From 467cedff05f5021e11fbff9845b82090b55d82ae Mon Sep 17 00:00:00 2001
From: Jenkins OS <team-os@coreos.com>
Date: Mon, 17 Jul 2017 20:23:39 +0000
Subject: [PATCH] sys-kernel/coreos-sources: bump to 4.12.2

---
 ...2.0.ebuild => coreos-kernel-4.12.2.ebuild} |  0
 ....0.ebuild => coreos-modules-4.12.2.ebuild} |  0
 .../sys-kernel/coreos-sources/Manifest        |  1 +
 ....0.ebuild => coreos-sources-4.12.2.ebuild} |  1 +
 .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch   | 12 +++---
 ...to-lock-down-access-to-the-running-k.patch | 16 ++++----
 ...e-kernel-if-booted-in-secure-boot-mo.patch | 12 +++---
 ...ignatures-if-the-kernel-is-locked-do.patch |  8 ++--
 ...-and-dev-kmem-when-the-kernel-is-loc.patch |  8 ++--
 ...-runtime-if-the-kernel-is-locked-dow.patch |  8 ++--
 ...-flag-in-boot-params-across-kexec-re.patch |  8 ++--
 ...le-at-runtime-if-securelevel-has-bee.patch |  8 ++--
 ...sable-when-the-kernel-is-locked-down.patch |  8 ++--
 ...sable-when-the-kernel-is-locked-down.patch |  8 ++--
 ...R-access-when-the-kernel-is-locked-d.patch | 12 +++---
 ...-port-access-when-the-kernel-is-lock.patch | 10 ++---
 ...-access-when-the-kernel-is-locked-do.patch |  8 ++--
 ...t-debugfs-interface-when-the-kernel-.patch |  8 ++--
 ...s-to-custom_method-when-the-kernel-i.patch |  8 ++--
 ..._rsdp-kernel-param-when-the-kernel-h.patch |  8 ++--
 ...I-table-override-if-the-kernel-is-lo.patch |  8 ++--
 ...I-error-injection-if-the-kernel-is-l.patch |  8 ++--
 ...nel-image-access-functions-when-the-.patch |  8 ++--
 ...z0020-scsi-Lock-down-the-eata-driver.patch |  8 ++--
 ...CIS-storage-when-the-kernel-is-locke.patch |  8 ++--
 .../4.12/z0022-Lock-down-TIOCSSERIAL.patch    |  8 ++--
 ...lative-path-for-KBUILD_SRC-from-CURD.patch |  8 ++--
 .../z0024-Add-arm64-coreos-verity-hash.patch  |  8 ++--
 ...0025-vmbus-re-enable-channel-tasklet.patch | 40 +++++++++++++++++++
 29 files changed, 149 insertions(+), 107 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.12.0.ebuild => coreos-kernel-4.12.2.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.12.0.ebuild => coreos-modules-4.12.2.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.12.0.ebuild => coreos-sources-4.12.2.ebuild} (97%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-vmbus-re-enable-channel-tasklet.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 0f29bd0b5a..9b6d25dd95 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1 +1,2 @@
 DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375
+DIST patch-4.12.2.xz 14660 SHA256 8447d28c88834bac75653a0370a6f30615688db4756b953720e9b024537e34ac SHA512 3d3e7cea82b20ba841d74f6f63e635143a52ee1428017792aa210ee591fcccf7ee1475c1576257722f0f5891547b69a192d48723ab6f4c189841e17ed8013300 WHIRLPOOL aa231e904ac23186cc1fcf380cbef9ee5d1e877af7a79003ad14fbb409ff2c3aa8a4613b7f9d87ae958283d3ed4009983e6cfca71177787fce24c39c80332508
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.2.ebuild
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.2.ebuild
index 8e306611f2..8d1c06c3c6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.2.ebuild
@@ -44,4 +44,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
 	${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
+	${PATCH_DIR}/z0025-vmbus-re-enable-channel-tasklet.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
index 5ae27cd028..4caa8afe1d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,7 +1,7 @@
-From 3f3cb677d70e6b5c77420792b9dc3c7183313b22 Mon Sep 17 00:00:00 2001
+From cfa603453e1ce4a90b4181a770fc17967e93d092 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 that can be passed to efi_enabled() to find out whether secure boot is
@@ -18,10 +18,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 2 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f818236..3a3ef6e 100644
+index 36646f19d40b..87ef54e64842 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1183,6 +1183,7 @@ void __init setup_arch(char **cmdline_p)
+@@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p)
  			pr_info("Secure boot disabled\n");
  			break;
  		case efi_secureboot_mode_enabled:
@@ -30,7 +30,7 @@ index f818236..3a3ef6e 100644
  			break;
  		default:
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index ec36f42..381b3f6 100644
+index ec36f42a2add..381b3f6670d3 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
 @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *);
@@ -42,5 +42,5 @@ index ec36f42..381b3f6 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
index 83ba3730d6..0bfcb35f5b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -1,7 +1,7 @@
-From 5d520de1931337577f000d9d082fea40e388e546 Mon Sep 17 00:00:00 2001
+From 835ca0ffa0228cacbec3e2d17864053302bb0479 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/24] Add the ability to lock down access to the running
+Subject: [PATCH 02/25] Add the ability to lock down access to the running
  kernel image
 
