sys-kernel/coreos-sources: bump to v4.9.9

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
-DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5
-DIST patch-4.8.17.xz 320288 SHA256 1e4be6f6a8eab3edcd0899db382fe1a9330320c603a9ad2c32ebb1dc6f53b3db SHA512 df239d990077cdf697fd487b4b8abb97fe442ac9fac4ed2e90c626560fc15058363310cf40580fd000d4ad55198486594a608544ce9c2bcaf03704415aa45441 WHIRLPOOL 401c8ee9f41b78b355ab76f1f0ed25b53855f641e0c27c07461e82af4e322fe958f73ef3cce6d074de2a6be550c8c8615a0a53187f3f9d17c8bd8b928d3a6051
+DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a
+DIST patch-4.9.9.xz 256400 SHA256 ec97e3bf8585865d409a804316b276a6b4e4939286de9757f99bfb41cf112078 SHA512 a7a2d44b83b00b20f1424d12af0f42e1c576d3053feacd13491ef185661fb1c789b9265c500b62f5ede39f57b72f358820000fa6c852a5f035e566ee1dfcd5d9 WHIRLPOOL 3d83b79dd6d4ca249638338cfd93153f2914142859d4126fbc499acc30f1aef2ba7d59c41c337fd45fb20b56b375fb2457319c933bdf8c38b656eb3e340fe95e

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild

@@ -1,49 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-	${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
-	${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
-	${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
-	${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
-	${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
-	${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
-	${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
-	${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
-	${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-	${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-	${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
-	${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-	${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-	${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-	${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-	${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-	${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
-	${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-	${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
-	${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
-	${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-	${PATCH_DIR}/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch \
-	${PATCH_DIR}/z0023-Add-arm64-coreos-verity-hash.patch \
-	${PATCH_DIR}/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
-"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.9.ebuild

@@ -0,0 +1,43 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+	${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+	${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+	${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+	${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+	${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+	${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+	${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+	${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+	${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+	${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+	${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+	${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+	${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+	${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+	${PATCH_DIR}/z0015-Add-arm64-coreos-verity-hash.patch \
+	${PATCH_DIR}/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
+	${PATCH_DIR}/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch \
+	${PATCH_DIR}/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch \
+"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch

@@ -1,148 +0,0 @@
-From 72f2135b077dd2e44d5bbd6b39194d009aeb2af2 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:57 -0400
-Subject: [PATCH 01/24] security, overlayfs: provide copy up security hook for
- unioned files
-
-Provide a security hook to label new file correctly when a file is copied
-up from lower layer to upper layer of a overlay/union mount.
-
-This hook can prepare a new set of creds which are suitable for new file
-creation during copy up. Caller will use new creds to create file and then
-revert back to old creds and release new creds.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/copy_up.c    | 15 +++++++++++++++
- include/linux/lsm_hooks.h | 11 +++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 40 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 767377e..14a892b 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	struct dentry *upper = NULL;
- 	umode_t mode = stat->mode;
- 	int err;
-+	const struct cred *old_creds = NULL;
-+	struct cred *new_creds = NULL;
- 
- 	newdentry = ovl_lookup_temp(workdir, dentry);
- 	err = PTR_ERR(newdentry);
-@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	if (IS_ERR(upper))
- 		goto out1;
- 
-+	err = security_inode_copy_up(dentry, &new_creds);
-+	if (err < 0)
-+		goto out2;
-+
-+	if (new_creds)
-+		old_creds = override_creds(new_creds);
-+
- 	/* Can't properly set mode on creation because of the umask */
- 	stat->mode &= S_IFMT;
- 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
- 	stat->mode = mode;
-+
-+	if (new_creds) {
-+		revert_creds(old_creds);
-+		put_cred(new_creds);
-+	}
-+
- 	if (err)
- 		goto out2;
- 
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 101bf19..ba3c842 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -401,6 +401,15 @@
-  *	@inode contains a pointer to the inode.
-  *	@secid contains a pointer to the location where result will be saved.
-  *	In case of failure, @secid will be set to zero.
-+ * @inode_copy_up:
-+ *	A file is about to be copied up from lower layer to upper layer of
-+ *	overlay filesystem. Security module can prepare a set of new creds
-+ *	and modify as need be and return new creds. Caller will switch to
-+ *	new creds temporarily to create new file and release newly allocated
-+ *	creds.
-+ *	@src indicates the union dentry of file that is being copied up.
-+ *	@new pointer to pointer to return newly allocated creds.
-+ *	Returns 0 on success or a negative error code on error.
-  *
-  * Security hooks for file operations
-  *
-@@ -1425,6 +1434,7 @@ union security_list_options {
- 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
-+	int (*inode_copy_up) (struct dentry *src, struct cred **new);
- 
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1696,6 +1706,7 @@ struct security_hook_heads {
- 	struct list_head inode_setsecurity;
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
-+	struct list_head inode_copy_up;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 7831cd5..c5b0ccd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
- int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
-+int security_inode_copy_up(struct dentry *src, struct cred **new);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = 0;
- }
- 
-+static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return 0;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index 4838e7f..f2a7f27 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	call_void_hook(inode_getsecid, inode, secid);
- }
- 
-+int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return call_int_hook(inode_copy_up, 0, src, new);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- 	.inode_getsecid =
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
-+	.inode_copy_up =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch

@@ -1,62 +0,0 @@
-From b45eb80e5b2412980d38d2ea00aabc3057a91a05 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 02/24] selinux: Implementation for inode_copy_up() hook
-
-A file is being copied up for overlay file system. Prepare a new set of
-creds and set create_sid appropriately so that new file is created with
-appropriate label.
-
-Overlay inode has right label for both context and non-context mount
-cases. In case of non-context mount, overlay inode will have the label
-of lower file and in case of context mount, overlay inode will have
-the label from context= mount option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 13185a6..264ee90 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = isec->sid;
- }
- 
-+static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	u32 sid;
-+	struct task_security_struct *tsec;
-+	struct cred *new_creds = *new;
-+
-+	if (new_creds == NULL) {
-+		new_creds = prepare_creds();
-+		if (!new_creds)
-+			return -ENOMEM;
-+	}
-+
-+	tsec = new_creds->security;
-+	/* Get label from overlay inode and set it in create_sid */
-+	selinux_inode_getsecid(d_inode(src), &sid);
-+	tsec->create_sid = sid;
-+	*new = new_creds;
-+	return 0;
-+}
-+
- /* file security operations */
- 
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-+	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
- 
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch

@@ -1,129 +0,0 @@
-From 8a5e4f3cd784d18008e2f32f07cf7ab2f949c00a Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 03/24] security,overlayfs: Provide security hook for copy up
- of xattrs for overlay file
-
-Provide a security hook which is called when xattrs of a file are being
-copied up. This hook is called once for each xattr and LSM can return
-0 if the security module wants the xattr to be copied up, 1 if the
-security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
-if the security module does not handle/manage the xattr, or a -errno
-upon an error.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/copy_up.c    |  7 +++++++
- include/linux/lsm_hooks.h | 10 ++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 31 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 14a892b..8797c72 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -115,6 +115,13 @@ retry:
- 			goto retry;
- 		}
- 
-+		error = security_inode_copy_up_xattr(name);
-+		if (error < 0 && error != -EOPNOTSUPP)
-+			break;
-+		if (error == 1) {
-+			error = 0;
-+			continue; /* Discard */
-+		}
- 		error = vfs_setxattr(new, name, value, size, 0);
- 		if (error)
- 			break;
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index ba3c842..336b3fb 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -410,6 +410,14 @@
-  *	@src indicates the union dentry of file that is being copied up.
-  *	@new pointer to pointer to return newly allocated creds.
-  *	Returns 0 on success or a negative error code on error.
-+ * @inode_copy_up_xattr:
-+ *	Filter the xattrs being copied up when a unioned file is copied
-+ *	up from a lower layer to the union/overlay layer.
-+ *	@name indicates the name of the xattr.
-+ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
-+ *	security module does not know about attribute or a negative error code
-+ *	to abort the copy up. Note that the caller is responsible for reading
-+ *	and writing the xattrs as this hook is merely a filter.
-  *
-  * Security hooks for file operations
-  *
-@@ -1435,6 +1443,7 @@ union security_list_options {
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
- 	int (*inode_copy_up) (struct dentry *src, struct cred **new);
-+	int (*inode_copy_up_xattr) (const char *name);
- 
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1707,6 +1716,7 @@ struct security_hook_heads {
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
- 	struct list_head inode_copy_up;
-+	struct list_head inode_copy_up_xattr;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index c5b0ccd..536fafd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
- int security_inode_copy_up(struct dentry *src, struct cred **new);
-+int security_inode_copy_up_xattr(const char *name);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
- 
-+static inline int security_inode_copy_up_xattr(const char *name)
-+{
-+	return -EOPNOTSUPP;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index f2a7f27..a9e2bb9 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
- }
- EXPORT_SYMBOL(security_inode_copy_up);
- 
-+int security_inode_copy_up_xattr(const char *name)
-+{
-+	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up_xattr);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- 	.inode_copy_up =
- 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
-+	.inode_copy_up_xattr =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch

@@ -1,53 +0,0 @@
-From 6f9f7038760f6ed22de9beb621d1dcd5259bfa00 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 04/24] selinux: Implementation for inode_copy_up_xattr() hook
-
-When a file is copied up in overlay, we have already created file on upper/
-with right label and there is no need to copy up selinux label/xattr from
-lower file to upper file. In fact in case of context mount, we don't want
-to copy up label as newly created file got its label from context= option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 264ee90..d30d7b3 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
- 
-+static int selinux_inode_copy_up_xattr(const char *name)
-+{
-+	/* The copy_up hook above sets the initial context on an inode, but we
-+	 * don't then want to overwrite it by blindly copying all the lower
-+	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
-+	 */
-+	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
-+		return 1; /* Discard */
-+	/*
-+	 * Any other attribute apart from SELINUX is not claimed, supported
-+	 * by selinux.
-+	 */
-+	return -EOPNOTSUPP;
-+}
-+
- /* file security operations */
- 
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
- 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-+	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
- 
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch

