From 7a0b1805300055c4792c0209bd1bf5a3822bf6ae Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Wed, 15 Aug 2018 16:56:45 +0000
Subject: [PATCH] sys-kernel/coreos-sources: Bump 4.17.14 to 4.17.15

---
 ...14.ebuild => coreos-kernel-4.17.15.ebuild} |  0
 ...4.ebuild => coreos-modules-4.17.15.ebuild} |  0
 .../sys-kernel/coreos-sources/Manifest        |  8 +--
 ...4.ebuild => coreos-sources-4.17.15.ebuild} |  1 +
 ...lative-path-for-KBUILD_SRC-from-CURD.patch |  6 +-
 .../z0002-Add-arm64-coreos-verity-hash.patch  |  4 +-
 ...kefile-Don-t-fail-on-fallthrough-wit.patch |  4 +-
 ...t-due-to-x86-boot-compressed-64-Hand.patch |  4 +-
 ...ncrease-fragment-memory-usage-limits.patch | 63 +++++++++++++++++++
 9 files changed, 77 insertions(+), 13 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.17.14.ebuild => coreos-kernel-4.17.15.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.17.14.ebuild => coreos-modules-4.17.15.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.17.14.ebuild => coreos-sources-4.17.15.ebuild} (94%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0005-Revert-net-increase-fragment-memory-usage-limits.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.17.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.17.15.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.17.14.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.17.15.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.17.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.17.15.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.17.14.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.17.15.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 710d4e9c2d..b9bba95f35 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,4 +1,4 @@
-DIST linux-4.14.tar.xz 100770500 SHA256 f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7 SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8 WHIRLPOOL fee10d54ecb210156aa55364ecc15867127819e9f7ff9ec5f6ef159b1013e2ae3d3a28d35c62d663886cbe826b996a1387671766093be002536309045a8e4d10
-DIST linux-4.17.tar.xz 102165892 SHA256 9faa1dd896eaea961dc6e886697c0b3301277102e5bc976b2758f9a62d3ccd13 SHA512 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db WHIRLPOOL 60573a6837a5daae91ea8d36f7aea0439a398d47810524df378b37df20ebb6fa83d518380348ec66cfe8f94b2405de59f884d52ac879cb4ff78f6674ad322077
-DIST patch-4.14.62.xz 1567892 SHA256 2595a071c6253fb579fa0401b3deb9a9d1ddb74dd1dcd1e668ed4d8726dc4b6c SHA512 c0f3746650d697d5bf3c84f9ed3646d32e746102f51f87b62999d49f4ab43dd18fcb7b14d9f5e6fc0329af68e22cec761b1ab6a1395ca5e367151edd5e221407 WHIRLPOOL 5ed0a4592b6ab47d1e04f3eda9fd79af1f7194b13ed65ec511e10ae7b3fba2c1d9c02559897b0333a3a47b4165681ed3001503083039f11cad7a744b8fb3167d
-DIST patch-4.17.14.xz 334432 SHA256 bf4d95df98dc6197024bc2a7c8a8ef5fd3b21495298c7a7a5dbd63c159ea9f17 SHA512 99b76b9305868a93139d9e977ee244c02ada7e3966856a1c559c049dff4543cd39595b723d9fc9b8f27ffef9ff0e4b28bcfbdb28738d5e19342473336553eb27 WHIRLPOOL 437f4aef1dc4dd14ac90e599108e5c219cb3c3db59c7ef01dbd2b161c20671fd3a6cd67b16f330f98d0deffec106b0310668357e8d2802015d722a86dcf77f09
+DIST linux-4.14.tar.xz 100770500 BLAKE2B 85dc4aa953fe65e273a24473d8de98e4f204f97c43be9fc87cf5be01f796f94cfde5c8f9c84619751f1cac51f83ce0b4681fb19c5f2965a72d4a94fe5577846a SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
+DIST linux-4.17.tar.xz 102165892 BLAKE2B b9e1fe2c063d2761b4d54594b841f6591fd6f5b634a402c07e0fa5518a2b271293d97c5a7a8e3c30c9c4d78df16bf20a4f0befe998c9a9393bb3290d2df1dda3 SHA512 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
+DIST patch-4.14.62.xz 1567892 BLAKE2B ccb7ee6097b49755f873d39f9d2f3d4f75f2e646a1e9f8fe6e09a333da97b0958320f8e713bcef17681bb6e90898a139fdcb15d065deb379e084b6a7646660d4 SHA512 c0f3746650d697d5bf3c84f9ed3646d32e746102f51f87b62999d49f4ab43dd18fcb7b14d9f5e6fc0329af68e22cec761b1ab6a1395ca5e367151edd5e221407
+DIST patch-4.17.15.xz 368596 BLAKE2B 30f45922c280d6742f6cefca828deb17602c684e86e2e072e8a42890439f9d317fd4357ae2a1d5b0809b81f6c0e2c4ed54a29c06a43246c7d940c72f973b5f40 SHA512 3e9c0bee00992bf857419ec628e4e3a7651deaf6b4d598cbd50c2fc758ae342d372ff04704737b8eb585e926807ea19c1da3e8a62b3c87583ab2cff0785e331a
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.15.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.14.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.15.ebuild
index fda167a8ac..d65c048271 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.14.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.15.ebuild
@@ -39,4 +39,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0002-Add-arm64-coreos-verity-hash.patch \
 	${PATCH_DIR}/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch \
 	${PATCH_DIR}/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch \
+	${PATCH_DIR}/z0005-Revert-net-increase-fragment-memory-usage-limits.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index acac30b266..0f1dc8d24d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From e9a7cabf0ccc22ba7f661405991ef3d0ef12539e Mon Sep 17 00:00:00 2001
+From e1593c1bc7abaf6ce0fc78802471248646b1ba9d Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/4] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/5] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index ce4248f558d1..e7eb5601d712 100644
+index e8cbf2dd3069..03bcab6788bf 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0002-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0002-Add-arm64-coreos-verity-hash.patch
index 4aa29fc1fd..a78dbdf458 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0002-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0002-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From da77768fcef726254957e64c2adda82bf34f3cd8 Mon Sep 17 00:00:00 2001
+From c95b2f4115f6f2a490ea93c8330145b89208511e Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 2/4] Add arm64 coreos verity hash
+Subject: [PATCH 2/5] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
index 1ce484297e..5a4d245cac 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
@@ -1,7 +1,7 @@
-From 09a476dd6676d037b939b9d87585ddb701ff797f Mon Sep 17 00:00:00 2001
+From c119155056fed0105cd2ae17f70e6432ecaf7886 Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 8 Feb 2018 21:23:12 -0500
-Subject: [PATCH 3/4] tools/objtool/Makefile: Don't fail on fallthrough with
+Subject: [PATCH 3/5] tools/objtool/Makefile: Don't fail on fallthrough with
  new GCCs
 
