5 files changed, 9 insertions, 188 deletions

diff --git a/.SRCINFO b/.SRCINFO
index e60b78beecaa..e886ecfe5493 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
 pkgbase = linux-vfio-lts
 	pkgdesc = LTS Linux VFIO
-	pkgver = 5.15.53
+	pkgver = 5.15.54
 	pkgrel = 1
 	url = https://www.kernel.org/
 	arch = x86_64
@@ -19,8 +19,8 @@ pkgbase = linux-vfio-lts
 	makedepends = imagemagick
 	makedepends = texlive-latexextra
 	options = !strip
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.xz
-	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.53.tar.sign
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.54.tar.xz
+	source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.54.tar.sign
 	source = config
 	source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
 	source = 0002-PCI_Add_more_NVIDIA_controllers_to_the_MSI_masking_quirk.patch
@@ -28,23 +28,19 @@ pkgbase = linux-vfio-lts
 	source = 0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
 	source = 0005-lg-laptop_Recognize_more_models.patch
 	source = 0006_fix_NFSv4_mount_regression.diff
-	source = 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
-	source = 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
 	source = add-acs-overrides.patch
 	source = i915-vga-arbiter.patch
 	validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 	validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
-	sha256sums = f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07
+	sha256sums = 594f548bb0a73e9c08deef838836c984666709687257a624c5ccaf9ae056ce4d
 	sha256sums = SKIP
-	sha256sums = 0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c
+	sha256sums = 8d9ae7bd60b671077a34e68058a1800b759060f93d658b0bbf83fb2a921a7fc8
 	sha256sums = 99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423
 	sha256sums = c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706
 	sha256sums = 7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e
 	sha256sums = 3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4
 	sha256sums = 79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78
 	sha256sums = e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f
-	sha256sums = b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c
-	sha256sums = 08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea
 	sha256sums = b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77
 	sha256sums = 856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6
 
diff --git a/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff b/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
deleted file mode 100644
index 385b9cf9634c..000000000000
--- a/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Sat, 2 Jul 2022 04:16:30 +0200
-Subject: netfilter: nf_tables: stricter validation of element data
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 upstream.
-
-Make sure element data type and length do not mismatch the one specified
-by the set declaration.
-
-Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
-Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c |    9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -5118,13 +5118,20 @@ static int nft_setelem_parse_data(struct
- 				  struct nft_data *data,
- 				  struct nlattr *attr)
- {
-+	u32 dtype;
- 	int err;
- 
- 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
- 	if (err < 0)
- 		return err;
- 
--	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
-+	if (set->dtype == NFT_DATA_VERDICT)
-+		dtype = NFT_DATA_VERDICT;
-+	else
-+		dtype = NFT_DATA_VALUE;
-+
-+	if (dtype != desc->type ||
-+	    set->dlen != desc->len) {
- 		nft_data_release(data, desc->type);
- 		return -EINVAL;
- 	}
diff --git a/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff b/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
deleted file mode 100644
index e19d1daae73c..000000000000
--- a/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
+++ /dev/null
@@ -1,123 +0,0 @@
-From 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Sat, 2 Jul 2022 04:16:31 +0200
-Subject: netfilter: nft_set_pipapo: release elements in clone from abort path
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-commit 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e upstream.
-
-New elements that reside in the clone are not released in case that the
-transaction is aborted.
-
-[16302.231754] ------------[ cut here ]------------
-[16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]
-[...]
-[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         5.19.0-rc3+ #155
-[...]
-[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]
-[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05
-[...]
-[16302.231917] Call Trace:
-[16302.231919]  <TASK>
-[16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]
-[16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]
-[16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]
-[16302.231952]  ? __nla_validate_parse+0x48/0x190
-[16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]
-[16302.231963]  netlink_unicast+0x211/0x340
-[16302.231969]  netlink_sendmsg+0x21e/0x460
-
-Add nft_set_pipapo_match_destroy() helper function to release the
-elements in the lookup tables.
-
-Stefano Brivio says: "We additionally look for elements pointers in the
-cloned matching data if priv->dirty is set, because that means that
-cloned data might point to additional elements we did not commit to the
-working copy yet (such as the abort path case, but perhaps not limited
-to it)."
-
-Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
-Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nft_set_pipapo.c |   48 ++++++++++++++++++++++++++++-------------
- 1 file changed, 33 insertions(+), 15 deletions(-)
-
---- a/net/netfilter/nft_set_pipapo.c
-+++ b/net/netfilter/nft_set_pipapo.c
-@@ -2125,6 +2125,32 @@ out_scratch:
- }
- 
- /**
-+ * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array
-+ * @set:	nftables API set representation
-+ * @m:		matching data pointing to key mapping array
-+ */
-+static void nft_set_pipapo_match_destroy(const struct nft_set *set,
-+					 struct nft_pipapo_match *m)
-+{
-+	struct nft_pipapo_field *f;
-+	int i, r;
-+
-+	for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
-+		;
-+
-+	for (r = 0; r < f->rules; r++) {
-+		struct nft_pipapo_elem *e;
-+
-+		if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
-+			continue;
-+
-+		e = f->mt[r].e;
-+
-+		nft_set_elem_destroy(set, e, true);
-+	}
-+}
-+
-+/**
-  * nft_pipapo_destroy() - Free private data for set and all committed elements
-  * @set:	nftables API set representation
-  */
-@@ -2132,26 +2158,13 @@ static void nft_pipapo_destroy(const str
- {
- 	struct nft_pipapo *priv = nft_set_priv(set);
- 	struct nft_pipapo_match *m;
--	struct nft_pipapo_field *f;
--	int i, r, cpu;
-+	int cpu;
- 
- 	m = rcu_dereference_protected(priv->match, true);
- 	if (m) {
- 		rcu_barrier();
- 
--		for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
--			;
--
--		for (r = 0; r < f->rules; r++) {
--			struct nft_pipapo_elem *e;
--
--			if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
--				continue;
--
--			e = f->mt[r].e;
--
--			nft_set_elem_destroy(set, e, true);
--		}
-+		nft_set_pipapo_match_destroy(set, m);
- 
- #ifdef NFT_PIPAPO_ALIGN
- 		free_percpu(m->scratch_aligned);
-@@ -2165,6 +2178,11 @@ static void nft_pipapo_destroy(const str
- 	}
- 
- 	if (priv->clone) {
-+		m = priv->clone;
-+
-+		if (priv->dirty)
-+			nft_set_pipapo_match_destroy(set, m);
-+
- #ifdef NFT_PIPAPO_ALIGN
- 		free_percpu(priv->clone->scratch_aligned);
- #endif
diff --git a/PKGBUILD b/PKGBUILD
index 1feea911850f..46023840db91 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Andreas Radke <andyrtr@archlinux.org>
 
