brain-hackers_pepepper-mirror
/
linux-brain
mirror of https://github.com/brain-hackers/linux-brain.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
894,855 Commits 19 Branches 467 Tags 3.3 GiB
Commit Graph

4435 Commits

Author SHA1 Message Date
Andrey Zhizhikin 913880358f This is the 5.4.149 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFQYpIACgkQONu9yGCS
 aT5nNBAAnao6g0C+ZSPUJrX3Aa9I+dcP8le9T4faUD1E8fa3XSIrDhUrZwhvdI06
 ljos1XzQe60/CJmY1jnfL4TOQqrfS6tLTseVGIhFAtJQorxxQwzuCEq/2sqlYz/A
 BEN1/g1XjXyFMmKw598luTClbHk91pnScxA0ZyJ28lhNeBnpuHKK5+PvqNT2bg6G
 Vc8IGPv7cd48FjfwBzDuWklsQE9FFHPtq2eyhAk6K9QbECnP9wgfdrPx87oyRGN6
 tPtSEhlwNM8EEaFZ1/1zgTgj3n35I3LXGfV19YRid20y1SbwB8yFloidx8SjaAOE
 rMpiyxcDgfYoeHw5WBt+f/QVLx3Ia8uEFgwFSHyD1btNrPGdAlatWgXSrNBLvQuy
 jIoDtqY9L5Ty3T3rBjyDlXl0oUUDD4JyVteGsrXlzVEHa7YaLIhvrcQ6Es09XDZX
 TXPinEMPTohO7/cCVHjXOuREXeYukXLrKuZBBNTutANP9Yx7Tj9yAwVtrnakkv1B
 WykWhjJSmOHcj3q8hm9i1GI8qo3sWIwvM0c8in1OLzA+vpjXPR9onA8PHYidj8LY
 f4E3I2Xp+zBj8WljLgHIJhpwdo8jq5StdYPl0y3Na/ZVU3El3VKtwiT0RieOnKfp
 aOj16+CdbCDpdDZofqu/Zio4Do0RFPsHHeEnfedH38aOw1bjctw=
 =e/m/
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmFRuk4ACgkQ7G51OISz
 Hs05Iw/9EJFb9xJJhi1GzCVg6X5rF4Nna8yNwZOtEWtnG3fE0FcJJ1AP8pN0l93v
 yI+c6KbNl30hqI25ji/VEgoLlOOe5/5QctnPXryXrkf4jvoXQC2TZSGhFfznBlYK
 XcfbaYSlCf9fgaFQBDfi9S1/k/8yVDs9QKIKf6aUlXKmNWhF9I3Fp6nQ1cnaZjMp
 tMto2WOilgCFMwb9EuSTuSPHE0bDqmwk7npVQ8/HA2QdMzLySwHVUZKD8vC9Kvsc
 1csT8lkWak+7N5p2RNyrJAORL9OBvhdPZVyh0cMet00T+zDV0aUDpn3/6R4gnFUz
 TmRdG/oRMqlkhQYvKpFiE295AtU41TMjc9Mb0dg9KYCsCh9yTGgZdR0ftYOHFb+o
 wgXBkURAbj7JETTtRBVMRDEV8Zo1iJjpvGmILT8jO7IsQppkTh2JcjI5rnoxUdGB
 eAd5W36aZfnOEPdUpoWf2mNF8bgQodDVYHc8cPlknJPKP3GM6EZDUNEkKRFTe8hD
 /IP4yLrOvqaxP9n82bPNuRTpKM365Q+rmHkPlTof8ZLYCB52gdJBg9/oTVGfuLfE
 o+DtHU1sBuzukyPEJE2okb3D9uqKM0/xnUxhXQqxDFhXMcI5npllQ7FK71FOWtcp
 4YTGwf/Y4DmK0tckzNg1URnzATRR+6b8zjMR1zc9gfUawnBhwWU=
 =zMkr
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.149' into 5.4-2.3.x-imx

This is the 5.4.149 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-09-27 12:34:19 +00:00
Andy Shevchenko 278df06460 apparmor: remove duplicate macro list_entry_is_head() 
commit 9801ca279ad37f72f71234fa81722afd95a3f997 upstream.

Strangely I hadn't had noticed the existence of the list_entry_is_head()
in apparmor code when added the same one in the list.h.  Luckily it's
fully identical and didn't break builds.  In any case we don't need a
duplicate anymore, thus remove it from apparmor code.

Link: https://lkml.kernel.org/r/20201208100639.88182-1-andriy.shevchenko@linux.intel.com
Fixes: e130816164e244 ("include/linux/list.h: add a macro to test if entry is pointing to the head")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E . Hallyn " <serge@hallyn.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-09-26 14:07:06 +02:00
Andrey Zhizhikin 8b231e0e8e This is the 5.4.148 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFLBPMACgkQONu9yGCS
 aT6BIQ//Wb4ZQJtEVvaKnda7vFwe8BoZzPGYZA4Imn9KERDRgHuavEuRfMQtKc2y
 YHwe/PD2JreuDHcd+Wz32xsdMe045xNvgiE1oGcxq0jNBvhJqANSmVTWpdqAquON
 cTmwsK3roa7ELC2g1WjrYZDv6CrCggqvbuM9AJ/cLITtd8zerhLdZo+CCDG/28cH
 EosrWvkBcaGmX+r/IBC86Rt6K2OFQ/3LLbb79L4vjKi5lopsm5CTAmfOfIk8p1gB
 mGB3PkQZnIqphBfqGXLGuljl4e+zb1SONrugUh78Egom393Ex34oo+RjWEGe9dV2
 Stkuqo0GTi85X7JA7SGCA/xgF8A8yvaaLjQBsJsL9+2ji+GW+J7hfn4mE5h8H3Di
 UBjeLMFJA8Mge8Ng9xUSttvjRdwSTm0jWTS9SOl07w24b0pKYbMrQdWt2eI6CT+/
 ytq3nCxNJZKeVcAVH+OJNrbSLYvMy/PgYvGTbzASkNmpAeyNiHOyBz1sRcoiAM9U
 QCWDdZyaqDKktqEyKHxK3opqPzbnHfZFFlCxR7Gw7vvR+itIGJEh/50RNv2F6vnu
 wzowrVxe+Bf1h7JiNEqLLVHdiuygRqjH1ygepGM4+3TVF4jYHzDISyrqlA/Se3Pg
 Hhvlzsbv7PH+KiApwBFjSeHTs5WOrokGMFQ7ZYFDpPkleWiywS0=
 =50Hk
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.148' into 5.4-2.3.x-imx

This is the 5.4.148 stable release

Conflicts:
- drivers/dma/imx-sdma.c:
Following upstream patches are already applied to NXP tree:
7cfbf391e8 ("dmaengine: imx-sdma: remove duplicated sdma_load_context")
788122c99d ("Revert "dmaengine: imx-sdma: refine to load context only
once"")

- drivers/usb/chipidea/host.c:
Merge upstream commit a18cfd715e ("usb: chipidea: host: fix port index
underflow and UBSAN complains") to NXP version.

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-09-22 13:19:32 +00:00
Tianjia Zhang a1d12196c3 Smack: Fix wrong semantics in smk_access_entry() 
[ Upstream commit 6d14f5c7028eea70760df284057fe198ce7778dd ]

In the smk_access_entry() function, if no matching rule is found
in the rust_list, a negative error code will be used to perform bit
operations with the MAY_ enumeration value. This is semantically
wrong. This patch fixes this issue.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-09-22 12:26:27 +02:00
Andrey Zhizhikin 33478cc104 This is the 5.4.147 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFDItIACgkQONu9yGCS
 aT7qHw/+MC8nqbYT/fMu3ZsTsNB8JZelGhrpXVAFc4E80oZDVEF3aNh8koTk13o/
 sI+9LZD6vPJ7kxPBT45PPxDfwM7VlVlQTVWQ8lUjY+8a2Ml7xZSiz9I3bMX0MsvU
 ylXeAJ4BntXI4679ccSjWGwwcQa+PrHsPrpZqKLBI4+pjxps3eMGwK0yE5jcRd4Z
 WlhgYbE8QhmB4iWSA5CBr7IY5pVIlKpvovlvIi1TlU1C9LXU6O8OBPkhmbuFF4fG
 HY2ge6d+xZItcn9RFi+uH51PwPBpN9U2I+QakQ4iyMNgF1uqHzfWh30ZeINxHzw2
 2Nn/nCmNeUwoOt6YSQGxlZUieqqvq5y4VeXo2nThqBdds8GPJ4AhvvxmM/NnP0EV
 lfI6RSxJcYULfl0XQB5sj3fJ2Fo7G7Mx+kg0q0018iTuOx9kNdQF/WXdLqHvBUIi
 VIaRFR2wKeWXCV7tmb5o8928clv0FWJRi19Gcq8597zWxGC8mlSOg48jVVMkE9rU
 IaYhIiIRL/Dkf34Hal2+mZbvbD5IjtViw9uYOzME7NuF4VVHD6RavsMOM8AuUc+t
 OtSRo6mID1rH+RrvFZhZRzcT3Fg5NVbmEhiVG7tH26ZEJE2Gs/CjexQgTHf25+VL
 /H8Mnjjw7gAmvqAJyG9s3eocnhuuWeYj5YWg3vAxVNoUqUT2uO4=
 =RNKE
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmFDnvkACgkQ7G51OISz
 Hs17yQ/8CoCEE3h3RZQ07Y4RSyePZU96IRGqd5Dhyli0BUgWahmaaoBrXYQPL2c1
 IzBW2/e0vxCwMflVHxRMS6tXoTyj3dXuNG30SU+pkCDnsWyrWxtNALFgDt0a/wHa
 pszFKfnXKxrYOKKU2gSPxFu1+0Tm0zV6puwgvwcuKzUFx/wjIZxH+8+fLhTWYu2X
 7OBuwCvDjbsQgnruKbyysI14DBu4rfYm/7hXLgRLCtYRdUYeuVrR1W5N8QEqLYr4
 daZHCl2T4VF6qiiE5FdZc6yfW0H6KSK8A1B9PYZnSJyeYwLS1edXQFbZq4VBSjPh
 wIefx3xB0ZKuyPUHc1EYjxvxfYJCbWjFaOT8aT+qDxkpYgMRltur1fmE1fS0P9hp
 3g2JrSl5EzzNqklZUuC51X4Gq2rGrO31FCXcOh/rAfbJ4sHeUlWU2pnTN7ilJt/W
 yW51Rl+mYPNTY964iCkMzVmNyAH9oIgJyR7a9P0gkIUwCqq780POtN2bMzkS/Om0
 lauKR5NmuNVw//jfeQddrrdVILfErZ5tHplGNsk3VFMi2/ITNEbmm1CJGb2090F/
 EK1lcWOj6vuETN9Lqc/dv2hX0UgDG8I1SVb1SXwRLCCZREiuoS+Z3EmMfLAkmV46
 tXz+x34BTvMl3CEZMvy69ovTrJlh6537mFx2T7+FNBqeDLHT2Z4=
 =yJQM
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.147' into 5.4-2.3.x-imx

This is the 5.4.147 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-09-16 19:45:58 +00:00
THOBY Simon 4a95b04afa IMA: remove the dependency on CRYPTO_MD5 
commit 8510505d55e194d3f6c9644c9f9d12c4f6b0395a upstream.

MD5 is a weak digest algorithm that shouldn't be used for cryptographic
operation. It hinders the efficiency of a patch set that aims to limit
the digests allowed for the extended file attribute namely security.ima.
MD5 is no longer a requirement for IMA, nor should it be used there.

