From: Eric Dumazet <eric.duma...@gmail.com> Date: Tue, 24 Jan 2017 14:57:36 -0800
> From: Eric Dumazet <eduma...@google.com> > > tcp_add_backlog() can use skb_condense() helper to get better > gains and less SKB_TRUESIZE() magic. This only happens when socket > backlog has to be used. > > Some attacks involve specially crafted out of order tiny TCP packets, > clogging the ofo queue of (many) sockets. > Then later, expensive collapse happens, trying to copy all these skbs > into single ones. > This unfortunately does not work if each skb has no neighbor in TCP > sequence order. > > By using skb_condense() if the skb could not be coalesced to a prior > one, we defeat these kind of threats, potentially saving 4K per skb > (or more, since this is one page fragment). > > A typical NAPI driver allocates gro packets with GRO_MAX_HEAD bytes > in skb->head, meaning the copy done by skb_condense() is limited to > about 200 bytes. > > Signed-off-by: Eric Dumazet <eduma...@google.com> Applied, thanks Eric.