 pkgbase=linux-vfio-lts
-pkgver=5.15.53
+pkgver=5.15.54
 pkgrel=1
 pkgdesc='LTS Linux VFIO'
 url="https://www.kernel.org/"
@@ -22,8 +22,6 @@ source=(
   0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
   0005-lg-laptop_Recognize_more_models.patch
   0006_fix_NFSv4_mount_regression.diff
-  0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
-  0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
   add-acs-overrides.patch
   i915-vga-arbiter.patch
 )
@@ -32,17 +30,15 @@ validpgpkeys=(
   '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
 )
 # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256sums=('f3aa717243051f3fcca90ebfe26fe5c3a596c2f6047846e8d1724ea90df77b07'
+sha256sums=('594f548bb0a73e9c08deef838836c984666709687257a624c5ccaf9ae056ce4d'
             'SKIP'
-            '0e605ccfafa347522c5960289aaaabe368aef98b47bc0b76baadab7ca28e833c'
+            '8d9ae7bd60b671077a34e68058a1800b759060f93d658b0bbf83fb2a921a7fc8'
             '99df282c594cc269d9a5d19bb86ea887892d3654cfc53c4ce94a644cf3278423'
             'c35018601f04ae81e0a2018a8597595db6ae053158c206845399cdebb2d2b706'
             '7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e'
             '3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4'
             '79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78'
             'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f'
-            'b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c'
-            '08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea'
             'b90be7b79652be61f7d50691000f6a8c75a240dc2eee2667b68d984f67583f77'
             '856230cfbdc2bb53a4920dfbcb6fb2d58427b7b184e5f94e21f08011d0a2fcc6')
 
@@ -57,10 +53,6 @@ prepare() {
   # https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=6f2836341d8a39e1e000572b10959347d7e61fd9
   patch -Rp1 -i ../0006_fix_NFSv4_mount_regression.diff
 
-  # FS#75226 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
-  patch -Np1 -i ../0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
-  patch -Np1 -i ../0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
-
   echo "Setting version..."
   scripts/setlocalversion --save-scmversion
   echo "-$pkgrel" > localversion.10-pkgrel
diff --git a/config b/config
index 8fe74182eb84..b18a8e6e273c 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.53 Kernel Configuration
+# Linux/x86 5.15.54 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 12.1.0"
 CONFIG_CC_IS_GCC=y