Update with 5.14.0-284.25.1.el9_2 security fixes

SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch

@@ -0,0 +1,87 @@
+From 6f404ab35a9a684cb6ee146a39413698bba17fe4 Mon Sep 17 00:00:00 2001
+From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Date: Wed, 2 Aug 2023 12:50:36 +0000
+Subject: [PATCH 1/5]     KVM: x86/mmu: Fix race condition in direct_page_fault
+
+    make_mmu_pages_available() must be called with mmu_lock held for write.
+    However, if the TDP MMU is used, it will be called with mmu_lock held for
+    read.
+    This function does nothing unless shadow pages are used, so there is no
+    race unless nested TDP is used.
+    Since nested TDP uses shadow pages, old shadow pages may be zapped by this
+    function even when the TDP MMU is enabled.
+    Since shadow pages are never allocated by kvm_tdp_mmu_map(), a race
+    condition can be avoided by not calling make_mmu_pages_available() if the
+    TDP MMU is currently in use.
+
+    I encountered this when repeatedly starting and stopping nested VM.
+    It can be artificially caused by allocating a large number of nested TDP
+    SPTEs.
+
+    For example, the following BUG and general protection fault are caused in
+    the host kernel.
+
+    pte_list_remove: 00000000cd54fc10 many->many
+    ------------[ cut here ]------------
+    kernel BUG at arch/x86/kvm/mmu/mmu.c:963!
+    invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+    RIP: 0010:pte_list_remove.cold+0x16/0x48 [kvm]
+    Call Trace:
+     <TASK>
+     drop_spte+0xe0/0x180 [kvm]
+     mmu_page_zap_pte+0x4f/0x140 [kvm]
+     __kvm_mmu_prepare_zap_page+0x62/0x3e0 [kvm]
+     kvm_mmu_zap_oldest_mmu_pages+0x7d/0xf0 [kvm]
+     direct_page_fault+0x3cb/0x9b0 [kvm]
+     kvm_tdp_page_fault+0x2c/0xa0 [kvm]
+     kvm_mmu_page_fault+0x207/0x930 [kvm]
+     npf_interception+0x47/0xb0 [kvm_amd]
+     svm_invoke_exit_handler+0x13c/0x1a0 [kvm_amd]
+     svm_handle_exit+0xfc/0x2c0 [kvm_amd]
+     kvm_arch_vcpu_ioctl_run+0xa79/0x1780 [kvm]
+     kvm_vcpu_ioctl+0x29b/0x6f0 [kvm]
+     __x64_sys_ioctl+0x95/0xd0
+     do_syscall_64+0x5c/0x90
+
+    general protection fault, probably for non-canonical address
+    0xdead000000000122: 0000 [#1] PREEMPT SMP NOPTI
+    RIP: 0010:kvm_mmu_commit_zap_page.part.0+0x4b/0xe0 [kvm]
+    Call Trace:
+     <TASK>
+     kvm_mmu_zap_oldest_mmu_pages+0xae/0xf0 [kvm]
+     direct_page_fault+0x3cb/0x9b0 [kvm]
+     kvm_tdp_page_fault+0x2c/0xa0 [kvm]
+     kvm_mmu_page_fault+0x207/0x930 [kvm]
+     npf_interception+0x47/0xb0 [kvm_amd]
+
+    CVE: CVE-2022-45869
+    Fixes: a2855afc7ee8 ("KVM: x86/mmu: Allow parallel page faults for the TDP MMU")
+    Signed-off-by: Kazuki Takiguchi <takiguchi.kazuki171@gmail.com>
+    Cc: stable@vger.kernel.org
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Conflicts: dropped hunk in direct_page_fault because the following backported commits do the same thing
+           a158127f55b98c ("KVM: x86/mmu: Split out TDP MMU page fault handling")
+           1290f90e77186b ("KVM: x86/mmu: Stop needlessly making MMU pages available for TDP MMU faults")
+
+Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ arch/x86/kvm/mmu/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
+index 05c137831..2968f8137 100644
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -2432,6 +2432,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
+ {
+ 	bool list_unstable, zapped_root = false;
+ 
++	lockdep_assert_held_write(&kvm->mmu_lock);
+ 	trace_kvm_mmu_prepare_zap_page(sp);
+ 	++kvm->stat.mmu_shadow_zapped;
+ 	*nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
+-- 
+2.31.1
+

SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch

@@ -0,0 +1,45 @@
+From c9e34f92dafffe1fd37ba7ef7fb198002576bea1 Mon Sep 17 00:00:00 2001
+From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Date: Wed, 2 Aug 2023 12:54:02 +0000
+Subject: [PATCH 2/5] prlimit: do_prlimit needs to have a speculation check
+
+CVE: CVE-2023-0458
+
+commit 739790605705ddcf18f21782b9c99ad7d53a8c11
+Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date:   Fri Jan 20 11:03:20 2023 +0100
+
+    prlimit: do_prlimit needs to have a speculation check
+
+    do_prlimit() adds the user-controlled resource value to a pointer that
+    will subsequently be dereferenced.  In order to help prevent this
+    codepath from being used as a spectre "gadget" a barrier needs to be
+    added after checking the range.
+
+    Reported-by: Jordy Zomer <jordyzomer@google.com>
+    Tested-by: Jordy Zomer <jordyzomer@google.com>
+    Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ kernel/sys.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 75852f64d..45480f6f6 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1439,6 +1439,8 @@ static int do_prlimit(struct task_struct *tsk, unsigned int resource,
+ 
+ 	if (resource >= RLIM_NLIMITS)
+ 		return -EINVAL;
++	resource = array_index_nospec(resource, RLIM_NLIMITS);
++
+ 	if (new_rlim) {
+ 		if (new_rlim->rlim_cur > new_rlim->rlim_max)
+ 			return -EINVAL;
+-- 
+2.31.1
+

SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch

@@ -0,0 +1,95 @@
+From 4758c1f8ad5385e53ea85739ad9f6fa6dfc0abda Mon Sep 17 00:00:00 2001
+From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Date: Wed, 2 Aug 2023 12:55:46 +0000
+Subject: [PATCH 3/5] x86/speculation: Allow enabling STIBP with legacy IBRS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When plain IBRS is enabled (not enhanced IBRS), the logic in
+spectre_v2_user_select_mitigation() determines that STIBP is not needed.
+
+The IBRS bit implicitly protects against cross-thread branch target
+injection. However, with legacy IBRS, the IBRS bit is cleared on
+returning to userspace for performance reasons which leaves userspace
+threads vulnerable to cross-thread branch target injection against which
+STIBP protects.
+
+Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for
+enabling STIBP (through seccomp/prctl() by default or always-on, if
+selected by spectre_v2_user kernel cmdline parameter).
+
+  [ bp: Massage. ]
+
+Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
+Reported-by: José Oliveira <joseloliveira11@gmail.com>
+Reported-by: Rodrigo Branco <rodrigo@kernelhacking.com>
+Signed-off-by: KP Singh <kpsingh@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index da7c361f4..e13c4ecdc 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1095,14 +1095,18 @@ spectre_v2_parse_user_cmdline(void)
+ 	return SPECTRE_V2_USER_CMD_AUTO;
+ }
+ 
+-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
+ {
+-	return mode == SPECTRE_V2_IBRS ||
+-	       mode == SPECTRE_V2_EIBRS ||
++	return mode == SPECTRE_V2_EIBRS ||
+ 	       mode == SPECTRE_V2_EIBRS_RETPOLINE ||
+ 	       mode == SPECTRE_V2_EIBRS_LFENCE;
+ }
+ 
++static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
++{
++	return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
++}
++
+ static void __init
+ spectre_v2_user_select_mitigation(void)
+ {
+@@ -1165,12 +1169,19 @@ spectre_v2_user_select_mitigation(void)
+ 	}
+ 
+ 	/*
+-	 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
+-	 * STIBP is not required.
++	 * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
++	 * is not required.
++	 *
++	 * Enhanced IBRS also protects against cross-thread branch target
++	 * injection in user-mode as the IBRS bit remains always set which
++	 * implicitly enables cross-thread protections.  However, in legacy IBRS
++	 * mode, the IBRS bit is set only on kernel entry and cleared on return
++	 * to userspace. This disables the implicit cross-thread protection,
++	 * so allow for STIBP to be selected in that case.
+ 	 */
+ 	if (!boot_cpu_has(X86_FEATURE_STIBP) ||
+ 	    !smt_possible ||
+-	    spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++	    spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ 		return;
+ 
+ 	/*
+@@ -2295,7 +2306,7 @@ static ssize_t mmio_stale_data_show_state(char *buf)
+ 
+ static char *stibp_state(void)
+ {
+-	if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
++	if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
+ 		return "";
+ 
+ 	switch (spectre_v2_user_stibp) {
+-- 
+2.31.1
+

SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch

@@ -0,0 +1,180 @@
+From 4308d0e03dfe439f30b356630beb8b941bf84bf7 Mon Sep 17 00:00:00 2001
+From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Date: Wed, 2 Aug 2023 13:05:59 +0000
+Subject: [PATCH 4/5] ipvlan:Fix out-of-bounds caused by unclear skb->cb
+
+CVE: CVE-2023-3090
+
+commit 90cbed5247439a966b645b34eb0a2e037836ea8e
+Author: t.feng <fengtao40@huawei.com>
+Date:   Wed May 10 11:50:44 2023 +0800
+
+    ipvlan:Fix out-of-bounds caused by unclear skb->cb
+
+    If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
+    is actually skb->cb, and IPCB(skb_in)->opt will be used in
+    __ip_options_echo. It is possible that memcpy is out of bounds and lead
+    to stack overflow.
+    We should clear skb->cb before ip_local_out or ip6_local_out.
+
+    v2:
+    1. clean the stack info
+    2. use IPCB/IP6CB instead of skb->cb
+
+    crash on stable-5.10(reproduce in kasan kernel).
+    Stack info:
+    [ 2203.651571] BUG: KASAN: stack-out-of-bounds in
+    __ip_options_echo+0x589/0x800
+    [ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
+    swapper/3/0
+    [ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
+    5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
+    [ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+    BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
+    [ 2203.655475] Call Trace:
+    [ 2203.655481]  <IRQ>
+    [ 2203.655501]  dump_stack+0x9c/0xd3
+    [ 2203.655514]  print_address_description.constprop.0+0x19/0x170
+    [ 2203.655530]  __kasan_report.cold+0x6c/0x84
+    [ 2203.655586]  kasan_report+0x3a/0x50
+    [ 2203.655586]  kasan_report+0x3a/0x50
+    [ 2203.655594]  check_memory_region+0xfd/0x1f0
+    [ 2203.655594]  check_memory_region+0xfd/0x1f0
+    [ 2203.655601]  memcpy+0x39/0x60
+    [ 2203.655608]  __ip_options_echo+0x589/0x800
+    [ 2203.655654]  __icmp_send+0x59a/0x960
+    [ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
+    [ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
+    [ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
+    [ 2203.655821]  nf_hook_slow+0x69/0x100
+    [ 2203.655828]  __ip_local_out+0x21e/0x2b0
+    [ 2203.655857]  ip_local_out+0x28/0x90
+    [ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
+    [ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
+    [ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
+    [ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
+    [ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
+    [ 2203.655992]  dev_hard_start_xmit+0x62/0x100
+    [ 2203.656000]  sch_direct_xmit+0x215/0x640
+    [ 2203.656028]  __qdisc_run+0x153/0x1f0
+    [ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
+    [ 2203.656173]  ip_finish_output2+0x59b/0xc20
+    [ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
+    [ 2203.656312]  ip_finish_output+0x168/0x190
+    [ 2203.656320]  ip_output+0x12d/0x220
+    [ 2203.656357]  __ip_queue_xmit+0x392/0x880
+    [ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
+    [ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
+    [ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
+    [ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
+    [ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
+    [ 2203.656529]  tcp_write_timer+0x55/0x180
+    [ 2203.656542]  call_timer_fn+0x3f/0x1d0
+    [ 2203.656555]  expire_timers+0x160/0x200
+    [ 2203.656562]  run_timer_softirq+0x1f4/0x480
+    [ 2203.656606]  __do_softirq+0xfd/0x402
+    [ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
+    [ 2203.656617]  </IRQ>
+    [ 2203.656623]  do_softirq_own_stack+0x37/0x50
+    [ 2203.656631]  irq_exit_rcu+0x134/0x1a0
+    [ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
+    [ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
+    [ 2203.656654] RIP: 0010:default_idle+0x13/0x20
+    [ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
+    cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
+    f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
+    [ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
+    [ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
+    ffffffffaf290191
+    [ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
+    ffff88811a3c4f60
+    [ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
+    ffff88811a3c4f63
+    [ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
+    0000000000000003
+    [ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
+    0000000000000000
+    [ 2203.656729]  default_idle_call+0x5a/0x150
+    [ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
+    [ 2203.656780]  do_idle+0xab/0x100
+    [ 2203.656786]  cpu_startup_entry+0x19/0x20
+    [ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb
+
+    [ 2203.657409] The buggy address belongs to the page:
+    [ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
+    mapping:0000000000000000 index:0x0 pfn:0x11a388
+    [ 2203.658665] flags:
+    0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
+    [ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
+    0000000000000000
+    [ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
+    0000000000000000
+    [ 2203.658686] page dumped because: kasan: bad access detected
+
+    To reproduce(ipvlan with IPVLAN_MODE_L3):
+    Env setting:
+    =======================================================
+    modprobe ipvlan ipvlan_default_mode=1
+    sysctl net.ipv4.conf.eth0.forwarding=1
+    iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
+    MASQUERADE
+    ip link add gw link eth0 type ipvlan
+    ip -4 addr add 20.0.0.254/24 dev gw
+    ip netns add net1
+    ip link add ipv1 link eth0 type ipvlan
+    ip link set ipv1 netns net1
+    ip netns exec net1 ip link set ipv1 up
+    ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
+    ip netns exec net1 route add default gw 20.0.0.254
+    ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
+    ifconfig gw up
+    iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
+    icmp-port-unreachable
+    =======================================================
+    And then excute the shell(curl any address of eth0 can reach):
+
+    for((i=1;i<=100000;i++))
+    do
+            ip netns exec net1 curl x.x.x.x:8888
+    done
+    =======================================================
+
+    Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+    Signed-off-by: "t.feng" <fengtao40@huawei.com>
+    Suggested-by: Florian Westphal <fw@strlen.de>
+    Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index fe584e8ac..ab14c06d1 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ 		goto err;
+ 	}
+ 	skb_dst_set(skb, &rt->dst);
++
++	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++
+ 	err = ip_local_out(net, skb->sk, skb);
+ 	if (unlikely(net_xmit_eval(err)))
+ 		dev->stats.tx_errors++;
+@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ 		goto err;
+ 	}
+ 	skb_dst_set(skb, dst);
++
++	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++
+ 	err = ip6_local_out(net, skb->sk, skb);
+ 	if (unlikely(net_xmit_eval(err)))
+ 		dev->stats.tx_errors++;
+-- 
+2.31.1
+

SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch

@@ -0,0 +1,49 @@
+From 68e161867609dafcee1a20343990547a8da9be83 Mon Sep 17 00:00:00 2001
+From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Date: Wed, 2 Aug 2023 13:10:03 +0000
+Subject: [PATCH 5/5] net/sched: flower: fix possible OOB write
+ in-fl_set_geneve_opt()
+
+CVE: CVE-2023-35788
+
+commit 4d56304e5827c8cc8cc18c75343d283af7c4825c
+Author: Hangyu Hua <hbh25y@gmail.com>
+Date:   Wed May 31 18:28:04 2023 +0800
+
+    net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
+
+    If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
+    size is 252 bytes(key->enc_opts.len = 252) then
+    key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
+    TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
+    bypasses the next bounds check and results in an out-of-bounds.
+
+    Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+    Reviewed-by: Simon Horman <simon.horman@corigine.com>
+    Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
+    Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
+
+Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
+Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
+---
+ net/sched/cls_flower.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index 041d63ff8..65b68bf36 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -1145,6 +1145,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
+ 	if (option_len > sizeof(struct geneve_opt))
+ 		data_len = option_len - sizeof(struct geneve_opt);
+ 
++	if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
++		return -ERANGE;
++
+ 	opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
+ 	memset(opt, 0xff, option_len);
+ 	opt->length = data_len / 4;
+-- 
+2.31.1
+

SPECS/kernel.spec

@@ -161,13 +161,13 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 284.18.1
+%define pkgrelease 284.25.1
 %define kversion 5
 %define tarfile_release 5.14.0-284.18.1.el9_2
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 284.18.1%{?buildid}%{?dist}
+%define specrelease 284.25.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 5.14.0-284.18.1.el9_2
 
@@ -900,6 +900,13 @@ Source4002: gating.yaml
 Patch1: patch-%{patchversion}-redhat.patch
 %endif
 
+# Patches from Oracle Linux kernel package
+Patch1200: 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch
+Patch1201: 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch
+Patch1202: 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
+Patch1203: 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
+Patch1204: 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
+  
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
 
@@ -1553,6 +1560,11 @@ cp -a %{SOURCE1} .
 ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif
 
+ApplyPatch 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch
+ApplyPatch 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch
+ApplyPatch 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
+ApplyPatch 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
+ApplyPatch 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
 ApplyOptionalPatch linux-kernel-test.patch
 
 # END OF PATCH APPLICATIONS
@@ -3422,6 +3434,13 @@ fi
 #
 #
 %changelog
+* Tue Aug 01 2023 Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com> - [5.14.0-284.25.1.el9_2]	
+- KVM x86 mmuFix race condition in direct_page_fault
+- prlimit do_prlimit needs to have a speculation check
+- x86 speculation Allow enabling STIBP with legacy IBR
+- ipvlan Fix out of bounds caused by unclear skb cb
+- net sched flower fix possible OOB write in fl_set_geneve_opt
+
 * Wed May 31 2023 Herton R. Krzesinski <herton@redhat.com> [5.14.0-284.18.1.el9_2]
 - x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Baoquan He) [2210614 2116317]
 - bluetooth: Perform careful capability checks in hci_sock_ioctl() (Ricardo Robaina) [2196340 2196341] {CVE-2023-2002}