Merge pull request #2698 from bgilbert/kernel

sys-kernel/coreos-*: apply CVE patches

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel savedconfig
 
 DESCRIPTION="CoreOS Linux kernel modules"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild

@@ -46,4 +46,6 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
 	${PATCH_DIR}/z0025-bonding-commit-link-status-change-after-propose.patch \
 	${PATCH_DIR}/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch \
+	${PATCH_DIR}/z0027-udp-consistently-apply-ufo-or-fragmentation.patch \
+	${PATCH_DIR}/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
 From ce3175a0cc48f722fa2cd41722e29059b71bb9a9 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/26] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 01/28] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 that can be passed to efi_enabled() to find out whether secure boot is
@@ -18,7 +18,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 2 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 36646f1..87ef54e 100644
+index 36646f19d40b..87ef54e64842 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p)
@@ -30,7 +30,7 @@ index 36646f1..87ef54e 100644
  			break;
  		default:
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index ec36f42..381b3f6 100644
+index ec36f42a2add..381b3f6670d3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
 @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
@@ -42,5 +42,5 @@ index ec36f42..381b3f6 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch

@@ -1,7 +1,7 @@
 From 9f4e6a47c74ed8a659e0f7498d0c10482c2cfbaf Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/26] Add the ability to lock down access to the running
+Subject: [PATCH 02/28] Add the ability to lock down access to the running
  kernel image
 
 Provide a single call to allow kernel code to determine whether the system
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  create mode 100644 security/lock_down.c
 
 diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 13bc08a..282a168 100644
+index 13bc08aba704..282a1684d6e8 100644
 --- a/include/linux/kernel.h
 +++ b/include/linux/kernel.h
 @@ -276,6 +276,15 @@ extern int oops_may_print(void);
@@ -41,7 +41,7 @@ index 13bc08a..282a168 100644
  int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
  int __must_check _kstrtol(const char *s, unsigned int base, long *res);
 diff --git a/include/linux/security.h b/include/linux/security.h
-index af675b5..68bab18 100644
+index af675b576645..68bab18ddd57 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
@@ -62,7 +62,7 @@ index af675b5..68bab18 100644
  #endif /* ! __LINUX_SECURITY_H */
  
 diff --git a/security/Kconfig b/security/Kconfig
-index 93027fd..4baac4a 100644
+index 93027fdf47d1..4baac4aab277 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
 @@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH
@@ -88,7 +88,7 @@ index 93027fd..4baac4a 100644
  source security/smack/Kconfig
  source security/tomoyo/Kconfig
 diff --git a/security/Makefile b/security/Makefile
-index f2d71cd..8c4a43e 100644
+index f2d71cdb8e19..8c4a43e3d4e0 100644
 --- a/security/Makefile
 +++ b/security/Makefile
 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
@@ -100,7 +100,7 @@ index f2d71cd..8c4a43e 100644
 +obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
 diff --git a/security/lock_down.c b/security/lock_down.c
 new file mode 100644
-index 0000000..5788c60
+index 000000000000..5788c60ff4e1
 --- /dev/null
 +++ b/security/lock_down.c
 @@ -0,0 +1,40 @@
@@ -145,5 +145,5 @@ index 0000000..5788c60
 +}
 +EXPORT_SYMBOL(kernel_is_locked_down);
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,7 +1,7 @@
 From fe6eb63a38a0e5f99d73e4b4cb2f4bbd8f127723 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/26] efi: Lock down the kernel if booted in secure boot mode
+Subject: [PATCH 03/28] efi: Lock down the kernel if booted in secure boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels.  Certain use cases may also
@@ -16,7 +16,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 19 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 0efb4c9..4d1c53b 100644
+index 0efb4c9497bc..4d1c53bb8411 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
 @@ -1827,6 +1827,18 @@ config EFI_MIXED
@@ -39,7 +39,7 @@ index 0efb4c9..4d1c53b 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 87ef54e..4c4d758 100644
+index 87ef54e64842..4c4d758d4be1 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -69,6 +69,7 @@
@@ -65,5 +65,5 @@ index 87ef54e..4c4d758 100644
  		default:
  			pr_info("Secure boot could not be determined\n");
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
 From d7e6ff962e25a9a4c7900dcae3c325d68b0b01ad Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/26] Enforce module signatures if the kernel is locked down
+Subject: [PATCH 04/28] Enforce module signatures if the kernel is locked down
 