The sole place where we still use the MD5 algorithm inside IMA is setting
the ima_hash algorithm to MD5, if the user supplies 'ima_hash=md5'
parameter on the command line.  With commit ab60368ab6 ("ima: Fallback
to the builtin hash algorithm"), setting "ima_hash=md5" fails gracefully
when CRYPTO_MD5 is not set:
	ima: Can not allocate md5 (reason: -2)
	ima: Allocating md5 failed, going to use default hash algorithm sha256

Remove the CRYPTO_MD5 dependency for IMA.

Signed-off-by: THOBY Simon <Simon.THOBY@viveris.fr>
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
[zohar@linux.ibm.com: include commit number in patch description for
stable.]
Cc: stable@vger.kernel.org # 4.17
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-09-15 09:47:41 +02:00
Austin Kim c69935f0b0 IMA: remove -Wmissing-prototypes warning 
commit a32ad90426a9c8eb3915eed26e08ce133bd9e0da upstream.

With W=1 build, the compiler throws warning message as below:

   security/integrity/ima/ima_mok.c:24:12: warning:
   no previous prototype for ‘ima_mok_init’ [-Wmissing-prototypes]
       __init int ima_mok_init(void)

Silence the warning by adding static keyword to ima_mok_init().

Signed-off-by: Austin Kim <austin.kim@lge.com>
Fixes: 41c89b64d7 ("IMA: create machine owner and blacklist keyrings")
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-09-15 09:47:41 +02:00
Andrey Zhizhikin 0615afea9f This is the 5.4.133 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmD1IXQACgkQONu9yGCS
 aT50sBAAtueT2WsCuD1psEN219cK0e7AuLrHXtAnkHFJIPWnzS0vyBy7/hmFwWtq
 sBSenqG8qufqtLVnMkeEAhu2/sk/5NHRPQJtK0k4hCzt8FQuiVQco1raOtetIJx+
 +wBfE4FAGDmiYGkcuzh61n1euvpBetXd9HFfWtSfQq7Q3nN+sfv0q1V9ZK0MUJ8v
 ipvSY1hTSDEQQJ7cU48DDJtZUGNxrfEFzi4CLI2YVphzoHEbowd5nxtHUL5cwDhx
 3sHYJoN+5RAkRinzGyviDlRpodNUUkLusBzs54xNIzgdzkckEKniKotZ2lUGsEu+
 QQgj0paNB95GLkY/Rgn6AL03AQdYBgGIjHQkSaYJ+UM9TlacqgFMiGugn28bj0o/
 1F4s6zCWG5tuhM5zNcnTsJmwSPA3eZ0uI6NCkjKC/RAyD5SC6JQqcf5zYCzygdT/
 PpeFRcZGoxyQqmOjW2e+tpNAbHuIeayExx/6/3rw3b/xaR9Ju9mYxNDiIpYZwdc6
 FIWOsHG+bEEZANiWv6Ju7DfOTKg8F7mbm4Zrd00euIWEsxuUZO/lAzxPR8pPzsn7
 2k46PDrhah25Y/tbSE5hdKrLqSorSjIg+7CxLAk7LWPmq13zzEd8y+e/Bk5rFJ4T
 7vPLUb23OYFdrVMOXd1UyKhcP4CKyOf7IvG4SsZwj9WfWoNEDNg=
 =2WCO
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmD25jEACgkQ7G51OISz
 Hs1QgxAAl7FiNoI3XJ2GbS0bQAxYXeUtcQ6lJmHRD/6IEikDr12bQ9XMvF1k4o+P
 15MzTOndSRSW0Yxi5QXRTGcBuqbC+HhnUVHggJpUJugUt9Q5TtO6ZxVX0dkbMhp3
 AXK55Zm465y4dX6ys59IWL138xMKd0pBIfchlb3oSaiQ9qBFmKDXMEYDGOxDC3e9
 VR1EO5PfpzEgrGONO+Xxu+2IDWRiWfKGyIaZCIWsRqlsrjdOFMKbTL2iBwMgrqmi
 D3kndN6kGvxqoHCe3P9chKqNfU+P3durBNomhhXyBZBRNT2XW19UVpk3VIhqa5Dw
 7DA6zHihFuZlI9XEZKAr4cokxS9IRFWZBayYE4diMu4+BA45mKIS+1BRyPDozgRG
 cyp6QaGI8IEzdI1oa6WW/CR/zkhQKyIj/lhwlx98XJlkGoDtfSgGMx6QdmtH8Pfk
 Gmgg3aHV/AQMRasSfKPDLGWD0f3nVzneHh9ceK9/j8gjY+T6msVYw/p4kIhXZQCE
 cZplDehOsFtJubB5lXxe1PZzHedM5p0mrYousngjVhHjbe/5h243fj3gBsTJK3zZ
 XP74VPZyqwBtEUrMEL2nPlsQSDfeZRnNSCiXNq1vJg+skqJTMicv2TUP0134ME8K
 yUjmJxd46diY/bOPBL737MuWMlpm9Bpg31qRe92jSHovKrbZVTk=
 =rRdV
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.133' into 5.4-2.3.x-imx

This is the 5.4.133 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-07-20 15:05:19 +00:00
Andrey Zhizhikin e9646ca701 This is the 5.4.132 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmDu+p0ACgkQONu9yGCS
 aT5SOw/9F58e4gz7PSTn4A9oCTNodRPe9B9rzf3y1Ol0k7T1aeQoWsPFOkZpNSOJ
 tdOGEXnwYnLpMC7nuFshWv1uKGAL/weHADyGV6J37AntYFjpEFhJhSH7pGGhDk7V
 EeIl98luBynPXOKNnDvcrQweeRaHKOInQBT8JJzwwsZbF2oqfOqdU0A787BiRu+3
 zoi/mV0upDB443ji/JY0xj+o4jlbsuD0WxEqgkcD2YHL+QvU5Wr0mGys7m5gG9x7
 TpKpMic0ILrF1vt/znLL5rOlX497prTvZ74ZXV/DYizeYxqtl/UG3CZjo1uf2yqk
 pAXA57paz6DY2Ct+3QbJBeuer27bTz6SCClSS1om9AcUk6oNSdULmMdTGvQb0SLU
 wx1Cy8b2ei04SVl96+McKKZ6ln47LJediGn0qIdwC6O/XHHrLq4u5PkSnQxRU4pA
 GH1tP5oYy4GzL9RbBeiDJQETFiXwkexSEWVyuSc6BhqQXao9yVzmLQbL1zgjH/zO
 m/tckZ3vEg+ll8j4QJCisHRyqYhwfru4PsJQH9Q7q6CtIuGOsd0Z/OUcLuF6knXg
 jDOrDIykE/PnkQ2Dc2RhdONP1ud5j3oBnHvNHs6FDghRKjaixMQzg3g/RNtnAaTj
 +7Xsfbi6ntpZSDOaY7YNgt+ZH3l4YRnUL/xBA6qIygayz374nzI=
 =LU0G
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmD25ikACgkQ7G51OISz
 Hs1dcw/8DKef1hGC5O2WKfpInTYtgnClkyD5/yOnGAPMvMRDGybA3dRejpIEefNM
 Qol1XICjb0wdBDV0I+n+fnGbBgaX3g0N/pn16pdbbSPBBe1L+d97gZNZznDGHYZu
 033qtbxii8e0QTxTvO7nx4L80ZZsyPLchpPxowS/vd1Ezti+pTIU4y43MCc2jYLL
 KqUBDz72TkPLhgVZdDJ1z9gb+OoJ+sJPaeBrO57hpY/os9SxlMPeY56YrD3Hyfy5
 IHZw3bTCDiIXpHBaJG8fvuudaM5M8V3dbD6oXnEPo1Gzb1Y7WR4Z7q28g7arSYjP
 fMPd243mCXd1V7LpmapxXvFsnbdsA7oauTho50dwmEvxQf9jEgX6thBWAFsrItaS
 crHdOppS7Lc3FK8cTMxZd6ZyZpaU6sF183tMOteuhtwmF/uoy1LBHqLnAvtfWYrl
 InGcImgABRkiYBRyODlgC4UNLd49Svon/8HcbBZlmeGIkosXjo5r1itnipgnF/TB
 /NkHRkixYTBCnJZyx+9Lihqw+HMnHVfjOnIBjbXjzX9ITH/tiMn4y87E+x9vRQqr
 Td5AKJwiSXSWZBQoX+XNLqXRwjZKHVQe45J4gzL9dhCzi9bwK99BvBPWr8+JyI7w
 83YQfkhPju47+KFrEN6DUBxdYrROsJLsjgdTl38IlCi4SKoQSkE=
 =Li9I
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.132' into 5.4-2.3.x-imx

This is the 5.4.132 stable release

Conflicts (manual resolve):
- drivers/gpu/drm/rockchip/cdn-dp-core.c:
Fix merge hiccup when integrating upstream commit 450c25b8a4
("drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on
error in cdn_dp_grf_write()")

- drivers/perf/fsl_imx8_ddr_perf.c:
Port upstream commit 3fea9b708a ("drivers/perf: fix the missed
ida_simple_remove() in ddr_perf_probe()") manually to NXP version.

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-07-20 15:04:13 +00:00
Andrey Zhizhikin 3050bcad92 Linux 5.4.130 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmDlnnAACgkQ3qZv95d3
 LNxq3Q/5AaAtg+YK2+b1bBV/sLq9rmLt/TlxxB4jpDklD+F9ioCqr7AR9/OCX6KG
 Q9+PUS/gEixC542IjzF/EPlKNjvTmNhIP9V9tWJo7XYyqP0TkZ7VSNhreWv+N51Y
 SMRoA/T37Fmhy6IMeAp1EvdAEpqlIntjdifJBLnt56fv3cCCy6I1sHenUG8H9iSf
 oRwGLsfBadEtihP4h+sqcLbMTHVhMBxyn0rKTa+Qt+sCRjVHgMzWs/XMQO3Ou/bZ
 Zy6BwWkYFXpc78E6HIk5mBj6JBmx4YdFNNjQG2ld6TCNq7P5DrjWQAchVUrSgLyO
 dz2ntpdBS/9GukByIaD9HbTICuUrf8f5mCpK730IcEOxb3rqVWCIrpJQXhrrYWfi
 3xjzxHzu2DH6ZNedHdH59N5il4WpOMAsasBEIRYZTLK2oEkRLah6k2HDS9LSgZ4M
 wcnmdEeA7vKlYyaYGhkFPePKVoVdFW8yTxGsN6f2kyKR7DjW7zRcFT5/9GH5Hu+n
 0jfUbCsIN+VSP7NFPYW5VywwUiVz1uVTdFK0XKpKzKrLTaWztQ+R5cQDatYu/jpq
 Chq7VTWdZIRsTe2tHetA7SMh32NRbESx9bxXz+OjvAbc7QlOss37YAztBusH0Uup
 /nBeRZw7z5N5jn8g2tl+mV/pTE+DrH86cDeAba4SqHztG2Y3H0g=
 =Uo47
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmD25dUACgkQ7G51OISz
 Hs1qnQ//cw/fFOWdhhypsaZeYs4YTIhOQznGoq2dgU7koujNAt00ZY15g+hCtLei
 kYJJXi9zL2j5M2K5zhGPymooMudFTzQtkBrqov39EjpEEO8e2rFW+vbaf8Y5/sVL
 PPHY6O3vZ/sjhitQA0XjSNlWrA81jzunzDjTgErxRKCfTFEjw0RkAs7bdFMeKGCD
 1LGuoqUFxBYc+YeFwoVN/A9x9cudI0sTXdmC6FhzCy1yiZK1gD94oweq85WaN2Bx
 GGxOg3opkgdDn8iZE4WPL9F6P4Po5+WfTDznpSVOIANFjKk1pMFqjG6oamv6FQlI
 uGe6pHXMv4ECuazMoZa6mkGsOf593vwBLTT4Bmaeo8fZ07+z3/l5bg53B/4pRJKs
 L4RT3e12EHA9ZtdTDogCnao/zdO86J8lo3WjcFPkziahEFEKwG8xywPgvU/SFbyU
 JN6aazf8iQTPMM5KYUX8k71CVB+8i+ySchjsSIR/Q1owZe1k6Q4HSTAZd8Mf9R6l
 /whgebKnO5Y/LcA5ssfWqEUaXRmNJboF+iPhBlJCArzUOVc2OuXIh8971RK930bR
 myFDXDEh2xNfb5mXdwMulJggQxvoh9u1sx4CNw9hCtz0w297+x7POKtsA9/sq3m6
 Z2Lnmz8Y2gF97U8GYlpmvHYshlCvCRIlt9Vn7JfARr/2o5vLLRk=
 =9eSo
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.130' into 5.4-2.3.x-imx

Linux 5.4.130

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-07-20 15:03:46 +00:00
Tetsuo Handa 135122f174 smackfs: restrict bytes count in smk_set_cipso() 
commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream.

