From d34ef5503e2b5ff95566449fc0f9269d966fe3e0 Mon Sep 17 00:00:00 2001 From: Jenkins OS Date: Thu, 12 Oct 2017 20:36:31 +0000 Subject: [PATCH] sys-kernel/coreos-sources: bump to 4.13.6 --- ...-r1.ebuild => coreos-kernel-4.13.6.ebuild} | 2 +- ...r1.ebuild => coreos-modules-4.13.6.ebuild} | 2 +- .../sys-kernel/coreos-sources/Manifest | 2 +- ...r1.ebuild => coreos-sources-4.13.6.ebuild} | 2 +- .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 4 +- ...to-lock-down-access-to-the-running-k.patch | 4 +- ...e-kernel-if-booted-in-secure-boot-mo.patch | 4 +- ...ignatures-if-the-kernel-is-locked-do.patch | 4 +- ...-and-dev-kmem-when-the-kernel-is-loc.patch | 4 +- ...-runtime-if-the-kernel-is-locked-dow.patch | 12 +- ...-flag-in-boot-params-across-kexec-re.patch | 4 +- ...le-at-runtime-if-securelevel-has-bee.patch | 4 +- ...sable-when-the-kernel-is-locked-down.patch | 4 +- ...sable-when-the-kernel-is-locked-down.patch | 4 +- ...R-access-when-the-kernel-is-locked-d.patch | 4 +- ...-port-access-when-the-kernel-is-lock.patch | 4 +- ...-access-when-the-kernel-is-locked-do.patch | 4 +- ...t-debugfs-interface-when-the-kernel-.patch | 4 +- ...s-to-custom_method-when-the-kernel-i.patch | 4 +- ..._rsdp-kernel-param-when-the-kernel-h.patch | 4 +- ...I-table-override-if-the-kernel-is-lo.patch | 4 +- ...I-error-injection-if-the-kernel-is-l.patch | 4 +- ...nel-image-access-functions-when-the-.patch | 4 +- ...z0020-scsi-Lock-down-the-eata-driver.patch | 4 +- ...CIS-storage-when-the-kernel-is-locke.patch | 4 +- .../4.13/z0022-Lock-down-TIOCSSERIAL.patch | 4 +- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 6 +- .../z0024-Add-arm64-coreos-verity-hash.patch | 4 +- ...on-caused-by-exclusive-upper-work-di.patch | 148 ------------------ ...-waitid-Add-missing-access_ok-checks.patch | 43 +++++ 30 files changed, 100 insertions(+), 205 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.13.5-r1.ebuild => coreos-kernel-4.13.6.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.13.5-r1.ebuild => coreos-modules-4.13.6.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.13.5-r1.ebuild => coreos-sources-4.13.6.ebuild} (97%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.6.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.6.ebuild index 2a177741dd..abc3b4ff57 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.6.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.6.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.6.ebuild index 6c70281dca..685aa802e6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.6.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index ae6bf8d1d3..3d8afc7ce9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05 -DIST patch-4.13.5.xz 120108 SHA256 ba0cf285525e24850917c2f5cc7c2283b6509e2185bb70108f140f7ec695d57d SHA512 de55b07e52e88e3bc5af54c619933a81f535393f20712f38000bffa77ded22c7a16e70e43c28daf576bcc6cd3ad39387b8e1f430e3d22222f572113d2345df48 WHIRLPOOL cf0e094ef73563e464128d9e080b3653ea059dc8ae60f55581bbf20483ada96b71144c0862f95e15cf2281cf359c75b9be91c0b246c192ec0f5bb8b918287506 +DIST patch-4.13.6.xz 165096 SHA256 12d897b7f547c7d03a81be690b3dc0e0e5b9becfbd63e3dbf9f7258db861ddfb SHA512 40e111f3969b622f982bfb75f8c35aa59d9989a627a4511d8e0090b0c7bbcafcc90567434f5166ef2d17831f0beddb52762107e523414523e1877f67f66ca3f7 WHIRLPOOL 84ffb5f228a46d5551de04e8dcb8fda2ed72b40f0306198c909036610f58f6d5e6299d71bcd08e235f3c34fbfffb5d6dae805aaaa2dbef220ae94ef844a6890b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild index c0da52d21d..c13c3dfb99 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild @@ -55,5 +55,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \ ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ - ${PATCH_DIR}/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch \ + ${PATCH_DIR}/z0025-waitid-Add-missing-access_ok-checks.