 If the kernel is locked down, require that all modules have valid
 signatures that we can verify.
@@ -12,7 +12,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/kernel/module.c b/kernel/module.c
-index 4a3665f..3f1de34 100644
+index 4a3665f8f837..3f1de34c6d10 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags)
@@ -25,5 +25,5 @@ index 4a3665f..3f1de34 100644
  
  	return err;
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch

@@ -1,7 +1,7 @@
 From 4c9d9cc8455fc46e6a5171df2367cc89171894e8 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/26] Restrict /dev/mem and /dev/kmem when the kernel is
+Subject: [PATCH 05/28] Restrict /dev/mem and /dev/kmem when the kernel is
  locked down
 
 Allowing users to write to address space makes it possible for the kernel to
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 593a881..ba68add 100644
+index 593a8818aca9..ba68add9677f 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -39,5 +39,5 @@ index 593a881..ba68add 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch

@@ -1,7 +1,7 @@
 From eebae3db37325d6ca57d1b006f904437a59580f6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/26] kexec: Disable at runtime if the kernel is locked down
+Subject: [PATCH 06/28] kexec: Disable at runtime if the kernel is locked down
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that lock-down is meant to prevent. It makes sense to disable
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 980936a..46de8e6 100644
+index 980936a90ee6..46de8e6b42f4 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
 @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
@@ -35,5 +35,5 @@ index 980936a..46de8e6 100644
  	 * This leaves us room for future extensions.
  	 */
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch

@@ -1,7 +1,7 @@
 From cc3ff81651b05bfeeeda80928837019d67a7b1cc Mon Sep 17 00:00:00 2001
 From: Dave Young <dyoung@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/26] Copy secure_boot flag in boot params across kexec
+Subject: [PATCH 07/28] Copy secure_boot flag in boot params across kexec
  reboot
 
 Kexec reboot in case secure boot being enabled does not keep the secure
@@ -22,7 +22,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 9d7fd5e..7e6f00a 100644
+index 9d7fd5e6689a..7e6f00ae8322 100644
 --- a/arch/x86/kernel/kexec-bzimage64.c
 +++ b/arch/x86/kernel/kexec-bzimage64.c
 @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
@@ -34,5 +34,5 @@ index 9d7fd5e..7e6f00a 100644
  	ei->efi_systab = current_ei->efi_systab;
  	ei->efi_systab_hi = current_ei->efi_systab_hi;
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch

@@ -1,7 +1,7 @@
 From 11cdd5d6f82dc648da689d0d5df80415aa6ccfdb Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
 Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/26] kexec_file: Disable at runtime if securelevel has been
+Subject: [PATCH 08/28] kexec_file: Disable at runtime if securelevel has been
  set
 
 When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
@@ -18,7 +18,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index b118735..f6937ee 100644
+index b118735fea9d..f6937eecd1eb 100644
 --- a/kernel/kexec_file.c
 +++ b/kernel/kexec_file.c
 @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
@@ -35,5 +35,5 @@ index b118735..f6937ee 100644
  	if (flags != (flags & KEXEC_FILE_FLAGS))
  		return -EINVAL;
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
 From e066547b800fe128b1490bed96ce05485308a4ac Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/26] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 09/28] hibernate: Disable when the kernel is locked down
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index a8b978c..50cca5d 100644
+index a8b978c35a6a..50cca5dcb62f 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644
  
  /**
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
 From 56b9aa60591fcda67ed2343781feae65d4b644e0 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/26] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 10/28] uswsusp: Disable when the kernel is locked down
 
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel.  Disable this if the kernel
@@ -14,7 +14,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 22df9f7..e4b926d 100644
+index 22df9f7ff672..e4b926d329b7 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
 @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
@@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644
  
  	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch

@@ -1,7 +1,7 @@
 From 376f41a9e72da16e71afae479db0ddfdb3b00648 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/26] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 11/28] PCI: Lock down BAR access when the kernel is locked
  down
 
 Any hardware that can potentially generate DMA has to be locked down in
@@ -19,7 +19,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  3 files changed, 17 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 31e9961..5595560 100644
+index 31e99613a12e..559556047d66 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
@@ -53,7 +53,7 @@ index 31e9961..5595560 100644
  }
  
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 098360d..ef16fcc 100644
+index 098360d7ff81..ef16fccb1923 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
 @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@@ -86,7 +86,7 @@ index 098360d..ef16fcc 100644
  
  	if (fpriv->mmap_state == pci_mmap_io) {
 diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index 9bf993e..c095247 100644
+index 9bf993e1f71e..c09524738ceb 100644
 --- a/drivers/pci/syscall.c
 +++ b/drivers/pci/syscall.c
 @@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
@@ -99,5 +99,5 @@ index 9bf993e..c095247 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch

@@ -1,7 +1,7 @@
 From 95073d14a7f72af389cf7ae17967918f5fa69807 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/26] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 12/28] x86: Lock down IO port access when the kernel is locked
  down
 
 IO port access would permit users to gain access to PCI configuration
@@ -20,7 +20,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 9c3cf09..4a613fe 100644
+index 9c3cf0944bce..4a613fed94b6 100644
 --- a/arch/x86/kernel/ioport.c
 +++ b/arch/x86/kernel/ioport.c
 @@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index ba68add..5e2a260 100644
+index ba68add9677f..5e2a260fb89f 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
@@ -55,5 +55,5 @@ index ba68add..5e2a260 100644
  }
  
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
 From 772e7b9176b7ddcce9cef71b2e79ed705916342f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/26] x86: Restrict MSR access when the kernel is locked down
+Subject: [PATCH 13/28] x86: Restrict MSR access when the kernel is locked down
 
 Writing to MSRs should not be allowed if the kernel is locked down, since
 it could lead to execution of arbitrary code in kernel mode.  Based on a
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef68880..fbcce02 100644
+index ef688804f80d..fbcce028e502 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
 @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@@ -40,5 +40,5 @@ index ef68880..fbcce02 100644
  			err = -EFAULT;
  			break;
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch

@@ -1,7 +1,7 @@
 From e08b26f76b182ac6e12a6b9d50b493d2fedd34fc Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/26] asus-wmi: Restrict debugfs interface when the kernel is
+Subject: [PATCH 14/28] asus-wmi: Restrict debugfs interface when the kernel is
  locked down
 
 We have no way of validating what all of the Asus WMI methods do on a given
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 6c7d860..57b82cb 100644
+index 6c7d86074b38..57b82cbc9a6b 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -51,5 +51,5 @@ index 6c7d860..57b82cb 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch

@@ -1,7 +1,7 @@
 From 47a2d3bcc537f52e09d195cd5ae6c1546dfb2cdc Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/26] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 15/28] ACPI: Limit access to custom_method when the kernel is
  locked down
 
 custom_method effectively allows arbitrary access to system memory, making
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e724..e4d721c 100644
+index c68e72414a67..e4d721c330c0 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
 @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
@@ -29,5 +29,5 @@ index c68e724..e4d721c 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch

@@ -1,7 +1,7 @@
 From 9e4a043b792c4599a313aeb81b548e4a65b85f3f Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/26] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 16/28] acpi: Ignore acpi_rsdp kernel param when the kernel has
  been locked down
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index db78d35..d4d4ba3 100644
+index db78d353bab1..d4d4ba348451 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
@@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644
  #endif
  
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch

@@ -1,7 +1,7 @@
 From e0ff61fba4dd9e26a6744446a6e133eac094b6ee Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/26] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 17/28] acpi: Disable ACPI table override if the kernel is
  locked down
 
 From the kernel documentation (initrd_table_override.txt):
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index ff42539..c72bfa9 100644
+index ff425390bfa8..c72bfa97888a 100644
 --- a/drivers/acpi/tables.c
 +++ b/drivers/acpi/tables.c
 @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
@@ -37,5 +37,5 @@ index ff42539..c72bfa9 100644
  		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
  				       all_tables_size, PAGE_SIZE);
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch

@@ -1,7 +1,7 @@
 From 7f0ec497364d309fdddb96ced1a83a9890b86baa Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/26] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 18/28] acpi: Disable APEI error injection if the kernel is
  locked down
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
@@ -26,7 +26,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index ec50c32..e082718 100644
+index ec50c32ea3da..e082718d01c2 100644
 --- a/drivers/acpi/apei/einj.c
 +++ b/drivers/acpi/apei/einj.c
 @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
@@ -40,5 +40,5 @@ index ec50c32..e082718 100644
  	if (flags && (flags &
  		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch

@@ -1,7 +1,7 @@
 From 1670abea3f18938e2bd3407c47e6d1b0b66d3bc2 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <jlee@suse.com>
 Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/26] bpf: Restrict kernel image access functions when the
+Subject: [PATCH 19/28] bpf: Restrict kernel image access functions when the
  kernel is locked down
 