Oops, I failed to update subject line.

From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Mon, 12 Apr 2021 22:25:06 +0900
Subject: smackfs: restrict bytes count in smk_set_cipso()

Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write
functions") missed that count > SMK_CIPSOMAX check applies to only
format == SMK_FIXED24_FMT case.

Reported-by: syzbot <syzbot+77c53db50c9fff774e8e@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-07-19 08:53:18 +02:00
Minchan Kim bfb8eb833e selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC 
[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ]

In the field, we have seen lots of allocation failure from the call
path below.

06-03 13:29:12.999 1010315 31557 31557 W Binder  : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0
...
...
06-03 13:29:12.999 1010315 31557 31557 W Call trace:
06-03 13:29:12.999 1010315 31557 31557 W         : dump_backtrace.cfi_jt+0x0/0x8
06-03 13:29:12.999 1010315 31557 31557 W         : dump_stack+0xc8/0x14c
06-03 13:29:12.999 1010315 31557 31557 W         : warn_alloc+0x158/0x1c8
06-03 13:29:12.999 1010315 31557 31557 W         : __alloc_pages_slowpath+0x9d8/0xb80
06-03 13:29:12.999 1010315 31557 31557 W         : __alloc_pages_nodemask+0x1c4/0x430
06-03 13:29:12.999 1010315 31557 31557 W         : allocate_slab+0xb4/0x390
06-03 13:29:12.999 1010315 31557 31557 W         : ___slab_alloc+0x12c/0x3a4
06-03 13:29:12.999 1010315 31557 31557 W         : kmem_cache_alloc+0x358/0x5e4
06-03 13:29:12.999 1010315 31557 31557 W         : avc_alloc_node+0x30/0x184
06-03 13:29:12.999 1010315 31557 31557 W         : avc_update_node+0x54/0x4f0
06-03 13:29:12.999 1010315 31557 31557 W         : avc_has_extended_perms+0x1a4/0x460
06-03 13:29:12.999 1010315 31557 31557 W         : selinux_file_ioctl+0x320/0x3d0
06-03 13:29:12.999 1010315 31557 31557 W         : __arm64_sys_ioctl+0xec/0x1fc
06-03 13:29:12.999 1010315 31557 31557 W         : el0_svc_common+0xc0/0x24c
06-03 13:29:12.999 1010315 31557 31557 W         : el0_svc+0x28/0x88
06-03 13:29:12.999 1010315 31557 31557 W         : el0_sync_handler+0x8c/0xf0
06-03 13:29:12.999 1010315 31557 31557 W         : el0_sync+0x1a4/0x1c0
..
..
06-03 13:29:12.999 1010315 31557 31557 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010315 31557 31557 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010315 31557 31557 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 10230 30892 30892 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 10230 30892 30892 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 10230 30892 30892 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 10230 30892 30892 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 10230 30892 30892 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0

Based on [1], selinux is tolerate for failure of memory allocation.
Then, use __GFP_NOWARN together.

[1] 476accbe2f ("selinux: use GFP_NOWAIT in the AVC kmem_caches")

Signed-off-by: Minchan Kim <minchan@kernel.org>
[PM: subj fix, line wraps, normalized commit refs]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-07-19 08:53:10 +02:00
Mimi Zohar 4020615bd7 evm: fix writing <securityfs>/evm overflow 
[ Upstream commit 49219d9b8785ba712575c40e48ce0f7461254626 ]

EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX.
The "-fno-strict-overflow" compiler option properly prevents signaling
EVM that the EVM policy setup is complete.  Define and read an unsigned
int.

Fixes: f00d797507 ("EVM: Allow userspace to signal an RSA key has been loaded")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-07-14 16:53:21 +02:00
Roberto Sassu 74e9d920f2 evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded 
commit 9acc89d31f0c94c8e573ed61f3e4340bbd526d0c upstream.

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
temporarily disable metadata verification until all xattrs/attrs necessary
to verify an EVM portable signature are copied to the file. This flag is
cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
calculated on unverified xattrs/attrs.

Currently EVM unnecessarily denies setting this flag if EVM is initialized
with a public key, which is not a concern as it cannot be used to trust
xattrs/attrs updates. This patch removes this limitation.

Fixes: ae1ba1676b ("EVM: Allow userland to permit modification of EVM-protected metadata")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 4.16.x
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-07-14 16:53:08 +02:00
Roberto Sassu d7dfaf13d2 evm: Execute evm_inode_init_security() only when an HMAC key is loaded 
commit 9eea2904292c2d8fa98df141d3bf7c41ec9dc1b5 upstream.

evm_inode_init_security() requires an HMAC key to calculate the HMAC on
initial xattrs provided by LSMs. However, it checks generically whether a
key has been loaded, including also public keys, which is not correct as
public keys are not suitable to calculate the HMAC.

Originally, support for signature verification was introduced to verify a
possibly immutable initial ram disk, when no new files are created, and to
switch to HMAC for the root filesystem. By that time, an HMAC key should
have been loaded and usable to calculate HMACs for new files.

More recently support for requiring an HMAC key was removed from the
kernel, so that signature verification can be used alone. Since this is a
legitimate use case, evm_inode_init_security() should not return an error
when no HMAC key has been loaded.

This patch fixes this problem by replacing the evm_key_loaded() check with
a check of the EVM_INIT_HMAC flag in evm_initialized.

Fixes: 26ddabfe96 ("evm: enable EVM when X509 certificate is loaded")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 4.5.x
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-07-14 16:53:08 +02:00
YueHaibing a6c85a8433 x86/efi: remove unused variables 
[ Upstream commit 6f090192f8225f52ba95d08785989688cb768cca ]

commit ad723674d675 ("x86/efi: move common keyring handler functions
to new file") leave this unused.

Fixes: ad723674d675 ("x86/efi: move common keyring handler functions to new file")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20191115130830.13320-1-yuehaibing@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-07-07 08:22:58 -04:00
Andrey Zhizhikin 3aef3ef268 Linux 5.4.129 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmDcbxkACgkQ3qZv95d3
 LNxZMBAArNPLhVYdEDDFosb6Y/5RGjjZ/79OGHH0p5YiTo8D+wBHi+wXRl5Jp0PA
 3YVVU8lDTbeDm7E7uWeduWjFwEpsPBL8395scbhC6VR3PfnyunjarVXZgi6EHnMl
 p6HjXXtQ1jTrdDSziGDIhZVQT5FGb2/MMx9m69mfi5BTLjGfWy8chHFbC2GZszlp
 Znu9syjisUBbc4I4XHFgXw0hoQSSig6SUTZCrdTpIW/PZ0swfl8ZPxREh0CZNMpw
 Y2orRt+oHlkWPw1/sSkoTE1PRvXwNWFXyw5caOu846jAfhKtxO54SsqJqhM7VLHZ
 pdH4eb6q7AFyt0A62HkIqa5oabs5Vk9G24b8m5ggc2F/UTkHqgwUcMCud0d3DYL0
 Q7OEAmThQzHHKJ+CeNRJLsiKqVBNHmeS24B+ELldlAiX22vLr9pUsIb342Au1ZjR
 S3BTnneAbYGBv4qUoV2yUF9wQ/LxsFMSl/vmjCBOxg7c3LbKYChUwskYnvd6EwWj
 ObCyLU6FK9HWXSBSp/X+irlF1CLla+HuOC+Aej2U5a8DtmHId4LHMeq/XOxZ9s/8
 QUoX4rh5P+TJ8PIiTqXKrQo5rnR79MiYssIhUozKTdt9ZoMtXzI4mVLXN/yzAVD9
 v4aWYx8m2x17Wq+ptaLMSTSed4m3c25uEl4MucLBmKQV8ClAxW8=
 =Sijo
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmDchOoACgkQ7G51OISz
 Hs3s9Q/+OfeIcTzOY6qDX53PSxK5iF3xZEiPR5HOSVu1cY4+1tyt0bkYdQJ2N//d
 NH6YCuOsVI5chRxKN8b6I01U6xxQ0VNvj5RYmuC0AqhhzJBpfhh6FrrGuVxP+dCj
 aa2twfRZO+Y0yzrIYdSvYdRhJlEhMbKGNyHu871tyQQTlp0eQKy9lBhcCuVSCMso
 p64lRlK35GDi6TaWQ7R0SYOziWWSHByf4p3h4ZlpyhB7w6yMNjNrts4qSoZb2uOY
 I453WroS7tWV3qkOZ9FeqjHyg4mjBg87/wSMZ0DbBANinlQZW5YTOjE/WyPossL3
 C4jTP8NBLsng+ZfhAaMRfbvxGj5gbY0ghSOmsuglAOQDd+tlTfB23pkgHFlj6aie
 FUplJnTLd8VXPWkoNVKH6GfG2rZAUtQKM4EWDPt2KK3Dch9W3YH1bHL9EyxR0G7f
 aDBHM9egTyPOYNcfeVDj0KEJTrOxkmCcYz83D+eEDGKHi//Gcb+k9Gsg6q8X6Yxa
 ejFx5RBM5SW57LA70ZK3+HWhqfqcILYJT7Lxoue7bH+15vSGnTkmJKS80OUrP8w8
 y9gQ9WNsmjQUHvtKPAIZUZYlUS05FhtQ+faC8XyrLnfZj+ZCGBZor/KsNe0SP/UN
 bAYudfCn0YkjGfTNcljOe4oAnwmnVKAjGlQkHOFw+llmM0czEBk=
 =vpHo
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.129' into 5.4-2.3.x-imx

Linux 5.4.129

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-06-30 14:51:20 +00:00
Eric Snowberg e20b90e4f8 certs: Add EFI_CERT_X509_GUID support for dbx entries 
[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ]

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously approved to boot with UEFI Secure
Boot enabled.  The dbx is capable of containing any number of
EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID
entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are
skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
is found, it is added as an asymmetrical key to the .blacklist keyring.
Anytime the .platform keyring is used, the keys in the .blacklist keyring
are referenced, if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility.  This allows a
   Kconfig solution to make sure that pkcs7_validate_trust() is
   enabled.[1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
cc: Randy Dunlap <rdunlap@infradead.org>
cc: Mickaël Salaün <mic@digikod.net>
cc: Arnd Bergmann <arnd@kernel.org>
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-06-30 08:47:55 -04:00
Nayna Jain 06ab9df09e x86/efi: move common keyring handler functions to new file 
[ Upstream commit ad723674d6758478829ee766e3f1a2a24d56236f ]

The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring is common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.

