaHlQFJ7U+rbWyG935RdLjMAX+488R8oc
KccOj+xb4zQyASdC7qdgPz02U7Tm3UB5s0lLrviDiBrYVxSe77vw2TBEeejF+7ZE
oYqjsygRYmRbKuI55rxyxph7cT93ZctL48DZJ4fT4zVIT9kak3S/NtFs0Hyr3TkY
N6ZlDnd10cj8QsnXXtTd9QgT7Ind+3KySv7sr4a/gLO/N39EYpztrMCc/lKfG/Bu
MPDMXBrEtKkjMelcnISwac9QcOb/MAJaepCWtYgcXbEcaBP+/Or8OM0yZPOEk7SA
3CamE+ou0Ds/c6gnsBw6WDMTJd+sX6sw6+4cMEaWzaWiE12Ryc0gscCDJXjEAYzc
+47PiPijNJ+iPjsos8ZaNnTQHALemgJ4cjolHivsEvAYU1s5cyKjVEgMB1MJN8ib
y19D9L8T9BtG2ukWBxtIXMIt51VZ7B8fXodcYXbyqtV25JZj/k8=
=cJfu
-----END PGP SIGNATURE-----
Merge 5.4.269 into android11-5.4-lts
Changes in 5.4.269
PCI: mediatek: Clear interrupt status before dispatching handler
include/linux/units.h: add helpers for kelvin to/from Celsius conversion
units: Add Watt units
units: change from 'L' to 'UL'
units: add the HZ macros
serial: sc16is7xx: set safe default SPI clock frequency
spi: introduce SPI_MODE_X_MASK macro
serial: sc16is7xx: add check for unsupported SPI modes during probe
ext4: allow for the last group to be marked as trimmed
crypto: api - Disallow identical driver names
PM: hibernate: Enforce ordering during image compression/decompression
hwrng: core - Fix page fault dead lock on mmap-ed hwrng
rpmsg: virtio: Free driver_override when rpmsg_remove()
parisc/firmware: Fix F-extend for PDC addresses
arm64: dts: qcom: sdm845: fix USB wakeup interrupt types
mmc: core: Use mrq.sbc in close-ended ffu
nouveau/vmm: don't set addr on the fail path to avoid warning
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
rename(): fix the locking of subdirectories
block: Remove special-casing of compound pages
mtd: spinand: macronix: Fix MX35LFxGE4AD page size
fs: add mode_strip_sgid() helper
fs: move S_ISGID stripping into the vfs_*() helpers
powerpc: Use always instead of always-y in for crtsavres.o
x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum
net/smc: fix illegal rmb_desc access in SMC-D connection dump
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
llc: make llc_ui_sendmsg() more robust against bonding changes
llc: Drop support for ETH_P_TR_802_2.
net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
tracing: Ensure visibility when inserting an element into tracing_map
afs: Hide silly-rename files from userspace
tcp: Add memory barrier to tcp_push()
netlink: fix potential sleeping issue in mqueue_flush_file
net/mlx5: DR, Use the right GVMI number for drop action
net/mlx5: Use kfree(ft->g) in arfs_create_groups()
net/mlx5e: fix a double-free in arfs_create_groups
netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
netfilter: nf_tables: validate NFPROTO_* family
fjes: fix memleaks in fjes_hw_setup
net: fec: fix the unhandled context fault from smmu
btrfs: ref-verify: free ref cache before clearing mount opt
btrfs: tree-checker: fix inline ref size in error messages
btrfs: don't warn if discard range is not aligned to sector
btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args
rbd: don't move requests to the running list on errors
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04
drm: Don't unref the same fb many times by mistake due to deadlock handling
drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking
drm/bridge: nxp-ptn3460: simplify some error checking
drm/exynos: fix accidental on-stack copy of exynos_drm_plane
drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume
gpio: eic-sprd: Clear interrupt after set the interrupt type
spi: bcm-qspi: fix SFDP BFPT read by usig mspi read
mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan
tick/sched: Preserve number of idle sleeps across CPU hotplug events
x86/entry/ia32: Ensure s32 is sign extended to s64
powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
powerpc: Fix build error due to is_valid_bugaddr()
powerpc/mm: Fix build failures due to arch_reserved_kernel_pages()
powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE
powerpc/lib: Validate size for vector operations
x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel
perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file
regulator: core: Only increment use_count when enable_count changes
audit: Send netlink ACK before setting connection in auditd_set
ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop
PNP: ACPI: fix fortify warning
ACPI: extlog: fix NULL pointer dereference check
FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
UBSAN: array-index-out-of-bounds in dtSplitRoot
jfs: fix slab-out-of-bounds Read in dtSearch
jfs: fix array-index-out-of-bounds in dbAdjTree
jfs: fix uaf in jfs_evict_inode
pstore/ram: Fix crash when setting number of cpus to an odd number
crypto: stm32/crc32 - fix parsing list of devices
afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock()
jfs: fix array-index-out-of-bounds in diNewExt
s390/ptrace: handle setting of fpc register correctly
KVM: s390: fix setting of fpc register
SUNRPC: Fix a suspicious RCU usage warning
ecryptfs: Reject casefold directory inodes
ext4: fix inconsistent between segment fstrim and full fstrim
ext4: unify the type of flexbg_size to unsigned int
ext4: remove unnecessary check from alloc_flex_gd()
ext4: avoid online resizing failures due to oversized flex bg
wifi: rt2x00: restart beacon queue when hardware reset
selftests/bpf: satisfy compiler by having explicit return in btf test
selftests/bpf: Fix pyperf180 compilation failure with clang18
scsi: lpfc: Fix possible file string name overflow when updating firmware
PCI: Add no PM reset quirk for NVIDIA Spectrum devices
bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk
ARM: dts: imx7d: Fix coresight funnel ports
ARM: dts: imx7s: Fix lcdif compatible
ARM: dts: imx7s: Fix nand-controller #size-cells
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
bpf: Add map and need_defer parameters to .map_fd_put_ptr()
scsi: libfc: Don't schedule abort twice
scsi: libfc: Fix up timeout error in fc_fcp_rec_error()
ARM: dts: rockchip: fix rk3036 hdmi ports node
ARM: dts: imx25/27-eukrea: Fix RTC node name
ARM: dts: imx: Use flash@0,0 pattern
ARM: dts: imx27: Fix sram node
ARM: dts: imx1: Fix sram node
ARM: dts: imx25/27: Pass timing0
ARM: dts: imx27-apf27dev: Fix LED name
ARM: dts: imx23-sansa: Use preferred i2c-gpios properties
ARM: dts: imx23/28: Fix the DMA controller node name
block: prevent an integer overflow in bvec_try_merge_hw_page
md: Whenassemble the array, consult the superblock of the freshest device
arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property
arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property
wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
wifi: cfg80211: free beacon_ies when overridden from hidden BSS
f2fs: fix to check return value of f2fs_reserve_new_block()
ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument
fast_dput(): handle underflows gracefully
RDMA/IPoIB: Fix error code return in ipoib_mcast_join
drm/drm_file: fix use of uninitialized variable
drm/framebuffer: Fix use of uninitialized variable
drm/mipi-dsi: Fix detach call without attach
media: stk1160: Fixed high volume of stk1160_dbg messages
media: rockchip: rga: fix swizzling for RGB formats
PCI: add INTEL_HDA_ARL to pci_ids.h
ALSA: hda: Intel: add HDA_ARL PCI ID support
drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time
IB/ipoib: Fix mcast list locking
media: ddbridge: fix an error code problem in ddb_probe
drm/msm/dpu: Ratelimit framedone timeout msgs
clk: hi3620: Fix memory leak in hi3620_mmc_clk_init()
clk: mmp: pxa168: Fix memory leak in pxa168_clk_init()
drm/amdgpu: Let KFD sync with VM fences
drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()'
leds: trigger: panic: Don't register panic notifier if creating the trigger failed
um: Fix naming clash between UML and scheduler
um: Don't use vfprintf() for os_info()
um: net: Fix return type of uml_net_start_xmit()
i3c: master: cdns: Update maximum prescaler value for i2c clock
mfd: ti_am335x_tscadc: Fix TI SoC dependencies
PCI: Only override AMD USB controller if required
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
usb: hub: Replace hardcoded quirk value with BIT() macro
fs/kernfs/dir: obey S_ISGID
PCI/AER: Decode Requester ID when no error info found
libsubcmd: Fix memory leak in uniq()
virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings
blk-mq: fix IO hang from sbitmap wakeup race
ceph: fix deadlock or deadcode of misusing dget()
drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()'
perf: Fix the nr_addr_filters fix
wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
scsi: isci: Fix an error code problem in isci_io_request_build()
net: remove unneeded break
ixgbe: Remove non-inclusive language
ixgbe: Refactor returning internal error codes
ixgbe: Refactor overtemp event handling
ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550()
ipv6: Ensure natural alignment of const ipv6 loopback and router addresses
llc: call sock_orphan() at release time
netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations
net: ipv4: fix a memleak in ip_setup_cork
af_unix: fix lockdep positive in sk_diag_dump_icons()
net: sysfs: Fix /sys/class/net/<iface> path
HID: apple: Add support for the 2021 Magic Keyboard
HID: apple: Swap the Fn and Left Control keys on Apple keyboards
HID: apple: Add 2021 magic keyboard FN key mapping
bonding: remove print in bond_verify_device_path
dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA
dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
phy: renesas: rcar-gen3-usb2: Fix returning wrong error code
dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV
phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
net: stmmac: xgmac: fix handling of DPP safety error for DMA channels
selftests: net: avoid just another constant wait
atm: idt77252: fix a memleak in open_card_ubr0
hwmon: (aspeed-pwm-tacho) mutex for tach reading
hwmon: (coretemp) Fix out-of-bounds memory access
hwmon: (coretemp) Fix bogus core_id to attr name mapping
inet: read sk->sk_family once in inet_recv_error()
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
ppp_async: limit MRU to 64K
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_ct: reject direction for ct id
net/af_iucv: clean up a try_then_request_module()
USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e
USB: serial: option: add Fibocom FM101-GL variant
USB: serial: cp210x: add ID for IMST iM871A-USB
hrtimer: Report offline hrtimer enqueue
Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
vhost: use kzalloc() instead of kmalloc() followed by memset()
net: stmmac: xgmac: use #define for string constants
net: stmmac: xgmac: fix a typo of register name in DPP safety handling
netfilter: nft_set_rbtree: skip end interval element from gc
btrfs: forbid creating subvol qgroups
btrfs: forbid deleting live subvol qgroup
btrfs: send: return EOPNOTSUPP on unknown flags
of: unittest: add overlay gpio test to catch gpio hog problem
of: unittest: Fix compile in the non-dynamic case
spi: ppc4xx: Drop write-only variable
ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()
MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler
i40e: Fix waiting for queues of all VSIs to be disabled
tracing/trigger: Fix to return error if failed to alloc snapshot
mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
HID: wacom: generic: Avoid reporting a serial of '0' to userspace
HID: wacom: Do not register input devices until after hid_hw_start
USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT
usb: f_mass_storage: forbid async queue when shutdown happen
i2c: i801: Remove i801_set_block_buffer_mode
i2c: i801: Fix block process call transactions
scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock"
firewire: core: correct documentation of fw_csr_string() kernel API
kbuild: Fix changing ELF file type for output of gen_btf for big endian
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
xen-netback: properly sync TX responses
ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL
binder: signal epoll threads of self-work
misc: fastrpc: Mark all sessions as invalid in cb_remove
ext4: fix double-free of blocks due to wrong extents moved_len
tracing: Fix wasted memory in saved_cmdlines logic
staging: iio: ad5933: fix type mismatch regression
iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
ring-buffer: Clean ring_buffer_poll_wait() error return
serial: max310x: set default value when reading clock ready bit
serial: max310x: improve crystal stable clock detection
x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
mmc: slot-gpio: Allow non-sleeping GPIO ro
ALSA: hda/conexant: Add quirk for SWS JS201D
nilfs2: fix data corruption in dsync block recovery for small block sizes
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
nfp: use correct macro for LengthSelect in BAR config
nfp: flower: prevent re-adding mac index for bonded port
irqchip/irq-brcmstb-l2: Add write memory barrier before exit
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
pmdomain: core: Move the unused cleanup to a _sync initcall
tracing: Inform kmemleak of saved_cmdlines allocation
Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
bus: moxtet: Add spi device table
arch, mm: remove stale mentions of DISCONIGMEM
mips: Fix max_mapnr being uninitialized on early stages
KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
netfilter: ipset: fix performance regression in swap operation
netfilter: ipset: Missing gc cancellations fixed
net: prevent mss overflow in skb_segment()
sched/membarrier: reduce the ability to hammer on sys_membarrier
nilfs2: fix potential bug in end_buffer_async_write
PM: runtime: add devm_pm_runtime_enable helper
PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()
drm/msm/dsi: Enable runtime PM
lsm: new security_file_ioctl_compat() hook
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting""
net: bcmgenet: Fix EEE implementation
of: unittest: fix EXPECT text for gpio hog errors
of: gpio unittest kfree() wrong object
Linux 5.4.269
Change-Id: Iedabcdbe95a83593f102e237f2a80d2fc7206669
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream.