@@ -1,73 +0,0 @@
-From 1104a4c8e3bdf480e5ca55b558a3812b5190bb84 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 05/24] selinux: Pass security pointer to
- determine_inode_label()
-
-Right now selinux_determine_inode_label() works on security pointer of
-current task. Soon I need this to work on a security pointer retrieved
-from a set of creds. So start passing in a pointer and caller can decide
-where to fetch security pointer from.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d30d7b3..2bf0d00 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1808,13 +1808,13 @@ out:
- /*
-  * Determine the label for an inode that might be unioned.
-  */
--static int selinux_determine_inode_label(struct inode *dir,
--					 const struct qstr *name,
--					 u16 tclass,
--					 u32 *_new_isid)
-+static int
-+selinux_determine_inode_label(const struct task_security_struct *tsec,
-+				 struct inode *dir,
-+				 const struct qstr *name, u16 tclass,
-+				 u32 *_new_isid)
- {
- 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
--	const struct task_security_struct *tsec = current_security();
- 
- 	if ((sbsec->flags & SE_SBINITIALIZED) &&
- 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
-@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
- 	if (rc)
- 		return rc;
- 
--	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
--					   &newsid);
-+	rc = selinux_determine_inode_label(current_security(), dir,
-+					   &dentry->d_name, tclass, &newsid);
- 	if (rc)
- 		return rc;
- 
-@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	u32 newsid;
- 	int rc;
- 
--	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
-+	rc = selinux_determine_inode_label(current_security(),
-+					   d_inode(dentry->d_parent), name,
- 					   inode_mode_to_security_class(mode),
- 					   &newsid);
- 	if (rc)
-@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 	sid = tsec->sid;
- 	newsid = tsec->create_sid;
- 
--	rc = selinux_determine_inode_label(
-+	rc = selinux_determine_inode_label(current_security(),
- 		dir, qstr,
- 		inode_mode_to_security_class(inode->i_mode),
- 		&newsid);
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch

@@ -1,159 +0,0 @@
-From 6edae1670b755c5c747bdb30031ff9b24f2f585e Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 06/24] security, overlayfs: Provide hook to correctly label
- newly created files
-
-During a new file creation we need to make sure new file is created with the
-right label. New file is created in upper/ so effectively file should get
-label as if task had created file in upper/.
-
-We switched to mounter's creds for actual file creation. Also if there is a
-whiteout present, then file will be created in work/ dir first and then
-renamed in upper. In none of the cases file will be labeled as we want it to
-be.
-
-This patch introduces a new hook dentry_create_files_as(), which determines
-the label/context dentry will get if it had been created by task in upper
-and modify passed set of creds appropriately. Caller makes use of these new
-creds for file creation.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/dir.c        | 10 ++++++++++
- include/linux/lsm_hooks.h | 15 +++++++++++++++
- include/linux/security.h  | 12 ++++++++++++
- security/security.c       | 11 +++++++++++
- 4 files changed, 48 insertions(+)
-
-diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
-index 74e6964..adfaa21 100644
---- a/fs/overlayfs/dir.c
-+++ b/fs/overlayfs/dir.c
-@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 	if (override_cred) {
- 		override_cred->fsuid = inode->i_uid;
- 		override_cred->fsgid = inode->i_gid;
-+		if (!hardlink) {
-+			err = security_dentry_create_files_as(dentry,
-+					stat->mode, &dentry->d_name, old_cred,
-+					override_cred);
-+			if (err) {
-+				put_cred(override_cred);
-+				goto out_revert_creds;
-+			}
-+		}
- 		put_cred(override_creds(override_cred));
- 		put_cred(override_cred);
- 
-@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 			err = ovl_create_over_whiteout(dentry, inode, stat,
- 							link, hardlink);
- 	}
-+out_revert_creds:
- 	revert_creds(old_cred);
- 	if (!err) {
- 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 336b3fb..55891c0 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -151,6 +151,16 @@
-  *	@name name of the last path component used to create file
-  *	@ctx pointer to place the pointer to the resulting context in.
-  *	@ctxlen point to place the length of the resulting context.
-+ * @dentry_create_files_as:
-+ *	Compute a context for a dentry as the inode is not yet available
-+ *	and set that context in passed in creds so that new files are
-+ *	created using that context. Context is calculated using the
-+ *	passed in creds and not the creds of the caller.
-+ *	@dentry dentry to use in calculating the context.
-+ *	@mode mode used to determine resource type.
-+ *	@name name of the last path component used to create file
-+ * 	@old creds which should be used for context calculation
-+ * 	@new creds to modify
-  *
-  *
-  * Security hooks for inode operations.
-@@ -1375,6 +1385,10 @@ union security_list_options {
- 	int (*dentry_init_security)(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
- 
- 
- #ifdef CONFIG_SECURITY_PATH
-@@ -1675,6 +1689,7 @@ struct security_hook_heads {
- 	struct list_head sb_clone_mnt_opts;
- 	struct list_head sb_parse_opts_str;
- 	struct list_head dentry_init_security;
-+	struct list_head dentry_create_files_as;
- #ifdef CONFIG_SECURITY_PATH
- 	struct list_head path_unlink;
- 	struct list_head path_mkdir;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 536fafd..a6c6d5d 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
- int security_dentry_init_security(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
- 
- int security_inode_alloc(struct inode *inode);
- void security_inode_free(struct inode *inode);
-@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
- 	return -EOPNOTSUPP;
- }
- 
-+static inline int security_dentry_create_files_as(struct dentry *dentry,
-+						  int mode, struct qstr *name,
-+						  const struct cred *old,
-+						  struct cred *new)
-+{
-+	return 0;
-+}
-+
- 
- static inline int security_inode_init_security(struct inode *inode,
- 						struct inode *dir,
-diff --git a/security/security.c b/security/security.c
-index a9e2bb9..69614f1 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
- }
- EXPORT_SYMBOL(security_dentry_init_security);
- 
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old, struct cred *new)
-+{
-+	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-+				name, old, new);
-+}
-+EXPORT_SYMBOL(security_dentry_create_files_as);
-+
- int security_inode_init_security(struct inode *inode, struct inode *dir,
- 				 const struct qstr *qstr,
- 				 const initxattrs initxattrs, void *fs_data)
-@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- 	.dentry_init_security =
- 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
-+	.dentry_create_files_as =
-+		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
- #ifdef CONFIG_SECURITY_PATH
- 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
- 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch

@@ -1,60 +0,0 @@
-From d1d5776d41d3c426ccb6984206d20769ba1ad01f Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 07/24] selinux: Implement dentry_create_files_as() hook
-
-Calculate what would be the label of newly created file and set that secid
-in the passed creds.
-
-Context of the task which is actually creating file is retrieved from
-set of creds passed in. (old->security).
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 2bf0d00..603b600 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
- }
- 
-+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
-+					  struct qstr *name,
-+					  const struct cred *old,
-+					  struct cred *new)
-+{
-+	u32 newsid;
-+	int rc;
-+	struct task_security_struct *tsec;
-+
-+	rc = selinux_determine_inode_label(old->security,
-+					   d_inode(dentry->d_parent), name,
-+					   inode_mode_to_security_class(mode),
-+					   &newsid);
-+	if (rc)
-+		return rc;
-+
-+	tsec = new->security;
-+	tsec->create_sid = newsid;
-+	return 0;
-+}
-+
- static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 				       const struct qstr *qstr,
- 				       const char **name,
-@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
- 
- 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-+	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
- 
- 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
- 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch

@@ -1,40 +0,0 @@
-From e47cbf707c26036420fec8846d07ec640b744c0e Mon Sep 17 00:00:00 2001
-From: Herbert Xu <herbert@gondor.apana.org.au>
-Date: Sun, 11 Dec 2016 10:05:49 +0800
-Subject: [PATCH 22/24] Revert "tty: serial: 8250: add CON_CONSDEV to flags"
-
-This commit needs to be reverted because it prevents people from
-using the serial console as a secondary console with input being
-directed to tty0.
-
-IOW, if you boot with console=ttyS0 console=tty0 then all kernels
-prior to this commit will produce output on both ttyS0 and tty0
-but input will only be taken from tty0.  With this patch the serial
-console will always be the primary console instead of tty0,
-potentially preventing people from getting into their machines in
-emergency situations.
-
-Fixes: d03516df8375 ("tty: serial: 8250: add CON_CONSDEV to flags")
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: stable <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/8250/8250_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
-index dcf43f6..fa823a5 100644
---- a/drivers/tty/serial/8250/8250_core.c
-+++ b/drivers/tty/serial/8250/8250_core.c
-@@ -675,7 +675,7 @@ static struct console univ8250_console = {
- 	.device		= uart_console_device,
- 	.setup		= univ8250_console_setup,
- 	.match		= univ8250_console_match,
--	.flags		= CON_PRINTBUFFER | CON_ANYTIME | CON_CONSDEV,
-+	.flags		= CON_PRINTBUFFER | CON_ANYTIME,
- 	.index		= -1,
- 	.data		= &serial8250_reg,
- };
--- 
-2.9.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From 14accb84196be11dbfc524cc24014f479c81e5e2 Mon Sep 17 00:00:00 2001
+From 428385fe28e9523377ecf26c97dd36382468fd8d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 08/24] Add secure_modules() call
+Subject: [PATCH 01/18] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 529efae..0332fdd 100644
+index 0e54d5b..085b720 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
+@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From c1a2f1afbbccfb4c5659b4dae4f82b442c38f57b Mon Sep 17 00:00:00 2001
+From ac008727488d38debfe9d336bc3172c0cc6a55d3 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 09/24] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/18] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From ef9962bc8d75916b7c2f70a4b13b53f3332efa40 Mon Sep 17 00:00:00 2001
+From 594c655d0c106fbc6c3789688d0f58dd741f2c49 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 10/24] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/18] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -46,7 +46,7 @@ index 589b319..ab83724 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index a33163d..48a2897 100644
+index 6d9cc2d..a6eca51 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -28,6 +28,7 @@
@@ -57,7 +57,7 @@ index a33163d..48a2897 100644
  
  #include <linux/uaccess.h>
  
-@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -578,6 +579,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  	unsigned long i = *ppos;
  	const char __user *tmp = buf;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From d01d4b34ddae2cd731d4b8b08c53260a448806b6 Mon Sep 17 00:00:00 2001
+From 6514dc7053261af884ba59e0a6c08a1c091dc9e0 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 11/24] ACPI: Limit access to custom_method
+Subject: [PATCH 04/18] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From 70e4a01956577b99322da3aa0ff3bc991fc23401 Mon Sep 17 00:00:00 2001
+From 459c4b5751f448645f26292fe780d97d47e84265 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 12/24] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/18] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 7c093a0..21fd6b8 100644
+index ce6ca31..55d2399 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From c746f3492e8c039f9c85341d36cec803cbef9424 Mon Sep 17 00:00:00 2001
+From 06dd44588d8aa2f2c4a903b858660d6d6860c22f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 13/24] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/18] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 48a2897..08a7bff 100644
+index a6eca51..191b2b0 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -27,7 +27,7 @@ index 48a2897..08a7bff 100644
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+@@ -514,6 +517,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
  	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
  	int err = 0;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From 5f74d421b9177d8f92a9462771744e26713b3110 Mon Sep 17 00:00:00 2001
+From 904f9519810723da81230c693b60510684990837 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 14/24] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 07/18] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 4305ee9..fa1bcf0 100644
+index 416953a..4887e34 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 4305ee9..fa1bcf0 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,7 +1,7 @@
-From fb93701fdbfbe966ea426cc02e6cd0abdc4e955a Mon Sep 17 00:00:00 2001
+From 97b270a085859d5ada3614b45902c0b75df2be4e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 15/24] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/18] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From c707e9d71a1beeecf41e75936c89587b68734a35 Mon Sep 17 00:00:00 2001
+From 43e3113404497c837aa083b43b0a9e08dae73f53 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 16/24] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/18] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From 22a7af2714d4dc7284c8070d305fb6d15a8f119b Mon Sep 17 00:00:00 2001
+From 24fd0e7dcfb42abc8999f0bc3b55bdf02324da75 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 17/24] Add option to automatically enforce module signatures
+Subject: [PATCH 10/18] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2a1f0ce..ba2c734 100644
+index bada636..882da2b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1774,6 +1774,16 @@ config EFI_MIXED
+@@ -1786,6 +1786,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index 2a1f0ce..ba2c734 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 94dd4a3..1959b82 100644
+index cc69e37..17b3765 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index 94dd4a3..1959b82 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -571,6 +572,36 @@ free_handle:
+@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params)
  	efi_call_early(free_pool, pci_handle);
  }
  
