From 623d64c6af17cf65e892f2f3d8f3ba58dd62b3bc Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Wed, 3 Jul 2019 14:29:24 +0000
Subject: Linux v5.1.16
---
 kernel.spec | 9 +++-
 ...netlink-Fix-regression-in-conntrack-entry.patch | 62 ++++++++++++++++++++++
 sources | 2 +-
 3 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
diff --git a/kernel.spec b/kernel.spec
index cb9462352..e133474a6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 15
+%define stable_update 16
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -623,6 +623,9 @@ Patch542: 0001-platform-x86-asus-wmi-Only-Tell-EC-the-OS-will-handl.patch
 Patch544: drm-panel-orientation-quirks.patch
 Patch545: efi-bgrt-acpi6.2-support.patch
+# Accepted upstream; rhbz 1724357
+Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1861,6 +1864,10 @@ fi
 #
 #
 %changelog
+* Wed Jul 03 2019 Jeremy Cline - 5.1.16-200
+- Linux v5.1.16
+- Fix an issue with deleting singular conntrack entries (rhbz 1724357)
+
 * Tue Jun 25 2019 Jeremy Cline - 5.1.15-200
 - Linux v5.1.15
 - Fixes CVE-2019-12817 (rhbz 1720616 1723697)
diff --git a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
new file mode 100644
index 000000000..750d884df
--- /dev/null
+++ b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
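Review bot: The comment added above Patch546 in the second kernel.spec hunk, `# Accepted upstream; rhbz 1724357`, records the bug number but not the upstream commit, so at the next stable rebase nobody can tell from the spec alone whether the fix has landed and the local patch should be dropped. Suggest `# Accepted upstream as e7600865db32 ("netfilter: ctnetlink: Fix regression in conntrack entry deletion"); rhbz 1724357`, taking the id from the From line of the embedded patch file this commit adds. I cannot confirm from this page whether that id is also the mainline one or whether 5.1.16 itself already carries the fix, so the comment should be checked against the stable changelog before it is relied on.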
@@ -0,0 +1,62 @@
+From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001
+From: Felix Kaechele
+Date: Tue, 25 Jun 2019 16:48:59 -0400
+Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry
+ deletion
+
+Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
+L3-protocol flush regression") introduced a regression in which deletion
+of conntrack entries would fail because the L3 protocol information
+is replaced by AF_UNSPEC. As a result the search for the entry to be
+deleted would turn up empty due to the tuple used to perform the search
+is now different from the tuple used to initially set up the entry.
+
+For flushing the conntrack table we do however want to keep the option
+for nfgenmsg->version to have a non-zero value to allow for newer
+user-space tools to request treatment under the new behavior. With that
+it is possible to independently flush tables for a defined L3 protocol.
+This was introduced with the enhancements in in commit 59c08c69c278
+("netfilter: ctnetlink: Support L3 protocol-filter on flush").
+
+Older user-space tools will retain the behavior of flushing all tables
+regardless of defined L3 protocol.
+
+Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
+Suggested-by: Pablo Neira Ayuso
+Signed-off-by: Felix Kaechele
+Signed-off-by: Pablo Neira Ayuso
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 7db79c1b8084..1b77444d5b52 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+ struct nf_conntrack_tuple tuple;
+ struct nf_conn *ct;
+ struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+- u_int8_t u3 = nfmsg->version ? 
nfmsg->nfgen_family : AF_UNSPEC;
+ struct nf_conntrack_zone zone;
+ int err;
+
+@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+
+ if (cda[CTA_TUPLE_ORIG])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else if (cda[CTA_TUPLE_REPLY])
+ err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+ else {
++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
++
+ return ctnetlink_flush_conntrack(net, cda,
+ NETLINK_CB(skb).portid,
+ nlmsg_report(nlh), u3);
+--
+2.21.0
+
diff --git a/sources b/sources
index 829accf75..8b634147f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
-SHA512 (patch-5.1.15.xz) = 0b2e4436644da2699cf6fdfb38d80dd7156fac74c1d99bec718f74171fb91815e3de1d08b892effc0ae39080c90b569a2bd30c1c4665c6b3a156cbb8e4c2ba61
+SHA512 (patch-5.1.16.xz) = 4e5a2946c4db9f5be24332eee217fddf8f0a8ce13935fad8936de02c97a0549185f931709b185cd289756011551f6876c14db751c522b0f6c4215b7d47b231be
-- cgit