From 82fdaabdb20ae6bf14e7ba999bd9a87ebdf626c3 Mon Sep 17 00:00:00 2001
From: Oliver Neukum
Date: Mar 22 2023 09:34:55 +0000
Subject: netlink: prevent potential spectre v1 gadgets (bsc#1209547 CVE-2017-5753).
---
diff --git a/patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch b/patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch
new file mode 100644
index 0000000..8c2de03
--- /dev/null
+++ b/patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch
@@ -0,0 +1,67 @@
+From f0950402e8c76e7dcb08563f1b4e8000fbc62455 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 19 Jan 2023 11:01:50 +0000
+Subject: [PATCH] netlink: prevent potential spectre v1 gadgets
+Git-commit: f0950402e8c76e7dcb08563f1b4e8000fbc62455
+Patch-mainline: v6.2-rc6
+References: bsc#1209547 CVE-2017-5753
+
+Most netlink attributes are parsed and validated from
+__nla_validate_parse() or validate_nla()
+
+ u16 type = nla_type(nla);
+
+ if (type == 0 || type > maxtype) {
+ /* error or continue */
+ }
+
+@type is then used as an array index and can be used
+as a Spectre v1 gadget.
+
+array_index_nospec() can be used to prevent leaking
+content of kernel memory to malicious users.
+
+This should take care of vast majority of netlink uses,
+but an audit is needed to take care of others where
+validation is not yet centralized in core netlink functions.
+
+Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230119110150.2678537-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Oliver Neukum
+---
+ lib/nlattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 9055e8b4d144..489e15bde5c1 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -381,6 +382,7 @@ static int validate_nla(const struct nlattr *nla, int maxtype,
+ if (type <= 0 || type > maxtype)
+ return 0;
+
++ type = array_index_nospec(type, maxtype + 1);
+ pt = &policy[type];
+
+ BUG_ON(pt->type > NLA_TYPE_MAX);
+@@ -596,6 +598,7 @@ static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype,
+ }
+ continue;
+ }
++ type = array_index_nospec(type, maxtype + 1);
+ if (policy) {
+ int err = validate_nla(nla, maxtype, policy,
+ validate, extack, depth);
+--
+2.40.0
+
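Review bot: Neither clamp site explains why the bounds check and the `array_index_nospec()` call must stay adjacent, which is the property a later refactor is most likely to break; in `validate_nla` the clamp correctly follows `if (type <= 0 || type > maxtype) return 0;`, but in `__nla_validate_parse` the matching `type == 0 || type > maxtype` check sits above the visible hunk and the clamp is placed after a `continue` path, so the pairing is not obvious from the hunk. I would add, above each `type = array_index_nospec(type, maxtype + 1);`, a comment such as `/* type is bounds-checked above; clamp so speculative execution cannot index policy[]/tb[] past maxtype (Spectre v1) */`. The size argument `maxtype + 1` matches a policy table indexed 0..maxtype, which is consistent with `pt = &policy[type]` in the first site; the second site presumably also covers a later `tb[type]` store outside the hunk, but that cannot be confirmed from what is shown. The header name in the added `#include` line has been stripped in this rendering (upstream it is `<linux/nospec.h>`), so the backport should be checked to compile against the target tree's `nospec.h`. Both `validate_nla` and `__nla_validate_parse` start and end outside the hunk.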
diff --git a/series.conf b/series.conf
index 5d70e6d..0405b71 100644
--- a/series.conf
+++ b/series.conf
@@ -36874,6 +36874,7 @@
 patches.suse/gsmi-fix-null-deref-in-gsmi_get_variable.patch
 patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
 patches.suse/module-Don-t-wait-for-GOING-modules.patch
+ patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch
 patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
 patches.suse/fbdev-Fix-invalid-page-access-after-closing-deferred.patch