 There are some bpf functions can be used to read kernel memory:
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 11 insertions(+)
 
 diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index 460a031..58eb33d 100644
+index 460a031c77e5..58eb33d5d6ae 100644
 --- a/kernel/trace/bpf_trace.c
 +++ b/kernel/trace/bpf_trace.c
 @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
@@ -53,5 +53,5 @@ index 460a031..58eb33d 100644
  	for (i = 0; i < fmt_size; i++) {
  		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch

@@ -1,7 +1,7 @@
 From 6c9effad0058286f8bb4d01ac247ef92be727b40 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/26] scsi: Lock down the eata driver
+Subject: [PATCH 20/28] scsi: Lock down the eata driver
 
 When the kernel is running in secure boot mode, we lock down the kernel to
 prevent userspace from modifying the running kernel image.  Whilst this
@@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
-index 227dd2c..5c036d1 100644
+index 227dd2c2ec2f..5c036d10c18b 100644
 --- a/drivers/scsi/eata.c
 +++ b/drivers/scsi/eata.c
 @@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
@@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644
  #if defined(MODULE)
  	/* io_port could have been modified when loading as a module */
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch

@@ -1,7 +1,7 @@
 From df81e03770883fd556ba9591ab30e74097f0229f Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/26] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 21/28] Prohibit PCMCIA CIS storage when the kernel is locked
  down
 
 Prohibit replacement of the PCMCIA Card Information Structure when the
@@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index 55ef7d1..193e4f7 100644
+index 55ef7d1fd8da..193e4f7b73b1 100644
 --- a/drivers/pcmcia/cistpl.c
 +++ b/drivers/pcmcia/cistpl.c
 @@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
@@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644
  
  	if (off)
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch

@@ -1,7 +1,7 @@
 From d17a0012c78e29a87b949f30f175267fd91ff525 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/26] Lock down TIOCSSERIAL
+Subject: [PATCH 22/28] Lock down TIOCSSERIAL
 
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq
 settings on a serial port.  This only appears to be an issue for the serial
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 13bfd5d..45fb768 100644
+index 13bfd5dcffce..45fb7689bc1c 100644
 --- a/drivers/tty/serial/serial_core.c
 +++ b/drivers/tty/serial/serial_core.c
 @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
@@ -32,5 +32,5 @@ index 13bfd5d..45fb768 100644
  		retval = -EPERM;
  		if (change_irq || change_port ||
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
 From d21200af07c733bfc29d16883443a5207dd623eb Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/26] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/28] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 382e967..e5aa822 100644
+index 382e967b0792..e5aa82292663 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 382e967..e5aa822 100644
  
  # Leave processing to above invocation of make
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
 From 94f8291a354361a902bfaa9aefc9de9cbbe8bacb Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/26] Add arm64 coreos verity hash
+Subject: [PATCH 24/28] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
  1 file changed, 5 insertions(+)
 
 diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
-index 613fc30..fdaf86c 100644
+index 613fc3000677..fdaf86c78332 100644
 --- a/arch/arm64/kernel/efi-header.S
 +++ b/arch/arm64/kernel/efi-header.S
 @@ -103,6 +103,11 @@ section_table:
@@ -25,5 +25,5 @@ index 613fc30..fdaf86c 100644
  	/*
  	 * The debug table is referenced via its Relative Virtual Address (RVA),
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch

@@ -1,7 +1,7 @@
 From 0d1fedc72064771c52e3bd8947b9a52b81f239fb Mon Sep 17 00:00:00 2001
 From: WANG Cong <xiyou.wangcong@gmail.com>
 Date: Tue, 25 Jul 2017 09:44:25 -0700
-Subject: [PATCH 25/26] bonding: commit link status change after propose
+Subject: [PATCH 25/28] bonding: commit link status change after propose
 
 Commit de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring")
 moves link status commitment into bond_mii_monitor(), but it still relies
@@ -20,7 +20,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  1 file changed, 2 insertions(+)
 
 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
-index 8ab6bdb..0eab2fd 100644
+index 8ab6bdbe1682..0eab2fdff8d7 100644
 --- a/drivers/net/bonding/bond_main.c
 +++ b/drivers/net/bonding/bond_main.c
 @@ -2047,6 +2047,7 @@ static int bond_miimon_inspect(struct bonding *bond)
@@ -40,5 +40,5 @@ index 8ab6bdb..0eab2fd 100644
  
  			if (slave->delay) {
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch

@@ -1,7 +1,7 @@
 From b24f16f597586d794bb66c08f09b4e83579da916 Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Mon, 31 Jul 2017 21:49:49 +0300
-Subject: [PATCH 26/26] virtio_net: fix truesize for mergeable buffers
+Subject: [PATCH 26/28] virtio_net: fix truesize for mergeable buffers
 