 Provide a single call to allow kernel code to determine whether the system
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  create mode 100644 security/lock_down.c
 
 diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 13bc08a..282a168 100644
+index 13bc08aba704..282a1684d6e8 100644
 --- a/include/linux/kernel.h
 +++ b/include/linux/kernel.h
 @@ -276,6 +276,15 @@ extern int oops_may_print(void);
@@ -41,7 +41,7 @@ index 13bc08a..282a168 100644
  int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
  int __must_check _kstrtol(const char *s, unsigned int base, long *res);
 diff --git a/include/linux/security.h b/include/linux/security.h
-index af675b5..68bab18 100644
+index af675b576645..68bab18ddd57 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata)
@@ -62,7 +62,7 @@ index af675b5..68bab18 100644
  #endif /* ! __LINUX_SECURITY_H */
  
 diff --git a/security/Kconfig b/security/Kconfig
-index 93027fd..4baac4a 100644
+index 93027fdf47d1..4baac4aab277 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
 @@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH
@@ -88,7 +88,7 @@ index 93027fd..4baac4a 100644
  source security/smack/Kconfig
  source security/tomoyo/Kconfig
 diff --git a/security/Makefile b/security/Makefile
-index f2d71cd..8c4a43e 100644
+index f2d71cdb8e19..8c4a43e3d4e0 100644
 --- a/security/Makefile
 +++ b/security/Makefile
 @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
@@ -100,7 +100,7 @@ index f2d71cd..8c4a43e 100644
 +obj-$(CONFIG_LOCK_DOWN_KERNEL)		+= lock_down.o
 diff --git a/security/lock_down.c b/security/lock_down.c
 new file mode 100644
-index 0000000..5788c60
+index 000000000000..5788c60ff4e1
 --- /dev/null
 +++ b/security/lock_down.c
 @@ -0,0 +1,40 @@
@@ -145,5 +145,5 @@ index 0000000..5788c60
 +}
 +EXPORT_SYMBOL(kernel_is_locked_down);
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index cf664d7c01..b716a4d697 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -1,7 +1,7 @@
-From b60bbf065c75ec4b32387d0b2396f3d7c8402a09 Mon Sep 17 00:00:00 2001
+From 44a561a24da72b39d2df450f9a3da7c3682d1fe5 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
+Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels.  Certain use cases may also
@@ -16,7 +16,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 19 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 0efb4c9..4d1c53b 100644
+index 0efb4c9497bc..4d1c53bb8411 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
 @@ -1827,6 +1827,18 @@ config EFI_MIXED
@@ -39,7 +39,7 @@ index 0efb4c9..4d1c53b 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 3a3ef6e..f6990c0 100644
+index 87ef54e64842..4c4d758d4be1 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -69,6 +69,7 @@
@@ -50,7 +50,7 @@ index 3a3ef6e..f6990c0 100644
  
