Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 09 Aug 2018 13:52:02 +0100
From:   David Woodhouse <dwmw2@...radead.org>
To:     Greg KH <gregkh@...ux-foundation.org>,
        maowenan <maowenan@...wei.com>
Cc:     davem@...emloft.net, edumazet@...gle.com, juha-matti.tilli@....fi,
        ycheng@...gle.com, soheil@...gle.com, netdev@...r.kernel.org,
        eric.dumazet@...il.com, jdw@...zon.de
Subject: Re: [PATCH 4.9-stable] tcp: add tcp_ooo_try_coalesce() helper

On Thu, 2018-08-09 at 14:47 +0200, Greg KH wrote:
> On Thu, Aug 09, 2018 at 08:37:13PM +0800, maowenan wrote:
> > There are two patches in stable branch linux-4.4, but I have tested with below patches, and found that the cpu usage was very high.
> > dc6ae4d tcp: detect malicious patterns in tcp_collapse_ofo_queue()
> > 5fbec48 tcp: avoid collapses in tcp_prune_queue() if possible
> > 
> > test results:
> > with fix patch: 78.2%   ksoftirqd
> > no fix patch:   90%     ksoftirqd
> > 
> > there is %0 when no attack packets.
> > 
> > so please help verify that fixed patches are enough in linux-stable 4.4.
> > 
> 
> I do not know, I am not a network developer.  Please try to reproduce
> the same thing on a newer kernel release and see if the result is the
> same or not.  If you can find a change that I missed, please let me know
> and I will be glad to apply it.

maowenan, there were five patches in the original upstream set to
address SegmentSmack:

      tcp: free batches of packets in tcp_prune_ofo_queue()
      tcp: avoid collapses in tcp_prune_queue() if possible
      tcp: detect malicious patterns in tcp_collapse_ofo_queue()
      tcp: call tcp_drop() from tcp_data_queue_ofo()
      tcp: add tcp_ooo_try_coalesce() helper

I believe that the first one, "free batches of packets..." is not
needed in 4.4 because we only have a simple queue of packets there
anyway, so we're dropping everything each time and don't need the
heuristics for how many to drop.

That leaves two more which have so far not been backported to 4.4; can
you try applying them and see if it resolves the problem for you?

Thanks.
