From: Eric Dumazet <eduma...@google.com>
Date: Mon, 23 Jul 2018 09:28:16 -0700

> Juha-Matti Tilli reported that malicious peers could inject tiny
> packets in out_of_order_queue, forcing very expensive calls
> to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
> every incoming packet.
>
> With tcp_rmem[2] default of 6MB, the ooo queue could
> contain ~7000 nodes.
>
> This patch series makes sure we cut cpu cycles enough to
> render the attack not critical.
>
> We might in the future go further, like disconnecting
> or black-holing proven malicious flows.

Sucky...

It took me a while to understand the sums_tiny logic, every time I read that function I forget that we reset all of the state and restart the loop after a coalesce inside the loop.

Series applied, and queued up for -stable.

Thanks!