This patch moves the common code from load_uefi.c to keyring_handler.c

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-06-30 08:47:55 -04:00
Andrey Zhizhikin ba4e63325c This is the 5.4.118 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCacuMACgkQONu9yGCS
 aT7jXQ/+N95y28rkW+9aG33bMKwodiGO3pax1ZT59SwVICDQQQhK6zXmsVtWP3hv
 oaDqbfN+ap/Ms0dARSxhq4NxtGc1RX8Jv+0XJ0nJ10JkJqAizNwglhtfA4NDAeB1
 w0M4b6vYYpotjReo86ZB8SC870eKUIocJKiayksIvgOTJewvq+4qDqn3h6VKdV3s
 p9Gxjz/8l2koGfUix+lPvPRx2c7juw49Nje0fWQzfHYUwtOYn8s7e6NZxtIJtYtq
 F80lqdXjGAXkUCf1omW+6TifSUPfmx1aPgOPBiP8WBlNwJ8hvsq6s+2MGdC+0PkZ
 4UPTllSe/Q2g1xbO67yFHNYFYE4PKojZ8NKvJXcp5nvBDNpbiefaRROM7PbkQQmm
 p1Bayy39Hlsmxb6/d/9HOANOZZeCaF1PchaLviwfkrq64U/Yg2csFHl/uX71fJoT
 RchzeLRWPCqN91Bm5tgUeBGibqNsfkZNzfbiOEGN7MzZNsU3BZm0KbKpqnXzSvgG
 6guZD1m4cjmyT7BzRsSremecIn9n8TmxT/lutAGtUi8TWodWBc3kvtxe3/xBILQ1
 MOWhBIhO9/2HAjJ+h/GIFGOrwhGtFmA5x1gGXOSE+Kkxx1jUiPE9zvPFQrgYrdAQ
 yL25fPyfNO5MTUC2rEF7s0hW5dWbcL7H8r8ZbXSh2oaUokn+a00=
 =FHFi
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmCaq/0ACgkQ7G51OISz
 Hs10mA//ci+tIUNzwXtWW5LAW5gpapDK3vVLwT4e1hrjeHFlHhIAVfRX2CcpLSoj
 dgpQOFKFKJ3q30GzkJSG0eniurqYNBz2T7N0bozPcKIvvbUVF7JnZECfizC24+kd
 GcjSUx15vwnHhYbg7cwXb8kkVjzjL/pfGSdlKsUZ5q2dcbIxWH8XVt/DKGaQyq+G
 zRH46Wc4TLQim4W5nsiNiSZw9L2kj+GTrFFJttG/+/K7OMMXrjiRdpUM90ufUqJm
 OPRn52myz7R9+SygQ2++5pSXIws2vAp6xd6CSQ+uXF7kxiDGCs+W/+v6TDr/8a4K
 haONfcWqcnc4IXLkr7m6nCQCqowBRzK6gXYlocWbsfJDBoQw8dzQQbe2EY8wWxwe
 qjLA9/Y/cR9YKinSdilex9Wixt1S0tsWZVWY4wvsztH24nM1l/jLAxw8ebaoTxv6
 5thEsBmZCCJLP7gvqPh0bXyIGki03yZGpa/7D7cU8zNLQTOpY3rHfWzK518mRzrG
 LDIM9YfW3k/4evN8t5pJEbO+R9oeWyvQV3Ka48fttOYlyy5AMqxlZSEFwypjTz2N
 hE0x1gBV2l9k6kxErkQs/IWNeOO4xr53TNgepcMis0ADsTLv3J0kGv0tC4Ifvdwf
 Sl3+TXovEeCcUYSCFCUviPpdSziGQh+w9XxYeDfC7zbNKVHQoqk=
 =zVUy
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.118' into 5.4-2.3.x-imx

This is the 5.4.118 stable release

Conflicts (manual resolve):
- drivers/mmc/core/core.c:
- drivers/mmc/core/host.c:
Fix merge fuzz for upstream commit 909a01b951 ("mmc: core: Fix hanging
on I/O during system suspend for removable cards")

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-05-11 16:08:17 +00:00
Arnd Bergmann 8aa7285682 security: commoncap: fix -Wstringop-overread warning 
commit 82e5d8cc768b0c7b03c551a9ab1f8f3f68d5f83f upstream.

gcc-11 introdces a harmless warning for cap_inode_getsecurity:

security/commoncap.c: In function ‘cap_inode_getsecurity’:
security/commoncap.c:440:33: error: ‘memcpy’ reading 16 bytes from a region of size 0 [-Werror=stringop-overread]
  440 |                                 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
      |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The problem here is that tmpbuf is initialized to NULL, so gcc assumes
it is not accessible unless it gets set by vfs_getxattr_alloc().  This is
a legitimate warning as far as I can tell, but the code is correct since
it correctly handles the error when that function fails.

Add a separate NULL check to tell gcc about it as well.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
Cc: Andrey Zhizhikin <andrey.z@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-05-11 14:04:16 +02:00
Andrey Zhizhikin c4253dfaf6 This is the 5.4.109 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBjGy8ACgkQONu9yGCS
 aT6P4Q//RUTmWKIEvODK9Hyac0qfvd1CsIgebVR/1hkadYO8OVssIVjSZoyHvfgg
 B2rsjrY1+ywwPl+IYFe4V29SIEuy+YWNo7rjavAPP7W1ybYzhaUXog7KSapho8cy
 hqTlLyWq/TeSehdomz2Luv5vM794RgEV4NjgxnBsncfjUchx5smGQH80xbKRbWFB
 QNq2h1coPbABv3dj1cBb1v2jiCc58QD8rfJuguaHjAiGem2HaMat2iWYo8T2Qcre
 UDb1yrOxCbwltc8+aRRcXI4QuS/4edPz3ZH8H9zdqMQVoS5RX0Alse+w6+F26c1c
 fRZmtg6t70wsznIQ+Jn6ouMY3Ea1jtrF4oVjMCMnno+4V7BgDGW+A+CAqbCC90mt
 QTwaObNyJRjUYjlLmTml7t+S3GqW2YoC2jALs2P3hx/ht0wOl6TIt7YmHCh3/tnR
 wZjyofl+2ml/z+cPqP7/IWGJzzNCEwxreZNcvjgx+k/L/zeNri4q/+fLETe0VE0H
 LNU04JBl2oOOMpkyX8MJODH5Gm9sOg+GiQ3tEZWsgls0mwtxKMxRuu6zNPQvIY93
 cGntM1kVTtQ8fzIUugZR0JgElnosg1xFup3nQKyoids+SEGDgDpC4O5pxYvNW8oo
 jThLWud1waFzhnVXGRGviI0irQPUeYh7Bfw///c7hPHbqw9+F0k=
 =6s9w
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmBsF/oACgkQ7G51OISz
 Hs3CjRAApVP+mu2FCtefIpEnIJJnsPt3L3QQKq3OtChJb6pSRv9FZ7+KW9RYz+qg
 kTyYa1O8FPxaiUH1RUJnRt93qRYf12JitFAUOuEthJGL6Rac5pl2JfvMNAAWvhW7
 nin/Ci7klYyve7Fk3JsBnzpppQHgODTHbQ4TyUH0Mcx8l20o7uxoClevs9JqB3m8
 RbpwRjKKU+4dZU51ueLVPKenS2pk8Hz3kKLPDP27ZJh0PeJrLa4Och7rh3cqVBLW
 nYFJDLBRMRmuVnAHmzCclhH/YFzRC9TKI/iET2u14P1HPdHFO5TUqARbRY37iWLT
 w33qPohDAdR08Kzn7LWGxxoiyoYxqyWgCXhTaeuciMS+NipdHo8/dyDVQClnYZdh
 aPf0eqNciWEkE4KwltvKl4huYwzptsraBxa5eweHa4LhB6M21kmcOdenwPAz1dcO
 upiQqC68ZJAVoT75RD1M1cvQfVDPoNMcrl/Nw+sDqqawwUQ6jpyu46kRK3ttJ0Qx
 EiG5UhS50IyNPbgNUztnsezks26ajyNho69yQuiGA7qgPBKDBPuBrLnk3LlEkuzq
 8fpMRYDQqIYe0YaKb/DV/8X/c9WowskNv9VkGoqx4VbOFnQUFoxl9MEDjzWcksOq
 9OihF8flIwsY8rKFZGJ5EbMbgaw85DutEu6m830CMoIZfUTCRFo=
 =XQ0y
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.109' into 5.4-2.3.x-imx

This is the 5.4.109 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-04-06 08:12:40 +00:00
Mimi Zohar 752589cd4e integrity: double check iint_cache was initialized 
commit 92063f3ca73aab794bd5408d3361fd5b5ea33079 upstream.

The kernel may be built with multiple LSMs, but only a subset may be
enabled on the boot command line by specifying "lsm=".  Not including
"integrity" on the ordered LSM list may result in a NULL deref.

As reported by Dmitry Vyukov:
in qemu:
qemu-system-x86_64       -enable-kvm     -machine q35,nvdimm -cpu
max,migratable=off -smp 4       -m 4G,slots=4,maxmem=16G        -hda
wheezy.img      -kernel arch/x86/boot/bzImage   -nographic -vga std
 -soundhw all     -usb -usbdevice tablet  -bt hci -bt device:keyboard
   -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net
nic,model=virtio-net-pci   -object
memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M
  -device nvdimm,id=nvdimm1,memdev=pmem1  -append "console=ttyS0
root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1
panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8"   -pidfile
vm_pid -m 2G -cpu host

But it crashes on NULL deref in integrity_inode_get during boot:

Run /sbin/init as init process
BUG: kernel NULL pointer dereference, address: 000000000000001c
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920
Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b
3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f
1c 4cf
RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000
RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888019263627
R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40
R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff
FS:  0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 integrity_inode_get+0x47/0x260 security/integrity/iint.c:105
 process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237
 ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474
 security_bprm_check+0x7d/0xa0 security/security.c:845
 search_binary_handler fs/exec.c:1708 [inline]
 exec_binprm fs/exec.c:1761 [inline]
 bprm_execve fs/exec.c:1830 [inline]
 bprm_execve+0x764/0x19a0 fs/exec.c:1792
 kernel_execve+0x370/0x460 fs/exec.c:1973
 try_to_run_init_process+0x14/0x4e init/main.c:1366
 kernel_init+0x11d/0x1b8 init/main.c:1477
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
CR2: 000000000000001c
---[ end trace 22d601a500de7d79 ]---

