4 files changed, 153 insertions, 18 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 3882a01cd9e0..71261b13b47b 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 # Generated by mksrcinfo v8
-# Thu Mar 14 17:22:23 UTC 2019
+# Thu Mar 21 19:38:08 UTC 2019
 pkgbase = linux-ck
-	pkgver = 5.0.2
+	pkgver = 5.0.3
 	pkgrel = 1
 	url = https://wiki.archlinux.org/index.php/Linux-ck
 	arch = x86_64
@@ -11,8 +11,8 @@ pkgbase = linux-ck
 	makedepends = bc
 	makedepends = libelf
 	options = !strip
-	source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.xz
-	source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.2.tar.sign
+	source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.3.tar.xz
+	source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.3.tar.sign
 	source = config
 	source = 60-linux.hook
 	source = 90-linux.hook
@@ -20,7 +20,8 @@ pkgbase = linux-ck
 	source = enable_additional_cpu_optimizations-20180509.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/20180509.tar.gz
 	source = http://ck.kolivas.org/patches/5.0/5.0/5.0-ck1/patch-5.0-ck1.xz
 	source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
-	sha256sums = 43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b
+	source = 0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
+	sha256sums = 40d533792a784bfd519cfc2eab7fe98bbafeb283eb31f17a99f6bf39cabfff89
 	sha256sums = SKIP
 	sha256sums = cc8341a0f4b25ee98238d90faa75338c3ed9ae882d3982464b239960ce5b187f
 	sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
@@ -28,7 +29,8 @@ pkgbase = linux-ck
 	sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
 	sha256sums = 226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d
 	sha256sums = 661f64bbd8bf49afcc7c760c4148b2e2108511a1eadcae917cfe6056a83d8476
-	sha256sums = 55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316
+	sha256sums = 91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3
+	sha256sums = 87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba
 
 pkgname = linux-ck
 	pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.190
@@ -38,12 +40,12 @@ pkgname = linux-ck
 	depends = kmod
 	depends = mkinitcpio
 	optdepends = crda: to set the correct wireless channels of your country
-	provides = linux-ck=5.0.2
+	provides = linux-ck=5.0.3
 	backup = etc/mkinitcpio.d/linux-ck.preset
 
 pkgname = linux-ck-headers
 	pkgdesc = Header files and scripts for building modules for Linux-ck kernel
 	depends = linux-ck
-	provides = linux-ck-headers=5.0.2
-	provides = linux-headers=5.0.2
+	provides = linux-ck-headers=5.0.3
+	provides = linux-headers=5.0.3
 
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
index 4a24f9ce9682..e7432e3242f2 100644
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -1,4 +1,4 @@
-From 884528c4629b0b333061c191d9b26081431dbfd3 Mon Sep 17 00:00:00 2001
+From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge.hallyn@canonical.com>
 Date: Fri, 31 May 2013 19:12:12 +0100
 Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by
@@ -14,7 +14,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
  3 files changed, 30 insertions(+)
 
 diff --git a/kernel/fork.c b/kernel/fork.c
-index 906cd0c13d15..0d1d30ad91e7 100644
+index b69248e6f0e0..3b1cd11dc6dc 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -104,6 +104,11 @@
@@ -29,7 +29,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644
  
  /*
   * Minimum number of threads to boot the kernel
-@@ -1699,6 +1704,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1695,6 +1700,10 @@ static __latent_entropy struct task_struct *copy_process(
  	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
  		return ERR_PTR(-EINVAL);
  
@@ -40,7 +40,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -2532,6 +2541,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -2528,6 +2537,12 @@ int ksys_unshare(unsigned long unshare_flags)
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  
@@ -54,7 +54,7 @@ index 906cd0c13d15..0d1d30ad91e7 100644
  	if (err)
  		goto bad_unshare_out;
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 9ee261fce89e..ab26ddeab33d 100644
+index ba4d9e85feb8..e88b93a850df 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -106,6 +106,9 @@ extern int core_uses_pid;
@@ -98,5 +98,5 @@ index 923414a246e9..6b9dbc257e34 100644
  static DEFINE_MUTEX(userns_state_mutex);
  
