From: "Prout, Andrew - LLSC - MITLL" <firstname.lastname@example.org> To: Eric Dumazet <email@example.com>, Christoph Paasch <firstname.lastname@example.org> Cc: "David S . Miller" <email@example.com>, netdev <firstname.lastname@example.org>, Greg Kroah-Hartman <email@example.com>, Jonathan Looney <firstname.lastname@example.org>, Neal Cardwell <email@example.com>, Tyler Hicks <firstname.lastname@example.org>, Yuchung Cheng <email@example.com>, Bruce Curtis <firstname.lastname@example.org>, Jonathan Lemon <email@example.com>, "Dustin Marquess" <firstname.lastname@example.org> Subject: RE: [PATCH net 2/4] tcp: tcp_fragment() should apply sane memory limits Date: Thu, 11 Jul 2019 17:14:58 +0000 Message-ID: <email@example.com> (raw) In-Reply-To: <firstname.lastname@example.org> On 7/10/19 3:27 PM, Eric Dumazet <email@example.com> wrote: > On 7/10/19 8:53 PM, Prout, Andrew - LLSC - MITLL wrote: >> >> Our initial rollout was v4.14.130, but I reproduced it with v4.14.132 as well, reliably for the samba test and once (not reliably) with synthetic test I was trying. A patched v4.14.132 with this patch partially reverted (just the four lines from tcp_fragment deleted) passed the samba test. >> >> The synthetic test was a pair of simple send/recv test programs under the following conditions: >> -The send socket was non-blocking >> -SO_SNDBUF set to 128KiB >> -The receiver NIC was being flooded with traffic from multiple hosts (to induce packet loss/retransmits) >> -Load was on both systems: a while(1) program spinning on each CPU core >> -The receiver was on an older unaffected kernel >> > > SO_SNDBUF to 128KB does not permit to recover from heavy losses, > since skbs needs to be allocated for retransmits. > > The bug we fixed allowed remote attackers to crash all linux hosts, > > I am afraid we have to enforce the real SO_SNDBUF limit, finally. > > Even a cushion of 128KB per socket is dangerous, for servers with millions of TCP sockets. > > You will either have to set SO_SNDBUF to higher values, or let autotuning in place. > Or revert the patches and allow attackers hit you badly. I in no way intended to imply that I had confirmed the small SO_SNDBUF was a prerequisite to our problem. With my synthetic test, I was looking for a concise reproducer and trying things to stress the system. Unfortunately we're often stuck being forced to support very old code, right alongside the latest and greatest. We still run a lot of FORTRAN. Telling users en-mass to search and revise their code is not an option for us. In my opinion, if a small SO_SNDBUF below a certain value is no longer supported, then SOCK_MIN_SNDBUF should be adjusted to reflect this. The RCVBUF/SNDBUF sizes are supposed to be hints, no error is returned if they are not honored. The kernel should continue to function regardless of what userspace requests for their values. Alternatively, a config option could be added. I am not concerned about DoS attacks, our system is not connected to the internet, and we shouldn't have to maintain an out-of-tree patch for basic functionality.
next prev parent reply index Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-17 17:03 [PATCH net 0/4] tcp: make sack processing more robust Eric Dumazet 2019-06-17 17:03 ` [PATCH net 1/4] tcp: limit payload size of sacked skbs Eric Dumazet 2019-06-17 17:14 ` Jonathan Lemon 2019-06-17 17:03 ` [PATCH net 2/4] tcp: tcp_fragment() should apply sane memory limits Eric Dumazet 2019-06-17 17:14 ` Jonathan Lemon 2019-06-18 0:18 ` Christoph Paasch 2019-06-18 2:28 ` Eric Dumazet 2019-06-18 3:19 ` Christoph Paasch 2019-06-18 3:44 ` Eric Dumazet 2019-06-18 3:53 ` Christoph Paasch 2019-06-18 4:08 ` Eric Dumazet 2019-07-10 18:23 ` Prout, Andrew - LLSC - MITLL 2019-07-10 18:28 ` Eric Dumazet 2019-07-10 18:53 ` Prout, Andrew - LLSC - MITLL 2019-07-10 19:26 ` Eric Dumazet 2019-07-11 7:28 ` Christoph Paasch 2019-07-11 9:19 ` Eric Dumazet 2019-07-11 18:26 ` Michal Kubecek 2019-07-11 18:50 ` Eric Dumazet 2019-07-11 10:18 ` Eric Dumazet 2019-07-11 17:14 ` Prout, Andrew - LLSC - MITLL [this message] 2019-07-11 18:28 ` Eric Dumazet 2019-07-11 19:04 ` Jonathan Lemon 2019-07-12 7:05 ` Eric Dumazet 2019-07-16 15:13 ` Prout, Andrew - LLSC - MITLL 2019-06-17 17:03 ` [PATCH net 3/4] tcp: add tcp_min_snd_mss sysctl Eric Dumazet 2019-06-17 17:15 ` Jonathan Lemon 2019-06-17 17:18 ` Tyler Hicks 2019-06-17 17:03 ` [PATCH net 4/4] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() Eric Dumazet 2019-06-17 17:16 ` Jonathan Lemon 2019-06-17 17:18 ` Tyler Hicks 2019-06-17 17:41 ` [PATCH net 0/4] tcp: make sack processing more robust David Miller 2019-08-02 19:02 [PATCH net 2/4] tcp: tcp_fragment() should apply sane memory limits Bernd 2019-08-02 19:14 ` Neal Cardwell 2019-08-02 19:58 ` Bernd 2019-08-14 14:41 ` Marcelo Ricardo Leitner
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Netdev Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \ firstname.lastname@example.org public-inbox-index netdev Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.netdev AGPL code for this site: git clone https://public-inbox.org/public-inbox.git