Since LSMs and IMA may be configured at build time, but not enabled at
run time, panic the system if "integrity" was not initialized before use.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 79f7865d84 ("LSM: Introduce "lsm=" for boottime LSM selection")
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-03-30 14:35:24 +02:00
Andrey Zhizhikin 960eed45f6 This is the 5.4.106 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBSKIcACgkQONu9yGCS
 aT6nww//RYwO4quTQO9h/SnVtYta3C0bkgSjLCuLjM6LY20L5sHiPxMXKn3LTb67
 SSFtW7vyR4gOmIduQ783yoDxzSGuKZvQ48zh5OZYXD4GlhP9JZ5y4IkEf5r0SGIA
 k4pYYX8rPLNaeOu8TprjdGdaDFC4XplFfZEN19sympvv2q20qD+JzvcjjhyCFmvk
 4A9NibAStU4jUK8AvY4STJb9XmaYo337Btv3Y2j+qUBVj6fMsNCfUif1SdGHA4de
 TPzaPVOIm5p4USOy/m+hsc0e/q+nzz+VYYk+T7X9NDU+kAiEOjdyMqwNOtfAUl9A
 k7aca4oQMjO+MNVGrvER7xF0Se+wlTomTINzLYf0YTfkCMh9+Me+pFr8Fivdvhv9
 /mBFOJ0qqYXpezUETh7F5tgzMUHkzEcOiOpEG/sINxnsZXJaa09VJrS2GYIjILFN
 Epe83Z4ekbZtIzfUY+RWYVEP44fvV1lmLqKIs7z4xoz/IgF2NR++ABwyScCY1E2X
 GstK4fJ7wHA/usbmQofyfLMEF9hvawOu/GwWP2IVQRbK3E5Miux+tTkLXvVhqlr+
 CrLXHb8OZSb4+bzZb3fFLg/B6mR+MiNKXYp2WW1/7pqhTfJHHg8P7Ui72nAcM5Jw
 +W0Gezv/DtPqbhK6rGGTUxOTYOvWqJEuh6QAI4mDx1kIeevw13o=
 =MKFy
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmBTK2MACgkQ7G51OISz
 Hs0njRAAlH8lNVQeZfbDi0w6CfR/biyqTI1RCH3Kak6xTQPFv7zx19eejIj6liTf
 8N1U+MB5mzTzUlt7+fakKUBIbZFbf0gFXL0CgS3dIAyr/1AjZx5rvZP9PckH4pIJ
 m777SlNg07Rm6iVTkVBsES9+BhVvl5kLDRsx2WKQLg9rwaPsnxOR3aiQMqueLW9N
 /1l/Kxoz8jld+yK1mT4gmdTzc5zBJ8ywpyNMln0WWw2Esd+X8D+fc3iyj+DqKGaU
 Cdr8Wr1EoAnt5c9HMeuyTQiW5jyIvJwjtjBFJuy2hj0KH+7yeJen/fKBJXxp+J3Y
 FQbR0NLg25zWXxzNDyZ0mLFjB6KIF4IRFUAlEUBO4oavlyyLzAjg0GXE/Cy4ZVrw
 KE5sg6jcpkNNvwBx2rp+MKYhrRkZN26t7p21f8KMsoApyZR3cfT2RxhsFVZ650wi
 QAr2ZouNbwn5K6Bs7jVIv1VCVtW8uJyEeOuJph+4dSBv9fMzj1jVMXezXuKy1Yjn
 q66OkBjletI/hxaa6f/w4k+o20kxINexSmkg+6ZpvYTsBkElQW3GoHm1/QbW6b80
 KGA5MmwvsqXpp5HaepZ5QXpMZWmIGtYxXltBv+BFwQhjKHk+M8hCYKrmD0ZyHAN5
 mkh19gwi+3evxVhOMFb2WKuJngrH/om3fSftx1oJtHmAYadM+XA=
 =81mD
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.106' into 5.4-2.3.x-imx

This is the 5.4.106 stable release

Following conflicts were resolved during merge:
----
- drivers/net/can/flexcan.c:
Merge NXP commit c2aba4909d ("MLK-23225-2 can: flexcan: initialize all
flexcan memory for ECC function") with upstream commit fd872e63b274e ("can:
flexcan: invoke flexcan_chip_freeze() to enter freeze mode").

- drivers/net/ethernet/freescale/enetc/enetc_pf.c:
Merge upstream commit a8ecf0b2d9547 ("net: enetc: initialize RFS/RSS memories
for unused ports too") with NXP commits 7a5abf6a72 ("enetc: Remove mdio bus
on PF probe error path") and 501d929c03 ("enetc: Use DT protocol information
to set up the ports")
----

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-03-18 10:27:50 +00:00
Eric W. Biederman 47a5d1b63f Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") 
commit 3b0c2d3eaa83da259d7726192cf55a137769012f upstream.

It turns out that there are in fact userspace implementations that
care and this recent change caused a regression.

https://github.com/containers/buildah/issues/3071

As the motivation for the original change was future development,
and the impact is existing real world code just revert this change
and allow the ambiguity in v3 file caps.

Cc: stable@vger.kernel.org
Fixes: 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-03-17 17:03:47 +01:00
Andrey Zhizhikin 653b37e2c7 This is the 5.4.103 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBEt1AACgkQONu9yGCS
 aT5UcBAAuobHx4KFrA3/SWKQo81k7oyyXdbb8BJK3hYLCl+RFD7aYguZlvqITVw+
 Hme5PQPnLvY3jc/TwhuIDOG2o2020mT79J8Ggo5ccP/pMIumOwi4LXLvcFQiUevo
 PnYbXM+QCmxyrm+d10gYeARaGDjP+rI5V46AeB+lkn9SgjzJB649d7BQxnQUxPfB
 bm+PyOhX7WgqvZFmkPR4RmLBBC57OfUtZoPID/mLW0w6kKYcy3GD1uHEp3TeG3Pe
 PVxjC57kEiHqnEck2df2XhaB12QlGUGxJXPDmhx6djsvpr3Ss4XOMOYVkZcfsWW5
 hThRdiBEgoOhjhqpfpuKYXE0IrB41Uxd6LNd4piCGF1xfiPSWF2x0m8a0NmgAynN
 Ungl6BbvgSyawI0luZeocSStD2POEbx264qxvA2t+XlxGCxw8PpS4X5mtNAk7vao
 VathiQFdt9LVtFftq7tVcy1XMt7U6SSOj84opLig5S4LHrUPY+/E0qCgZ4V786eo
 fkE13zUpixsxgbvYphAYIErXrq9o0B3WtaAa4jFB/RBugHy5mDGCavM/MNVgitJr
 Y7L9dNzdx2FpAez/dbod+n/CH5wXsnmLa2ZGqqIBVhxHRMOlYTVKa1ioc0bHrjab
 8giS1lm1EXOFgIPW7xI9aEG5alLy9s2ai29nAPmhpi1N72WUtQQ=
 =OmY7
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmBFGe0ACgkQ7G51OISz
 Hs0dLg//Ujaz2OkNFcwt6/2qdRERYfAK76wJ8CuWToykhgUNKoPLtxHGCFphiDo4
 liE0ABJQLVSptyJSbkw0xcsqMav0EgdBXH3JNaU2Cr2cSW+BIOLblHbtTyLdPffr
 53NGwubt9kgZE2du2T0mBIjEnq2cespdN5v5zBPRkNvF6YwDzTP7864qsW6Ky75H
 KczmdP95uoWm33CDjLj4unMx/4bzhGtp40oae9YiToxXXq+eqjZGUxveOluP/gGX
 UpcQEM5+BAdDOTDcAiFTHqXI8fU6nvHOrl90yfyL7rbcY8K9wbvM1LkXdeHGaO+p
 F6Jf9Wo9k1LxRWCmq8PBK6PaPClrYaMLCs3YPCuTGsKhv5QfqezUshbTEmgoeEJs
 PZmTzbxeolItxhZmt2zsNm/nhGcfUivyvn100y0hSCxUAdctokn09OaB29JX4okt
 I1/gNBWJdzXdK878870MAUD31S3Z4cvrYRMYdHTCNG0SJ/uzcs8YftAIjKZjYb+u
 3jYcqRZrHiQAoC4NagKUsH4Hz/WGB9P7jyJO6dI/pJVVqSBWJwuGom1Mfs9wDkLt
 Z6BT7rg+CQSKj+8r7iq384ozqPXK8TRQYvUQ/vHZQ34S6jo93atIlsdsHrKc5VzE
 a55vkAYZKX/BhxVWYcfA+wOFBHqBNOBdY+Aekx6qpg115+lz/iA=
 =aN1o
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.103' into 5.4-2.3.x-imx

This is the 5.4.103 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-03-07 18:22:33 +00:00
Sabyrzhan Tasbolatov 4ceb5ca9e6 smackfs: restrict bytes count in smackfs write functions 
commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream.

syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE.

Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO,
smk_write_net6addr accepts any label or -DELETE. I couldn't find
any general rule for other label lengths except SMK_LABELLEN,
SMK_LONGLABEL, SMK_CIPSOMAX which are documented.

Let's constrain, in general, smackfs label lengths for PAGE_SIZE.
Although fuzzer crashes write to smackfs/netlabel on 0x400000 length.

Here is a quick way to reproduce the WARNING:
python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel

Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-03-07 12:20:42 +01:00
Andrey Zhizhikin d51b217cf8 This is the 5.4.102 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBAqDoACgkQONu9yGCS
 aT7R4A//RC4/R+Uc+cX8I2al+B017epRXRtfMDz7cd/dO1SAAhgDi4zrebAxs1XP
 6g/t37NuDZ0rjKxMBRzATSwizDLP9gKpeWCVQTtvlHGf+tm/5sn2bt7pckoPvXvo
 GqXPT4YgUgZQSHE+YG5Rhjtv0xMcOEu9yNTsPNZJU6BDdYJylQX/D97MPVjJjbXJ
 Sz+U98wHt0zIbwkg13/2FZvPMdEKL0z8Ub/SIKDaXfFSPJMDYb/5UcEfdnDctSbI
 B3i2i1/IXa97EmNG/MNDi1zPI2l9+PtRrtIzpfLASRNx3ySceiC25EyDk0mp5JnZ
 czxXJ0NxG9z9Pk9X6Isvaz6X5Nqv70LORTFeZRBEp0ohYbsxH/yBuPZ0T8bukjgU
 MA/uZDQryfeNgBN1aEJlTRCAmGyyD6NIICsNPnetmmowgqYxhHXt0tVafMvWpH9F
 vbM3eHcOfOfNejoQiPqTj5vX7NF0BZGQYa5LywKHeGe5q2nwaMj++Kffj9ERCo49
 OZFylFPiQVdEjse07JJb5vGWQkvvTv1FDB+zb7GVgHwJNnb9Lswv2VQbjdZBS++h
 YUuDSxkhEYR+vdKKLcFBbjAYkJXrpiSeXzywjR5N0c90OJdaBX1kpAbBHHXYiwo1
 P39l5/hsxWljQ1ZJqbeFWr2ef27xDiEz7aPojLUlyjBRgBC4eYc=
 =JSQX
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmBBQn0ACgkQ7G51OISz
 Hs1bUw/8C8T64CcvBDZhx2MyFqP5Wmc3h2li2/mAGYBPXnq9bQqhHVwNxBoeOY+d
 8jmPuao6Rb5xWWDCK/7bpshOyM7M4oBKDwJK6tgg9+ntPhllL29H8NYnH+hd45Zm
 oeM9gzKk4DU2jxZMt9BOi/ByrCApVKxcbiddPKmgXqaz568JQg4P10E7D2ceRudq
 uGlZbtEVqw6ftAyygzqiVmioGCwdgd/5BC+HPGcSaodF63z5Dc5LPOG+uefAVxq/
 oXawWdqScGqJXsbbkncgbvNSkIlYdVJIPqnMYrYnD2saAq4qeisrEkUzTUJwRCYT
 CeKxKL6nP4vqzgc21YGyxhtxJf+Sv2pU9QMgN/qfuhG9Nnz+7hQ3TntEjviPf6kC
 73a7cyQeLCVM2uECVN1b3fXweXRvllzkYCsomO5hU2J8mHHcUjJhwyYqsyE80Vpl
 w8qmZcyR0J0BmKXnYISGfe/S77Ze2nqLhOkGmP/PQWiTrULtLR/7wDEOap2xZbmz
 LPqK7nIrTD9lntyksNg1C1Az+So/tZQLh2hCX0C2efGqRyP2UbzoR6HgaI84LWf7
 L6qG9zVjl88lHLPZSO6WpOlxoR8RpmMprHs0bHJS79ucU+XzD0o9LyWhMBm6++qE
 WuDsSYYJtKPl7Qe04uBJNfO8cbmY9YcorYkgAcUz/Ar+QgCT0js=
 =aicv
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.102' into 5.4-2.3.x-imx

This is the 5.4.102 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-03-04 20:26:33 +00:00
Jarkko Sakkinen 2910038c09 KEYS: trusted: Fix migratable=1 failing 
commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream.