  #include <linux/usb/xhci-dbgp.h>
  #include <video/edid.h>
-@@ -1184,7 +1185,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1191,7 +1192,12 @@ void __init setup_arch(char **cmdline_p)
  			break;
  		case efi_secureboot_mode_enabled:
  			set_bit(EFI_SECURE_BOOT, &efi.flags);
@@ -65,5 +65,5 @@ index 3a3ef6e..f6990c0 100644
  		default:
  			pr_info("Secure boot could not be determined\n");
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
index 3518c01a37..e1e90a7140 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -1,7 +1,7 @@
-From 47f98c1c46069b98debb6e46b4da67a385d172b1 Mon Sep 17 00:00:00 2001
+From 2e096fd974c29912c84c44565f2f1cf255f15f03 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
+Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
 
 If the kernel is locked down, require that all modules have valid
 signatures that we can verify.
@@ -12,7 +12,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/kernel/module.c b/kernel/module.c
-index 4a3665f..3f1de34 100644
+index 4a3665f8f837..3f1de34c6d10 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags)
@@ -25,5 +25,5 @@ index 4a3665f..3f1de34 100644
  
  	return err;
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
index 511215a59b..08e82525ba 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
@@ -1,7 +1,7 @@
-From 46e0cb8ba4a7647882b604bb58f86bc310d1c2b2 Mon Sep 17 00:00:00 2001
+From bd187bcfb3d9f9637da68c3751c75a72316aa9b9 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
+Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
  locked down
 
 Allowing users to write to address space makes it possible for the kernel to
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 593a881..ba68add 100644
+index 593a8818aca9..ba68add9677f 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -39,5 +39,5 @@ index 593a881..ba68add 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
index f4d47df7e3..4f0340c335 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -1,7 +1,7 @@
-From 5aa43af8a55eae13963a0b20b8369de49fa99590 Mon Sep 17 00:00:00 2001
+From b02f53821c4ac3f070ffa5bcad5462f9dc39fff5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
+Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that lock-down is meant to prevent. It makes sense to disable
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 980936a..46de8e6 100644
+index 980936a90ee6..46de8e6b42f4 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
 @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
@@ -35,5 +35,5 @@ index 980936a..46de8e6 100644
  	 * This leaves us room for future extensions.
  	 */
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
index eb39ac5263..8fedcee893 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -1,7 +1,7 @@
-From acdcb4a8e2b0644fbd87eb0209ba3d1b3cfbf915 Mon Sep 17 00:00:00 2001
+From a2d0b5ce698aea2d9c9365e8a0e1950ccfca04c9 Mon Sep 17 00:00:00 2001
 From: Dave Young <dyoung@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
+Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
  reboot
 
 Kexec reboot in case secure boot being enabled does not keep the secure
@@ -22,7 +22,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
-index 9d7fd5e..7e6f00a 100644
+index 9d7fd5e6689a..7e6f00ae8322 100644
 --- a/arch/x86/kernel/kexec-bzimage64.c
 +++ b/arch/x86/kernel/kexec-bzimage64.c
 @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr,
@@ -34,5 +34,5 @@ index 9d7fd5e..7e6f00a 100644
  	ei->efi_systab = current_ei->efi_systab;
  	ei->efi_systab_hi = current_ei->efi_systab_hi;
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
index 82094b8f15..17aaa416cc 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -1,7 +1,7 @@
-From 5d6c3356ce40c4cf0994b5d02324bd7db356e2a3 Mon Sep 17 00:00:00 2001
+From fd75640cbb9761818b21f658aa63585dd3b51924 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
 Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
+Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
  set
 
 When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
@@ -18,7 +18,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
-index b118735..f6937ee 100644
+index b118735fea9d..f6937eecd1eb 100644
 --- a/kernel/kexec_file.c
 +++ b/kernel/kexec_file.c
 @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
@@ -35,5 +35,5 @@ index b118735..f6937ee 100644
  	if (flags != (flags & KEXEC_FILE_FLAGS))
  		return -EINVAL;
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
index e5ccf9d081..a6b8ae65f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -1,7 +1,7 @@
-From 8e84b9fb024820a587273a1ddd35e6ba7b1c605b Mon Sep 17 00:00:00 2001
+From 009afd2bd0dfa1e5c0ee2165ffbdba019a43ef99 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index a8b978c..50cca5d 100644
+index a8b978c35a6a..50cca5dcb62f 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644
  
