From fe29234528b1452380ab9a427f9d0ea3708141d6 Mon Sep 17 00:00:00 2001
From: David Michael <dm0@redhat.com>
Date: Wed, 15 Aug 2018 16:58:19 +0000
Subject: [PATCH] sys-kernel/coreos-sources: Bump 4.14.62 to 4.14.63

---
 ...62.ebuild => coreos-kernel-4.14.63.ebuild} |  0
 ...2.ebuild => coreos-modules-4.14.63.ebuild} |  0
 .../sys-kernel/coreos-sources/Manifest        |  2 +-
 ...2.ebuild => coreos-sources-4.14.63.ebuild} |  1 +
 ...lative-path-for-KBUILD_SRC-from-CURD.patch |  6 +-
 .../z0002-Add-arm64-coreos-verity-hash.patch  |  4 +-
 ...kefile-Don-t-fail-on-fallthrough-wit.patch |  4 +-
 ...-netfront-Fix-mismatched-rtnl_unlock.patch |  6 +-
 ...ate-features-after-registering-netde.patch |  6 +-
 ...ncrease-fragment-memory-usage-limits.patch | 63 +++++++++++++++++++
 10 files changed, 78 insertions(+), 14 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.14.62.ebuild => coreos-kernel-4.14.63.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.14.62.ebuild => coreos-modules-4.14.63.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.14.62.ebuild => coreos-sources-4.14.63.ebuild} (94%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0006-Revert-net-increase-fragment-memory-usage-limits.patch

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.63.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.62.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.63.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.63.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.62.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.63.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index b9bba95f35..a43f43f019 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,4 +1,4 @@
 DIST linux-4.14.tar.xz 100770500 BLAKE2B 85dc4aa953fe65e273a24473d8de98e4f204f97c43be9fc87cf5be01f796f94cfde5c8f9c84619751f1cac51f83ce0b4681fb19c5f2965a72d4a94fe5577846a SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
 DIST linux-4.17.tar.xz 102165892 BLAKE2B b9e1fe2c063d2761b4d54594b841f6591fd6f5b634a402c07e0fa5518a2b271293d97c5a7a8e3c30c9c4d78df16bf20a4f0befe998c9a9393bb3290d2df1dda3 SHA512 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-DIST patch-4.14.62.xz 1567892 BLAKE2B ccb7ee6097b49755f873d39f9d2f3d4f75f2e646a1e9f8fe6e09a333da97b0958320f8e713bcef17681bb6e90898a139fdcb15d065deb379e084b6a7646660d4 SHA512 c0f3746650d697d5bf3c84f9ed3646d32e746102f51f87b62999d49f4ab43dd18fcb7b14d9f5e6fc0329af68e22cec761b1ab6a1395ca5e367151edd5e221407
+DIST patch-4.14.63.xz 1598940 BLAKE2B 532af2963b6be9361b8acda05d59c942e69ee27656c47cec3f078a8932a967c8f1a171c0e6688b6ceba656407f577f2b334533bea348720353de06ed39375e01 SHA512 09871bb57e36b15859cfe67691d9cf60831f73e10a8bc43dfe89d22aebf249a84326293612dd620b6ee118b0e60daead76acd93eb1c2a0eb15613836fed5e7b7
 DIST patch-4.17.15.xz 368596 BLAKE2B 30f45922c280d6742f6cefca828deb17602c684e86e2e072e8a42890439f9d317fd4357ae2a1d5b0809b81f6c0e2c4ed54a29c06a43246c7d940c72f973b5f40 SHA512 3e9c0bee00992bf857419ec628e4e3a7651deaf6b4d598cbd50c2fc758ae342d372ff04704737b8eb585e926807ea19c1da3e8a62b3c87583ab2cff0785e331a
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.62.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.63.ebuild
similarity index 94%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.62.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.63.ebuild
index cd5d47e6f3..b1ba619619 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.62.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.63.ebuild
@@ -36,4 +36,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch \
 	${PATCH_DIR}/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch \
 	${PATCH_DIR}/z0005-xen-netfront-Update-features-after-registering-netde.patch \
+	${PATCH_DIR}/z0006-Revert-net-increase-fragment-memory-usage-limits.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index c8a36926f3..a3843c43bb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From f45de8ae090dd18c41f39451a7a1ed29aedbc476 Mon Sep 17 00:00:00 2001
+From 9d1011c375ffe3342c80e582de8f7cde844d5cdd Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/5] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/6] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index d407ecfdee0b..c8dcbd0c8ed2 100644
+index f3bb9428b3dc..b1c2652dc750 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
index 1fb69a6690..2d27074fe4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From 570aaa9028efc04d40d5eb57b7d4ea9f649e510e Mon Sep 17 00:00:00 2001
+From 7a69ba11c9ff74e1be37f5d3be9d0460e41bc4f0 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 2/5] Add arm64 coreos verity hash
+Subject: [PATCH 2/6] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
index 64bf59551e..dd0ea1df6c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
@@ -1,7 +1,7 @@
-From 41ae3a5fb507dc5ea4d1dbd22510850a0ac4e3ed Mon Sep 17 00:00:00 2001
+From e2c5855562db61c969ab9f0048c686e6cee03ece Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 8 Feb 2018 21:23:12 -0500
-Subject: [PATCH 3/5] tools/objtool/Makefile: Don't fail on fallthrough with
+Subject: [PATCH 3/6] tools/objtool/Makefile: Don't fail on fallthrough with
  new GCCs
 