Consider the following transcript:

$ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u
add_key: Invalid argument

The documentation has the following description:

  migratable=   0|1 indicating permission to reseal to new PCR values,
                default 1 (resealing allowed)

The consequence is that "migratable=1" should succeed. Fix this by
allowing this condition to pass instead of return -EINVAL.

[*] Documentation/security/keys/trusted-encrypted.rst

Cc: stable@vger.kernel.org
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Fixes: d00a1c72f7 ("keys: add new trusted key-type")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-03-04 10:26:44 +01:00
David Howells 0fec3272ab certs: Fix blacklist flag type confusion 
[ Upstream commit 4993e1f9479a4161fd7d93e2b8b30b438f00cb0f ]

KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(),
as these only take KEY_ALLOC_* flags.  KEY_FLAG_KEEP has the same value as
KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update()
uses it.  LSMs using the key_alloc hook don't check that flag.

KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot
write to the blacklist keyring, so it is not possible to remove a key/hash
from it.

Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set
KEY_FLAG_KEEP on the new key.  blacklist_init() can then, correctly, pass
this to keyring_alloc().

We can also use this in ima_mok_init() rather than setting the flag
manually.

Note that this doesn't fix an observable bug with the current
implementation but it is required to allow addition of new hashes to the
blacklist in the future without making it possible for them to be removed.

Fixes: 734114f878 ("KEYS: Add a system blacklist keyring")
Reported-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Mickaël Salaün <mic@linux.microsoft.com>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-03-04 10:26:29 +01:00
Eric W. Biederman 33a2e62473 capabilities: Don't allow writing ambiguous v3 file capabilities 
[ Upstream commit 95ebabde382c371572297915b104e55403674e73 ]

The v3 file capabilities have a uid field that records the filesystem
uid of the root user of the user namespace the file capabilities are
valid in.

When someone is silly enough to have the same underlying uid as the
root uid of multiple nested containers a v3 filesystem capability can
be ambiguous.

In the spirit of don't do that then, forbid writing a v3 filesystem
capability if it is ambiguous.

Fixes: 8db6c34f1d ("Introduce v3 namespaced file capabilities")
Reviewed-by: Andrew G. Morgan <morgan@kernel.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-03-04 10:26:26 +01:00
Lakshmi Ramasubramanian 091b409383 ima: Free IMA measurement buffer after kexec syscall 
[ Upstream commit f31e3386a4e92ba6eda7328cb508462956c94c64 ]

IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function.  This buffer is not freed before
completing the kexec system call resulting in memory leak.

Add ima_buffer field in "struct kimage" to store the virtual address
of the buffer allocated for the IMA measurement list.
Free the memory allocated for the IMA measurement list in
kimage_file_post_load_cleanup() function.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Suggested-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Fixes: 7b8589cc29 ("ima: on soft reboot, save the measurement list")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-03-04 10:26:25 +01:00
Lakshmi Ramasubramanian e436d3f7bd ima: Free IMA measurement buffer on error 
[ Upstream commit 6d14c6517885fa68524238787420511b87d671df ]

IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function.  In error code paths this memory
is not freed resulting in memory leak.

Free the memory allocated for the IMA measurement list in
the error code paths in ima_add_kexec_buffer() function.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Suggested-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Fixes: 7b8589cc29 ("ima: on soft reboot, save the measurement list")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-03-04 10:26:25 +01:00
Dinghao Liu 3d5afcae9a evm: Fix memleak in init_desc 
[ Upstream commit ccf11dbaa07b328fa469415c362d33459c140a37 ]

tmp_tfm is allocated, but not freed on subsequent kmalloc failure, which
leads to a memory leak.  Free tmp_tfm.

Fixes: d46eb36995 ("evm: crypto hash replaced by shash")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
[zohar@linux.ibm.com: formatted/reworded patch description]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-03-04 10:26:21 +01:00
Andrey Zhizhikin ce0c0d68c7 This is the 5.4.99 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAs43QACgkQONu9yGCS
 aT4omw/+JPBAZB5ClIOSDuf3/yJkbigVRFNVmQJy4/cluG32cxlcpudoau7AXq3N
 0Sn/rfSdldl5eI98OTA+Y0yPIsVnQJdei228A5gmULkkc+rEFugorSJKRmmA7tH0
 VdZ1C4NlhhmjoIT/W8mMNzv14dtyGQvRbT+zzfxqwqL6tF9+alcdBYTP/Z691K6x
 8Csfe05MZ8VkvBizStaTXC+dtMhU917Ikd5i5v4ZzaesZJcUTLS7J82FhtKeoz7q
 tDoA/Bl+pN1KjyIIE61/zJ8DKzBtOeuo1PWJFpO+EBVhKVosr3oWJfTAiM7Fsnu5
 dbKHYPsbe3mB79JdQibr7TpU7vSjDr5a/HTuYtp7WM1R5IssiFeVOdpXTGim/s/E
 Flao5LYSUcj0X/Io6TyUnxQWw8sJz3PGKYiLUn8/9DBpzNFzynQ+vuapXCoGxJzh
 W108q32PIx2ZTJsD5RUUqZbytG/zKzI1+SxXo2uOhs9/k5qT+35Yp9epsE2Cp8v1
 Oiw3P/ZUDNk6zPj0dsHcTsqTofRK07l71HnM8iIbCWSPw834IoGBuB8c3H7HaHn4
 v5M4tMTDAaKi/e09K92fR6SZDgZz8D0N+sLLneA4NEASXIJanCUwcgVCUbja+BO1
 H1hiYTTZQa7kOkSxBa/wGsWkdfvOpOvCSFr+c6LPmB9sHMe4K8o=
 =3BI0
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmAtjOoACgkQ7G51OISz
 Hs3p0w/+J3WWl9sa+L25ZY92AZDQWMFEIlsiyKrVVgC3dRhtEr2iWylMFsFRCS3K
 IYTcHxe3MrhnaRycXZ25I0jse3doAFkTbsEl3WcjabI4/xARUW77vedz5CvxBBH9
 5Spjn5qs5zfmxHTss4qbta1zEq7PjtoJEpFVDhlhK6VXKXz07QZrRnSAztde030R
 vg9OaJFyQauPguySXISBg/XXLJEJ3j5NO3PnAW5eJKJyguQF/ujFNsv5s80297BT
 vc7kNdyy7Zz+C8dem65WMsB9egcuqt6jwjadePGz/5mhUxaj+IESJnkZ3ezCSgMI
 NDdIROT228RScO5BVEHXZHKsAdyIKibdZ7Ta7P607buvBRSd7+eV6/QkbndNYxva
 40NBGTlevffBBBl3KXbZTSJX4IrUCr45kfwNXrHGo588aiSrOoYPbr3Tq0TsWyvc
 hkDOb5XARlvyun4vvL5cKmfOV7I6MrnGs07chQ8Xd732SIhRwgzsZg7cM3kzmceB
 cEV1d+2uTmxzzldW34fU/xWPSDb/dFKjOKrsttMNM3lbL58oPS17eu4zjSQ/vO72
 x/h8KY6Uc1ceja/fWZrk4t1fusMNJZ/NPxPVjOFJpMgz90aGMMQDm4bVM6yW1x4r
 zTr1iR6q9N/+S6Y2Vc2LEuEhB2fC9q9kuFbp8Evk8DPSotQT514=
 =FE60
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.99' into 5.4-2.3.x-imx

This is the 5.4.99 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-02-17 21:38:47 +00:00
Miklos Szeredi 43e3cf46af cap: fix conversions on getxattr 
[ Upstream commit f2b00be488730522d0fb7a8a5de663febdcefe0a ]

If a capability is stored on disk in v2 format cap_inode_getsecurity() will
currently return in v2 format unconditionally.

This is wrong: v2 cap should be equivalent to a v3 cap with zero rootid,
and so the same conversions performed on it.

If the rootid cannot be mapped, v3 is returned unconverted.  Fix this so
that both v2 and v3 return -EOVERFLOW if the rootid (or the owner of the fs
user namespace in case of v2) cannot be mapped into the current user
namespace.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2021-02-17 10:35:15 +01:00
Andrey Zhizhikin 91b466d782 This is the 5.4.91 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAHFkkACgkQONu9yGCS
 aT5DMg//TWHV1loe76Jy6mT7SavddKkO+C6YXdGMYN4vVKJqYzASSqqmkIGYZVOj
 G5GnILybNjA9aJIqX4vXTXs3YslWZN+rd//GYRyBTE7SwlNI8Lho1ZJq8VqtWo+x
 jxm+2QNX8wBb9QuCqsnLOVidWVOQ9dcz0GC6/N8gKcAWJ71B2RpwKQxnEXjlJp3f
 m5cX+Vnm3XnJkdT4mmycV3h4gnOrwhIUGbu8iLbPTmfZf5aZ14eD2Su8gpcunWat
 7JY2z1u4jSpkKspG5eVn8wmL1aB5+WhkqU5+rOtHZ+KJZvRY0wTnmIQEBCw0bAW+
 49tIthuJF8wC7oa3hXoXMNG8K112ffeeF2Hm29WFbpFYRinIjGt/MPmg2A1sM+C1
 jVQewVOArNLA0lo5m1jun2/c56EEGFKKODzJR7Epphdi+bsY7DSttIfIIzwUqTc5
 9wgZG81+l9uP/ohTm7vG8hQcANt0DN+X8wet+HqpuO5Mj5T6150dKW4zQhdOljBH
 GL/O/31DfIUmLJL50+X6kn47c0noZlwEmZc+buVxdO5bC27cK6awEE3gQeCTgsWj
 Ok1Sa+3FwwEPnKs8zInYP69U/obvNxBhdxrccrUOViGBxsXKHMPEnXG2bUuiV/7v
 KnuO9z1Pj3+YAdZTwWygdJcZNdCAwGL4ekQV9N/Pxeg6ejq2E3Q=
 =TOgX
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAmAHWewACgkQ7G51OISz
 Hs1aUBAAinOh6FoVKp9uU/lgt98zHLjlYHD+CJlnpD3uj/9q9VvdMMZugxE9jyhx
 x9tZCRkscc0Mrn7LxxV3L6QvxB5wIlIE+6S9+Rhx8yKb1PLO5S5ZmOGsxeZXjkDn
 BiaOJ9fKCWcauYJ3mfgOf4OXn8j+wRSZgNZUBavBdS/kl4DGYz5QWp0UiL7MHYwJ
 YqiFXTVmhGZjM0dYWHKlst3HNqfZcdQBqAkmzu6qZfGUZPaJkd+EWKxtbdwg3Q//
 vb382I3zONAqyQYauSvs4HFLJHU6oBjQVGdmYv8w5U3MY2ESyp7K4RBQPAdEeW7B
 Xq4pycGWyyeLFG0c+G3R5VYdQ0/z6xhN0UY4QGY6guXDk68SXQ2SN1grSkoJRoCI
 N7LgMOKcJHifiWP5Hq6K1g8f2AKhtTPOqFQW3tF0C+saoTmvW7EiNI9z1mTecSs9
 7RMLO+A5N80Bu7cUsptqUmOITUFGwvQLHsrQrJiVY09aKjJlF4i2vwRb1lLlGCoL
 DUDGerqu7MRF7EgjRGRBxAdvc+jvnawQM0koZG9uOsXQHcBzA0EwA7NuLSM5+RJh
 W+Y7U09xgQbku7hiVd6fKdWtqLLrowJv0+hq5ZyHW6OS9PlD5yKhQ59sOx4+K4R8
 8Z1pCytsK0ImkuUPXASbo1QdDM9l8iRIYfWOc7aq6uz7KAiPcek=
 =NgKs
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.91' into 5.4-2.3.x-imx

This is the 5.4.91 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-19 22:15:05 +00:00
Al Viro 08eb8a735c dump_common_audit_data(): fix racy accesses to ->d_name 
commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream.