@@ -103,7 +103,7 @@ index 94dd4a3..1959b82 100644
  static efi_status_t
  setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
  {
-@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d5219b1..d635886 100644
+index 9c337b0..f7f369b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
@@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 0332fdd..3f1ea6b 100644
+index 085b720..e0c6216 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod,
+@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From 22710872487fdcb61445299f7cdd92d1b702fcc8 Mon Sep 17 00:00:00 2001
+From 24e6c471ffdfed1d389c9bd033117e1ca4cbd97b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 18/24] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 11/18] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index ba2c734..a5d6b58 100644
+index 882da2b..d666ef8b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1775,7 +1775,8 @@ config EFI_MIXED
+@@ -1787,7 +1787,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From b0f4c9e56311b1d894766e815570b240f5c5edbe Mon Sep 17 00:00:00 2001
+From 3891469497a0435fa026dca9fe58dc707d49c197 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 19/24] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 12/18] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d635886..5824ae5 100644
+index f7f369b..60dccc2 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
@@ -27,10 +27,10 @@ index d635886..5824ae5 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 0148a30..4b62b48 100644
+index cba7177..0d76705 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1045,6 +1045,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From f342c4af0fd094a2ab367c5b5bf019d41337e7e9 Mon Sep 17 00:00:00 2001
+From 804784cb138b64f247a1db03d2b43118e4d31e54 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 20/24] hibernate: Disable in a signed modules environment
+Subject: [PATCH 13/18] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 33c79b6..d1420be 100644
+index b26dbc4..ab187ad 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From fd0e3487c3e608c27b03adad678df805eff0811f Mon Sep 17 00:00:00 2001
+From 023410cc67fdf43960f44d73121e735aeee3fc35 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 21/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 14/18] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index ace32d3..66cfbaa 100644
+index c0c41c9..8ab8bd3 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0015-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
-From e3614cf4156b5b9eb7eb9e1a1081260ca404b0fe Mon Sep 17 00:00:00 2001
+From 888796efad08c03f7868fe02189e02132e925766 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 23/24] Add arm64 coreos verity hash
+Subject: [PATCH 15/18] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
  1 file changed, 5 insertions(+)
 
 diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
-index 4d19508..b7ecaf9 100644
+index 332e331..964bae1 100644
 --- a/arch/arm64/kernel/head.S
 +++ b/arch/arm64/kernel/head.S
 @@ -195,6 +195,11 @@ section_table:

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch

@@ -1,7 +1,7 @@
-From e5868fc1175409ad885926cbb66cb5dc5fc3e6fa Mon Sep 17 00:00:00 2001
+From 648e8f090f90f19237cfa70c047419341de49417 Mon Sep 17 00:00:00 2001
 From: Stephen Smalley <sds@tycho.nsa.gov>
 Date: Mon, 9 Jan 2017 10:07:31 -0500
-Subject: [PATCH 24/24] selinux: allow context mounts on tmpfs, ramfs, devpts
+Subject: [PATCH 16/18] selinux: allow context mounts on tmpfs, ramfs, devpts
  within user namespaces
 
 commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
@@ -31,7 +31,7 @@ Signed-off-by: Paul Moore <paul@paul-moore.com>
  1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 603b600..feb29df 100644
+index 09fd610..7f4387f 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
 @@ -832,10 +832,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch

@@ -0,0 +1,179 @@
+From 463b9d55d967de5900c5097bc99c34f4207a85a9 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 31 Jan 2017 23:58:38 +0100
+Subject: [PATCH 17/18] perf/x86/intel/rapl: Make package handling more robust
+
+The package management code in RAPL relies on package mapping being
+available before a CPU is started. This changed with:
+
+  9d85eb9119f4 ("x86/smpboot: Make logical package management more robust")
+
+because the ACPI/BIOS information turned out to be unreliable, but that
+left RAPL in broken state. This was not noticed because on a regular boot
+all CPUs are online before RAPL is initialized.
+
+A possible fix would be to reintroduce the mess which allocates a package
+data structure in CPU prepare and when it turns out to already exist in
+starting throw it away later in the CPU online callback. But that's a
+horrible hack and not required at all because RAPL becomes functional for
+perf only in the CPU online callback. That's correct because user space is
+not yet informed about the CPU being onlined, so nothing caan rely on RAPL
+being available on that particular CPU.
+
+Move the allocation to the CPU online callback and simplify the hotplug
+handling. At this point the package mapping is established and correct.
+
+This also adds a missing check for available package data in the
+event_init() function.
+
+Reported-by: Yasuaki Ishimatsu <yasu.isimatu@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust")
+Link: http://lkml.kernel.org/r/20170131230141.212593966@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/events/intel/rapl.c | 60 +++++++++++++++++++-------------------------
+ include/linux/cpuhotplug.h   |  1 -
+ 2 files changed, 26 insertions(+), 35 deletions(-)
+
+diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c
+index 0a535ce..1dba3c2 100644
+--- a/arch/x86/events/intel/rapl.c
++++ b/arch/x86/events/intel/rapl.c
+@@ -161,7 +161,13 @@ static u64 rapl_timer_ms;
+ 
+ static inline struct rapl_pmu *cpu_to_rapl_pmu(unsigned int cpu)
+ {
+-	return rapl_pmus->pmus[topology_logical_package_id(cpu)];
++	unsigned int pkgid = topology_logical_package_id(cpu);
++
++	/*
++	 * The unsigned check also catches the '-1' return value for non
++	 * existent mappings in the topology map.
++	 */
++	return pkgid < rapl_pmus->maxpkg ? rapl_pmus->pmus[pkgid] : NULL;
+ }
+ 
+ static inline u64 rapl_read_counter(struct perf_event *event)
+@@ -402,6 +408,8 @@ static int rapl_pmu_event_init(struct perf_event *event)
+ 
+ 	/* must be done before validate_group */
+ 	pmu = cpu_to_rapl_pmu(event->cpu);
++	if (!pmu)
++		return -EINVAL;
+ 	event->cpu = pmu->cpu;
+ 	event->pmu_private = pmu;
+ 	event->hw.event_base = msr;
+@@ -585,6 +593,20 @@ static int rapl_cpu_online(unsigned int cpu)
+ 	struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu);
+ 	int target;
+ 
++	if (!pmu) {
++		pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu));
++		if (!pmu)
++			return -ENOMEM;
++
++		raw_spin_lock_init(&pmu->lock);
++		INIT_LIST_HEAD(&pmu->active_list);
++		pmu->pmu = &rapl_pmus->pmu;
++		pmu->timer_interval = ms_to_ktime(rapl_timer_ms);
++		rapl_hrtimer_init(pmu);
++
++		rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu;
++	}
++
+ 	/*
+ 	 * Check if there is an online cpu in the package which collects rapl
+ 	 * events already.
+@@ -598,27 +620,6 @@ static int rapl_cpu_online(unsigned int cpu)
+ 	return 0;
+ }
+ 
+-static int rapl_cpu_prepare(unsigned int cpu)
+-{
+-	struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu);
+-
+-	if (pmu)
+-		return 0;
+-
+-	pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu));
+-	if (!pmu)
+-		return -ENOMEM;
+-
+-	raw_spin_lock_init(&pmu->lock);
+-	INIT_LIST_HEAD(&pmu->active_list);
+-	pmu->pmu = &rapl_pmus->pmu;
+-	pmu->timer_interval = ms_to_ktime(rapl_timer_ms);
+-	pmu->cpu = -1;
+-	rapl_hrtimer_init(pmu);
+-	rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu;
+-	return 0;
+-}
+-
+ static int rapl_check_hw_unit(bool apply_quirk)
+ {
+ 	u64 msr_rapl_power_unit_bits;
+@@ -802,29 +803,21 @@ static int __init rapl_pmu_init(void)
+ 	/*
+ 	 * Install callbacks. Core will call them for each online cpu.
+ 	 */
+-
+-	ret = cpuhp_setup_state(CPUHP_PERF_X86_RAPL_PREP, "PERF_X86_RAPL_PREP",
+-				rapl_cpu_prepare, NULL);
+-	if (ret)
+-		goto out;
+-
+ 	ret = cpuhp_setup_state(CPUHP_AP_PERF_X86_RAPL_ONLINE,
+ 				"AP_PERF_X86_RAPL_ONLINE",
+ 				rapl_cpu_online, rapl_cpu_offline);
+ 	if (ret)
+-		goto out1;
++		goto out;
+ 
+ 	ret = perf_pmu_register(&rapl_pmus->pmu, "power", -1);
+ 	if (ret)
+-		goto out2;
++		goto out1;
+ 
+ 	rapl_advertise();
+ 	return 0;
+ 
+-out2:
+-	cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE);
+ out1:
+-	cpuhp_remove_state(CPUHP_PERF_X86_RAPL_PREP);
++	cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE);
+ out:
+ 	pr_warn("Initialization failed (%d), disabled\n", ret);
+ 	cleanup_rapl_pmus();
+@@ -835,7 +828,6 @@ module_init(rapl_pmu_init);
+ static void __exit intel_rapl_exit(void)
+ {
+ 	cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_RAPL_ONLINE);
+-	cpuhp_remove_state_nocalls(CPUHP_PERF_X86_RAPL_PREP);
+ 	perf_pmu_unregister(&rapl_pmus->pmu);
+ 	cleanup_rapl_pmus();
+ }
+diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
+index ba1cad7..965cc56 100644
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -10,7 +10,6 @@ enum cpuhp_state {
+ 	CPUHP_PERF_X86_PREPARE,
+ 	CPUHP_PERF_X86_UNCORE_PREP,
+ 	CPUHP_PERF_X86_AMD_UNCORE_PREP,
+-	CPUHP_PERF_X86_RAPL_PREP,
+ 	CPUHP_PERF_BFIN,
+ 	CPUHP_PERF_POWER,
+ 	CPUHP_PERF_SUPERH,
+-- 
+2.9.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch

@@ -0,0 +1,309 @@
+From c768c2f2907728b8ce5c43718221afcd1353da8b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 31 Jan 2017 23:58:40 +0100
+Subject: [PATCH 18/18] perf/x86/intel/uncore: Make package handling more
+ robust
+
+The package management code in uncore relies on package mapping being
+available before a CPU is started. This changed with:
+
+  9d85eb9119f4 ("x86/smpboot: Make logical package management more robust")
+
+because the ACPI/BIOS information turned out to be unreliable, but that
+left uncore in broken state. This was not noticed because on a regular boot
+all CPUs are online before uncore is initialized.
+
+Move the allocation to the CPU online callback and simplify the hotplug
+handling. At this point the package mapping is established and correct.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: Yasuaki Ishimatsu <yasu.isimatu@gmail.com>
+Fixes: 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust")
+Link: http://lkml.kernel.org/r/20170131230141.377156255@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/events/intel/uncore.c | 196 +++++++++++++++++++----------------------
+ include/linux/cpuhotplug.h     |   2 -
+ 2 files changed, 91 insertions(+), 107 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
+index 19d646a..f2d760d 100644
+--- a/arch/x86/events/intel/uncore.c
++++ b/arch/x86/events/intel/uncore.c
+@@ -100,7 +100,13 @@ ssize_t uncore_event_show(struct kobject *kobj,
+ 
+ struct intel_uncore_box *uncore_pmu_to_box(struct intel_uncore_pmu *pmu, int cpu)
+ {
+-	return pmu->boxes[topology_logical_package_id(cpu)];
++	unsigned int pkgid = topology_logical_package_id(cpu);
++
++	/*
++	 * The unsigned check also catches the '-1' return value for non
++	 * existent mappings in the topology map.
++	 */
++	return pkgid < max_packages ? pmu->boxes[pkgid] : NULL;
+ }
+ 
+ u64 uncore_msr_read_counter(struct intel_uncore_box *box, struct perf_event *event)
+@@ -1033,76 +1039,6 @@ static void uncore_pci_exit(void)
+ 	}
+ }
+ 
+-static int uncore_cpu_dying(unsigned int cpu)
+-{
+-	struct intel_uncore_type *type, **types = uncore_msr_uncores;
+-	struct intel_uncore_pmu *pmu;
+-	struct intel_uncore_box *box;
+-	int i, pkg;
+-
+-	pkg = topology_logical_package_id(cpu);
+-	for (; *types; types++) {
+-		type = *types;
+-		pmu = type->pmus;
+-		for (i = 0; i < type->num_boxes; i++, pmu++) {
+-			box = pmu->boxes[pkg];
+-			if (box && atomic_dec_return(&box->refcnt) == 0)
+-				uncore_box_exit(box);
+-		}
+-	}
+-	return 0;
+-}
+-
+-static int uncore_cpu_starting(unsigned int cpu)
+-{
+-	struct intel_uncore_type *type, **types = uncore_msr_uncores;
+-	struct intel_uncore_pmu *pmu;
+-	struct intel_uncore_box *box;
+-	int i, pkg;
+-
+-	pkg = topology_logical_package_id(cpu);
+-	for (; *types; types++) {
+-		type = *types;
+-		pmu = type->pmus;
+-		for (i = 0; i < type->num_boxes; i++, pmu++) {
+-			box = pmu->boxes[pkg];
+-			if (!box)
+-				continue;
+-			/* The first cpu on a package activates the box */
+-			if (atomic_inc_return(&box->refcnt) == 1)
+-				uncore_box_init(box);
+-		}
+-	}
+-
+-	return 0;
+-}
+-
+-static int uncore_cpu_prepare(unsigned int cpu)
+-{
+-	struct intel_uncore_type *type, **types = uncore_msr_uncores;
+-	struct intel_uncore_pmu *pmu;
+-	struct intel_uncore_box *box;
+-	int i, pkg;
+-
+-	pkg = topology_logical_package_id(cpu);
+-	for (; *types; types++) {
+-		type = *types;
+-		pmu = type->pmus;
+-		for (i = 0; i < type->num_boxes; i++, pmu++) {
+-			if (pmu->boxes[pkg])
+-				continue;
+-			/* First cpu of a package allocates the box */
+-			box = uncore_alloc_box(type, cpu_to_node(cpu));
+-			if (!box)
+-				return -ENOMEM;
+-			box->pmu = pmu;
+-			box->pkgid = pkg;
+-			pmu->boxes[pkg] = box;
+-		}
+-	}
+-	return 0;
+-}
+-
+ static void uncore_change_type_ctx(struct intel_uncore_type *type, int old_cpu,
+ 				   int new_cpu)
+ {
+@@ -1142,12 +1078,14 @@ static void uncore_change_context(struct intel_uncore_type **uncores,
+ 
+ static int uncore_event_cpu_offline(unsigned int cpu)
+ {
+-	int target;
++	struct intel_uncore_type *type, **types = uncore_msr_uncores;
++	struct intel_uncore_pmu *pmu;
++	struct intel_uncore_box *box;
++	int i, pkg, target;
+ 
+ 	/* Check if exiting cpu is used for collecting uncore events */
+ 	if (!cpumask_test_and_clear_cpu(cpu, &uncore_cpu_mask))
+-		return 0;
+-
++		goto unref;
+ 	/* Find a new cpu to collect uncore events */
+ 	target = cpumask_any_but(topology_core_cpumask(cpu), cpu);
+ 
+@@ -1159,12 +1097,82 @@ static int uncore_event_cpu_offline(unsigned int cpu)
+ 
