From e5702a4d6bb613ceb2935d93f5edf450d2ae373b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 11 Jan 2024 10:59:20 +0100
Subject: [PATCH] 6.7-stable patches
added patches: netlink-return-unsigned-value-for-nla_len.patch series
---
 ...nk-return-unsigned-value-for-nla_len.patch | 56 +++++++++++++++++++
 queue-6.7/series | 1 +
 2 files changed, 57 insertions(+)
 create mode 100644 queue-6.7/netlink-return-unsigned-value-for-nla_len.patch
 create mode 100644 queue-6.7/series
diff --git a/queue-6.7/netlink-return-unsigned-value-for-nla_len.patch b/queue-6.7/netlink-return-unsigned-value-for-nla_len.patch
new file mode 100644
index 00000000000..b93dbee3610
--- /dev/null
+++ b/queue-6.7/netlink-return-unsigned-value-for-nla_len.patch
@@ -0,0 +1,56 @@
+From 172db56d90d29e47e7d0d64885d5dbd92c87ec42 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 6 Dec 2023 12:59:07 -0800
+Subject: netlink: Return unsigned value for nla_len()
+
+From: Kees Cook
+
+commit 172db56d90d29e47e7d0d64885d5dbd92c87ec42 upstream.
+
+The return value from nla_len() is never expected to be negative, and can
+never be more than struct nlattr::nla_len (a u16). Adjust the prototype
+on the function. This will let GCC's value range optimization passes
+know that the return can never be negative, and can never be larger than
+u16. As recently discussed[1], this silences the following warning in
+GCC 12+:
+
+net/wireless/nl80211.c: In function 'nl80211_set_cqm_rssi.isra':
+net/wireless/nl80211.c:12892:17: warning: 'memcpy' specified bound 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=]
+12892 | memcpy(cqm_config->rssi_thresholds, thresholds,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+12893 | flex_array_size(cqm_config, rssi_thresholds,
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+12894 | n_thresholds));
+ | ~~~~~~~~~~~~~~
+
+A future change would be to clamp the subtraction to make sure it never
+wraps around if nla_len is somehow less than NLA_HDRLEN, which would
+have the additional benefit of being defensive in the face of nlattr
+corruption or logic errors.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202311090752.hWcJWAHL-lkp@intel.com/ [1]
+Cc: Johannes Berg
+Cc: Jeff Johnson
+Cc: Michael Walle
+Cc: Max Schulze
+Link: https://lore.kernel.org/r/20231202202539.it.704-kees@kernel.org
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20231206205904.make.018-kees@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netlink.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/netlink.h
++++ b/include/net/netlink.h
+@@ -1200,7 +1200,7 @@ static inline void *nla_data(const struc
+ * nla_len - length of payload
+ * @nla: netlink attribute
+ */
+-static inline int nla_len(const struct nlattr *nla)
++static inline u16 nla_len(const struct nlattr *nla)
+ {
+ return nla->nla_len - NLA_HDRLEN;
+ }
diff --git a/queue-6.7/series b/queue-6.7/series
new file mode 100644
index 00000000000..d58f7843c31
--- /dev/null
+++ b/queue-6.7/series
@@ -0,0 +1 @@
+netlink-return-unsigned-value-for-nla_len.patch
-- 2.47.3
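Review bot: The widened return type makes the wrap-around the description defers to "a future change" silent rather than visible: `return nla->nla_len - NLA_HDRLEN;` is still evaluated in int, so if nla_len were ever below NLA_HDRLEN the negative result is now converted to a u16 of roughly 65532 instead of a negative value a caller could test for. The kernel-doc block above the function should record the precondition this relies on, e.g. `* The attribute header must already have been validated (nla_len >= NLA_HDRLEN); the result is never negative.` Before this is queued for 6.7-stable it is worth confirming that no in-tree caller in that branch checks `nla_len(nla) < 0` or stores the result in a signed local and compares against zero, since such checks become unreachable with a u16 return. The clamp itself is an upstream decision and should not be added in the backport, so the queued patch should stay byte-identical to commit 172db56d90d2.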