Merge remote-tracking branch 'origin/f36' into f36-user-thl-vanilla-fedora

4 files changed, 48 insertions, 51 deletions

diff --git a/Patchlist.changelog b/Patchlist.changelog
index 224614e2b..6b3a108ee 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,12 @@
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/f147438b42147e1cf44f1471dc2a4288486dd791
+ f147438b42147e1cf44f1471dc2a4288486dd791 netfilter: nf_tables: stricter validation of element data
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/536f55b6208f317e86c5876014be423642690098
+ 536f55b6208f317e86c5876014be423642690098 Revert "Revert "smb3: use netname when available on secondary channels""
+
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/f881c8e206d2f230bd7b67dd4b611b46e07ff202
+ f881c8e206d2f230bd7b67dd4b611b46e07ff202 Revert "Revert "smb3: fix empty netname context on secondary channels""
+
 "https://gitlab.com/cki-project/kernel-ark/-/commit"/70b6a2dd3426c05d36f40c5d75e4f4a4d6196a59
  70b6a2dd3426c05d36f40c5d75e4f4a4d6196a59 Revert "smb3: fix empty netname context on secondary channels"
 
diff --git a/kernel.spec b/kernel.spec
index ac8d31606..de91d02b9 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -3041,6 +3041,11 @@ fi
 #
 #
 %changelog
+* Thu Jul 07 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.10-0]
+- netfilter: nf_tables: stricter validation of element data (Pablo Neira Ayuso)
+- Revert "Revert "smb3: use netname when available on secondary channels"" (Justin M. Forbes)
+- Revert "Revert "smb3: fix empty netname context on secondary channels"" (Justin M. Forbes)
+
 * Sat Jul 02 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.18.9-0]
 - Revert "smb3: fix empty netname context on secondary channels" (Justin M. Forbes)
 - Revert "smb3: use netname when available on secondary channels" (Justin M. Forbes)
diff --git a/patch-5.18-redhat.patch b/patch-5.18-redhat.patch
index 5fee738c2..570f2adcb 100644
--- a/patch-5.18-redhat.patch
+++ b/patch-5.18-redhat.patch
@@ -30,7 +30,6 @@
  drivers/nvme/host/nvme.h                           |   4 +
  drivers/pci/quirks.c                               |  24 ++++
  drivers/usb/core/hub.c                             |   7 ++
- fs/cifs/smb2pdu.c                                  |  21 +---
  include/linux/efi.h                                |  24 ++--
  include/linux/lsm_hook_defs.h                      |   2 +
  include/linux/lsm_hooks.h                          |   6 +
@@ -38,15 +37,16 @@
  include/linux/security.h                           |   5 +
  init/Kconfig                                       |   2 +-
  kernel/module_signing.c                            |   9 +-
+ net/netfilter/nf_tables_api.c                      |   9 +-
  scripts/tags.sh                                    |   2 +
  security/integrity/platform_certs/load_uefi.c      |   6 +-
  security/lockdown/Kconfig                          |  13 +++
  security/lockdown/lockdown.c                       |   1 +
  security/security.c                                |   6 +
- 45 files changed, 727 insertions(+), 206 deletions(-)
+ 45 files changed, 729 insertions(+), 192 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 751cfd786c8c..1dbeaa096d9b 100644
+index 088b84f99203..53ce8dbdd481 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -123,7 +123,7 @@ index 1cc85b8ff42e..b7ee128c67ce 100644
 +	return !!ipl_secure_flag;
 +}
 diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
-index d860ac300919..6e63924932e6 100644
+index 2cef49983e9e..c50998b4b554 100644
 --- a/arch/s390/kernel/setup.c
 +++ b/arch/s390/kernel/setup.c
 @@ -49,6 +49,7 @@
@@ -134,7 +134,7 @@ index d860ac300919..6e63924932e6 100644
  #include <linux/hugetlb.h>
  #include <linux/kmemleak.h>
 
-@@ -965,6 +966,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -970,6 +971,9 @@ void __init setup_arch(char **cmdline_p)
 
  	log_component_list();
 