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index b0cf4ad1c1..e6a5019f6d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From f1837934545ec345d6509fe6b70d5a8e7fb48c06 Mon Sep 17 00:00:00 2001 +From 0ca587d266c2a08314e7e5026f4db17b2587aaae Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit @@ -42,5 +42,5 @@ index 8269bcb8ccf7..7952dd3ffa73 100644 #ifdef CONFIG_EFI /* -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 8e444cdcac..b6e0216d9c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,4 +1,4 @@ -From 07584ac35f055643fbb7d3db977edb1667761cdd Mon Sep 17 00:00:00 2001 +From 9488dfe7dd6c558cbf39b358b6e26c58ec728f79 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 Subject: [PATCH 02/25] Add the ability to lock down access to the running @@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1 +} +EXPORT_SYMBOL(kernel_is_locked_down); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index d65a326aff..3f791221f6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,4 +1,4 @@ -From 50ee015df6059aafabbde1ca24cc93ed9a5d4dec Mon Sep 17 00:00:00 2001 +From d2ad9ef2777a166bf439681a6e1feb9bed15ba77 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode @@ -65,5 +65,5 @@ index 319995f58345..d0128aef43ce 100644 default: pr_info("Secure boot could not be determined\n"); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index 918e6f4de1..53bfeaf9bc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,4 +1,4 @@ -From 76bf27c180ae82174aa7429c24c815b7d69f4580 Mon Sep 17 00:00:00 2001 +From 1f144b1dcd97473d15e939518257f05df63f25de Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down @@ -25,5 +25,5 @@ index 40f983cbea81..e5b878b26906 100644 return err; -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index 86365567e7..6034d3110e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,4 +1,4 @@ -From 9062089abfaf7e47d6f734d84c27c1cbea3c04c6 Mon Sep 17 00:00:00 2001 +From ec132d88b99550cf6bd04d4b38a660e350c93648 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is @@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index 396f0fdb1c..a2b06b948f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,4 +1,4 @@ -From a4a18f7a7c9f4dc853d1ed84e100bfad45ca768d Mon Sep 17 00:00:00 2001 +From 569b20893b215e18e6bd7ac866a6e768c3d6fd8d Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down @@ -20,20 +20,20 @@ diff --git a/kernel/kexec.c b/kernel/kexec.c index e62ec4dc6620..37f75d0b75de 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + if (!capable(CAP_SYS_BOOT) || kexec_load_disabled) return -EPERM; - /* ++ /* + * kexec can be used to circumvent module loading restrictions, so + * prevent loading in that case + */ + if (kernel_is_locked_down()) + return -EPERM; + -+ /* + /* * Verify we have a legal set of flags * This leaves us room for future extensions. - */ -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index efb73fc7e1..132da3378c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,4 +1,4 @@ -From d3aa49c4e2c3fc2db64a67802d2d1ca7682f3e43 Mon Sep 17 00:00:00 2001 +From ab96910a663a80ec3f8121ca6d6606678a2af6a7 Mon Sep 17 00:00:00 2001 From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec @@ -34,5 +34,5 @@ index fb095ba0c02f..7d0fac5bcbbe 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index 426a34ed33..bf55bfd6e6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,4 +1,4 @@ -From 4f56499f69dd3492dcd4ec80bf0d39882384fedb Mon Sep 17 00:00:00 2001 +From e81bd7b2b8cf468648817b1495d11ea12cc17b61 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been @@ -35,5 +35,5 @@ index 9f48f4412297..7da87007c202 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index f61196d774..0ace9c9c95 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,4 +1,4 @@ -From 73206c208c0fd2658938c75f8b2c223d64f926ac Mon Sep 17 00:00:00 2001 +From b104d0504ff5cd4f2bc55dfe50c7c7758016b50b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down @@ -28,5 +28,5 @@ index e1914c7b85b1..7859ba79e181 100644 /** -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 9e7f47731c..ad84a0c16f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,4 +1,4 @@ -From d575c18b93c029bd3042e5719af1e3536f13f90c Mon Sep 17 00:00:00 2001 +From f2d13ff04ffccd9da300c704c47e4df944f88167 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down @@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index fb3dfebe71..7ebb4290d9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,4 +1,4 @@ -From 16ad18e196811749d4d5f737e4ca0482326be131 Mon Sep 17 00:00:00 2001 +From e3efec13deba479e22e02b51222868fb1ffdfb17 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked @@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index 4fa99e5d53..e982dcf8df 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,4 +1,4 @@ -From ad9d4a91032b313727714cbb57aa8ddfb8d80dfc Mon Sep 17 00:00:00 2001 +From 8cf28062fa8fe09449f2a08fc653f8b67eeb6b23 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked @@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644 } -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index 871a03efa9..d0731d6e35 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,4 +1,4 @@ -From f1e625e306e90405acff33c68a6285a20877de59 Mon Sep 17 00:00:00 2001 +From aceb992e68395597c9e158db6fac1104cc8481bd Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down @@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644 err = -EFAULT; break; -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index b7c859674e..881f15beef 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,4 +1,4 @@ -From b94b97961964b34fa834a5a49a381ba5c40d1136 Mon Sep 17 00:00:00 2001 +From cbf465826c9e7a903640c77abd259df18ca98525 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is @@ -51,5 +51,5 @@ index 709e3a67391a..2d8db47698b2 100644 1, asus->debug.method_id, &input, &output); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch index fb20dc3e09..d3755b45fe 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -1,4 +1,4 @@ -From 3c68d0f079679bbd37603e30a28fda1a51f2052d Mon Sep 17 00:00:00 2001 +From 66efb15a02ff6e631461b419b6534fbf065baa4a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is @@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch index f1d93314c1..a80bee65c2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -1,4 +1,4 @@ -From b422de393e6d978f5067cee5170c449dc4277f20 Mon Sep 17 00:00:00 2001 +From ff8247261c2e520d2d86c9b1c49d6a3add0f787e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:16 +0000 Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has @@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644 #endif -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch index 3daf526f09..81fc451d16 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -1,4 +1,4 @@ -From 26bcf43365c06c2ca9e3386b202c52988525d70d Mon Sep 17 00:00:00 2001 +From 0e0436f160dc5e72da06475f47cf0f3d3eb825c2 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:32:27 +0000 Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is @@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch index 048bb09a78..8648ed5b11 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -1,4 +1,4 @@ -From 0b2d6eaf44fe27ffc3f266d60acd785054c9251a Mon Sep 17 00:00:00 2001 +From 76da8791076ba432067fe7d079ca49e0c9db7bf4 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:39:41 +0000 Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is @@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch index 017a5c0045..62a4db76e2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -1,4 +1,4 @@ -From c03a14e840c12755863e0bb0fc3dc466cdcab734 Mon Sep 17 00:00:00 2001 +From 48cf308a15eb59f0ab3d7f1ca07633888008dd83 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:52:16 +0000 Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the @@ -53,5 +53,5 @@ index dc498b605d5d..fb240222b89b 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch index 2982c428a3..29f690ee74 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch @@ -1,4 +1,4 @@ -From 87d86828a5c23d79d182fe08fc311980a49bb314 Mon Sep 17 00:00:00 2001 +From f65f1cb103ada3d4df63e90259b8087218211385 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 22 Nov 2016 10:10:34 +0000 Subject: [PATCH 20/25] scsi: Lock down the eata driver @@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch index 646f0f9e74..337f899f9d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -1,4 +1,4 @@ -From 5674808941b241db1a075ecf6392cd2f5f963c7b Mon Sep 17 00:00:00 2001 +From 7dbf7ac8f7767b2553126a6a4d99ef5d089b7ac2 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 