From 818b86ad0e8d6e0237ff21957b133900c6fdceae Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 27 Oct 2024 20:24:30 -0400
Subject: [PATCH] Fixes for 6.1
Signed-off-by: Sasha Levin
---
...ove-error-checking-in-sel_write_load.patch | 95 +++++++++++++++++++
...art_port_dtr_rts-in-uart_shutdown-to.patch | 67 +++++++++++++
queue-6.1/series | 2 +
3 files changed, 164 insertions(+)
create mode 100644 queue-6.1/selinux-improve-error-checking-in-sel_write_load.patch
create mode 100644 queue-6.1/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
diff --git a/queue-6.1/selinux-improve-error-checking-in-sel_write_load.patch b/queue-6.1/selinux-improve-error-checking-in-sel_write_load.patch
new file mode 100644
index 00000000000..46fa8d9c90f
--- /dev/null
+++ b/queue-6.1/selinux-improve-error-checking-in-sel_write_load.patch
@@ -0,0 +1,95 @@
+From 06cc17f13fc4f6a6df61b7f2f8a96dc83ed5f583 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2024 11:20:46 -0300
+Subject: selinux: improve error checking in sel_write_load()
+
+From: Paul Moore
+
+[ Upstream commit 42c773238037c90b3302bf37a57ae3b5c3f6004a ]
+
+Move our existing input sanity checking to the top of sel_write_load()
+and add a check to ensure the buffer size is non-zero.
+
+Move a local variable initialization from the declaration to before it
+is used.
+
+Minor style adjustments.
+
+Reported-by: Sam Sun
+Signed-off-by: Paul Moore
+[cascardo: keep fsi initialization at its declaration point as it is used earlier]
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Signed-off-by: Sasha Levin
+---
+ security/selinux/selinuxfs.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index a00d191394365..ab804d4ea9117 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -621,6 +621,13 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ ssize_t length;
+ void *data = NULL;
+
++ /* no partial writes */
++ if (*ppos)
++ return -EINVAL;
++ /* no empty policies */
++ if (!count)
++ return -EINVAL;
++
+ mutex_lock(&fsi->state->policy_mutex);
+
+ length = avc_has_perm(&selinux_state,
+@@ -629,26 +636,21 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ if (length)
+ goto out;
+
+- /* No partial writes. */
+- length = -EINVAL;
+- if (*ppos != 0)
+- goto out;
+-
+- length = -ENOMEM;
+ data = vmalloc(count);
+- if (!data)
++ if (!data) {
++ length = -ENOMEM;
+ goto out;
+-
+- length = -EFAULT;
+- if (copy_from_user(data, buf, count) != 0)
++ }
++ if (copy_from_user(data, buf, count) != 0) {
++ length = -EFAULT;
+ goto out;
++ }
+
+ length = security_load_policy(fsi->state, data, count, &load_state);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
+ goto out;
+ }
+-
+ length = sel_make_policy_nodes(fsi, load_state.policy);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
+@@ -657,13 +659,12 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+ }
+
+ selinux_policy_commit(fsi->state, &load_state);
+-
+ length = count;
+-
+ audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+ "auid=%u ses=%u lsm=selinux res=1",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
++
+ out:
+ mutex_unlock(&fsi->state->policy_mutex);
+ vfree(data);
+--
+2.43.0
+
diff --git a/queue-6.1/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch b/queue-6.1/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
new file mode 100644
index 00000000000..521514085b0
--- /dev/null
+++ b/queue-6.1/serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
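Review bot: In the patched sel_write_load() (security/selinux/selinuxfs.c), the two new early returns for `*ppos` and `!count` run before `avc_has_perm()`, whereas the removed `*ppos != 0` test ran after it. A malformed write from a caller that would fail the permission check now gets -EINVAL without reaching that check, so presumably no AVC denial is recorded for the attempt; if that ordering is intended, record it next to the checks, e.g. `/* reject malformed writes before the permission check; they return -EINVAL and produce no AVC record */`. In the visible lines only the success path calls `audit_log()` (with `res=1`), and the failure paths emit at most a rate-limited `pr_warn`, which limits what monitoring can see of failed policy loads. The rest of the function body, including the remaining `avc_has_perm()` arguments, lies outside these hunks.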
@@ -0,0 +1,67 @@
+From c1183adeb990eab22c2fe672e2ce9aa9226e57d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2024 11:05:48 +0000
+Subject: serial: protect uart_port_dtr_rts() in uart_shutdown() too
+
+From: Jiri Slaby (SUSE)
+
+[ Upstream commit 602babaa84d627923713acaf5f7e9a4369e77473 ]
+
+Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part
+3) added few uport == NULL checks. It added one to uart_shutdown(), so
+the commit assumes, uport can be NULL in there. But right after that
+protection, there is an unprotected "uart_port_dtr_rts(uport, false);"
+call. That is invoked only if HUPCL is set, so I assume that is the
+reason why we do not see lots of these reports.
+
+Or it cannot be NULL at this point at all for some reason :P.
+
+Until the above is investigated, stay on the safe side and move this
+dereference to the if too.
+
+I got this inconsistency from Coverity under CID 1585130. Thanks.
+
+Signed-off-by: Jiri Slaby (SUSE)
+Cc: Peter Hurley
+Cc: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20240805102046.307511-3-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+[Adapted over commit 5701cb8bf50e ("tty: Call ->dtr_rts() parameter
+active consistently") not in the tree]
+Signed-off-by: Tomas Krcka
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/serial_core.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index c91e3195dc207..19a53801ff9ee 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -339,14 +339,16 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state)
+ /*
+ * Turn off DTR and RTS early.
+ */
+- if (uport && uart_console(uport) && tty) {
+- uport->cons->cflag = tty->termios.c_cflag;
+- uport->cons->ispeed = tty->termios.c_ispeed;
+- uport->cons->ospeed = tty->termios.c_ospeed;
+- }
++ if (uport) {
++ if (uart_console(uport) && tty) {
++ uport->cons->cflag = tty->termios.c_cflag;
++ uport->cons->ispeed = tty->termios.c_ispeed;
++ uport->cons->ospeed = tty->termios.c_ospeed;
++ }
+
+- if (!tty || C_HUPCL(tty))
+- uart_port_dtr_rts(uport, 0);
++ if (!tty || C_HUPCL(tty))
++ uart_port_dtr_rts(uport, 0);
++ }
+
+ uart_port_shutdown(port);
+ }
+--
+2.43.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 0702e70d7b3..8f09cbe8e17 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -112,3 +112,5 @@ powercap-dtpm_devfreq-fix-error-check-against-dev_pm.patch
 alsa-hda-realtek-update-default-depop-procedure.patch
 cpufreq-cppc-move-and-rename-cppc_cpufreq_-perf_to_k.patch
 cpufreq-cppc-fix-perf_to_khz-khz_to_perf-conversion-.patch
+selinux-improve-error-checking-in-sel_write_load.patch
+serial-protect-uart_port_dtr_rts-in-uart_shutdown-to.patch
--
2.47.2
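Review bot: In the patched uart_shutdown() (drivers/tty/serial/serial_core.c), the new `if (uport)` block silently skips both the console termios save and the DTR/RTS drop when uport is NULL, and nothing in the code says why that case is tolerated; the commit message itself leaves open whether uport can be NULL at this point. A comment above the block would keep that open question next to the code, e.g. `/* uport may be NULL here (see af224ca2df29); skip the console state save and the DTR/RTS drop in that case */`. The existing `Turn off DTR and RTS early.` comment now heads a block that also saves console state, so it would read better directly above the `C_HUPCL` test. The declaration of uport and the start of the function are outside the hunk.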