Some ioctl commands do not require ioctl permission, but are routed to
other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
However, if a 32-bit process is running on a 64-bit kernel, it emits
32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
being checked erroneously, which leads to these ioctl operations being
routed to the ioctl permission, rather than the correct file
permissions.
This was also noted in a RED-PEN finding from a while back -
"/* RED-PEN how should LSM module know it's handling 32bit? */".
This patch introduces a new hook, security_file_ioctl_compat(), that is
called from the compat ioctl syscall. All current LSMs have been changed
to support this hook.
Reviewing the three places where we are currently using
security_file_ioctl(), it appears that only SELinux needs a dedicated
compat change; TOMOYO and SMACK appear to be functional without any
change.
Cc: stable@vger.kernel.org
Fixes: 0b24dcb7f2 ("Revert "selinux: simplify ioctl checking"")
Signed-off-by: Alfred Piccioni <alpic@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: subject tweak, line length fixes, and alignment corrections]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIyBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmQModwACgkQONu9yGCS
aT7W7A/1EyhortcaMdZXEkdl7kZYupASsOm2QgOzeRkK0ELtbYRTt1qXdZgl40hU
binrh5Yib2avHTEAF9I6AKVXMirSUTtODe/zQ7icyxVNcXeanlIbobEVBzSWIBtC
Wxj129KZyCQlucagWihngQ9D+66bvD5JCsJ3EHKJjpheSqmZI88KVnOSnvyoJArj
yLDY21UgxRN4KASgB+tpLBT4x0yN9zk8VuCGpyJjO/nHzhj6Y6DkOcx2q7hAxdn+
H1OBCQ2QBCODCMrpW4xBuwy2blBZsRytUdEy8JsfxjgXvUp8+TdxUsuxb16a31jW
pVo9LYB0cdKVoAzNJ2pTD8rhaATSbq+2MYDEUYCz8Rr+dZ/Nt2nTKSYeJprLsTwx
TzPRNErQMKxKoQUQU/seWx47ebwt+Z8Rk4FAoyQMxRITw/9bBGLWpDKrGjNsByz9
A2Q9UU+uM+jyqZnjQMvkzKSznggwfJ+SgaeqDMjwyyCQysJS8DTXPr9nA+IC9cht
Kz00QetNgvPvZPE/gg81XOcKtJVTmA4AITQ0PlxYJT0hHCHx02GxvdPH2XBspgUt
aNbDgVsupq8ONvRZlEf9hJKltTUmIRvI9JSOXnuhaN2jCv88SNv1M0TKfAo0XDNK
Z/prv3qCnugMZ0KB0TD7d09XqSlKbefOq8TdtbXoTcC0NzFQkw==
=29jZ
-----END PGP SIGNATURE-----
Merge 5.4.235 into android11-5.4-lts
Changes in 5.4.235
HID: asus: Remove check for same LED brightness on set
HID: asus: use spinlock to protect concurrent accesses
HID: asus: use spinlock to safely schedule workers
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
arm64: dts: qcom: qcs404: use symbol names for PCIe resets
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
arm64: dts: meson-gx: Fix Ethernet MAC address unit name
arm64: dts: meson-g12a: Fix internal Ethernet PHY unit name
arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
arm64: dts: meson: remove CPU opps below 1GHz for G12A boards
ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
ARM: imx: Call ida_simple_remove() for ida_simple_get
arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name
arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible
arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
arm64: dts: amlogic: meson-gxl-s905d-phicomm-n1: fix led node name
ARM: dts: imx7s: correct iomuxc gpr mux controller cells
arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node
Revert "scsi: core: run queue if SCSI device queue isn't ready and queue is idle"
block: Limit number of items taken from the I/O scheduler in one go
blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx
blk-mq: wait on correct sbitmap_queue in blk_mq_mark_tag_wait
blk-mq: correct stale comment of .get_budget
s390/dasd: Prepare for additional path event handling
s390/dasd: Fix potential memleak in dasd_eckd_init()
sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity()
sched/rt: pick_next_rt_entity(): check list_entry
block: bio-integrity: Copy flags when bio_integrity_payload is cloned
wifi: rsi: Fix memory leak in rsi_coex_attach()
net/wireless: Delete unnecessary checks before the macro call “dev_kfree_skb”
wifi: iwlegacy: common: don't call dev_kfree_skb() under spin_lock_irqsave()
wifi: libertas: fix memory leak in lbs_init_adapter()
wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
rtlwifi: fix -Wpointer-sign warning
wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()
ipw2x00: switch from 'pci_' to 'dma_' API
wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()
wifi: ipw2200: fix memory leak in ipw_wdev_init()
wilc1000: let wilc_mac_xmit() return NETDEV_TX_OK
wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
crypto: x86/ghash - fix unaligned access in ghash_setkey()
ACPICA: Drop port I/O validation for some regions
genirq: Fix the return type of kstat_cpu_irqs_sum()
lib/mpi: Fix buffer overrun when SG is too long
ACPICA: nsrepair: handle cases without a return value correctly
wifi: orinoco: check return value of hermes_write_wordrec()
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
ath9k: hif_usb: simplify if-if to if-else
ath9k: htc: clean up statistics macros
wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
ACPI: battery: Fix missing NUL-termination with large strings
crypto: ccp - Failure on re-initialization due to duplicate sysfs filename
crypto: essiv - remove redundant null pointer check before kfree
crypto: essiv - Handle EBUSY correctly
crypto: seqiv - Handle EBUSY correctly
powercap: fix possible name leak in powercap_register_zone()
net/mlx5: Enhance debug print in page allocation failure
irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
irqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe
mptcp: add sk_stop_timer_sync helper
net: add sock_init_data_uid()
tun: tun_chr_open(): correctly initialize socket uid
tap: tap_open(): correctly initialize socket uid
OPP: fix error checking in opp_migrate_dentry()
Bluetooth: L2CAP: Fix potential user-after-free
libbpf: Fix alen calculation in libbpf_nla_dump_errormsg()
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
crypto: rsa-pkcs1pad - Use akcipher_request_complete
m68k: /proc/hardware should depend on PROC_FS
RISC-V: time: initialize hrtimer based broadcast clock event device
usb: gadget: udc: Avoid tasklet passing a global
treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
wifi: iwl3945: Add missing check for create_singlethread_workqueue
wifi: iwl4965: Add missing check for create_singlethread_workqueue()
wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
crypto: crypto4xx - Call dma_unmap_page when done
wifi: mac80211: make rate u32 in sta_set_rate_info_rx()
thermal/drivers/hisi: Drop second sensor hi3660
can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts
irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
selftests/net: Interpret UDP_GRO cmsg data as an int value
selftest: fib_tests: Always cleanup before exit
drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats
drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
drm/bridge: megachips: Fix error handling in i2c_register_driver()
drm/vc4: dpi: Add option for inverting pixel clock and output enable
drm/vc4: dpi: Fix format mapping for RGB565
gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain
ASoC: fsl_sai: initialize is_dsp_mode flag
ALSA: hda/ca0132: minor fix for allocation size
drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
drm/msm: use strscpy instead of strncpy
drm/msm/dpu: Add check for cstate
drm/msm/dpu: Add check for pstates
drm/exynos: Don't reset bridge->next
drm/bridge: Rename bridge helpers targeting a bridge chain
drm/bridge: Introduce drm_bridge_get_next_bridge()
drm: Initialize struct drm_crtc_state.no_vblank from device settings
drm/msm/mdp5: Add check for kzalloc
gpu: host1x: Don't skip assigning syncpoints to channels
drm/mediatek: remove cast to pointers passed to kfree
drm/mediatek: Use NULL instead of 0 for NULL pointer
drm/mediatek: Drop unbalanced obj unref
drm/mediatek: Clean dangling pointer on bind error path
ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
gpio: vf610: connect GPIO label to dev name
hwmon: (ltc2945) Handle error case in ltc2945_value_store
scsi: aic94xx: Add missing check for dma_map_single()
spi: bcm63xx-hsspi: fix pm_runtime
spi: bcm63xx-hsspi: Fix multi-bit mode setting
hwmon: (mlxreg-fan) Return zero speed for broken fan
dm: remove flush_scheduled_work() during local_exit()
spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one()
ASoC: dapm: declare missing structure prototypes
ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared
HID: bigben: use spinlock to protect concurrent accesses
HID: bigben_worker() remove unneeded check on report_field
HID: bigben: use spinlock to safely schedule workers
HID: asus: Only set EV_REP if we are adding a mapping
HID: asus: Add report_size to struct asus_touchpad_info
HID: asus: Add support for multi-touch touchpad on Medion Akoya E1239T
HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T
hid: bigben_probe(): validate report count
nfsd: fix race to check ls_layouts
cifs: Fix lost destroy smbd connection when MR allocate failed
cifs: Fix warning and UAF when destroy the MR list
gfs2: jdata writepage fix
perf llvm: Fix inadvertent file creation
perf tools: Fix auto-complete on aarch64
sparc: allow PM configs for sparc32 COMPILE_TEST
selftests/ftrace: Fix bash specific "==" operator
mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents
clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents
mtd: rawnand: sunxi: Fix the size of the last OOB region
clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed
clk: renesas: cpg-mssr: Use enum clk_reg_layout instead of a boolean flag
clk: renesas: cpg-mssr: Remove superfluous check in resume code
Input: ads7846 - don't report pressure for ads7845
Input: ads7846 - don't check penirq immediately for 7845
clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC
powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
powerpc/pseries/lpar: add missing RTAS retry status handling
powerpc/pseries/lparcfg: add missing RTAS retry status handling
powerpc/rtas: make all exports GPL