  /**
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
index 7629bc2f44..09eee2c05c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -1,7 +1,7 @@
-From 320e7ee93cc1f51f1995e20e9ec43b748a0c87b1 Mon Sep 17 00:00:00 2001
+From 6355e8dee4bbee901afa9f602ed436b960d79441 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
 
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel.  Disable this if the kernel
@@ -14,7 +14,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 22df9f7..e4b926d 100644
+index 22df9f7ff672..e4b926d329b7 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
 @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
@@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644
  
  	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
index b33d152672..330672f9ae 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -1,7 +1,7 @@
-From a9c564104ea9fa19437d581330c558e6f9c9ca6c Mon Sep 17 00:00:00 2001
+From dfff658afb99aaa528052d384d33e5f365cc730c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
  down
 
 Any hardware that can potentially generate DMA has to be locked down in
@@ -19,7 +19,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  3 files changed, 17 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 31e9961..5595560 100644
+index 31e99613a12e..559556047d66 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
@@ -53,7 +53,7 @@ index 31e9961..5595560 100644
  }
  
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 098360d..ef16fcc 100644
+index 098360d7ff81..ef16fccb1923 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
 @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@@ -86,7 +86,7 @@ index 098360d..ef16fcc 100644
  
  	if (fpriv->mmap_state == pci_mmap_io) {
 diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c
-index 9bf993e..c095247 100644
+index 9bf993e1f71e..c09524738ceb 100644
 --- a/drivers/pci/syscall.c
 +++ b/drivers/pci/syscall.c
 @@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
@@ -99,5 +99,5 @@ index 9bf993e..c095247 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
index 6481cf929c..25a386d526 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -1,7 +1,7 @@
-From 71dd9dbf442d3d92005817b59c3814deb7ddcc88 Mon Sep 17 00:00:00 2001
+From 5071401ad122ff7f04f909b5871f57385bf96573 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
  down
 
 IO port access would permit users to gain access to PCI configuration
@@ -20,7 +20,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
-index 9c3cf09..4a613fe 100644
+index 9c3cf0944bce..4a613fed94b6 100644
 --- a/arch/x86/kernel/ioport.c
 +++ b/arch/x86/kernel/ioport.c
 @@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
@@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index ba68add..5e2a260 100644
+index ba68add9677f..5e2a260fb89f 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
@@ -55,5 +55,5 @@ index ba68add..5e2a260 100644
  }
  
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
index 0b1c2e78db..aeeed47449 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
@@ -1,7 +1,7 @@
-From 582efb243bbb08cadab48c6242c167dbfc23acbe Mon Sep 17 00:00:00 2001
+From 3acbbd38964877431c984d86896bd5e105312e8e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
+Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
 
 Writing to MSRs should not be allowed if the kernel is locked down, since
 it could lead to execution of arbitrary code in kernel mode.  Based on a
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef68880..fbcce02 100644
+index ef688804f80d..fbcce028e502 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
 @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@@ -40,5 +40,5 @@ index ef68880..fbcce02 100644
  			err = -EFAULT;
  			break;
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
index 73989b175f..c35c2aa9ba 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -1,7 +1,7 @@
-From 94967b682db14cb61ae864be6981159b87b4aac5 Mon Sep 17 00:00:00 2001
+From ccd15a16715ea1984f5800f8e3587b394f394837 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
+Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
  locked down
 