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch
index 616feb4320..f7b79e9bbb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch
@@ -1,7 +1,7 @@
-From a7996a6eac2d5e305abea44983739878adb8c734 Mon Sep 17 00:00:00 2001
+From 69e6ad4b81284090f96dad849c9f17845c57a443 Mon Sep 17 00:00:00 2001
 From: "Kirill A. Shutemov" <kirill@shutemov.name>
 Date: Wed, 4 Jul 2018 18:08:57 +0300
-Subject: [PATCH 4/4] 4.17.x won't boot due to "x86/boot/compressed/64: Handle
+Subject: [PATCH 4/5] 4.17.x won't boot due to "x86/boot/compressed/64: Handle
  5-level paging boot if kernel is above 4G"
 
 On Tue, Jul 03, 2018 at 05:21:50PM +0300, Kirill A. Shutemov wrote:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0005-Revert-net-increase-fragment-memory-usage-limits.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0005-Revert-net-increase-fragment-memory-usage-limits.patch
new file mode 100644
index 0000000000..cbadb652f5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0005-Revert-net-increase-fragment-memory-usage-limits.patch
@@ -0,0 +1,63 @@
+From c2dfbafc6484be4b8aea89419635cddf3ee9248d Mon Sep 17 00:00:00 2001
+From: David Michael <dm0@redhat.com>
+Date: Wed, 15 Aug 2018 12:50:10 -0400
+Subject: [PATCH 5/5] Revert "net: increase fragment memory usage limits"
+
+This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
+---
+ include/net/ipv6.h     |  4 ++--
+ net/ipv4/ip_fragment.c | 22 +++++++---------------
+ 2 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index aeebbbb9e0bd..f63954d64bf2 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
+ 	    idev->cnf.accept_ra;
+ }
+ 
+-#define IPV6_FRAG_HIGH_THRESH	(4 * 1024*1024)	/* 4194304 */
+-#define IPV6_FRAG_LOW_THRESH	(3 * 1024*1024)	/* 3145728 */
++#define IPV6_FRAG_HIGH_THRESH	(256 * 1024)	/* 262144 */
++#define IPV6_FRAG_LOW_THRESH	(192 * 1024)	/* 196608 */
+ #define IPV6_FRAG_TIMEOUT	(60 * HZ)	/* 60 seconds */
+ 
+ int __ipv6_addr_type(const struct in6_addr *addr);
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index d14d741fb05e..bd10399eb916 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_net(struct net *net)
+ {
+ 	int res;
+ 
+-	/* Fragment cache limits.
+-	 *
+-	 * The fragment memory accounting code, (tries to) account for
+-	 * the real memory usage, by measuring both the size of frag
+-	 * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
+-	 * and the SKB's truesize.
+-	 *
+-	 * A 64K fragment consumes 129736 bytes (44*2944)+200
+-	 * (1500 truesize == 2944, sizeof(struct ipq) == 200)
+-	 *
+-	 * We will commit 4MB at one time. Should we cross that limit
+-	 * we will prune down to 3MB, making room for approx 8 big 64K
+-	 * fragments 8x128k.
++	/*
++	 * Fragment cache limits. We will commit 256K at one time. Should we
++	 * cross that limit we will prune down to 192K. This should cope with
++	 * even the most extreme cases without allowing an attacker to
++	 * measurably harm machine performance.
+ 	 */
+-	net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
+-	net->ipv4.frags.low_thresh  = 3 * 1024 * 1024;
++	net->ipv4.frags.high_thresh = 256 * 1024;
++	net->ipv4.frags.low_thresh = 192 * 1024;
+ 	/*
+ 	 * Important NOTE! Fragment queue must be destroyed before MSL expires.
+ 	 * RFC791 is wrong proposing to prolongate timer each fragment arrival
+-- 
+2.17.1
+