powerpc/rtas: ensure 4KB alignment for rtas_data_buf
powerpc/eeh: Small refactor of eeh_handle_normal_event()
powerpc/eeh: Set channel state after notifying the drivers
MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set
MIPS: vpe-mt: drop physical_memsize
remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem headers
media: platform: ti: Add missing check for devm_regulator_get
powerpc: Remove linker flag from KBUILD_AFLAGS
media: ov5675: Fix memleak in ov5675_init_controls()
media: i2c: ov772x: Fix memleak in ov772x_probe()
media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
media: i2c: ov7670: 0 instead of -EINVAL was returned
media: usb: siano: Fix use after free bugs caused by do_submit_urb
rpmsg: glink: Avoid infinite loop on intent for missing channel
udf: Define EFSCORRUPTED error code
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
blk-iocost: fix divide by 0 error in calc_lcoefs()
wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
thermal: intel: Fix unsigned comparison with less than zero
timers: Prevent union confusion from unexpected restart_syscall()
x86/bugs: Reset speculation control settings on init
wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds
wifi: mt7601u: fix an integer underflow
inet: fix fast path in __inet_hash_connect()
ice: add missing checks for PF vsi type
ACPI: Don't build ACPICA with '-Os'
net: bcmgenet: Add a check for oversized packets
m68k: Check syscall_trace_enter() return code
wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup
ACPI: video: Fix Lenovo Ideapad Z570 DMI match
net/mlx5: fw_tracer: Fix debug print
coda: Avoid partial allocation of sig_inputArgs
uaccess: Add minimum bounds check on kernel buffer size
drm/amd/display: Fix potential null-deref in dm_resume
drm/omap: dsi: Fix excessive stack usage
HID: Add Mapping for System Microphone Mute
drm/radeon: free iio for atombios when driver shutdown
drm/msm/dsi: Add missing check for alloc_ordered_workqueue
docs/scripts/gdb: add necessary make scripts_gdb step
ASoC: kirkwood: Iterate over array indexes instead of using pointer math
regulator: max77802: Bounds check regulator id against opmode
regulator: s5m8767: Bounds check id indexing into arrays
hwmon: (coretemp) Simplify platform device handling
pinctrl: at91: use devm_kasprintf() to avoid potential leaks
drm: panel-orientation-quirks: Add quirk for Lenovo IdeaPad Duet 3 10IGL5
dm thin: add cond_resched() to various workqueue loops
dm cache: add cond_resched() to various workqueue loops
nfsd: zero out pointers after putting nfsd_files on COPY setup error
wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
firmware: coreboot: framebuffer: Ignore reserved pixel color bits
rtc: pm8xxx: fix set-alarm race
ipmi_ssif: Rename idle state and check
s390: discard .interp section
s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
s390/kprobes: fix current_kprobe never cleared after kprobes reenter
ARM: dts: exynos: correct HDMI phy compatible in Exynos4
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
fs: hfsplus: fix UAF issue in hfsplus_put_super
f2fs: fix information leak in f2fs_move_inline_dirents()
f2fs: fix cgroup writeback accounting with fs-layer encryption
ocfs2: fix defrag path triggering jbd2 ASSERT
ocfs2: fix non-auto defrag path not working issue
udf: Truncate added extents on failed expansion
udf: Do not bother merging very long extents
udf: Do not update file length for failed writes to inline files
udf: Preserve link count of system files
udf: Detect system inodes linked into directory hierarchy
udf: Fix file corruption when appending just after end of preallocated extent
KVM: Destroy target device if coalesced MMIO unregistration fails
KVM: s390: disable migration mode when dirty tracking is disabled
x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
x86/reboot: Disable virtualization in an emergency if SVM is supported
x86/reboot: Disable SVM, not just VMX, when stopping CPUs
x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
x86/microcode/AMD: Add a @cpu parameter to the reloading functions
x86/microcode/AMD: Fix mixed steppings support
x86/speculation: Allow enabling STIBP with legacy IBRS
Documentation/hw-vuln: Document the interaction between IBRS and STIBP
ima: Align ima_file_mmap() parameters with mmap_file LSM hook
irqdomain: Fix association race
irqdomain: Fix disassociation race
irqdomain: Drop bogus fwspec-mapping error handling
ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
ALSA: hda/realtek: Add quirk for HP EliteDesk 800 G6 Tower PC
ext4: optimize ea_inode block expansion
ext4: refuse to create ea block when umounted
wifi: rtl8xxxu: Use a longer retry limit of 48
wifi: cfg80211: Fix use after free for wext
thermal: intel: powerclamp: Fix cur_state for multi package system
dm flakey: fix logic when corrupting a bio
dm flakey: don't corrupt the zero page
ARM: dts: exynos: correct TMU phandle in Exynos4
ARM: dts: exynos: correct TMU phandle in Odroid XU
rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
alpha: fix FEN fault handling
mips: fix syscall_get_nr
media: ipu3-cio2: Fix PM runtime usage_count in driver unbind
mm: memcontrol: deprecate charge moving
mm/thp: check and bail out if page in deferred queue already
ktest.pl: Give back console on Ctrt^C on monitor
ktest.pl: Fix missing "end_monitor" when machine check fails
ktest.pl: Add RUN_TIMEOUT option with default unlimited
scsi: qla2xxx: Fix link failure in NPIV environment
scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
scsi: qla2xxx: Fix erroneous link down
scsi: ses: Don't attach if enclosure has no components
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
PCI/PM: Observe reset delay irrespective of bridge_d3
PCI: hotplug: Allow marking devices as disconnected during bind/unbind
PCI: Avoid FLR for AMD FCH AHCI adapters
drm/i915/quirks: Add inverted backlight quirk for HP 14-r206nv
drm/radeon: Fix eDP for single-display iMac11,2
wifi: ath9k: use proper statements in conditionals
kbuild: Port silent mode detection to future gnu make.
net/sched: Retire tcindex classifier
fs/jfs: fix shift exponent db_agl2size negative
pwm: sifive: Reduce time the controller lock is held
pwm: sifive: Always let the first pwm_apply_state succeed
pwm: stm32-lp: fix the check on arr and cmp registers update
f2fs: use memcpy_{to,from}_page() where possible
fs: f2fs: initialize fsdata in pagecache_write()
um: vector: Fix memory leak in vector_config
ubi: ensure that VID header offset + VID header size <= alloc, size
ubifs: Fix build errors as symbol undefined
ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
ubifs: Rectify space budget for ubifs_xrename()
ubifs: Fix wrong dirty space budget for dirty inode
ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1
ubifs: Reserve one leb for each journal head while doing budget
ubi: Fix use-after-free when volume resizing failed
ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
ubifs: Fix memory leak in alloc_wbufs()
ubi: Fix possible null-ptr-deref in ubi_free_volume()
ubifs: Re-statistic cleaned znode count if commit failed
ubifs: dirty_cow_znode: Fix memleak in error handling path
ubifs: ubifs_writepage: Mark page dirty after writing inode failed
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
watchdog: Fix kmemleak in watchdog_cdev_register
watchdog: pcwd_usb: Fix attempting to access uninitialized memory
netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
ipv6: Add lwtunnel encap size of all siblings in nexthop calculation
sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
net: fix __dev_kfree_skb_any() vs drop monitor
9p/xen: fix version parsing
9p/xen: fix connection sequence
9p/rdma: unmap receive dma buffer in rdma_request()/post_recv()
net/mlx5: Geneve, Fix handling of Geneve object id as error code
nfc: fix memory leak of se_io context in nfc_genl_se_io
net/sched: act_sample: fix action bind logic
ARM: dts: spear320-hmi: correct STMPE GPIO compatible
tcp: tcp_check_req() can be called from process context
vc_screen: modify vcs_size() handling in vcs_read()
rtc: sun6i: Make external 32k oscillator optional
rtc: sun6i: Always export the internal oscillator
scsi: ipr: Work around fortify-string warning
thermal: intel: quark_dts: fix error pointer dereference
thermal: intel: BXT_PMIC: select REGMAP instead of depending on it
tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak
media: uvcvideo: Handle cameras with invalid descriptors
media: uvcvideo: Handle errors from calls to usb_string
media: uvcvideo: Quirk for autosuspend in Logitech B910 and C910
media: uvcvideo: Silence memcpy() run-time false positive warnings
staging: emxx_udc: Add checks for dma_alloc_coherent()
tty: fix out-of-bounds access in tty_driver_lookup_tty()
tty: serial: fsl_lpuart: disable the CTS when send break signal
mei: bus-fixup:upon error print return values of send and receive
tools/iio/iio_utils:fix memory leak
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
USB: ene_usb6250: Allocate enough memory for full object
usb: uvc: Enumerate valid values for color matching
kernel/fail_function: fix memory leak with using debugfs_lookup()
PCI: Add ACS quirk for Wangxun NICs
phy: rockchip-typec: Fix unsigned comparison with less than zero
net: tls: avoid hanging tasks on the tx_lock
x86/resctrl: Apply READ_ONCE/WRITE_ONCE to task_struct.{rmid,closid}
x86/resctl: fix scheduler confusion with 'current'
Bluetooth: hci_sock: purge socket queues in the destruct() callback
tcp: Fix listen() regression in 5.4.229.
media: uvcvideo: Provide sync and async uvc_ctrl_status_event
media: uvcvideo: Fix race condition with usb_kill_urb
dt-bindings: rtc: sun6i-a31-rtc: Loosen the requirements on the clocks
Linux 5.4.235
Change-Id: I256ca8288bf61707f5103c9b7c7831da0d7a08a0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream.