 We have no way of validating what all of the Asus WMI methods do on a given
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 6c7d860..57b82cb 100644
+index 6c7d86074b38..57b82cbc9a6b 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -51,5 +51,5 @@ index 6c7d860..57b82cb 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
index 619fdb1b5d..7e0a501694 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -1,7 +1,7 @@
-From 45b4d28d45f07af2c75d9364ccb5f60f871dc4f6 Mon Sep 17 00:00:00 2001
+From 764be416d67e5b5975fa1c06318db42cabe2d2bf Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
  locked down
 
 custom_method effectively allows arbitrary access to system memory, making
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index c68e724..e4d721c 100644
+index c68e72414a67..e4d721c330c0 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
 @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
@@ -29,5 +29,5 @@ index c68e724..e4d721c 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
index 92d17cc70c..f3c344d2fe 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -1,7 +1,7 @@
-From b5defb2cf61590316c053f540f505006749c9984 Mon Sep 17 00:00:00 2001
+From 673433370151b244c7c092485c69f55a67044ebd Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
  been locked down
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index db78d35..d4d4ba3 100644
+index db78d353bab1..d4d4ba348451 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
@@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644
  #endif
  
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
index 5be65674da..d4aa5a73b8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -1,7 +1,7 @@
-From 39645f967ccec01a3fc9b5385581ad49f89d29b5 Mon Sep 17 00:00:00 2001
+From 19585059101a2626d79718a56001c3340a40ccf9 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
  locked down
 
 From the kernel documentation (initrd_table_override.txt):
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index ff42539..c72bfa9 100644
+index ff425390bfa8..c72bfa97888a 100644
 --- a/drivers/acpi/tables.c
 +++ b/drivers/acpi/tables.c
 @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void)
@@ -37,5 +37,5 @@ index ff42539..c72bfa9 100644
  		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
  				       all_tables_size, PAGE_SIZE);
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
index 443b5b6f3c..99adf7d1d8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -1,7 +1,7 @@
-From 01ec365f7bc1250419041321f346d6a916e05263 Mon Sep 17 00:00:00 2001
+From 812d81fcbf27458892c9a661b65e005caa600a77 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
  locked down
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
@@ -26,7 +26,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index ec50c32..e082718 100644
+index ec50c32ea3da..e082718d01c2 100644
 --- a/drivers/acpi/apei/einj.c
 +++ b/drivers/acpi/apei/einj.c
 @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
@@ -40,5 +40,5 @@ index ec50c32..e082718 100644
  	if (flags && (flags &
  		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
index 32fc6920c7..1046fc25ae 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -1,7 +1,7 @@
-From fae701c2fca54509ddfb85da2ac7cc14a4c2011e Mon Sep 17 00:00:00 2001
+From 92bd5fbe1085fe4d179391ffd2a51edc3cb08dd2 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <jlee@suse.com>
 Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
+Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
  kernel is locked down
 
 There are some bpf functions can be used to read kernel memory:
@@ -17,7 +17,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 11 insertions(+)
 
 diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index 460a031..58eb33d 100644
+index 460a031c77e5..58eb33d5d6ae 100644
 --- a/kernel/trace/bpf_trace.c
 +++ b/kernel/trace/bpf_trace.c
 @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
@@ -53,5 +53,5 @@ index 460a031..58eb33d 100644
  	for (i = 0; i < fmt_size; i++) {
  		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch
index 7a4a98abf7..4b24422af8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch
@@ -1,7 +1,7 @@
-From 83e910f07e8cb747a1d676d86a16b983c53535d9 Mon Sep 17 00:00:00 2001
+From 98b52d715b3deac17438877d0a98d5b579d5c77e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/24] scsi: Lock down the eata driver
+Subject: [PATCH 20/25] scsi: Lock down the eata driver
 
 When the kernel is running in secure boot mode, we lock down the kernel to
 prevent userspace from modifying the running kernel image.  Whilst this
@@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c
-index 227dd2c..5c036d1 100644
+index 227dd2c2ec2f..5c036d10c18b 100644
 --- a/drivers/scsi/eata.c
 +++ b/drivers/scsi/eata.c
 @@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt)
@@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644
  #if defined(MODULE)
  	/* io_port could have been modified when loading as a module */
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
index 57be158ac0..e5e9912713 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -1,7 +1,7 @@
-From 6bc5732f932207cdfe3e9c70ac6d43367f0c5c4b Mon Sep 17 00:00:00 2001
+From 57d71dbd2cc6c719fc01a697b7369d0594d9d28a Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
  down
 
