Update to 5.15.53-1

5 files changed, 188 insertions, 9 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 22a49fd292af..e60b78beecaa 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
 pkgbase = linux-vfio-lts
 	pkgdesc = LTS Linux VFIO
-	pkgver = 5.15.52
+	pkgver = 5.15.53
 	pkgrel = 1
 	url = https://www.kernel.org/
 	arch = x86_64
@@ -19,8 +19,8 @@ pkgbase = linux-vfio-lts
 	makedepends = imagemagick
 	makedepends = texlive-latexextra
 	options = !strip
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.52.tar.xz
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.52.tar.sign
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.xz
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.sign
 	source = config
 	source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
 	source = 0002-PCI_Add_more_NVIDIA_controllers_to_the_MSI_masking_quirk.patch
@@ -28,19 +28,23 @@ pkgbase = linux-vfio-lts
 	source = 0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
 	source = 0005-lg-laptop_Recognize_more_models.patch
 	source = 0006_fix_NFSv4_mount_regression.diff
+	source = 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+	source = 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
 	source = add-acs-overrides.patch
 	source = i915-vga-arbiter.patch
 	validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 	validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
-	sha256sums = f4680a5da9f25a908ead5956935e7c05124d5f37f6e75a1e07d58641d7ab6d05
+	sha256sums = f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07
 	sha256sums = SKIP
-	sha256sums = 522a85c0853ecb070f58d969ea1c65982f945d5a7d7748702116a551573aa6d9
+	sha256sums = 0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c
 	sha256sums = 99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423
 	sha256sums = c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706
 	sha256sums = 7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e
 	sha256sums = 3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4
 	sha256sums = 79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78
 	sha256sums = e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f
+	sha256sums = b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c
+	sha256sums = 08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea
 	sha256sums = b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77
 	sha256sums = 856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6
 