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch
index 34f39bb820..2fe42ec903 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch
@@ -1,7 +1,7 @@
-From 442e935e14fbfc3a4d4b2dec0345eacdaeca948d Mon Sep 17 00:00:00 2001
+From 0d3a9acb7215379fbf9f447ff1896120e8b8c473 Mon Sep 17 00:00:00 2001
 From: Ross Lagerwall <ross.lagerwall@citrix.com>
 Date: Thu, 21 Jun 2018 14:00:20 +0100
-Subject: [PATCH 4/5] xen-netfront: Fix mismatched rtnl_unlock
+Subject: [PATCH 4/6] xen-netfront: Fix mismatched rtnl_unlock
 
 Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
 Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
@@ -13,7 +13,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index dfc076f9ee4b..dee55e2efa54 100644
+index d5e790dd589a..d7dc95f58dae 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
 @@ -1817,7 +1817,7 @@ static int talk_to_netback(struct xenbus_device *dev,
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0005-xen-netfront-Update-features-after-registering-netde.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0005-xen-netfront-Update-features-after-registering-netde.patch
index 2ee2fdec42..1ea8a0197e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0005-xen-netfront-Update-features-after-registering-netde.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0005-xen-netfront-Update-features-after-registering-netde.patch
@@ -1,7 +1,7 @@
-From f9e4830e018654766504ab726c0c14e7acf03114 Mon Sep 17 00:00:00 2001
+From bece1c540243cc7d7164d93860bb5b34858aa6d1 Mon Sep 17 00:00:00 2001
 From: Ross Lagerwall <ross.lagerwall@citrix.com>
 Date: Thu, 21 Jun 2018 14:00:21 +0100
-Subject: [PATCH 5/5] xen-netfront: Update features after registering netdev
+Subject: [PATCH 5/6] xen-netfront: Update features after registering netdev
 
 Update the features after calling register_netdev() otherwise the
 device features are not set up correctly and it not possible to change
@@ -19,7 +19,7 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
-index dee55e2efa54..a246e4ff1985 100644
+index d7dc95f58dae..31bc4210f969 100644
 --- a/drivers/net/xen-netfront.c
 +++ b/drivers/net/xen-netfront.c
 @@ -1958,10 +1958,6 @@ static int xennet_connect(struct net_device *dev)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0006-Revert-net-increase-fragment-memory-usage-limits.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0006-Revert-net-increase-fragment-memory-usage-limits.patch
new file mode 100644
index 0000000000..07b988bcd8
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0006-Revert-net-increase-fragment-memory-usage-limits.patch
@@ -0,0 +1,63 @@
+From d0c455f2007c62369ae25e5bb454955418b82839 Mon Sep 17 00:00:00 2001
+From: David Michael <dm0@redhat.com>
+Date: Wed, 15 Aug 2018 12:43:38 -0400
+Subject: [PATCH 6/6] Revert "net: increase fragment memory usage limits"
+
+This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
+---
+ include/net/ipv6.h     |  4 ++--
+ net/ipv4/ip_fragment.c | 22 +++++++---------------
+ 2 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index e59f385da38e..a0ee27c52d93 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -345,8 +345,8 @@ static inline int ip6_frag_mem(struct net *net)
+ }
+ #endif
+ 
+-#define IPV6_FRAG_HIGH_THRESH	(4 * 1024*1024)	/* 4194304 */
+-#define IPV6_FRAG_LOW_THRESH	(3 * 1024*1024)	/* 3145728 */
++#define IPV6_FRAG_HIGH_THRESH	(256 * 1024)	/* 262144 */
++#define IPV6_FRAG_LOW_THRESH	(192 * 1024)	/* 196608 */
+ #define IPV6_FRAG_TIMEOUT	(60 * HZ)	/* 60 seconds */
+ 
+ int __ipv6_addr_type(const struct in6_addr *addr);
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index 4cb1befc3949..a90461dcf170 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -850,22 +850,14 @@ static void __init ip4_frags_ctl_register(void)
+ 
+ static int __net_init ipv4_frags_init_net(struct net *net)
+ {
+-	/* Fragment cache limits.
+-	 *
+-	 * The fragment memory accounting code, (tries to) account for
+-	 * the real memory usage, by measuring both the size of frag
+-	 * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
+-	 * and the SKB's truesize.
+-	 *
+-	 * A 64K fragment consumes 129736 bytes (44*2944)+200
+-	 * (1500 truesize == 2944, sizeof(struct ipq) == 200)
+-	 *
+-	 * We will commit 4MB at one time. Should we cross that limit
+-	 * we will prune down to 3MB, making room for approx 8 big 64K
+-	 * fragments 8x128k.
++	/*
++	 * Fragment cache limits. We will commit 256K at one time. Should we
++	 * cross that limit we will prune down to 192K. This should cope with
++	 * even the most extreme cases without allowing an attacker to
++	 * measurably harm machine performance.
+ 	 */
+-	net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
+-	net->ipv4.frags.low_thresh  = 3 * 1024 * 1024;
++	net->ipv4.frags.high_thresh = 256 * 1024;
++	net->ipv4.frags.low_thresh = 192 * 1024;
+ 	/*
+ 	 * Important NOTE! Fragment queue must be destroyed before MSL expires.
+ 	 * RFC791 is wrong proposing to prolongate timer each fragment arrival
+-- 
+2.17.1
+