25 Nov 2016 14:37:45 +0000 Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked @@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644 if (off) -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch index 0cdddcb9b0..0013992be0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch @@ -1,4 +1,4 @@ -From c9f901215cc9798206af8934f3e3396e812bfd36 Mon Sep 17 00:00:00 2001 +From d2242c4df8c05d84c7d598603b04733da930bcd3 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 7 Dec 2016 10:28:39 +0000 Subject: [PATCH 22/25] Lock down TIOCSSERIAL @@ -32,5 +32,5 @@ index f534a40aebde..e32c0179f423 100644 retval = -EPERM; if (change_irq || change_port || -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index c39807dacd..7aaca7bc60 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,4 +1,4 @@ -From 7a7e247d55502efe910eef98322fa706aa8b7ad8 Mon Sep 17 00:00:00 2001 +From 8239e8a3c6a9679b4b84c60e7914fe2cb6cd9f29 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 189f1a748e4c..c44e17ddc9e1 100644 +index 9e1af1af327b..cff814738d5e 100644 --- a/Makefile +++ b/Makefile @@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 189f1a748e4c..c44e17ddc9e1 100644 # Leave processing to above invocation of make -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch index 23d9fcfdd6..29906b7eda 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch @@ -1,4 +1,4 @@ -From 0038c7fad4882341972286f31a15f8013f97e964 Mon Sep 17 00:00:00 2001 +From 569a5db0554a7e94aa37775be1d171b5814f03f1 Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 Subject: [PATCH 24/25] Add arm64 coreos verity hash @@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA), -- -2.13.6 +2.14.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch deleted file mode 100644 index f69dbaf965..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 3dd952f456fda073b3d492a94745f119effba17b Mon Sep 17 00:00:00 2001 -From: Amir Goldstein -Date: Fri, 29 Sep 2017 10:21:21 +0300 -Subject: [PATCH 25/25] ovl: fix regression caused by exclusive upper/work dir - protection - -Enforcing exclusive ownership on upper/work dirs caused a docker -regression: https://github.com/moby/moby/issues/34672. - -Euan spotted the regression and pointed to the offending commit. -Vivek has brought the regression to my attention and provided this -reproducer: - -Terminal 1: - - mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none - merged/ - -Terminal 2: - - unshare -m - -Terminal 1: - - umount merged - mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none - merged/ - mount: /root/overlay-testing/merged: none already mounted or mount point - busy - -To fix the regression, I replaced the error with an alarming warning. -With index feature enabled, mount does fail, but logs a suggestion to -override exclusive dir protection by disabling index. -Note that index=off mount does take the inuse locks, so a concurrent -index=off will issue the warning and a concurrent index=on mount will fail. - -Documentation was updated to reflect this change. - -Fixes: 2cac0c00a6cd ("ovl: get exclusive ownership on upper/work dirs") -Cc: # v4.13 -Reported-by: Euan Kemp -Reported-by: Vivek Goyal -Signed-off-by: Amir Goldstein ---- - Documentation/filesystems/overlayfs.txt | 5 ++++- - fs/overlayfs/ovl_entry.h | 3 +++ - fs/overlayfs/super.c | 27 +++++++++++++++++++-------- - 3 files changed, 26 insertions(+), 9 deletions(-) - -diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt -index 36f528a7fdd6..8caa60734647 100644 ---- a/Documentation/filesystems/overlayfs.txt -+++ b/Documentation/filesystems/overlayfs.txt -@@ -210,8 +210,11 @@ path as another overlay mount and it may use a lower layer path that is - beneath or above the path of another overlay lower layer path. - - Using an upper layer path and/or a workdir path that are already used by --another overlay mount is not allowed and will fail with EBUSY. Using -+another overlay mount is not allowed and may fail with EBUSY. Using - partially overlapping paths is not allowed but will not fail with EBUSY. -+If files are accessed from two overlayfs mounts which share or overlap the -+upper layer