We are not guaranteed the locking environment that would prevent
dentry getting renamed right under us.  And it's possible for
old long name to be freed after rename, leading to UAF here.

Cc: stable@kernel.org # v2.6.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2021-01-19 18:26:16 +01:00
Andrey Zhizhikin 6f99d03764 This is the 5.4.87 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/1wNYACgkQONu9yGCS
 aT64cxAAwwt2H911zFagJCVDfLKXJ4da062n0YcJe3saGSg+mdEkSGYEDxjV6jjM
 jTzK1W5C49sQ9kzIF43YnYgdULwcXJ76G/uqFjFOlmbRzAKAYgs/3KXesa7S4cp+
 LT0fiR7uyViOw1zn4yBIeSnax8uRwT4vR1vV++ILC/7vL6hcnOBOPLxGzUKYlvJQ
 TD8ZQjeTXe5E7IhE+ztuhJQT+hZr1VERTjoktcfmlUps94uITeKdKYoCCZQ/zYIL
 IS7OgnAw5RNERHa1JUZruaGFvJORTu8wAfVtgD1VgRUZAe2ziWH6aCeDPaWaLzS5
 3U7Rc3Fyf0CRYrhe7mI1J864GIEUAe9V34sGQzaU/ap4SWpLvHbu12ePlb+nLNKF
 MZmGEd0eZuKKDSx9dlcx8hbfVg99YpI5oOeDvfCJpYx/uxNzzJhO5wkkZxweiN9s
 XTMUhhkTNkhgYdzn4Y8G9++LLAZpwOImSh3NkntoH+mSVlC+jVBbskz6PdywDjQR
 ROVpW26t5Ee6uDTrjci5cffbfje2y0r9km5/sbRWUz2YGsqYfAI3FtbH5isNUPOm
 Q6ucTd+xvmApfp9bn+XYLnbTQEGAD6mAgSmO11CIDsUJUvOTD/2cv861kATJqhXm
 01rHgohIG604vERppYC3WWFjh0cdevBvwSOpDi1LIdlgbEF6QY0=
 =q0Fm
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAl/8SgIACgkQ7G51OISz
 Hs2VKRAAml9ZwPiiMF8+9Si2UgXrC76XSe9ugeFR8w3xRYfSeE7/xH/eA3pl8iay
 zO3Z+EuF0Qd6Wo+q+8hLO7Qp6PbWfp9dqWoUA2klptVT6cyvrW3lGT65XK8oYvIO
 7ElkQYY8MCx/NLpExbgQzydJbcb7u6Gpl3s+o6eVIXEA4vewlTU5RVpUGs0YxpWR
 lFh6w1LM1bE18HNK34saIsvKYQURBWMdpj+eN1P/Ts4XSTXBv7Xw9Uf4D4berzsd
 +Xtp4AT2zmyq1iU1QRtkNXY2XyBsnMJLfQAEkbpq+hHHY644hJKU7yWiSWgfvAac
 ylY/VZ6kkEvdXsCHC8pCc/MlPMc9T3ciuHIHDRUjSXDctPcxeOdkVuNah0JG1s2l
 UQYD328Sb55zaq4oSJnG9SQVSj299yOnrRmAKLJb12cFa4wxAwXbbaP1w2baf/Ck
 PQAivRb+zp7G17Uirih3yv/UjSK9f1OcyZywU2P1srL18elfjKdJTQAS11uoZ5NQ
 vGhwlQp5VGQmdML5Z2h9V6w7G+XcEaflR5PkM6QmiuAIRk7/0uESSB+gje6sE4eA
 hGbikUI9K3BV6ppx/OlRLgbEgq0f+V2xjwDRZL7qDLsiiOUp6eWyY9K+QgAglnFH
 2XoZTDsZ+7yNQ2nRQvwhHg2hEGyjJh1dDib2yMmslDujD/w2GZA=
 =Oh8o
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.87' into 5.4-2.3.x-imx

This is the 5.4.87 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-11 12:52:13 +00:00
Andrey Zhizhikin 3a2ed314f3 This is the 5.4.82 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/PSigACgkQONu9yGCS
 aT6bSw//eDCpWcnLDa1Rt4bOrnO82484ebr1PZeYPfca/3QVS59j8DsVOf6Xklmz
 z2ponI6SRFxZwO2SmXrfoiOhUVI9Kd3ohTH+LSo3ezpk0klamIf60L914RBc7QFE
 wmVgOPz5LwLxfkU5a148/H4rwLGlM9oBxVcCXpnLkN03Ul4JM/P6A/T3rFrX8ZkW
 3r4NYu3jOHgNz+irosW8zAea+jIf7ALg4Gch3ILwrbM4KSQiyXbAp0mJsY+li7HE
 BSa1RJHBXkqCwK/mWT4LWuJNf871T656kKr04/rxipRu2lEcGCPghO4DGba1mjqR
 NdnuMWBjoxetlRAbWOylWT+2ngQNx+E9hFrBxg1+js/mcHvfpeM4EuSK4YCnI7rO
 6r5JZqYdw7GGHqvy51JPLx1m+NMt8XhTp5+1vOIZhjtdNrcTMBz0kxIiGbvTwdlb
 BbO+LDjmBmQYwmTcadbBPPMRLKnvx5bbNtTAzdwkvYEC8ev5RfxebFO/StTbmVRd
 JIUKkwmNw803OjhMgs+dXVw0lX8C1nLSSROKHf4+lCGFhCDnDhos5DpKpfBIwXxP
 Xv0Uf1YA4ygFVId+kuJOoXWNBkzB6UOlKMxoU1YcuRwpZHFk8b+MvTAzaCbSSl3A
 nJT6CK3K3H6WSiF9PC8i85kFJbAJbwifjx904nGBekaqU0bgI+s=
 =Faec
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAl/8P/MACgkQ7G51OISz
 Hs19zBAAp3TVOftsZveCj5LPuqVf9ceOJe8qrTgsPJqL/j5pYvEhjiFryIBMBfBq
 tg9jj6dgsShjej8u/7jlcNbXnbDynTOEBozU1KkQspAHp0AS6r/SoiF0R3W5trK+
 sfbAsUce9wU2kgZF190Covr2Ju3xQSJ5iFXtrtpdYTlzxB3b46Rw7R3DWOYLaO41
 EzJ48IIfcjD16MAoiLYdIoBjaLm9so0JIOZJyrGCnboDnAlfI/9Ty11kGD2vqHAq
 P9g74uGbCBa68JsL8437yx2eG3mjdI1o7n/MLDelaFYNtxjzMGae7aRI2PrdelJS
 ny1Le6tdG+0L1CBoCTXHaLSTIgcyaSaQ9i/3ussQl12sAuNXiWUQJYuRbzQG+fwm
 yUBWJISv2kJxXYuCUDTrY1BWK/38HKu2CCSE8ijl9v4re0zG2+EZlr9qXUAU8ap7
 yzIYaHZ2WlXMag6lzbbaK7PqdBaFeQLNEoHT4hCNEZYHJ7peOcOZgJlm9o+3l1FP
 3LFwRTVetFYVGhSMaDSLXn5jMIQE2jgmPUtaPiTNKYI7UxXjSwZLxVgTIOQm7ldh
 248DIjUGJ6BLDRuz/2dGRjVaf7vYf2G/igDc0ySI9hMAxrk2zRROHSwdeu19Eil6
 z37MY0RDtWTEDi/bU4z10I9Al3lpXh9N2yXIo9b4//GcbZLgVjU=
 =mk34
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.82' into 5.4-2.3.x-imx

This is the 5.4.82 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-11 12:09:17 +00:00
Andrey Zhizhikin 36d7dcf6da This is the 5.4.78 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+1Zg0ACgkQONu9yGCS
 aT75KBAAqvo33a5xoTM+FQQRsRSKaRNOhCQooXEB1bJcas3y+yQ6ehmwCJ8/K1tC
 JilD+NQt6uuwH2f2cLrH0e4EQcvno390qF/wOCF377bUnKklsxydyaLSLhGYTqR9
 5u/vZVf/QoWZc6BvDwPWNo/NwuRPgJ+sVjuFvtt08l0pGQou26WGujl6ElJKBiLV
 SbbRDlx/f8cJa/oqN8TL/V/VDqJfVLcv6hFRvf44newSUJK05LgCVoM76WEcSQLj
 GYrtCNwffJtnCUzUr/SctNymsgmjj65df6tKmS0vntWH5kTBnCKK/Mnly38gQbeB
 nvci1siOUjnnrkBhydKixO4Q6OZmrbuM0g3vXmW5/Az7HjRcX84BRu+yE7aArE3/
 GMAIO/D1Wj9Dhxs59cu12IWxRaljkT+5FsZYV55TgcRMmWHq/YzBYFSW15fZ9xEw
 ehel9m5ou+HqVtz+bR+ar3v6M2bhedJ0fFvXnbN2OhMwHsEUTuYqfTb7k/21dUwE
 P5k8qGGcYKE1q1gb/Dp3p/hDBjr5h4Mg7z7S8diGsVv3klgrtttgqkOo79JfTESz
 BS5vsF9yS0k23xemCl3jZ41X9uReXnE3lvEeuDBDdYvHPwnjyzPeUN5jgN6abQm7
 CTxp0oPIFW+O8MV+vgF1joK6ykbK8rJRjIUcfzHeI6oKt+HQBJY=
 =gimO
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAl/8L9MACgkQ7G51OISz
 Hs0pEg//X863iBcTnTS2d89K0iioN+QsmoqgV/J0E5piuUpRLK1LgLsaFBFh/PHN
 ZymSF7XuJL4RGZH5kX60Arj3aw1OmJcSObvqejDrfZ87S2PQCaygXITUHVY44QI/
 gSDvotbCWd++RsJicYYAXEmWBs2vYP4gDJnYc2bLo/v8mWVmuyGC0449pJWTsW/z
 2Xb8E6qGtmzopDrNlNT4EhyrepWEmOLEnJ0HE/yjvNgScEmGkb8W9mZQY0ICKJzE
 WQk6lid35VgW0+SiYRauJsHUPLC6hoKtqBA3UQCoiLe939vANvgqqjzhNSRTJBUD
 oldGwT6Voy7DpeCFnX80/h7jkSjwxQ/QZqBXuoOjvvkv5p2Lc/b3kAMqMZKemaDP
 EDIYf7986qDJLqBg9l2wrB7yNcuAYIOgJnYjTcFZrKaZCt5fPQVgh8aDY821aD2U
 lWbL3RKNdTmGa9j3NrIJAMmW8M8sDwV8RQberAQ0TwKOfwqucQF9pCN+oz+V8xBZ
 bKW/SfrFoqk0x+bTe4vz2V2g5nL4MlOTLhNn3CbL7APiL7SJPljezR0SCy5tHYoC
 G+gpU23EF8Dk6QJ1qZoCBJLIGimQBqR65wbvfotGA652DX2OEH0u8kDnw0EihzgB
 FLh2ZWlfcYk/5VDFnrbtBPLZ6RygoL2Ma5mhFWMikmGu3RoFHCk=
 =Jfly
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.78' into 5.4-2.3.x-imx