 Seth Forshee noticed a performance degradation with some workloads.
 This turns out to be due to packet drops.  Euan Kemp noticed that this
@@ -27,7 +27,7 @@ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
-index 6633dd4..acb754e 100644
+index 6633dd4bb649..acb754eb1ccb 100644
 --- a/drivers/net/virtio_net.c
 +++ b/drivers/net/virtio_net.c
 @@ -889,21 +889,20 @@ static int add_recvbuf_mergeable(struct virtnet_info *vi,
@@ -55,5 +55,5 @@ index 6633dd4..acb754e 100644
  	if (err < 0)
  		put_page(virt_to_head_page(buf));
 -- 
-2.10.2
+2.13.4
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch

@@ -0,0 +1,74 @@
+From 0f444da98d55b1d78467778c2db2a0fdf7a11f9d Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 14 Jul 2017 10:19:00 -0700
+Subject: [PATCH 27/28] udp: consistently apply ufo or fragmentation
+
+When iteratively building a UDP datagram with MSG_MORE and that
+datagram exceeds MTU, consistently choose UFO or fragmentation.
+
+Once skb_is_gso, always apply ufo. Conversely, once a datagram is
+split across multiple skbs, do not consider ufo.
+
+Sendpage already maintains the first invariant, only add the second.
+IPv6 does not have a sendpage implementation to modify.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+CVE: CVE-2017-1000112
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+---
+ net/ipv4/ip_output.c  | 8 +++++---
+ net/ipv6/ip6_output.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 532b36e9ce2a..e5948c0c9759 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -964,11 +964,12 @@ static int __ip_append_data(struct sock *sk,
+ 		csummode = CHECKSUM_PARTIAL;
+ 
+ 	cork->length += length;
+-	if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+-	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
++	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ 					 hh_len, fragheaderlen, transhdrlen,
+ 					 maxfraglen, flags);
+@@ -1287,6 +1288,7 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
+ 		return -EINVAL;
+ 
+ 	if ((size + skb->len > mtu) &&
++	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO)) {
+ 		if (skb->ip_summed != CHECKSUM_PARTIAL)
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 1699acb2fa2c..90e8c3d57423 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1390,11 +1390,12 @@ static int __ip6_append_data(struct sock *sk,
+ 	 */
+ 
+ 	cork->length += length;
+-	if ((((length + (skb ? skb->len : headersize)) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    (((length + (skb ? skb->len : headersize)) > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+-	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
++	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
+ 		err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ 					  hh_len, fragheaderlen, exthdrlen,
+ 					  transhdrlen, mtu, flags, fl6);
+-- 
+2.13.4
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch

@@ -0,0 +1,63 @@
+From af6054f1bf2facd5f44e4f3652f5f86ea81e7c06 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Date: Fri, 4 Aug 2017 12:48:20 -0400
+Subject: [PATCH 28/28] net-packet: fix race in packet_set_ring on
+ PACKET_RESERVE
+
+PACKET_RESERVE reserves headroom in memory mapped packet ring frames.
+The value po->tp_reserve must is verified to be safe in packet_set_ring
+
+    if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
+
+and the setsockopt fails once a ring is set.
+
+    if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+            return -EBUSY;
+
+This operation does not take the socket lock. This leads to a race
+similar to the one with PACKET_VERSION fixed in commit 84ac7260236a
+("packet: fix race condition in packet_set_ring").
+
+Fix this issue in the same manner: take the socket lock, which as of
+that patch is held for the duration of packet_set_ring.
+
+This bug was discovered with syzkaller.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+CVE: CVE-2017-1000111
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index e3eeed19cc7a..b2df3bae2de7 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3705,14 +3705,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 
+ 		if (optlen != sizeof(val))
+ 			return -EINVAL;
+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
+ 		if (val > INT_MAX)
+ 			return -EINVAL;
+-		po->tp_reserve = val;
+-		return 0;
++		lock_sock(sk);
++		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
++			ret = -EBUSY;
++		else {
++			po->tp_reserve = val;
++			ret = 0;
++		}
++		release_sock(sk);
++		return ret;
+ 	}
+ 	case PACKET_LOSS:
+ 	{
+-- 
+2.13.4
+