diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4-r1.ebuild index 090cb5ec8a..9a05b45bc9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.4-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4-r1.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4-r1.ebuild index 763d6d9dfe..5f7ad1c646 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.4-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4-r1.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4-r1.ebuild index bf53ea4859..343813cbb3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.4-r1.ebuild @@ -45,4 +45,5 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ ${PATCH_DIR}/z0025-bonding-commit-link-status-change-after-propose.patch \ + ${PATCH_DIR}/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index bbd71d5800..ac2ec03bf6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From 8bc2cecfd74015c23051dc35f2923cd05767b51a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 01/26] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is @@ -18,7 +18,7 @@ 
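Review bot: The new `${PATCH_DIR}/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch` entry in UNIPATCH_LIST points at a file whose addition under files/4.12/ is not visible in this part of the diff; if it is not part of the same commit, coreos-sources-4.12.4-r1 fails at unpack time, so confirm the file lands with this change. Because this is a backport rather than a stable-release bump, the patch header or this commit's message should record which upstream commit it is taken from and the first stable 4.12.y release that carries it, so the entry can be dropped on the next rebase — a line such as `# backport of upstream <UPSTREAM-COMMIT-ID>; drop once rebased past <STABLE-VERSION>` beside the entry would do. The renumbering of z0001–z0025 to `[PATCH nn/26]`, the longer `index` hashes and the `2.13.0` trailers are consistent with a `git format-patch` regeneration of the whole series; a check that only those lines changed in the existing patches (all that is visible here) would confirm the rest of the diff is noise rather than content changes.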
Signed-off-by: David Howells 2 files changed, 2 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 36646f1..87ef54e 100644 +index 36646f19d40b..87ef54e64842 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p) @@ -30,7 +30,7 @@ index 36646f1..87ef54e 100644 break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec36f42..381b3f6 100644 +index ec36f42a2add..381b3f6670d3 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); @@ -42,5 +42,5 @@ index ec36f42..381b3f6 100644 #ifdef CONFIG_EFI /* -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 70219d7394..bfc4a6f01c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,7 +1,7 @@ From 9f93a1ebd276e37181a80ffec89568e88a1ddaaa Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 -Subject: [PATCH 02/25] Add the ability to lock down access to the running +Subject: [PATCH 02/26] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system @@ -21,7 +21,7 @@ Signed-off-by: David Howells create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 13bc08a..282a168 100644 +index 13bc08aba704..282a1684d6e8 100644 
--- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,6 +276,15 @@ extern int oops_may_print(void); @@ -41,7 +41,7 @@ index 13bc08a..282a168 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index af675b5..68bab18 100644 +index af675b576645..68bab18ddd57 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) @@ -62,7 +62,7 @@ index af675b5..68bab18 100644 #endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig -index 93027fd..4baac4a 100644 +index 93027fdf47d1..4baac4aab277 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH @@ -88,7 +88,7 @@ index 93027fd..4baac4a 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/security/Makefile b/security/Makefile -index f2d71cd..8c4a43e 100644 +index f2d71cdb8e19..8c4a43e3d4e0 100644 --- a/security/Makefile +++ b/security/Makefile @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o @@ -100,7 +100,7 @@ index f2d71cd..8c4a43e 100644 +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 -index 0000000..5788c60 +index 000000000000..5788c60ff4e1 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,40 @@ @@ -145,5 +145,5 @@ index 0000000..5788c60 +} +EXPORT_SYMBOL(kernel_is_locked_down); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index 01b99b0d6f..21fb8d3e7e 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,7 @@ From 2c1331c4ba6e6df752e4c7068d84dc6d5bd1eba6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode +Subject: [PATCH 03/26] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -16,7 +16,7 @@ Signed-off-by: David Howells 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 0efb4c9..4d1c53b 100644 +index 0efb4c9497bc..4d1c53bb8411 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1827,6 +1827,18 @@ config EFI_MIXED @@ -39,7 +39,7 @@ index 0efb4c9..4d1c53b 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 87ef54e..4c4d758 100644 +index 87ef54e64842..4c4d758d4be1 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -69,6 +69,7 @@ @@ -65,5 +65,5 @@ index 87ef54e..4c4d758 100644 default: pr_info("Secure boot could not be determined\n"); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index a2ec4d936f..0908ac17cc 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From 6080dd6abf77372d59d4b7b1f56fa0fa0cee8fe9 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 -Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down +Subject: [PATCH 04/26] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify. @@ -12,7 +12,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c -index 4a3665f..3f1de34 100644 +index 4a3665f8f837..3f1de34c6d10 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags) @@ -25,5 +25,5 @@ index 4a3665f..3f1de34 100644 return err; -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index 879d30c792..826938a598 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,7 +1,7 @@ From 964b821d7a5f54197ef6d41d41da58a051ad0ffc Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is +Subject: [PATCH 05/26] Restrict /dev/mem and /dev/kmem when the kernel is locked down Allowing users to write to address space makes it possible for the kernel to @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 593a881..ba68add 100644 +index 593a8818aca9..ba68add9677f 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -39,5 +39,5 @@ index 593a881..ba68add 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index a9549aec66..40f098ffec 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,7 +1,7 @@ From 9fe3ac82c10eb3bcc3a9c0a9dd797862a8aeb6d1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down +Subject: [PATCH 06/26] kexec: Disable at runtime if the kernel is locked down kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) 
diff --git a/kernel/kexec.c b/kernel/kexec.c -index 980936a..46de8e6 100644 +index 980936a90ee6..46de8e6b42f4 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, @@ -35,5 +35,5 @@ index 980936a..46de8e6 100644 * This leaves us room for future extensions. */ -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index 386ba7965c..92d281e7a0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,7 +1,7 @@ From 10c1542768bc3ff9f655da4315401065c600ea8b Mon Sep 17 00:00:00 2001 From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec +Subject: [PATCH 07/26] Copy secure_boot flag in boot params across kexec reboot Kexec reboot in case secure boot being enabled does not keep the secure @@ -22,7 +22,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 9d7fd5e..7e6f00a 100644 +index 9d7fd5e6689a..7e6f00ae8322 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, @@ -34,5 +34,5 @@ index 9d7fd5e..7e6f00a 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- -2.10.2 +2.13.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index 050cf5da8e..0c9d55a68c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,7 +1,7 @@ From 477e5612e6446d3b1df9ed49efee42d319721e74 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 -Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been +Subject: [PATCH 08/26] kexec_file: Disable at runtime if securelevel has been set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image @@ -18,7 +18,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b118735..f6937ee 100644 +index b118735fea9d..f6937eecd1eb 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, @@ -35,5 +35,5 @@ index b118735..f6937ee 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index ead2a9464a..ef7308db84 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From ef8d6a280865af7b555327c33543f8b1ebb23902 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down +Subject: [PATCH 09/26] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a8b978c..50cca5d 100644 +index a8b978c35a6a..50cca5dcb62f 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; @@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644 /** -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 4ae8c8fc41..05db71d662 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ From c2cf47ce26f820f0c9d3ad6112b179c6c884e415 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 -Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down +Subject: [PATCH 10/26] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel @@ -14,7 +14,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 22df9f7..e4b926d 100644 +index 22df9f7ff672..e4b926d329b7 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) @@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index d6debc57d8..241f4d8b90 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,7 +1,7 @@ From a8175632e2d54fff6093cc5793d257b1968b8bf8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked +Subject: [PATCH 11/26] PCI: Lock down BAR access when the kernel is locked down Any hardware that can potentially generate DMA has to be locked down in @@ -19,7 +19,7 @@ Signed-off-by: David Howells 3 files changed, 17 insertions(+), 2 deletions(-) 
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 31e9961..5595560 100644 +index 31e99613a12e..559556047d66 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, @@ -53,7 +53,7 @@ index 31e9961..5595560 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 098360d..ef16fcc 100644 +index 098360d7ff81..ef16fccb1923 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, @@ -86,7 +86,7 @@ index 098360d..ef16fcc 100644 if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index 9bf993e..c095247 100644 +index 9bf993e1f71e..c09524738ceb 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, @@ -99,5 +99,5 @@ index 9bf993e..c095247 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index 7a020eb3d8..e17c1f1e61 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,7 +1,7 @@ From df08e412dc65f840fd2f17a38ca90e3c41bd39e0 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked +Subject: [PATCH 12/26] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration @@ -20,7 +20,7 @@ Signed-off-by: David Howells 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 9c3cf09..4a613fe 100644 +index 9c3cf0944bce..4a613fed94b6 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) @@ -42,7 +42,7 @@ index 9c3cf09..4a613fe 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index ba68add..5e2a260 100644 +index ba68add9677f..5e2a260fb89f 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) @@ -55,5 +55,5 @@ index ba68add..5e2a260 100644 } -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index 1f69cad8f5..7553cdbe17 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ From acce1508e26594ecc21c388f57390cde3fbae4d9 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 -Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down +Subject: [PATCH 13/26] x86: Restrict MSR access when the kernel is locked down Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index ef68880..fbcce02 100644 +index ef688804f80d..fbcce028e502 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -40,5 +40,5 @@ index ef68880..fbcce02 100644 err = -EFAULT; break; -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index 1a4cb01b7d..7c5ba7c45b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,7 +1,7 @@ From 7d73bb9bb6c50eaeb32dd6cb1f11f4ab815384df Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is +Subject: [PATCH 14/26] asus-wmi: Restrict debugfs interface when the kernel is locked down We have no way of validating what all of the Asus WMI methods do on a given @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 9 insertions(+) 
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 6c7d860..57b82cb 100644 +index 6c7d86074b38..57b82cbc9a6b 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data) @@ -51,5 +51,5 @@ index 6c7d860..57b82cb 100644 1, asus->debug.method_id, &input, &output); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch index 5d62e9ec09..2537a38aae 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -1,7 +1,7 @@ From f4dde9c46875e6b5c0bde36af5888b8096398e7e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is +Subject: [PATCH 15/26] ACPI: Limit access to custom_method when the kernel is locked down custom_method effectively allows arbitrary access to system memory, making @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index c68e724..e4d721c 100644 +index c68e72414a67..e4d721c330c0 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, 
@@ -29,5 +29,5 @@ index c68e724..e4d721c 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch index 439da2be06..648e003c61 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -1,7 +1,7 @@ From ede9a80c123614264dbf20f3e4f98ac6c9553930 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has +Subject: [PATCH 16/26] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down This option allows userspace to pass the RSDP address to the kernel, which @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index db78d35..d4d4ba3 100644 +index db78d353bab1..d4d4ba348451 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) @@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644 #endif -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch index 33e47744a6..c553fcce8e 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -1,7 +1,7 @@ From d785b547deba4fcd1c84124a0093afd23103f134 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:32:27 +0000 -Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is +Subject: [PATCH 17/26] acpi: Disable ACPI table override if the kernel is locked down From the kernel documentation (initrd_table_override.txt): @@ -21,7 +21,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index ff42539..c72bfa9 100644 +index ff425390bfa8..c72bfa97888a 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) @@ -37,5 +37,5 @@ index ff42539..c72bfa9 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch index d1684167ca..cc09592190 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -1,7 +1,7 @@ From ba162f6166b691dd390cff53080574b570f0c1a5 Mon Sep 17 00:00:00 2001 
From: Linn Crosetto Date: Wed, 23 Nov 2016 13:39:41 +0000 -Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is +Subject: [PATCH 18/26] acpi: Disable APEI error injection if the kernel is locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing @@ -26,7 +26,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index ec50c32..e082718 100644 +index ec50c32ea3da..e082718d01c2 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, @@ -40,5 +40,5 @@ index ec50c32..e082718 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch index 27055bf79b..489e5ccb98 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -1,7 +1,7 @@ From f75cba8e764cc7247b6237c80af6e73b3303aaee Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:52:16 +0000 -Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the +Subject: [PATCH 19/26] bpf: Restrict kernel image access functions when the kernel is locked down There are some bpf functions can be used to read kernel memory: @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 11 insertions(+) 
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c -index 460a031..58eb33d 100644 +index 460a031c77e5..58eb33d5d6ae 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) @@ -53,5 +53,5 @@ index 460a031..58eb33d 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch index 0d1dc31938..c2e8dc05c9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch @@ -1,7 +1,7 @@ From 275c37641a64fdb13c2bf5b7c8c6c240080e7ee8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 22 Nov 2016 10:10:34 +0000 -Subject: [PATCH 20/25] scsi: Lock down the eata driver +Subject: [PATCH 20/26] scsi: Lock down the eata driver When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this @@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c -index 227dd2c..5c036d1 100644 +index 227dd2c2ec2f..5c036d10c18b 100644 --- a/drivers/scsi/eata.c +++ b/drivers/scsi/eata.c @@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt) @@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- -2.10.2 +2.13.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch index e5a381de48..c03d2b166d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -1,7 +1,7 @@ From ab6c3943aaf0b45b422d77b8ef6e817e33758619 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 25 Nov 2016 14:37:45 +0000 -Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked +Subject: [PATCH 21/26] Prohibit PCMCIA CIS storage when the kernel is locked down Prohibit replacement of the PCMCIA Card Information Structure when the @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index 55ef7d1..193e4f7 100644 +index 55ef7d1fd8da..193e4f7b73b1 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, @@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644 if (off) -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch index 4d4ef1eccb..b60d763dbb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch @@ -1,7 +1,7 @@ From 1fcbe5b939cec829f80dca667f6a1629cd7f8ac8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 7 Dec 2016 10:28:39 +0000 -Subject: [PATCH 22/25] Lock down TIOCSSERIAL +Subject: [PATCH 22/26] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 13bfd5d..45fb768 100644 +index 13bfd5dcffce..45fb7689bc1c 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, @@ -32,5 +32,5 @@ index 13bfd5d..45fb768 100644 retval = -EPERM; if (change_irq || change_port || -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 2c1d623339..0b750ff97f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From 498ba076f1f149e03dfd9fc4c52741f063d006f6 Mon Sep 17 00:00:00 2001 
From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 23/26] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index bfdc92c..2d56a74 100644 +index bfdc92c2e47a..2d56a7441e02 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index bfdc92c..2d56a74 100644 # Leave processing to above invocation of make -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch index a3289c2d7c..ac589fe5ea 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ From de896f01efda42dddf52e0362db62d7f26a43b28 Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 24/25] Add arm64 coreos verity hash +Subject: [PATCH 24/26] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S -index 613fc30..fdaf86c 100644 +index 613fc3000677..fdaf86c78332 100644 --- a/arch/arm64/kernel/efi-header.S +++ b/arch/arm64/kernel/efi-header.S @@ -103,6 +103,11 @@ section_table: 
@@ -25,5 +25,5 @@ index 613fc30..fdaf86c 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA), -- -2.10.2 +2.13.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch index b9d55b9418..c10e4311ca 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch @@ -1,7 +1,7 @@ From 3849236f6d4900e255fea0c609887fc5901f9837 Mon Sep 17 00:00:00 2001 From: WANG Cong Date: Tue, 25 Jul 2017 09:44:25 -0700 -Subject: [PATCH 25/25] bonding: commit link status change after propose +Subject: [PATCH 25/26] bonding: commit link status change after propose Commit de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") moves link status commitment into bond_mii_monitor(), but it still relies @@ -20,7 +20,7 @@ Signed-off-by: David S. Miller 1 file changed, 2 insertions(+) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 8ab6bdb..0eab2fd 100644 +index 8ab6bdbe1682..0eab2fdff8d7 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -2047,6 +2047,7 @@ static int bond_miimon_inspect(struct bonding *bond) @@ -40,5 +40,5 @@ index 8ab6bdb..0eab2fd 100644 if (slave->delay) { -- -2.10.2 +2.13.0 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch
new file mode 100644
index 0000000000..0d1b6eedd2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch
@@ -0,0 +1,59 @@
+From 53e714799440efa994d43e8ac7e3325cda3405d5 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Mon, 31 Jul 2017 21:49:49 +0300
+Subject: [PATCH 26/26] virtio_net: fix truesize for mergeable buffers
+
+Seth Forshee noticed a performance degradation with some workloads.
+This turns out to be due to packet drops. Euan Kemp noticed that this
+is because we drop all packets where length exceeds the truesize, but
+for some packets we add in extra memory without updating the truesize.
+This in turn was kept around unchanged from ab7db91705e95 ("virtio-net:
+auto-tune mergeable rx buffer size for improved performance"). That
+commit had an internal reason not to account for the extra space: not
+enough bits to do it. No longer true so let's account for the allocated
+length exactly.
+
+Many thanks to Seth Forshee for the report and bisecting and Euan Kemp
+for debugging the issue.
+
+Fixes: 680557cf79f8 ("virtio_net: rework mergeable buffer handling")
+Reported-by: Euan Kemp
+Tested-by: Euan Kemp
+Reported-by: Seth Forshee
+Tested-by: Seth Forshee
+Signed-off-by: Michael S. Tsirkin
+---
+ drivers/net/virtio_net.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 6633dd4bb649..acb754eb1ccb 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -889,21 +889,20 @@ static int add_recvbuf_mergeable(struct virtnet_info *vi,
+ 
+ buf = (char *)page_address(alloc_frag->page) + alloc_frag->offset;
+ buf += headroom; /* advance address leaving hole at front of pkt */
+- ctx = (void *)(unsigned long)len;
+ get_page(alloc_frag->page);
+ alloc_frag->offset += len + headroom;
+ hole = alloc_frag->size - alloc_frag->offset;
+ if (hole < len + headroom) {
+ /* To avoid internal fragmentation, if there is very likely not
+ * enough space for another buffer, add the remaining space to
+- * the current buffer. This extra space is not included in
+- * the truesize stored in ctx.
++ * the current buffer.
+ */
+ len += hole;
+ alloc_frag->offset += hole;
+ }
+ 
+ sg_init_one(rq->sg, buf, len);
++ ctx = (void *)(unsigned long)len;
+ err = virtqueue_add_inbuf_ctx(rq->vq, rq->sg, 1, buf, ctx, gfp);
+ if (err < 0)
+ put_page(virt_to_head_page(buf));
+-- 
+2.13.0
+