 -- 
-2.20.1
+2.21.0
 
diff --git a/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
new file mode 100644
index 000000000000..e5797a8c2314
--- /dev/null
+++ b/0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
@@ -0,0 +1,131 @@
+From 7a6c88347cc6dd3b0ade3be5e45cb932a07cec82 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 8 Mar 2019 00:58:53 +0100
+Subject: [PATCH 2/3] netfilter: nf_tables: fix set double-free in abort path
+
+The abort path can cause a double-free of an anonymous set.
+Added-and-to-be-aborted rule looks like this:
+
+udp dport { 137, 138 } drop
+
+The to-be-aborted transaction list looks like this:
+
+newset
+newsetelem
+newsetelem
+rule
+
+This gets walked in reverse order, so first pass disables the rule, the
+set elements, then the set.
+
+After synchronize_rcu(), we then destroy those in same order: rule, set
+element, set element, newset.
+
+Problem is that the anonymous set has already been bound to the rule, so
+the rule (lookup expression destructor) already frees the set, when then
+cause use-after-free when trying to delete the elements from this set,
+then try to free the set again when handling the newset expression.
+
+Rule releases the bound set in first place from the abort path, this
+causes the use-after-free on set element removal when undoing the new
+element transactions. To handle this, skip new element transaction if
+set is bound from the abort path.
+
+This is still causes the use-after-free on set element removal.  To
+handle this, remove transaction from the list when the set is already
+bound.
+
+Joint work with Florian Westphal.
+
+Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
+Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/net/netfilter/nf_tables.h |  6 ++----
+ net/netfilter/nf_tables_api.c     | 17 +++++++++++------
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index b4984bbbe157..3d58acf94dd2 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -416,7 +416,8 @@ struct nft_set {
+ 	unsigned char			*udata;
+ 	/* runtime data below here */
+ 	const struct nft_set_ops	*ops ____cacheline_aligned;
+-	u16				flags:14,
++	u16				flags:13,
++					bound:1,
+ 					genmask:2;
+ 	u8				klen;
+ 	u8				dlen;
+@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
+ struct nft_trans_set {
+ 	struct nft_set			*set;
+ 	u32				set_id;
+-	bool				bound;
+ };
+ 
+ #define nft_trans_set(trans)	\
+ 	(((struct nft_trans_set *)trans->data)->set)
+ #define nft_trans_set_id(trans)	\
+ 	(((struct nft_trans_set *)trans->data)->set_id)
+-#define nft_trans_set_bound(trans)	\
+-	(((struct nft_trans_set *)trans->data)->bound)
+ 
+ struct nft_trans_chain {
+ 	bool				update;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4893f248dfdc..e1724f9d8b9d 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ 	list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
+ 		if (trans->msg_type == NFT_MSG_NEWSET &&
+ 		    nft_trans_set(trans) == set) {
+-			nft_trans_set_bound(trans) = true;
++			set->bound = true;
+ 			break;
+ 		}
+ 	}
+@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ 		nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
+ 		break;
+ 	case NFT_MSG_NEWSET:
+-		if (!nft_trans_set_bound(trans))
+-			nft_set_destroy(nft_trans_set(trans));
++		nft_set_destroy(nft_trans_set(trans));
+ 		break;
+ 	case NFT_MSG_NEWSETELEM:
+ 		nft_set_elem_destroy(nft_trans_elem_set(trans),
+@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
+ 			break;
+ 		case NFT_MSG_NEWSET:
+ 			trans->ctx.table->use--;
+-			if (!nft_trans_set_bound(trans))
+-				list_del_rcu(&nft_trans_set(trans)->list);
++			if (nft_trans_set(trans)->bound) {
++				nft_trans_destroy(trans);
++				break;
++			}
++			list_del_rcu(&nft_trans_set(trans)->list);
+ 			break;
+ 		case NFT_MSG_DELSET:
+ 			trans->ctx.table->use++;
+@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
+ 			nft_trans_destroy(trans);
+ 			break;
+ 		case NFT_MSG_NEWSETELEM:
++			if (nft_trans_elem_set(trans)->bound) {
++				nft_trans_destroy(trans);
++				break;
++			}
+ 			te = (struct nft_trans_elem *)trans->data;
+-
+ 			te->set->ops->remove(net, te->set, &te->elem);
+ 			atomic_dec(&te->set->nelems);
+ 			break;
+-- 
+2.21.0
+
diff --git a/PKGBUILD b/PKGBUILD
index 04e47797c8eb..3010c7d71f59 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -61,7 +61,7 @@ _localmodcfg=
 ### IMPORTANT: Do no edit below this line unless you know what you're doing
 
 pkgbase=linux-ck
-_srcver=5.0.2-arch1
+_srcver=5.0.3-arch1
 pkgver=${_srcver%-*}
 pkgrel=1
 _ckpatchversion=1
@@ -81,12 +81,13 @@ source=(
   "enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz"
   "http://ck.kolivas.org/patches/5.0/5.0/5.0-ck${_ckpatchversion}/$_ckpatch.xz"
   0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+  0002-netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
   '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
 )
-sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b'
+sha256sums=('40d533792a784bfd519cfc2eab7fe98bbafeb283eb31f17a99f6bf39cabfff89'
             'SKIP'
             'cc8341a0f4b25ee98238d90faa75338c3ed9ae882d3982464b239960ce5b187f'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
@@ -94,7 +95,8 @@ sha256sums=('43bfea3a6b24b4e5f63190409a199bee8cb93dbea01c52ad7f017078ebdf7c9b'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
             '226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d'
             '661f64bbd8bf49afcc7c760c4148b2e2108511a1eadcae917cfe6056a83d8476'
-            '55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316')
+            '91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3'
+            '87e88d199d8e9beb89d8e5f7ce6a4bf8db18ccec169323c9b6fda563719d76ba')
 
 _kernelname=${pkgbase#linux}
 : ${_kernelname:=-ARCH}