@@ -1517,49 +1517,6 @@ index 1460857026e0..7e1964891089 100644
  	/* Lock the device, then check to see if we were
  	 * disconnected while waiting for the lock to succeed. */
  	usb_lock_device(hdev);
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
-index 6a8a00f28b19..179c1630bf56 100644
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -543,7 +543,6 @@ assemble_neg_contexts(struct smb2_negotiate_req *req,
- 		      struct TCP_Server_Info *server, unsigned int *total_len)
- {
- 	char *pneg_ctxt;
--	char *hostname = NULL;
- 	unsigned int ctxt_len, neg_context_count;
-
- 	if (*total_len > 200) {
-@@ -571,24 +570,16 @@ assemble_neg_contexts(struct smb2_negotiate_req *req,
- 	*total_len += ctxt_len;
- 	pneg_ctxt += ctxt_len;
-
-+	ctxt_len = build_netname_ctxt((struct smb2_netname_neg_context *)pneg_ctxt,
-+					server->hostname);
-+	*total_len += ctxt_len;
-+	pneg_ctxt += ctxt_len;
-+
- 	build_posix_ctxt((struct smb2_posix_neg_context *)pneg_ctxt);
- 	*total_len += sizeof(struct smb2_posix_neg_context);
- 	pneg_ctxt += sizeof(struct smb2_posix_neg_context);
-
--	/*
--	 * secondary channels don't have the hostname field populated
--	 * use the hostname field in the primary channel instead
--	 */
--	hostname = CIFS_SERVER_IS_CHAN(server) ?
--		server->primary_server->hostname : server->hostname;
--	if (hostname && (hostname[0] != 0)) {
--		ctxt_len = build_netname_ctxt((struct smb2_netname_neg_context *)pneg_ctxt,
--					      hostname);
--		*total_len += ctxt_len;
--		pneg_ctxt += ctxt_len;
--		neg_context_count = 4;
--	} else /* second channels do not have a hostname */
--		neg_context_count = 3;
-+	neg_context_count = 4;
-
- 	if (server->compress_algorithm) {
- 		build_compression_ctxt((struct smb2_compression_capabilities_context *)
 diff --git a/include/linux/efi.h b/include/linux/efi.h
 index cc6d2be2ffd5..418d814d2eb7 100644
 --- a/include/linux/efi.h
@@ -1743,6 +1700,32 @@ index 8723ae70ea1f..fb2d773498c2 100644
 +	}
 +	return ret;
  }
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 81243c834abb..a136148627e7 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5213,13 +5213,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
+ 				  struct nft_data *data,
+ 				  struct nlattr *attr)
+ {
++	u32 dtype;
+ 	int err;
+
+ 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
+ 	if (err < 0)
+ 		return err;
+
+-	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
++	if (set->dtype == NFT_DATA_VERDICT)
++		dtype = NFT_DATA_VERDICT;
++	else
++		dtype = NFT_DATA_VALUE;
++
++	if (dtype != desc->type ||
++	    set->dlen != desc->len) {
+ 		nft_data_release(data, desc->type);
+ 		return -EINVAL;
+ 	}
 diff --git a/scripts/tags.sh b/scripts/tags.sh
 index 16d475b3e203..4e333f14b84e 100755
 --- a/scripts/tags.sh
diff --git a/sources b/sources
index 9a7d60a88..00dfa5b9a 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.18.9.tar.xz) = df523ea0a547da055d8ee435192ad0769cc91e7d081da52558f66ae7108525a80353565bd33dd70f6bcdb393e6ba7634971e30cee7d4eb36678d9183558d1e47
-SHA512 (kernel-abi-stablelists-5.18.9-200.tar.bz2) = 37dfd71b2947c90ace803b904c82e449f8f52cbaf782c6b61ab40c6ba04268631c78701729680102d96d246878d6758b89398a0ecdde07332cc8f8951ef67757
-SHA512 (kernel-kabi-dw-5.18.9-200.tar.bz2) = 6ffc70c49dacc3546ceef8024538eeeac6629c9d02110b5042287e327cc43ca3756011eb13ea68f1254c8f76ad3e38f61c7252f8301033e9e18aec62ae4c4c8a
+SHA512 (linux-5.18.10.tar.xz) = 443ade4d54208697976ac6dfaa96f1a3d2ac21f1440d6414304161305aa5571aa93cee65f1adaae9163382dff3bbf4d712f04cfae5d57bbc61de4295ebbcaa88
+SHA512 (kernel-abi-stablelists-5.18.10-200.tar.bz2) = 6e290f5bc4f5ec91aa586a62652f6cefb9ca9743e31ff172de9e95f0faabe7dc94ba26bcd479c2a8adbd8dae8ea2a0e7c5478a9d3ee2871855cf5b0d313d1e7c
+SHA512 (kernel-kabi-dw-5.18.10-200.tar.bz2) = 07a7a5f8bc318fdda6f6d8dac0df667dffadecc6db8def51cc92e246f1ad372668aa6a7d58054f9bd56010b3599de74b9406f3b83c1d23bc0de4b61bd703eda4