CVE-2018-5391: Issue 3: FragmentSmack (IP fragments) |
Issue description

See https://b.corp.google.com/issues/111650510 for additional details.

Per Issue #3 from http://b/111770854: On Linux 3.9 and newer a good enough fix is to revert the commit c2a936600f78aea00d3312ea4b66a79a4619f9b4 or simply change the (default) values of net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh back to 256 kB and 192 kB (respectively) or below. Fragmentation shouldn't usually be used very much, so there shouldn't be any practical impact on performance. There also is a provisional patch in the works for this issue, which has similar or better performance than lowering the above values.
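A small check for the mitigation the description gives (both reassembly thresholds back at or below 256 kB / 192 kB), added here as an example; it is not code from this bug tracker or from the kernel tree. On Linux it reads the two sysctls from /proc/sys; for offline use it also evaluates a `sysctl -a`-style dump. The function names, the sample dumps and the 3 MB low-threshold sample value are the example's own (constructed), not captured from a host.

```c
/* Added example (not from the bug tracker or the kernel tree): checks whether
 * a host's IPv4 reassembly memory limits are at or below the values the
 * issue description gives as a sufficient mitigation on Linux 3.9 and newer
 * (ipfrag_high_thresh <= 256 kB, ipfrag_low_thresh <= 192 kB).
 * Function names and sample data are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define FRAG_HIGH_MAX (256L * 1024)   /* 256 kB, from the issue description */
#define FRAG_LOW_MAX  (192L * 1024)   /* 192 kB, from the issue description */

/* Constructed sample dumps in `sysctl -a` format (not captured from a host).
 * The 4 MB high threshold matches the default the commit messages cite; the
 * 3 MB low value is an assumption for illustration. */
static const char *const SAMPLE_UNMITIGATED[] = {
    "net.ipv4.ipfrag_high_thresh = 4194304",
    "net.ipv4.ipfrag_low_thresh = 3145728",
};
static const char *const SAMPLE_MITIGATED[] = {
    "net.ipv4.ipfrag_high_thresh = 262144",
    "net.ipv4.ipfrag_low_thresh = 196608",
};

/* Read one integer sysctl from /proc/sys; returns 0 on success, -1 on error. */
static int read_proc_sysctl(const char *path, long *out)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int n = fscanf(f, "%ld", out);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Parse a "key = value" line as printed by `sysctl -a`; returns 0 and fills
 * key/value on success, -1 on a malformed line. */
int parse_sysctl_line(const char *line, char *key, size_t keylen, long *value)
{
    const char *eq = strchr(line, '=');
    if (!eq)
        return -1;
    size_t klen = (size_t)(eq - line);
    while (klen > 0 && line[klen - 1] == ' ')   /* trim "key " before '=' */
        klen--;
    if (klen == 0 || klen >= keylen)
        return -1;
    memcpy(key, line, klen);
    key[klen] = '\0';
    char *end;
    errno = 0;
    long v = strtol(eq + 1, &end, 10);           /* strtol skips the space */
    if (errno || end == eq + 1)
        return -1;
    *value = v;
    return 0;
}

/* The mitigation from the issue description: both thresholds at or below
 * 256 kB / 192 kB, with low not above high so eviction can make progress. */
int frag_thresholds_mitigated(long high, long low)
{
    return high > 0 && low > 0 && low <= high &&
           high <= FRAG_HIGH_MAX && low <= FRAG_LOW_MAX;
}

/* Evaluate a whole dump; returns 1 if mitigated, 0 if not, -1 if a key is missing. */
int check_sysctl_dump(const char *const *lines, size_t n)
{
    long high = -1, low = -1;
    for (size_t i = 0; i < n; i++) {
        char key[128];
        long v;
        if (parse_sysctl_line(lines[i], key, sizeof key, &v))
            continue;
        if (!strcmp(key, "net.ipv4.ipfrag_high_thresh"))
            high = v;
        else if (!strcmp(key, "net.ipv4.ipfrag_low_thresh"))
            low = v;
    }
    if (high < 0 || low < 0)
        return -1;
    return frag_thresholds_mitigated(high, low);
}

int main(void)
{
    long high, low;
    if (read_proc_sysctl("/proc/sys/net/ipv4/ipfrag_high_thresh", &high) ||
        read_proc_sysctl("/proc/sys/net/ipv4/ipfrag_low_thresh", &low)) {
        fprintf(stderr, "cannot read ipfrag sysctls (not Linux, or no /proc)\n");
        return 2;
    }
    int ok = frag_thresholds_mitigated(high, low);
    printf("ipfrag_high_thresh=%ld ipfrag_low_thresh=%ld -> %s\n", high, low,
           ok ? "at/below the mitigated values" : "above the mitigated values");
    return ok ? 0 : 1;
}
```

The exit status (0 mitigated, 1 not, 2 unreadable) makes the program usable from a fleet audit script; the `sysctl -a` parser exists so the same logic can be run over dumps collected from hosts the auditor cannot log into directly.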
Aug 1
For lakitu, we would like to cherry-pick this too in 65, 66, 67, 68 and 69. And trigger builds on the stable branches over the weekend (hopefully).
Aug 1
For 67 and earlier go ahead, for 68 and 69 we probably want to see this landed on ToT first, and at least go into a build.
Aug 1

This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 1

Thanks Bernie. Code review sent:
* R67 (v4.14): https://crrev.com/c/1159401/
* R66 (v4.14): https://crrev.com/c/1159389/
* R65 (v4.4): https://crrev.com/c/1159395/
Aug 1
#5: Agreed; I'll want to see this landed in ToT first.
Aug 2

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.
This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 2

This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e8c0ff33cafa8f83bea062af411a9f70e57a39cc

commit e8c0ff33cafa8f83bea062af411a9f70e57a39cc
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 20:53:35 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fed867a4f3924ee7986b1e8fb3e2bd870b12d8b3)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159101

[modify] https://crrev.com/e8c0ff33cafa8f83bea062af411a9f70e57a39cc/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9b99322dd39137a60345c94cb64e37f9f978eece

commit 9b99322dd39137a60345c94cb64e37f9f978eece
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 20:53:07 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159089
Reviewed-by: Aditya Kali <adityakali@google.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/9b99322dd39137a60345c94cb64e37f9f978eece/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5cae9533cf155e8e5ff9f0ec4cf962078d18322d

commit 5cae9533cf155e8e5ff9f0ec4cf962078d18322d
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 20:53:09 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159090
Reviewed-by: Aditya Kali <adityakali@google.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/5cae9533cf155e8e5ff9f0ec4cf962078d18322d/net/ipv4/ip_fragment.c
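To make the accounting problem behind the two backports concrete ("inet: frag: enforce memory limits earlier" and "ipv4: frags: handle possible skb truesize change"), here is an added toy model in C. It is not kernel code and is not from this bug tracker; it reproduces neither the kernel's structures nor its helpers. It models a per-netns reassembly budget that is checked either only when a queue is created (the pre-fix behaviour the first commit message describes) or on every queued fragment (the fixed behaviour), and separately shows the imbalance the second commit fixes when a queued skb's truesize changes after it was charged. The struct and function names, the queue and fragment sizes, and the use of the 4 MB default from the commit message as the budget are the example's own assumptions.

```c
/* Added example (not kernel code, not from this bug tracker): a toy model of
 * the per-netns reassembly memory accounting behind the two backports. Names,
 * sizes and budgets are the example's own. */
#include <stdio.h>

enum policy { CHECK_ON_CREATE_ONLY, CHECK_ON_EVERY_FRAG };

struct frag_mem {
    long high_thresh;  /* budget, like net.ipv4.ipfrag_high_thresh */
    long usage;        /* bytes currently charged to the netns */
    long nqueues;      /* incomplete datagrams being reassembled */
    long dropped;      /* queues or fragments refused by the limit */
    enum policy pol;
};

struct toy_skb { long truesize; };  /* the only field the accounting uses */

void frag_mem_init(struct frag_mem *m, long high_thresh, enum policy pol)
{
    m->high_thresh = high_thresh; m->usage = 0;
    m->nqueues = 0; m->dropped = 0; m->pol = pol;
}

/* Creating a queue charges queue_cost; both policies enforce the limit here. */
int frag_mem_create_queue(struct frag_mem *m, long queue_cost)
{
    if (m->usage + queue_cost > m->high_thresh) { m->dropped++; return -1; }
    m->usage += queue_cost; m->nqueues++;
    return 0;
}

/* Queuing a fragment charges its truesize; only the fixed policy checks the
 * limit on this path, which is the point of the first backport. */
int frag_mem_add_frag(struct frag_mem *m, const struct toy_skb *skb)
{
    if (m->pol == CHECK_ON_EVERY_FRAG && m->usage + skb->truesize > m->high_thresh) {
        m->dropped++; return -1;
    }
    m->usage += skb->truesize;
    return 0;
}

/* Freeing uncharges whatever truesize the skb reports at that moment. */
void frag_mem_free_frag(struct frag_mem *m, const struct toy_skb *skb)
{
    m->usage -= skb->truesize;
}

/* Scenario from the first commit message: fill the budget with queues, then
 * append small fragments to each existing queue. Returns the usage reached. */
long simulate_fill_then_append(enum policy pol, long high_thresh, long queue_cost,
                               long frag_truesize, long frags_per_queue)
{
    struct frag_mem m;
    struct toy_skb skb = { frag_truesize };
    frag_mem_init(&m, high_thresh, pol);
    while (frag_mem_create_queue(&m, queue_cost) == 0)
        ;
    for (long q = 0; q < m.nqueues; q++)
        for (long i = 0; i < frags_per_queue; i++)
            frag_mem_add_frag(&m, &skb);
    return m.usage;
}

/* Scenario from the second commit message: a queued skb's truesize changes
 * (pskb_pull() may reallocate its head). Returns the usage left after the
 * skb is freed; anything but 0 is an accounting imbalance. The fix is to
 * charge the delta at the point where truesize changes. */
long simulate_truesize_change(long before, long after, int apply_fix)
{
    struct frag_mem m;
    struct toy_skb skb = { before };
    frag_mem_init(&m, 1L << 30, CHECK_ON_EVERY_FRAG);
    frag_mem_add_frag(&m, &skb);      /* charged with the old truesize */
    skb.truesize = after;             /* head reallocated while queued */
    if (apply_fix)
        m.usage += after - before;    /* keep the charge in step */
    frag_mem_free_frag(&m, &skb);     /* uncharges the new truesize */
    return m.usage;
}

int main(void)
{
    const long budget = 4L * 1024 * 1024;   /* 4 MB default per the commit message */
    printf("fill-then-append, check on create only: usage %ld of %ld\n",
           simulate_fill_then_append(CHECK_ON_CREATE_ONLY, budget, 1024, 768, 10), budget);
    printf("fill-then-append, check on every frag:  usage %ld of %ld\n",
           simulate_fill_then_append(CHECK_ON_EVERY_FRAG, budget, 1024, 768, 10), budget);
    printf("truesize change, unfixed residual %ld; fixed residual %ld\n",
           simulate_truesize_change(2048, 4096, 0), simulate_truesize_change(2048, 4096, 1));
    return 0;
}
```

With the queue and fragment sizes chosen here, the create-only policy lets usage end roughly 8.5 times above high_thresh, which is the "2 to 3 order of magnitude" overshoot in miniature; the per-fragment check pins it at the budget. The truesize scenario shows why the second commit exists: an uncharged size change leaves a residual in the counter, positive or negative, and either direction distorts the limit the first commit enforces.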
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6404db255c1a6d60e651897fc1a1f7d1a3932339

commit 6404db255c1a6d60e651897fc1a1f7d1a3932339
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 20:53:03 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159093
Reviewed-by: Aditya Kali <adityakali@google.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/6404db255c1a6d60e651897fc1a1f7d1a3932339/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/79299e391d039c582132fe43be781305f26d0b89

commit 79299e391d039c582132fe43be781305f26d0b89
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 20:53:04 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 29ab5261b05136f39530be25c8469a69b1416279)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159094
Reviewed-by: Aditya Kali <adityakali@google.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/79299e391d039c582132fe43be781305f26d0b89/net/ipv4/ip_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6162676c79b124be56eb76a9a9e70e359ca29f7c

commit 6162676c79b124be56eb76a9a9e70e359ca29f7c
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:31:47 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159395
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/6162676c79b124be56eb76a9a9e70e359ca29f7c/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d78dd653129973230d642c8ab77cf578b1fb7344

commit d78dd653129973230d642c8ab77cf578b1fb7344
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:31:48 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159401
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/d78dd653129973230d642c8ab77cf578b1fb7344/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4df76b6fb22548e5c3c9e646ac3c1cffdaa72740

commit 4df76b6fb22548e5c3c9e646ac3c1cffdaa72740
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:31:49 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 29ab5261b05136f39530be25c8469a69b1416279)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159396
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/4df76b6fb22548e5c3c9e646ac3c1cffdaa72740/net/ipv4/ip_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/21d1cc31f5a732ffe2742b209feec6e76a4791ce

commit 21d1cc31f5a732ffe2742b209feec6e76a4791ce
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:36:24 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159389
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/21d1cc31f5a732ffe2742b209feec6e76a4791ce/net/ipv4/inet_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a64d42388743f77dc01fef398d96ffdda96b321b

commit a64d42388743f77dc01fef398d96ffdda96b321b
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:36:25 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159390
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/a64d42388743f77dc01fef398d96ffdda96b321b/net/ipv4/ip_fragment.c
Aug 2

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bbe3394dcd24530dd05b2059e7ab7263a07a34c6

commit bbe3394dcd24530dd05b2059e7ab7263a07a34c6
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Aug 02 23:36:27 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159402
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/bbe3394dcd24530dd05b2059e7ab7263a07a34c6/net/ipv4/ip_fragment.c
Aug 3
Move back to started: For chromeos-3.14 and earlier, will revert commit c2a936600f78aea00d3312ea4b66a79a4619f9b4 as suggested originally.
Aug 3
PMs: Please approve merge into R68, R69. Patches will only be applied to stable releases for chromeos-3.18 and later.
Aug 3
SGTM for 68, though this will not be in the first stable.
Aug 3
Merge approved for M69.
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4247e35fccf65053abfec70a9c9a3701fd7f6626

commit 4247e35fccf65053abfec70a9c9a3701fd7f6626
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:01:14 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159307

[modify] https://crrev.com/4247e35fccf65053abfec70a9c9a3701fd7f6626/net/ipv4/ip_fragment.c
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d35703d6e908ca2b3ece20a39a17d5a92875db5b

commit d35703d6e908ca2b3ece20a39a17d5a92875db5b
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:01:16 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 29ab5261b05136f39530be25c8469a69b1416279)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159303

[modify] https://crrev.com/d35703d6e908ca2b3ece20a39a17d5a92875db5b/net/ipv4/ip_fragment.c
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5b91f0bf318cb7c4bbb7ba35d2023119150183c6

commit 5b91f0bf318cb7c4bbb7ba35d2023119150183c6
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:01:17 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159305

[modify] https://crrev.com/5b91f0bf318cb7c4bbb7ba35d2023119150183c6/net/ipv4/inet_fragment.c
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/39f7241d7d04473666124f97aba3b7502cf59b4d

commit 39f7241d7d04473666124f97aba3b7502cf59b4d
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:01:18 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159301

[modify] https://crrev.com/39f7241d7d04473666124f97aba3b7502cf59b4d/net/ipv4/inet_fragment.c
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8dfac4fe62f300c64181b23a84fac949712a788e

commit 8dfac4fe62f300c64181b23a84fac949712a788e
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:01:19 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fed867a4f3924ee7986b1e8fb3e2bd870b12d8b3)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159281

[modify] https://crrev.com/8dfac4fe62f300c64181b23a84fac949712a788e/net/ipv4/inet_fragment.c
Aug 3

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ebb4cdd98fb323c8e019c6ae33751d885ec84fc8

commit ebb4cdd98fb323c8e019c6ae33751d885ec84fc8
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 03 17:04:45 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG= chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159306

[modify] https://crrev.com/ebb4cdd98fb323c8e019c6ae33751d885ec84fc8/net/ipv4/inet_fragment.c
,
Aug 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3c65ac391ae2700b694a83d73a13e2d0f8085a48

commit 3c65ac391ae2700b694a83d73a13e2d0f8085a48
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 03 17:04:57 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles.

After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fed867a4f3924ee7986b1e8fb3e2bd870b12d8b3)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159282

[modify] https://crrev.com/3c65ac391ae2700b694a83d73a13e2d0f8085a48/net/ipv4/inet_fragment.c
,
Aug 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ac311fdc01133c1001ad2751bbbc5a93480eb65e

commit ac311fdc01133c1001ad2751bbbc5a93480eb65e
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 03 17:04:58 2018

BACKPORT: FROMGIT: inet: frag: enforce memory limits earlier

We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b03 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles.

After commit 648700f76b03, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs.

Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: Ia5009b602cf15c08b0fe0307fbcd61467b0d3d86
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 77fade0ec7fc697e01cbf61a119795f013bf3eb6)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159302

[modify] https://crrev.com/ac311fdc01133c1001ad2751bbbc5a93480eb65e/net/ipv4/inet_fragment.c
,
Aug 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2bf666456691e3fa3660ce371b38b3509030a338

commit 2bf666456691e3fa3660ce371b38b3509030a338
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 03 17:04:59 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue.

We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

    When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159308

[modify] https://crrev.com/2bf666456691e3fa3660ce371b38b3509030a338/net/ipv4/ip_fragment.c
,
Aug 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/42e717d49891844d9255ecdc45e95c861b363455

commit 42e717d49891844d9255ecdc45e95c861b363455
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Aug 03 17:05:00 2018

BACKPORT: FROMGIT: ipv4: frags: handle possible skb truesize change

ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue.

We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states :

    When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded.

Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I1b30bd6c5c56d4b610388b848b920396fa905725
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 29ab5261b05136f39530be25c8469a69b1416279)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1159304

[modify] https://crrev.com/42e717d49891844d9255ecdc45e95c861b363455/net/ipv4/ip_fragment.c
,
Aug 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/08c670dff80e6608bb2d6e249b1572c376209ead

commit 08c670dff80e6608bb2d6e249b1572c376209ead
Author: Guenter Roeck <groeck@chromium.org>
Date: Sat Aug 04 05:14:53 2018

CHROMIUM: Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I6e54f322c99fcae8b14d5fd0e35c1604480626fb
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1162272
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/08c670dff80e6608bb2d6e249b1572c376209ead/net/ipv4/ip_fragment.c
[modify] https://crrev.com/08c670dff80e6608bb2d6e249b1572c376209ead/include/net/ipv6.h
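The revert above restores the smaller IPv4 reassembly memory budget that the backported "enforce memory limits earlier" fix describes as being abusable at its 4 MB default. A fleet owner who cannot rebuild the kernel usually wants to know which hosts still run with the raised budget. The script below is an added example, not code from this issue or from the ChromeOS kernel tree: it reads the live `net.ipv4.ipfrag_high_thresh` / `net.ipv4.ipfrag_low_thresh` values from `/proc` and flags anything above the values the reverted commit replaced. The 256 KiB / 192 KiB comparison points are the pre-increase kernel defaults and are stated in the script as its assumption; the file name `frag_thresh_audit.sh` used by the run guard is also an assumption.

```shell
#!/bin/sh
# Added example; not from the issue thread or the ChromeOS kernel tree.
# Audits the IPv4 reassembly memory thresholds on a Linux host and flags
# values above the ones in place before the reverted commit
# ("net: increase fragment memory usage limits"). The two comparison
# points below are assumed to be the pre-increase defaults.

SAFE_HIGH=262144   # 256 KiB: assumed pre-increase ipfrag_high_thresh default
SAFE_LOW=196608    # 192 KiB: assumed pre-increase ipfrag_low_thresh default

# frag_thresh_status HIGH LOW
# Prints "ok" when both values are at or below the pre-increase defaults,
# "raised" when either exceeds them, "invalid" for non-numeric input.
# Exit status mirrors the verdict: 0 = ok, 1 = raised, 2 = invalid.
frag_thresh_status() {
    high=$1
    low=$2
    case "$high$low" in
        *[!0-9]*|"") echo invalid; return 2 ;;
    esac
    if [ "$high" -le "$SAFE_HIGH" ] && [ "$low" -le "$SAFE_LOW" ]; then
        echo ok
        return 0
    fi
    echo raised
    return 1
}

# audit_frag_thresholds [PROCROOT]
# Reads the live sysctl values. They are per network namespace, so run this
# inside each netns of interest (e.g. via "ip netns exec"). PROCROOT defaults
# to /proc and can point at a copied /proc tree for offline review.
audit_frag_thresholds() {
    root=${1:-/proc}
    dir="$root/sys/net/ipv4"
    if [ ! -r "$dir/ipfrag_high_thresh" ] || [ ! -r "$dir/ipfrag_low_thresh" ]; then
        echo "cannot read $dir/ipfrag_*_thresh (not Linux, or no permission)"
        return 2
    fi
    high=$(cat "$dir/ipfrag_high_thresh")
    low=$(cat "$dir/ipfrag_low_thresh")
    printf 'ipfrag_high_thresh=%s ipfrag_low_thresh=%s -> ' "$high" "$low"
    frag_thresh_status "$high" "$low"
}

# Run the audit only when executed as the script itself; sourcing the file
# just defines the functions so they can be reused from other tooling.
case "${0##*/}" in
    frag_thresh_audit.sh) audit_frag_thresholds ;;
esac
```

On a kernel that still carries the increase the audit prints values in the megabyte range and exits 1, which makes it easy to feed into a compliance check. Lowering the sysctls is only a mitigation for the accounting weakness the commit message describes; the per-fragment limit enforcement in the backported patch is the actual fix, so the audit result should be read together with the kernel's patch level.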
,
Aug 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/128fab81189dc365132ee92146844dac3891551b

commit 128fab81189dc365132ee92146844dac3891551b
Author: Guenter Roeck <groeck@chromium.org>
Date: Sat Aug 04 05:14:51 2018

CHROMIUM: Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I6e54f322c99fcae8b14d5fd0e35c1604480626fb
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1162281
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>

[modify] https://crrev.com/128fab81189dc365132ee92146844dac3891551b/net/ipv4/ip_fragment.c
[modify] https://crrev.com/128fab81189dc365132ee92146844dac3891551b/include/net/ipv6.h
,
Aug 4
Marking as fixed: Won't apply to stable releases for older kernels (3.14 and older) since the problem is DoS which is considered low severity for Chrome OS. As such, the added risk for stable releases does not outweigh the benefits.
,
Aug 4
,
Aug 12
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fdd57e935099fc42786c861faa8bdb89cf91859b

commit fdd57e935099fc42786c861faa8bdb89cf91859b
Author: Guenter Roeck <groeck@chromium.org>
Date: Sun Aug 12 18:27:43 2018

CHROMIUM: Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I6e54f322c99fcae8b14d5fd0e35c1604480626fb
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1162272
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
(cherry picked from commit 08c670dff80e6608bb2d6e249b1572c376209ead)
Reviewed-on: https://chromium-review.googlesource.com/1171407

[modify] https://crrev.com/fdd57e935099fc42786c861faa8bdb89cf91859b/net/ipv4/ip_fragment.c
[modify] https://crrev.com/fdd57e935099fc42786c861faa8bdb89cf91859b/include/net/ipv6.h
,
Aug 12
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c5f33f8259d044040fe6ea6bf2cf50936a5720df

commit c5f33f8259d044040fe6ea6bf2cf50936a5720df
Author: Guenter Roeck <groeck@chromium.org>
Date: Sun Aug 12 18:27:44 2018

CHROMIUM: Revert "net: increase fragment memory usage limits"

This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.

BUG=chromium:869941
TEST=Run IP fragmentation tests

Change-Id: I6e54f322c99fcae8b14d5fd0e35c1604480626fb
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1162272
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
(cherry picked from commit 08c670dff80e6608bb2d6e249b1572c376209ead)
Reviewed-on: https://chromium-review.googlesource.com/1171882

[modify] https://crrev.com/c5f33f8259d044040fe6ea6bf2cf50936a5720df/net/ipv4/ip_fragment.c
[modify] https://crrev.com/c5f33f8259d044040fe6ea6bf2cf50936a5720df/include/net/ipv6.h
,
Aug 17
Reopening: Backport was found incomplete and will require follow-up fix.
,
Aug 17
,
Aug 17
Fix (in v4.4.149): 42962538cd9f ("tcp: Fix missing range_truesize enlargement in the backport")
,
Aug 17
CL:1179260 for merge of v4.4.149 into chromeos-4.4
CL:1179351 and friends for backport of relevant patch into R68, R69 for chromeos-3.18 and chromeos-4.4
,
Aug 22
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/348a7f27630bd26ed54bb939fec4f9cb5f5a143d

commit 348a7f27630bd26ed54bb939fec4f9cb5f5a143d
Author: Takashi Iwai <tiwai@suse.de>
Date: Wed Aug 22 19:50:53 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1179351

[modify] https://crrev.com/348a7f27630bd26ed54bb939fec4f9cb5f5a143d/net/ipv4/tcp_input.c
,
Aug 22
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/31ac3946a0e7ec152b2bf55ce9a86d111cf014e4

commit 31ac3946a0e7ec152b2bf55ce9a86d111cf014e4
Author: Takashi Iwai <tiwai@suse.de>
Date: Wed Aug 22 19:51:05 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1180367

[modify] https://crrev.com/31ac3946a0e7ec152b2bf55ce9a86d111cf014e4/net/ipv4/tcp_input.c
,
Aug 23
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2638ccfbb3dabb3f2fbdd98e386fa4e3c2d18fae

commit 2638ccfbb3dabb3f2fbdd98e386fa4e3c2d18fae
Author: Takashi Iwai <tiwai@suse.de>
Date: Thu Aug 23 14:37:14 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1184541
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/2638ccfbb3dabb3f2fbdd98e386fa4e3c2d18fae/net/ipv4/tcp_input.c
,
Aug 23
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8c0cb17dd7e059aa8b48d8a3913fe0255a089db0

commit 8c0cb17dd7e059aa8b48d8a3913fe0255a089db0
Author: Takashi Iwai <tiwai@suse.de>
Date: Thu Aug 23 16:02:42 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1179349

[modify] https://crrev.com/8c0cb17dd7e059aa8b48d8a3913fe0255a089db0/net/ipv4/tcp_input.c
,
Aug 23
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8e92b92287dc7cb2ddac73cb69d4f5ab56ea418e

commit 8e92b92287dc7cb2ddac73cb69d4f5ab56ea418e
Author: Takashi Iwai <tiwai@suse.de>
Date: Thu Aug 23 16:02:43 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1179350

[modify] https://crrev.com/8e92b92287dc7cb2ddac73cb69d4f5ab56ea418e/net/ipv4/tcp_input.c
,
Aug 23
,
Aug 24
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/eb9bce9a5e7702408b6d7a5673ecef7a46fec0bb

commit eb9bce9a5e7702408b6d7a5673ecef7a46fec0bb
Author: Takashi Iwai <tiwai@suse.de>
Date: Fri Aug 24 18:27:15 2018

FROMGIT: tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit 3d4bf93ac120 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()") missed a line that enlarges the range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
(cherry picked from commit 42962538cd9fe281a6e8602f22c7b1e218ed812a git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y)

BUG=chromium:869941
TEST=Run POC

Change-Id: I4dceb07a696ef9a0b41b5364f4b094a36692b65e
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1179351
(cherry picked from commit 348a7f27630bd26ed54bb939fec4f9cb5f5a143d)
Reviewed-on: https://chromium-review.googlesource.com/1187163
Commit-Queue: Aditya Kali <adityakali@google.com>
Tested-by: Aditya Kali <adityakali@google.com>

[modify] https://crrev.com/eb9bce9a5e7702408b6d7a5673ecef7a46fec0bb/net/ipv4/tcp_input.c
,
Oct 26
,
Oct 26
,
Nov 30
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by wonderfly@google.com
, Aug 1