Commit 98de59bfe4 ("take calculation of final prot in
security_mmap_file() into a helper") moved the code to update prot, to be
the actual protections applied to the kernel, to a new helper called
mmap_prot().
However, while without the helper ima_file_mmap() was getting the updated
prot, with the helper ima_file_mmap() gets the original prot, which
contains the protections requested by the application.
A possible consequence of this change is that, if an application calls
mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
that application would have access to executable memory without having this
event recorded in the IMA measurement list. This situation would occur for
example if the application, before mmap(), calls the personality() system
call with READ_IMPLIES_EXEC as the first argument.
Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
that IMA can receive both the requested prot and the final prot. Since the
requested protections are stored in a new variable, and the final
protections are stored in the existing variable, this effectively restores
the original behavior of the MMAP_CHECK hook.
Cc: stable@vger.kernel.org
Fixes: 98de59bfe4 ("take calculation of final prot in security_mmap_file() into a helper")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJZYqcACgkQONu9yGCS
aT51cA/+PXr+24MJMwa0PyLuQO9YScRAu/4E8PtEkumpj5dA9FuWJCcuNwO9cmNp
YM6IdGGbHfW+JRsX3wLAothut1ID9hfl+Y2tpBFJacS7E5ezgzoiAF1ke8RsBxd/
s+sRwZqRfSVoVmwYGj9/SwXLzJJTdPwY/FwXUdsyxxkn8u99YmAURlNUZdv0+KWs
vmAvS6mj4M4GfazS9FfBhnUVMcxbDgY0/rNlek2rMQi1ValvrYeNBATjKMI/NrkR
/bRTplCezuDFDw82IqQfiqGQ71mMbpYFXxkbdXsJj3nhIJ1AimWRQhLRg/TqJOi4
0Hhx3cEk/5hs/22VBN9sIYIAbJr+z7Kr9gnhltAETPOrv0s9w9fnJARve5GlwSHV
yKBm3Pfq0+abAQ2urnsmiHFvMMzFaiNuWe98TOF0BHkJbwMSFQpgFtp0yWx2bgMf
Svx/rEXzd2Cx0h5X4dHAMykPqsJAek0qIb4MgOPAEpuZWLZ09xfXOeVc8lTbHG22
y/HfKE+4FMTw8tsAe/7E7xP+yjosPrAq8De2ymMo9NGDFxT8I9ro+gkqwMWwC+yi
trYDVFEX3NNIEG9D6Oh+eP2nY97U898wCI1GFU18J9zOPQsw4peHSS8xPW7vLbqy
zrzOxMKW+2khSwj/wFlSXRaj3pogP5/y4jaAXpMSse0Zb3Neu2U=
=p4tc
-----END PGP SIGNATURE-----
Merge 5.4.189 into android11-5.4-lts
Changes in 5.4.189
swiotlb: fix info leak with DMA_FROM_DEVICE
USB: serial: pl2303: add IBM device IDs
USB: serial: simple: add Nokia phone driver
netdevice: add the case if dev is NULL
HID: logitech-dj: add new lightspeed receiver id
xfrm: fix tunnel model fragmentation behavior
virtio_console: break out of buf poll on remove
ethernet: sun: Free the coherent when failing in probing
spi: Fix invalid sgs value
net:mcf8390: Use platform_get_irq() to get the interrupt
spi: Fix erroneous sgs value with min_t()
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
net: dsa: microchip: add spi_device_id tables
iommu/iova: Improve 32-bit free space estimate
tpm: fix reference counting for struct tpm_chip
block: Add a helper to validate the block size
virtio-blk: Use blk_validate_block_size() to validate block size
USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
xhci: fix runtime PM imbalance in USB2 resume
xhci: make xhci_handshake timeout for xhci_reset() adjustable
xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx()
coresight: Fix TRCCONFIGR.QE sysfs interface
iio: afe: rescale: use s64 for temporary scale calculations
iio: inkern: apply consumer scale on IIO_VAL_INT cases
iio: inkern: apply consumer scale when no channel scale is available
iio: inkern: make a best effort on offset calculation
greybus: svc: fix an error handling bug in gb_svc_hello()
clk: uniphier: Fix fixed-rate initialization
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
KEYS: fix length validation in keyctl_pkey_params_get_2()
Documentation: add link to stable release candidate tree
Documentation: update stable tree link
HID: intel-ish-hid: Use dma_alloc_coherent for firmware update
SUNRPC: avoid race between mod_timer() and del_timer_sync()
NFSD: prevent underflow in nfssvc_decode_writeargs()
NFSD: prevent integer overflow on 32 bit systems
f2fs: fix to unlock page correctly in error path of is_alive()
f2fs: quota: fix loop condition at f2fs_quota_sync()
f2fs: fix to do sanity check on .cp_pack_total_block_count
pinctrl: samsung: drop pin banks references on error paths
spi: mxic: Fix the transmit path
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
jffs2: fix memory leak in jffs2_do_mount_fs
jffs2: fix memory leak in jffs2_scan_medium
mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
mm: invalidate hwpoison page cache page in fault path
mempolicy: mbind_range() set_policy() after vma_merge()
scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
qed: display VF trust config
qed: validate and restrict untrusted VFs vlan promisc mode
riscv: Fix fill_callchain return value
Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
ALSA: cs4236: fix an incorrect NULL check on list iterator
ALSA: hda/realtek: Fix audio regression on Mi Notebook Pro 2020
mm,hwpoison: unmap poisoned page before invalidation
mm/kmemleak: reset tag when compare object pointer
drbd: fix potential silent data corruption
powerpc/kvm: Fix kvm_use_magic_page
udp: call udp_encap_enable for v6 sockets when enabling encap
ACPI: properties: Consistently return -ENOENT if there are no more references
drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
mailbox: tegra-hsp: Flush whole channel
block: don't merge across cgroup boundaries if blkcg is enabled
drm/edid: check basic audio support on CEA extension block
video: fbdev: sm712fb: Fix crash in smtcfb_read()
video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5420
carl9170: fix missing bit-wise or operator for tx_params
thermal: int340x: Increase bitmap size
lib/raid6/test: fix multiple definition linking error
crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
crypto: rsa-pkcs1pad - restore signature length check
crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
DEC: Limit PMAX memory probing to R3k systems
media: davinci: vpif: fix unbalanced runtime PM get
xtensa: fix stop_machine_cpuslocked call in patch_text
xtensa: fix xtensa_wsr always writing 0
brcmfmac: firmware: Allocate space for default boardrev in nvram
brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path
brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
brcmfmac: pcie: Fix crashes due to early IRQs
PCI: pciehp: Clear cmd_busy bit in polling mode
regulator: qcom_smd: fix for_each_child.cocci warnings
crypto: authenc - Fix sleep in atomic context in decrypt_tail
crypto: mxs-dcp - Fix scatterlist processing
spi: tegra114: Add missing IRQ check in tegra_spi_probe
selftests/x86: Add validity check and allow field splitting
audit: log AUDIT_TIME_* records only from rules
crypto: ccree - don't attempt 0 len DMA mappings
spi: pxa2xx-pci: Balance reference count for PCI DMA device
hwmon: (pmbus) Add mutex to regulator ops
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
block: don't delete queue kobject before its children
PM: hibernate: fix __setup handler error handling
PM: suspend: fix return value of __setup handler
hwrng: atmel - disable trng on failure path
crypto: vmx - add missing dependencies
clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init()
ACPI: APEI: fix return value of __setup handlers
crypto: ccp - ccp_dmaengine_unregister release dma channels
hwmon: (pmbus) Add Vin unit off handling
clocksource: acpi_pm: fix return value of __setup handler
sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
perf/core: Fix address filter parser for multiple filters
perf/x86/intel/pt: Fix address filter config for 32-bit kernel
f2fs: fix missing free nid in f2fs_handle_failed_inode
f2fs: fix to avoid potential deadlock
media: bttv: fix WARNING regression on tunerless devices
media: coda: Fix missing put_device() call in coda_get_vdoa_data
media: hantro: Fix overfill bottom register field name
media: aspeed: Correct value for h-total-pixels
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe()
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
ARM: dts: qcom: ipq4019: fix sleep clock
soc: qcom: rpmpd: Check for null return of devm_kcalloc
soc: qcom: aoss: remove spurious IRQF_ONESHOT flags
arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
ARM: dts: imx: Add missing LVDS decoder on M53Menlo
media: video/hdmi: handle short reads of hdmi info frame.