This is the 5.4.78 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-11 11:00:32 +00:00
Andrey Zhizhikin 3b4072dd51 This is the 5.4.74 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+elYEACgkQONu9yGCS
 aT4DfQ/+OoCvKzPm/gxmJejGNUvagBhMLXxNw62jvmLwHnagWNchXMQEoplmwpIz
 D3FeSnH6VjBj8QfXCzxZJVazuPNaiSfxrwvaboakvVnvJw66rC0LgiXUJ5MuMhmr
 YVBJ9YfA73Lpv96ySrXWdqEO6QIMgYnlR95Ep+33IBUb5x2QuQB+8ho+qQ3h6I4r
 uoVAzFLaliCpRF/Hz9pwjZjSo3zDbyYx29XVFXYkrHn8cJWE6oBZtNo+K1cyY3wH
 dNY9CXPRh4oC5G+w579m5GvnW5Ac5hTHKONNURCu9NgsEJgHfpuXXiK+ve1yS7xa
 LFj1qFuYW90scgvmcx/YSKIWkNdCGCsqLlp3OJwVDm573touy6NZOag5GW2S35iD
 GcPRvJjWHay8NJSwKteKN9YH92xBxaSWJalrIQcY4Q4VAgJpXizIxZskGieWRdYv
 2XrSAOyXfSPP3nEsRXANEC2RY38Vp6zQt5G4a5duvztNU8knRjuQijMU7vvUbjvU
 V7D+kpamoqSiEkKmPYi3ViH80BkBNaxVrh54AMW9BQiFxUum5X/8sD7PDnKg+p8R
 tPPFsFHKAyVSQQe/7VlAfDq1D9xCfgfzA4TiMYqseyBBFs4UZ1dkLBQTL7Xza9ma
 H4NrA6SQibzYXH5F8OPWFqLPye1hmzAvojhskLk6ijeCw+koLk4=
 =zfx+
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEdQaENiSDAlGTDEbB7G51OISzHs0FAl/8I+oACgkQ7G51OISz
 Hs0wwQ//TfFLCDI74fXraTgX8Uhcv4jelk05KVXA1cXTA4LJvoRHpDmEXXVg3dr0
 jZBpyyCO9GQZ3jJibY5hC112rttvSTCVky/Drefs9O0t5Z8VUdrYVtZ+GxBZGt2d
 ciooMYHh7aQmMoThyVqSd3rYC8KXNTwRSaAQblJqY0JnBChLjgEgIEXuJi1HJthG
 1tUy+sOI8DOs4mSDV+SFx9heC2qd0cFW2b3tnQwvT4FQ/dbEPXoi5ORkdLbrMU5Z
 iiT67i26FamT0uzGKH/RyRjpLndTF9p84IAJ/i0Qs9mnrA9/ldJKNxlGjN8Yxm+v
 k4pDBCgi1bBdPUc8ET5TnJyYSfZU654KfUpkXduOdGJb2/uOM7wh5lIUneOxHNcT
 4lwMuAj1598WYNiATLNubGmugevbfgcErut76XQ6AcA5T6Jx5BgawwFuL3G9x5h4
 J4ftWKroa432yFEt2t8MM58HNQCyE3M04iaXxFd9D9/l5pHnC5+IY+6Y1g5a3pkQ
 82kxmyTok9jjaURnWJp5q3xG4YBBOmzjVFdHb77LtuNn1wRAP2Rjh0Ux/CwVPiUr
 de8PSFvrTBcZ8KP24oGrdoFFGAYqVS06QT2lNcTYuD8vS8y/GNnIDL81gz3hdPGq
 irCoqKPD0ur6QWqNE3I1v6nCT8kReSSqjFCOF9sNTDe9Jyc7XFo=
 =3FEK
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.74' into 5.4-2.3.x-imx

This is the 5.4.74 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-11 10:09:44 +00:00
Andrey Zhizhikin b5636ee381 This is the 5.4.73 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+ahE8ACgkQONu9yGCS
 aT4j1A/9HzkKKoqZ2vXYQ1/uEnUqZech9ly1KxpNTBrSZYAtx3MaWY7tGDEx2BqD
 y6iw9x4MymhHEbpwLg6YmmdWuMQLNNYJGoyLiPJgWhkE4c7zHadhNz1DcPEI8F7z
 bSlUJ3Oebr8gzv0FvUmeVXw7Z2EuOqM1zGgTAZfnKY3DkYHbLnrzUJ4AiI8TNeba
 pPIhjfIJ1TvhF+s5ggf2m8OtSWLZ0doCWCPmCFe2WyERX2WYCzPgsm0yL7L7oXME
 ZqWpOcClBsiYekBNcZ4kxozhJtArCnv24n9VoXJ/YJIlWKvCA6uC8r527nGN/z08
 dfFelj1nDs7/VrCSP4+109EjxLQnSYGgIWP0g0OsC+9wOmrQsYJ1azP1eNjm+NuC
 hPa8uYVEZxwVyJuEfu4ZB4NMZBlD2qnHoskvBKbyZ8yaVnbvlMp552XMwsmJBpCs
 8wArzabrJEz396LUUIYG829D7NBDuRav1Miu+FTzlbn+xZ/Y/S8OmhoG2stWa4wV
 y5x0M0DWgrqiZ9rMkz9A03UNnCInQVTfIBoMl63xFitW4/0vLsln3+CjzlKm7H46
 rD/tKACUoCDjR5DN+JwQzmTdL9zBb4p1cXwWjWb6rON3BkXmO0JVAxzurxI9PfX0
 ZWDydZ3HNmrm0d3J12zf3kTX56PfPFAGWUsEc4Ntb5zdWXSQJsE=
 =fZ3T
 -----END PGP SIGNATURE-----

Merge tag 'v5.4.73' into 5.4-2.3.x-imx

This is the 5.4.73 stable release

Conflicts:
- arch/arm/boot/dts/imx6sl.dtsi:
Commit [a1767c9019] in NXP tree is now covered with commit [5c4c2f437c]
from upstream.

- drivers/gpu/drm/mxsfb/mxsfb_drv.c:
Resolve merge hunk for patch [ed8b90d303] from upstream

- drivers/media/i2c/ov5640.c:
Patch [aa4bb8b883] in NXP tree is now covered by patches [79ec0578c7]
and [b2f8546056] from upstream. Changes from NXP patch [99aa4c8c18] are
covered in upstream version as well.

- drivers/net/ethernet/freescale/fec_main.c:
Fix merge fuzz for patch [9e70485b40] from upstream.

- drivers/usb/cdns3/gadget.c:
Keep NXP version of the file, upstream version is not compatible.

- drivers/usb/dwc3/core.c:
- drivers/usb/dwc3/core.h:
Fix merge fuzz of patch [08045050c6] together wth NXP patch [b30e41dc1e]

- sound/soc/fsl/fsl_sai.c:
- sound/soc/fsl/fsl_sai.h:
Commit [2ea70e51eb72a] in NXP tree is now covered with commit [1ad7f52fe6]
from upstream.

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
 2021-01-11 10:09:27 +00:00
Roberto Sassu 26d72a8460 ima: Don't modify file descriptor mode on the fly 
commit 207cdd565dfc95a0a5185263a567817b7ebf5467 upstream.

Commit a408e4a86b ("ima: open a new file instance if no read
permissions") already introduced a second open to measure a file when the
original file descriptor does not allow it. However, it didn't remove the
existing method of changing the mode of the original file descriptor, which
is still necessary if the current process does not have enough privileges
to open a new one.

Changing the mode isn't really an option, as the filesystem might need to
do preliminary steps to make the read possible. Thus, this patch removes
the code and keeps the second open as the only option to measure a file
when it is unreadable with the original file descriptor.

Cc: <stable@vger.kernel.org> # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode
Fixes: 2fe5d6def1 ("ima: integrity appraisal extension")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2020-12-30 11:51:39 +01:00
Paul Moore c807042f2d selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling 
[ Upstream commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 ]

A previous fix, commit 83370b31a915 ("selinux: fix error initialization
in inode_doinit_with_dentry()"), changed how failures were handled
before a SELinux policy was loaded.  Unfortunately that patch was
potentially problematic for two reasons: it set the isec->initialized
state without holding a lock, and it didn't set the inode's SELinux
label to the "default" for the particular filesystem.  The later can
be a problem if/when a later attempt to revalidate the inode fails
and SELinux reverts to the existing inode label.

This patch should restore the default inode labeling that existed
before the original fix, without affecting the LABEL_INVALID marking
such that revalidation will still be attempted in the future.

Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()")
Reported-by: Sven Schnelle <svens@linux.ibm.com>
Tested-by: Sven Schnelle <svens@linux.ibm.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2020-12-30 11:51:05 +01:00
Tianyue Ren 4aae08a71e selinux: fix error initialization in inode_doinit_with_dentry() 
[ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ]

Mark the inode security label as invalid if we cannot find
a dentry so that we will retry later rather than marking it
initialized with the unlabeled SID.

Fixes: 9287aed2ad ("selinux: Convert isec->lock into a spinlock")
Signed-off-by: Tianyue Ren <rentianyue@kylinos.cn>
[PM: minor comment tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2020-12-30 11:51:02 +01:00
Maurizio Drocco c4405cdf96 ima: extend boot_aggregate with kernel measurements 
[ Upstream commit 20c59ce010f84300f6c655d32db2610d3433f85c ]

Registers 8-9 are used to store measurements of the kernel and its
command line (e.g., grub2 bootloader with tpm module enabled). IMA
should include them in the boot aggregate. Registers 8-9 should be
only included in non-SHA1 digests to avoid ambiguity.

Signed-off-by: Maurizio Drocco <maurizio.drocco@ibm.com>
Reviewed-by: Bruno Meneguele <bmeneg@redhat.com>
Tested-by: Bruno Meneguele <bmeneg@redhat.com>  (TPM 1.2, TPM 2.0)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2020-12-08 10:40:24 +01:00
Chen Zhou 68dae71b7c selinux: Fix error return code in sel_ib_pkey_sid_slow() 
commit c350f8bea271782e2733419bd2ab9bf4ec2051ef upstream.

Fix to return a negative error code from the error handling case
instead of 0 in function sel_ib_pkey_sid_slow(), as done elsewhere
in this function.

Cc: stable@vger.kernel.org
Fixes: 409dcf3153 ("selinux: Add a cache for quicker retreival of PKey SIDs")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Chen Zhou <chenzhou10@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2020-11-18 19:20:30 +01:00
Roberto Sassu 801863f634 evm: Check size of security.evm before using it 
commit 455b6c9112eff8d249e32ba165742085678a80a4 upstream.

This patch checks the size for the EVM_IMA_XATTR_DIGSIG and
EVM_XATTR_PORTABLE_DIGSIG types to ensure that the algorithm is read from
the buffer returned by vfs_getxattr_alloc().

Cc: stable@vger.kernel.org # 4.19.x
Fixes: 5feeb61183 ("evm: Allow non-SHA1 digital signatures")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2020-11-01 12:01:05 +01:00
Roberto Sassu 68e3b25444 ima: Don't ignore errors from crypto_shash_update() 
commit 60386b854008adc951c470067f90a2d85b5d520f upstream.

Errors returned by crypto_shash_update() are not checked in
ima_calc_boot_aggregate_tfm() and thus can be overwritten at the next
iteration of the loop. This patch adds a check after calling
crypto_shash_update() and returns immediately if the result is not zero.

Cc: stable@vger.kernel.org
Fixes: 3323eec921 ("integrity: IMA as an integrity service provider")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2020-10-29 09:57:28 +01:00