From dbe1b529d716689835849eb9da45d03bcaba60d2 Mon Sep 17 00:00:00 2001
From: David P <megver83@parabola.nu>
Date: Sun, 17 Mar 2019 12:29:39 -0300
Subject: upgpkg: libre/linux-libre 5.0.2_gnu-1

Signed-off-by: David P <megver83@parabola.nu>
---
 ...to-disallow-unprivileged-CLONE_NEWUSER-by.patch |   2 +-
 ...002-exec-Fix-mem-leak-in-kernel_read_file.patch |  49 --------
 ...f_tables-fix-set-double-free-in-abort-pat.patch | 131 +++++++++++++++++++++
 libre/linux-libre/PKGBUILD                         |  18 +--
 libre/linux-libre/config.armv7h                    |   6 +-
 5 files changed, 144 insertions(+), 62 deletions(-)
 delete mode 100644 libre/linux-libre/0002-exec-Fix-mem-leak-in-kernel_read_file.patch
 create mode 100644 libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch

(limited to 'libre')

diff --git a/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
index c271a555b..c6b567471 100644
--- a/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/libre/linux-libre/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -1,4 +1,4 @@
-From daf814968caf9f6b6b9f208964d2accdae8a0ea9 Mon Sep 17 00:00:00 2001
+From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge.hallyn@canonical.com>
 Date: Fri, 31 May 2013 19:12:12 +0100
 Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
diff --git a/libre/linux-libre/0002-exec-Fix-mem-leak-in-kernel_read_file.patch b/libre/linux-libre/0002-exec-Fix-mem-leak-in-kernel_read_file.patch
deleted file mode 100644
index dd68baeab..000000000
--- a/libre/linux-libre/0002-exec-Fix-mem-leak-in-kernel_read_file.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 991d1205762f0ad463c54190242a8b421879f7d3 Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Tue, 19 Feb 2019 10:10:38 +0800
-Subject: [PATCH 2/2] exec: Fix mem leak in kernel_read_file
-
-syzkaller report this:
-BUG: memory leak
-unreferenced object 0xffffc9000488d000 (size 9195520):
-  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
-  hex dump (first 32 bytes):
-    ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
-    02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
-  backtrace:
-    [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
-    [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
-    [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
-    [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
-    [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
-    [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
-    [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
-    [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
-    [<00000000241f889b>] 0xffffffffffffffff
-
-It should goto 'out_free' lable to free allocated buf while kernel_read
-fails.
-
-Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
----
- fs/exec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index fb72d36f7823..bcf383730bea 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
- 		bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
- 		if (bytes < 0) {
- 			ret = bytes;
--			goto out;
-+			goto out_free;
- 		}
- 
- 		if (bytes == 0)
--- 
-2.21.0
-
diff --git a/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
new file mode 100644
index 000000000..c092a69cb
--- /dev/null
+++ b/libre/linux-libre/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
@@ -0,0 +1,131 @@
+From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 8 Mar 2019 00:58:53 +0100
+Subject: [PATCH 2/2] netfilter: nf_tables: fix set double-free in abort path
+
+The abort path can cause a double-free of an anonymous set.
+Added-and-to-be-aborted rule looks like this:
+
+udp dport { 137, 138 } drop
+
+The to-be-aborted transaction list looks like this:
+
+newset
+newsetelem
+newsetelem
+rule
+
+This gets walked in reverse order, so first pass disables the rule, the
+set elements, then the set.
+
+After synchronize_rcu(), we then destroy those in same order: rule, set
+element, set element, newset.
+
+Problem is that the anonymous set has already been bound to the rule, so
+the rule (lookup expression destructor) already frees the set, when then
+cause use-after-free when trying to delete the elements from this set,
+then try to free the set again when handling the newset expression.
+
+Rule releases the bound set in first place from the abort path, this
+causes the use-after-free on set element removal when undoing the new
+element transactions. To handle this, skip new element transaction if
+set is bound from the abort path.
+
+This is still causes the use-after-free on set element removal.  To
+handle this, remove transaction from the list when the set is already
+bound.
+
+Joint work with Florian Westphal.
+
+Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
+Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/netfilter/nf_tables.h |  6 ++----
+ net/netfilter/nf_tables_api.c     | 17 +++++++++++------
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index b4984bbbe157..3d58acf94dd2 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -416,7 +416,8 @@ struct nft_set {
+ 	unsigned char			*udata;
+ 	/* runtime data below here */
+ 	const struct nft_set_ops	*ops ____cacheline_aligned;
+-	u16				flags:14,
++	u16				flags:13,
++					bound:1,
+ 					genmask:2;
+ 	u8				klen;
+ 	u8				dlen;
+@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
+ struct nft_trans_set {
+ 	struct nft_set			*set;
+ 	u32				set_id;
+-	bool				bound;
+ };
+ 
+ #define nft_trans_set(trans)	\
+ 	(((struct nft_trans_set *)trans->data)->set)
+ #define nft_trans_set_id(trans)	\
+ 	(((struct nft_trans_set *)trans->data)->set_id)
+-#define nft_trans_set_bound(trans)	\
+-	(((struct nft_trans_set *)trans->data)->bound)
+ 
+ struct nft_trans_chain {
+ 	bool				update;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4893f248dfdc..e1724f9d8b9d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ 	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
+ 		if (trans->msg_type == NFT_MSG_NEWSET &&
+ 		    nft_trans_set(trans) == set) {
+-			nft_trans_set_bound(trans) = true;
++			set->bound = true;
+ 			break;
+ 		}
+ 	}
+@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+ 		break;
+ 	case NFT_MSG_NEWSET:
+-		if (!nft_trans_set_bound(trans))
+-			nft_set_destroy(nft_trans_set(trans));
++		nft_set_destroy(nft_trans_set(trans));
+ 		break;
+ 	case NFT_MSG_NEWSETELEM:
+ 		nft_set_elem_destroy(nft_trans_elem_set(trans),
+@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
+ 			break;
+ 		case NFT_MSG_NEWSET:
+ 			trans->ctx.table->use--;
+-			if (!nft_trans_set_bound(trans))
+-				list_del_rcu(&nft_trans_set(trans)->list);
++			if (nft_trans_set(trans)->bound) {
++				nft_trans_destroy(trans);
++				break;
++			}
++			list_del_rcu(&nft_trans_set(trans)->list);
+ 			break;
+ 		case NFT_MSG_DELSET:
+ 			trans->ctx.table->use++;
+@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
+ 			nft_trans_destroy(trans);
+ 			break;
+ 		case NFT_MSG_NEWSETELEM:
++			if (nft_trans_elem_set(trans)->bound) {
++				nft_trans_destroy(trans);
++				break;
++			}
+ 			te = (struct nft_trans_elem *)trans->data;
+-
+ 			te->set->ops->remove(net, te->set, &te->elem);
+ 			atomic_dec(&te->set->nelems);
+ 			break;
+-- 
+2.21.0
+
diff --git a/libre/linux-libre/PKGBUILD b/libre/linux-libre/PKGBUILD
index dab364f68..299a7aec7 100644
--- a/libre/linux-libre/PKGBUILD
+++ b/libre/linux-libre/PKGBUILD
@@ -11,8 +11,8 @@
 