media: em28xx: initialize refcount before kref_get
media: usb: go7007: s2250-board: fix leak in probe()
uaccess: fix nios2 and microblaze get_user_8()
ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp()
ASoC: ti: davinci-i2s: Add check for clk_enable()
ALSA: spi: Add check for clk_enable()
arm64: dts: ns2: Fix spi-cpol and spi-cpha property
arm64: dts: broadcom: Fix sata nodename
printk: fix return value of printk.devkmsg __setup handler
ASoC: mxs-saif: Handle errors for clk_enable
ASoC: atmel_ssc_dai: Handle errors for clk_enable
ASoC: soc-compress: prevent the potentially use of null pointer
memory: emif: Add check for setup_interrupts
memory: emif: check the pointer temp in get_device_details()
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
ASoC: wm8350: Handle error for wm8350_register_irq
ASoC: fsi: Add check for clk_enable
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
ivtv: fix incorrect device_caps for ivtvfb
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe
mmc: davinci_mmc: Handle error for clk_enable
ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe
drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe
ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern
udmabuf: validate ubuf->pagecount
Bluetooth: hci_serdev: call init_rwsem() before p->open()
mtd: onenand: Check for error irq
mtd: rawnand: gpmi: fix controller timings setting
drm/edid: Don't clear formats if using deep color
drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
ath9k_htc: fix uninit value bugs
KVM: PPC: Fix vmx/vsx mixup in mmio emulation
i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb
power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
ray_cs: Check ioremap return value
powerpc/perf: Don't use perf_hw_context for trace IMC PMU
mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update
mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update
net: dsa: mv88e6xxx: Enable port policy support on 6097
PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
iommu/ipmmu-vmsa: Check for error num after setting mask
drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug
IB/cma: Allow XRC INI QPs to set their local ACK timeout
dax: make sure inodes are flushed before destroy cache
iwlwifi: Fix -EIO error code that is never returned
iwlwifi: mvm: Fix an error code in iwl_mvm_up()
dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
scsi: pm8001: Fix abort all task initialization
drm/amd/display: Remove vupdate_int_entry definition
TOMOYO: fix __setup handlers return values
ext2: correct max file size computing
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return
scsi: hisi_sas: Change permission of parameter prot_mask
drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt
bpf, arm64: Call build_prologue() first in first JIT pass
bpf, arm64: Feed byte-offset into bpf line info
libbpf: Skip forward declaration when counting duplicated type names
powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit
KVM: x86: Fix emulation in writing cr8
KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
hv_balloon: rate-limit "Unhandled message" warning
i2c: xiic: Make bus names unique
power: supply: wm8350-power: Handle error for wm8350_register_irq
power: supply: wm8350-power: Add missing free in free_charger_irq
PCI: Reduce warnings on possible RW1C corruption
mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n
powerpc/sysdev: fix incorrect use to determine if list is empty
mfd: mc13xxx: Add check for mc13xxx_irq_request
selftests/bpf: Make test_lwt_ip_encap more stable and faster
powerpc: 8xx: fix a return value error in mpc8xx_pic_init
vxcan: enable local echo for sent CAN frames
MIPS: RB532: fix return value of __setup handler
mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
RDMA/mlx5: Fix memory leak in error flow for subscribe event routine
bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full
bpf, sockmap: Fix more uncharged while msg has more_data
bpf, sockmap: Fix double uncharge the mem of sk_msg
USB: storage: ums-realtek: fix error code in rts51x_read_mem()
Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt
af_netlink: Fix shift out of bounds in group mask calculation
i2c: mux: demux-pinctrl: do not deactivate a master that is not active
selftests/bpf/test_lirc_mode2.sh: Exit with proper code
tcp: ensure PMTU updates are processed during fastopen
openvswitch: always update flow key after nat
tipc: fix the timer expires after interval 100ms
mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
mxser: fix xmit_buf leak in activate when LSR == 0xff
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
misc: alcor_pci: Fix an error handling path
staging:iio:adc:ad7280a: Fix handing of device address bit reversing.
pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel
clk: qcom: ipq8074: Use floor ops for SDCC1 clock
phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure})
serial: 8250_mid: Balance reference count for PCI DMA device
serial: 8250: Fix race condition in RTS-after-send handling
iio: adc: Add check for devm_request_threaded_irq
NFS: Return valid errors from nfs2/3_decode_dirent()
dma-debug: fix return value of __setup handlers
clk: imx7d: Remove audio_mclk_root_clk
clk: qcom: clk-rcg2: Update logic to calculate D value for RCG
clk: qcom: clk-rcg2: Update the frac table for pixel clock
remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
clk: actions: Terminate clk_div_table with sentinel element
clk: loongson1: Terminate clk_div_table with sentinel element
clk: clps711x: Terminate clk_div_table with sentinel element
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
NFS: remove unneeded check in decode_devicenotify_args()
staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get()
pinctrl: mediatek: paris: Fix pingroup pin config state readback
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
tty: hvc: fix return value of __setup handler
kgdboc: fix return value of __setup handler
kgdbts: fix return value of __setup handler
firmware: google: Properly state IOMEM dependency
driver core: dd: fix return value of __setup handler
jfs: fix divide error in dbNextAG
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error
clk: qcom: gcc-msm8994: Fix gpll4 width
clk: Initialize orphan req_rate
xen: fix is_xen_pmu()
net: phy: broadcom: Fix brcm_fet_config_init()
selftests: test_vxlan_under_vrf: Fix broken test case
qlcnic: dcb: default to returning -EOPNOTSUPP
net/x25: Fix null-ptr-deref caused by x25_disconnect
NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator
lib/test: use after free in register_test_dev_kmod()
LSM: general protection fault in legacy_parse_param
gcc-plugins/stackleak: Exactly match strings instead of prefixes
pinctrl: npcm: Fix broken references to chip->parent_device
block, bfq: don't move oom_bfqq
selinux: use correct type for context length
loop: use sysfs_emit() in the sysfs xxx show()
Fix incorrect type in assignment of ipv6 port for audit
irqchip/qcom-pdc: Fix broken locking
irqchip/nvic: Release nvic_base upon failure
bfq: fix use-after-free in bfq_dispatch_request
ACPICA: Avoid walking the ACPI Namespace if it is not there
lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3
Revert "Revert "block, bfq: honor already-setup queue merges""
ACPI/APEI: Limit printable size of BERT table data
PM: core: keep irq flags in device_pm_check_callbacks()
spi: tegra20: Use of_device_get_match_data()
ext4: don't BUG if someone dirty pages without asking ext4 first
ntfs: add sanity check on allocation size
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
video: fbdev: w100fb: Reset global state
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
ARM: dts: bcm2837: Add the missing L1/L2 cache information
ASoC: madera: Add dependencies on MFD
video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit
ASoC: soc-core: skip zero num_dai component in searching dai name
media: cx88-mpeg: clear interrupt status register before streaming video
ARM: tegra: tamonten: Fix I2C3 pad setting
ARM: mmp: Fix failure to remove sram device
video: fbdev: sm712fb: Fix crash in smtcfb_write()
media: Revert "media: em28xx: add missing em28xx_close_extension"
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
mmc: host: Return an error when ->enable_sdio_irq() ops is missing
ALSA: hda/realtek: Add alc256-samsung-headphone fixup
powerpc/lib/sstep: Fix 'sthcx' instruction
powerpc/lib/sstep: Fix build errors with newer binutils
powerpc: Fix build errors with newer binutils
scsi: qla2xxx: Fix stuck session in gpdb
scsi: qla2xxx: Fix wrong FDMI data for 64G adapter
scsi: qla2xxx: Fix warning for missing error code
scsi: qla2xxx: Fix device reconnect in loop topology
scsi: qla2xxx: Add devids and conditionals for 28xx
scsi: qla2xxx: Check for firmware dump already collected
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
scsi: qla2xxx: Fix disk failure to rediscover
scsi: qla2xxx: Fix incorrect reporting of task management failure
scsi: qla2xxx: Fix hang due to session stuck
scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests
scsi: qla2xxx: Fix N2N inconsistent PLOGI
scsi: qla2xxx: Reduce false trigger to login
scsi: qla2xxx: Use correct feature type field during RFF_ID processing
KVM: Prevent module exit until all VMs are freed
KVM: x86: fix sending PV IPI
ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
ubifs: Fix deadlock in concurrent rename whiteout and inode writeback
ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock()
ubifs: rename_whiteout: correct old_dir size computing
XArray: Fix xas_create_range() when multi-order entry present
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
can: mcba_usb: properly check endpoint type
XArray: Update the LRU list in xas_split()
rtc: check if __rtc_read_time was successful
gfs2: Make sure FITRIM minlen is rounded up to fs block size
net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware
pinctrl: pinconf-generic: Print arguments for bias-pull-*
pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR()
pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE()
ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
ARM: iop32x: offset IRQ numbers by 1
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
powerpc/kasan: Fix early region not updated correctly
ASoC: soc-compress: Change the check for codec_dai
mm/mmap: return 1 from stack_guard_gap __setup() handler
mm/memcontrol: return 1 from cgroup.memory __setup() handler
mm/usercopy: return 1 from hardened_usercopy __setup() handler
bpf: Fix comment for helper bpf_current_task_under_cgroup()
dt-bindings: mtd: nand-controller: Fix the reg property description
dt-bindings: mtd: nand-controller: Fix a comment in the examples
dt-bindings: spi: mxic: The interrupt property is not mandatory
ubi: fastmap: Return error code if memory allocation fails in add_aeb()
ASoC: topology: Allow TLV control to be either read or write
ARM: dts: spear1340: Update serial node properties
ARM: dts: spear13xx: Update SPI dma properties
um: Fix uml_mconsole stop/go
openvswitch: Fixed nd target mask field in the flow dump.
KVM: x86/mmu: do compare-and-exchange of gPTE via the user address
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
ubifs: Rectify space amount budget for mkdir/tmpfile operations
rtc: wm8350: Handle error for wm8350_register_irq
riscv module: remove (NOLOAD)
ARM: 9187/1: JIVE: fix return value of __setup handler
KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
drm: Add orientation quirk for GPD Win Max
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
ptp: replace snprintf with sysfs_emit
powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
bpf: Make dst_port field in struct bpf_sock 16-bit wide
scsi: mvsas: Replace snprintf() with sysfs_emit()
scsi: bfa: Replace snprintf() with sysfs_emit()
power: supply: axp20x_battery: properly report current when discharging
ipv6: make mc_forwarding atomic
powerpc: Set crashkernel offset to mid of RMA region
drm/amdgpu: Fix recursive locking warning
PCI: aardvark: Fix support for MSI interrupts
iommu/arm-smmu-v3: fix event handling soft lockup
usb: ehci: add pci device support for Aspeed platforms
PCI: pciehp: Add Qualcomm quirk for Command Completed erratum
power: supply: axp288-charger: Set Vhold to 4.4V
ipv4: Invalidate neighbour for broadcast address upon address addition
dm ioctl: prevent potential spectre v1 gadget
drm/amdkfd: make CRAT table missing message informational only
scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
scsi: aha152x: Fix aha152x_setup() __setup handler return value
net/smc: correct settings of RMB window update limit
mips: ralink: fix a refcount leak in ill_acc_of_setup()
macvtap: advertise link netns via netlink
tuntap: add sanity checks about msg_controllen in sendmsg
bnxt_en: Eliminate unintended link toggle during FW reset
MIPS: fix fortify panic when copying asm exception handlers
scsi: libfc: Fix use after free in fc_exch_abts_resp()
usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
xtensa: fix DTC warning unit_address_format
Bluetooth: Fix use after free in hci_send_acl
netlabel: fix out-of-bounds memory accesses
init/main.c: return 1 from handled __setup() functions
minix: fix bug when opening a file with O_DIRECT
clk: si5341: fix reported clk_rate when output divider is 2
w1: w1_therm: fixes w1_seq for ds28ea00 sensors
NFSv4: Protect the state recovery thread against direct reclaim
xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32
clk: Enforce that disjoints limits are invalid
SUNRPC/call_alloc: async tasks mustn't block waiting for memory
NFS: swap IO handling is slightly different for O_DIRECT IO
NFS: swap-out must always use STABLE writes.
serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
virtio_console: eliminate anonymous module_init & module_exit
jfs: prevent NULL deref in diFree
SUNRPC: Fix socket waits for write buffer space
parisc: Fix CPU affinity for Lasi, WAX and Dino chips
parisc: Fix patch code locking and flushing
mm: fix race between MADV_FREE reclaim and blkdev direct IO read
KVM: arm64: Check arm64_get_bp_hardening_data() didn't return NULL
drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
Drivers: hv: vmbus: Fix potential crash on module unload
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
net/tls: fix slab-out-of-bounds bug in decrypt_internal
net: ipv4: fix route with nexthop object delete warning
net: stmmac: Fix unset max_speed difference between DT and non-DT platforms
drm/imx: Fix memory leak in imx_pd_connector_get_modes
bnxt_en: reserve space inside receive page for skb_shared_info
IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition
dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe
ipv6: Fix stats accounting in ip6_pkt_drop
net: openvswitch: don't send internal clone attribute to the userspace.
rxrpc: fix a race in rxrpc_exit_net()
qede: confirm skb is allocated before using
spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op()
bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
drbd: Fix five use after free bugs in get_initial_state
SUNRPC: Handle ENOMEM in call_transmit_status()
SUNRPC: Handle low memory situations in call_status()
perf tools: Fix perf's libperf_print callback
perf session: Remap buf if there is no space for event
Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning"
mmc: renesas_sdhi: don't overwrite TAP settings when HS400 tuning is complete
lz4: fix LZ4_decompress_safe_partial read out of bound
mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
mm/mempolicy: fix mpol_new leak in shared_policy_replace
x86/pm: Save the MSR validity status at context setup
x86/speculation: Restore speculation related MSRs during S3 resume
btrfs: fix qgroup reserve overflow the qgroup limit
arm64: patch_text: Fixup last cpu should be master
ata: sata_dwc_460ex: Fix crash due to OOB write
perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator
irqchip/gic-v3: Fix GICR_CTLR.RWP polling
tools build: Filter out options and warnings not supported by clang
tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts
dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
mmc: mmci_sdmmc: Replace sg_dma_xxx macros
mmc: mmci: stm32: correctly check all elements of sg list
mm: don't skip swap entry even if zap_details specified
arm64: module: remove (NOLOAD) from linker script
mm/sparsemem: fix 'mem_section' will never be NULL gcc 12 warning
drm/amdkfd: add missing void argument to function kgd2kfd_init
drm/amdkfd: Fix -Wstrict-prototypes from amdgpu_amdkfd_gfx_10_0_get_functions()
io_uring: fix fs->users overflow
cgroup: Use open-time credentials for process migraton perm checks
cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
cgroup: Use open-time cgroup namespace for process migration perm checks
selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644
selftests: cgroup: Test open-time credential usage for migration checks
selftests: cgroup: Test open-time cgroup namespace usage for migration checks
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
ACPI: processor idle: Check for architectural support for LPI
Linux 5.4.189
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If3564fc9b0854c215e077cf29dabd4d88de266eb
[ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ]
The usual LSM hook "bail on fail" scheme doesn't work for cases where
a security module may return an error code indicating that it does not
recognize an input. In this particular case Smack sees a mount option
that it recognizes, and returns 0. A call to a BPF hook follows, which
returns -ENOPARAM, which confuses the caller because Smack has processed
its data.
The SELinux hook incorrectly returns 1 on success. There was a time
when this was correct, however the current expectation is that it
return 0 on success. This is repaired.
Reported-by: syzbot+d1e3b1d92d25abf97943@syzkaller.appspotmail.com
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I9053ce58e7449b92928ed8a17148a598b5c40f21
Bug: 200688826
[ resolved minor conflict ]
Signed-off-by: Todd Kjos <tkjos@google.com>
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit c0dbfed5ff as it is
not needed now that sdcardfs is gone.
Bug: 157700134
Cc: Daniel Rosenberg <drosen@google.com>
Cc: Guenter Roeck <groeck@chromium.org>
Cc: Alistair Strachan <astrachan@google.com>
Cc: Yongqin Liu <yongqin.liu@linaro.org>
Cc: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia738ff19487e2e3e129d2ef17ef1f28f777bf306
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In commit c0dbfed5ff ("ANDROID: sdcardfs: Enable modular sdcardfs") a
new symbol was exported, but it should have been set as a _GPL symbol.
Fix this up by properly changing the export type.
Bug: 35142419
Cc: Daniel Rosenberg <drosen@google.com>
Cc: Guenter Roeck <groeck@chromium.org>
Cc: Alistair Strachan <astrachan@google.com>
Cc: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iab657f0c901496cf2eb59a5ee3087d76d7c14ea3
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
Bug: 137092007
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski: resolved merge conflicts with perf_event_paranoid=3 code ]
Signed-off-by: Ryan Savitski <rsavitski@google.com>
[ Ryan Savitski: Folded in upstream ae79d5588a04 (perf/core: Fix
!CONFIG_PERF_EVENTS build warnings and failures). This should fix the
build errors from the previous backport attempt, where certain
configurations would end up with functions referring to the perf_event
struct prior to its declaration (and therefore declaring it with a
different scope). ]
Signed-off-by: Ryan Savitski <rsavitski@google.com>
Change-Id: I50769ede23fbfd8996657c6dae99cab98a3042bc
This reverts commit 3605586e90 as it
breaks the build :(
Cc: Ryan Savitski <rsavitski@google.com>
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
Bug: 137092007
Change-Id: I5df32b668e2dd5f2dd3ab472dfc74f533bc4d8db
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski: resolved merge conflicts with perf_event_paranoid=3 code ]
Signed-off-by: Ryan Savitski <rsavitski@google.com>
To make the 5.4-rc1 merge easier, merge at a prerelease point in time
before the final release happens.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If613d657fd0abf9910c5bf3435a745f01b89765e
Pull kernel lockdown mode from James Morris:
"This is the latest iteration of the kernel lockdown patchset, from
Matthew Garrett, David Howells and others.
From the original description:
This patchset introduces an optional kernel lockdown feature,
intended to strengthen the boundary between UID 0 and the kernel.
When enabled, various pieces of kernel functionality are restricted.
Applications that rely on low-level access to either hardware or the
kernel may cease working as a result - therefore this should not be
enabled without appropriate evaluation beforehand.
The majority of mainstream distributions have been carrying variants
of this patchset for many years now, so there's value in providing a
doesn't meet every distribution requirement, but gets us much closer
to not requiring external patches.
There are two major changes since this was last proposed for mainline:
- Separating lockdown from EFI secure boot. Background discussion is
covered here: https://lwn.net/Articles/751061/
- Implementation as an LSM, with a default stackable lockdown LSM
module. This allows the lockdown feature to be policy-driven,
rather than encoding an implicit policy within the mechanism.
The new locked_down LSM hook is provided to allow LSMs to make a
policy decision around whether kernel functionality that would allow
tampering with or examining the runtime state of the kernel should be
permitted.
The included lockdown LSM provides an implementation with a simple
policy intended for general purpose use. This policy provides a coarse
level of granularity, controllable via the kernel command line:
lockdown={integrity|confidentiality}
Enable the kernel lockdown feature. If set to integrity, kernel features
that allow userland to modify the running kernel are disabled. If set to
confidentiality, kernel features that allow userland to extract
confidential information from the kernel are also disabled.
This may also be controlled via /sys/kernel/security/lockdown and
overriden by kernel configuration.
New or existing LSMs may implement finer-grained controls of the
lockdown features. Refer to the lockdown_reason documentation in
include/linux/security.h for details.
The lockdown feature has had signficant design feedback and review
across many subsystems. This code has been in linux-next for some
weeks, with a few fixes applied along the way.
Stephen Rothwell noted that commit 9d1f8be5cf ("bpf: Restrict bpf
when kernel lockdown is in confidentiality mode") is missing a
Signed-off-by from its author. Matthew responded that he is providing
this under category (c) of the DCO"
* 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (31 commits)
kexec: Fix file verification on S390
security: constify some arrays in lockdown LSM
lockdown: Print current->comm in restriction messages
efi: Restrict efivar_ssdt_load when the kernel is locked down
tracefs: Restrict tracefs when the kernel is locked down
debugfs: Restrict debugfs when the kernel is locked down
kexec: Allow kexec_file() with appropriate IMA policy when locked down
lockdown: Lock down perf when in confidentiality mode
bpf: Restrict bpf when kernel lockdown is in confidentiality mode
lockdown: Lock down tracing and perf kprobes when in confidentiality mode
lockdown: Lock down /proc/kcore
x86/mmiotrace: Lock down the testmmiotrace module
lockdown: Lock down module params that specify hardware parameters (eg. ioport)
lockdown: Lock down TIOCSSERIAL
lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down
acpi: Disable ACPI table override if the kernel is locked down
acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
ACPI: Limit access to custom_method when the kernel is locked down
x86/msr: Restrict MSR access when the kernel is locked down
x86: Lock down IO port access when the kernel is locked down
...
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl2BLvcUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQ6iDy2pc3iXP9pA/+Ls9sRGZoEipycbgRnwkL9/6yFtn4
UCFGMP0eobrjL82i8uMOa/72Budsp3ZaZRxf36NpbMDPyB9ohp5jf7o1WFTELESv
EwxVvOMNwrxO2UbzRv3iywnhdPVJ4gHPa4GWfBHu2EEfhz3/Bv0tPIBdeXAbq4aC
R0p+M9X0FFEp9eP4ftwOvFGpbZ8zKo1kwgdvCnqLhHDkyqtapqO/ByCTe1VATERP
fyxjYDZNnITmI0plaIxCeeudklOTtVSAL4JPh1rk8rZIkUznZ4EBDHxdKiaz3j9C
ZtAthiAA9PfAwf4DZSPHnGsfINxeNBKLD65jZn/PUne/gNJEx4DK041X9HXBNwjv
OoArw58LCzxtTNZ//WB4CovRpeSdKvmKv0oh61k8cdQahLeHhzXE1wLQbnnBJLI3
CTsumIp4ZPEOX5r4ogdS3UIQpo3KrZump7VO85yUTRni150JpZR3egYpmcJ0So1A
QTPemBhC2CHJVTpycYZ9fVTlPeC4oNwosPmvpB8XeGu3w5JpuNSId+BDR/ZlQAmq
xWiIocGL3UMuPuJUrTGChifqBAgzK+gLa7S7RYPEnTCkj6LVQwsuP4gBXf75QTG4
FPwVcoMSDFxUDF0oFqwz4GfJlCxBSzX+BkWUn6jIiXKXBnQjU+1gu6KTwE25mf/j
snJznFk25hFYFaM=
=n4ht
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
- Add LSM hooks, and SELinux access control hooks, for dnotify,
fanotify, and inotify watches. This has been discussed with both the
LSM and fs/notify folks and everybody is good with these new hooks.
