From 1700cefc512e715349c48680df1478641400342a Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Sun, 16 Jan 2022 11:16:21 -0600
Subject: kernel-5.15.15-0
* Sun Jan 16 2022 Justin M. Forbes [5.15.15-0]
- netfilter: nat: force port remap to prevent shadowing well-known ports (Florian Westphal)
- netfilter: conntrack: tag conntracks picked up in local out hook (Florian Westphal)
- configs/fedora: Enable CONFIG_NFC_PN532_UART for use PN532 NFC module (Ziqian SUN (Zamir))
Resolves: rhbz#
Signed-off-by: Justin M. Forbes
---
 Patchlist.changelog | 6 ++
 kernel-aarch64-debug-fedora.config | 8 +-
 kernel-aarch64-debug-rhel.config | 6 +-
 kernel-aarch64-fedora.config | 8 +-
 kernel-aarch64-rhel.config | 6 +-
 kernel-armv7hl-debug-fedora.config | 8 +-
 kernel-armv7hl-fedora.config | 8 +-
 kernel-armv7hl-lpae-debug-fedora.config | 8 +-
 kernel-armv7hl-lpae-fedora.config | 8 +-
 kernel-i686-debug-fedora.config | 8 +-
 kernel-i686-fedora.config | 8 +-
 kernel-ppc64le-debug-fedora.config | 8 +-
 kernel-ppc64le-debug-rhel.config | 6 +-
 kernel-ppc64le-fedora.config | 8 +-
 kernel-ppc64le-rhel.config | 6 +-
 kernel-s390x-debug-fedora.config | 8 +-
 kernel-s390x-debug-rhel.config | 6 +-
 kernel-s390x-fedora.config | 8 +-
 kernel-s390x-rhel.config | 6 +-
 kernel-x86_64-debug-fedora.config | 8 +-
 kernel-x86_64-debug-rhel.config | 6 +-
 kernel-x86_64-fedora.config | 8 +-
 kernel-x86_64-rhel.config | 6 +-
 kernel.spec | 13 ++-
 patch-5.15-redhat.patch | 148 +++++++++++++++++++++++++++++---
 sources | 6 +-
 26 files changed, 235 insertions(+), 98 deletions(-)
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 5b272a52a..b75b5dcea 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,9 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/d334145759adb9d064c94828fe534b78d6d8ca3a
+ d334145759adb9d064c94828fe534b78d6d8ca3a netfilter: nat: force port remap to prevent shadowing well-known ports
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/ff45edcc5c5fd94937474616c9a1c6ed8331e6ce
+ ff45edcc5c5fd94937474616c9a1c6ed8331e6ce netfilter: conntrack: tag conntracks picked up in local out hook
+
 https://gitlab.com/cki-project/kernel-ark/-/commit/f1cc8d1b733c14b152da07eeab09ae0ffb541ef1
  f1cc8d1b733c14b152da07eeab09ae0ffb541ef1 iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
diff --git a/kernel-aarch64-debug-fedora.config b/kernel-aarch64-debug-fedora.config
index 2d20e58ad..20dc6cd61 100644
--- a/kernel-aarch64-debug-fedora.config
+++ b/kernel-aarch64-debug-fedora.config
@@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4734,7 +4734,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index d624bf422..f0f33bda6 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
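Review bot: The two crypto hunks at @@ -1303 and @@ -1424 switch CONFIG_CRYPTO_CHACHA20, CONFIG_CRYPTO_CHACHA20POLY1305 and CONFIG_CRYPTO_POLY1305 from `m` to `y`, but neither the commit message nor the new %changelog entry added to kernel.spec mentions it; both list only the two netfilter backports and the CONFIG_NFC_PN532_UART enablement. The same flip is repeated in every other *.config file in this commit, including the rhel variants, so it looks deliberate rather than a stray regeneration artifact, but nothing in the record says why. Built-in rather than modular means these primitives are linked into the kernel image and can no longer be withheld by module loading policy, which is worth one line of justification for whoever audits this config later. Suggested changelog line alongside the other three: `- configs: build CHACHA20/CHACHA20POLY1305/POLY1305 into the kernel instead of as modules (<reason>)`.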
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM64_CE=m
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-aarch64-fedora.config b/kernel-aarch64-fedora.config
index 3d06fd64d..bf5f88774 100644
--- a/kernel-aarch64-fedora.config
+++ b/kernel-aarch64-fedora.config
@@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4710,7 +4710,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 1b203ba06..d19c656a1 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM64_CE=m
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-armv7hl-debug-fedora.config b/kernel-armv7hl-debug-fedora.config
index 2e14cfb96..09b59602e 100644
--- a/kernel-armv7hl-debug-fedora.config
+++ b/kernel-armv7hl-debug-fedora.config
@@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
 CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4806,7 +4806,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-fedora.config b/kernel-armv7hl-fedora.config
index 48ffcb496..9449a93f2 100644
--- a/kernel-armv7hl-fedora.config
+++ b/kernel-armv7hl-fedora.config
@@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
 CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4783,7 +4783,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-lpae-debug-fedora.config b/kernel-armv7hl-lpae-debug-fedora.config
index 571b0f7e8..d525e9e2c 100644
--- a/kernel-armv7hl-lpae-debug-fedora.config
+++ b/kernel-armv7hl-lpae-debug-fedora.config
@@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
 CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4704,7 +4704,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-lpae-fedora.config b/kernel-armv7hl-lpae-fedora.config
index 5c261af7c..dfa908c95 100644
--- a/kernel-armv7hl-lpae-fedora.config
+++ b/kernel-armv7hl-lpae-fedora.config
@@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
 CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32_ARM_CE=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
 CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4681,7 +4681,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-i686-debug-fedora.config b/kernel-i686-debug-fedora.config
index c93da919b..ffa5c44b4 100644
--- a/kernel-i686-debug-fedora.config
+++ b/kernel-i686-debug-fedora.config
@@ -1045,8 +1045,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1131,7 +1131,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4318,7 +4318,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-i686-fedora.config b/kernel-i686-fedora.config
index d3229929e..585b49862 100644
--- a/kernel-i686-fedora.config
+++ b/kernel-i686-fedora.config
@@ -1044,8 +1044,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1130,7 +1130,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4295,7 +4295,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-debug-fedora.config b/kernel-ppc64le-debug-fedora.config
index 8740dd7bc..7b97aa692 100644
--- a/kernel-ppc64le-debug-fedora.config
+++ b/kernel-ppc64le-debug-fedora.config
@@ -992,8 +992,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
 CONFIG_CRYPTO_CRC32C=y
@@ -1071,7 +1071,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4052,7 +4052,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index cf769a5b2..3768b580d 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
 CONFIG_CRYPTO_CRC32C=y
@@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-ppc64le-fedora.config b/kernel-ppc64le-fedora.config
index bff21d8e2..3f6abee85 100644
--- a/kernel-ppc64le-fedora.config
+++ b/kernel-ppc64le-fedora.config
@@ -991,8 +991,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
 CONFIG_CRYPTO_CRC32C=y
@@ -1070,7 +1070,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4028,7 +4028,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 96477f0c2..418f2e9b0 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
 CONFIG_CRYPTO_CRC32C=y
@@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-s390x-debug-fedora.config b/kernel-s390x-debug-fedora.config
index 371f0a752..87972fbf4 100644
--- a/kernel-s390x-debug-fedora.config
+++ b/kernel-s390x-debug-fedora.config
@@ -1000,8 +1000,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
 CONFIG_CRYPTO_CRC32C=y
@@ -1074,7 +1074,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PAES_S390=m
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4032,7 +4032,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index 73fdf8403..74cf67f09 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
 CONFIG_CRYPTO_CRC32C=y
@@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PAES_S390=m
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-s390x-fedora.config b/kernel-s390x-fedora.config
index fcf1ac318..04b77fbec 100644
--- a/kernel-s390x-fedora.config
+++ b/kernel-s390x-fedora.config
@@ -999,8 +999,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
 CONFIG_CRYPTO_CRC32C=y
@@ -1073,7 +1073,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PAES_S390=m
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4008,7 +4008,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index 4010f8548..a41c44546 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
 CONFIG_CRYPTO_CRC32C=y
@@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PAES_S390=m
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-x86_64-debug-fedora.config b/kernel-x86_64-debug-fedora.config
index b1cb32cda..58217d3af 100644
--- a/kernel-x86_64-debug-fedora.config
+++ b/kernel-x86_64-debug-fedora.config
@@ -1070,9 +1070,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
 CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1163,8 +1163,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4362,7 +4362,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index a204e74e1..0fb97249f 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
 CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-x86_64-fedora.config b/kernel-x86_64-fedora.config
index 64ec4a0b8..00fac72bb 100644
--- a/kernel-x86_64-fedora.config
+++ b/kernel-x86_64-fedora.config
@@ -1069,9 +1069,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
 CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1162,8 +1162,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
@@ -4339,7 +4339,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
 # CONFIG_NF_CONNTRACK_TIMEOUT is not set
 CONFIG_NF_CONNTRACK_TIMESTAMP=y
 CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
 CONFIG_NFC_PN533_I2C=m
 CONFIG_NFC_PN533=m
 CONFIG_NFC_PN533_USB=m
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 3e7902171..76006d1f0 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CCM=y
 CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
 CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_CRC32C_INTEL=m
 # CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y
 CONFIG_CRYPTO_OFB=y
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
 CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
 CONFIG_CRYPTO_RMD128=m
 CONFIG_CRYPTO_RMD160=m
 CONFIG_CRYPTO_RMD256=m
diff --git a/kernel.spec b/kernel.spec
index e5a128176..55f59e644 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -128,7 +128,7 @@ Summary: The Linux kernel
 # The kernel tarball/base version
 %define kversion 5.15
-%define rpmversion 5.15.14
+%define rpmversion 5.15.15
 %define patchversion 5.15
 %define pkgrelease 100
@@ -682,7 +682,7 @@ BuildRequires: lld
 # exact git commit you can run
 #
 # xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.15.14.tar.xz
+Source0: linux-5.15.15.tar.xz
 Source1: Makefile.rhelver
@@ -1374,8 +1374,8 @@ ApplyOptionalPatch()
 fi
 }
-%setup -q -n kernel-5.15.14 -c
-mv linux-5.15.14 linux-%{KVERREL}
+%setup -q -n kernel-5.15.15 -c
+mv linux-5.15.15 linux-%{KVERREL}
 cd linux-%{KVERREL}
 cp -a %{SOURCE1} .
@@ -2972,6 +2972,11 @@ fi
 #
 #
 %changelog
+* Sun Jan 16 2022 Justin M. Forbes [5.15.15-0]
+- netfilter: nat: force port remap to prevent shadowing well-known ports (Florian Westphal)
+- netfilter: conntrack: tag conntracks picked up in local out hook (Florian Westphal)
+- configs/fedora: Enable CONFIG_NFC_PN532_UART for use PN532 NFC module (Ziqian SUN (Zamir))
+
 * Tue Jan 11 2022 Justin M. Forbes [5.15.14-0]
 - Fix up changelog (Justin M. Forbes)
diff --git a/patch-5.15-redhat.patch b/patch-5.15-redhat.patch
index 867962f63..292d02fdf 100644
--- a/patch-5.15-redhat.patch
+++ b/patch-5.15-redhat.patch
@@ -41,14 +41,18 @@ include/linux/random.h | 7 ++ include/linux/rmi.h | 1 + include/linux/security.h | 5 + + include/net/netfilter/nf_conntrack.h | 1 + init/Kconfig | 2 +- kernel/module_signing.c | 9 +- + net/netfilter/nf_conntrack_core.c | 3 + + net/netfilter/nf_nat_core.c | 43 ++++++- scripts/tags.sh | 2 + security/integrity/platform_certs/load_uefi.c | 6 +- security/lockdown/Kconfig | 13 +++ security/lockdown/lockdown.c | 1 + security/security.c | 6 + - 50 files changed, 753 insertions(+), 202 deletions(-) + tools/testing/selftests/netfilter/nft_nat.sh | 5 +- + 54 files changed, 800 insertions(+), 207 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 8ff6dafafdf8..e3f786336cf9 100644 @@ -71,7 +75,7 @@ index 8ff6dafafdf8..e3f786336cf9 100644 This is normally done in pci_enable_device(), so this option is a temporary workaround diff --git a/Makefile b/Makefile -index a469670e7675..cf656b40117c 100644 +index aed26e228dde..543979497d37 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \ @@ -683,7 +687,7 @@ index fe91090e04a4..f00bc6886913 100644 rv = ipmi_register_driver(); mutex_unlock(&ipmi_interfaces_mutex); diff --git a/drivers/char/random.c b/drivers/char/random.c -index 605969ed0f96..4d51f1c67675 100644 +index 7470ee24db2f..a3ac18f64ba7 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -335,6 +335,7 @@ @@ -706,7 +710,7 @@ index 605969ed0f96..4d51f1c67675 100644 /* * Configuration information */ -@@ -481,6 +487,9 @@ static int ratelimit_disable __read_mostly; +@@ -482,6 +488,9 @@ static int ratelimit_disable __read_mostly; module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); 
@@ -716,7 +720,7 @@ index 605969ed0f96..4d51f1c67675 100644 /********************************************************************** * * OS independent entropy store. Here are the functions which handle -@@ -1858,6 +1867,13 @@ random_poll(struct file *file, poll_table * wait) +@@ -1878,6 +1887,13 @@ random_poll(struct file *file, poll_table * wait) return mask; } @@ -730,7 +734,7 @@ index 605969ed0f96..4d51f1c67675 100644 static int write_pool(struct entropy_store *r, const char __user *buffer, size_t count) { -@@ -1961,7 +1977,58 @@ static int random_fasync(int fd, struct file *filp, int on) +@@ -1981,7 +1997,58 @@ static int random_fasync(int fd, struct file *filp, int on) return fasync_helper(fd, filp, on, &fasync); } @@ -789,7 +793,7 @@ index 605969ed0f96..4d51f1c67675 100644 .read = random_read, .write = random_write, .poll = random_poll, -@@ -1972,6 +2039,7 @@ const struct file_operations random_fops = { +@@ -1992,6 +2059,7 @@ const struct file_operations random_fops = { }; const struct file_operations urandom_fops = { @@ -797,7 +801,7 @@ index 605969ed0f96..4d51f1c67675 100644 .read = urandom_read, .write = random_write, .unlocked_ioctl = random_ioctl, -@@ -1980,9 +2048,31 @@ const struct file_operations urandom_fops = { +@@ -2000,9 +2068,31 @@ const struct file_operations urandom_fops = { .llseek = noop_llseek, }; @@ -829,7 +833,7 @@ index 605969ed0f96..4d51f1c67675 100644 int ret; if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE)) -@@ -1998,6 +2088,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, +@@ -2018,6 +2108,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count, if (count > INT_MAX) count = INT_MAX; 
@@ -848,7 +852,7 @@ index 605969ed0f96..4d51f1c67675 100644
 if (!(flags & GRND_INSECURE) && !crng_ready()) {
 if (flags & GRND_NONBLOCK)
 return -EAGAIN;
-@@ -2303,3 +2405,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
+@@ -2324,3 +2426,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
 add_device_randomness(buf, size);
 }
 EXPORT_SYMBOL_GPL(add_bootloader_randomness);
@@ -1666,7 +1670,7 @@ index 3dc055ce6e61..bb56640eb31f 100644
 static inline bool tpacpi_is_led_restricted(const unsigned int led)
 {
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 00070a8a6507..e9e0ffa990cd 100644
+index 3bc4a86c3d0a..e346da4f58f2 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
 @@ -5666,6 +5666,13 @@ static void hub_event(struct work_struct *work)
@@ -1841,6 +1845,18 @@ index 46a02ce34d00..37e991a10d70 100644
 #endif /* CONFIG_SECURITY */
 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index d24b0a34c8f0..871489df63c6 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -95,6 +95,7 @@ struct nf_conn {
+ unsigned long status;
+
+ u16 cpu;
++ u16 local_origin:1;
+ possible_net_t ct_net;
+
+ #if IS_ENABLED(CONFIG_NF_NAT)
 diff --git a/init/Kconfig b/init/Kconfig
 index 11f8a845f259..9b94cc1b5546 100644
 --- a/init/Kconfig
@@ -1875,6 +1891,100 @@ index 8723ae70ea1f..fb2d773498c2 100644
 + }
 + return ret;
 }
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 4712a90a1820..208abc729302 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1749,6 +1749,9 @@ resolve_normal_ct(struct nf_conn *tmpl,
+ return 0;
+ if (IS_ERR(h))
+ return PTR_ERR(h);
++
++ ct = nf_ct_tuplehash_to_ctrack(h);
++ ct->local_origin = state->hook == NF_INET_LOCAL_OUT;
+ }
+ ct = nf_ct_tuplehash_to_ctrack(h);
+
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index 273117683922..21ec0c3d1d47 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
+ goto another_round;
+ }
+
++static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple)
++{
++ u16 sp, dp;
++
++ switch (tuple->dst.protonum) {
++ case IPPROTO_TCP:
++ sp = ntohs(tuple->src.u.tcp.port);
++ dp = ntohs(tuple->dst.u.tcp.port);
++ break;
++ case IPPROTO_UDP:
++ case IPPROTO_UDPLITE:
++ sp = ntohs(tuple->src.u.udp.port);
++ dp = ntohs(tuple->dst.u.udp.port);
++ break;
++ default:
++ return false;
++ }
++
++ /* IANA: System port range: 1-1023,
++ * user port range: 1024-49151,
++ * private port range: 49152-65535.
++ *
++ * Linux default ephemeral port range is 32768-60999.
++ *
++ * Enforce port remapping if sport is significantly lower
++ * than dport to prevent NAT port shadowing, i.e.
++ * accidental match of 'new' inbound connection vs.
++ * existing outbound one.
++ */
++ return sp < 16384 && dp >= 32768;
++}
++
+ /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
+ * we change the source to map into the range. For NF_INET_PRE_ROUTING
+ * and NF_INET_LOCAL_OUT, we change the destination to map into the
+@@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ struct nf_conn *ct,
+ enum nf_nat_manip_type maniptype)
+ {
++ bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
+ const struct nf_conntrack_zone *zone;
+ struct net *net = nf_ct_net(ct);
+
+ zone = nf_ct_zone(ct);
+
++ if (maniptype == NF_NAT_MANIP_SRC &&
++ !random_port &&
++ !ct->local_origin)
++ random_port = tuple_force_port_remap(orig_tuple);
++
+ /* 1) If this srcip/proto/src-proto-part is currently mapped,
+ * and that same mapping gives a unique tuple within the given
+ * range, use that.
+@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ * So far, we don't do local source mappings, so multiple
+ * manips not an issue.
+ */
+- if (maniptype == NF_NAT_MANIP_SRC &&
+- !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
++ if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
+ /* try the original tuple first */
+ if (in_range(orig_tuple, range)) {
+ if (!nf_nat_used_tuple(orig_tuple, ct)) {
+@@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ */
+
+ /* Only bother mapping if it's not already in range and unique */
+- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
++ if (!random_port) {
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
+ l4proto_in_range(tuple, maniptype,
 diff --git a/scripts/tags.sh b/scripts/tags.sh
 index db8ba411860a..2294fb0f17a9 100755
 --- a/scripts/tags.sh
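Review bot: `tuple_force_port_remap` in the nf_nat_core.c part of this hunk decides with the bare literals `16384` and `32768`, and the comment block above them, while it lists the IANA and Linux ephemeral ranges, never says which listed boundary each literal is; `32768` matches the ephemeral-range start quoted two lines up, but `16384` is not a boundary of any range in that comment, so its rationale is missing. As this is a backport of an upstream change I would not alter the code, but one comment line before the return would close the gap, e.g. `/* 32768: start of the default ephemeral range above; 16384: cut-off for "significantly lower" */`. The same comment should also say that the `default:` arm leaves every protocol other than TCP/UDP/UDP-Lite on the previous opportunistic behaviour, since the changelog wording "force port remap" suggests broader coverage than the switch provides. The `get_unique_tuple` hunks that follow continue outside this hunk (the function runs past `l4proto_in_range(tuple, maniptype,`).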
@@ -1965,3 +2075,19 @@ index 67264cb08fb3..85a0227bfac1 100644
 #ifdef CONFIG_PERF_EVENTS
 int security_perf_event_open(struct perf_event_attr *attr, int type)
 {
+diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
+index da1c1e4b6c86..6a08644d501e 100755
+--- a/tools/testing/selftests/netfilter/nft_nat.sh
++++ b/tools/testing/selftests/netfilter/nft_nat.sh
+@@ -867,8 +867,9 @@ EOF
+ return $ksft_skip
+ fi
+
+- # test default behaviour. Packet from ns1 to ns0 is redirected to ns2.
+- test_port_shadow "default" "CLIENT"
++ # test default behaviour. Packet from ns1 to ns0 is not redirected
++ # due to automatic port translation.
++ test_port_shadow "default" "ROUTER"
+
+ # test packet filter based mitigation: prevent forwarding of
+ # packets claiming to come from the service port.
diff --git a/sources b/sources
index 6ea50a440..f3fd705cd 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (kernel-abi-whitelists-5.13.19-200.tar.bz2) = 7d28816c431019c9f09b7bcda4eb43ed2c3a7cbb8199af0fecccf16bff3ac992e2c9ed3acc2d06d7c8ebec3dc9ad76d0975cc179d2e4b7541af2af05f7e35de6
-SHA512 (linux-5.15.14.tar.xz) = 68808e62a14cc4247f0b1a1657a07cd227ac2809c03fa511d7f34b797cd1f470748009dd68e3e0b260177b105151d06a96d14655b163f4efb0733359c01c0dcb
-SHA512 (kernel-abi-stablelists-5.15.14-100.tar.bz2) = a999a55cf0afad4cad4165840489a5f68c6c0fe0308140f031ad5419d345162aae005d44a15c923e6dc7df6b9c3e14d82cb355d5e9c4d12d12c25bd53d7a2f39
-SHA512 (kernel-kabi-dw-5.15.14-100.tar.bz2) = 9edfce3d218388876825ae4120aa4f6ab032e51b0c8f7635ed443e8655adc9e26c49f227653f7cf460a60a6df90313b0ed6fc201456fd86a165a303ee8595675
+SHA512 (linux-5.15.15.tar.xz) = 5dfc8616da24fd314b3d278bdaac2d6e95ac6bec21f624189cc0f3a71f6e2351aedc7a1e2887fe41e7469897558eb81ca835fda8084ca0cbf0bc66acf1b9cf07
+SHA512 (kernel-abi-stablelists-5.15.15-100.tar.bz2) = 939736964028892fb34c03659c6b34395fc163d3c4f010757650f286cecd4fbec4903663c7d8cd864f6554e9ef1b937990b9b05221caa0c5d12a8a42038c07f7
+SHA512 (kernel-kabi-dw-5.15.15-100.tar.bz2) = 27206d327a588cca4830c4a26f88f60e0ebf010cbc5ec0f3acf57a264a8818f99deae12e9af64b670850e1db6133a3e11bf64dd00b2c4ae6826fe10e0ee07512
--
cgit