 pkgbase=linux-libre         # Build stock kernel
 #pkgbase=linux-libre-custom # Build kernel with a different name
-_srcbasever=4.20-gnu
-_srcver=5.0-gnu
+_srcbasever=5.0-gnu
+_srcver=5.0.2-gnu
 
 _replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
 _replacesoldkernels=() # '%' gets replaced with _kernelname
@@ -58,15 +58,15 @@ source=(
   0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch
   0002-fix-Atmel-maXTouch-touchscreen-support.patch
   0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
-  0002-exec-Fix-mem-leak-in-kernel_read_file.patch
+  0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
 )
 validpgpkeys=(
   '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
   '6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78' # David P.
 )
-sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c22c211e47fca2509d5d75d64626fb28e9bbc8ccadc565f27fe9c8e47e12dc4'
+sha512sums=('56b8e77eb445c92c3e0ec0dc45fa5fb09641cad18003b79991652b83cf1d96cc1651750dfa9eec15652108a1b8aff1781c4f8ec5f92784b8542e59e0605922d9'
             'SKIP'
-            'ef6ec083f67f2a44110b904798e4263e03dccce38b7a2d1a574ce06cc7db870a37e8f27eba7ef86743eef504f4876eae26c3f96d80b020a2412a28fb96c4feae'
+            '2eee919805705709ef5493e0a0e1f7baeb71fed20da7ee06c09546c8976046568447422fc4f0b70178a645840a5a3d46946b4573ea42c025182916cb13bb849a'
             'SKIP'
             '13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
             'SKIP'
@@ -76,7 +76,7 @@ sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c2
             'SKIP'
             '70776ba8c99c778acd48e22d1396ef5e6419a6f78828776067b32081e345ba82510f05bae2d4cf07a2cb8b00406c607c38097425ff9cad9dabac6ff9c3f7feeb'
             'd676726b536ea6bf255e5fd70ed0dbd97fa24ec29b6a6a36f438705b2be4c842127b2f5bd7b5270d99588fa75e3d3674d28113defcd665f11feb518022f032a3'
-            '492c39f1ffe45cb5baac7de7aa825b22974aa0982d38d57defa956af7bcbbfa98a01bfa3b209a75bbd173625329d418a976d5fa1c0097686da6f21e5322121e1'
+            '9f528e1549eb3acf46efa58ff24f00d76e26d4656e0472ab1fa950c7afec1b1f5f097874eb19a5b6ef4c53f0d6bdf527414cec664ebbdd0bb1611be895f337a7'
             '7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a'
             '2718b58dbbb15063bacb2bde6489e5b3c59afac4c0e0435b97fe720d42c711b6bcba926f67a8687878bd51373c9cf3adb1915a11666d79ccb220bf36e0788ab7'
             '2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf'
@@ -96,8 +96,8 @@ sha512sums=('a4a0a25fd490c051deb32ff84ba51e8807bfc8db1ad46c22c7807e9be2e5db5e1c2
             '17b09c80b0c235a5395c350c2b1acfda1c549c5bb6017f6a7056a84686fe23d7983a40f416cfc1da075523ad87d39ff4ff7b4057a275705679830db15b621991'
             '02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
             'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
-            '6e8710c5f243ec44406730bab11581ff9e4386203c22997d6b13e7f43f8fb99073fa1b7aee4bd8598478e0f4652975ae156e92c5be3f21efefff06345078e703'
-            'f8d47cb9e4cbc3f050afc7a8a364526445439a0e7d64b4182496fa6da056afbc0381d04ee872b3794fe6fa05af38a7ed532549304c919b2c91250554f75997b9')
+            '0016e750127728458ab23ef445f92a8b52064806f235c03dd92e699a8bfb397d6274f6ba484a99af19ed729f6c63bab714bd350c7e7ed82c30a4b62b29857ff7'
+            '8348ecfeec519a41c68f1a97ec4b6007b3ed5ed61c271733d562ae22c6c85e4e217eb6c367bb53f3c53ad72f311360bd3aa57d09fba7cda358748c2bdd0416c2')
 
 _kernelname=${pkgbase#linux-libre}
 _replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
@@ -142,7 +142,7 @@ prepare() {
 
   # add Arch patches
   patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
-  patch -p1 -i ../0002-exec-Fix-mem-leak-in-kernel_read_file.patch
+  patch -p1 -i ../0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
 
   # maintain the TTY over USB disconnects
   # http://www.coreboot.org/EHCI_Gadget_Debug
diff --git a/libre/linux-libre/config.armv7h b/libre/linux-libre/config.armv7h
index e63afbc01..ce0fcfeda 100644
--- a/libre/linux-libre/config.armv7h
+++ b/libre/linux-libre/config.armv7h
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm 5.0.0-gnu Kernel Configuration
+# Linux/arm 5.0.2-gnu Kernel Configuration
 #
 
 #
@@ -3668,8 +3668,8 @@ CONFIG_SERIAL_SAMSUNG_UARTS_4=y
 CONFIG_SERIAL_SAMSUNG_UARTS=4
 CONFIG_SERIAL_SAMSUNG_CONSOLE=y
 CONFIG_SERIAL_TEGRA=y
-# CONFIG_SERIAL_MAX3100 is not set
-# CONFIG_SERIAL_MAX310X is not set
+CONFIG_SERIAL_MAX3100=m
+CONFIG_SERIAL_MAX310X=m
 CONFIG_SERIAL_IMX=y
 CONFIG_SERIAL_IMX_CONSOLE=y
 # CONFIG_SERIAL_UARTLITE is not set
-- 
cgit v1.2.2