+ 	uncore_change_context(uncore_msr_uncores, cpu, target);
+ 	uncore_change_context(uncore_pci_uncores, cpu, target);
++
++unref:
++	/* Clear the references */
++	pkg = topology_logical_package_id(cpu);
++	for (; *types; types++) {
++		type = *types;
++		pmu = type->pmus;
++		for (i = 0; i < type->num_boxes; i++, pmu++) {
++			box = pmu->boxes[pkg];
++			if (box && atomic_dec_return(&box->refcnt) == 0)
++				uncore_box_exit(box);
++		}
++	}
+ 	return 0;
+ }
+ 
++static int allocate_boxes(struct intel_uncore_type **types,
++			 unsigned int pkg, unsigned int cpu)
++{
++	struct intel_uncore_box *box, *tmp;
++	struct intel_uncore_type *type;
++	struct intel_uncore_pmu *pmu;
++	LIST_HEAD(allocated);
++	int i;
++
++	/* Try to allocate all required boxes */
++	for (; *types; types++) {
++		type = *types;
++		pmu = type->pmus;
++		for (i = 0; i < type->num_boxes; i++, pmu++) {
++			if (pmu->boxes[pkg])
++				continue;
++			box = uncore_alloc_box(type, cpu_to_node(cpu));
++			if (!box)
++				goto cleanup;
++			box->pmu = pmu;
++			box->pkgid = pkg;
++			list_add(&box->active_list, &allocated);
++		}
++	}
++	/* Install them in the pmus */
++	list_for_each_entry_safe(box, tmp, &allocated, active_list) {
++		list_del_init(&box->active_list);
++		box->pmu->boxes[pkg] = box;
++	}
++	return 0;
++
++cleanup:
++	list_for_each_entry_safe(box, tmp, &allocated, active_list) {
++		list_del_init(&box->active_list);
++		kfree(box);
++	}
++	return -ENOMEM;
++}
++
+ static int uncore_event_cpu_online(unsigned int cpu)
+ {
+-	int target;
++	struct intel_uncore_type *type, **types = uncore_msr_uncores;
++	struct intel_uncore_pmu *pmu;
++	struct intel_uncore_box *box;
++	int i, ret, pkg, target;
++
++	pkg = topology_logical_package_id(cpu);
++	ret = allocate_boxes(types, pkg, cpu);
++	if (ret)
++		return ret;
++
++	for (; *types; types++) {
++		type = *types;
++		pmu = type->pmus;
++		for (i = 0; i < type->num_boxes; i++, pmu++) {
++			box = pmu->boxes[pkg];
++			if (!box && atomic_inc_return(&box->refcnt) == 1)
++				uncore_box_init(box);
++		}
++	}
+ 
+ 	/*
+ 	 * Check if there is an online cpu in the package
+@@ -1354,33 +1362,13 @@ static int __init intel_uncore_init(void)
+ 	if (cret && pret)
+ 		return -ENODEV;
+ 
+-	/*
+-	 * Install callbacks. Core will call them for each online cpu.
+-	 *
+-	 * The first online cpu of each package allocates and takes
+-	 * the refcounts for all other online cpus in that package.
+-	 * If msrs are not enabled no allocation is required and
+-	 * uncore_cpu_prepare() is not called for each online cpu.
+-	 */
+-	if (!cret) {
+-	       ret = cpuhp_setup_state(CPUHP_PERF_X86_UNCORE_PREP,
+-					"PERF_X86_UNCORE_PREP",
+-					uncore_cpu_prepare, NULL);
+-		if (ret)
+-			goto err;
+-	} else {
+-		cpuhp_setup_state_nocalls(CPUHP_PERF_X86_UNCORE_PREP,
+-					  "PERF_X86_UNCORE_PREP",
+-					  uncore_cpu_prepare, NULL);
+-	}
+-
+-	cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_STARTING,
+-			  "AP_PERF_X86_UNCORE_STARTING",
+-			  uncore_cpu_starting, uncore_cpu_dying);
+-
+-	cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE,
+-			  "AP_PERF_X86_UNCORE_ONLINE",
+-			  uncore_event_cpu_online, uncore_event_cpu_offline);
++	/* Install hotplug callbacks to setup the targets for each package */
++	ret = cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE,
++				"AP_PERF_X86_UNCORE_ONLINE",
++				uncore_event_cpu_online,
++				uncore_event_cpu_offline);
++	if (ret)
++		goto err;
+ 	return 0;
+ 
+ err:
+@@ -1392,9 +1380,7 @@ module_init(intel_uncore_init);
+ 
+ static void __exit intel_uncore_exit(void)
+ {
+-	cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_UNCORE_ONLINE);
+-	cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_UNCORE_STARTING);
+-	cpuhp_remove_state_nocalls(CPUHP_PERF_X86_UNCORE_PREP);
++	cpuhp_remove_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE);
+ 	uncore_types_exit(uncore_msr_uncores);
+ 	uncore_pci_exit();
+ }
+diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
+index 965cc56..ce83119 100644
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -8,7 +8,6 @@ enum cpuhp_state {
+ 	CPUHP_CREATE_THREADS,
+ 	CPUHP_PERF_PREPARE,
+ 	CPUHP_PERF_X86_PREPARE,
+-	CPUHP_PERF_X86_UNCORE_PREP,
+ 	CPUHP_PERF_X86_AMD_UNCORE_PREP,
+ 	CPUHP_PERF_BFIN,
+ 	CPUHP_PERF_POWER,
+@@ -63,7 +62,6 @@ enum cpuhp_state {
+ 	CPUHP_AP_IRQ_ARMADA_CASC_STARTING,
+ 	CPUHP_AP_IRQ_BCM2836_STARTING,
+ 	CPUHP_AP_ARM_MVEBU_COHERENCY,
+-	CPUHP_AP_PERF_X86_UNCORE_STARTING,
+ 	CPUHP_AP_PERF_X86_AMD_UNCORE_STARTING,
+ 	CPUHP_AP_PERF_X86_STARTING,
+ 	CPUHP_AP_PERF_X86_AMD_IBS_STARTING,
+-- 
+2.9.3
+