- The LSM stacking changes missed a few calls to current_security() in
the SELinux code; we fix those and remove current_security() for
good.
- Improve our network object labeling cache so that we always return
the object's label, even when under memory pressure. Previously we
would return an error if we couldn't allocate a new cache entry, now
we always return the label even if we can't create a new cache entry
for it.
- Convert the sidtab atomic_t counter to a normal u32 with
READ/WRITE_ONCE() and memory barrier protection.
- A few patches to policydb.c to clean things up (remove forward
declarations, long lines, bad variable names, etc)
* tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
lsm: remove current_security()
selinux: fix residual uses of current_security() for the SELinux blob
selinux: avoid atomic_t usage in sidtab
fanotify, inotify, dnotify, security: add security hook for fs notifications
selinux: always return a secid from the network caches if we find one
selinux: policydb - rename type_val_to_struct_array
selinux: policydb - fix some checkpatch.pl warnings
selinux: shuffle around policydb.c to get rid of forward declarations
Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
The lockdown module is intended to allow for kernels to be locked down
early in boot - sufficiently early that we don't have the ability to
kmalloc() yet. Add support for early initialisation of some LSMs, and
then add them to the list of names when we do full initialisation later.
Early LSMs are initialised in link order and cannot be overridden via
boot parameters, and cannot make use of kmalloc() (since the allocator
isn't initialised yet).
(Fixed by Stephen Rothwell to include a stub to fix builds when
!CONFIG_SECURITY)
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: James Morris <jmorris@namei.org>
As of now, setting watches on filesystem objects has, at most, applied a
check for read access to the inode, and in the case of fanotify, requires
CAP_SYS_ADMIN. No specific security hook or permission check has been
provided to control the setting of watches. Using any of inotify, dnotify,
or fanotify, it is possible to observe, not only write-like operations, but
even read access to a file. Modeling the watch as being merely a read from
the file is insufficient for the needs of SELinux. This is due to the fact
that read access should not necessarily imply access to information about
when another process reads from a file. Furthermore, fanotify watches grant
more power to an application in the form of permission events. While
notification events are solely, unidirectional (i.e. they only pass
information to the receiving application), permission events are blocking.
Permission events make a request to the receiving application which will
then reply with a decision as to whether or not that action may be
completed. This causes the issue of the watching application having the
ability to exercise control over the triggering process. Without drawing a
distinction within the permission check, the ability to read would imply
the greater ability to control an application. Additionally, mount and
superblock watches apply to all files within the same mount or superblock.
Read access to one file should not necessarily imply the ability to watch
all files accessed within a given mount or superblock.
In order to solve these issues, a new LSM hook is implemented and has been
placed within the system calls for marking filesystem objects with inotify,
fanotify, and dnotify watches. These calls to the hook are placed at the
point at which the target path has been resolved and are provided with the
path struct, the mask of requested notification events, and the type of
object on which the mark is being set (inode, superblock, or mount). The
mask and obj_type have already been translated into common FS_* values
shared by the entirety of the fs notification infrastructure. The path
struct is passed rather than just the inode so that the mount is available,
particularly for mount watches. This also allows for use of the hook by
pathname-based security modules. However, since the hook is intended for
use even by inode based security modules, it is not placed under the
CONFIG_SECURITY_PATH conditional. Otherwise, the inode-based security
modules would need to enable all of the path hooks, even though they do not
use any of them.
This only provides a hook at the point of setting a watch, and presumes
that permission to set a particular watch implies the ability to receive
all notification about that object which match the mask. This is all that
is required for SELinux. If other security modules require additional hooks
or infrastructure to control delivery of notification, these can be added
by them. It does not make sense for us to propose hooks for which we have
no implementation. The understanding that all notifications received by the
requesting application are all strictly of a type for which the application
has been granted permission shows that this implementation is sufficient in
its coverage.
Security modules wishing to provide complete control over fanotify must
also implement a security_file_open hook that validates that the access
requested by the watching application is authorized. Fanotify has the issue
that it returns a file descriptor with the file mode specified during
fanotify_init() to the watching process on event. This is already covered
by the LSM security_file_open hook if the security module implements
checking of the requested file mode there. Otherwise, a watching process
can obtain escalated access to a file for which it has not been authorized.
The selinux_path_notify hook implementation works by adding five new file
permissions: watch, watch_mount, watch_sb, watch_reads, and watch_with_perm
(descriptions about which will follow), and one new filesystem permission:
watch (which is applied to superblock checks). The hook then decides which
subset of these permissions must be held by the requesting application
based on the contents of the provided mask and the obj_type. The
selinux_file_open hook already checks the requested file mode and therefore
ensures that a watching process cannot escalate its access through
fanotify.
The watch, watch_mount, and watch_sb permissions are the baseline
permissions for setting a watch on an object and each are a requirement for
any watch to be set on a file, mount, or superblock respectively. It should
be noted that having either of the other two permissions (watch_reads and
watch_with_perm) does not imply the watch, watch_mount, or watch_sb
permission. Superblock watches further require the filesystem watch
permission to the superblock. As there is no labeled object in view for
mounts, there is no specific check for mount watches beyond watch_mount to
the inode. Such a check could be added in the future, if a suitable labeled
object existed representing the mount.
The watch_reads permission is required to receive notifications from
read-exclusive events on filesystem objects. These events include accessing
a file for the purpose of reading and closing a file which has been opened
read-only. This distinction has been drawn in order to provide a direct
indication in the policy for this otherwise not obvious capability. Read
access to a file should not necessarily imply the ability to observe read
events on a file.
Finally, watch_with_perm only applies to fanotify masks since it is the
only way to set a mask which allows for the blocking, permission event.
This permission is needed for any watch which is of this type. Though
fanotify requires CAP_SYS_ADMIN, this is insufficient as it gives implicit
trust to root, which we do not do, and does not support least privilege.
Signed-off-by: Aaron Goidel <acgoide@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Jan Kara <jack@suse.cz>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Export the following symbols:
- copy_fs_struct
- free_fs_struct
- security_path_chown
- set_fs_pwd
- vfs_read
- vfs_write
These are needed to build sdcardfs as a module.
Test: HiKey/X15 + Pie + android-mainline,
and HiKey + AOSP Maser + android-mainline,
directories under /sdcard created,
output of mount is right,
CTS test collecting device infor works
Bug: 35142419
Change-Id: If6e14f0b3bdc858a9f684e6c209927a9232091f0
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
[astrachan: Folded the following changes into this patch:
e19f69662df5 ("ANDROID: Revert "fs: unexport vfs_read and vfs_write"")
17071a8e1e7d ("ANDROID: fs: Export free_fs_struct and set_fs_pwd")
2e9a639597cd ("ANDROID: export security_path_chown")]
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Pull integrity updates from Mimi Zohar:
"Bug fixes, code clean up, and new features:
- IMA policy rules can be defined in terms of LSM labels, making the
IMA policy dependent on LSM policy label changes, in particular LSM
label deletions. The new environment, in which IMA-appraisal is
being used, frequently updates the LSM policy and permits LSM label
deletions.
- Prevent an mmap'ed shared file opened for write from also being
mmap'ed execute. In the long term, making this and other similar
changes at the VFS layer would be preferable.
- The IMA per policy rule template format support is needed for a
couple of new/proposed features (eg. kexec boot command line
measurement, appended signatures, and VFS provided file hashes).
- Other than the "boot-aggregate" record in the IMA measuremeent
list, all other measurements are of file data. Measuring and
storing the kexec boot command line in the IMA measurement list is
the first buffer based measurement included in the measurement
list"
* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
integrity: Introduce struct evm_xattr
ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition
KEXEC: Call ima_kexec_cmdline to measure the boot command line args
IMA: Define a new template field buf
IMA: Define a new hook to measure the kexec boot command line arguments
IMA: support for per policy rule template formats
integrity: Fix __integrity_init_keyring() section mismatch
ima: Use designated initializers for struct ima_event_data
ima: use the lsm policy update notifier
LSM: switch to blocking policy update notifiers
x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY
ima: Make arch_policy_entry static
ima: prevent a file already mmap'ed write to be mmap'ed execute
x86/ima: check EFI SetupMode too
Atomic policy updaters are not very useful as they cannot
usually perform the policy updates on their own. Since it
seems that there is no strict need for the atomicity,
switch to the blocking variant. While doing so, rename
the functions accordingly.
Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 3029 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull mount ABI updates from Al Viro:
"The syscalls themselves, finally.
That's not all there is to that stuff, but switching individual
filesystems to new methods is fortunately independent from everything
else, so e.g. NFS series can go through NFS tree, etc.
As those conversions get done, we'll be finally able to get rid of a
bunch of duplication in fs/super.c introduced in the beginning of the
entire thing. I expect that to be finished in the next window..."
* 'work.mount-syscalls' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
vfs: Add a sample program for the new mount API
vfs: syscall: Add fspick() to select a superblock for reconfiguration
vfs: syscall: Add fsmount() to create a mount for a superblock
vfs: syscall: Add fsconfig() for configuring and managing a context
vfs: Implement logging through fs_context
vfs: syscall: Add fsopen() to prepare for superblock creation
Make anon_inodes unconditional
teach move_mount(2) to work with OPEN_TREE_CLONE
vfs: syscall: Add move_mount(2) to move mounts around
vfs: syscall: Add open_tree(2) to reference or clone a mount
This patch introduces a new security hook that is intended for
initializing the security data for newly created kernfs nodes, which
provide a way of storing a non-default security context, but need to
operate independently from mounts (and therefore may not have an
associated inode at the moment of creation).
The main motivation is to allow kernfs nodes to inherit the context of
the parent under SELinux, similar to the behavior of
security_inode_init_security(). Other LSMs may implement their own logic
for handling the creation of new nodes.
This patch also adds helper functions to <linux/kernfs.h> for
getting/setting security xattrs of a kernfs node so that LSMs hooks are
able to do their job. Other important attributes should be accessible
direcly in the kernfs_node fields (in case there is need for more, then
new helpers should be added to kernfs.h along with the patch that needs
them).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: more manual merge fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Add a move_mount() system call that will move a mount from one place to
another and, in the next commit, allow to attach an unattached mount tree.
The new system call looks like the following:
int move_mount(int from_dfd, const char *from_path,
int to_dfd, const char *to_path,
unsigned int flags);
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-api@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Pull vfs mount infrastructure updates from Al Viro:
"The rest of core infrastructure; no new syscalls in that pile, but the
old parts are switched to new infrastructure. At that point
conversions of individual filesystems can happen independently; some
are done here (afs, cgroup, procfs, etc.), there's also a large series
outside of that pile dealing with NFS (quite a bit of option-parsing
stuff is getting used there - it's one of the most convoluted
filesystems in terms of mount-related logics), but NFS bits are the
next cycle fodder.
