From 4aeec504ba3fa8185d385611d5c391447876b9c9 Mon Sep 17 00:00:00 2001 From: Jan200101 Date: Fri, 21 Jan 2022 08:54:16 +0100 Subject: kernel 5.15.15 --- SOURCES/Patchlist.changelog | 6 + SOURCES/kernel-aarch64-debug-fedora.config | 8 +- SOURCES/kernel-aarch64-debug-rhel.config | 6 +- SOURCES/kernel-aarch64-fedora.config | 8 +- SOURCES/kernel-aarch64-rhel.config | 6 +- SOURCES/kernel-armv7hl-debug-fedora.config | 8 +- SOURCES/kernel-armv7hl-fedora.config | 8 +- SOURCES/kernel-armv7hl-lpae-debug-fedora.config | 8 +- SOURCES/kernel-armv7hl-lpae-fedora.config | 8 +- SOURCES/kernel-i686-debug-fedora.config | 8 +- SOURCES/kernel-i686-fedora.config | 8 +- SOURCES/kernel-ppc64le-debug-fedora.config | 8 +- SOURCES/kernel-ppc64le-debug-rhel.config | 6 +- SOURCES/kernel-ppc64le-fedora.config | 8 +- SOURCES/kernel-ppc64le-rhel.config | 6 +- SOURCES/kernel-s390x-debug-fedora.config | 8 +- SOURCES/kernel-s390x-debug-rhel.config | 6 +- SOURCES/kernel-s390x-fedora.config | 8 +- SOURCES/kernel-s390x-rhel.config | 6 +- SOURCES/kernel-x86_64-debug-fedora.config | 8 +- SOURCES/kernel-x86_64-debug-rhel.config | 6 +- SOURCES/kernel-x86_64-fedora.config | 8 +- SOURCES/kernel-x86_64-rhel.config | 6 +- SOURCES/patch-5.15-redhat.patch | 148 ++++++++++++++++++++++-- SPECS/kernel.spec | 17 ++- 25 files changed, 234 insertions(+), 97 deletions(-) diff --git a/SOURCES/Patchlist.changelog b/SOURCES/Patchlist.changelog index 5b272a5..b75b5dc 100644 --- a/SOURCES/Patchlist.changelog +++ b/SOURCES/Patchlist.changelog 
@@ -1,3 +1,9 @@ +https://gitlab.com/cki-project/kernel-ark/-/commit/d334145759adb9d064c94828fe534b78d6d8ca3a + d334145759adb9d064c94828fe534b78d6d8ca3a netfilter: nat: force port remap to prevent shadowing well-known ports + +https://gitlab.com/cki-project/kernel-ark/-/commit/ff45edcc5c5fd94937474616c9a1c6ed8331e6ce + ff45edcc5c5fd94937474616c9a1c6ed8331e6ce netfilter: conntrack: tag conntracks picked up in local out hook + https://gitlab.com/cki-project/kernel-ark/-/commit/f1cc8d1b733c14b152da07eeab09ae0ffb541ef1 f1cc8d1b733c14b152da07eeab09ae0ffb541ef1 iwlwifi: mvm: Increase the scan timeout guard to 30 seconds diff --git a/SOURCES/kernel-aarch64-debug-fedora.config b/SOURCES/kernel-aarch64-debug-fedora.config index b180da4..d037b2a 100644 --- a/SOURCES/kernel-aarch64-debug-fedora.config +++ b/SOURCES/kernel-aarch64-debug-fedora.config @@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_NEON=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4734,7 +4734,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-aarch64-debug-rhel.config b/SOURCES/kernel-aarch64-debug-rhel.config index 94c67a6..5884741 100644 --- a/SOURCES/kernel-aarch64-debug-rhel.config +++ b/SOURCES/kernel-aarch64-debug-rhel.config 
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM64_CE=m # CONFIG_CRYPTO_CRC32C_VPMSUM is not set @@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_NEON=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-aarch64-fedora.config b/SOURCES/kernel-aarch64-fedora.config index c148107..dcfd2ea 100644 --- a/SOURCES/kernel-aarch64-fedora.config +++ b/SOURCES/kernel-aarch64-fedora.config @@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_NEON=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4710,7 +4710,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-aarch64-rhel.config b/SOURCES/kernel-aarch64-rhel.config index cdfcce5..91c40fd 100644 --- a/SOURCES/kernel-aarch64-rhel.config +++ b/SOURCES/kernel-aarch64-rhel.config 
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM64_CE=m # CONFIG_CRYPTO_CRC32C_VPMSUM is not set @@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_NEON=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-armv7hl-debug-fedora.config b/SOURCES/kernel-armv7hl-debug-fedora.config index d718916..3218194 100644 --- a/SOURCES/kernel-armv7hl-debug-fedora.config +++ b/SOURCES/kernel-armv7hl-debug-fedora.config @@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m CONFIG_CRYPTO_POLY1305_ARM=y -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4806,7 +4806,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-armv7hl-fedora.config b/SOURCES/kernel-armv7hl-fedora.config index 3e6b62c..9990b29 100644 --- a/SOURCES/kernel-armv7hl-fedora.config +++ b/SOURCES/kernel-armv7hl-fedora.config 
@@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m CONFIG_CRYPTO_POLY1305_ARM=y -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4783,7 +4783,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-armv7hl-lpae-debug-fedora.config b/SOURCES/kernel-armv7hl-lpae-debug-fedora.config index 136acaf..a892bc8 100644 --- a/SOURCES/kernel-armv7hl-lpae-debug-fedora.config +++ b/SOURCES/kernel-armv7hl-lpae-debug-fedora.config @@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m CONFIG_CRYPTO_POLY1305_ARM=y -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4704,7 +4704,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m 
diff --git a/SOURCES/kernel-armv7hl-lpae-fedora.config b/SOURCES/kernel-armv7hl-lpae-fedora.config index a966c97..300b858 100644 --- a/SOURCES/kernel-armv7hl-lpae-fedora.config +++ b/SOURCES/kernel-armv7hl-lpae-fedora.config @@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m CONFIG_CRYPTO_CHACHA20_NEON=y -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32_ARM_CE=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m CONFIG_CRYPTO_POLY1305_ARM=y -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4681,7 +4681,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-i686-debug-fedora.config b/SOURCES/kernel-i686-debug-fedora.config index 3cef78b..4fd39d6 100644 --- a/SOURCES/kernel-i686-debug-fedora.config +++ b/SOURCES/kernel-i686-debug-fedora.config @@ -1045,8 +1045,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1131,7 +1131,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4318,7 +4318,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-i686-fedora.config b/SOURCES/kernel-i686-fedora.config index c62bac1..1e45684 100644 --- a/SOURCES/kernel-i686-fedora.config +++ b/SOURCES/kernel-i686-fedora.config @@ -1044,8 +1044,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1130,7 +1130,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4295,7 +4295,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-ppc64le-debug-fedora.config b/SOURCES/kernel-ppc64le-debug-fedora.config index 8b7db13..537c215 100644 --- a/SOURCES/kernel-ppc64le-debug-fedora.config +++ b/SOURCES/kernel-ppc64le-debug-fedora.config @@ -992,8 +992,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_VPMSUM=m CONFIG_CRYPTO_CRC32C=y 
@@ -1071,7 +1071,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m @@ -4052,7 +4052,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-ppc64le-debug-rhel.config b/SOURCES/kernel-ppc64le-debug-rhel.config index fd4ea87..076bc30 100644 --- a/SOURCES/kernel-ppc64le-debug-rhel.config +++ b/SOURCES/kernel-ppc64le-debug-rhel.config @@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y # CONFIG_CRYPTO_CRC32C_VPMSUM is not set CONFIG_CRYPTO_CRC32C=y @@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-ppc64le-fedora.config b/SOURCES/kernel-ppc64le-fedora.config index 1b2a5c8..a1cd8b1 100644 --- a/SOURCES/kernel-ppc64le-fedora.config +++ b/SOURCES/kernel-ppc64le-fedora.config @@ -991,8 +991,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_VPMSUM=m CONFIG_CRYPTO_CRC32C=y @@ -1070,7 +1070,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4028,7 +4028,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-ppc64le-rhel.config b/SOURCES/kernel-ppc64le-rhel.config index 256e61a..d6fdef0 100644 --- a/SOURCES/kernel-ppc64le-rhel.config +++ b/SOURCES/kernel-ppc64le-rhel.config @@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y # CONFIG_CRYPTO_CRC32C_VPMSUM is not set CONFIG_CRYPTO_CRC32C=y @@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-s390x-debug-fedora.config b/SOURCES/kernel-s390x-debug-fedora.config index 7f4066a..9737fd1 100644 --- a/SOURCES/kernel-s390x-debug-fedora.config +++ b/SOURCES/kernel-s390x-debug-fedora.config @@ -1000,8 +1000,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_VPMSUM=m CONFIG_CRYPTO_CRC32C=y @@ -1074,7 +1074,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PAES_S390=m CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4032,7 +4032,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-s390x-debug-rhel.config b/SOURCES/kernel-s390x-debug-rhel.config index 25ddbc6..a214727 100644 --- a/SOURCES/kernel-s390x-debug-rhel.config +++ b/SOURCES/kernel-s390x-debug-rhel.config @@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y # CONFIG_CRYPTO_CRC32C_VPMSUM is not set CONFIG_CRYPTO_CRC32C=y @@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PAES_S390=m CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-s390x-fedora.config b/SOURCES/kernel-s390x-fedora.config index 7b64abf..b4270dc 100644 --- a/SOURCES/kernel-s390x-fedora.config +++ b/SOURCES/kernel-s390x-fedora.config @@ -999,8 +999,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_VPMSUM=m CONFIG_CRYPTO_CRC32C=y @@ -1073,7 +1073,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PAES_S390=m CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4008,7 +4008,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-s390x-rhel.config b/SOURCES/kernel-s390x-rhel.config index 1d120e0..dd3a8d1 100644 --- a/SOURCES/kernel-s390x-rhel.config +++ b/SOURCES/kernel-s390x-rhel.config @@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y # CONFIG_CRYPTO_CRC32C_VPMSUM is not set CONFIG_CRYPTO_CRC32C=y @@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PAES_S390=m CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-x86_64-debug-fedora.config b/SOURCES/kernel-x86_64-debug-fedora.config index 25b84fa..cab560d 100644 --- a/SOURCES/kernel-x86_64-debug-fedora.config +++ b/SOURCES/kernel-x86_64-debug-fedora.config @@ -1070,9 +1070,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1163,8 +1163,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4362,7 +4362,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-x86_64-debug-rhel.config b/SOURCES/kernel-x86_64-debug-rhel.config index 2f499ef..b849536 100644 --- a/SOURCES/kernel-x86_64-debug-rhel.config +++ b/SOURCES/kernel-x86_64-debug-rhel.config @@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m # CONFIG_CRYPTO_CRC32C_VPMSUM is not set @@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/kernel-x86_64-fedora.config b/SOURCES/kernel-x86_64-fedora.config index 470f4eb..0fbbe37 100644 --- a/SOURCES/kernel-x86_64-fedora.config +++ b/SOURCES/kernel-x86_64-fedora.config @@ -1069,9 +1069,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m CONFIG_CRYPTO_CRC32C_VPMSUM=m @@ -1162,8 +1162,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m 
@@ -4339,7 +4339,7 @@ CONFIG_NF_CONNTRACK_TFTP=m # CONFIG_NF_CONNTRACK_TIMEOUT is not set CONFIG_NF_CONNTRACK_TIMESTAMP=y CONFIG_NF_CONNTRACK_ZONES=y -# CONFIG_NFC_PN532_UART is not set +CONFIG_NFC_PN532_UART=m CONFIG_NFC_PN533_I2C=m CONFIG_NFC_PN533=m CONFIG_NFC_PN533_USB=m diff --git a/SOURCES/kernel-x86_64-rhel.config b/SOURCES/kernel-x86_64-rhel.config index f2a3bed..09cfecf 100644 --- a/SOURCES/kernel-x86_64-rhel.config +++ b/SOURCES/kernel-x86_64-rhel.config @@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CCM=y CONFIG_CRYPTO_CFB=y -CONFIG_CRYPTO_CHACHA20=m -CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CHACHA20POLY1305=y CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y CONFIG_CRYPTO_CMAC=y CONFIG_CRYPTO_CRC32C_INTEL=m # CONFIG_CRYPTO_CRC32C_VPMSUM is not set @@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_OFB=y CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_PCRYPT=m -CONFIG_CRYPTO_POLY1305=m CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_POLY1305=y CONFIG_CRYPTO_RMD128=m CONFIG_CRYPTO_RMD160=m CONFIG_CRYPTO_RMD256=m diff --git a/SOURCES/patch-5.15-redhat.patch b/SOURCES/patch-5.15-redhat.patch index 867962f..292d02f 100644 --- a/SOURCES/patch-5.15-redhat.patch +++ b/SOURCES/patch-5.15-redhat.patch @@ -41,14 +41,18 @@ include/linux/random.h | 7 ++ include/linux/rmi.h | 1 + include/linux/security.h | 5 + + include/net/netfilter/nf_conntrack.h | 1 + init/Kconfig | 2 +- kernel/module_signing.c | 9 +- + net/netfilter/nf_conntrack_core.c | 3 + + net/netfilter/nf_nat_core.c | 43 ++++++- scripts/tags.sh | 2 + security/integrity/platform_certs/load_uefi.c | 6 +- security/lockdown/Kconfig | 13 +++ security/lockdown/lockdown.c | 1 + security/security.c | 6 + - 50 files changed, 753 insertions(+), 202 deletions(-) + tools/testing/selftests/netfilter/nft_nat.sh | 5 +- + 54 files changed, 800 insertions(+), 207 deletions(-) 
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 8ff6dafafdf8..e3f786336cf9 100644 @@ -71,7 +75,7 @@ index 8ff6dafafdf8..e3f786336cf9 100644 This is normally done in pci_enable_device(), so this option is a temporary workaround diff --git a/Makefile b/Makefile -index a469670e7675..cf656b40117c 100644 +index aed26e228dde..543979497d37 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \ @@ -683,7 +687,7 @@ index fe91090e04a4..f00bc6886913 100644 rv = ipmi_register_driver(); mutex_unlock(&ipmi_interfaces_mutex); diff --git a/drivers/char/random.c b/drivers/char/random.c -index 605969ed0f96..4d51f1c67675 100644 +index 7470ee24db2f..a3ac18f64ba7 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -335,6 +335,7 @@ @@ -706,7 +710,7 @@ index 605969ed0f96..4d51f1c67675 100644 /* * Configuration information */ -@@ -481,6 +487,9 @@ static int ratelimit_disable __read_mostly; +@@ -482,6 +488,9 @@ static int ratelimit_disable __read_mostly; module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); @@ -716,7 +720,7 @@ index 605969ed0f96..4d51f1c67675 100644 /********************************************************************** * * OS independent entropy store. Here are the functions which handle -@@ -1858,6 +1867,13 @@ random_poll(struct file *file, poll_table * wait) +@@ -1878,6 +1887,13 @@ random_poll(struct file *file, poll_table * wait) return mask; } @@ -730,7 +734,7 @@ index 605969ed0f96..4d51f1c67675 100644 static int write_pool(struct entropy_store *r, const char __user *buffer, size_t count) { -@@ -1961,7 +1977,58 @@ static int random_fasync(int fd, struct file *filp, int on) +@@ -1981,7 +1997,58 @@ static int random_fasync(int fd, struct file *filp, int on) return fasync_helper(fd, filp, on, &fasync); } 
@@ -789,7 +793,7 @@ index 605969ed0f96..4d51f1c67675 100644 .read = random_read, .write = random_write, .poll = random_poll, -@@ -1972,6 +2039,7 @@ const struct file_operations random_fops = { +@@ -1992,6 +2059,7 @@ const struct file_operations random_fops = { }; const struct file_operations urandom_fops = { @@ -797,7 +801,7 @@ index 605969ed0f96..4d51f1c67675 100644 .read = urandom_read, .write = random_write, .unlocked_ioctl = random_ioctl, -@@ -1980,9 +2048,31 @@ const struct file_operations urandom_fops = { +@@ -2000,9 +2068,31 @@ const struct file_operations urandom_fops = { .llseek = noop_llseek, }; @@ -829,7 +833,7 @@ index 605969ed0f96..4d51f1c67675 100644 int ret; if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE)) -@@ -1998,6 +2088,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, +@@ -2018,6 +2108,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, if (count > INT_MAX) count = INT_MAX; @@ -848,7 +852,7 @@ index 605969ed0f96..4d51f1c67675 100644 if (!(flags & GRND_INSECURE) && !crng_ready()) { if (flags & GRND_NONBLOCK) return -EAGAIN; -@@ -2303,3 +2405,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size) +@@ -2324,3 +2426,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size) add_device_randomness(buf, size); } EXPORT_SYMBOL_GPL(add_bootloader_randomness); @@ -1666,7 +1670,7 @@ index 3dc055ce6e61..bb56640eb31f 100644 static inline bool tpacpi_is_led_restricted(const unsigned int led) { diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 00070a8a6507..e9e0ffa990cd 100644 +index 3bc4a86c3d0a..e346da4f58f2 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5666,6 +5666,13 @@ static void hub_event(struct work_struct *work) 
@@ -1841,6 +1845,18 @@ index 46a02ce34d00..37e991a10d70 100644 #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index d24b0a34c8f0..871489df63c6 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -95,6 +95,7 @@ struct nf_conn { + unsigned long status; + + u16 cpu; ++ u16 local_origin:1; + possible_net_t ct_net; + + #if IS_ENABLED(CONFIG_NF_NAT) diff --git a/init/Kconfig b/init/Kconfig index 11f8a845f259..9b94cc1b5546 100644 --- a/init/Kconfig 
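Review bot: The `u16 local_origin:1;` member added to struct nf_conn has no comment, although its name does not say who sets it and it steers a NAT decision in nf_nat_core.c later in this patch. From the other hunks it appears to be written in resolve_normal_ct() when a new entry is created and read in get_unique_tuple(); a comment on the field should say so, for example `u16 local_origin:1; /* flow was first seen in NF_INET_LOCAL_OUT; read by NAT port selection */`. The struct definition starts and ends outside the hunk, so the effect on struct layout cannot be checked from here.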
@@ -1875,6 +1891,100 @@ index 8723ae70ea1f..fb2d773498c2 100644 + } + return ret; } +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 4712a90a1820..208abc729302 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1749,6 +1749,9 @@ resolve_normal_ct(struct nf_conn *tmpl, + return 0; + if (IS_ERR(h)) + return PTR_ERR(h); ++ ++ ct = nf_ct_tuplehash_to_ctrack(h); ++ ct->local_origin = state->hook == NF_INET_LOCAL_OUT; + } + ct = nf_ct_tuplehash_to_ctrack(h); + +diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c +index 273117683922..21ec0c3d1d47 100644 +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, + goto another_round; + } + ++static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple) ++{ ++ u16 sp, dp; ++ ++ switch (tuple->dst.protonum) { ++ case IPPROTO_TCP: ++ sp = ntohs(tuple->src.u.tcp.port); ++ dp = ntohs(tuple->dst.u.tcp.port); ++ break; ++ case IPPROTO_UDP: ++ case IPPROTO_UDPLITE: ++ sp = ntohs(tuple->src.u.udp.port); ++ dp = ntohs(tuple->dst.u.udp.port); ++ break; ++ default: ++ return false; ++ } ++ ++ /* IANA: System port range: 1-1023, ++ * user port range: 1024-49151, ++ * private port range: 49152-65535. ++ * ++ * Linux default ephemeral port range is 32768-60999. ++ * ++ * Enforce port remapping if sport is significantly lower ++ * than dport to prevent NAT port shadowing, i.e. ++ * accidental match of 'new' inbound connection vs. ++ * existing outbound one. ++ */ ++ return sp < 16384 && dp >= 32768; ++} ++ + /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING, + * we change the source to map into the range. 
For NF_INET_PRE_ROUTING + * and NF_INET_LOCAL_OUT, we change the destination to map into the +@@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, + struct nf_conn *ct, + enum nf_nat_manip_type maniptype) + { ++ bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL; + const struct nf_conntrack_zone *zone; + struct net *net = nf_ct_net(ct); + + zone = nf_ct_zone(ct); + ++ if (maniptype == NF_NAT_MANIP_SRC && ++ !random_port && ++ !ct->local_origin) ++ random_port = tuple_force_port_remap(orig_tuple); ++ + /* 1) If this srcip/proto/src-proto-part is currently mapped, + * and that same mapping gives a unique tuple within the given + * range, use that. +@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, + * So far, we don't do local source mappings, so multiple + * manips not an issue. + */ +- if (maniptype == NF_NAT_MANIP_SRC && +- !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) { ++ if (maniptype == NF_NAT_MANIP_SRC && !random_port) { + /* try the original tuple first */ + if (in_range(orig_tuple, range)) { + if (!nf_nat_used_tuple(orig_tuple, ct)) { +@@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, + */ + + /* Only bother mapping if it's not already in range and unique */ +- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) { ++ if (!random_port) { + if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { + if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) && + l4proto_in_range(tuple, maniptype, diff --git a/scripts/tags.sh b/scripts/tags.sh index db8ba411860a..2294fb0f17a9 100755 --- a/scripts/tags.sh 
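Review bot: The bounds in `return sp < 16384 && dp >= 32768;` in the added tuple_force_port_remap() are bare literals, and the comment above them only cites the default ephemeral range, so the limits of the heuristic are easy to miss. As written, a forwarded flow with a source port of 16384 or higher, or a destination port below 32768, is not force-remapped. A service on the NAT host that listens at or above 16384 therefore presumably still relies on the packet-filter mitigation that the nft_nat.sh selftest in this patch also exercises. I would extend the comment with `* Heuristic only: sport >= 16384 or dport < 32768 is not remapped; filter such flows explicitly.` and give the two thresholds names. get_unique_tuple() starts and ends outside the hunk, so only the `random_port` changes can be reviewed here.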
@@ -1965,3 +2075,19 @@ index 67264cb08fb3..85a0227bfac1 100644 #ifdef CONFIG_PERF_EVENTS int security_perf_event_open(struct perf_event_attr *attr, int type) { +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +index da1c1e4b6c86..6a08644d501e 100755 +--- a/tools/testing/selftests/netfilter/nft_nat.sh ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -867,8 +867,9 @@ EOF + return $ksft_skip + fi + +- # test default behaviour. Packet from ns1 to ns0 is redirected to ns2. +- test_port_shadow "default" "CLIENT" ++ # test default behaviour. Packet from ns1 to ns0 is not redirected ++ # due to automatic port translation. ++ test_port_shadow "default" "ROUTER" + + # test packet filter based mitigation: prevent forwarding of + # packets claiming to come from the service port. diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 4e7c6da..910401d 100755 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -128,7 +128,7 @@ Summary: The Linux kernel # The kernel tarball/base version %define kversion 5.15 -%define rpmversion 5.15.14 +%define rpmversion 5.15.15 %define patchversion 5.15 %define pkgrelease 201 @@ -682,7 +682,7 @@ BuildRequires: lld # exact git commit you can run # # xzcat -qq ${TARBALL} | git get-tar-commit-id -Source0: linux-5.15.14.tar.xz +Source0: linux-5.15.15.tar.xz Source1: Makefile.rhelver @@ -1383,8 +1383,8 @@ ApplyOptionalPatch() fi } -%setup -q -n kernel-5.15.14 -c -mv linux-5.15.14 linux-%{KVERREL} +%setup -q -n kernel-5.15.15 -c +mv linux-5.15.15 linux-%{KVERREL} cd linux-%{KVERREL} cp -a %{SOURCE1} . 
@@ -2990,8 +2990,13 @@ fi # # %changelog -* Mon Jan 17 2022 Jan Drögehoff - 5.15.14-201 -- Linux v5.15.14 futex2 zen openrgb +* Fri Jan 21 2022 Jan Drögehoff - 5.15.15-201 +- Linux v5.15.15 futex2 zen openrgb + +* Sun Jan 16 2022 Justin M. Forbes [5.15.15-0] +- netfilter: nat: force port remap to prevent shadowing well-known ports (Florian Westphal) +- netfilter: conntrack: tag conntracks picked up in local out hook (Florian Westphal) +- configs/fedora: Enable CONFIG_NFC_PN532_UART for use PN532 NFC module (Ziqian SUN (Zamir)) * Tue Jan 11 2022 Justin M. Forbes [5.15.14-0] - Fix up changelog (Justin M. Forbes) -- cgit v1.2.3