and/or workdir path the behavior of the overlay is undefined, -+though it will not result in a crash or deadlock. - - Mounting an overlay using an upper layer path, where the upper layer path - was previously used by another mounted overlay in combination with a -diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h -index 878a750986dd..25d9b5adcd42 100644 ---- a/fs/overlayfs/ovl_entry.h -+++ b/fs/overlayfs/ovl_entry.h -@@ -37,6 +37,9 @@ struct ovl_fs { - bool noxattr; - /* sb common to all layers */ - struct super_block *same_sb; -+ /* Did we take the inuse lock? */ -+ bool upperdir_locked; -+ bool workdir_locked; - }; - - /* private information held for every overlayfs dentry */ -diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c -index d86e89f97201..a1464905c1ea 100644 ---- a/fs/overlayfs/super.c -+++ b/fs/overlayfs/super.c -@@ -210,9 +210,10 @@ static void ovl_put_super(struct super_block *sb) - - dput(ufs->indexdir); - dput(ufs->workdir); -- ovl_inuse_unlock(ufs->workbasedir); -+ if (ufs->workdir_locked) -+ ovl_inuse_unlock(ufs->workbasedir); - dput(ufs->workbasedir); -- if (ufs->upper_mnt) -+ if (ufs->upper_mnt && ufs->upperdir_locked) - ovl_inuse_unlock(ufs->upper_mnt->mnt_root); - mntput(ufs->upper_mnt); - for (i = 0; i < ufs->numlower; i++) -@@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) - goto out_put_upperpath; - - err = -EBUSY; -- if (!ovl_inuse_trylock(upperpath.dentry)) { -- pr_err("overlayfs: upperdir is in-use by another mount\n"); -+ if (ovl_inuse_trylock(upperpath.dentry)) { -+ ufs->upperdir_locked = true; -+ } else if (ufs->config.index) { -+ pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n"); - goto out_put_upperpath; -+ } else { -+ pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n"); - } - - err = ovl_mount_dir(ufs->config.workdir, &workpath); -@@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) - } - - err = -EBUSY; -- if (!ovl_inuse_trylock(workpath.dentry)) { -- pr_err("overlayfs: workdir is in-use by another mount\n"); -+ if (ovl_inuse_trylock(workpath.dentry)) { -+ ufs->workdir_locked = true; -+ } else if (ufs->config.index) { -+ pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n"); - goto out_put_workpath; -+ } else { -+ pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n"); - } - - ufs->workbasedir = workpath.dentry; -@@ -1155,11 +1164,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) - out_free_lowertmp: - kfree(lowertmp); - out_unlock_workdentry: -- ovl_inuse_unlock(workpath.dentry); -+ if (ufs->workdir_locked) -+ ovl_inuse_unlock(workpath.dentry); - out_put_workpath: - path_put(&workpath); - out_unlock_upperdentry: -- ovl_inuse_unlock(upperpath.dentry); -+ if (ufs->upperdir_locked) -+ ovl_inuse_unlock(upperpath.dentry); - out_put_upperpath: - path_put(&upperpath); - out_free_config: --- -2.13.6 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch new file mode 100644 index 0000000000..7e2af55497 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch @@ -0,0 +1,43 @@ +From 4e6fc257193a1d56eedc55e040d6e5c158cdaceb Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 9 Oct 2017 11:36:52 -0700 +Subject: [PATCH 25/25] waitid(): Add missing access_ok() checks + +Adds missing access_ok() checks. + +CVE-2017-5123 + +Reported-by: Chris Salls +Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()") +Signed-off-by: Kees Cook +--- + kernel/exit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/exit.c b/kernel/exit.c +index 6d31fc5ba50d..135b36985f8a 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1611,6 +1611,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *, + if (!infop) + return err; + ++ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) ++ goto Efault; ++ + user_access_begin(); + unsafe_put_user(signo, &infop->si_signo, Efault); + unsafe_put_user(0, &infop->si_errno, Efault); +@@ -1736,6 +1739,9 @@ COMPAT_SYSCALL_DEFINE5(waitid, + if (!infop) + return err; + ++ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) ++ goto Efault; ++ + user_access_begin(); + unsafe_put_user(signo, &infop->si_signo, Efault); + unsafe_put_user(0, &infop->si_errno, Efault); +-- +2.14.1 +