diff --git a/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff b/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
new file mode 100644
index 000000000000..385b9cf9634c
--- /dev/null
+++ b/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
@@ -0,0 +1,44 @@
+From 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 2 Jul 2022 04:16:30 +0200
+Subject: netfilter: nf_tables: stricter validation of element data
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 upstream.
+
+Make sure element data type and length do not mismatch the one specified
+by the set declaration.
+
+Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
+Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5118,13 +5118,20 @@ static int nft_setelem_parse_data(struct
+ 				  struct nft_data *data,
+ 				  struct nlattr *attr)
+ {
++	u32 dtype;
+ 	int err;
+ 
+ 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
+ 	if (err < 0)
+ 		return err;
+ 
+-	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
++	if (set->dtype == NFT_DATA_VERDICT)
++		dtype = NFT_DATA_VERDICT;
++	else
++		dtype = NFT_DATA_VALUE;
++
++	if (dtype != desc->type ||
++	    set->dlen != desc->len) {
+ 		nft_data_release(data, desc->type);
+ 		return -EINVAL;
+ 	}
diff --git a/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff b/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
new file mode 100644
index 000000000000..e19d1daae73c
--- /dev/null
+++ b/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
@@ -0,0 +1,123 @@
+From 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 2 Jul 2022 04:16:31 +0200
+Subject: netfilter: nft_set_pipapo: release elements in clone from abort path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e upstream.
+
+New elements that reside in the clone are not released in case that the
+transaction is aborted.
+
+[16302.231754] ------------[ cut here ]------------
+[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]
+[...]
+[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         5.19.0-rc3+ #155
+[...]
+[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]
+[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05
+[...]
+[16302.231917] Call Trace:
+[16302.231919]  <TASK>
+[16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]
+[16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]
+[16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]
+[16302.231952]  ? __nla_validate_parse+0x48/0x190
+[16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]
+[16302.231963]  netlink_unicast+0x211/0x340
+[16302.231969]  netlink_sendmsg+0x21e/0x460
+
+Add nft_set_pipapo_match_destroy() helper function to release the
+elements in the lookup tables.
+
+Stefano Brivio says: "We additionally look for elements pointers in the
+cloned matching data if priv->dirty is set, because that means that
+cloned data might point to additional elements we did not commit to the
+working copy yet (such as the abort path case, but perhaps not limited
+to it)."
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c |   48 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2125,6 +2125,32 @@ out_scratch:
+ }
+ 
+ /**
++ * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array
++ * @set:	nftables API set representation
++ * @m:		matching data pointing to key mapping array
++ */
++static void nft_set_pipapo_match_destroy(const struct nft_set *set,
++					 struct nft_pipapo_match *m)
++{
++	struct nft_pipapo_field *f;
++	int i, r;
++
++	for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
++		;
++
++	for (r = 0; r < f->rules; r++) {
++		struct nft_pipapo_elem *e;
++
++		if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
++			continue;
++
++		e = f->mt[r].e;
++
++		nft_set_elem_destroy(set, e, true);
++	}
++}
++
++/**
+  * nft_pipapo_destroy() - Free private data for set and all committed elements
+  * @set:	nftables API set representation
+  */
+@@ -2132,26 +2158,13 @@ static void nft_pipapo_destroy(const str
+ {
+ 	struct nft_pipapo *priv = nft_set_priv(set);
+ 	struct nft_pipapo_match *m;
+-	struct nft_pipapo_field *f;
+-	int i, r, cpu;
++	int cpu;
+ 
+ 	m = rcu_dereference_protected(priv->match, true);
+ 	if (m) {
+ 		rcu_barrier();
+ 
+-		for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
+-			;
+-
+-		for (r = 0; r < f->rules; r++) {
+-			struct nft_pipapo_elem *e;
+-
+-			if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
+-				continue;
+-
+-			e = f->mt[r].e;
+-
+-			nft_set_elem_destroy(set, e, true);
+-		}
++		nft_set_pipapo_match_destroy(set, m);
+ 
+ #ifdef NFT_PIPAPO_ALIGN
+ 		free_percpu(m->scratch_aligned);
+@@ -2165,6 +2178,11 @@ static void nft_pipapo_destroy(const str
+ 	}
+ 
+ 	if (priv->clone) {
++		m = priv->clone;
++
++		if (priv->dirty)
++			nft_set_pipapo_match_destroy(set, m);
++
+ #ifdef NFT_PIPAPO_ALIGN
+ 		free_percpu(priv->clone->scratch_aligned);
+ #endif
diff --git a/PKGBUILD b/PKGBUILD
index 1eb8b9e9feb3..1feea911850f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Andreas Radke <andyrtr@archlinux.org>
 
 pkgbase=linux-vfio-lts
-pkgver=5.15.52
+pkgver=5.15.53
 pkgrel=1
 pkgdesc='LTS Linux VFIO'
 url="https://www.kernel.org/"
@@ -22,6 +22,8 @@ source=(
   0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
   0005-lg-laptop_Recognize_more_models.patch
   0006_fix_NFSv4_mount_regression.diff
+  0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+  0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
   add-acs-overrides.patch
   i915-vga-arbiter.patch
 )
@@ -30,15 +32,17 @@ validpgpkeys=(
   '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
 )
 # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256sums=('f4680a5da9f25a908ead5956935e7c05124d5f37f6e75a1e07d58641d7ab6d05'
+sha256sums=('f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07'
             'SKIP'
-            '522a85c0853ecb070f58d969ea1c65982f945d5a7d7748702116a551573aa6d9'
+            '0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c'
             '99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423'
             'c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706'
             '7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e'
             '3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4'
             '79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78'
             'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f'
+            'b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c'
+            '08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea'
             'b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77'
             '856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6')
 
@@ -53,6 +57,10 @@ prepare() {
   # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=6f2836341d8a39e1e000572b10959347d7e61fd9
   patch -Rp1 -i ../0006_fix_NFSv4_mount_regression.diff
 
+  # FS#75226 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
+  patch -Np1 -i ../0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+  patch -Np1 -i ../0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
+
   echo "Setting version..."
   scripts/setlocalversion --save-scmversion
   echo "-$pkgrel" > localversion.10-pkgrel
diff --git a/config b/config
index d4010c685379..8fe74182eb84 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.52 Kernel Configuration
+# Linux/x86 5.15.53 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0"
 CONFIG_CC_IS_GCC=y