It got seriously simplified since the last cycle; documentation is
probably the weakest bit at the moment - I considered dropping the
commit introducing Documentation/filesystems/mount_api.txt (cutting
the size increase by quarter ;-), but decided that it would be better
to fix it up after -rc1 instead.
That pile allows to do followup work in independent branches, which
should make life much easier for the next cycle. fs/super.c size
increase is unpleasant; there's a followup series that allows to
shrink it considerably, but I decided to leave that until the next
cycle"
* 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (41 commits)
afs: Use fs_context to pass parameters over automount
afs: Add fs_context support
vfs: Add some logging to the core users of the fs_context log
vfs: Implement logging through fs_context
vfs: Provide documentation for new mount API
vfs: Remove kern_mount_data()
hugetlbfs: Convert to fs_context
cpuset: Use fs_context
kernfs, sysfs, cgroup, intel_rdt: Support fs_context
cgroup: store a reference to cgroup_ns into cgroup_fs_context
cgroup1_get_tree(): separate "get cgroup_root to use" into a separate helper
cgroup_do_mount(): massage calling conventions
cgroup: stash cgroup_root reference into cgroup_fs_context
cgroup2: switch to option-by-option parsing
cgroup1: switch to option-by-option parsing
cgroup: take options parsing into ->parse_monolithic()
cgroup: fold cgroup1_mount() into cgroup1_get_tree()
cgroup: start switching to fs_context
ipc: Convert mqueue fs to fs_context
proc: Add fs_context support to procfs
...
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAlx+8ZgUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOlDhAAiGlirQ9syyG2fYzaARZZ2QoU/GGD
PSAeiNmP3jvJzXArCvugRCw+YSNDdQOBM3SrLQC+cM0MAIDRYXN0NdcrsbTchlMA
51Fx1egZ9Fyj+Ehgida3muh2lRUy7DQwMCL6tAVqwz7vYkSTGDUf+MlYqOqXDka5
74pEExOS3Jdi7560BsE8b6QoW9JIJqEJnirXGkG9o2qC0oFHCR6PKxIyQ7TJrLR1
F23aFTqLTH1nbPUQjnox2PTf13iQVh4j2gwzd+9c9KBfxoGSge3dmxId7BJHy2aG
M27fPdCYTNZAGWpPVujsCPAh1WPQ9NQqg3mA9+g14PEbiLqPcqU+kWmnDU7T7bEw
Qx0kt6Y8GiknwCqq8pDbKYclgRmOjSGdfutzd0z8uDpbaeunS4/NqnDb/FUaDVcr
jA4d6ep7qEgHpYbL8KgOeZCexfaTfz6mcwRWNq3Uu9cLZbZqSSQ7PXolMADHvoRs
LS7VH2jcP7q4p4GWmdfjv67xyUUo9HG5HHX74h5pLfQSYXiBWo4ht0UOAzX/6EcE
CJNHAFHv+OanI5Rg/6JQ8b3/bJYxzAJVyLZpCuMtlKk6lYBGNeADk9BezEDIYsm8
tSe4/GqqyR9+Qz8rSdpAZ0KKkfqS535IcHUPUJau7Bzg1xqSEP5gzZN6QsjdXg0+
5wFFfdFICTfJFXo=
=57/1
-----END PGP SIGNATURE-----
Merge tag 'audit-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
Pull audit updates from Paul Moore:
"A lucky 13 audit patches for v5.1.
Despite the rather large diffstat, most of the changes are from two
bug fix patches that move code from one Kconfig option to another.
Beyond that bit of churn, the remaining changes are largely cleanups
and bug-fixes as we slowly march towards container auditing. It isn't
all boring though, we do have a couple of new things: file
capabilities v3 support, and expanded support for filtering on
filesystems to solve problems with remote filesystems.
All changes pass the audit-testsuite. Please merge for v5.1"
* tag 'audit-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: mark expected switch fall-through
audit: hide auditsc_get_stamp and audit_serial prototypes
audit: join tty records to their syscall
audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL
audit: remove unused actx param from audit_rule_match
audit: ignore fcaps on umount
audit: clean up AUDITSYSCALL prototypes and stubs
audit: more filter PATH records keyed on filesystem magic
audit: add support for fcaps v3
audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to CONFIG_AUDIT
audit: add syscall information to CONFIG_CHANGE records
audit: hand taken context to audit_kill_trees for syscall logging
audit: give a clue what CONFIG_CHANGE op was involved
new primitive: vfs_dup_fs_context(). Comes with fs_context
method (->dup()) for copying the filesystem-specific parts
of fs_context, along with LSM one (->fs_context_dup()) for
doing the same to LSM parts.
[needs better commit message, and change of Author:, anyway]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Add LSM hooks for use by the new mount API and filesystem context code.
This includes:
(1) Hooks to handle allocation, duplication and freeing of the security
record attached to a filesystem context.
(2) A hook to snoop source specifications. There may be multiple of these
if the filesystem supports it. They will to be local files/devices if
fs_context::source_is_dev is true and will be something else, possibly
remote server specifications, if false.
(3) A hook to snoop superblock configuration options in key[=val] form.
If the LSM decides it wants to handle it, it can suppress the option
being passed to the filesystem. Note that 'val' may include commas
and binary data with the fsopen patch.
(4) A hook to perform validation and allocation after the configuration
has been done but before the superblock is allocated and set up.
(5) A hook to transfer the security from the context to a newly created
superblock.
(6) A hook to rule on whether a path point can be used as a mountpoint.
These are intended to replace:
security_sb_copy_data
security_sb_kern_mount
security_sb_mount
security_sb_set_mnt_opts
security_sb_clone_mnt_opts
security_sb_parse_opts_str
[AV -- some of the methods being replaced are already gone, some of the
methods are not added for the lack of need]
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-security-module@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
To avoid potential confusion, explicitly ignore "security=" when "lsm=" is
used on the command line, and report that it is happening.
Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
The audit_rule_match() struct audit_context *actx parameter is not used
by any in-tree consumers (selinux, apparmour, integrity, smack).
The audit context is an internal audit structure that should only be
accessed by audit accessor functions.
It was part of commit 03d37d25e0 ("LSM/Audit: Introduce generic
Audit LSM hooks") but appears to have never been used.
Remove it.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/107
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the referenced commit title]
Signed-off-by: Paul Moore <paul@paul-moore.com>
-----BEGIN PGP SIGNATURE-----
iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAlxFDv0eHHRvcnZhbGRz
QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGBPsH/3Ij47fut8kwxGSX
Tmx7Y+VYftRiKSwK3+HxsCvde3scqfkxAukb3HeJDzZdpnouT0k4nqUYQabAANi/
MdaO+NSBRp/NjzZcpFG9QAroIQ2G2sRQ4E8ldFcNmdsjZWlUfKIHPfYHzvvc06L4
MhvdkpMa/p51Jz9egQs0kfSvrb6fh4OEDTI19/aaGR0oJBhoGhLrqTI+vdYhMiyO
wWtUXgZfsmlCBdAQLRh04CxGTc/32VApoB/SwP9sF+xD3gcL0mPFNKUociio6K2Y
a7u7yuzUKvVwuafVgX9QT+f+je5/5u+WFsG/26cfXzizZoNWW5oDl3sBD3hRNkvt
J13lB1w=
=ch+/
-----END PGP SIGNATURE-----
Merge tag 'v5.0-rc3' into next-general
Sync to Linux 5.0-rc3 to pull in the VFS changes which impacted a lot
of the LSM code.
Fixes the following sparse warnings:
security/security.c:533:5: warning:
symbol 'lsm_task_alloc' was not declared. Should it be static?
security/security.c:554:5: warning:
symbol 'lsm_ipc_alloc' was not declared. Should it be static?
security/security.c:575:5: warning:
symbol 'lsm_msg_msg_alloc' was not declared. Should it be static?
Fixes: f4ad8f2c40 ("LSM: Infrastructure management of the task security")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Since current->cred == current->real_cred when ordered_lsm_init()
is called, and lsm_early_cred()/lsm_early_task() need to be called
between the amount of required bytes is determined and module specific
initialization function is called, we can move these calls from
individual modules to ordered_lsm_init().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
From: Casey Schaufler <casey@schaufler-ca.com>
Check that the cred security blob has been set before trying
to clean it up. There is a case during credential initialization
that could result in this.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com
This patch provides a general mechanism for passing flags to the
security_capable LSM hook. It replaces the specific 'audit' flag that is
used to tell security_capable whether it should log an audit message for
the given capability check. The reason for generalizing this flag
passing is so we can add an additional flag that signifies whether
security_capable is being called by a setid syscall (which is needed by
the proposed SafeSetID LSM).
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Move management of the kern_ipc_perm->security and
msg_msg->security blobs out of the individual security
modules and into the security infrastructure. Instead
of allocating the blobs from within the modules the modules
tell the infrastructure how much space is required, and
the space is allocated there.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
Move management of the task_struct->security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
The only user of this blob is AppArmor. The AppArmor use
is abstracted to avoid future conflict.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
Move management of the inode->i_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
Move management of the file->f_security blob out of the
individual security modules and into the infrastructure.
The modules no longer allocate or free the data, instead
they tell the infrastructure how much space they require.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
Move management of the cred security blob out of the
security modules and into the security infrastructre.
Instead of allocating and freeing space the security
modules tell the infrastructure how much space they
require.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.
The proposed S.A.R.A security module is dependent on
the mechanism to create its own attr subdirectory.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
This converts capabilities to use the new LSM_ORDER_FIRST position.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
In preparation for distinguishing the "capability" LSM from other LSMs, it
must be ordered first. This introduces LSM_ORDER_MUTABLE for the general
LSMs and LSM_ORDER_FIRST for capability. In the future LSM_ORDER_LAST
for could be added for anything that must run last (e.g. Landlock may
use this).
Signed-off-by: Kees Cook <keescook@chromium.org>
This converts Yama from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
This converts LoadPin from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Lokesh Gidra
Greg Kroah-Hartman
Alfred Piccioni
Roberto Sassu
Casey Schaufler
Todd Kjos
Joel Fernandes (Google)
Linus Torvalds
Matthew Garrett
Aaron Goidel
Daniel Rosenberg
Janne Karhunen
Thomas Gleixner
Ondrej Mosnacek
David Howells
Al Viro
Kees Cook
Richard Guy Briggs
James Morris
Wei Yongjun
Tetsuo Handa
Micah Morton