 Prohibit replacement of the PCMCIA Card Information Structure when the
@@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 5 insertions(+)
 
 diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index 55ef7d1..193e4f7 100644
+index 55ef7d1fd8da..193e4f7b73b1 100644
 --- a/drivers/pcmcia/cistpl.c
 +++ b/drivers/pcmcia/cistpl.c
 @@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
@@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644
  
  	if (off)
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch
index 9399153b93..fa66746450 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch
@@ -1,7 +1,7 @@
-From 819850ca18442e75bfb9c9d01efd10622f950aad Mon Sep 17 00:00:00 2001
+From bbf9b9edd8e7eff5610cfa16b4e67281337fbf70 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/24] Lock down TIOCSSERIAL
+Subject: [PATCH 22/25] Lock down TIOCSSERIAL
 
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq
 settings on a serial port.  This only appears to be an issue for the serial
@@ -15,7 +15,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 13bfd5d..45fb768 100644
+index 13bfd5dcffce..45fb7689bc1c 100644
 --- a/drivers/tty/serial/serial_core.c
 +++ b/drivers/tty/serial/serial_core.c
 @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
@@ -32,5 +32,5 @@ index 13bfd5d..45fb768 100644
  		retval = -EPERM;
  		if (change_irq || change_port ||
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index 67b87cff32..81f652873a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From 56ec4aaa02d21637344b102d88ae817486dcdb41 Mon Sep 17 00:00:00 2001
+From 3b495dca8e50681b45c93aa8c8e5ca7b670aa530 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 283c623..aacf9cc 100644
+index 7c81bbba2943..3a0b09071efa 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 283c623..aacf9cc 100644
  
  # Leave processing to above invocation of make
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
index 05d4a6aabf..8dcaa01fe2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From 23fe6061c449fc088d6272c284a66817ccf59d96 Mon Sep 17 00:00:00 2001
+From 5fe5056f8dad60719469b61ae41db16e7fb0e9a5 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/24] Add arm64 coreos verity hash
+Subject: [PATCH 24/25] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
  1 file changed, 5 insertions(+)
 
 diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S
-index 613fc30..fdaf86c 100644
+index 613fc3000677..fdaf86c78332 100644
 --- a/arch/arm64/kernel/efi-header.S
 +++ b/arch/arm64/kernel/efi-header.S
 @@ -103,6 +103,11 @@ section_table:
@@ -25,5 +25,5 @@ index 613fc30..fdaf86c 100644
  	/*
  	 * The debug table is referenced via its Relative Virtual Address (RVA),
 -- 
-2.9.4
+2.13.0
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-vmbus-re-enable-channel-tasklet.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-vmbus-re-enable-channel-tasklet.patch
new file mode 100644
index 0000000000..bb136a1e36
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-vmbus-re-enable-channel-tasklet.patch
@@ -0,0 +1,40 @@
+From 91e148c7e146b7cdd53e0c0ede953c9fa90c110a Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Sun, 25 Jun 2017 12:47:46 -0700
+Subject: [PATCH 25/25] vmbus: re-enable channel tasklet
+
+This problem shows up in 4.11 when netvsc driver is removed and reloaded.
+The problem is that the channel is closed during module removal and the
+tasklet for processing responses is disabled. When module is reloaded
+the channel is reopened but the tasklet is marked as disabled.
+The fix is to re-enable tasklet at the end of close which gets it back
+to the initial state.
+
+The issue is less urgent in 4.12 since network driver now uses NAPI
+and not the tasklet; and other VMBUS devices are rarely unloaded/reloaded.
+
+Fixes: dad72a1d2844 ("vmbus: remove hv_event_tasklet_disable/enable")
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Cc: stable@vger.kernel.org
+---
+ drivers/hv/channel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
+index 736ac76d2a6a..3cea1216754e 100644
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -606,6 +606,8 @@ static int vmbus_close_internal(struct vmbus_channel *channel)
+ 		get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
+ 
+ out:
++	/* re-enable tasklet for use on re-open */
++	tasklet_enable(&channel->callback_event);
+ 	return ret;
+ }
+ 
+-- 
+2.13.0
+